KPMG appointed

The document reveals that, following its macro-prudential intervention in late 2014, the regulator became increasingly unhappy with the quality of CBA's reporting, going so far as to appoint KPMG to review the bank's data and work performed by its internal audit team.

A section of the document attributed to former Commonwealth Bank executive Gary Dingley shows how APRA escalated its concerns once it had reason to believe the mortgage data it was being provided with was not accurate.

CBA brought KPMG on board in December 2015 after the regulator asked the bank to provide independent verification of its reporting systems. The subsequent report set off alarm bells at the regulator, said to be "disappointed at the findings".

CBA would play down the conflict, arguing that this was due to a misunderstanding. APRA, however, would return to the bank, asking for more detail about the bank's mortgage book and saying the bank had been unable to "demonstrate the completeness and accuracy of the LVR data".

The data APRA wanted tested had been given the green light by CBA's internal audit team even though it had identified "control gaps in the reporting process".

"At APRA's request, KPMG were also engaged to complete their own valuation over the LVR data set and the work completed by Internal Audit. The KPMG review identified only 'minor' issues for RBS [retail banking services], however we understand APRA still has residual concerns", the report reads.


The report reveals that the bank had its own concerns about data quality and had launched its own strategy to address the issue under the codename Project Crystal.

Despite projecting an air of technical confidence and competence, the report reveals internal concerns that the bank was losing the fight to control and organise its data.

"Peer banks are more advanced in sponsoring, funding and resourcing data quality, data governance support teams, and common enterprise tools and practices," the report reads.

Long list of issues

Among the data issues self-identified by the bank are "ineffective record keeping, insecure customer data, and the inability to adequately monitor where our customer data resides – be it internally or with external vendors".

The report also says a high proportion of the processes it relies on to manage "Cyber/Technology Risk" were currently rated "marginal or unsatisfactory".

As its data management systems were overhauled and brought up to speed, it acknowledged the risk of new issues emerging was "elevated".


A confidential internal catalogue of risks prepared for Commonwealth Bank's board in July 2016 shows the bank was dealing with a spiralling list of concerns.

The report also reveals APRA contacted the bank in 2015 expressing concern about "a pattern of operational risk incidents with both financial and reputational consequences" in an apparent reference to high profile missteps by the bank's financial advice and life insurance arms.

APRA questioned the effectiveness of the structure of its risk management framework, highlighting specific examples including ongoing control weaknesses at fully owned financial advice subsidiary Count Financial. CBA bought Count Financial in 2011 for $373 million.

The bank responded by saying the issues were isolated examples. It told APRA its processes were effective at "identifying, escalating and addressing" issues as they arose. However, the bank acknowledged to the board that if it failed to get on top of these issues it risked "financial loss, reputational loss or adverse customer impacts".

APRA would launch a review into the bank's governance, culture and accountability on September 8. The preliminary report suggested the resourcing of the risk function and investment in compliance will be a key area of focus.

The bank also outlined a laundry list of employee behaviours that expose the bank, under the heading "Conduct Risk", which it says includes "insider trading, index rigging, fraud, theft of data, bribery and corruption and intentional AML [anti-money laundering] and sanctions breaches".

In terms of live issues the bank is facing on this front, the bank lists business clients from the institutional banking and markets division being incorrectly billed and charged bank-initiated transactions.

ASIC notices on BBSW and foreign exchange trading are also highlighted alongside misconduct by Colonial First State Global Asset Management picked up by the Monetary Authority of Singapore.