Many words have been written about the Commonwealth Bank money-laundering scandal and many, many more will be written still; being caught for 55,700 breaches is no mean feat. Fused with the state, backed by taxpayers, too big to fail, a financial success and a moral failure; Commonwealth Bank has become a symbol for what is wrong with big business and government. No better story has been written about the CBA fiasco than the following investigative feature by Nathan Lynch of Thomson Reuters’ Financial Crime and Risk, Regulatory Intelligence division. Nathan has kindly allowed us to publish outside the paywall in the public interest.

BY EARLY 2015, Commonwealth Bank’s investment in the rollout of hundreds of intelligent deposit machines (IDMs) across Australia was paying off handsomely. The country’s largest financial institution was reporting bumper profits and the gradual automation of its teller services, along with the push towards 24/7 banking, was making a significant contribution to its success.

Re APRA probe into #CBA. Who funds APRA? Er, CBA (& other banks). Just sayin' — Michael West (@MichaelWestBiz) August 28, 2017

The response to the technology was stratospheric. When the IDMs were first introduced in 2012 customers had placed A$89.1 million into the cash deposit smart ATMs over a six-month period. Two-and-a-half years later the machines took around A$3.36 billion during an equivalent six-month window.

Customers liked non-face-to-face banking and were voting with their ATM cards. Over three years A$8.9 billion moved through IDMs. They promised speed and convenience, among an array of other consumers benefits (including, as some customers had discovered, a lack of teller scrutiny and a reduced likelihood of the bank “forming a suspicion” about money laundering or terrorism financing).

The Diebold Nixdorf IDM technology enabled instantaneous crediting of cash deposits into any CBA account. The name was not the only thing that was intelligent about this investment. In addition to providing customer choice, the biggest benefit for CBA was in promoting efficiency and automation.

Risking a 100 year reputation. The inside story of Australia's biggest money laundering scandal https://t.co/jzQ91uYTaH — Michael West (@MichaelWestBiz) August 28, 2017

CBA was able to create huge cost savings by pushing cash transactions out of the branches and onto the streets, as well as impressing institutional investors with its efficiency strategy. IDMs were a winning proposition and marked a big step in the transformation of CBA’s customer experience. The bank was leading the charge from face-to-face banking during office hours to 24/7 banking though whatever channel the customer preferred.

“It’s a consistent strategy … invest in people, invest in technology,” Ian Narev, chief executive, said during a shareholder presentation in February 2015. During the previous six months productivity improvements had delivered A$140 million in savings to shareholders.

Face of efficiency

The automation of services that were once a staple of face-to-face banking was symbolic of CBA’s lead on the competition. In February 2015, the bank told investors its operating expenses had fallen to 42.2 per cent on a cost-to-income basis. CBA spoke of a four-pronged strategy for success:

people,

productivity,

technology and

strength.

The success of IDMs reflected why CBA were the smartest guys in the room in Australian banking. Narev and other executives could point to evidence of this in the price-to-earnings premium that his bank’s shares attracted, relative to the other three pillars.

By 2015, the IDM technology was starting to look old school but the bank was still attracting massive volumes of deposits. CBA was trumpeting its market-leading moves into a “digital banking ecosystem”, one that promised to deliver real-time banking at an “ultra-low cost” to consumers.

Behind the successful customer-facing tech-based banking revolution, however, was a creaking back-office infrastructure. The deployment of IDMs and other technology was being rushed to meet an ambitious timetable. The bank wanted to steal a march on its competitors and continue to be regarded as the best player in technology, a mantle Narev had inherited from his forebear and mentor, former chief executive Ralph Norris.

According to senior people in the risk team at the time, morale was sapped. Efficiency was being chased at the expense of compliance controls. Everywhere there was a cost centre, analysts within the bank looked at ways to streamline things. It was an approach to management and corporate efficiency Narev had honed during his decade as a star performer at consultancy McKinsey.

“Efficiency was being chased at the expense of compliance controls”

“If you had a project and you wanted to get approval for it you had to present a business case. Things were funded on a project basis. So if you wanted the project to go ahead you had to be able to demonstrate the business benefits — and they needed to be several multiples of the money spent,” a bank insider said, on condition of anonymity.

This approach to cost control was an organisational mantra. In the construction lending area, for instance, the bank discovered it could dispense with site checks prior to progress payments, another bank insider said.

“These on-site checks cost time and money. They delayed payments to builders and the costs were difficult to pass onto customers. A historical data analysis found that the bank virtually never made losses as a result of fraudulent progress payments. Someone made a commercial decision that you could do away with these controls,” the source said.

The savings were relatively small but it was the idea that mattered. CBA had found savings other banks had missed and this thinking flowed through to greater profitability, higher dividends, bigger bonuses and possibly even options being “in the money”.

“Management just ignored anyone within the bank who warned this was a high-risk strategy. Passing on bad news basically wasn’t a good career move,” the source said.

Before long, however, criminal syndicates got wind of the changes. Fraudsters discovered that CBA’s elimination of these controls meant they could come up with fake developments and draw down progress payments without any checks on physical construction.

“The bank only discovered this when it found out it had a A$30 million liability to a fraudulent commercial development,” the bank insider said. “And that’s just the one I knew about. No doubt there were many more.”

Eerily familiar

There are no shortage of international case studies where banks that sideline their risk and compliance teams enjoy rapid short-term profitability, while the tail risks accumulate.

With IDMs, by mid-2015 the situation was becoming eerily familiar. The machines were a success in terms of customer activity but had become deeply unpopular within the branches and the financial crime teams.

At Leichhardt in Sydney, for instance, branch staff were at their wits end. The team had been observing continual suspicious deposits, secret alarms linked to the IDMs were going off and machines were even jamming through over-use. The branch sent an email to the Group Security team on June 30, with the desperate subject header “Urgent!!!”.

“We have had people coming in and depositing about 5 times into account with $50 notes.. this is just short of $10,000.00 Then that night there is a transfer sent to china for just short of $50K. The person who is making the deposit would clearly know the process as sometimes they deposit into all different accounts until the ATM is full then leave,” the email said. “I believe that there should be other security measures in place as this is crazy.. if you review these people’s accounts they have sent millions and millions overseas!!”

In fact, the launderers had worked out that Commonwealth Bank’s IDMs contained two cash cannisters, both of which could accept 3,000 notes. So a “smurf” could deposit up to $600,000 into a single machine before having to move on down the road to the next one.

On August 20 a customer fed so many A$50 notes into the branch’s IDMs that the internal alarm sounded three times. A banker went outside to investigate and saw a person who he described as: “Male who was tall with black hair of Asian background.”

When the account was investigated they found that it belonged to someone with an “anglo name and NSW drivers licence as ID”. The funds were sent immediately to an individual in Hong Kong. The Group Security team decided that the account activity was linked to a Malaysian laundering syndicate.

As luck would have it, around this time AUSTRAC uncovered what appeared to be a small problem with CBA’s transaction reporting. Routine data analysis in AUSTRAC’s financial intelligence unit revealed that two threshold transaction reports (TTRs) had not been filed.

Peter Clark, AUSTRAC’s acting chief executive, told a Senate committee on Friday the regulator followed this up with CBA. It was the tip of the iceberg.

“[The investigation] was a result of AUSTRAC identifying two threshold transaction reports that had not been identified to us. We made enquiries to the bank and as a result of that we became aware of other issues,” Clark said.

No admission

Commonwealth Bank executives had no idea at this stage that they had just stumbled into Australia’s largest-ever money laundering scandal. At the time AUSTRAC had never used its civil litigation powers. A few weeks earlier it had launched civil proceedings against gaming giant Tabcorp for AML breaches but this was in its early stages. Anyone doing a risk assessment on the likelihood of getting fined by AUSTRAC would have deemed it to be a non-existent threat.

Many months later, when the scope of the allegations became apparent, CBA still believed it could resolve the matter with an enforceable undertaking without any admission of liability.

According to Clark, AUSTRAC spent months investigating and attempting to resolve the matter with CBA. The two missing transaction reports ultimately led to the discovery of another 53,504 reports, AUSTRAC’s claim says. CBA took the view that the missing TTRs, which ran over three years, were the result of a single technical breach and should be treated as such.

AUSTRAC differed. The more the regulator looked into CBA’s compliance controls, the more problems it found.

Alarmed, the regulator quickly organised a targeted on-site review at the other major banks. Sources at one “big four” bank said they had been preparing for a visit based on correspondent banking in October 2015. Without explanation, at the last minute the thematic review changed to “smart ATMs”. The financial crime teams were left scratching their heads as to why AUSTRAC was suddenly more interested in basic ATM controls than the more complex issue of “corrie banking”. They decided the regulator was just trying to keep them on their toes.

At the Senate committee hearing, Clark said these on-site reviews did not uncover any systemic issues across the banking sector. Some of the banks had exceptional controls in place designed to mitigate the risks associated with such a high-risk channel (non-face-to-face cash placement).

“We undertook an examination of the other major banks in terms of their IDMs. We were satisfied that they had thresholds that were less than the reporting threshold for their transactions and they had in place mechanisms to monitor and report,” the AUSTRAC chief said.

The other banks were understood to have coded in limits of A$4,000 to A$5,000 for cash deposits into their smart ATMs. At ANZ, for example, there was a 50-note maximum. Any higher than that and the customer would be required to enter the branch.

This was the way ANZ managed this risk associated with its smart ATMs. The bank viewed non-face-to-face cash deposits as “high risk” under the AML regime and set their compliance controls accordingly. ANZ, Westpac and National Australia Bank all made sure they had stringent controls around transaction monitoring — and reporting — to manage the inevitable risk that criminals would try to exploit this cash placement channel.

At CommBank, however, forcing customers with large cash deposits back inside branches would have undermined the whole ethos and business case behind the move towards automated banking. There was a fundamental tension at play between the risk and commercial teams.

Heading to court

By the time AUSTRAC detected 174 allegedly late or missing suspicious matter reports at CBA, as well as missing reports relating to five terrorism financiers, the most serious type of reporting failures, the matter was heading for court.

CBA, like Tabcorp before it, has said it was blindsided by AUSTRAC’s decision to file civil penalty proceedings. The bank said it believed it was working through the issues with AUSTRAC. To support the bank’s position, sources said the other three “pillar” banks resolved much more serious AML breaches quietly, without publicity or fanfare, by spending hundreds of millions on remedial action under a previous AUSTRAC chief executive.

AUSTRAC, on the other hand, said it had explored all other options before pursuing civil enforcement action against CBA. It described litigation as a last resort.

“It’s not something we take lightly. We give very careful consideration to measures we seek to apply in terms of addressing non-compliance, particularly when it’s of a serious nature. So a lot of careful consideration was given before filing civil penalty proceedings in this case,” Clark said.

The CBA, meanwhile, is preparing its response to what is likely to be Australia’s largest ever regulatory enforcement case. The TTRs alone, which CBA acknowledges were not lodged in accordance with the law, could lead to a fine that eclipses the Tabcorp penalty. Although the Federal Court is likely to regard TTR breaches as being less grave than suspicious matter reporting failures (the type that dominated the Tabcorp case), the sheer number of alleged breaches in this case puts it in a very serious category.

Risking a 100-year reputation

Over at Commonwealth Bank, some staff are trying to work out why the bank would gamble its reputation on such a risky line of business. They are questioning why the IDM revenue was worth the potential damages, be they political, reputational or financial.

The statement of claim shows CBA made just A$22 from each transaction of illicit funds to Hong Kong as well as, presumably, clipping the ticket on forex. The bank had also spent significant money rolling out physical alarms on IDMs, transaction monitoring software and the operations team were set up to report TTRs and SMRs to AUSTRAC.

When banks allow themselves to be used in the placement stage of the money laundering cycle, the deposits are notoriously “unsticky”. Criminals want to move those funds on as quickly as possible. This was why IDMs proved so attractive to launderers. Provided there were “smurfs” willing to feed cash into ATMs, 200 notes at a time, the kingpins behind the laundering syndicates did not need to step foot in Australia. They could sit in Malaysia, or anywhere with an internet connection, and watch the funds landing into fake accounts in real time. This was one of the joys of the push towards real-time 24/7 banking.

The hapless “smurfs”, on the other hand, were taking all the risk and being paid A$300 to A$400 per day. Several of them are now serving prison sentences in New South Wales and Western Australia for their involvement in the laundering schemes.

More than words

The Commonwealth Bank has been hamstrung, to a large extent, in its ability to respond to the allegations in AUSTRAC’s claims. The bank is working on its response but does not have a timeline yet for its likely submission to the Federal Court. A spokesman said this defence would take “significant time to prepare”.

A spokesman stressed that the bank would “never undertake action that enables any form of crime.”

“We can’t share any detailed information about the claims or our own defence because court proceedings are on foot and providing this information may prejudice our position,” he said.

In a media briefing Narev said there was no suggestion that CBA had obtained any commercial benefit as a result of the alleged breaches, including the failure to lodge TTRs.

“There is no economic reason that would underpin the alleged activity and that is not part of the equation,” Narev said.

Insiders have asked why the bank would risk billions in fines and endless column inches of bad publicity, if there was no commercial return. CBA is Australia’s most widely held bank share. It risked alienating 800,000 families who own its stock by facilitating the laundering of black money from the meth trade — and possibly even financing terrorism.

The words “trust” and “culture” are the hallmarks of any Commonwealth Bank presentation. Ian Narev, as chief executive, was the chief advocate of that promise.

Narev told a “Meet the CEO” forum at the UNSW Business School in November 2015, well after the money laundering problems had come to light, that being custodian of the century-old reputation of the Commonwealth Bank of Australia was one of the greatest honours — and responsibilities — of his career.

“I’m a huge believer in the importance of me, and our people, really understanding the history … Two weeks after I started the role, in December 2011, was the centenary celebration. There was a wonderful celebration at the Hordern Pavilion. It was started with a kind of walk through the years of the Commonwealth Bank’s history. And the way I describe it is that I was walking through with my wife Francis, going to the dinner, and all I could hear was these voices saying: ‘Do not stuff up this institution’,” he said.

“You get this fabulous appreciation for the history of the institution, and the fact that it was the Reserve Bank and it was government owned. That does create different franchise benefits and a higher degree of scrutiny on certain things, and we embrace both of them.”

As Narev prepares to step down from his career-defining role, he will doubtless be reflecting on the condition in which he leaves the bank.

The board’s reaction to the AUSTRAC litigation has shown that when it comes to banking there are few things that trigger the public’s ire more than an institution that allegedly facilitates the drug trade or terrorism. As the litigation drags on, shareholders will be asking themselves why the bank’s senior managers thought the IDM strategy was a winner and where the financial benefit was to at least offset the risk.

The bank’s IDM strategy (coupled with the instantaneous A$22 conduit to Hong Kong) was flawed from the outset. Sources close to the bank said it never believed AUSTRAC would dare to take it on. It was a bank that sidelined the warnings from the risk division, while operations failed to lodge basic financial intelligence reports for three years and the commercial units had a monopoly on senior management’s ear. The bank ignored warnings and pared back risk controls in pursuit of greater efficiency.

CBA’s board will now begin the job of restoring the bank’s brand. Shareholders will pay fines for the board and management’s errors of judgement, while executives have their bonuses docked and move on. There will likely be a management “refresh” and CBA will doubtless come back with a very public focus on trust and culture.

One thing is unavoidable though. As senior managers walk away, down those hallowed hallways for the last time, there will be the deep baritone of history ringing in their ears.

Nathan Lynch is Regional Bureau Chief Asia-Pacific, Financial Crime and Risk, Regulatory Intelligence, Thomson Reuters.