Skip to content

Australian banks reassessing risks amid unprecedented enforcement action: sources

In the wake of an unprecedented lawsuit against Commonwealth Bank of Australia for alleged compliance violations, other lenders are re-evaluating their own risks and adjusting to a potentially more aggressive regulatory climate, say sources.

On August 3, the Australian Transaction Reports and Analysis Centre, or AUSTRAC, accused the country’s largest financial institution of violating anti-money laundering rules on nearly 54,000 occasions by failing to gauge the risks posed by cash-deposit machines, file timely reports on large cash transactions, monitor specific clients adequately and report suspicious behavior even when warned by law enforcement.

AUSTRAC claimed those violations caused Commonwealth Bank of Australia, or CBA, to overlook transactions tied to four criminal syndicates, allowing the groups to launder almost $80 million through the bank’s cash-deposit machines.

While the lawsuit largely focuses on claims that CBA failed to monitor certain types of cash- deposit machines, regulators especially took issue with the bank’s apparent failure to assess the specific compliance risks associated with the products before and after bringing them online.

Several attorneys and consultants contacted by ACAMS described handling a barrage of phone calls from financial services firms eager to understand how closely their own compliance programs resemble that of CBA since the lawsuit.
“Everyone is having a much, much closer look at their obligations and their systems to make sure that this [lawsuit] doesn’t happen to them in the future,” Ehsan Fallahi, a compliance attorney with MistryFallahi in Sydney said.

According to Anthony Quinn, a Sydney-based consultant and founder of Arctic Intelligence, self assessments remain a weak point for several of the country’s financial firms, many of which use overly simple methods of calculating their risks.

In 2015, the Financial Action Task Force, an intergovernmental group that sets global AML standards, claimed in a mutual evaluation that the “big four” Australian banks were well aware of their obligations, but the country’s legal framework still fell short by not requiring more robust customer due-diligence processes.

FATF also criticized Australian law enforcement for launching a relatively low number of money laundering investigations and criminal prosecutions.

“An underlying concern remains that the authorities are addressing predicate crime rather than money laundering,” FATF said.

In the days after the lawsuit was announced, two other large Australian institutions, ANZ and Westpac, said in statements that they are complying with AML regulations and were not involved in money laundering. ANZ said it had conducted appropriate risk assessments and that its cash-deposit machines were inspected and approved by AUSTRAC this year.

Yet court documents filed by regulators suggest that some of the criminal syndicates that took advantage of CBA’s allegedly lax oversight also laundered cash through other Australian banks, though those lenders are not cited by name.

The civil action against CBA is unique in part because of the maximum potential fine it carries. Given that AUSTRAC cited over 53,000 violations, and the maximum penalty per violation can reach as high as AU$18 million ($14.2 million), the total penalty could easily reach billions of dollars.

Such a figure would shatter the current record for a civil corporate penalty, which was set in March when Tabcorp gaming company was fined $45 million for 108 violations stemming from its failure to implement a robust compliance program for three years and identify a customer who collected $100,000 in winnings.

The lawsuit is also notable in that AUSTRAC chose to pursue an enforcement action against the largest financial institution in Australia after a fairly quiet decade of supervision that followed the country’s adoption of the Anti-Money Laundering and Counter-Terrorism Financing Act in 2006.

Before Tabcorp, the largest fines were imposed in 2015 via a pair of infringement notices against MoneyGram for a combined $500,000, after Remittance firm Ria Financial Services Australia paid $225,600 in 2013. A handful of other large institutions have received “enforcement undertakings” that carried no penalties, according to AUSTRAC’s website.

Intelligent machines

The “intelligent deposit machines,” or IDMs, tied to the bulk of CBA’s alleged violations have proven popular with customers working unconventional hours who use them to make cash deposits at any time of day, said Aub Chapman, a former auditor with Westpac Banking Corporation.

That convenience helped fuel an exponential growth in use of the machines: from $90 million in total deposits in the six months that followed their November 2012 debut, to $1 billion in June 2016 alone.

The bank’s machines could accept up to 200 banknotes—a maximum of $16,000 per customer interface—but were not programmed to obtain identifying data from the person making them, even if he or she was a customer of a different financial institution. The funds had to be credited to an accountholder at CBA, but could then be wired elsewhere with relative ease.

Thousands of the deposits were structured and showed other indications that they constituted the proceeds of crime, AUSTRAC said, claiming that many of the funds were wired from CBA accounts to beneficiaries inside and outside of Australia shortly after being deposited. AUSTRAC said that many of the deposits generated transaction-monitoring alerts, but by mid-2015, when the bank finally decided to assess the risks posed by IDMs, they had already taken in nearly $9 billion.

That sum includes 53,000 transactions that should have been reported quickly because they were over the currency-reporting threshold of AU$10,000, according to the lawsuit.
Days after the regulatory action was announced, CBA Chairman Catherine Livingstone said the vast majority of the violations could be traced to a “coding error,” adding in a subsequent statement that the bank plans to invest $31 million in new compliance technology over the next 12 months.

But on those instances when CBA managed to identify potentially illicit activity, its process to notify law enforcement was obstructed by its own internal policies—including an expectation that staff refrain from filing “suspicious matter reports,” or SMRs, if similar behavior in the previous three months had already triggered such a disclosure.

CBA even “ignored” notices from law enforcement about suspicious activity involving some of the bank’s customers, and often focused their internal deliberations primarily on whether to file a SMR, rather than conduct any enhanced due diligence or consider terminating the account.

A pair of individuals moving funds for a criminal syndicate structured more than $20 million in cash deposits via IDMs through a network of 30 accounts, all but one of which were opened under fake names. The deposits were then wired abroad, including $9 million to Hong Kong.

In 2014 and 2015, another group that imported narcotics managed to deposit $27 million cash into a single account, including regular single deposits at CBA branches that totalled $532,000 before the funds were wired to unspecified offshore accounts.

The bank considered the account to be suspicious, but filed an SMR on the account only “every 3 months or so” and allowed the activity to continue without proactively monitoring the account, according to the enforcement action.

CBA has also disclosed plans to recruit 50 anti-financial crime employees, create a subcommittee with four directors who will guide the bank’s overhaul and interaction with regulators, and change “senior leadership” responsible for risk and compliance.

The bank said in a statement Monday that it was preparing a response to AUSTRAC’s 580- page complaint, which has yet to be made public.

News of the lawsuit has accelerated previously stalled legislation to improve the country’s controls against money laundering and terrorist financing, including by allocating additional funds to AUSTRAC, the Australian reported.

Originally posted in

Posted in , ,