The amazing AUSTRAC versus CBA turmoil

The SMSF trustee suggestion is understandable in the light of the community exasperation, but it will not work. Like posting a cop in every bed-room to avert marital discord, the costs will overwhelm the economy, and by all accounts governments and regulators have not shown themselves any more adept at identifying wrong doing than internal check(er)s and balance(r)s. We are left with risk-based investigation, looking for signals and clues with a healthy dose of disbelief. This is how Austrac would have stumbled onto the money-laundering saga.

OK, which is an admission that no system is perfect. So how about instead of threatening wealth-eliminating fines or starting up stupid class action court cases, we admit that mistakes can happen and let the CBA get on with the job of taking deposits, making loans and earning interest to generate a profit for shareholders and support economic activity. That is their core business, not policing criminals, isn't it?

How about the Government requires a download of all bank transactions to their own system and then they do some investigation themselves? Yes, expect the banks to have proper Know Your Customer processes in place and be part of the solution, but wouldn't a more co-operative approach, with lots of sets of eyes on things, be more effective? If the bank sees something, alert the regulator and both can investigate. If the regulator sees something, then talk to the bank about it and work out what's gone on together. The current arrangement, where threats of heads rolling and shareholders losing wealth are the modus operandi, seems socially and economically inefficient to me.

Merely outsourcing criminal activity detection to any organisation - be it a bank or a bakery - that does not have such things as its core activity nor motivation for being in business is simply bad policy implementation.

Having worked in the retail side and compliance in industry, and since with the prudential regulator, the following lessons from the CBA Austrac saga spring to mind:
1. Every innovation ('Intelligent ATMs') evokes wide-eyed enthusiasm and the wish to exploit the novelty before it gets copied around. Those who point out weaknesses and risksw and require controls are often dismissed as 'party poopers', until the poo lands on the party.
2. Financial controllers must question excessive cashflow and profits as much as they quiz low figures: like a doctor suspecting cancerous growth in a lump, someone / business might be out of control. Healthy cynicism is the antidote to hindsight torture. Witness: Barings.
3. Just as Boards and management take credit for collective good results, they cannot escape blame for group fiascos. Corporates and HR have not worked out a way to recognise those who avert losses and disasaters as much as those who produce revenue. Heard of the Internal Auditor heading up the bonus list, ever?
4. External audits seldom capture such wrong-doing given their materiality thresholds, reliance on managemenr representations and limitation of compensation to a multiple of fees.
5. The conundrum is punishing the corporate, without punishing the passive shareholders who entrusted the job to the board and executive. Similar to the culpability test in APRA-regulated super, we need to isolate the real wrongdoers and exempt the innocent to avoid a double whammy (share price crash & effect of large fines).
6. How do we value and monetise the national and community detriment caused by helping money laundering?

Leigh's comment on a dramatic change in the number of Austrac reports during the 2012 to 2015 period was something that stood out to me when I read press reports on the matter. You would think somebody along the chain would notice they were not getting these reports any longer.

Like Graham, I find the CBA's position hard to believe.

In the banking world the need to report suspicious transactions has been drummed into employees for years. For those who were in banking before the late 80's - compliance was very important. In those times we had audits - real audits.

I even found in my short time in CBA, since the late 80's, many things had solid black lines - policy ruled. In many respects some approaches were from a bygone era.

There were other things that I saw which were, well less desirable.... much less desirable.

There were other things that had crept into banking [ as it has in many businesses ]. We saw the employment in senior management, and even at lower levels, of people who did not know the industry, people who didn't understand compliance, people who hadn't been through... "training".

Experience and knowledge was undesirable, sales were a necessity, as too were the opinions of consultants [some were even employed].

Cross-sell; share of wallet; referrals; targets - that was the new vocabulary - and instead of looking after clients.... well.

In my many studies I learned that the audit function in relation to "technology" included a "systems audit" - to check and test the inputs, the processes the computer system did, and the outputs.

Importantly, if you are changing code the use of a test environment and comparing it to an existing system will help to identify oversights. The auditors could "compare the pair".

Now, I read about a single line of code that was overlooked in 2012 that was not known about until 2015.... how many software changes were there over those 3 years.... AND no-one, at any time, did an appropriate audit to check the functioning of the system? Is that what we are to believe?

Didn't anyone notice a dramatic change in the number of Austrac reports?

Ha, I may as well go further....the External Auditors - did they ask what checks had been done on the computer system? Did they check it? And the regulators, did they do anything? What does supervision really entail?

PLEASE .... spare me the excuses... people haven't been doing their jobs!

Leigh, you've nailed it in one...well said. All care, no responsibility...there should be some within CBA feeling very nervous about their tenure.

This is going to make it even more difficult for the honest client to open new accounts with banks and be reluctant to switch accounts with all the endless paperwork involved. As an existing customer with a major bank I wanted to place funds in a term deposit from my Super fund. It took me 90 minutes spread over 2 days at the bank for them to understand the basic documents I had to provide..
company details,trust deeds, more I.D, etc. and they still were not sure what they were doing.
It appears the more hoops and hurdles that are thrown up in dealing with everyday banking, the more
the crooks find ways around them. Staff are obviously not trained properly and senior management have no idea what is going on at the shop front.

Probably fair to say that codifying & outsourcing ethics rather than having it as an innate attribute of professional bankers has not been a rip-roaring success - with due recognition to the many bankers who still retain a moral compass. Still, society gets the banks and bankers it deserves, just as it gets the politicians it deserves and the tax code it deserves. We're all responsible. Sigh.

Hi Graham, I have a very clear opinion why money laundering could take place without anyone reacting, despite a high number of controls (Risk, Compliance, Internal Audit, HR, IT security, reviews, signoffs, committees, policies, procedures, charters, etc). I fully understand and support the need for all controls but the behaviour of the "control" teams is often detrimental to their organisation. To them, the quantity of controls matters more than their quality and their big pleasure is to catch people out. Many of them have a terrible approach and are instilling the wrong box ticking culture into their organisation. Many staff have simply given up doing things right because common sense and initiative have become too hard. Nobody can be blamed for following a procedure blindly and we all know that despite the official spiel, we can't speak out when we see issues. People who do speak out are silenced and ridiculed (Amber Harrison, Julian Assange, Edward Snowden, Chelsea Manning are just the most famous ones). I would like to get the views of psychologists on the effect of controlling staff like children. Does it really work ?

When I wanted to discharge my mortgage this year the CBA couldn't find the title and blamed me as I must have taken out a second mortgage hence they didn't or couldn't find the title- I told them I think I would know if I had a second mortgage. Turns out the titles from Tasmania were sent to Victoria in the 1990s without any communication to mortgage holders so the problem was CBAs own poor housing keeping after some 6 weeks I finally got my discharge. When its their error they simply wont admit the error at first instance.

I'm more interested in why they didn't disclose to the ASX when they first knew of the problem 2 years ago, what the ASX has to say about it, and why the CBA Board have not commented on that issue. The ASX say they won't comment while an investigation by Austrac is ongoing - so this will drag on for a very long time I imagine as it goes through various processes.

Unfortunately, the CBA's attempted "one coding error" defence seems to be their go to default position.
For years I contributed to my kids' Super in CBA owned CFS. Despite clearly labelling the deposits "personal non-concessional" CFS deducted 15% contributions tax, robbing my kids' Super.
When I complained, CBA wrote to me citing a coding error and tried to blame me!
It's hard to think well of the CBA who, in my view, deserve everything coming to them...

I do love your newsletter. The CBA article had us laughing out loud, I haven't heard it put so well.

G’day Graham, CBA v Austrac….unbelievable. I was speaking to someone in CBA yesterday and as you would expect, EVERYONE is checking every customers ids. Maybe we should start an AML Bullet-Proofing business!

Chris