Commonwealth Bank anti-money laundering breach allegations


The Commonwealth Bank of Australia (CBA) is dealing with allegations that it committed over 50,000 anti-money laundering breaches.

On 3 August 2017, Australia’s financial intelligence agency, AUSTRAC, started civil proceedings against CBA.

AUSTRAC claims CBA breached the Anti-Money Laundering and Counter-Terrorism Financing Act 53,700 times.

The allegations concern CBA’s rollout in May 2012 of its Intelligent Deposit Machines (IDMs), which customers use to deposit cash and cheques.

It’s said CBA failed to identify certain deposits made via the machines as suspicious. Nor did it submit correct transaction reports to AUSTRAC within the correct time – which can attract fines of up to AUD$18 million.


Commonwealth Bank’s role in assessing money laundering risks

The CBA case highlights the role banks play in assessing money laundering and terrorism financing (ML/TF) risk. Financial institutions must uphold high standards to combat ML/TF.

The law imposes various obligations on ‘reporting entities’ such as CBA. For example, there’s a key obligation to establish an AML/CFT program to identify, mitigate and manage ML/TF risk.

According to AUSTRAC, CBA did not adequately assess the machines’ money laundering and terrorism financing (ML/TF) risk between May 2012 and September 2015. In particular, AUSTRAC says CBA failed to:

  • comply with its AML/CFT program
  • carry out ongoing due diligence
  • report 53,506 threshold transactions totalling $624.7 million
  • report suspicious transactions totalling over $77 million


Fintech and regtech implications of Commonwealth Bank case

For its part, the Bank argues that the breaches occurred as a result of a coding error. This error, the Bank says, prevented its machines from raising the red flag on so-called ‘threshold transactions’ of over $10,000.

For this reason, commentators, in analysing CBA’s use of deposit machines, will almost inevitably focus their scrutiny on the rise of technology in financial services, or ‘fintech’.

But fintech is only part of the story. The other part concerns ‘regtech’.

Regtech – the use of technology to facilitate regulation and promote cultures of compliance – is a burgeoning field. And it’s rapidly transforming the way organisations are preventing and identifying breaches.

So this case poses an interesting question about how regtech can assist reporting entities like CBA. Does a better way exist to embed ‘compliance by design’ into deposit machine technology?

Or to put things differently: what’s the most effective, most secure way to identify red flags, before either reporting entities or the regulators have to identify suspicious transactions manually?


