Commonwealth Bank of Australia (“CBA”), the largest bank in Australia, has agreed to a proposed civil settlement — subject to court approval — of historic proportions, involving a fine of approximately $700 million Australian dollars (roughly equivalent to $530 million U.S. dollars) regarding numerous alleged Anti-Money Laundering (“AML”) and Counter Terrorism Financing (“CTF”) violations. The settlement is with the Australian Transaction Reports and Analysis Center (“AUSTRAC”) – a government financial intelligence agency whose counterpart in the U.S. would be the Financial Crimes Enforcement Network (“FinCEN”) — and represents the largest such enforcement action in the history of Australia. Under the settlement, AUSTRAC also will recoup its legal costs of $2.5 million Australian dollars.
As we have blogged, AUSTRAC filed on August 3, 2017 a claim seeking civil monetary penalties against CBA for over 53,000 alleged violations of Australia’s AML/CTF law. Although the case involves several types of alleged AML violations, it fundamentally rests on the bank’s use of so-called intelligent deposit machines (“IDMs”), a type of ATM which allowed customers to anonymously deposit and transfer cash. Unfortunately, and perhaps not surprisingly, the IDMs also became an alleged favored conduit for money laundering by criminals involved in drug trafficking and illegal firearms.
In its press release regarding the settlement, CBA, through its new CEO, apologized and stressed that CBA has taken the following remedial steps:
- Spent over $400 million “on systems, processes and people relating to AML/CTF compliance;”
- Hired additional financial crime operations, compliance and risk professionals, so as to employ over 300 such professionals;
- Strengthened its Know Your Customer policies by establishing “a specialist hub providing consistent and high-quality on-boarding of customers;”
- Enhanced the technology used to monitor accounts and transactions for suspicious activity, and to perform digital electronic customer verification to reduce the risk of document fraud;
- Imposed an account-based daily limit of $10,000 for cash deposits using IDMs;
- “[C]hanged senior leadership in the key roles overseeing financial crimes compliance supported by significant resources and clear accountabilities;”
- “[S]tarted implementing our response to the recommendations provided to us by our prudential regulator;” and
- Adopted a risk-management approach which recognizes the importance of non-financial risks, including a process to escalate operational and compliance issues.
Further, CBA noted in its press release what it had done during the relevant time period: filed over 44,000 Suspicious Matter Reports, including 264 relating to the individuals or organizations at issue in the enforcement action; submitted a total of over 19 million reports to AUSTRAC; and responded to approximately 20,000 law enforcement requests for assistance in 2017. Despite these reforms and compliance efforts, the proposed fine against CBA is severe, presumably because the allegations were so egregious. The action represents a case study regarding the need to meaningfully address red flags in a timely manner, and the consequences that can ensue when compliance risks are recognized but still not acted on.
CBA summarized its admissions in the proposed settlement as follows:
- Late filing of 53,506 Threshold Transaction Reports for cash deposits through [IDMs].
- Inadequate adherence to risk assessment requirements for IDMs on 14 occasions.
- Transaction monitoring did not operate as intended in respect of a number of accounts between October 2012 and October 2015.
- 149 Suspicious Matter Reports were filed late or were not filed as required.
- Ongoing customer due-diligence requirements were breached in respect of 80 customers.
Focusing on the IDM services, the Statement of Agreed Facts and Admissions (“Statement”) filed by AUSTRAC explained that, “[i]n contrast to an ordinary or older ATM, any cash deposited through an IDM is automatically counted by the machine and is instantly credited to the nominated beneficiary CBA account. Those funds are immediately available for transfer, including for international transfer.” According to AUSTRAC, the AML/CTF “risks of providing designated services through IDMs were high and obvious at all relevant times because cash could be deposited anonymously at any time at hundreds of locations and transferred immediately, either domestically or international, without any limit being imposed.”
Although the technology behind the IDMs sought to generate automatically a required report to AUSTRAC whenever the amount of cash deposited was $10,000 or more, the system contained an inadvertent but major glitch: the system was not configured to recognize one of three relevant transaction codes pertaining to cash deposits. As a result, over 53,000 reports regarding cash deposits were never generated and sent to AUSTRAC, as intended, until the glitch was detected in 2014 and fixed in late 2015.
More generally, the lengthy statement filed by AUSTRAC alleges in detail how, over the years, CBA began to realize that money laundering likely was occurring through its IDMs, and even filed certain Suspicious Matter Reports accordingly, but nonetheless failed to perform adequate risk assessments or introduce any new or appropriate risk-based controls to manage and mitigate the high risks admittedly posed by the IDMs. In particular, paragraph 39 of the Statement sets forth a litany of failures stretching from 2012 through 2017 to perform sufficient periodic risk assessments or introduce appropriate risk-based controls regarding the IDMs, despite the alleged awareness by CBA that the IDMs were being used to further serious criminal activity.
An exacerbating factor likely was the fact that the amount of cash being deposited through the IDMs ballooned from $868,825 in May 2012, when the product was first rolled out, to approximately $1.7 billion in May 2017. AUSTRAC may have viewed that trend as reflecting not just evidence of growing abuse, but also an institutional preference for profit generation over action on acknowledged compliance concerns.