AUSTRAC and CBA Settlement



"On 3 August 2017, the Australian Transaction Reports and Analysis Centre (AUSTRAC) commenced legal proceedings against CBA in the Federal Court of Australia (proceedings NSD1305/2017).  

The proceedings related to CBAs Intelligent Deposit Machines (IDMs), an ATM that accepts deposits by cash and cheque which are automatically counted and credited to the nominated account at the time of the deposit.  The funds are immediately available to access and transfer, both domestically and internationally. The IDM could accept up to $20,000 per deposit, and there was no limit to the number of deposits a customer could make per day (since these proceedings were commenced the deposit limit has been reduced and a limit has been placed on deposits per customer per day). 

 According to the Concise Statement filed in the proceedings on behalf of AUSTRAC, within the first six months of the IDMs being rolled out just over $89 million was deposited through the machines.  Then, in the six months from January 2016 to June 2016 this figure grew to just over $5.8 billion.   These figures are mind-boggling to me, but apparently not to CBA because these figures were not sufficient to cause CBA to think about risk assessment in the context of Anti-Money Laundering and Counter-Terrorism Financing.  These figures were apparently not worthy of attention to matters like transaction monitoring, suspicious transaction reporting, customer due diligence or identification risk assessment.  According to the court document, it was 3 years and more than $8.91 billion later, before CBA conducted any assessment of risks associated with its IDMs. 

The allegations made against CBA by AUSTRAC in its pleadings include: 

‘serious and systemic non-compliance’ with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006(more than 53,000 times);

failure to monitor suspected terrorist financiers;

failure to comply with obligations and procedures to manage risks associated with facilitating money laundering or financing terrorism;

failure to carry out any risk assessment prior to the roll out of the IDMs; failure to carry out risk assessment in response to the exponential rise in cash deposits through IDMs, nor in response to alters raised by internal transaction monitoring systems -  the list goes on. 

The proceedings were referred to mediation which took place at the end of May this year.  The matter settled and according to the statement issued by AUSTRAC’s CEO on 4 June agreement was reached between AUSTRAC and CBA whereby CBA admitted to 53,750 breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and agreed to pay a financial penalty of $700 million plus legal fees (still to be formally approved by the Federal Court). 

 The statement goes on to explain that ‘CBAs compliance failings translated into serious and organised criminals exploiting the financial sector to launder the illicit proceeds of their criminal activities…’.  The statement later tells us that ‘CBA has commenced a plan to rebuild its compliance program’.  I suspect the public are supposed to take some sort of comfort from this.  

On one hand, the settlement and position taken by AUSTRAC may sound impressive, especially when reported as the largest civil penalty ever ordered in Australia.  But where is it reported that the total exposure to CBA is in the billions when one does the math and calculates the penalties for each of the breaches it committed?  

The billions.

 Why are we not reading about the reasons for the years of repeated compliance failures of CBA?. Other than CBA saying the failures were not deliberate, and were a coding error, there appears to be little about this.  Surely it wasn’t a coding error that caused CBA to fail to comply with its obligations to manage risk?  Or its failure to carry out any risk assessment prior to the roll out of the IDMs? 

Are the public supposed to be distracted by the impressive financial penalty, and not focus on how this was all able to occur in the first place?

AUSTRAC CEO, Nicole Rose PSM has been reported as saying the outcome sends a strong message to the industry that non-compliance with the relevant Act would not be tolerated, and “I hope this result alerts the financial sector to the consequences of poor compliance, and reinforces that businesses need to take their obligations seriously.”

This seems to fall short, in my opinion, of addressing how CBAs failures and compliance breaches occurred in the first place, and why it could conduct itself in the manner it did, for as long as it did”



Tracey Mylecharane - Solicitor

Tracey Mylecharane has more than 12 years’ experience in legal practice and has developed considerable knowledge of business and commercial law issues. She has acted for small and medium businesses across several industries and has been able to assist clients with a vast range of issues from start-up structures and systems, supplier and third-party contracts, to partnership break-ups and dispute resolution (both in and out of court).