CBA allegedly took two years to fully fix its IDM software error

The Commonwealth Bank did not fully rectify the "coding error" at the centre of the money laundering and terrorism financing scandal engulfing the bank until two years after it first discovered the problem.

CBA has been taken to court by financial regulator AUSTRAC for allegedly failing to properly report $77 million in suspicious transactions that flowed through its intelligent deposit machines (IDMs) over three years.

The bank introduced the intelligent deposit machines - a form of ATM - in May 2012. The machines instantly credit cash and cheque deposits to the recipient's account, and make the funds immediately available for transfer, including internationally.

They are capable of accepting up to 200 notes per transaction - and therefore a maximum $20,000 deposit per transaction - but have no daily transaction limit.

AUSTRAC says CBA did not assess the potential for money laundering and terrorism financing to be conducted through the IDMs before it rolled the technology out.

It claims no such assessment was undertaken until three years later in July 2015, after $8.9 billion in cash deposits had passed through the machines.

According to AUSTRAC, CBA failed to act despite an "exponential" rise in deposits, warnings from its transaction monitoring systems, and police identification of money laundering through the machines.

What went wrong?

Banks are required to report to AUSTRAC any "threshold transactions" (TTRs) involving more than $10,000 in physical currency within 10 business days.

CBA failed to meet the deadline for reporting for 53,506 such transactions between November 2012 to September 2015, AUSTRAC alleges.

These transactions represented around 95 percent of all TTRs made through the bank's IDMs in that period, at a value of $624.7 million.

A number of these late - if at all - reported TTRs were allegedly connected to money laundering syndicates under investigation by the AFP, while others had been allegedly assessed by CBA as posing a potential risk of terrorism financing, AUSTRAC's court documents made public yesterday state.

AUSTRAC said it has identified significant policy and governance failures with CBA's approach to its suspicious matter reports to the financial regulator.

But it also revealed that CBA's efforts to fix what it has called a "coding error" that prevented TTR reports from being created took a full two years to complete.

The unidentified error - CBA declined to comment - was first spotted on June 16 2014, and affected the monitoring of 778,370 accounts, according to AUSTRAC.

CBA updated its financial crimes platform to resolve the error for active accounts within the affected bundle on September 14 that year, but this didn't fix the issue for all the targeted accounts until November 30.

Further, the error was not resolved for all of the inactive accounts within the 778,370 until September 27 2016, AUSTRAC alleges.

CBA said its IDMs have been providing the correct threshold transaction reports since September 2015.

The bank's board today voted to cut executives' short-term variable bonuses for this year over the scandal, and reduce non-executive director fees by 20 percent.

The matter is listed for its first case management hearing on September 4. 

Update 9/8: On Wednesday CBA said it would spend $40 million over the next 12 months upgrading its financial crimes platform to new, unspecified, technology.