Commonwealth Bank: Buggy software made us miss money laundering

Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m, £42.5m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC …

  1. TheElder

    Big Money

    I like the sound of ~ONE TRILLION DOLLARS. As long as they pay off all the depositors first (excepting the level 1-2s) I say go for it. It would be very instructional. We have the same rules here.

    1. Anonymous Coward
      Anonymous Coward

      Re: Big Money

      Speaking of Big Money - I'd like to see how long it takes someone to stuff $10,000 into an ATM machine. And I'd hate to be the car sitting behind him waiting to withdraw my $20 spending cash.

      1. eldakka Silver badge

        Re: Big Money

        I haven't tried to deposit money into an ATM in at least a decade, but when I did it was done via putting the cash in an envelope supplied by the ATM, not individual notes fed into it like it was a vending machine.

        1. Anonymous Coward
          Anonymous Coward

          Re: Big Money

          @eldakka - times have changed. Now you sick a wad of cash into a contraption that grabs it from you and counts it. But I think you can only stick a maximum of 50 bills in at one go, and I would suspect most money laundering isn't done with crisp, clean, large denomination bills. So you'd probably have to feed several stacks into the machine and wait as they are counted in order to hit the $10,000 mark.

          And these crooks did it over 53,000 times without setting off the alerts. They must have been camped out in front of the ATMs for months at a time.

          1. TheElder

            Re: Big Money

            you sick a wad of cash...

            SICK = "Possible mental illness"

            1. Anonymous Coward
              Headmaster

              Re: Big Money

              If you can sic a dog, you can sick [sic] a wad of cash.

          2. This post has been deleted by its author

        2. Ken Moorhouse Silver badge

          Re: I haven't tried to deposit money into an ATM in at least a decade

          I had two Bad Experiences of doing that.

          (1) The bank got raided soon after I deposited my cheques, and I had to really moan at the bank to get my money credited (weeks later), even though I had proof of deposit. (The bank's excuse was that they are not insured against this kind of eventuality).

          (2) Used one of those machines where it prints out copies of everything you submit. Ooh good! Except that the bank branch I submitted the cheques to was different to that on the printed receipt. Took an extra day for my account to be credited.

          Since then I prefer to queue. Thank you.

    2. TReko
      FAIL

      Re: Big Money

      No one is going to pay big fines.

      CBA donates liberally to both big political parties in Australia. This is protection money.

    3. CrazyOldCatMan Silver badge

      Re: Big Money

      I like the sound of ~ONE TRILLION DOLLARS

      As the old saying goes - if I owe the bank £500, then it's my problem. If I owe the bank £500 million then it becomes the bank's problem.

      1. Potemkine! Silver badge

        Re: Big Money

        if I owe the bank £500, then it's my problem. If I owe the bank £500 million then it becomes the bank's problem

        And if the bank owes you £500 million it's a taxpayers' problem

  2. James Ashton
    FAIL

    Mistakes = Liability

    I'm pretty sure that if the bank made a mistake whereby it lost $1T of funds it would be on the hook and the old "computer error" defence would not stop them being bankrupted. Also, I'd be very surprised if AUSTRAC needs to demonstrate criminal intent to nail the bank; incompetence alone should be enough.

  3. Spotswood

    Lose $70M to money laundering, potentially get fined $954,000,000,000...

    Remind me who the criminals are again here please?

    1. Anonymous Coward
      Anonymous Coward

      Lose 70M to money laundering.....

      How do you figure they lost $70M? If banks lost money on laundering, they wouldn't circumvent the reporting rules.

    2. Cpt Blue Bear

      "Remind me who the criminals are again here please?"

      If you really need someone to, it was the bank.

      They committed an offense 53,500 times and took a fee to do it each time. As Norman Fletcher said, if you can't do the time don't do the crime.

  4. TheElder
    Mushroom

    Remind me who the criminals are again here please?

    I wonder how many IEDs $70m can buy?

  5. Anonymous Coward
    Holmes

    Also - It was the Russians!!

    If they don't use that excuse, they aren't even trying. Everyone knows that big, bad Putin is digging around inside all of our computers 24/7.

  6. Anonymous Coward
    Anonymous Coward

    Outsourcing...

    From experience, the testing and validation of coding at the CBA has dropped off dramatically. There was a time when every code change was peer reviewed before it was implemented. The outsourcing of the IT meant that there were pressures on the outsourcer to cut their costs so "unnecessary" costs like code review and validation went out the window.

    AC because I worked for CBA in their IT... and had to do periodic money laundering (and terrorist watch list) checks and independent verification of reporting code.

    BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts...

    1. Doctor Syntax Silver badge

      Re: Outsourcing...

      "BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts."

      In your day. On the basis of this report, maybe not now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Outsourcing...

        "BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts."

        In your day. On the basis of this report, maybe not now.

        Oh, there are stories in the US of small business owners who have been put out of business by the government (assets seized) because they kept doing $9000 deposits....

        1. Ken Moorhouse Silver badge

          Re: because they kept doing $9000 deposits....

          Readily spotted with software that knows about Benford's Law

          1. Parash2

            Re: because they kept doing $9000 deposits....

            Yes, ACL knows all about that.

        2. Private Citizen.AU
          WTF?

          Re: Outsourcing...

          AUSTRAC notes all transactions over AUD$50, so running sub $10,000 transactions fools no-one. You may not be in the most watched category but every transaction should have been noted. It is one of the essential systems designed to find black money in our economy.

          But to claim that it was a software bug that went undetected for 3 years makes you wonder how competent the rest of their banking systems are. It beggars belief.

          It is inviting a case action.

  7. Barrie Shepherd

    "The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences."

    Software glitches aside what went on with the identity checking?

    Given the Australian addiction to identity checking for almost everything (even worse, IMHO, than the UK - I was asked for proof of ID and address when buying a $750 camera lens with cash "to prevent guarantee fraud") the CB should be taken to task for not complying with ID requirements.

    It begs the question as to how many other CB accounts are based on fake identity and are operating under the radar by just moving chunks of $9000 around.

    1. eldakka Silver badge

      The identity check requirements only require someone to present the 100-point ID check documents to the bank staff creating the account. It doesn't require the bank staff to verify with the issuing agency the ID document.

      So if the documents were either good enough forgeries such that they passed a quick visual inspection from a non-expert, or the ID is a genuinely issued ID but was obtained with fraudulent information (e.g. false information was provided to the DMV who issued the drivers licence with that fraudulent information), the bank would never know.

    2. Richocet

      By "worse" you mean "thorough".

      When someone is able to establish a bank account with a false identity it opens up a Pandora's box of problems for police, banks, government agencies and national security. It would be stupid for banks to slacken their identity verification processes.

      This is why most criminal syndicates use mules with real identities. The mules wear the consequences when they are found out. This is a big hassle for crims which limits their operations.

    3. alexmcm

      "Given the Australian addiction to identity checking for almost everything (even worse, IMHO, than the UK"

      You are not wrong there. When I first got to Australia 13 years ago, I went to Hardly Normals to buy a digital TV receiver. I was paying cash, and they asked for ID and proof of address. As I didn't have a permanent address yet or utility bills on me, there was a big debate amongst staff whether they could sell it to me.

      They did eventually after much discussion. I still hate going to Harvey Normans, even for the simplest thing like an ink cartridge they want all your details.

  8. John Smith 19 Gold badge
    IT Angle

    Probably play the "We are too big to fail" to defense as usual.

    Because Y'know, we're banks. We're special.*

    This story smells all kinds of fishy. The ATM hardware is standard from various mfgs.

    So is this a fault in the ATM code for transaction reporting at source, or a fail in the banks in house SW that crunches that data to produce a "suspect accounts list" ? Who writes ATM code? The banks provide the graphics but do they do detailed internal functions as well?

    Wouldn't that be a pretty strange ATM reporting fault? Doesn't report some transactions, does report others? Keep in mind, those transactions are partly how the bank knows how much money is in a customer's account. Sounds like the bank should be suing the ATM mfg. OTOH if it's in house they should sue their IT supplier.

    *When I look at a bank I see a business. If it can't meet its obligations due to fines then it's an ex business. Its customers need to find a new business to do their business through (after they've been compensated by the personal protection scheme most governments run) and shift their payments. Its loan book gets sold off and eventually everyone with a loan or mortgage through them gets a letter telling them the new arrangements.

    What may complicate things is whether they are still using that BS "insurance" process whereby a claim on their "insurance" triggers multiple other bets (which is what they are) to fail.

    It's way past time more banks were put out of their misery.

    "Business without bankruptcy is like Heaven without Hell" as IIRC George Soros put it.

    1. mathew42

      Re: Probably play the "We are too big to fail" to defense as usual.

      There are reports that other Australian banks accept a maximum of $5,000 via similar ATMs. I suspect management at those banks were much happier after finding this out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Probably play the "We are too big to fail" to defense as usual.

        There are reports that other Australian banks accept a maximum of $5,000 via similar ATMs. I suspect management at those banks were much happier after finding this out.

        Yes, seriously, what's the deposit limit on these?

        Now, I can understand in Canada where a $10k limit on an ATM is impractical because it would stop people from withdrawing enough to buy a cup of Tim Horton's, but still.

      2. katrinab Silver badge

        Re: Probably play the "We are too big to fail" to defense as usual.

        Yes, but two sequential $5,000 deposits is still reportable.

  9. Pascal Monett Silver badge
    FAIL

    It took three years

    For 3 years there were no ATM reports and nobody normally getting them even blinked? I mean, after a week at most somebody should have started asking questions.

    I'm pretty sure they knew about the average number of reports they usually got. Seeing that drop to zero is a statistical impossibility.

    3 years is a bloody long time to keep thinking "oh well, I might get a report next week".

    But of course, blame the developers. We're used to that.

    1. LDS Silver badge

      Re: It took three years

      Probably, nobody ever read the reports...

      1. Denarius Silver badge

        Re: It took three years

        Plausible. C. Northcote Parkinson had the same experience in WW2, leading to Parkinson's Law.

        OTGH, this being an Oz bank, skepticism is reasonable.

      2. Anonymous Coward
        Anonymous Coward

        Re: It took three years

        "Probably, nobody ever read the reports..."

        Once had a customer whose contract demanded certain detailed reports sent to them on the first day of each month - otherwise there was a financial penalty.

        Crunching the raw data to produce accurate reports was complicated and often required human intervention for reported exceptions. We managed to automate most of it with some customised software. A human still had to be in the office on the 1st of a month at the crack of dawn to oversee the run - no matter what day of the week or season.

        After a few years it turned out that the customer's staff just filed the reports without anyone even understanding or looking at them.

    2. eldakka Silver badge

      Re: It took three years

      Oh, that's what the TPS reports no-one ever read were for.

    3. Locky Silver badge
      Flame

      Re: It took three years

      @Pascal Monett

      Blame the developers? Has someone already exhausted blaming the network already?

      1. Bronek Kozicki Silver badge
        Joke

        Re: It took three years

        It was probably the same rogue developer who wrote emission acoustic control code for VW Bosch diesel engines.

        1. John Smith 19 Gold badge
          Happy

          "It was probably the same rogue developer who wrote acoustic control code for Bosch diesel engines."

          Ah yes, the "One bad developer"

          You would just not believe how many jobs this person has had traveling the globe as they ply their trade.

          All distinguished by the level of s**t code they leave behind. :-(

          The day they retire world software quality will rise dramatically.

          As if.

    4. gryps

      Re: It took three years

      Maybe the staff who would have known had been terminated in favour of more profits/higher management salaries?
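The point Pascal Monett makes above, that a report count falling to zero and staying there is a statistical impossibility nobody checked, describes a missing monitoring control rather than a coding problem. The block below is an added example, not code from the page or from CBA, showing one way a defender would implement that control: a trailing-median baseline of daily report volume, an alert after a few consecutive low days, and a baseline that deliberately excludes the low days so that a long outage cannot quietly become the new "typical" (the failure kofeyh describes later in the thread). The daily counts, window size and thresholds are constructed for illustration.

```python
from collections import deque
from statistics import median

# Constructed sample data (not real figures): daily counts of threshold
# transaction reports produced by an ATM channel. Days 0-29 look normal;
# from day 30 the feed silently drops to zero, which is the failure mode
# the thread discusses.
NORMAL_DAYS = [14, 9, 11, 17, 8, 12, 15, 10, 13, 9,
               16, 11, 7, 14, 12, 10, 18, 9, 13, 11,
               15, 8, 12, 10, 14, 9, 11, 16, 12, 10]
SAMPLE_DAILY_COUNTS = NORMAL_DAYS + [0] * 14


def report_volume_alerts(daily_counts, window=28, min_ratio=0.25, patience=3):
    """Return [(day, count, baseline)] for every day an alert should fire.

    baseline: median of the last `window` healthy days (median rather than
              mean, so one busy day does not mask a drop).
    low day:  count < min_ratio * baseline.
    alert:    fires on the `patience`-th consecutive low day and on every
              low day after it, so a long outage keeps being reported.

    Low days are kept out of the baseline window on purpose. If they were
    included, a feed stuck at zero would drag the baseline to zero within
    `window` days and the alert would silence itself, which is exactly how
    a missing report becomes 'normal'. The first `window` days are treated
    as a learning period and must contain healthy traffic.
    """
    healthy = deque(maxlen=window)
    consecutive_low = 0
    alerts = []
    for day, count in enumerate(daily_counts):
        if len(healthy) < window:
            # Still learning the baseline; nothing to compare against yet.
            healthy.append(count)
            continue
        baseline = median(healthy)
        if count < min_ratio * baseline:
            consecutive_low += 1
            if consecutive_low >= patience:
                alerts.append((day, count, baseline))
        else:
            consecutive_low = 0
            healthy.append(count)  # only healthy days feed the baseline
    return alerts


def first_alert_day(daily_counts, **kwargs):
    """Index of the first day an alert fires, or None if the feed looks healthy."""
    alerts = report_volume_alerts(daily_counts, **kwargs)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    # On the constructed data the feed dies on day 30 and the first alert
    # fires on day 32, not three years later.
    for day, count, baseline in report_volume_alerts(SAMPLE_DAILY_COUNTS):
        print(f"day {day}: {count} reports against baseline {baseline}")
```

The `patience` parameter is the trade-off knob: a value of 1 would page on a single quiet public holiday, while anything in the tens of days defeats the purpose. The same shape of check applies to any compliance feed whose absence is silent by default, which is the property that let this one go unnoticed.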

  10. Anonymous Coward
    Anonymous Coward

    This cannot be simply down to software issues

    The fact the issue was not detected by asking, why am I not reporting these any more (would expect it to be tracked just for a measure of business operations), and that nobody attempted to identify the transactions via other means (they are only simple transactions after all) suggests a deep rooted systemic failure.

    Yes, testing should have caught it, %$(t happens - but this was long standing, undetected, and unmitigated.

    Not a good show at all I am afraid.

    1. TheElder

      Re: This cannot be simply down to software issues

      Agree. It reminds me of the recent Mr. Page interview...

  11. Puts_the_lotion

    Crooks

    @Spotswood.

    " including sales of insurance policies that covered almost nothing and predatory financial advisors who lined their own pockets by dishing out poor advice to investors. The Bank was also at the centre of the bribery allegations made against CSC subsidiary ServiceMesh"

    yep, it's the CBA for sure.

  12. Version 1.0 Silver badge

    Inside job?

    While I generally believe in the adage "Never attribute to malice anything that can be accomplished by incompetence," this sounds a little too convenient to be accidental ... did someone have a quiet word with the offshore developers and suggest that they quietly add a semi-colon in the wrong place? It could have been quite profitable for everyone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Inside job?

      It can be a bit of both. Someone spots the mistake. They realise they are in big trouble for seeing it. Even if they do not even work in IT. Even if they are just a desk worker. How do they convince their boss? Who will believe them when they accuse the multi million dollar IT staff of making a mistake?

      Then finally, they realize their pay check and bonus is being paid through the processing charges and other things involved, so they just get on with their day job and don't make any noise.

  13. adam payne Silver badge

    "Today the bank has explained the reason for its failure: “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015."

    No-one noticed or cared that the report for large transactions weren't coming through and it takes three years to find it and fix it.

    WOW, just WOW!

    1. CrazyOldCatMan Silver badge

      No-one noticed or cared that the report for large transactions weren't coming through and it takes three years to find it and fix it.

      Yup. As others have said, quite clearly not a coding error but quite clearly a business process failure.

  14. Spinux

    All checks failed, why cry now

    It is one thing that within the bank controls failed. But the regulator also took 3 years to spot the issue? They also should have been surprised that (only) one bank had no large deposits. So they have to review their own checks and in my opinion have no ground to put up a fine at all.

    1. hidflect

      Re: All checks failed, why cry now

      They never spotted it. It was reported to them by police who found receipts in a raid. Or they knew about it and never spoke up. In any event, it will be the cover up that kills them, not the act itself.

  15. keith_w

    It may simply have been that they thought that no one was depositing $10000 at a time through an ATM. As a previous poster pointed out, the machines only accept 50 notes at a time, which means that to deposit $10,000 in a single transaction, ie stuffing sufficient notes in for a single counting episode, would require 10 $1,000 notes, or 20 $500 notes or 50 $200 notes or some combination such as 6 $1000 notes and 40 $100 notes. On the other hand, walking into a branch and slamming down 1,000 $10 notes would have been much more possible.

    1. Steve Foster

      Note Denominations (@keith_w)

      And are such notes in common distribution ($1000, $500, $200)?

      1. James 63
        IT Angle

        Re: Note Denominations (@keith_w)

        Biggest note in Australia is $100. So two tranches of the max of 50 notes at a time to hit the $10k.

    2. TheElder

      slamming down 1,000 $10 notes

      Would be very difficult to wear the anon mask in that event.

    3. Anonymous Coward
      Anonymous Coward

      You have never worked...

      At a bank, shop or self employed then? Some customers will pay in pennies. Other customers will draw and pay in large cash denominations every time. If these were out of hours ATMs as well, then it is extremely easy to choose quiet times.

  16. Anonymous Coward
    Anonymous Coward

    Denominations

    In Canada the largest is $1000. However, any account with more than 10,000 cash is flagged regardless of transactions taking place.

    1. Flip

      Re: Denominations

      "In Canada the largest is was $1000. However, any account with more than 10,000 cash is flagged regardless of transactions taking place."

      And it looks as though any transaction involving old $1000 bills will get noticed. More info here:

      http://nationalpost.com/news/canada/the-hunt-for-canadas-1000-bills-there-are-nearly-a-million-left-most-in-the-hands-of-criminal-elites/wcm/5827c613-4297-43fa-9eb1-2dd768a3ca1c

  17. Gerryb

    Trouble is the CBA's coders do get a lot right. CBA internet banking web portal and phone apps are better than the offerings of ANZ, Lloyds and Barclays; the best, most useful and slickest I have ever found, compared to any other bank I have used here in the UK or Australia.

  18. Sanctimonious Prick

    If the law prevails, they should be fined out of existence.

    If politics are involved, they'll just get a slap on the wrist.

  19. Clive Harris
    Unhappy

    CBA lost $650000 of my money!

    I've never trusted Commonwealth Bank since they managed to lose $650000 of my money in 2001 (OK I got it back eventually)

    When I emigrated in late 2000, I sold my house in England and, on the advice of my local adviser, I put the money on deposit at CBA. I didn't understand the process of buying a house in Australia so, when I bought a house over here, I trusted CBA to handle all the paperwork. About 2 months later I received an eviction notice! It appears they had set me up with a large line-of-credit mortgage. The money I had brought over from England had apparently vanished, so no repayments were coming in. When I called them, they apologised for a "small paperwork error" and promised to sort it all out. A month later I received another eviction notice, and the money from England was still nowhere to be seen. That's when I threatened to call the police, citing evidence of fraud. The reaction from my neighbours and colleagues was interesting, generally along the lines of "Yeah, mate, this happens all the time. Lots of immigrants lose all their money. You just have to put up with it". There was also some comment along the lines of "How dare you foreigners attack our great Australian banks". The bank's response was that I had obviously attempted some sort of currency fraud, and I only had myself to blame.

    Eventually it was sorted out. It appears that my branch was closed just as the house purchase was going through, and some paperwork was mis-filed when my accounts were transferred to another branch. The $650000 was eventually found (in a non-interest-bearing account!), and I used it to pay off the mortgage, which I had never needed in the first place. I wasted thousands in stamp duty, conveyancer's fees, lost interest etc, but I finally got the deeds back in my hands. CBA never officially admitted any responsibility, although one branch manager told me, strictly unofficially, that she was "livid" with how the bank had treated me.

    They put one last sting in the tail, which I only found out very recently. Last year I took out a mortgage to help my daughter buy her house. It turned out that CBA still had a caveat on my deeds, which they had "forgotten" to remove. That cost me a few hundred to fix.

    CBA! Not happy!

    P.S. The other banks over here aren't much better. Last year I donated $50 to the Mozilla Foundation from my Westpac account. Westpac responded to this "suspicious transaction" by freezing my account. They didn't give me any warning, or even tell me that they'd done it. I only found out when I started getting calls from people whose payments had bounced. When I phoned Westpac, their response was that I should be grateful for their "alertness" in responding to an unusual transaction.

    1. Anonymous Coward
      Anonymous Coward

      Re: CBA lost $650000 of my money!

      I smell a bit of poo here.

      As if you wouldn't have been paying very close attention to what you were doing here as opposed to just trusting everything was going to be just fine and dandy. You didn't keep an eye on your accounts to make sure your mortgage payments were going through? I mean come on who does that?

      I am not saying that CBA have not screwed up but your complacency is a part of the problem here.

  20. Anonymous Coward
    Anonymous Coward

    Not just a business process failure

    >quite clearly a business process failure.

    More than that I think.

    It may have been a business decision to provide minimum funding to these systems that doesn't make money for them, hence the business process failure. The system is there to comply with Australian financial regulation, and which the banks have to bear the cost of its development and running.

    Had it been a system that does make money for the bank then they would have made sure that the system was verified and validated three times over.

  21. kofeyh

    ignorance is no excuse for lack of governance

    Never underestimate the power of situation normal to cause issues to lie for a very long time. 3 years is well long enough for a missing report to become institutionalised as 'typical', get a bit of turnover in staff and like anything else, the knowledge is lost.

    I can't tell if the bank is simply arrogant, grossly incompetent, negligent or genuinely complicit at this point. Perhaps it's a mixture. That's far far too long for it to be purely "a coding issue"; it's a SYSTEMIC issue, and heads should absolutely roll.

    There's been some talk of people taking some pay cuts or some such, but making this all just go away with a "software glitch" excuse is hand-waving in the extreme. Not for 3 years, m8. That's just plain old fashioned negligence.

    The bank has history at this point; so I have every expectation that there is more going on than a 'code issue'.

  22. kneedragon

    Not news to Australians perhaps, but... the opposition Labor party has promised that one of their first acts on getting in next time, will be to set up a standing Royal Commission (big government backed investigation) into banking and the finance industry. The Liberal National Coalition (The main Australian right-wing conservative party, who are currently in government) have howled and screamed that this is unnecessary and expensive and a waste and a nasty thing to do to their biggest donors...

    On the same day this appeared in the papers, we had a report of a couple of Liberal Party people who used a phone to bug a conversation at a meeting. The meeting was to hand over a donation to the Liberals, from the Mafia. Now reports of that have partly been taken down again, due to a heavy-weight legal onslaught from the Liberal Party. Exactly where the truth lies, I'm not sure - but it was reported, even in the ABC, Australia's version of the Beeb.

    At the same time, we are having a circus about same sex marriage. That would be alright, except there's more going on than meets the eye. The previous Lib PM, Tony Abbott, is trying to destabilise and replace the current Lib PM, Malcolm Turnbull, in as many ways and as many settings as he can, and the mess and the muddle over same sex marriage has become a political instrument for Tony Abbott to roll his boss, the man who rolled him. So we have Tony Abbott and his supporters doing every dirty sneaky trick they can think of, to sabotage the business of legalising gay marriage, and delay it, and put a spanner in the works, because it provides a backdrop for them to have a night-of-the-long-knives against the other Liberal faction who rolled them about a year and a half ago. All of which provides good political theatre, unless you're gay.

    So, in one day, the Liberal Party are protecting the Commonwealth Bank, taking a bribe - sorry, donation - from the Mafia, (we have a recording) and using gay marriage to roll their current leader in favour of their previous leader.

    And no, I don't know that the current Australian Labor Party are a whole lot better, but I will be extremely glad to see the back end of this set of clowns.

Biting the hand that feeds IT © 1998–2019