Commonwealth Bank: Buggy software made us miss money laundering

Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m, £42.5m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC …


  1. TheElder

    Big Money

    I like the sound of ~ONE TRILLION DOLLARS. As long as they pay off all the depositors first (excepting the level 1-2s) I say go for it. It would be very instructional. We have the same rules here.

    1. Anonymous Coward
      Anonymous Coward

      Re: Big Money

      Speaking of Big Money - I'd like to see how long it takes someone to stuff $10,000 into an ATM machine. And I'd hate to be the car sitting behind him waiting to withdraw my $20 spending cash.

      1. eldakka

        Re: Big Money

        I haven't tried to deposit money into an ATM in at least a decade, but when I did it was done via putting the cash in an envelope supplied by the ATM, not individual notes fed into it like it was a vending machine.

        1. Anonymous Coward
          Anonymous Coward

          Re: Big Money

          @eldakka - times have changed. Now you sick a wad of cash into a contraption that grabs it from you and counts it. But I think you can only stick a maximum of 50 bills in at one go, and I would suspect most money laundering isn't done with crisp, clean, large denomination bills. So you'd probably have to feed several stacks into the machine and wait as they are counted in order to hit the $10,000 mark.

          And these crooks did it over 53,000 times without setting off the alerts. They must have been camped out in front of the ATMs for months at a time.

          1. TheElder

            Re: Big Money

            you sick a wad of cash...

            SICK = "Possible mental illness"

            1. Anonymous Coward
              Headmaster

              Re: Big Money

              If you can sic a dog, you can sick [sic] a wad of cash.

          2. This post has been deleted by its author

        2. Ken Moorhouse Silver badge

          Re: I haven't tried to deposit money into an ATM in at least a decade

          I had two Bad Experiences of doing that.

          (1) The bank got raided soon after I deposited my cheques, and I had to really moan at the bank to get my money credited (weeks later), even though I had proof of deposit. (The bank's excuse was that they are not insured against this kind of eventuality).

          (2) Used one of those machines where it prints out copies of everything you submit. Ooh good! Except that the bank branch I submitted the cheques to was different to that on the printed receipt. Took an extra day for my account to be credited.

          Since then I prefer to queue. Thank you.

    2. TReko
      FAIL

      Re: Big Money

      No one is going to pay big fines.

      CBA donates liberally to both big political parties in Australia. This is protection money.

    3. CrazyOldCatMan Silver badge

      Re: Big Money

      I like the sound of ~ONE TRILLION DOLLARS

      As the old saying goes - if I owe the bank £500, then it's my problem. If I owe the bank £500 million then it becomes the bank's problem.

      1. Potemkine! Silver badge

        Re: Big Money

        if I owe the bank £500, then it's my problem. If I owe the bank £500 million then it becomes the bank's problem

        And if the bank owes you £500 million it's a taxpayers' problem

  2. James Ashton
    FAIL

    Mistakes = Liability

    I'm pretty sure that if the bank made a mistake whereby it lost $1T of funds it would be on the hook and the old "computer error" defence would not stop them being bankrupted. Also, I'd be very surprised if AUSTRAC needs to demonstrate criminal intent to nail the bank; incompetence alone should be enough.

  3. Spotswood

    Lose $70M to money laundering, potentially get fined $954,000,000,000...

    Remind me who the criminals are again here please?

    1. Anonymous Coward
      Anonymous Coward

      Lose 70M to money laundering.....

      How do you figure they lost $70M? If banks lost money on laundering, they wouldn't circumvent the reporting rules.

    2. Cpt Blue Bear

      "Remind me who the criminals are again here please?"

      If you really need someone to, it was the bank.

      They committed an offense 53,500 times and took a fee to do it each time. As Norman Fletcher said, if you can't do the time don't do the crime.

  4. TheElder
    Mushroom

    Remind me who the criminals are again here please?

    I wonder how many IEDs $70m can buy?

  5. Anonymous Coward
    Holmes

    Also - It was the Russians!!

    If they don't use that excuse, they aren't even trying. Everyone knows that big, bad Putin is digging around inside all of our computers 24/7.

  6. Anonymous Coward
    Anonymous Coward

    Outsourcing...

    From experience, the testing and validation of coding at the CBA has dropped off dramatically. There was a time when every code change was peer reviewed before it was implemented. The outsourcing of the IT meant that there were pressures on the outsourcer to cut their costs so "unnecessary" costs like code review and validation went out the window.

    AC because I worked for CBA in their IT... and had to do periodic money laundering (and terrorist watch list) checks and independent verification of reporting code.

    BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts...

    1. Doctor Syntax Silver badge

      Re: Outsourcing...

      "BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts."

      In your day. On the basis of this report, maybe not now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Outsourcing...

        "BTW, don't try to get around the $10000 mandatory reporting by doing multiple smaller transactions, certain patterns of transactions will flag the lower amounts."

        In your day. On the basis of this report, maybe not now.

        Oh, there are stories in the US of small business owners who have been put out of business by the government (assets seized) because they kept doing $9000 deposits....

        1. Ken Moorhouse Silver badge

          Re: because they kept doing $9000 deposits....

          Readily spotted with software that knows about Benford's Law

          1. Parash2

            Re: because they kept doing $9000 deposits....

            Yes, ACL knows all about that.
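Two comments above describe detection logic in a sentence each: the Anonymous Coward's note that "certain patterns of transactions will flag the lower amounts", and Ken Moorhouse's point that repeated $9000 deposits are "readily spotted with software that knows about Benford's Law". The script below is an added illustration of both, written for this page and not code from CBA, AUSTRAC or any commenter. The threshold of $10,000 is the figure the thread discusses; the 24-hour aggregation window, the account names and the deposit rows are constructed assumptions, and a real monitoring system would tune all of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import log10

THRESHOLD = 10_000            # reporting threshold quoted in the thread (AUD)
WINDOW = timedelta(hours=24)  # assumed aggregation window for sub-threshold deposits

# Constructed sample data: (account, ISO timestamp, cash deposit in AUD). Not real transactions.
SAMPLE_DEPOSITS = [
    ("ACC-A", "2012-06-01T09:00", 12_500),  # single deposit over the threshold
    ("ACC-B", "2012-06-01T09:05", 9_000),
    ("ACC-B", "2012-06-01T13:40", 9_000),   # two sub-threshold deposits on the same day
    ("ACC-B", "2012-06-02T08:15", 9_000),
    ("ACC-C", "2012-06-01T10:00", 2_300),   # ordinary activity, days apart
    ("ACC-C", "2012-06-03T10:00", 1_150),
]


def parse(rows):
    """Turn the constructed rows into (account, datetime, amount) tuples."""
    return [(acct, datetime.fromisoformat(ts), amt) for acct, ts, amt in rows]


def threshold_reports(deposits):
    """Every single cash deposit at or above the reporting threshold (the report the
    thread says stopped being generated)."""
    return [(a, t, amt) for a, t, amt in deposits if amt >= THRESHOLD]


def structuring_alerts(deposits):
    """Accounts whose sub-threshold deposits inside a rolling 24h window add up to
    the threshold or more. Returns (account, window_start, window_end, total)."""
    by_acct = defaultdict(list)
    for a, t, amt in deposits:
        if amt < THRESHOLD:
            by_acct[a].append((t, amt))
    alerts = []
    for a, txs in by_acct.items():
        txs.sort()
        start, running = 0, 0
        for end, (t, amt) in enumerate(txs):
            running += amt
            # slide the window forward until it spans no more than WINDOW
            while txs[end][0] - txs[start][0] > WINDOW:
                running -= txs[start][1]
                start += 1
            if running >= THRESHOLD:
                alerts.append((a, txs[start][0], t, running))
                break  # one alert per account is enough for this illustration
    return alerts


# Benford's Law: expected share of each leading digit d is log10(1 + 1/d)
BENFORD = {d: log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    return int(str(int(amount))[0])


def benford_skew(amounts):
    """Return (digit, observed share, expected share) for the leading digit that most
    exceeds its Benford expectation. A run of $9000 deposits pushes digit 9 to 100%
    against an expected share of about 4.6%."""
    counts = defaultdict(int)
    for amt in amounts:
        counts[leading_digit(amt)] += 1
    n = len(amounts)
    digit = max(range(1, 10), key=lambda d: counts[d] / n - BENFORD[d])
    return digit, counts[digit] / n, BENFORD[digit]


if __name__ == "__main__":
    deps = parse(SAMPLE_DEPOSITS)
    print("threshold reports:", threshold_reports(deps))
    print("structuring alerts:", structuring_alerts(deps))
    acc_b = [amt for a, _, amt in deps if a == "ACC-B"]
    print("Benford skew for ACC-B:", benford_skew(acc_b))
```

The two checks are deliberately independent: `threshold_reports` is the mandatory report the bug suppressed, while `structuring_alerts` and `benford_skew` would keep firing on the same accounts even if that report silently stopped, which is the point the two comments are making.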

        2. Private Citizen.AU
          WTF?

          Re: Outsourcing...

          AUSTRAC notes all transactions over AUD$50, so running sub $10,000 transactions fools no-one. You may not be in the most watched category but every transaction should have been noted. It is one of the essential systems designed to find black money in our economy.

          But to claim that it was a software bug that went undetected for 3 years makes you wonder how competent the rest of their banking systems are. It beggars belief.

          It is inviting a case action.

  7. Barrie Shepherd

    "The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences."

    Software glitches aside what went on with the identity checking?

    Given the Australian addiction to identity checking for almost everything (even worse, IMHO, than the UK - I was asked for proof of ID and address when buying a $750 camera lens with cash "to prevent guarantee fraud") the CB should be taken to task for not complying with ID requirements.

    It begs the question as to how many other CB accounts are based on fake identity and are operating under the radar by just moving chunks of $9000 around.

    1. eldakka

      The identity check requirements only require someone to present the 100-point ID check documents to the bank staff creating the account. It doesn't require the bank staff to verify with the issuing agency the ID document.

      So if the documents were either good enough forgeries such that they passed a quick visual inspection from a non-expert, or the ID is a genuinely issued ID but was obtained with fraudulent information (e.g. false information was provided to the DMV who issued the drivers licence with that fraudulent information), the bank would never know.

    2. Richocet

      By "worse" you mean "thorough".

      When someone is able to establish a bank account with a false identity it opens up a Pandora's box of problems for police, banks, government agencies and national security. It would be stupid for banks to slacken their identity verification processes.

      This is why most criminal syndicates use mules with real identities. The mules wear the consequences when they are found out. This is a big hassle for crims which limits their operations.

    3. alexmcm

      "Given the Australian addiction to identity checking for almost everything (even worse, IMHO, than the UK"

      You are not wrong there. When I first got to Australia 13 years ago, I went to Hardly Normals to buy a digital TV receiver. I was paying cash, and they asked for ID and proof of address. As I didn't have a permanent address yet or utility bills on me, there was a big debate amongst staff whether they could sell it to me.

      They did eventually after much discussion. I still hate going to Harvey Normans, even for the simplest thing like an ink cartridge they want all your details.

  8. John Smith 19 Gold badge
    IT Angle

    Probably play the "We are too big to fail" to defense as usual.

    Because Y'know, we're banks. We're special.*

    This story smells all kinds of fishy. The ATM hardware is standard from various mfgs.

    So is this a fault in the ATM code for transaction reporting at source, or a fail in the bank's in-house SW that crunches that data to produce a "suspect accounts list"? Who writes ATM code? The banks provide the graphics but do they do detailed internal functions as well?

    Wouldn't that be a pretty strange ATM reporting fault? Doesn't report some transactions, does report others? Keep in mind, those transactions are partly how the bank knows how much money is in a customer's account. Sounds like the bank should be suing the ATM mfg. OTOH if it's in house they should sue their IT supplier.

    *When I look at a bank I see a business. If it can't meet its obligations due to fines then it's an ex business. Its customers need to find a new business to do their business through (after they've been compensated by the personal protection scheme most governments run) and shift their payments. Its loan book gets sold off and eventually everyone with a loan or mortgage through them gets a letter telling them the new arrangements.

    What may complicate things is whether they are still using that BS "insurance" process whereby a claim on their "insurance" triggers multiple other bets (which is what they are) to fail.

    It's way past time more banks were put out of their misery.

    "Business without bankruptcy is like Heaven without Hell" as IIRC George Soros put it.

    1. mathew42

      Re: Probably play the "We are too big to fail" to defense as usual.

      There are reports that other Australian banks accept a maximum of $5,000 via similar ATMs. I suspect management at those banks were much happier after finding this out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Probably play the "We are too big to fail" to defense as usual.

        There are reports that other Australian banks accept a maximum of $5,000 via similar ATMs. I suspect management at those banks were much happier after finding this out.

        Yes, seriously, what's the deposit limit on these?

        Now, I can understand in Canada where a $10k limit on an ATM is impractical because it would stop people from withdrawing enough to buy a cup of Tim Horton's, but still.

      2. katrinab Silver badge

        Re: Probably play the "We are too big to fail" to defense as usual.

        Yes, but two sequential $5,000 deposits is still reportable.

  9. Pascal Monett Silver badge
    FAIL

    It took three years

    For 3 years there were no ATM reports and nobody normally getting them even blinked? I mean, after a week at most somebody should have started asking questions.

    I'm pretty sure they knew about the average number of reports they usually got. Seeing that drop to zero is a statistical impossibility.

    3 years is a bloody long time to keep thinking "oh well, I might get a report next week".

    But of course, blame the developers. We're used to that.
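Pascal Monett's point is that a report feed which normally produces a steady number of reports and then produces none for weeks is a monitoring failure as much as a coding one. The script below is an added illustration of that check, written for this page and not code from the bank or the commenter. The weekly counts are constructed to follow the shape of the story (steady, then zero after an update); the six-week lookback, the minimum healthy baseline of five reports and the one-week grace period are assumptions.

```python
from statistics import mean

# Constructed weekly counts of threshold-transaction reports from one channel.
# Not real figures: six healthy weeks, then three silent ones.
WEEKLY_REPORT_COUNTS = [41, 38, 45, 39, 44, 40, 0, 0, 0]


def silent_feed_alerts(counts, lookback=6, min_baseline=5, max_silent_weeks=1):
    """Flag weeks in which a feed that normally produces reports goes quiet.

    The baseline is the mean of the last `lookback` weeks that produced at least one
    report. Silent weeks are excluded from it on purpose: if zeros were allowed into
    the average, a few quiet weeks would drag the baseline down and the silence
    would become the new normal, which is exactly how a gap goes unnoticed for years.

    Returns (week_index, baseline, consecutive_silent_weeks, severity).
    """
    alerts = []
    healthy = []  # recent non-zero weekly counts
    silent = 0    # current run of consecutive silent weeks
    for week, n in enumerate(counts):
        if n > 0:
            healthy.append(n)
            silent = 0
            continue
        if len(healthy) < lookback:
            continue  # not enough history yet to say what "normal" looks like
        base = mean(healthy[-lookback:])
        if base >= min_baseline:
            silent += 1
            severity = "critical" if silent > max_silent_weeks else "warning"
            alerts.append((week, round(base, 1), silent, severity))
    return alerts


if __name__ == "__main__":
    for week, base, run, severity in silent_feed_alerts(WEEKLY_REPORT_COUNTS):
        print(f"week {week}: 0 reports against baseline {base} "
              f"({run} silent week(s)) -> {severity}")
```

The escalation from warning to critical after one silent week is the "after a week at most somebody should have started asking questions" rule from the comment, expressed as something a monitoring job can evaluate without a human remembering what last week's count was.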

    1. Anonymous Coward
      Anonymous Coward

      Re: It took three years

      Probably, nobody ever read the reports...

      1. Denarius

        Re: It took three years

        Plausible. C. Northcote Parkinson had the same experience in WW2 leading to Parkinson's Law.

        OTGH, this being an Oz bank, skepticism is reasonable.

      2. Anonymous Coward
        Anonymous Coward

        Re: It took three years

        "Probably, nobody ever read the reports..."

        Once had a customer whose contract demanded certain detailed reports sent to them on the first day of each month - otherwise there was a financial penalty.

        Crunching the raw data to produce accurate reports was complicated and often required human intervention for reported exceptions. We managed to automate most of it with some customised software. A human still had to be in the office on the 1st of a month at the crack of dawn to oversee the run - no matter what day of the week or season.

        After a few years it turned out that the customer's staff just filed the reports without anyone even understanding or looking at them.

    2. eldakka

      Re: It took three years

      oh, that's what the TPS reports no-one ever read were for.

    3. Locky
      Flame

      Re: It took three years

      @Pascal Monett

      Blame the developers? Has someone already exhausted blaming the network?

      1. Bronek Kozicki
        Joke

        Re: It took three years

        It was probably the same rogue developer who wrote emission acoustic control code for VW Bosch diesel engines.

        1. John Smith 19 Gold badge
          Happy

          "It was probably the same rogue developer who wrote acoustic control code for Bosch diesel engines."

          Ah yes, the "One bad developer"

          You would just not believe how many jobs this person has had traveling the globe as they ply their trade.

          All distinguished by the level of s**t code they leave behind. :-(

          The day they retire world software quality will rise dramatically.

          As if.

    4. gryps

      Re: It took three years

      Maybe the staff who would have known had been terminated in favour of more profits/higher management salaries?

  10. Anonymous Coward
    Anonymous Coward

    This cannot be simply down to software issues

    The fact the issue was not detected by asking, why am I not reporting these any more (would expect it to be tracked just for a measure of business operations), and that nobody attempted to identify the transactions via other means (they are only simple transactions after all) suggests a deep rooted systemic failure.

    Yes, testing should have caught it, %$(t happens - but this was long standing, undetected, and unmitigated.

    Not a good show at all I am afraid.

    1. TheElder

      Re: This cannot be simply down to software issues

      Agree. It reminds me of the recent Mr. Page interview...

  11. Puts_the_lotion

    Crooks

    @Spotswood.

    " including sales of insurance policies that covered almost nothing and predatory financial advisors who lined their own pockets by dishing out poor advice to investors. The Bank was also at the centre of the bribery allegations made against CSC subsidiary ServiceMesh"

    yep, it's the CBA for sure.

  12. Version 1.0 Silver badge

    Inside job?

    While I generally believe in the adage "Never attribute to malice anything that can be accomplished by incompetence," this sounds a little too convenient to be accidental ... did someone have a quiet word with the offshore developers and suggest that they quietly add a semi-colon in the wrong place? It could have been quite profitable for everyone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Inside job?

      It can be a bit of both. Someone spots the mistake. They realise they are in big trouble for seeing it. Even if they do not even work in IT. Even if they are just a desk worker. How do they convince their boss? Who will believe them when they accuse the multi million dollar IT staff of making a mistake?

      Then finally, they realize their pay check and bonus is being paid through the processing charges and other things involved, so they just get on with their day job and don't make any noise.

  13. adam payne

    "Today the bank has explained the reason for its failure: “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015."

    No-one noticed or cared that the reports for large transactions weren't coming through and it takes three years to find it and fix it.

    WOW, just WOW!

    1. CrazyOldCatMan Silver badge

      No-one noticed or cared that the reports for large transactions weren't coming through and it takes three years to find it and fix it.

      Yup. As others have said, quite clearly not a coding error but quite clearly a business process failure.

  14. Spinux

    All checks failed, why cry now

    It is one thing that within the bank controls failed. But the regulator also took 3 years to spot the issue? They also should have been surprised that (only) one bank had no large deposits. So they have to review their own checks and in my opinion have no ground to put up a fine at all.

    1. hidflect

      Re: All checks failed, why cry now

      They never spotted it. It was reported to them by police who found receipts in a raid. Or they knew about it and never spoke up. In any event, it will be the cover up that kills them, not the act itself.

  15. keith_w

    It may simply have been that they thought that no one was depositing $10000 at a time through an ATM. As a previous poster pointed out, the machines only accept 50 notes at a time, which means that to deposit $10,000 in a single transaction, ie stuffing sufficient notes in for a single counting episode, would require 10 $1,000 notes, or 20 $500 notes or 50 $200 notes or some combination such as 6 $1000 notes and 40 $100 notes. On the other hand, walking into a branch and slamming down 1,000 $10 notes would have been much more possible.
