Buggy Software Made Us Miss Money Laundering Scam, Says Australian Bank (theregister.co.uk)
An anonymous reader shares a report: Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism. The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences. Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off. Today the bank has explained the reason for its failure: "a coding error" that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.
Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
I didn't know they held a pageant for that.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
A coding error that was not caught in regression testing, and remained undetected and thus unpatched for years, breaking your organization's compliance... IS A BUSINESS ERROR.
Dialectician. Archology.
Why exactly is the ATM machine the piece that is doing the reporting? Shouldn't it be a central authority, not some piece of hardware that a large number of people have physical access to?
I read the headline as "Buggy software made the United States win the Miss Money Laundering Scam according to an Australian bank." I think it's a title we would live up to.
The $10000 reporting limit is transparent to the end user unless the transaction is made in cash (and not, it seems, a deposit through one of these machines) or triggers the "suspicious activity" criteria (e.g. repeated $9000+ deposits). I have moved close to $30000 electronically to other parties, in both AUD and USD through a forex service, in past weeks for a trip to Patagonia/Antarctica: not a piece of paper in sight. The machines in question are for deposits, primarily for out-of-bank-hours business trade, and not the transactional cash withdrawal machines. They replaced the old night safe arrangements where cash was deposited in a bank safe and processed manually the following business day. The user population for these machines is much smaller than the common ATM. The number of unreported transactions we know about is in excess of 50000, each of more than $10000. We do not yet know to what extent suspicious activity on smaller deposits has been unreported. I do not think for a moment that these are all money laundering transactions, but it is still an amount in excess of $500,000,000 that has moved without scrutiny through these machines alone. The machines are only a small part of the systemic problem.
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button