Commonwealth Bank of Australia 2018: $530M Enforcement Action
In 2018, Commonwealth Bank of Australia agreed to pay AUD 700 million (approximately USD 530 million) to AUSTRAC, Australia's financial intelligence unit, settling civil proceedings that alleged more than 53,000 contraventions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. The failures centered on automated cash deposit machines whose transaction reporting feed had silently stopped working, a gap that criminal syndicates exploited for years before regulators intervened.
What happened?
Commonwealth Bank of Australia began deploying its Intelligent Deposit Machines (IDMs) in mid-2012. These ATM-style devices accepted cash deposits of up to AUD 20,000 per transaction into any CBA account, with no requirement to identify the depositor and minimal friction for the customer. Product teams saw a convenience win. The compliance function did not get an equal seat at that table: the ML/TF risk of the channel was not assessed before rollout.
According to AUSTRAC's statement of claim, filed in the Federal Court of Australia on 3 August 2017, a coding error in the IDM software meant CBA failed to submit Threshold Transaction Reports (TTRs) for approximately 53,506 cash transactions. Australia's AML/CTF Act requires reporting entities to file a TTR for every physical cash transaction of AUD 10,000 or more, within 10 business days of the transaction. The coding error ran from November 2012 to September 2015. Nearly three years. No compensating control caught it.
The failures went beyond the TTR defect. AUSTRAC alleged that after law enforcement agencies notified CBA in 2015 about criminal exploitation of IDM accounts, including accounts linked to drug trafficking syndicates, CBA's response was inadequate. Suspicious Matter Reports (SMRs) on flagged accounts were filed late or not at all. Ongoing customer due diligence (OCDD) on high-risk accounts was insufficient.
CBA and AUSTRAC filed an agreed statement of facts and proposed consent orders in the Federal Court on 4 June 2018. On 20 June 2018 the court made the orders and imposed a civil penalty of AUD 700 million, approximately USD 530 million at prevailing exchange rates, which AUSTRAC described as the largest civil penalty in Australian corporate history.
What did regulators say?
AUSTRAC CEO Nicole Rose, in the regulator's June 2018 press release, described CBA's failures as having exposed the Australian financial system to unacceptable risk from criminal exploitation. The press release characterized the bank's non-compliance as serious and systemic.
AUSTRAC's August 2017 statement of claim alleged more than 53,000 contraventions across four categories: failure to submit TTRs for IDM transactions, failure to conduct adequate OCDD on certain high-risk customers, failure to report suspicious matters on time, and failure to properly manage the money laundering and terrorism financing risks of the IDM product before and after launch.
In the agreed statement of facts, CBA admitted the contraventions and accepted that a penalty of AUD 700 million was appropriate given their scale and duration. The joint submission filed with the Federal Court described the non-compliance as persisting over a multi-year period, with the TTR failures, the most serious element, running undetected for approximately three years. Regulators characterized the failures as the product of systemic governance and control weaknesses rather than deliberate evasion. That distinction mattered for the civil, not criminal, framing of the proceedings. It didn't reduce the penalty.
What controls failed?
The first failure was at product launch. CBA's AML/CTF Program required a formal assessment of money laundering and terrorism financing risks before any new product or delivery channel went live. IDMs handled large cash deposits from unidentified depositors with limited friction. That's exactly the profile requiring heightened scrutiny. Under the risk-based approach required by FATF Recommendation 1, institutions must identify and assess ML/TF risks before deploying new products. AUSTRAC alleged that CBA did not assess the ML/TF risk of the IDMs before their 2012 rollout, and did not do so until 2015.
The second failure was the absence of monitoring reconciliation. The coding error disabled the TTR reporting feed for the IDM channel only; branch and other channels kept reporting. For nearly three years, no one noticed because no one compared the number of cash transactions at or above AUD 10,000 passing through each channel against the number of TTRs actually lodged for it. A channel producing tens of thousands of threshold-level cash deposits and zero TTRs should be visible in a basic per-channel reconciliation. It wasn't here.
OCDD on high-risk accounts failed next. FATF Recommendation 10 requires enhanced due diligence and ongoing monitoring that updates with account behavior. When law enforcement flagged specific accounts in 2015, CBA's processes were too slow to respond. SMR filing on those accounts was delayed or absent.
Governance was a fourth failure. APRA's Prudential Inquiry, which produced its final report in April 2018 (available at APRA's website), concluded that CBA's board and senior management had not adequately treated non-financial risk, including compliance, as a board-level priority. Accountability was diffuse, escalation pathways were unclear, and the bank had grown faster than its governance structures could manage. The inquiry described this as a cultural problem, not a process one.
Which regulations were violated?
The primary statute was Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), available on the Australian Government legislation register. This Act governs AML/CTF obligations for all Australian reporting entities, including banks. CBA's consent order accepted contraventions across multiple provisions covering transaction reporting, customer due diligence, risk management, and program compliance.
The Act implements the FATF Recommendations, so the failures map onto international standards. The SMR failures (AML/CTF Act s 41) were breaches of an obligation consistent with FATF Recommendation 20 (suspicious transactions), which requires financial institutions to report suspicious transactions promptly to the financial intelligence unit. Threshold transaction reporting (s 43) is an Australian statutory requirement rather than a FATF recommendation in its own right, but it serves the same intelligence purpose: making large cash flows visible to AUSTRAC.
The failure to assess the IDMs' ML/TF risks before launch sits within the scope of FATF Recommendation 15 (new technologies), which requires institutions to identify and assess risks posed by new products, business practices, and delivery mechanisms. That assessment was expected before the IDMs launched, not after three years of criminal exploitation.
Record-keeping obligations consistent with FATF Recommendation 11 were also at issue: documentation of due diligence decisions on high-risk accounts was insufficient for regulatory review. AUSTRAC publishes detailed guidance on threshold transaction reporting obligations that sets out what banks are required to file and when.
Which typologies were involved?
The IDM case is, at its core, a cash placement case. Criminal groups used the machines to move physical cash into the banking system in amounts that, with functioning controls, would have triggered reporting and scrutiny. This is the opening move in the standard placement-layering-integration sequence: place cash into an account before obscuring its origin.
The TTR failure made placement easier. Deposits above AUD 10,000 that should have generated reports didn't. That removed regulatory visibility on larger cash flows and likely encouraged structuring behavior on other accounts: splitting deposits across multiple machines or transactions to stay below reporting thresholds.
AUSTRAC's statement of claim referenced accounts linked to organized crime, including drug trafficking syndicates. These groups used CBA accounts for layering, moving funds between accounts in patterns designed to obscure their origin. Without timely SMRs, those movements went unreported even after law enforcement had raised specific concerns directly with the bank.
There's a broader typology at work here too. Criminal actors consistently target new payment channels before institutions build adequate monitoring around them. Cash-accepting ATMs, instant payment rails, digital wallets: the pattern repeats across jurisdictions. Institutions launch a convenient product, monitoring lags the launch, and criminal actors fill the gap. The CBA case is one of the best-documented examples of this sequence, and it cost AUD 700 million to resolve.
Aftermath and remediation
The settlement was a civil proceeding. No criminal charges were brought against CBA or named individuals as a result of the AUSTRAC enforcement action.
Ian Narev, who was CBA's CEO when the IDMs were deployed and while the control failures accumulated, announced his intention to step down in August 2017, the same month AUSTRAC filed civil proceedings. He remained in the role until April 2018, when Matt Comyn took over as CEO. CBA's share price fell on AUSTRAC's announcement of the civil proceedings.
APRA conducted a parallel Prudential Inquiry into CBA's governance and culture. The inquiry's final report, released in April 2018 and available at APRA's website, concluded that CBA's accountability frameworks had not adequately kept pace with the bank's growth and complexity. APRA required CBA to hold an additional AUD 1 billion in regulatory capital until it met the inquiry's remediation conditions, a requirement on top of the AUD 700 million civil penalty.
Alongside the settlement, CBA committed to a remediation program covering its AML/CTF Program, transaction monitoring systems, and customer due diligence processes. The bank increased its compliance headcount substantially and engaged external consultants to support the rebuild. The IDM coding error itself had been fixed in September 2015; the broader monitoring infrastructure was upgraded so that a reporting gap of that kind would be detected rather than discovered by law enforcement.
The case prompted AUSTRAC to signal increased supervisory intensity across all major Australian financial institutions. Industry bodies acknowledged the need for sector-wide improvements in AML/CTF controls. The CBA case is now referenced frequently in Australian and international regulatory discussions about product governance and financial crime risk management.
Lessons for other institutions
Three failures drove this case. All three appear, in different forms, in enforcement actions across jurisdictions.
First: don't launch a cash-facing product without a formal ML/TF risk assessment. CBA's IDMs accepted large cash deposits with limited friction. That profile required a documented, board-approved assessment before rollout. Any institution planning a new product that changes how cash enters the system should treat that risk assessment as a launch prerequisite, not a post-launch audit item.
Second: verify that monitoring systems are actually working. The coding error that disabled CBA's TTR reporting ran for nearly three years because no one reconciled expected TTR volumes against actual submissions. This is a simple control: for each channel and each reporting period, count the cash transactions at or above the reporting threshold whose filing deadline has passed, count the TTRs actually lodged for them, and investigate any gap. A channel with a non-zero expected count and zero filings is a dead feed, not a quiet month. Most compliance teams can build this check in days.
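The reconciliation described above (and under "What controls failed?"), together with the sub-threshold structuring pattern mentioned in the typologies section, reduces to a few dozen lines of code. The block below is an added example written for this page; it is not CBA's or AUSTRAC's code and none of the accounts, machines or amounts come from the court filings. It assumes the statutory 10-business-day TTR filing window and, as a simplification, ignores public holidays when computing that window.

```python
"""Reconcile expected vs. lodged Threshold Transaction Reports (TTRs) per channel,
and flag sub-threshold cash deposits that aggregate past the threshold.

All sample data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

TTR_THRESHOLD_AUD = 10_000   # physical currency threshold, AML/CTF Act s 43
TTR_FILING_BUSINESS_DAYS = 10  # statutory filing window after the transaction


@dataclass(frozen=True)
class CashDeposit:
    txn_id: str
    when: datetime
    channel: str       # e.g. "IDM" or "BRANCH"
    account: str
    amount_aud: int


@dataclass(frozen=True)
class FiledTTR:
    txn_id: str
    filed_on: date


def business_days_after(start: date, n: int) -> date:
    """Date n business days after `start`. Weekends only; public holidays are
    ignored here (simplification, not what a production calendar would do)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def reconcile(deposits, filed, as_of: date) -> dict:
    """Per channel: how many TTRs were due by `as_of`, how many were lodged,
    and which transaction IDs have no matching report."""
    filed_ids = {f.txn_id for f in filed}
    summary = defaultdict(lambda: {"expected": 0, "filed": 0, "missing": []})
    for d in deposits:
        if d.amount_aud < TTR_THRESHOLD_AUD:
            continue  # no TTR obligation
        if business_days_after(d.when.date(), TTR_FILING_BUSINESS_DAYS) > as_of:
            continue  # report not yet due; don't alert on it
        row = summary[d.channel]
        row["expected"] += 1
        if d.txn_id in filed_ids:
            row["filed"] += 1
        else:
            row["missing"].append(d.txn_id)
    return dict(summary)


def dead_feeds(summary: dict) -> list:
    """Channels that owed reports and lodged none: the CBA IDM pattern."""
    return [ch for ch, row in summary.items()
            if row["expected"] > 0 and row["filed"] == 0]


def structuring_candidates(deposits, window=timedelta(hours=24)) -> dict:
    """Accounts whose individually sub-threshold cash deposits sum to the
    threshold or more inside `window`. Returns account -> largest window total."""
    by_account = defaultdict(list)
    for d in deposits:
        if d.amount_aud < TTR_THRESHOLD_AUD:
            by_account[d.account].append(d)
    hits = {}
    for account, ds in by_account.items():
        ds.sort(key=lambda x: x.when)
        start = 0
        for end in range(len(ds)):
            while ds[end].when - ds[start].when > window:
                start += 1  # slide the window forward
            total = sum(x.amount_aud for x in ds[start:end + 1])
            if end > start and total >= TTR_THRESHOLD_AUD:
                hits[account] = max(hits.get(account, 0), total)
    return hits


# Constructed sample: the IDM channel lodges nothing, the branch channel works.
SAMPLE_DEPOSITS = [
    CashDeposit("T1", datetime(2015, 3, 2, 9, 0), "IDM", "A", 15_000),
    CashDeposit("T2", datetime(2015, 3, 2, 10, 0), "IDM", "B", 12_000),
    CashDeposit("T3", datetime(2015, 3, 3, 11, 0), "IDM", "C", 20_000),
    CashDeposit("T4", datetime(2015, 3, 3, 12, 0), "BRANCH", "D", 11_000),
    CashDeposit("T5", datetime(2015, 3, 4, 9, 0), "IDM", "E", 9_900),
    CashDeposit("T6", datetime(2015, 3, 4, 16, 0), "IDM", "E", 9_900),
    CashDeposit("T7", datetime(2015, 3, 5, 10, 0), "IDM", "E", 9_900),
    CashDeposit("T8", datetime(2015, 3, 5, 10, 0), "IDM", "F", 9_900),
]
SAMPLE_FILED_TTRS = [FiledTTR("T4", date(2015, 3, 10))]
AS_OF = date(2015, 3, 31)

if __name__ == "__main__":
    summary = reconcile(SAMPLE_DEPOSITS, SAMPLE_FILED_TTRS, AS_OF)
    for channel, row in summary.items():
        print(channel, row)
    print("dead feeds:", dead_feeds(summary))
    print("structuring candidates:", structuring_candidates(SAMPLE_DEPOSITS))
```

On the sample data the branch channel reconciles cleanly (1 expected, 1 lodged) while the IDM channel shows 3 expected and 0 lodged, which is exactly the signal that was absent for three years. Account E is flagged because three deposits of AUD 9,900 fall within a sliding 24-hour window; the first drops out of the window once the third arrives 25 hours later, so the reported total is the two-deposit sum.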
Third: treat law enforcement referrals as high-priority, time-sensitive inputs. When law enforcement flagged specific CBA accounts in 2015, the bank's response was too slow. Compliance teams need a defined protocol: named ownership of the review, a maximum response timeframe, and clear authority to restrict or close accounts. If it's not written down and tested, it won't happen consistently under pressure.
The APRA finding on governance deserves a separate board conversation. APRA concluded that CBA's senior management hadn't treated non-financial risk as a board-level concern. That's a culture problem, and culture problems don't fix themselves with a new policy document. Boards at peer institutions should test honestly whether their own accountability structures for financial crime risk would survive the same scrutiny. If the answer is uncertain, that's where to start.
How FluxForce helps prevent similar failures
FluxForce's AI agents monitor transaction channels continuously, including across new product deployments, flagging gaps in reporting feeds before they become multi-year blind spots. Nova Sentinel runs real-time behavioral analytics on high-risk accounts and automatically drafts SMRs when transaction patterns match known typologies. Every decision generates a documented, audit-ready evidence trail. Aiden Flux coordinates due diligence workflows so OCDD obligations on flagged accounts trigger immediately rather than sitting in a queue. Talk to the team to see how these capabilities apply in a regulated banking environment.
Sources and official documents
https://www.austrac.gov.au/news-and-media/media-release/cba-pays-largest-civil-penalty-australian-corporate-history
Prevent the failures that led to the Commonwealth Bank of Australia action
FluxForce AI agents monitor transactions in real time, surface the red flags examiners cite, and generate audit-ready evidence trails so control gaps are caught before regulators find them.