The Commonwealth Bank of Australia (CBA) this week agreed to pay a record penalty to settle its violations of anti-money laundering and counter-terrorism financing laws. The A$700 million fine plus legal costs will become final upon the approval of the Federal Court.
The deal was met with market approval, and has allowed regulators to claim victory. Given the public’s current hostility to banks in the wake of revelations from the Banking Royal Commission, politicians also joined the bandwagon and applauded CBA’s loss.
What if the penalty is a sign of mob justice, rather than just deserts? And given the scale of the payout, will the fine also end up further punishing customers and shareholders?
Answering these questions requires a close look at the case. CBA was alleged to have violated the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, in several specific ways.
First, it introduced Intelligent Deposit Machines (IDMs) without conducting an independent risk assessment and/or instituting mitigation procedures to tackle money-laundering. Unlike older ATMs, IDMs process cash deposits and make the funds available for transfer immediately. Clearly, criminals could use these features to launder cash gained through crime. CBA wrongly believed that its existing ATM monitoring processes covered these risks.
Second, it was warned about these risks and could have minimised money laundering by imposing daily limits on accounts. CBA refused.
Third, CBA failed to provide transaction reports within 10 business days for cash deposits greater than A$10,000. This violation referred to 53,506 transactions totalling about A$625 million. The failure was due to a coding error – the software was not updated to pick up a new code created for IDM deposits.
Fourth, CBA failed to report transactions with a pattern of money-laundering – apparently misunderstanding its legal obligations.
Fifth, CBA failed to report suspicions about identity fraud – for example, in relation to eight money-laundering syndicates. Therefore, AUSTRAC and law enforcement were unaware of “several million dollars of proceeds of crime mostly connected with drug importation and distribution” that passed into accounts held by CBA.
Sixth, CBA was deficient in monitoring accounts despite warnings from law enforcement – 778,370 accounts were not monitored. CBA was slow to act even after suspicious accounts were terminated, facilitating money-laundering.
Clearly these are significant violations. However, the statement of facts agreed by AUSTRAC and CBA state that the bank did not deliberately or intentionally violate its legal obligations under the relevant laws.
Considering that CBA’s violations were inadvertent, due to technical glitches, and attributable to a mistaken belief about existing systems satisfying legal obligations, the A$700 million fine might be excessive.
By international standards, the fine seems to be very high. This week the UK Financial Conduct Authority fined the British division of India’s Canara Bank £896,100 (A$1.58 million) for “consistent failure” in its money-laundering controls, and for failings “affecting almost all aspects of its business”.
The FCA said the bank’s failings “potentially undermine the integrity of the UK financial system by significantly increasing the risk that Canara could be used for the purposes of domestic and international money laundering, terrorist financing and those seeking to evade taxation or the implementation of sanction requirements”.
In the United States, the Justice Department fined US Bancorp US$528 million (A$694 million) for criminal violations of money-laundering laws and for concealing its behaviour from regulators.
CBA’s fine is far higher than Canara’s punishment for similar violations, and roughly on a par with the sanction meted out to US Bancorp - albeit the latter was for more serious criminal wrongdoing. It is also comparable to the US$665 million (A$874 million) penalty imposed on HSBC (plus US$1.26 billion in sacrificed profits). Unlike CBA, HSBC was punished for “willfully failing” to maintain proper money-laundering controls.
Yet the proceeds from HSBC’s violations stretching back to the 1990s were staggering: at least US$881 million in laundered drug money; a failure to monitor more than US$670 billion in wire transfers and over US$9.4 billion in purchases of physical US dollars from HSBC Mexico; some US$660 million in sanctions-prohibited transactions; and evidence of deliberate sanctions violations by processing transactions to parties in Iran, Cuba, Burma, Sudan, and Libya.
A fair punishment?
The size of CBA’s penalty seems to be more in line with banks that have deliberately flouted money-laundering laws, rather than the smaller punishments handed to banks that did so unintentionally. It is tempting to conclude that this is influenced by the current prevailing mood to “send a message” to financial institutions.
What’s more, we cannot necessarily assume that the fine will act as a deterrent. The penalty is not paid by the CBA staff who acted wrongly; it is paid by the bank, ultimately by the shareholders.
Similarly, the cost of managing enhanced scrutiny and investing in additional compliance machinery will be passed on to customers in the form of higher charges and fees. Likewise, if banks become excessively cautious because of apprehensions about overenforcement, that will impact services and reduce profitability – again harming innocent people.
The punishment must always fit the crime. Excessive punishment is counterproductive and creates additional victims.
If the purpose was really to tackle wrongdoing, the CBA staff who were responsible for the violations should have been identified and penalised.
The A$700 million fine is good for political posturing but will hurt customers and shareholders the most. Bank-bashing has a cost, and it is paid by ordinary people, not politicians.