Federal Court of Australia

Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477

ORDERS

THE COURT ORDERS THAT:

1.    In the event that agreement can be reached on the form of the orders that should be made, and the answers to the common questions that should be given, in light of the reasons for judgment published as Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477 (the reasons for judgment), the parties provide a draft of the orders and the answers, which they propose, to the Associate to Yates J on or before 4.00 pm on 24 May 2024.

2.    In the event that agreement on the matters referred to in Order 1 cannot be reached, the parties inform the Associate to Yates J, on or before 4.00 pm on 24 May 2024, of the nature and extent of the disagreement between them, whereupon a case management hearing will be appointed to make further directions that are necessary to allow all outstanding matters in dispute to be determined.

3.    Subject to further order, until 5.00 pm on 15 May 2024 the reasons for judgment be published only to the parties and their legal advisers and not be disclosed to any other person.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

ORDERS

THE COURT ORDERS THAT:

1.    In the event that agreement can be reached on the form of the orders that should be made, and the answers to the common questions that should be given, in light of the reasons for judgment published as Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477 (the reasons for judgment), the parties provide a draft of the orders and the answers, which they propose, to the Associate to Yates J on or before 4.00 pm on 24 May 2024.

2.    In the event that agreement on the matters referred to in Order 1 cannot be reached, the parties inform the Associate to Yates J, on or before 4.00 pm on 24 May 2024, of the nature and extent of the disagreement between them, whereupon a case management hearing will be appointed to make further directions that are necessary to allow all outstanding matters in dispute to be determined.

3.    Subject to further order, until 5.00 pm on 15 May 2024 the reasons for judgment be published only to the parties and their legal advisers and not be disclosed to any other person.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

YATES J:

Introduction

1    On 3 August 2017, the Chief Executive Officer (CEO) of the Australian Transaction Reports and Analysis Centre (AUSTRAC) commenced a proceeding against the respondent, Commonwealth Bank of Australia Limited (the Bank), for civil penalties and other relief (the civil penalty proceeding) because the Bank failed to comply with its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act). As events transpired, the Bank made various admissions of contravention for the purposes of that proceeding. On 20 June 2018, the Court granted declarations in relation to the Bank’s contraventions and imposed a pecuniary penalty pursuant to s 175(1) of the AML/CTF Act in the sum of $700 million: Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited [2018] FCA 930.

2    The present proceedings concern events and circumstances that gave rise, in part, to the civil penalty proceeding. They are, however, separate from the civil penalty proceeding and involve markedly different questions of legal liability.

3    The applicants allege that the Bank breached its obligations of continuous disclosure under Ch 6CA of the Corporations Act 2001 (Cth) (the Corporations Act)—specifically, s 674(2)—because, in the period 16 June 2014 and 1.00 pm on 3 August 2017 (the relevant period), it had information relating to some of (what were later found to be) its contraventions of the AML/CTF Act which it did not disclose to the market operated by the Australian Securities Exchange (the ASX) on which its shares (CBA shares) were traded. This information, which the applicants plead in various forms, is conveniently categorised as the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information. The applicants allege that the Bank was required by r 3.1 of the ASX Listing Rules to disclose this information. They allege, further, that, had this information (or a combination of it) been disclosed, it would have had a material effect on the market price of CBA shares.

4    Relatedly, the applicants allege that, throughout the relevant period, the Bank engaged in misleading or deceptive conduct on a continuous basis by publishing, and failing to correct or modify, various representations. These representations included representations to the effect that the Bank had in place effective policies, procedures, and systems to ensure its compliance with relevant regulatory requirements, and with its continuous disclosure obligations.

5    The applicants contend that these representations were misleading or deceptive because the Bank did not have effective policies, procedures, and systems in place to ensure compliance with the AML/CTF Act or to ensure compliance with its continuous disclosure obligations under Ch 6CA of the Corporations Act. The applicants allege that, by engaging in this conduct, the Bank contravened s 1041H(1) of the Corporations Act, s 12DA(1) of the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act) and, or alternatively, s 18(1) of Sch 2 to the Competition and Consumer Act 2010 (Cth) (the Australian Consumer Law).

6    Further, the applicants allege that, in connection with a pro-rata renounceable entitlement offer of new CBA shares that was made to shareholders in September and October 2015 to raise $5 billion in capital (the 2015 Entitlement Offer), the Bank issued a cleansing notice that was defective within the meaning of s 708AA(11), and which was not corrected as required by s 708AA(10), of the Corporations Act.

7    The applicants allege that, because the Bank did not comply with its continuous disclosure obligations as it should have done, or because the Bank engaged in misleading or deceptive conduct, or because the Bank issued and did not correct an allegedly defective cleansing notice, CBA shares traded on the ASX at an artificially inflated price (i.e., at a price above the price that a properly informed market would have set). They contend that they acquired CBA shares in that inflated market and, as a consequence, paid too much for them. They seek to recover, by way of damages, the amount of that inflation or an amount referable to that inflation.

8    For the reasons that follow, I have concluded that the applicants’ case against the Bank fails at a number of levels.

The proceedings

9    There are two proceedings before the Court that have been commenced under Pt IVA of the Federal Court of Australia Act 1976 (Cth).

10    The first proceeding is Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited: VID 1085 of 2017 (the Zonia proceeding). The second proceeding is Philip Anthony Baron and Joanne Baron v Commonwealth Bank of Australia Limited: NSD 1158 of 2018 (the Baron proceeding). The Zonia proceeding was commenced as an “open” class action. The Baron proceeding was commenced as a “closed” class action (whose Group Members are those who had signed a funding agreement with Therium Australia Limited at the commencement of that proceeding).

11    For some time, the two proceedings were case-managed together. After a significant period of conferral between the applicants in each proceeding, interlocutory applications were filed seeking orders that the two proceedings be consolidated. This proposal was abandoned before the interlocutory applications were heard. The interlocutory applications were then amended, with leave, to seek (what were called) Cooperative Case Management orders. These orders were made over the Bank’s opposition on 10 July 2019: Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 2) [2019] FCA 1061.

12    Amongst other things, the Cooperative Case Management orders provided for the filing of harmonised pleadings to ensure that the allegations against the Bank in each proceeding were substantially the same. The orders also provided that one set of counsel be briefed to represent the applicants and Group Members in each proceeding.

13    As a consequence, one case was presented against the Bank at the hearing. In these reasons, I have referred to this case as “the applicants’ case”. I have drawn distinctions between the applicants only when it has been necessary to do so. I have also referred to the final amended, but nevertheless harmonised, versions of the statements of claim filed by the applicants in their respective proceedings as, simply, “the statement of claim” and the defences filed by the Bank as “the defence”.

The evidence

14    The applicants’ case was advanced through documentary tenders and expert evidence.

15    The Bank’s case was advanced through documentary tenders, lay evidence, and expert evidence responding to the applicants’ expert evidence.

The Bank’s lay evidence

16    As to the lay evidence, the Bank read affidavits by:

(a)    Ian Mark Narev, who was the Managing Director and CEO of the Bank and its related corporate entities (together, the Group) from 1 December 2011 until 8 April 2018;

(b)    Shirish Moreshwar Apte, who was, at relevant times, a non-executive director of the Bank and a member of the Risk Committee and the Audit Committee (both Board committees);

(c)    Mark Andrew Worthington, who was, from July 2010 to 31 March 2019, the Executive General Manager of Group Audit and Assurance (Group Audit) for the Bank (i.e., the internal Group Auditor); and

(d)    David Antony Keith Cohen, who was, at the time of hearing, the Bank’s Deputy CEO. From February 2012 to June 2016, he was the Group’s General Counsel and Group Executive (Group Corporate Affairs). From July 2016 to November 2018, he was the Group’s Chief Risk Officer (CRO).

17    These deponents were cross-examined.

18    The Bank also read affidavits by Gopal Jana, Justin Jun-Ting Lee, Leisa Nicole Zaharis, Craig Bruce Woodburn, Prathish Jose, and Nada Novakovic, all of whom, at the time of the hearing, were employees of the Bank, and affidavits from Bryony Kate Adams, a partner in Herbert Smith Freehills, the solicitors for the Bank. These deponents were not cross-examined.

19    The Bank expected to read an affidavit by Sir David Hartmann Higgins who was, at relevant times, a non-executive director of the Bank and a member of Board committees, including the Risk Committee (from April 2016 until his retirement from the Board on 31 December 2019) and the Audit Committee (from October 2014 until March 2016). However, following my refusal of the Bank’s application to permit him to give oral evidence by audio-visual link (Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 3) [2022] FCA 1323), Sir David’s affidavit was not read.

20    The applicants advance a number of submissions criticising the evidence given by Mr Narev, Mr Apte, Mr Worthington, and Mr Cohen.

21    The applicants contend that Mr Narev’s affidavit evidence provided “a selective account of events” that was “an elaborately crafted artifice”. In closing submissions, they compared various passages in Mr Narev’s affidavit with various passages in the transcript of his cross-examination in an endeavour to demonstrate what they saw to be inconsistencies in his evidence. The applicants went so far as to contend that Mr Narev’s affidavit was “never a true or accurate reflection of his recollection of events or state of mind during the Relevant Period”.

22    I do not accept these submissions. I do not consider the applicants’ criticisms to be warranted. I found Mr Narev to be a sound witness who, in cross-examination, was prepared to revisit his affidavit and accept various propositions put to him. Generally speaking, I do not think that any matters of substance arose in the course of Mr Narev’s cross-examination that revealed material inconsistencies with the matters to which he had deposed in his affidavit. On the whole, I accept Mr Narev’s evidence.

23    The applicants contend that Mr Apte “had no genuine recollection of, or was not involved in, significant events during the Relevant Period”. They contend that Mr Apte “did not appear to possess any memory of significant events immediately prior to or during the Relevant Period”. They contend, further, that the opinions expressed by Mr Apte in his affidavit were “nothing more than self-serving submissions constructed after the fact”.

24    I do not accept these submissions. Indeed, I think the applicants’ criticisms of Mr Apte’s evidence are unfair. I found Mr Apte to be a careful witness who attended to the detail of the questions put to him in cross-examination. I do not accept that he did not have, or did not appear to have, a memory of significant events during the time that he was a director of the Bank. I do not think that Mr Apte is to be criticised for making clear the limits of his memory of events that occurred a significant number of years before the hearing. Moreover, I do not consider it to be unusual that, as a non-executive director of the Bank, Mr Apte did not profess to have knowledge of some matters of detail that were put to him. On some occasions, Mr Apte made clear that he was not prepared to speculate on what his state of mind would have been on matters of which he had no actual knowledge. This, however, indicates the care with which Mr Apte attended to the questions put to him. On the whole, I accept Mr Apte’s evidence.

25    The applicants contend that Mr Worthington’s evidence had “little, if any, relevance to the issues in dispute in this proceeding” and that there were “inconsistencies between [his] affidavit and oral testimony”. The applicants contend that Mr Worthington was “a wholly unimpressive witness” whose evidence should be disregarded.

26    I do not accept these submissions. I do not accept that Mr Worthington was “a wholly unimpressive witness” and do not understand why his evidence should be characterised as such. Mr Worthington’s evidence was relevant and informative and, on the whole, I accept it.

27    The applicants contend that Mr Cohen’s affidavit was “a carefully constructed artifice that did not withstand scrutiny during cross-examination”. The applicants contend that because of “significant and numerous contradictions” revealed in Mr Cohen’s cross-examination and “his frequently convoluted accounts in the witness box”, the Court should not have “any confidence in the reliability or truthfulness of [his] evidence” which, according to the applicants, the Court should set aside save where Mr Cohen made admissions against the Bank’s interests.

28    I accept that there were some concerning aspects of Mr Cohen’s evidence. One such aspect was Mr Cohen’s account of when he first learned of the late TTR issue—a significant matter discussed in greater detail below. In his oral evidence in chief, Mr Cohen corrected the statement he had made in his affidavit (to the effect that he became aware of this issue in October 2015). Mr Cohen said that, in preparing to give his oral evidence, it had become apparent to him that he had received a copy of a 6 September 2015 email referring to this issue and that a verbal disclosure of the issue was also made by Mr Toevs at a meeting of the Bank’s Executive Committee on 17 September 2015 (Mr Cohen said that he had mistakenly thought that this disclosure had been made verbally by Mr Toevs at an Executive Committee meeting on 8 October 2015, but Mr Cohen later realised that Mr Toevs was not in attendance at that meeting).

29    In his oral evidence in chief, Mr Cohen said that he wanted to draw attention to these matters because his affidavit “might give the impression that the very first time I heard of the TTR issue was in October 2015”. In that assessment, Mr Cohen was correct. I think this is how his affidavit reads.

30    When cross-examined on the correction, Mr Cohen maintained that his affidavit evidence was still correct because, in October 2015, he became aware that, in August 2015, the Bank had (as he said in his affidavit) identified “an error which had resulted in more than 50,000 threshold transaction reports … not being submitted to AUSTRAC through [the Bank’s] intelligent deposit machines … within the required 10 day time frame …”. In other words, although he had recently come to accept that he had had earlier knowledge of the late TTR issue, Mr Cohen only learned of the number of late TTRs in October 2015 and, to this extent, his affidavit was correct.

31    Mr Cohen was cross-examined on the truthfulness of the last-mentioned explanation. In closing submissions, his explanation was at the forefront of the applicants’ contention that his evidence was unsatisfactory, and that his explanation had cast “doubt on both the accuracy of his recollections and his capacity to provide truthful evidence under oath”.

32    I am not persuaded that Mr Cohen was being untruthful in defending his affidavit evidence. However, on this matter, I think that Mr Cohen’s affidavit evidence was inadvertently incomplete on an important issue. Although Mr Cohen’s affidavit evidence on this topic was not critical to establishing the Bank’s awareness of the late TTR issue (because the Bank’s own evidence was that Mr Narev and Mr Comyn were aware of that issue by 6 September 2015 at the latest), it was important in relation to events concerning the 2015 Entitlement Offer—another significant matter discussed in greater detail below. Uncorrected, the effect of Mr Cohen’s affidavit was that, as Chairman of the due diligence committee appointed to oversee the 2015 Entitlement Offer, he did not know of the late TTR issue until after the final meeting of the committee on 17 September 2015 (the day before the shares under the offer were issued). Mr Cohen’s inadvertence on this matter leads me to treat his evidence with some care on other topics he addressed.

33    The applicants also criticise Mr Cohen for the lateness of his correction. However, ultimately, nothing turns on this. I do not think it fell to Mr Cohen to decide when the correction to his affidavit should have been communicated to the applicants’ legal representatives.

34    The applicants also submit that Mr Cohen’s explanation for his correction was “conflicting, incoherent and garbled”. I do not accept that submission. Mr Cohen’s explanation was clear.

35    The applicants also criticise Mr Cohen’s evidence that, as at 24 April 2017, the Bank’s Executive Committee did not have sufficient information to warrant disclosure to the market of AUSTRAC’s investigation into the Bank’s non-compliance with the AML/CTF Act. In his affidavit, Mr Cohen provided reasons for that view. The applicants submit that, in cross-examination, Mr Cohen contradicted the reasons he had given. I am not persuaded that Mr Cohen’s affidavit evidence was contradicted by his oral evidence in cross-examination. That said, the cross-examination did assist in putting Mr Cohen’s affidavit evidence, on that topic, in context.

36    There are some other aspects of Mr Cohen’s evidence on which I will comment in later paragraphs of these reasons. However, for present purposes it is sufficient for me to state that I do not accept that Mr Cohen’s affidavit was “a carefully constructed artifice” or that, in cross-examination, he made “significant and numerous contradictions” or “frequently convoluted accounts in the witness box”. Further, even though some aspects of Mr Cohen’s evidence were qualified in cross-examination, I do not accept that I should set aside his evidence as unreliable or untruthful. On the whole, I found him to be a satisfactory witness although, as I will later explain, I do not accept all his evidence.

The applicants’ submissions on inferences to be drawn

37    The applicants also contend that I should draw inferences that are adverse to the Bank’s interests because of its failure to call certain witnesses. As a general observation, it is not clear to me what these witnesses could have added to what is already apparent from the extensive documentary record that is before the Court.

38    For example, the applicants point to the fact that the Bank did not call certain employees who (they say) could have given evidence concerning the late TTR issue in relation to events in 2013. I deal with these events in later sections of these reasons. In my view, the documentary record is clear. As will become apparent, my interpretation of that record does not accord with the applicants’ interpretation. Therefore, I do not draw the inferences that the applicants say I should draw simply because the Bank did not call these employees to give evidence.

39    The applicants submit that I should draw certain inferences because the Bank did not call Mr Comyn as a witness (in the relevant period, Mr Comyn was the Group Executive for Retail Banking Services). However, the documentary record (as it relates to communications to and from Mr Comyn, or with which Mr Comyn was copied) is clear. The applicants do not suggest that the record is incomplete or contrived. The Bank does not suggest that Mr Comyn had an understanding of events that differs from the documentary record. There is, therefore, no reason why I should not take these communications at face value.

40    The applicants submit that I should infer that Mr Comyn was aware from October 2015 that “no … risk assessment had been completed since May 2012” in respect of the Bank’s Intelligent Deposit Machines (IDMs) (as to which see [60] and [97] – [104] below). I am not prepared to draw an inference that adds to the evidence in that way. Even so, I do not see how this submission advances the applicants’ case because, as I will later explain, it is not in doubt that the Bank knew in October 2015 that a separate risk assessment had not been carried out when IDMs were introduced in 2012.

41    The applicants also submit that I should infer that Mr Comyn was aware of the seriousness of certain matters communicated to him in emails of 23 June 2016 and 13 July 2016 in relation to a (first) notice given to the Bank under s 167 of the AML/CTF Act seeking the production of information and documents, and in an email dated 7 March 2017 relating to the outcome of a meeting between two employees of the Bank and AUSTRAC. Once again, the content of the emails is clear on the face of the documents themselves, and the Bank does not suggest that Mr Comyn had any view that differed from what the emails clearly say.

42    The applicants submit, further, that I should infer that Mr Comyn knew of, and was kept abreast of, an undertaking within the Bank called Project Concord and that Mr Comyn was concerned to manage reputational damage from the public disclosure of “AML issues” by AUSTRAC, “including by way of a penalty proceeding”. Once again, I am not prepared to make an inference that adds to the evidence in that way. In any event, the evidence establishes, independently, that officers of the Bank knew the details of Project Concord, which is discussed in more detail below.

43    The applicants submit that I should infer that, in light of a proceeding commenced by AUSTRAC against Tab Limited, Tabcorp Holdings Limited, and Tabcorp Wagering (Vic) Pty Ltd (collectively, Tabcorp) (the Tabcorp proceeding), certain officers of the Bank (who were not called as witnesses) were concerned that civil penalty proceedings might also be commenced against the Bank for its breaches of the AML/CTF Act. However, as I will come to explain, the evidence already makes it abundantly clear that the Bank knew of the Tabcorp proceeding and that it was possible that civil penalty proceedings could also be commenced against it. Equally, the evidence makes it clear that AUSTRAC had informed the Bank on a number of occasions prior to 3 August 2017 that, if enforcement action were to be taken against the Bank: (a) AUSTRAC had a number of options available to it; (b) that AUSTRAC had made no decision on the question of enforcement action (including what, if any, enforcement option it might take); and (c) that AUSTRAC would give notice to the Bank before taking any enforcement action.

44    The applicants submit that I should draw certain inferences because the Bank did not call Ms Livingstone, the Bank’s former Chair, as a witness. Again, I am not prepared to draw inferences that add to the evidence in the way that the applicants suggest. The documents on which they rely—a transcript of part of Ms Livingstone’s evidence to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Financial Services Royal Commission) and a copy of Ms Livingstone’s file note of a meeting with Mr Jevtovic on 30 January 2017, also discussed below—are in evidence and speak for themselves.

The expert evidence

45    Expert evidence was given through the tender of expert reports (including joint reports) and orally in concurrent expert evidence sessions in which each of the participants was cross-examined.

46    The applicants called expert evidence from:

(a)    Professor Raymond da Silva Rosa, who is a Professor of Finance at the University of Western Australia’s Business School. He is the Chair of the University’s Academic Board and Council, a member of the Senate of the University, and a past-President of the Accounting and Finance Association of Australia and New Zealand. He has expertise in studying investor behaviour. He has co-authored research on the impact of Australia’s continuous disclosure regime. He has also undertaken and published, in both academic and industry refereed journals, research on the appropriate way to measure investor reaction to corporate events, such as takeover announcements and the publication of substantial shareholder notices. He has lectured on Behavioural Finance (how psychology and economics explain investor behaviour).

(b)    Mr Rowan Johnston, who has expertise in arranging, managing, underwriting, and advising on share issues and engaging with market participants via a corporate advisory role. From 1987 to 2002, Mr Johnston worked at Deutsche Bank AG in Sydney and Hong Kong in Corporate Finance and then Equity Capital Markets, including some five or six years as Joint Head or Head of Equity Capital Markets in Australia. From 2003 to 2014, Mr Johnston worked at Greenhill (formerly called Caliburn Partnership Pty Ltd) with a focus on advising on capital raisings and sell-downs. Mr Johnston was formerly a corporate lawyer.

(c)    Professor Peter Easton, who is the Notre Dame Alumni Professor of Accountancy and Director of the Center of Accounting Research and Education at the Mendoza College of Business at the University of Notre Dame in the United States of America. Professor Easton has held a number of other academic positions in Australian and overseas universities. Over the past 40 years, his research has focused on the role of information in securities valuation and investors’ decision-making. He has published numerous articles in peer-reviewed academic journals and several textbooks on these subjects. He has also served as editor of a number of peer-reviewed journals. His teaching, as well as a large part of his consulting activities, has involved the detailed analysis of complex accounting and valuation issues, forecasting future financial statements, determining the feasibility of investment opportunities, and exploring the link between financial statements and the value and viability of the underlying entity.

(d)    Mr Howard Elliot, who has expertise in the design and development of IT systems.

47    The Bank called expert evidence from:

(a)    Dr Sanjay Unni, who is a former academic with more than 30 years’ experience. He has taught at the University of California, Berkeley, the University of Strathclyde, Glasgow, the University of Texas, and Southern Methodist University. He is the Managing Director of the Berkley Research Group. Dr Unni has expertise as a financial economist.

(b)    Mr Mozammel Ali who is a former investment banker with more than 25 years’ experience in the financial services industry. He was a senior executive in the Corporate Finance division of Deutsche Bank AG, including in the Financial Institutions Group and the Capital Markets and Treasury Solutions team. He was also Head of Capital Solutions. Before then he was employed by Citibank advising on mergers and acquisitions, and capital raising transactions. Mr Ali has expertise in equity capital markets.

(c)    Mr David Singer, who is a former investment banker with more than 25 years’ experience. Mr Singer was the Managing Director and Head of Sales Trading at UBS Securities Australia. In that employment, he was active in the market speaking to investors, trading shares (including CBA shares) and making assessments on a day-to-day basis as to the information that was material to investors’ decisions.

(d)    Mr Shane Bell, who is a partner in McGrathNicol. Mr Bell is a technology and cybersecurity expert, and a certified computer examiner.

48    The parties advanced criticisms of the evidence given by the opposing experts. I do not propose to deal with these criticisms seriatim. It is sufficient for me to record that, contrary to some of the submissions that were advanced, I found each expert to be a satisfactory witness whose analysis and opinions provided assistance in elucidating the issues before the Court that were within his field of expertise. I discuss the expert evidence in some considerable detail in later sections of these reasons, including the extent to which I accept that evidence. The fact that I have not accepted a particular expert’s opinion is not intended to reflect, and should not be taken as reflecting, adversely on that witness’s competence.

Background

The Bank

49    The Bank is, and was at all times relevant to this proceeding, Australia’s largest bank. For the years ended 30 June 2014 to 30 June 2017 (a period covering, substantially, the relevant period), the Bank’s total annual income was between $22 billion and $26 billion; its profit was between $8.6 billion and $9.9 billion. It employed approximately 52,000 staff members.

50    The Bank operates (and, in the relevant period, operated) in a highly regulated market and processes a large volume of domestic and cross-border transactions. The Bank’s own estimate is that it has “visibility” of around 40% of all financial transactions in Australia. According to the Bank, one in two inbound cross-border commercial payments are destined to its account holders.

51    The Bank is required to monitor all these transactions under AML/CTF legislation, to which I will refer in more detail. For present purposes, it is sufficient to record that, as at May 2015, the Bank was monitoring approximately 7 million transactions per day with a value of $219 billion. At that time, peak volumes stood at 16 million transactions per day with a value of $570 billion. As at June 2016, the Bank was monitoring over 8 million transactions per day with a value of $300 billion. As at April 2017, the Bank was reporting approximately 3.1 million International Funds Transfer Instructions (IFTIs), 800,000 Threshold Transaction Reports (TTRs), and almost 9,000 Suspicious Matter Reports (SMRs) to AUSTRAC each year.

AML/CTF legislative regime

52    The Bank is, and was at all times relevant to this proceeding, licensed to carry on banking business in Australia and authorised to take deposits from customers as an Authorised Deposit-Taking Institution (ADI) under the Banking Act 1959 (Cth). It was subject to the AML/CTF Act and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth) (the AML/CTF Rules).

53    The AML/CTF Act imposes obligations on ADIs which provide “designated services”. These services are defined in s 6 of the AML/CTF Act. A “designated service” includes opening an account or allowing a transaction to be conducted in relation to an account. A person who provides a “designated service” is a “reporting entity”: s 5.

54    Part 3 of the AML/CTF Act contains reporting obligations for reporting entities. Relevantly to this proceeding, one obligation is to report a “threshold transaction” (as defined in s 5) to the CEO of AUSTRAC (the AUSTRAC CEO): ss 43(2)–(3). A “threshold transaction” includes, for example, a transaction involving the transfer of physical currency, where the total amount of physical currency transferred is not less than $10,000. I will refer to these reports as “TTRs”, in accordance with what appears to be the commonly used acronym for these transactions. Section 43(2) is a civil penalty provision: s 43(4). The obligation to report threshold transactions features prominently in this case.

55    Section 81(1) of the AML/CTF Act provides that a reporting entity must not commence to provide a designated service to a customer if the reporting entity has not adopted and maintained an anti-money laundering and counter-terrorism financing program that applies to the reporting entity. Section 81(1) is a civil penalty provision: s 81(2). The program can be a standard AML/CTF program, a joint AML/CTF program, or a special AML/CTF program: s 83(1). The Bank adopted and maintained a joint anti-money laundering and counter-terrorism program. Such a program is divided into two parts—Part A (general) and Part B (customer identification): s 85(1).

56    The primary purpose of Part A is to identify, manage, and mitigate the risk that a reporting entity may reasonably face that the provision of designated services at or through its Australian operations might involve or facilitate money laundering or the financing of terrorism: s 85(2)(a). Section 82(1) provides that a reporting entity must comply with Part A of the program. Section 82(1) is a civil penalty provision: s 82(2). The Bank’s compliance with Part A of its program also features in this case.

57    The sole or primary purpose of Part B is to set out the applicable customer identification procedures for the purpose of the application of the Act to customers. Part B must comply with the requirements of the AML/CTF Rules: s 85(3).

The Bank’s Joint Anti-Money Laundering and Counter-Terrorism Program Part A

58    Part A of the Bank’s program provided that the program would be implemented and monitored in accordance with its Group Compliance Risk Management Framework and Group Operational Risk Management Framework.

59    In relation to risk identification and assessment, Part A provided that the Group must conduct an assessment of Money Laundering and Terrorism Financing (ML/TF) risks faced by members of the Group and maintain a current assessment, with changes in risk recognised and assessed. Each Business Unit or Designated Business Group (where the reporting entities in the Group were related to each other) was required to conduct an assessment, using the Group’s ML/TF Risk Assessment Methodology (or another appropriate and approved method), of the inherent ML/TF risk posed by (a) each new designated service prior to introducing it to the market; (b) each new method of designated service delivery prior to adopting it; and (c) each new or developing technology used for the provision of a designated service prior to adopting it. Further, periodic reviews were to be carried out at least every two years.

60    The applicants contend—and it is not disputed—that the “IDM channel” rolled out by the Bank in 2012 (see [97] – [104] below) fitted these descriptions: it was (at least) a “new method of designated service delivery” or a “new or developing technology used for the provision of a designated service”.

The Group Compliance Risk Management Framework

61    The Group Compliance Risk Management Framework (CRMF) was directed to the risk of legal and regulatory sanctions, material financial loss, or loss of reputation that the Group might incur as a result of its failure to comply with the requirements of relevant laws, industry and Group standards and policies, and codes of conduct. Compliance risk is also known as regulatory risk.

62    One of the Group CRMF principles concerned monitoring and measuring. The principle was expressed as:

Transparency around compliance incidents, control weaknesses and framework effectiveness will be maintained, including timely escalation and reporting.

63    In this regard, the framework also provided that:

Issues or incidents must be reported in accordance with the relevant incident and issue procedures.

64    It is appropriate to mention here that, in relation to monitoring and measurement, the Bank adopted a “Three Lines of Defence” model (the 3LoD model) under which the accountability for the management of risk fell primarily (the first line of defence) to business management to ensure effective compliance risk and incident management within their operations, with the second line of defence falling to (a) Business Units to establish and maintain an effective Business Unit CRMF and compliance control infrastructure, and to monitor compliance consistent with that framework; and (b) Group Compliance to monitor and report on compliance risk management across the Group, raising issues where necessary and reporting to senior management, the Risk Committee, and the Board. The third line of defence was Group Audit and External Audit to conduct independent audits of the implementation, condition, maintenance, and management of the Group CRMF.

65    On 3 November 2015, following the findings of the transaction monitoring program (TMP) review report, the 2013 audit report, and the 2015 audit report (discussed at [170] – [221] below), a briefing paper was prepared for Mr Narev which discussed “a range of potential options” in relation to improvements in the Bank’s 3LoD model from “tactical adjustments” to “major structural shifts”. It would seem that Mr Narev (and perhaps others) had arrived at the view that the Bank’s implementation of the then current 3LoD model was neither effective nor efficient and that this state of affairs was not acceptable. These issues led to Project Trifecta, which was a redesign of the Bank’s 3LoD model.

66    On 16 November 2015, Mr Toevs (who, at the time, was Group CRO) and Mr Dingley (who, at the time, was Chief Operational Risk Officer) presented a proposal to the Bank’s Executive Committee containing three options. The recommended option was a centralisation of specific functions (as opposed to full centralisation (Option 2) or a global model (Option 3)). In March 2016, Mr Toevs circulated a further proposal, which he described as “an iteration of an option presented in the original Trifecta strategy presentation last year” and which included a proposal to create a “Financial Crime Centre of Excellence”.

The Compliance Incident Management Group Policy

67    As part of the Group CRMF, the Bank adopted a Compliance Incident Management Group Policy. It was identified as a key component of the framework. The purpose of the policy was to establish principles in relation to identifying, assessing, and managing compliance issues, and outlining the requirements with respect to the regulatory reporting of compliance issues.

68    The policy identified a compliance issue as an actual, suspected, likely, or imminent contravention of an obligation of any applicable law, regulation, industry standard, industry code, or external business rule or guideline (such as the ASX Listing Rules). The policy identified a reportable breach as a compliance incident which had been assessed and had been determined as being reportable to a regulator.

69    Paragraph 5.1 of the policy principles provided:

5.1     BUs must develop and maintain up to date and approved procedures that are clear, well-understood and document the process for:

•    Identifying compliance incidents or likely compliance incidents;

•    Assessing all compliance incidents; including determining if they are reportable breaches;

•    Reporting and escalating compliance Incidents, ensuring the relevant people including those responsible for compliance, are made aware of compliance incidents and reportability; and

•    Rectifying and resolving compliance incidents.

70    RiskInSite was the Group’s integrated system which provided a common platform for managing operational risk and compliance risk across the Group. The policy provided that all compliance risk incidents were to be accurately recorded and maintained in RiskInSite, with the expectation that such incidents would be recorded within a maximum of five business days of discovery.

AUSTRAC’s powers

71    AUSTRAC has certain investigative powers. Under s 202(2) of the AML/CTF Act, the AUSTRAC CEO (or another person authorised by s 202(1)) can give a written notice to a person (who the AUSTRAC CEO or another authorised person believes, on reasonable grounds, is a reporting entity) requiring the person to give information or produce documents relevant to: (a) determining whether the person provides designated services at or through a permanent establishment in Australia; (b) ascertaining details relating to any permanent establishment in Australia at or through which the person provides designated services; and (c) ascertaining details relating to designated services provided by the person at or through a permanent establishment of the person in Australia. However, such a notice can only be given where, on reasonable belief, the notice is required to determine whether to take action under the AML/CTF Act or in relation to proceedings under that Act: s 202(3).

72    Under s 167 of the AML/CTF Act, the AUSTRAC CEO (or another authorised officer, as defined in s 5) can give written notice to certain persons, including a reporting entity, to give information or to produce documents where, on reasonable belief, the person has information or a document that is relevant to the operation of the AML/CTF Act, the Anti-Money Laundering and Counter-Terrorism Financing Regulations (Cth) (when in force) (the Regulations), or the AML/CTF Rules. In the present case, notices were given to the Bank under this provision, in the circumstances discussed below.

73    There are a number of avenues open to the AUSTRAC CEO where non-compliance with the AML/CTF Act, Regulations, or AML/CTF Rules has occurred.

74    First, no formal action need be taken. AUSTRAC may engage with the reporting entity on an informal basis to remedy the non-compliance.

75    Secondly, if there are reasonable grounds to think that there has been a contravention of an “infringement notice provision” (defined in s 184(1A)), the AUSTRAC CEO (or another authorised officer) can issue an infringement notice under s 184(1) requiring payment of a penalty.

76    Thirdly, the AUSTRAC CEO can give a remedial direction under s 191(2) of the AML/CTF Act if satisfied that a reporting entity has contravened, or is contravening, a civil penalty provision. The written direction requires the reporting entity to take specified action directed towards ensuring that the entity does not contravene the civil penalty provision, or is unlikely to contravene the civil penalty provision, in the future.

77    Fourthly, the AUSTRAC CEO can accept enforceable undertakings under s 197 of the AML/CTF Act to the effect that a person will take specified action or refrain from taking specified action in order to comply with the AML/CTF Act, Regulations, or AML/CTF Rules, or will take specified action directed towards ensuring that the person does not contravene, or is unlikely in the future to contravene, the AML/CTF Act, Regulations, or AML/CTF Rules. The breach of such an undertaking can result in proceedings being taken against the person for certain relief: see s 198.

78    Fifthly, if the AUSTRAC CEO has reasonable grounds to suspect that a reporting entity has contravened, is contravening, or is proposing to contravene the AML/CTF Act, Regulations, or AML/CTF Rules, a written notice can be given under s 162 of the AML/CTF Act requiring the reporting entity to appoint an external auditor to carry out an audit of, and report on, the reporting entity’s compliance with the AML/CTF Act, Regulations, or AML/CTF Rules.

79    Sixthly, the AUSTRAC CEO can commence proceedings under s 175 of the AML/CTF Act seeking a civil penalty order for the contravention of a civil penalty provision.

80    In its published Enforcement Strategy 2012 – 2014, AUSTRAC stated that it generally chooses to use a supervisory approach to secure reporting entity compliance before proceeding to “more formal enforcement activities”. AUSTRAC referred to its supervisory activities as having “three levels of intensity: (a) low intensity or “engagement” activities (such as by providing information and tools to enable reporting entities to comply with their obligations); (b) moderate intensity or “heightened” activities (such as behavioural assessments, desk reviews, and themed reviews directed at specific behaviours); and (c) high intensity or “escalated” activities (such as providing tailored on-site activities designed to have a direct impact on improving compliance outcomes).

81    AUSTRAC said:

While AUSTRAC prefers to engage and work cooperatively with reporting entities, where these activities do not result in improved compliance, matters are referred to AUSTRAC’s Enforcement team for consideration of enforcement action.

82    I observe that this statement implies that, certainly at that time, enforcement action would not necessarily ensue simply because a matter had been referred to AUSTRAC’s enforcement team. Moreover, enforcement action did not necessarily mean applying for a civil penalty order.

83    Before 3 August 2017, AUSTRAC had taken 33 enforcement actions. Only one was for a civil penalty order, namely the Tabcorp proceeding, which I discuss below. This action was taken in July 2015 with a civil penalty order for $45 million made by this Court on 16 March 2017. The rest of the enforcement actions involved remedial directions (four cases); the issuance of an infringement notice (four cases); the acceptance of enforceable undertakings (15 cases); and the appointment of an external auditor (nine cases).

The Bank’s dealings with AUSTRAC immediately before the relevant period

84    As at March 2012, the Bank’s dealings with AUSTRAC were managed through the Group’s AML/CTF Compliance Officer. In a briefing to the Bank’s Board on 13 March 2012, this relationship was described as “transparent and open” which had enabled the Bank and AUSTRAC “to work collaboratively through a number of AML/CTF issues”. The Bank and AUSTRAC met once a month to discuss improvements to the Bank’s AML/CTF Program, including quality assurance initiatives on transaction reporting, and progress on open audit items. AUSTRAC also audited the Bank annually.

85    On 16 July 2012, the Bank’s Risk Committee was informed that AUSTRAC had conducted its annual audit for 2012 of the Group’s AML/CTF Program and had verbally communicated that it had not identified any material issues with that program.

86    At a meeting on 28 June 2012, the Bank’s Group Head of AML/CTF and Sanctions, Mr Byrne was informed that AUSTRAC was looking to move to 18 month review periods for the Bank (whereas other banks would be getting three to four reviews per year).

87    AUSTRAC conducted a two-day onsite audit on 19 and 20 November 2013. A Senior Manager provided the Bank with a “high level debrief” during which the Bank was informed that AUSTRAC was “extremely pleased with the process, collaboration and availability of people and systems”. AUSTRAC had picked up some “minor errors” and “a few issues” but “nothing systemic” and “nothing serious”. It seems that AUSTRAC indicated that an initial draft of its report would be provided before Christmas 2013, with the Bank given a period of approximately one month to provide comments.

88    At what appears to have been a follow-up meeting on 19 February 2014, AUSTRAC explained that the language used in a letter accompanying its audit report may have come across in “somewhat a terse manner”. However, as understood by the Bank, AUSTRAC attributed this to the fact that “some institutions [had] not proved as collaborative as [the Bank] so AUSTRAC has ‘hardened’ its language in formal communications to all entities for consistency”.

89    These interactions support the proposition that, before the relevant period, the Bank enjoyed a collaborative, business-like relationship with AUSTRAC that appears to have been free of significant non-compliance issues.

90    Mr Narev gave evidence that, at a meeting with Mr Jevtovic (then the new AUSTRAC CEO) on 19 December 2014 (held in Mr Narev’s office), Mr Jevtovic told Mr Narev that there was a “strong relationship” between AUSTRAC and the Bank and that Mr Jevtovic had received “positive feedback” from his team about the Bank. According to Mr Narev, Mr Jevtovic told him that there had been some “minor issues” but these “had always been remedied quickly”.

The Bank’s IT environment, processes and procedures

91    It is appropriate at this stage to say something briefly about the Bank’s information technology (IT) environment.

92    At relevant times, the Bank operated an IT environment of scale and complexity, characterised by a large number of interconnected IT enterprise systems and a large number of internal IT and system support staff. Support was also provided by a large number of external service providers who provided services ranging from system development to day-to-day support.

93    Complex IT environments are prone to possible issues or errors during their life cycles. These issues or errors are driven by various factors. System interdependencies can be affected by upstream changes which can impact information flows and the downstream interpretation of data. Knowledge gaps can occur with system specific teams not having an holistic view of the enterprise architecture and structure. Issues and errors can arise from the requirement to support, update, or replace legacy systems. There may also be dependencies on external service providers, rather than internal staff members, to implement change appropriately.

94    As to complex systems within an IT environment, Mr Elliott and Mr Bell agreed that:

… a complex system within an IT environment … consists of a series of steps or events, perhaps with many inputs and outputs. Complex process steps often rely on previous steps to have completed in a specific order and with a specific result in order to determine the next step. Sometimes complex processes may have to deal with many external events, sometimes being introduced randomly.

95    I discuss in more detail below some of the Bank’s IT processes that are of particular relevance to this proceeding.

96    Mr Elliott and Mr Bell agreed that organisations such as the Bank, operating within a regulatory environment with compliance obligations, will often call upon numerous frameworks to help them achieve enterprise governance of IT. The Bank had various governance frameworks (broader than IT alone) to assist it in achieving its regulatory requirements and obligations. I have referred to some of them above (being those that are more relevant than others to the issues canvassed in this proceeding). As Mr Elliott and Mr Bell also recognised, the Bank’s approach to governance involved an internal audit and assurance capability. I will discuss the output of that capability in later sections of these reasons.

IDMs

97    IDMs are a type of automated teller machine (ATM) with additional functionality. They are part of the Bank’s NetBank platform. IDMs allow customers to deposit cash or cheques into their accounts without the need to enter the branch itself. Cash deposits are automatically counted and credited instantly to the nominated recipient account. This means that these funds are then immediately available for transfer to other domestic or international accounts.

98    During the relevant period, the Bank’s IDMs could accept up to 200 notes per deposit (i.e., up to $20,000 per cash transaction). The Bank did not limit the number of IDM transactions a customer could make each day. A card was required to activate and make a deposit through an IDM. The card could be issued by any financial institution, but the funds could only be deposited to one of the Bank’s account holders.

99    The IDM channel favours anonymity and there is no mechanism to identify the person who activates the machine and performs the transaction. IDMs can also be used to structure transactions in which large cash amounts can be deposited in smaller quantities. IDMs present a high inherent ML/TF risk. When challenged with the proposition that IDMs present a higher risk profile than ATMs, Mr Narev said that the risk with IDMs was different to the risk with ATMs which was worthy of, or required, separate consideration.

100    The Bank began rolling out its fleet of IDMs in around May 2012. At the commencement of the relevant period (16 June 2014), the Bank had 245 active IDMs and 3,147 active ATMs. At the end of the relevant period (3 August 2017), the Bank had 904 active IDMs and 2,522 active ATMs.

101    Before rolling out the IDMs in May 2012, the Bank did not conduct a formal risk assessment in relation to the designated services provided through this channel. The Bank accepts this fact, and also that such an assessment was not made before July 2015. It accepts that, by not conducting the required risk assessment before rolling out the IDMs, it failed to comply with its AML/CTF Program. I will refer to this as the IDM ML/TF risk assessment non-compliance issue.

102    This is not to say, however, that the Bank did not have regard to AML/CTF risks in respect of IDMs at the time they were rolled out. In a business requirements document, the Bank considered the need to report threshold transactions to the AUSTRAC CEO and the means by which this would be done through IDMs. TTR reporting and transaction monitoring were considered to be mandatory requirements as part of the IDM roll out project, and TTR reporting functionality was built and linked to IDMs. IDM deposits were also linked to automated transaction monitoring rules that targeted certain practices.

103    The Bank also gave specific consideration as to whether to impose limits of less than $10,000 on the amount of cash deposits that could be made through IDMs, but decided against this on the basis that, by doing so, the Bank might encourage “structuring activity”.

104    The Bank completed its first formal risk assessment of IDMs on 14 July 2015. This assessment was carried out following inquiries from “law enforcement agencies”, not AUSTRAC. Following that assessment, the IDMs were rated as “high risk”. However, transaction monitoring was in place and, based on its performance as at 28 July 2015, was considered (by the Bank) to be “working well”. No further controls were envisaged as necessary at that time. A further risk assessment was carried out in July 2016.

The Bank’s TTR processes

105    As I have noted, a “threshold transaction” is a transaction with a cash component of not less than $10,000 in respect of which the Bank is required to submit a TTR to the AUSTRAC CEO.

106    During the relevant period, there were two main ways in which a threshold transaction could occur at the Bank. First, by cash deposit or cash withdrawal at one of the Bank’s branches through its “over-the-counter” system. Secondly, by cash deposit into an IDM.

107    Data with respect to a threshold transaction “flowed” from the relevant “input” through various systems within the Bank before a TTR was submitted to the AUSTRAC CEO. These “flows” involved real-time data flows (i.e., data which flowed almost instantaneously) and batch data flows (i.e., data which flowed periodically and which, typically, included data about batches of multiple transactions).

108    The Group Data Warehouse (GDW) was one of the systems within the Bank involved in the TTR process. It stored data relating to the Bank’s customers, their accounts, and their transactions. As its name suggests, it was the largest system within the Bank, storing current and historical data for millions of customers in relation to a range of products across the Bank.

109    The systems used in the TTR process connected with other systems across the Bank, such as the Bank’s financial crimes systems. These systems included the Financial Crime Platform (FCP) (described in more detail below at [144] – [154]) and Real Time Transaction Monitoring (RTTM). The FCP was used for functions such as sanctions screening, account monitoring, and fraud monitoring. RTTM monitored for fraud in real-time. Its functions included payment and card screening, such as to detect a fraudulent transaction on a customer’s credit card. Because of the sensitivity of their functions, access to these systems and their data was restricted to a limited number of the Bank’s personnel.

110    The TTR process did not involve data flowing directly to AUSTRAC. Rather, there were a number of intermediate systems which involved a combination of real-time and periodic batch data flows. This meant that there was not a single, uniform TTR process which applied to all transactions. There were separate TTR processes depending on the input used and the nature of the transaction. Further, not all transactions processed through an IDM or “over-the-counter” involved threshold transactions.

111    The Bank used transactional data, including about threshold transactions, for a multitude of purposes in addition to threshold transaction reporting, such as:

(a)    crediting and debiting customer accounts to reflect the transaction;

(b)    monitoring transactions for fraud and anti-money laundering (AML) purposes as part of the Bank conducting its own monitoring of transactions for suspicious matters; and

(c)    customer reporting, customer support, and suggesting ways to improve customers’ financial well-being.

112    Therefore, many of the intermediate systems used as part of the Bank’s TTR processes also formed part of other processes within the Bank. This meant that common systems contained data which was unrelated to TTRs. In addition to TTR data flows, data from these common systems was exported to other intermediate systems across the Bank which were wholly unrelated to TTRs. Thus, there was a “web” of data flows. TTR processes were just one component of these flows.

113    Data was not stored in a uniform format in all systems. As data flowed downstream, it was filtered and re-formatted as necessary before being sent to the next system. As a result, whilst some irrelevant data flowed downstream, not all data compiled about a transaction at the input stage flowed downstream to the various intermediate systems involved in the Bank’s TTR processes. As data did not necessarily remain in the same format from system to system, comparing data at the start of the process with data at the end of the process was not a “one-for-one” comparison.

114    Further, the timing of data flows differed according to the type of transaction. Deposits were processed differently depending on whether they related to a debit account or a credit account. In the case of a debit account, the deposit was credited to the relevant account in real-time. In the case of a credit account, the deposit typically settled the following business day. There was, therefore, a lag between the time of the transaction and the time at which the data hit the GDW. This impacted the timing of submitting a TTR to AUSTRAC because the TTR was only generated once the deposit settled, which, in the case of a transaction on a credit account, could be days later (depending on when the transaction occurred and when the settlement occurred).

115    Deposits in IDMs involved other complexities, such as where cash was not removed from a component of the IDM within the “timeout period” (for example, when the deposited cash was held together by a clip or a rubber band). This led to a “failed” transaction in which the cash was directed to a “retract canister” within the IDM. When this happened, the cash “deposited” was not identified and counted for the purposes of the Bank’s automated systems. Such transactions were identified by a customer reporting the failed transaction in a Branch or by the staff within the Branch (in which the IDM was located) identifying the failed transaction from the IDM’s end of day balance. The process of identifying the failed transaction could be complicated because the retract canister could contain other cash. In order to process a failed transaction, Branch staff typically pay the relevant funds to the customer through an electronic funds transfer, which was not processed as an IDM transaction.

116    Of central importance to the present case is an issue concerning the late reporting to the AUSTRAC CEO of threshold transactions through IDMs. When the IDMs were introduced, the Bank’s processes relied on two transaction codes to generate TTRs (codes 5022 and 4013). However, in November 2012, the Bank introduced an additional transaction code (code 5000) for a sub-set of IDM transactions to clarify a deposit message that was visible to customers via the NetBank platform. The new transaction code fixed the message problem, but it was not factored into the downstream process by which threshold transactions were identified for reporting. In short, a “flag” in the system for TTR reporting was missing.

117    This problem was not discovered, and its implications brought home to officers of the Bank, until much later. It is certainly the case, however, that, much earlier in 2013, a potential problem, with an association with code 5000, was identified by the Bank’s staff, but regrettably not fully investigated and rectified. It is necessary to turn, now, to the circumstances in which this occurred.

Enquiries in 2013

118    On 29 August 2013, a Compliance Executive employed by the Bank in the AML Sanction section of Risk Management in Retail Banking Services (RBS), Mr Kalra, sent an email to employees responsible for the GDW seeking confirmation that TTRs were being lodged for cash deposits made through IDMs. The evidence does not suggest that this original inquiry was connected with transaction code 5000. Indeed, the applicants’ expert, Mr Elliott, made it clear that “this internal issue was not specifically related to transaction code 5000”.

119    On the same day, a Senior Technical Business Analyst, Mr Ashdown (who had done work on extracting TTRs from the GDW), responded to this inquiry by confirming that cash deposits through IDMs were included in TTRs. However, Mr Ashdown raised a concern about whether the cash component of “mixed deposits” (i.e., deposits involving cash and cheques), where the cash component was a threshold amount ($10,000 or more), was being reported. The reason for raising this appears to have been Mr Ashdown’s understanding that, during his involvement in working on the “TTR extract”, IDMs “couldn’t do mixed deposits”. He did not know “if the functionality was ever developed”.

120    This information prompted Mr Kalra to request that an investigation be conducted:

…

It has come to my attention that Threshold Transaction Reports (TTR) may not be getting lodged for mixed deposits (cash + cheque) made via the Intelligent Deposit Machines (aka IDA or IDM). [I’m assuming the IDM’s would sit under the D&T world.]

As per below email from the Group Data Warehouse (GDW) team, they have confirmed that if cash deposits of $10k or more are accompanied with a cheque deposit, no TTR is lodged for the cash component.

Regulatory requirement is that any transactions in physical currency of $10k or more are supposed to be lodged as a TTR to AUSTRAC. Therefore if what the GWD team is saying is correct, then there may have been some breaches.

Can I please request you to check this process and confirm?

…

121    Later, on 3 September 2013, Mr Kalra raised a further query—whether cash deposits in IDMs using an OFI (Other Financial Institution) card were being reported.

122    The context for each of Mr Kalra’s queries was an upcoming on-site audit by AUSTRAC.

123    A Service Manager in Retail & Business Banking Enterprise Services, Mr Wright, provided a response to Mr Kalra on 4 September 2013. In relation to the question whether there were “(a)ny cash deposits for which TTRs are not currently reported?”, Mr Wright responded:

Would appear yes based on this issue being raised.

124    Properly considered, this answer does not evidence Mr Wright’s knowledge, or indeed any other employee’s knowledge, that these cash transactions were not being reported. Indeed, it was not a substantive answer to Mr Kalra’s question. Self-evidently, Mr Wright’s answer was no more than the unhelpful comment that, because a query had been raised by Mr Kalra, it “appeared” that there were cash deposits for which TTRs were not being given.

125    It is clear that, at this time, two issues had been raised: whether (a) the cash component of a “mixed deposit” and whether (b) cash deposited using an OFI card (in each case, using an IDM to deposit a threshold amount), were being reported.

126    On about 12 September 2013, Mr Kalra escalated these matters to Ms Ishlove-Morris (the Executive Manager AML/CTF & Sanctions, Group Operational Risk & Compliance, Risk Management) and Mr Byrne. In doing so, he informed Ms Ishlove-Morris and Mr Byrne that “(t)he business is checking to confirm whether or not this is actually an issue or not”.

127    There are emails in evidence whose language can be interpreted as stating that, at this time, TTRs were not being provided when they should have been. However, when these emails are read in the context of accompanying emails, it is tolerably clear that Mr Kalra was raising a potential problem and escalating it to those who had an interest in knowing whether there was an actual problem, as Mr Kalra’s email to Ms Ishlove-Morris and Mr Byrne makes clear.

128    On 19 September 2013, Mr Kalra was informed by Mr Razdan, a Project Manager in Retail Banking Enterprise Services that, in fact, cash deposits using an OFI card were being reported.

129    Separately, on the same day, Mr Ashdown informed Mr Kalra that “the TTR report is reporting the Mixed Deposits”. In somewhat chastising language, Mr Kalra responded:

Mark – I thought you’d initially mentioned that for mixed deposits, TTR’s weren’t being generated even for the cash component and that’s why I escalated this issue to the business. Can you please double check again and confirm once and for all?

130    Later that day, Mr Ashdown replied:

I didn’t know whether they were being reported – that was the issue.

I can confirm they are being reported …

131    Having escalated the matter to Ms Ishlove-Morris and Mr Byrne, Mr Kalra then sent an email to Ms Ishlove-Morris on 19 September 2013, stating:

After email chains floating around the world, GDW team have come back and confirmed that TTR’s are being reported for all relevant cash deposits (whether mixed or individual) and there’s no issue.

So we don’t need to report anything to AUSTRAC.

132    Ms Ishlove-Morris then forwarded Mr Kalra’s email to Mr Byrne.

133    It is appropriate to record at this juncture that there is no evidence before the Court as to AUSTRAC’s on-site audit which Mr Kalra had mentioned in his emails. It is not disputed that, at this time, AUSTRAC had not detected any problems with the Bank’s TTR reporting in respect of cash deposits made through IDMs.

134    On 20 September 2013, employees of the Bank identified two OFI card cash deposits for investigation. One deposit was for $10,000; the other was for $10,500. Details of these transactions found their way to Mr Ashdown on 8 October 2013.

135    On 10 October 2013, Mr Ashdown advised that the two transactions had not been reported in TTRs. Mr Ashdown sought further information. Later that day, Mr Ashdown advised that the two transactions had been processed with transaction code 5000 and that “we only pick up Transaction types (cash and mixed deposits)”. In this regard, Mr Ashdown said that there were only two transactions to be considered—those under code 4013 for cheque and mixed deposits to savings accounts, cheque accounts and credit accounts, and those under code 5022 for cash deposits to savings accounts, cheque accounts, and credit accounts.

136    On 11 October 2013, Mr Ashdown was asked to “summarise … if there is an issue, and if there is – what exactly is it and who should be … the owner?”. On 14 October 2013, Mr Ashdown provided the following “summary”:

…

Kote sent me 2 transactions (cash deposits on OFI cards) to check if they had been picked up by TTR.

These transactions (with transaction code 5000) are not being identified as cash transactions by TTR and were not reported.

Kote reported that transaction code 5000 is not on the transaction range for IDA cash transactions. TTR is performing as expected.

However, these 2 transactions are the one identified by Kote as being cash transactions on OFI cards, which would indicate to me that there is possibly a problem.

My understanding of the actions are:

-    Refresh Team Confirm whether the tran code on the transactions is correct and therefore the transaction is not a cash transaction.

-    If not a cash transaction, Refresh Team need to provide new examples of cash transactions on the OFI cards for me to investigate.

-    If it is a cash transaction, Refresh team need to look into why the transactions have the wrong code.

-    If Tran code 5000 should be included as a cash deposit, then that’s a bigger issue. We’ll need to discuss how to resolve this,

…

137    It is apparent from this response that the possibilities exercising Mr Ashdown’s mind were that: (a) the two transactions were not, in fact, cash transactions; (b) if they were cash transactions, it was possible that the wrong transaction code had been used; and (c) if the transactions were cash transactions and the correct transaction code had been used and transaction code 5000 should have been on the transaction range for IDMs, then there was “a bigger issue”. However, Mr Ashdown’s advice was that “TTR is performing as expected”.

138    Further email correspondence shows that, as at 24 October 2013, the view was taken that “TTR is working as expected” and that “any potential issues with OFI transactions are at the source system level”. The matter appears to have been left with those who were responsible for advancing that matter at that level, but nothing happened.

139    With hindsight, the ramifications of that inaction can be readily appreciated. I accept the Bank’s submission, however, that, as at 24 October 2013, no-one in the Bank had identified that transactions which should have been flowing through to TTR reporting were not flowing through and being reported to AUSTRAC. While, initially, questions had been raised about TTR reporting in respect of “mixed deposits” and cash deposits using an OFI card, the Bank’s employees had determined that these transactions were being reported. While, later, two other OFI card transactions had been identified for investigation, it was queried whether the transactions had been correctly coded and whether they were even cash transactions. Although the possibility of a “bigger issue” had also been flagged, no further investigation was undertaken, and the facts were not known as to whether there was a “bigger issue”.

140    The evidence does not elaborate on why, at that time, further investigation of the two OFI card transactions was not undertaken. With hindsight, there should have been further investigation to elucidate whether there was a “bigger issue”. Had there been further investigation, it is likely that the general problem associated with cash deposits processed under code 5000 would have come to light. The applicants’ disclosure case, however, is concerned with the information that officers of the Bank had, or ought reasonably to have had. The employees with knowledge of the matters in 2013 that I have described, were many levels below “officer” level, and none had identified a general and significant problem with deposits processed through IDMs under transaction code 5000.

141    The next relevant event is that, on 11 August 2015 (some 22 months later), AUSTRAC asked the Bank to locate TTRs relating to “two ATM deposits” (these are not the two deposits considered in October 2013). The Bank could not locate these reports. It realised that they had not been made. On investigation, it was found that the deposits were processed under code 5000, but that code 5000 had not been linked to TTR reporting, as it should have been. It was then found that this resulted in the non-reporting of 51,637 threshold transactions from November 2012 to 18 August 2015. The number of affected transactions represented approximately 2.3% of the overall volume of TTRs provided by the Bank over the same period.

142    On 8 September 2015, the Bank notified AUSTRAC about the issue. By 24 September 2015, the outstanding TTRs had been lodged. In the meantime, the Bank continued to report threshold transactions identified by the two original codes.

143    I will refer to this as the late TTR issue. I provide further details in relation to this issue at [250] – [269] below.

The Bank’s Financial Crimes Platform

144    The FCP contained data about the Bank’s customers, accounts and transactions, which were sourced from different upstream systems. The platform was used by the Bank to undertake various functions, including:

(a)    certain kinds of fraud detection, in particular internal fraud by the Bank’s employees, cheque fraud, and application fraud;

(b)    automated politically exposed person and sanctions customer screening; and

(c)    automated transaction monitoring for AML/CTF purposes

145    The platform was not used by the Bank to undertake “know your customer” (KYC) procedures, suspicious matter reporting, threshold transaction reporting, sanctions payment screening, or manual politically exposed person screening.

146    There were three main ways in which data entered the FCP. The first was from the GDW, discussed above. The second was from the Bank’s Operational Data Store which contained data from SAP (the Bank’s core banking platform) and the Payments Journal (which recorded payments processed by the Bank). The third was direct data flow (i.e., data not stored in, and then extracted from, an intermediate system such as the GDW).

147    As with the flow of data into the GDW, data flowing into the FCP needed to be “normalised”— in other words, reorganised and transformed into a standardised format that was compatible with the platform.

148    Data was stored in the FCP in a series of “tables”. These tables were separated into various topics, such as whether the data were customer data or account data. Each table was divided into fields (or columns) populated by the data relevant to that table. There were several hundred data fields across the various tables in the FCP which, depending on their content, could be relevant to some combination of automated transaction monitoring, fraud monitoring, or politically exposed person and sanctions screening.

149    Not all data which ultimately flowed into the FCP was ultimately relevant to its automated transaction monitoring functions. For example, some of the data flowing into the FCP was only relevant to its fraud monitoring and sanctions customer screening functions.

150    In the case of automated transaction monitoring, the FCP ran a series of transaction monitoring “rules”. These rules concerned data in respect of the Bank’s transaction accounts, such as savings, cheque, personal, and business lending accounts. Not all rules applied to every account.

151    The automated transaction monitoring rules operated as filters to identify transactions or activities that were potentially suspicious and which warranted further investigation. These rules could be complex, with many different parameters.

152    There were two categories of automated transaction monitoring rules within the FCP:

(a)    customer level rules, which sought to identify particular transactions or activity across accounts held by a single customer; and

(b)    account level rules, which sought to identify particular transactions or activity on distinct accounts (these rules were only concerned with the behaviour of specific accounts, not the customer’s behaviour more broadly, which was considered by the customer level rules).

153    The automated transaction monitoring rules could, but did not always, apply differently depending on whether an individual or a company was involved. For example, the rules might apply differently to a small business which could be expected to have a high volume of cash transactions, compared with a typical individual customer. How these rules applied depended on whether the rule was an account level rule or a customer level rule. For account level rules, an individual account was usually flagged as either “Personal” or “Commercial” in a field called “ACCOUNT_TYPE_DESC”. For customer level rules, the customer was usually flagged as either a “Person” or an “Organisation” in a field in a different table called “PARTY_TYPE_DESC”.

154    Where particular transactions or activities were caught by these rules, the FCP automatically generated “alerts”, which flagged the relevant transaction or activity for review. The alerts were transmitted into a separate case management tool, called Pegasus. Pegasus was accessed by a separate team within the Bank which sat within the Group Security division, which was responsible for reviewing and investigating the alerts for the purpose of determining whether there was information that needed to be submitted to AUSTRAC as part of an SMR.

155    In 2012, the Bank commenced an internal project known as Project Juno. This project related to enhancing the Bank’s ability to monitor and detect potential instances of internal fraud. It was not focused on the Bank’s AML/CTF systems, although it did impact on the FCP because the FCP was used for both fraud monitoring and automated transaction monitoring.

156    One aspect of Project Juno involved integrating a new process called the “Associate Web” into the FCP. The Associate Web sourced data from the GDW and the FCP to identify potential linkages between the Bank’s staff and their customer profiles, the accounts they held, and any accounts that were related to them. For example, the Associate Web identified accounts that were registered with the same address or telephone number as a Bank staff member, or where an account was shared by a Bank staff member. This data was then used to populate a field in the FCP which flagged whether an account was “employee-related” or not. The rules in the FCP could then automatically run internal fraud monitoring rules to identify instances where Bank employees had initiated transactions involving accounts that had been identified as “related” to them.

157    Another important issue in the present case concerns an error that arose from updating account profiles in the FCP with data from the Associate Web. In that process, the ACCOUNT_TYPE_DESC field for some accounts was populated with a null value (i.e., it was left blank). Over time, this caused the ACCOUNT_TYPE_DESC field in the FCP to be left blank, for a period, for certain “employee related” account profiles (i.e., accounts that were intended to be flagged as accounts belonging to a Bank employee or related to a Bank employee). This occurred even though the process of integrating data from the Associate Web with the FCP was not intended to make any changes to the ACCOUNT_TYPE_DESC field. The consequence was that the automated transaction monitoring rules that depended on this field being populated did not operate for so long as the field was not populated. In short, some account monitoring did not occur in respect of some “employee related” accounts. Not all “employee-related” accounts were affected and the accounts that were affected were still monitored for financial crime screening (they were monitored against sanctions, politically exposed persons, and terrorists lists). Further, only some of the affected accounts were not subject to customer level transaction monitoring in the FCP.

158    This problem was identified by a Bank employee, Mr Dhankhar (who was engaged in Financial Crime Analytics) in the course of developing rules for the FCP in mid-June 2014. On 17 June 2014, Mr Dhankhar circulated an email in which he identified seven issues with FCP data, one of which concerned the ACCOUNT_TYPE_DESC field. This was given the incident number IM0809261. By late August 2014, this issue (amongst other issues) was recorded in RiskInSite as “Medium Impact”.

159    On about 18 September 2014, the FCP was updated with a change that resolved the error so that, on updating the account profile, the ACCOUNT_TYPE_DESC field was updated with the relevant data as part of a “self-correct” process, and not left blank. Implementation of the Bank’s usual data updating processes resulted in approximately 75% of the affected accounts (being active accounts) self-correcting by 30 November 2015. A manual update of the ACCOUNT_TYPE_DESC field in respect of inactive affected accounts (approximately 25% of the affected accounts) was completed by 27 September 2016.

160    In total, 778,370 accounts were affected in the period 20 October 2012 to 30 November 2015. The accounts were affected over varying time periods. For example, some accounts (54,357 accounts) were affected for a period of less than one month (for example, the period could have been one day); some accounts (73,716 accounts) were affected for a period of between 25 to 36 months. However, as I have noted, a significant percentage of accounts (representing, in number 195,000 accounts) were not active accounts.

161    I will refer to this as the account monitoring failure issue.

Audits

Preliminary observations

162    The applicants have directed much attention to various audits that were conducted in relation to the Bank both internally and externally. Although these audits provide background material in relation to the state of the Bank’s management of regulatory risk over time, they should not distract attention from the case that the applicants have specifically pleaded against the Bank in relation to the non-disclosure of market sensitive information and related misleading or deceptive conduct.

163    One purpose of the applicants’ reliance on this material is to match the reported findings in that material, as objectively and contemporaneously expressed, against the evidence in chief given, mainly, by Mr Narev and Mr Apte respectively, particularly in relation to their individual understandings of the extent of the Bank’s shortcomings with respect to AML/CTF compliance issues. The applicants advance numerous submissions to the effect that either or both of these witnesses, in various ways, had, for example, sought to minimise the seriousness of certain findings that were made, or had an incomplete understanding of significant regulatory issues, or had made incorrect assessments of the risk to which the Bank’s AML/CTF environment had exposed it in the lead up to the late TTR issue, or had exhibited misplaced confidence in certain audit findings. These submissions were directed to qualifying each witness’s evidence in chief and to urge the Court to disregard each witness’s own assessment of the materiality of the information with which he had been provided.

164    To the extent that these matters are relevant to the case at hand, I have taken these submissions into account in my assessment of Mr Narev’s and Mr Apte’s evidence. I accept that an appreciation of Mr Narev’s and Mr Apte’s subjective thoughts and reactions, as recorded in their affidavits, must have regard to the contemporaneous documentary record, as well as the matters elicited from them in cross-examination. However, I have not found it necessary to discuss, in these reasons, each and every submission that the applicants make in relation to the significance I should attribute to Mr Narev’s and Mr Apte’s evidence. I have only explicitly addressed the applicants’ submissions where I consider it important to do so.

Internal audits

165    The Bank has, and at all times relevant to this proceeding had, a group audit and assurance team (Group Audit) headed by a Group Auditor (whose title within the Bank was Executive General Manager of Group Audit and Assurance). At the times relevant to these proceedings, this team comprised around 100 people in Sydney (who undertook audits across the Group) and around 25 people in Perth (who undertook audits specific to the Bank’s Bankwest division).

166    Mr Worthington, who was the Group Auditor in the period July 2010 to 31 March 2019, described Group Audit’s role as follows:

18.    During my time as Group Auditor, Group Audit’s role was to assess risks and internal controls across the Group, provide independent assurance about those controls to senior management and the CBA Board Audit Committee (Audit Committee), assess the effectiveness of risk management across the business, provide recommendations as to how to improve CBA’s control environment, and periodically audit and validate the resolution of “Very High” and “High” rated audit issues. As it had an independent assurance function, Group Audit was not involved in making management decisions for the Group.

167    Mr Worthington’s evidence was that, in any given year, Group Audit performed around 200 to 250 audits of which around 50 were Bank branch audits, with the remainder generally focused on systems or products. These audits were conducted according to an Annual Audit Plan which was overseen by the Group Auditor.

168    Mr Worthington described the process for conducting Group-wide internal audits in the following terms:

37.     When Group Audit carried out an audit of an issue at a Group-wide level, the practice that was followed by Group Audit was:

(a)     conducting planning to determine the scope, key risks and timeframes for completing the audit;

(b)     undertaking any required field testing and conducting an assessment of the systems, processes and key risk areas falling within the scope of the audit;

(c)     issuing draft reports and issues logs to the relevant Group Executives, Executive General Managers, General Managers and Executive Managers (in some cases) within the relevant BUs for discussion. At this point, any feedback from such persons was sought;

(d)     finalising and issuing the final report to the same executives as identified above, the Accountable Executive (being a person nominated to be the key contact within the relevant BU or Group function for the purposes of the audit), selected line management and other persons within CBA; and

(e)     reporting and discussing the findings of the audits with the relevant executives, and separately with the Chair of the Audit Committee.

38.     The issues logs were records of issues identified through the audit process. The    preparation of an issues log involved my team working with the part of the business which    had been audited to determine the appropriate action items to be undertaken in order to address audit findings, the “issue owner” for those action items, and a timeframe for their completion. The business formulated draft action items and due dates in response to the audit findings, and the role of my team was to review the proposed action items and due dates before they were finalised to ensure they were a reasonable response to the audit findings. The audit findings, action items and due dates were then incorporated into the issues log, and signed off by my direct reports. On occasions I became involved if the business and my audit team were unable to agree on appropriate action items, although this was rare. My general observation was that Group Audit was given a lot of respect by the business, and if Group Audit identified an issue, the business usually identified an appropriate action to address it. If the “issue owner” and audit team agreed with an action item and the due date, the “Issue Status” was recorded as “Agreed” in the issues log. This engagement with the business meant that in practice, by the time that the audit report and issues log were finalised, key personnel within each BU were already apprised of the matters that had been identified through the audit process as relevant to them and the action items required to address those matters, and had usually indicated acceptance of the action item and the timeframe stipulated to complete it.

39.     Each audit report provided an overall rating, as well as separate ratings for the “controls environment” and for “management awareness and actions. The available ratings were “Satisfactory” (green), “Marginal” (amber) or “Unsatisfactory” (red). The criteria for these ratings were set out as an appendix to the accompanying audit report and, to the best of my recollection, remained broadly consistent throughout the Relevant Period.

40.     Given the volume of audits undertaken by Group Audit each year, it was not practical for me to be involved in each audit. My primary focus was on audits with either an “Unsatisfactory” or “Marginal” rating. For these audits, my role was to engage with the members of my team responsible for conducting the audit, review and provide feedback on a draft audit report prior to it being issued, and communicate the final audit report findings to senior personnel within CBA including Mr Long, the Audit Committee, Mr Narev, and other relevant Group Executives. As part of this, prior to the audit report being finalised, it was my practice to consider the overall ratings being proposed and whether I agreed with them, and ensure that I understood the key findings and themes to be communicated to the business.

169    I now turn to a number of internal and external audit reports on which the applicants rely.

Transaction Monitoring Program Review Final Report 2011

170    PricewaterhouseCoopers (PwC) was engaged by the Bank to conduct an independent review of the Bank’s TMP in relation to the Bank’s compliance with its AML/CTF regulatory obligations. In a report dated 25 February 2011 (the TMP review report), PwC identified “gaps” in the course of its review which appeared to be related to “the migration of data to new systems where some data failed to transfer as part of updated TMP automated processes”. PwC noted that the Bank was aware of the gaps and had implemented interim measures to cover these gaps.

171    In the TMP review report, PwC made the following key observations:

From our observations and testing of the different parts of the TMP, including automated, semi-automated and manual processes, we found a complex monitoring system, with multiple data flows and pathways. Furthermore, the various monitoring pathways are used to monitor different products within and across the three business units under review; and different monitoring pathways utilise different rules, processes, and systems.

We noted that there are currently no reconciliations undertaken of data extracted (including volumes) from source systems to the TMP and between stages of the TMP. We understand this is not a simple reconciliation as in some case it involves sophisticated and complex transition and analysis of data between stages and systems within the TMP. Therefore, without such reconciliations being undertaken over time, it is not possible to determine that all data that should have entered the TMP has done so and has subsequently been processed as expected. We also note that the scope of our testing did not cover what occurred prior to data being provided from the source systems and thus we were not able to determine that all transactional activity with customers is recorded in the relevant source systems for TMP purposes.

Our recommendations cover further review for TMP upgrades and with respect to reconciliations. If interim arrangements or upgrades are not reviewed there is the risk that systemic failure in the monitoring processes could exist and not be identified immediately. Failure to undertake reconciliations from source systems through the monitoring processes means there is a risk that the TMP could contain incomplete data.

We observed that different teams are involved in the many elements of the program. Therefore there is not in all cases a clear understanding of the end to end processes involved across all pathways although within individual stages of the TMP, the teams involved have more detailed knowledge. The lack of a documented, up to date, end to end process with clear accountabilities over time adds to the risk that gaps in the TMP may not be identified quickly in the future.

In addition, within specific monitoring pathways there are variable levels of knowledge, documentation, and responsibilities in relation to different elements of the process. The key impact of the varying levels of knowledge and responsibilities is that accountabilities are not always clear, as different teams are responsible for often separate and discrete parts of the process. Changes that are made to the TMP by different teams are not always documented, which makes it difficult to track decisions, and changes to different teams are not always documented, which makes it difficult to track decisions, and changes to the process over time. Due to the separate accountabilities for different stages of the monitoring pathways, issues have arisen around changes to the process (including system upgrades and technological changes) that were not always made in consultation with all potentially impacted stakeholders. Clear accountabilities are also a key aspect to the success of the TMP.

172    Notwithstanding these observations, PwC expressed the overall view that the Bank had “a well developed and in many cases sophisticated TMP compared to other Australian financial institutions”.

173    In their Joint Report, Mr Elliott and Mr Bell noted that, in various sections of the TMP review report, PwC highlighted the complexities of the Bank’s TMP, but did not identify any immediate, specific recommendations for the Bank to review its account monitoring process.

The Bank’s Internal Audit Report 2013

174    On 16 December 2013, Group Audit delivered a report on “Group-wide Anti-Money Laundering/Counter Terrorism Financing” (the 2013 audit report). The 2013 audit report gave an overall “red” rating based on “unsatisfactory” ratings for “Control Environment” and “Management Awareness & Actions”. In relation to “Control Environment”, this meant:

Controls are not appropriate for the risks being managed. There are a significant number of issues that require immediate attention.

175    In relation to “Management Awareness & Actions” this meant:

Management has a poor understanding of the risks and controls relevant to their business, and/or were not performing testing of the controls to asses their operating effectiveness.

Alternatively, management were not aware of the material issues and/or were not taking appropriate and timely action to resolve and escalate.

176    Group Audit expressed the opinion that:

A consolidated view of AML/CTF risk and the effectiveness of the controls over AML/CTF risk across CBA has not been established due to the current inconsistent use of RiskInSite.

177    The Issues Log noted that the RiskInSight functionality was not currently being used to provide an overview of AML/CTF compliance across the Group, with the implication that: (a) there was an “(i)nability to monitor and track key risks and issues to obtain a holistic view of the level of AML compliance”; and (b) “(k)nown risks and issues are not being properly managed and monitored”.

178    The Issues Log also noted that Group Operational Risk & Compliance (GORC) was aware that inadequate monitoring and assurance was being performed by Business Unit AML and Compliance teams.

179    Based on the fact that, in cross-examination, Mr Narev could not recall asking for, or being provided with, a copy of the 2013 audit report (although he had received a number of other reports, and attended meetings with Mr Worthington, leading up to the 2013 audit report), the applicants advance a number of submissions.

180    First, the applicants submit that Mr Narev did not have a proper understanding of the “severe deficiencies in [the Bank’s] AML/CTF compliance”, including deficiencies that, in the applicants’ submission, “caused the TTR issue not to be escalated and remediated in October 2013”.

181    Secondly, the applicants submit that this lack of understanding contributed to a failure by Mr Narev to properly assess the materiality of the late TTR issue after he was informed of it which, in his affidavit, Mr Narev described as “a single event resulting from an unintended software glitch”.

182    There are a number of things to be said in response to these submissions.

183    First, I do not accept that Mr Narev did not have an understanding of the deficiencies identified in the 2013 audit report that was sufficient and appropriate for his role as the Managing Director and CEO of the Bank.

184    Secondly, I am not persuaded that it can be said that the deficiencies identified in the 2013 audit report “caused the TTR issue not to be escalated and remediated in October 2013”. Absent explanation, the fact that the potential problem with code 5000 was not fully investigated and rectified in 2013 does not, perhaps, speak well of the Bank’s staff. I do not accept, however, that that failure can be rationalised as having been “caused” by the deficiencies that were identified. Moreover, as I have recorded, Mr Kalra did, in fact, promptly escalate the issue with the two deposit transactions he had raised. However, he later “de-escalated” the issue after being told that there was no problem and that TTR was performing as expected.

185    Thirdly, I do not accept that Mr Narev failed to properly assess the materiality of the late TTR issue or that his description of that issue as “a single event resulting from an unintended software glitch” evidences such a failure. I do not think that, by that description, Mr Narev was endeavouring to trivialise the late TTR issue. Rather, he was doing no more than characterising the reason for the failure to report, whose cause was not multifactorial but sourced in the fact that, inadvertently (but no less seriously), a single code had not been implemented when it should have been.

186    The applicants also advance a number of submissions in respect of Mr Apte’s evidence. The substance and effect of those submissions is that Mr Apte did not have a proper understanding of the 2013 audit report, whose findings he sought to minimise by saying that it had “flagged some issues to be addressed”.

187    I do not accept those submissions. Mr Apte was appointed to the Bank’s Board as a non-executive director with effect from 10 June 2014, after the 2013 audit report had been given. The evidence on which the applicants rely was given by Mr Apte in the context of him explaining that the first formal meetings he attended as a non-executive director were meetings of the Audit Committee and Risk Committee on the very date of his appointment. At the Audit Committee meeting, Mr Worthington presented the Annual Audit Plan for 2015. Mr Apte said that he learned from that presentation that a Group-wide AML/CTF audit had been completed in late 2013 and that it had “flagged some issues to be addressed”. I do not think that describing the outcome of the audit in these cursory terms, in the narrative of the events given by Mr Apte, portrays that Mr Apte was seeking to minimise the findings of the 2013 audit report.

188    The applicants also advance a submission that seeks to ally a contention that Mr Apte’s understanding of regulatory reports was based on “high-level updates”, with a contention that Mr Apte had an “incomplete understanding of the deficiencies in [the Bank’s] AML/CTF compliance landscape”. The applicants submit that these matters undermine “the veracity of [Mr Apte’s] assessment of the materiality” of the late TTR issue. To support this submission, the applicants draw attention to Mr Apte’s reference, in his evidence in chief, to the late TTR issue being flagged with AUSTRAC as a “coding error”.

189    I do not accept this submission. First, I do not accept that Mr Apte’s reference to the late TTR issue being flagged with AUSTRAC as a “coding error” signifies that, somehow, Mr Apte dismissed the importance of that issue. It is appropriate to describe the late TTR issue as one arising from a “coding error”.

190    Secondly, and perhaps more importantly, I am not persuaded that Mr Apte had an “incomplete understanding of the deficiencies in [the Bank’s] AML/CTF compliance landscape”. Whilst, in his affidavit, Mr Apte gives evidence about receiving regulatory reports touching on ML/TF risk management considerations, these are not the only reports Mr Apte referred to when discussing the key mechanisms used by the Bank’s Board to assess ML/TF risks and compliance. In Section E of his affidavit, Mr Apte identified and discussed a large range of reports and other information sources. This is reflected in the following overview given by Mr Apte, on which he expanded in subsequent paragraphs of his affidavit:

125.     Over the Period, there were several mechanisms by which I, as a Board member, (directly or through the Audit and Risk Committees) developed an understanding of the level of the Group’s non-financial risk, how it was performing from a compliance perspective and the effectiveness of its AML/CTF policies, processes, systems and controls. I summarise these mechanisms below.

126.     As a member of the Board and Risk Committee, it was the practice that I received regular written reports and oral presentations on non-financial risk and compliance including:

(a)     formal scheduled updates on risk management considerations (including on AML/CTF specific matters), through the routine provision of a CRO Report to the Risk Committee;

(b)     formal scheduled updates on regulatory risks, issues, engagements and developments, such as through the routine provision of a regulatory report which, from around February 2015, went to the full Board; and

(c)     other scheduled or unscheduled updates on key developments or areas of interest as requested by the relevant Chair, the CEO, or other Board or Committee members.

This included both general risk management updates and updates specific to AML/CTF.

127.     As a member of the Board and Audit Committee, I received internal audit updates on non-financial risks and controls including through twice yearly updates on key audit themes that had arisen during the previous six months (Thematic Audit Reports) and through other updates such as scheduled risk and control “deep dives” into particular business units or focus areas.

128.     From a broader risk management perspective, I participated in formal processes to understand and get comfortable with CBA’s risk management framework, including (from 2015) a formal scheduled annual risk management declaration process.

129.     I also engaged in other formal processes to understand and confirm CBA’s compliance and risk management, which processes were scheduled into the Board’s calendars in advance, such as the process for confirming statements made in CBA’s annual reports.

130.     Based on the information provided to me through these key mechanisms (both as addressed in Section D and as expanded upon further in the remainder of this Section E) and based on my own observations through participating in the Board and Committees, I developed and maintained a general understanding over the Period that:

(a)     the Group’s overarching risk management processes, systems and controls were substantially effective through to FY17, following which I still understood them to remain largely effective despite some challenges being faced particularly in our offshore business;

(b)     risk and compliance matters were escalated to Group Executives, the Committees and the Board (as appropriate), whether from the business units, risk and compliance teams or GA&A;

(c)     in respect of AML/CTF specifically:

(i)     the Group’s AML/CTF framework was overall sound (having been considered by both internal and external experts) albeit that there were opportunities to improve particular processes, systems and controls. As a consequence, for example, management had engaged PwC to undertake reviews of certain of the Group’s AML/CTF processes, systems and controls as discussed at paragraph 136(a) below;

(ii)     where instances of non-compliance, weaknesses in particular processes, systems or controls or other areas for enhancement were identified (which I considered to be inevitable given the size and complexity of the Group), executable action plans were put in place, funding and resources were authorised, and relevant regulators were consulted and kept informed; and

(iii)     the Group had established a positive and productive relationship with AUSTRAC, such that (for example), even after AUSTRAC was aware of the TTR issue and various additional matters unearthed through GA&A audits, the Board received positive feedback from AUSTRAC and opportunities to partner with AUSTRAC continued to be made available to our personnel (for example, through Ms Watson being invited to join AUSTRAC at a financial crime forum in Moscow, which I refer to in paragraph 109(d) above).

131.     This understanding reinforced my view that I did not have material information to disclose in respect of issues being considered by AUSTRAC in respect of CBA over the Period.

191    In relation to the 2013 audit report, I also observe that, in their Joint Report, Mr Elliott and Mr Bell noted that while the report: (a) covered a broad range of areas related to the Bank’s AML/CTF Program which identified 21 audit issues; and (b) alerted the Bank that there were numerous issues to be addressed by relevant and nominated people to further uplift the Bank’s overall AML/CTF Program, the late TTR issue was not specifically identified in the findings of the report or in the Issues Log, and the report did not identify a specific requirement to immediately review the detection methods for the cash deposit reporting systems.

192    In this connection, it is important to understand that a significant focus (albeit not the sole concern) of the 2013 audit report was the Bank’s AML/CTF compliance in respect of KYC requirements and the fact that the escalation of KYC error rates had been ineffective. The report noted that improvement on this matter was required to bring the Bank’s management of AML/CTF risks within an acceptable risk tolerance. Any issues the Bank had in respect of its compliance with KYC requirements are not relevant to the issues raised in this case.

193    The Bank provided a copy of the 2013 audit report to AUSTRAC. AUSTRAC prepared a Compliance Assessment Report. On 6 February 2014, AUSTRAC wrote to the Bank expressing its concern with the 2013 audit report’s findings:

Given the high level of AUSTRAC’s concern with the contents of the CBA internal review we anticipate that all issues raised in the report will be addressed in accordance with the prescribed due dates. AUSTRAC appreciates that some of the issues raised are focused on CBA’s own internal concerns that may not be relevant to AML/CTF compliance.

194    In its letter, AUSTRAC required the Bank to provide comprehensive and detailed action plans for issues that related to the AML/CTF Act and AML/CTF Rules, and said:

Given the serious nature of some [of] the issues identified in the internal review, AUSTRAC will closely monitor CBA’s progress against its various action plans.

195    In its letter, AUSTRAC also requested the Bank to provide it with written monthly update reports.

Project Alpha

196    Following the 2013 audit report, the Bank engaged PwC in March 2014 to conduct an external review of the issues that had been raised. On 19 August 2014, PwC delivered its report entitled “Project Alpha: Root cause analysis of the identified Group-wide AML/CTF issues” (the Project Alpha Report).

197    In its report, PwC referred to the increase, from a global perspective, in the punitive measures and regulator expectations in respect of AML/CTF compliance. They noted that, in Australia, “the AML/CTF regulatory landscape is experiencing significant change”. PwC spoke of an expectation that the potential for regulatory action by AUSTRAC would increase.

198    PwC noted the key failings identified in the 2013 audit report. Conspicuously, PwC identified that the “crux of the high-risk issues” identified in the 2013 audit report was the failure among all relevant Business Units to “correctly conduct the required customer due diligence … for clients that are non-individual entities (for example, trusts and private companies)”. This is a reference to the KYC requirements of the Bank’s AML/CTF Program. It was in that context that PwC observed:

These issues were compounded by a failure of the AML/CTF operating framework in testing, monitoring and escalating known issues to key stakeholders to ensure sufficient attention and corrective action.

199    Even so, PwC concluded that, in respect of all the issues raised in the 2013 audit report, the root causes included “ambiguity” around the AML/CTF operating framework, an under-investment in specialised AML/CTF resources and training, and the fact that the Bank’s AML/CTF assurance activities had been “conducted in silos” (meaning that AML/CTF assurance was not being conducted within an holistic framework supported by systemised reporting).

200    In relation to the “ambiguity” around the AML/CTF operating framework, PwC observed:

The AML/CTF operating framework is not consistently understood across the Group. Within each [Business Unit] there are different understandings of the roles and responsibilities of each line of defence and the roles of the [AML Compliance Officer]. As a result, there is limited escalation of issues (unless deemed high risk) or regular reporting through to GORC, and decisions are made in isolation within [Business Units].

201    One of PwC’s primary recommendations was:

Build a formal, Group-wide, systemised assurance and monitoring framework for AML/CTF using RiskInSite and leveraging existing CBA assurance processes where possible.

APRA Prudential Review Report

202    The Australian Prudential Regulation Authority (APRA) also conducted a review of the 2013 audit report. On 5 September 2014, it provided a report (the APRA Report) to the Bank.

203    In the report’s Executive Summary, APRA said:

The CBA Group is a diverse entity, with multiple business units that operate in a variety of regulatory and legislative frameworks in both Australia and overseas jurisdictions. Add to this the volume and complexity of global regulatory change and it highlights the importance of effective compliance risk management. APRA’s assessment is that whilst CBA’s Compliance Risk Management Framework (CRMF) provides the foundation for sound management of compliance risk, there is a need for improvement in the maturity and consistency of implementation across the Group. This could be facilitated by Group Compliance providing a stronger role in the direction and guidance given to the businesses in terms of how they implement and follow the CRMF. APRA observed some actions in this regard had already been initiated.

APRA also considers that the level of challenge from Group and business unit compliance functions could be enhanced to improve consistency and promote the prompt identification of key risks and their escalation to more senior risk forums, where necessary. The development of a more forward looking approach to compliance risk, backed by the appropriate use of data and enhanced compliance reporting, would enable a greater focus on emerging risks and trends within the business. While APRA notes that this is an area requiring development across the industry, we observed that CBA was not making full use of all available data and that there was limited evidence of forward looking discussion and reporting at a business unit level.

APRA noted the Group’s CRMF includes reputational risk within its definition of compliance risk, and as an outcome of incidents. We were advised that the bank addresses reputational considerations through a variety of executive forums; including the Board, Executive Committee (Exco) and the recently formed Reputational Risk Committee. During the review APRA noted an absence of discussion of reputational risk at a business unit level. Business unit committee minutes and reports focused more on the financial impact of crystallised events as opposed to consideration of potential reputational implications of events that have yet to emerge. APRA’s view remains that the CRMF is an important contributor to the management of reputational risk by the Group, and that business unit and compliance staff should take proactive steps to identify, discuss, document and, where appropriate, escalate reputational risks to more senior forums.

The review provided APRA with some insights into how CBA assessed its compliance risk culture. We noted a key component to this assessment is the People and Culture Surveys which have contributed to supporting the view of the CBA Board and management that CBA has a ‘good culture’. APRA noted that for some survey questions the range of answers was wide, which could indicate potential vulnerabilities, and that staff exhibiting poor behaviours may simply choose to not complete the survey. We also note that this has been the subject of a recent paper to Exco on culture and other discussions with the Board. APRA supports CBA developing its capability to measure and report on the quality of its risk and compliance culture. This is particularly relevant in light of the cultural weaknesses APRA has observed in Bankwest and historically in the Wealth Management Advice business.

One area of particular concern was the identified gaps within the bank’s AML/CTF and Sanctions controls and monitoring processes. APRA observed that key systems were overdue for upgrading and noted that concerns with the bank’s ability to manage these risks have been raised by both Internal Audit and other external regulators. lt is critical that CBA address the deficiencies that have been identified in a prompt and complete manner. This is of increasing importance given the recent large fines levied overseas for breaches of AML regulations and Sanctions. Accordingly, APRA has made this issue a requirement.

APRA supports the continued development of RisklnSite as a risk and compliance management tool and noted its strong capability and potential to capture risks, controls, testing and track assessments. However, the current state of RisklnSite implementation and its utilisation across business units varies significantly and is incomplete. APRA observed that multiple businesses were still in the process of inputting data into RisklnSite from other support systems, which included key risks and controls relating to compliance risks. In APRA’s view there is a need for greater standardisation across business units and an improvement in the data quality. Until these enhancements are completed, the ability of RisklnSite to be a source for meaningful Group-wide reporting from both a consolidated and bottom-up perspective will be limited.

204    In relation to the 2013 audit report, APRA said:

APRA noted that the Internal Audit review of AML/CTF in December 2013 was rated ‘Red’ and the Group-wide Sanctions Review in February 2013 was rated ‘Amber’. Of particular concern to APRA was that in the AML/CTF review, Internal Audit identified that Know Your Customer (KYC) error rates of 25 to 45 per cent had been identified by the business or assurance areas in RBS, lB&B, Markets and Bankwest. However, test plans and RisklnSite controls had been rated ‘Green’, even though these errors existed and were well above the stated tolerances of 3 per cent. Internal Audit made the comment “we are concerned about the speed and, effectiveness of the escalation of these issues across the Group”. Although we only observed one incidence of this, it is a concern that business and risk staff were rating controls ‘Green’ when they should have been rated ‘Red’.

This finding also raises the issue of roles and responsibilities in regard to implementation, monitoring and oversight in this area, i.e. what role is played by Group functions versus the business units. APRA notes that CBA is, currently in the process of preparing a Group level assurance program for AML/CTF, Sanctions and anti-bribery and corruption.

Project Beta

205    In order to assess the status of the Bank’s remediation of the issues arising from the 2013 audit report, PwC considered AUSTRAC’s Compliance Assessment Report of 6 February 2014 and the Bank’s monthly updates to AUSTRAC outlining the remediation activities to be undertaken by its Business Units. In April 2015, PwC released a report entitled “Project Beta: Assessment of AML/CTF Remediation Activities Interim Report” in relation to its assessment.

206    In this report, PwC recorded that it “noted improved support and motivation amongst AML/CTF representatives at the Group and Business level” compared to a previous review. Of the 21 issues identified in the 2013 audit report, 20 had been completed and “closed” within the agreed timeframes, and that Business Units had offered and provided training to employees where policies, procedures, systems or controls had changed. PwC noted that Business Units had established Line 1 and Line 2 monitoring and testing, where necessary, to ensure ongoing compliance with remediation actions. PwC said that it was clear from discussions with “Action Owners” and employees within each of the Business Units that the findings of the 2013 audit report and AUSTRAC’s Compliance Assessment Report, as well as the remediation plans, had been communicated to relevant employees and that these employees “understood that these matters had to be addressed”.

207    PwC noted, however, that RiskInSite was continuing to be used inconsistently and that there appeared to be an “inconsistent understanding of RiskInSite across the [Business Units] regarding its purpose, how to capture an issue and how to describe the activities and controls implemented to address the issue”.

208    PwC delivered a final report in June 2016.

The Bank’s Internal Audit Report 2015

209    In May 2015, Group Audit delivered a report on an internal audit which focused on the completeness of data captured in the Bank’s systems used for centralised AML/CTF screening and the processes it used for the maintenance of “AML/CTF rules” (the 2015 audit report). This audit was one of APRA’s requirements notified in the APRA Report.

210    The 2015 audit report gave an overall “red” rating based on an “unsatisfactory” rating for “Control Environment” and a “marginal” rating for “Management Awareness & Actions”. A “marginal” rating meant:

Management has shown some understanding of the significant risks and controls relevant to their business; however they were not performing regular testing of the controls to assess their operating effectiveness.

Alternatively, management was not aware of all material issues and/or was not taking appropriate and timely action to resolve and escalate.

211    In its Audit Conclusion, Group Audit noted (amongst other things):

… controls have not been embedded across the Group to validate the completeness and accuracy of data flows between source systems and those used for centralised AML/CTF screening.

212    Group Audit also noted:

A small proportion of International Fund Transfer Instructions (IFTI) and Transaction Threshold Reports (TTR) were not reported to AUSTRAC. The accuracy of information provided on IFTI, TTR and Suspicious Matter Reports was also highlighted as a concern by AUSTRAC in its Annual Compliance Assessment performed in January 2015.

213    Group Audit noted, further, that, in relation to co-ordinating the development of clear accountabilities for AML/CTF compliance processes across the Group:

… the Chief Compliance Officer will develop an enhanced Financial Crimes Compliance Framework, which will include mapping of end-to-end business processes, systems architecture and accountabilities. This aims to address the lack of ownership of group-wide compliance processes which has contributed to the current weaknesses in the control environment.

214    The 2015 audit report identified certain issues which had been given a “high” rating.

215    One issue was that there was “(u)nclear end-to end ownership and governance for AML/CTF processes across the Group”. This involved a lack of definition of roles and responsibilities to ensure that the reporting of IFTIs (and TTRs) to AUSTRAC was complete and accurate. The accompanying Issues Log noted:

The audit highlighted that transactional data relating to some high risk rated products is not being fed into the Group’s AML/CTF screening systems and high risk customer models maintained in systems are not up-to-date. We also observed knowledge gaps across multiple teams responsible for maintaining data flows between source systems and AML/CTF systems used for AUSTRAC reporting.

216    This issue was also given a “major” impact rating in the Issues Log with a “possible” likelihood (meaning, a less than 50% probability of occurring within the next 12 months). This entailed certain “reputation/brand” consequences, including a possible medium term fall (10 – 20%) in the Group’s share price. This rating also entailed certain “legal/regulatory compliance” consequences, including possible focused regulatory surveillance and significant increased regulatory oversight, and possible “major fines and sanctions”.

217    Another issue with a “high” rating was that there was “no end-to-end assurance performed over the completeness and accuracy of transactional data used for AML/CTF screening”. The Issues Log recorded:

There is no process to validate the completeness and accuracy of transactional data flows between source systems and those used for AML/CTF screening such as Financial Crimes Platform (FCP), Financial Crime Case Management (FCCM) and Proactive Risk Manager (PRM).

218    This issue was also given a “major” impact rating in the Issues Log with a “possible” likelihood.

219    Similar issues had been raised in the 2013 audit report.

220    The 2015 audit report identified a number of issues with a “medium” rating. One of these was that all cash deposits and withdrawals greater than or equal to $10,000 were not being reported to AUSTRAC. The Issues Log gave this issue a “moderate” impact rating with a “possible” likelihood. A “moderate” impact rating entailed certain “reputation/brand” consequences, including a possible short term fall (less than 10%) in the Group’s share price. It also entailed certain “legal/regulatory compliance” consequences, including “[i]ncreased general regulatory oversight”, “[p]otential impact on regulator relationships”, and “[f]ines”.

221    However, as Mr Elliott and Mr Bell noted in their Joint Report, the late TTR issue was not specifically identified in the 2015 audit report, including in the associated Issues Log. Mr Elliott and Mr Bell also noted that the 2015 audit report did “not identify a specific requirement to immediately review the detection methods for the cash deposit reporting systems”. They noted, further, that the account monitoring failure issue had already been self-identified on about 16 June 2014 and had been recorded in RiskInSite on 4 September 2014.

Events from mid-July 2015

The Tabcorp penalty proceeding

222    On 22 July 2015, AUSTRAC announced that it had commenced proceedings against Tabcorp for “extensive, significant and systemic non-compliance with Australia’s anti-money laundering and counter-terrorism financing legislation”. In its press release, it stated:

As we have demonstrated in this case, we are prepared to work with businesses to improve their systems and controls, but will take strong action when they fail to make the necessary improvements to address serious and systemic non-compliance.

223    These proceedings subsequently resolved with Tabcorp agreeing to pay a pecuniary penalty of $45 million.

AUSTRAC raises concerns

224    On 30 July 2015, the Bank met with AUSTRAC to provide a “general monthly update”. It seems that, beforehand, AUSTRAC and APRA had met and discussed the 2015 audit report. As I have noted, this audit was one of APRA’s requirements notified in the APRA report.

225    At the meeting with the Bank, AUSTRAC said that it had “serious concerns around” the audit. AUSTRAC made the overarching comment that, on the face of it, the 2015 audit report was “very concerning” and was “raising questions internally within AUSTRAC” and that, potentially, AUSTRAC “would … consider if enforcement action would be necessary”.

226    In a file note created on 30 July 2015, Mr Byrne (whose title in the file note was given as the Bank’s Head of Group Financial Crime Compliance, Regulatory liaison & complex matters) noted:

Examples of concerns from AUSTRAC’s perspective are around the apparent gaps in IFTI, TTR and SMR reporting, the fact that the Internal Audit report states that the business didn’t understand what is reportable, that systems are not generating alerts that they should be and that there are issues with the High Risk Customer Model. Further concerns include that the systems haven’t been looked at since 2009. However, there are general concerns with the report as a whole.

227    On 19 August 2015, a further meeting was held between the Bank and AUSTRAC. A report of the meeting that was given to Mr Toevs makes clear the Bank’s appreciation that there had been “a lot of dialog” between AUSTRAC and APRA and that AUSTRAC was “very open” about that fact. The report indicates that the Bank had been told informally that “the enforcement comment” had been made “incorrectly” but that “there was no firm retraction of the comment during the meeting”.

Project Nitrogen: The 2015 Entitlement Offer

228    In 2015, the Bank undertook a $5 billion capital raising through a pro-rata renounceable entitlement offer of new shares to existing shareholders. A due diligence committee (DDC) was established for that purpose. Mr Cohen was the Chair of the committee. The DDC was responsible for overseeing the due diligence process established by the Bank in connection with the preparation of the offer documents. One of its tasks was to identify potentially significant matters that might be regarded as market sensitive and to address those matters as appropriate. The DDC met regularly from July to September 2015.

229    The Bank’s advisers included their solicitors, PricewaterhouseCoopers Securities (PwCS), Goldman Sachs, Morgan Stanley, and UBS. Morgan Stanley and UBS were the underwriters of the issue.

230    The due diligence process included the following steps: (a) management personnel were issued with a questionnaire and were required to “sign-off” (confirm) information in their assigned areas; (b) the managers of the 2015 Entitlement Offer had the opportunity to question the Bank’s management personnel; and (c) Group Executives were required to provide formal verification to the effect that they were not aware of any material information being withheld from continuous disclosure that was required to be disclosed to the market.

231    The DDC was advised that, when assessing whether a particular matter was material to the offer, both quantitative and qualitative factors needed to be considered. In relation to quantitative materiality, PwCS provided input on the threshold that it considered appropriate for the Bank to use.

232    The Bank’s Board approved the 2015 Entitlement Offer and the offer documents on 11 August 2015.

233    On the same day, the DDC issued a report (the DDC Report). The DDC Report attached (amongst other things): (a) a management due diligence questionnaire; (b) management “sign offs”; and (c) verification certificates.

234    Amongst other things, the due diligence questionnaire:

(a)    asked whether there were “any material legal, regulatory or administrative actions, suits or proceedings in any court or by any government agency or body, domestic or foreign, currently pending or that are, to the knowledge of the Group, threatened against or affecting the Group or its directors” (Question 1.48);

(b)    asked for confirmation “that the Group has substantively complied with money laundering statutes” in Australia (Question 1.55); and

(c)    asked for confirmation that “the Group has appropriate risk management policies to monitor compliance with applicable laws and regulations and to detect any non-compliance…[and] that no material non-compliance has been detected recently” (Question 1.63).

235    Mr Cohen was the Group Executive responsible for Question 1.48. He answered “No”. Mr Cohen’s evidence was that this reflected his view at the time.

236    Mr Toevs was the Group Executive responsible for Question 1.55. He answered “Confirmed”. As to that answer, Mr Cohen gave this evidence:

36.    I note that the wording of question 1.55 sought confirmation that the Group had substantively complied with its AML requirements. My view was that this was the appropriate level of confirmation to seek. Given the volume of transactions and customers using CBA’s services (then approximately 68 million branch deposits and withdrawals, 270 million transactions through Automatic Teller Machines (ATMs), 1.532 billion EFTPOS transactions and 528 million internet transactions, as well as a customer base of 15 million in FY15), I did not consider it reasonable (or indeed tenable) to expect there to be no instances of non-compliance (whether known or unknown).

237    Mr Toevs was also the Group Executive responsible for Question 1.63. He answered that question as follows:

Confirmed. The Group has appropriate risk management policies to monitor compliance with applicable laws and regulations and to detect non-compliance. Due to the detailed self-reporting regulatory regimes in the various jurisdictions the Group operates, on average each month some regulatory breaches are self-identified and reported. Confirmed that no material non-compliance issues [have] been recently detected.

238    On 12 August 2015, the 2015 Entitlement Offer was announced to the market through a cleansing notice issued under s 708AA(2)(f) of the Corporations Act (the 2015 Cleansing Notice).

239    On 24 August 2015, Mr Cohen signed a “new circumstances” proforma confirmation that he was not aware of any:

(a)     ... statement in the Offer Documents [that was] false, misleading or deceptive (including by omission) or likely to mislead or deceive (including by omission) or does not otherwise comply with the Corporations Act; or

(b)     ... omission from the Offer Documents of material required by the Corporations Act; or

(c)     ... new circumstance that [had] arisen since the Offer Documents were issued which the DDC would have required to be included in the Offer Documents if it had arisen before Offer Documents were issued or that changes the nature of any of the disclosures in the Offer Documents; or

(d)     ... material change to the potential effect the Offer will have on the control of CBA or the consequences of that effect.

240    Mr Cohen provided this confirmation on the express basis that he had relied on other members of the DDC and those responsible for reporting to the DDC who had appropriate expertise in relation to those matters falling outside his expertise.

241    On 17 September 2015, which was the day before the new shares were to be issued, Mr Cohen signed a confirmation that he was not aware:

(a)     that there is a statement in the Offer Documents which is false, misleading or deceptive (including by omission) or likely to mislead or deceive (including by omission) or does not otherwise comply with the Corporations Act; or

(b)     that there is an omission from the Offer Documents of material required by the Corporations Act; or

(c)     that there is a new circumstance that has arisen since the Offer Documents were issued which the DDC would have required to be included in the Offer Documents if it had arisen before Offer Documents were issued or that changes the nature of any of the disclosures in the Offer Documents; or

(d)     of a material change to the potential effect the Offer will have on the control of CBA or the consequences of that effect.

242    How does knowledge of the IDM ML/TF risk assessment non-compliance issue, the late TTR issue, and the account monitoring failure issue relate to the 2015 Entitlement Offer?

243    Mr Cohen became aware of the late TTR issue as a result of being sent an email by Mr Narev on 6 September 2015. I refer to this email in a later section of these reasons. As I have noted, in his affidavit Mr Cohen said that he did not become aware of the late TTR issue until October 2015. However, he corrected this statement at the commencement of his evidence in chief. Mr Cohen became aware of the account monitoring failure issue in April 2017. He became aware of the IDM ML/TF risk assessment non-compliance issue in August 2017, after the commencement of proceedings against the Bank by the AUSTRAC CEO.

244    In his affidavit, Mr Cohen turned his mind to what his thought processes would have been if each of these issues had been raised with him as part of the DDC process. He expressed his belief that none of them would have been a matter that needed to be disclosed and none of them would have had an impact on his ability to provide the verifications or confirmations he did provide, or warranted the Bank taking other steps such as “suspending, cancelling, withdrawing, [or] varying the 2015 Entitlement Offer, or making a supplementary disclosure”.

245    In the case of the late TTR issue, Mr Cohen’s evidence on this score—expressed as a hypothetical—sits somewhat awkwardly with the fact that he had actual knowledge of that issue as at 6 September 2015. However, he also said that, in relation to Question 1.55, he did not recall any discussion of AML/CTF compliance issues in the context of the 2015 Entitlement Offer, or that Mr Toevs or Mr Dingley had raised any concerns about such issues.

246    Mr Cohen’s evidence was that:

51.    In relation to the TTR issue, at the time of the DDC process, this was a compliance issue affecting a particular BU that had been uncovered in the context of a query from a regulator seeking to locate two TTRs, which needed to be (and was promptly) remediated. While threshold transaction reporting was an important process and the TTR issue was an unsatisfactory occurrence, from a continuous disclosure perspective I also believe that I would not have considered this to meet the threshold for disclosure in the context of CBA’s broader business activities. It is my experience that having regard to the nature of CBA’s business, it will be contacted regularly by regulators on a weekly, if not daily, basis in relation to CBA providing information and documents (including in response to statutory notices) to that regulator in relation to CBA’s activities. It was consistently my view throughout the Relevant Period that the receipt of requests or notices from a regulator is not of itself material information because such receipt does not give any clear indication of whether the regulator intends to or will take any form of regulatory action, what form that action might take or other clear information about the nature, scale and composition of the issues underpinning that action. In the case of the TTR issue, at the time of the DDC process the regulatory query had not even advanced to a statutory notice stage.

247    The applicants contend that the Court should find that, knowing about the late TTR issue, Mr Cohen should not have provided the confirmation that he did on 17 September 2015. They contend that the Court should also find that the late TTR issue warranted the Bank suspending, cancelling, withdrawing, or varying the 2015 Entitlement Offer.

248    As to the account monitoring failure issue, Mr Cohen’s evidence was that:

52.     … at the time of the DDC process this was a compliance issue that had been self-identified, was close to being resolved and was not to my knowledge the subject of any communication with the regulator. I am not aware of the exact number of affected accounts that were known at the time but in any event it was not something that I understood to be material even when the number of affected accounts later came to my attention. I would not have considered it something that needed to be disclosed in the context of the Entitlement Offer.

249    As to the IDM ML/TF risk assessment non-compliance issue, Mr Cohen’s evidence was that:

53.     … even if I had understood CBA to have not complied with the Group’s joint AML/CTF Program (AML/CTF Program) with respect to preparing an ML/TF Risk assessment of IDMs at or prior to their roll-out, I would not have understood it to be material … and I would again not have considered it something that needed to be disclosed in the context of the Entitlement Offer.

Further events concerning the late TTR issue

250    By 18 August 2015 the late TTR issue had been escalated to Mr Dingley (and others). At that time, Mr Dingley was the Chief Operational Risk Officer. As communicated in an email from Mr Byrne, the Bank’s initial investigation at that time was that:

RBS [Retail Banking Services] has determined that large cash deposits made thru these IDMs are not feeding the TTR process. It is determining when the issue started and consequently how many reports were not lodged.

251    Mr Dingley responded:

… please push hard to get [the] facts quickly so we know how to respond. This does not sound good.

252    On 20 August 2015, Mr Dingley escalated the late TTR issue to Mr Toevs. In an email to Mr Toevs, Mr Dingley described the position as follows:

… It appears as if the deposits made through this channel are not being reflected in the cash transaction report that is submitted to Austrac. I have not yet been able to establish if this (sic) for a period of time, or since the machines went into the network. This could go back to 2010 as a worse case scenario. Tony Byrne is working with RBS and ES to get all the facts. If this is systemic, it will be very disappointing as Tony Byrne has had prior confirmation from RBS Risk that this was operating correctly.

253    Mr Dingley also said:

If [this] is a systemic issue, it may just tip the balance and it could be a tough ride with Austrac.

254    This last-mentioned comment was made in the context of Mr Dingley reporting to Mr Toevs that AUSTRAC had already raised concerns about the findings of the 2015 audit report (see [224] – [227] above).

255    By at least the morning of 4 September 2015, the late TTR issue had been escalated to Mr Narev who had asked for a “short briefing paper”. By the afternoon, Mr Byrne had prepared a briefing paper. The briefing paper said that it had been discovered that the two deposits (which had been referred to the Bank by AUSTRAC) had not been reported “because of a system coding error dating back to November 2012” and that, at that stage, “the investigation has identified that 51,637 TTRs were not reported to AUSTRAC” which represented “approximately 2.5% of the total reportable transactions for the same period (November 2012 to 18 August 2015)”. A prefatory section of the report noted that failure to comply with the obligation to lodge TTRs “can result in reputational damage and regulatory enforcement including fines and remedial action”.

256    On 6 September 2015 an email exchange took place between Mr Narev and Mr Comyn. In that exchange, Mr Comyn said that “the full extent of the issue is [being] investigated”. In response, Mr Narev said that he had spoken to Mr Toevs that day. He continued:

It goes without saying that we need to take this extremely seriously. I have let Alden know that he should personally be in touch with Austrac about this, and offer up a discussion with me. We need to adopt a similarly senior posture with AFP, though I suspect David Cohen (also copied) may be the better contact with them given that there are current legal proceedings.

Whilst this is as a result of unintentional coding related errors, the circumstances warrant very senior oversight.

We need also to make sure that:

- we are going through all relevant transactions to check for other problems

- we have fixed the problem, and

- no-one within the Group had knowledge of/concern about this issue. I understand we have no cause for concern about this, but I want to know that there was no avoidance of the issue/reluctance to escalate.

257    Mr Comyn replied on 7 September 2015 that the matter was being taken “very seriously” but that he had “zero concerns about the reluctance to escalate”.

258    In submissions, the applicants make much of the fact that, in his affidavit, Mr Narev did not refer to this correspondence. The applicants also rely on other aspects of Mr Narev’s cross-examination to contend that, in his affidavit, Mr Narev sought to minimise his initial reaction to the late TTR issue.

259    On reviewing the cross-examination of Mr Narev, I do not think that much turns on the fact that Mr Narev did not refer, specifically, to his email correspondence with Mr Comyn on 6 September 2015 in his affidavit. That said, I have no reason to doubt that this correspondence reflects Mr Narev’s contemporaneous state of mind.

260    In addition, I do not think that, in his affidavit, Mr Narev sought to minimise his initial reaction to the late TTR issue. In his affidavit, he did say that he did not consider that the late TTR issue had exposed the Bank to a “risk” of regulatory action until about October/November 2016. However, in cross-examination, Mr Narev clarified that he meant a “serious risk” of regulatory action. In other words, although in early September 2015 he thought that the late TTR issue posed a risk of AUSTRAC taking regulatory action, it was not until October/November 2016 that he thought that there was a serious risk of that happening. Mr Narev’s evidence was that, even then, he did not consider it to be “at all likely that AUSTRAC would commence regulatory action in the form of civil penalty proceedings in respect of the [late] TTR issue”. I accept this evidence.

261    On 8 September 2015, Mr Toevs sent a letter to AUSTRAC notifying it that 51,637 TTRs had not been lodged for the period November 2012 to 18 August 2015. The letter advised AUSTRAC of the root cause of the problem and informed it of the “extensive remediation program” that the Bank would implement in response. This included the Bank retrospectively submitting “all of the reportable TTRs that resulted from the missing transaction code”.

262    On 24 September 2015, the Bank wrote to AUSTRAC informing it that the late TTRs had been lodged. There were 53,506 TTRs so lodged.

263    On 12 October 2015, Mr Toevs, Mr Dingley, and Ms Williams (the Chief Compliance Officer) prepared a report for the Bank’s Risk Committee which, after noting the outcome of the 2015 audit report, included the following:

3.4.2.     Group Operational Risk and Compliance (GORC) has accepted the outcomes of the Internal Audit reviews and is driving a series of initiatives to deliver effective end-to-end governance over the control environment.

3.4.3.        An example of the outcomes of these control issues and their ongoing rectification is that, following a recent investigation undertaken by the Bank into two unreported threshold transaction reports (TTRs) to AUSTRAC, it was identified that between November 2012 and August 2015, 51,637 cash deposits of over $10,000 conducted through intelligent deposit machines (IDMs) were unreported to AUSTRAC. This arose because of a coding error.

3.4.4.        While there is no formal breach reporting requirement under the AML/CTF Act, the breach has been reported to AUSTRAC and the non-compliance remediated. We have also taken steps to ensure better assurance processes are in place to detect these types of failures going forward. By taking steps to rectify the reporting failure and improving our control environment we reduce the risk of any regulatory action being taken by AUSTRAC.

264    The report noted that, in Australia, regulatory action had been taken against Barclays Bank, Mega Bank and Tabcorp for AML/CTF breaches, resulting in enforceable undertakings being given and (in the case of Tabcorp) “Federal Court action”.

265    The Bank’s Board was informed of the late TTR issue at its meeting on 12 and 13 October 2015.

266    On 12 October 2015, AUSTRAC responded to the Bank’s communications of 8 and 24 September 2015. In a letter to Mr Toevs, AUSTRAC expressed its “serious concerns” about the scale of the Bank’s non-compliance with s 43 of the AML/CTF Act and the period over which those contraventions had occurred.

267    AUSTRAC sought further details from the Bank in the form of information and documents. Among the documents sought was “any ML/TF risk assessment the CBA conducted on the IDMs before rolling out these machines in May 2012”. AUSTRAC sought a response by 26 October 2015.

268    The Bank provided that response by letter on 26 October 2015. In relation to the request for documents of any ML/TF risk assessment before rolling out IDMs, the Bank said:

CBA considers that IDMs were an enhancement of the existing ATM functionality as a channel to provide designated services. As a result, CBA has relied upon the ML/TF risk assessments conducted on ATMs as a channel for providing designated services.

269    The Bank also said:

No changes have been made to IDMs since 2012 to warrant any further risk assessment.

There were no additional high rated ML/TF risks raised in relation to the roll out of IDMs that required escalation to the Board or senior management. IDMs were intended to provide deposit functionality (similar to that of Branches) and the existing AML transaction monitoring controls and TTR reporting were applied to deposits via IDMs.

Events in 2016

Board meeting with AUSTRAC on 14 June 2016

270    On 18 April 2016, a briefing paper was prepared for the Board in relation to an upcoming lunch to be attended by the Board and several members of the Bank’s management with Mr Jevtovic (the AUSTRAC CEO) and Mr Clark (the Deputy CEO). This was to be Mr Jevtovic’s first meeting with the Board. The briefing paper noted Mr Jevtovic’s “strong law enforcement background” which, at the time of his appointment in 2014, “was expected to mark a change in AUSTRAC’s regulatory approach”. The paper said that:

Since his appointment, Mr Jevtovic has engaged in a program of reshaping and refocusing the activities of AUSTRAC. This has led to work commencing on a range of new initiatives. Many relate to developing greater partnerships with the private sector. …

271    An additional briefing paper was prepared for the Board on 27 April 2016. In relation to the Bank’s regulatory relationship with AUSTRAC, the paper said:

13.1        Whilst CBA’s collaboration on many of the initiatives set out above is viewed positively by AUSTRAC, their view of our compliance is less clear.

13.2        In the past year, there have been two issues which appear to have raised senior level concerns within AUSTRAC.

13.3        In May 2015, internal audit completed a review of AML/CTF systems across the Group. This review was undertaken as a result of an APRA Compliance Review in July 2014.

13.4        In July 2015, AUSTRAC raised concerns about findings in the review around potential transaction reporting failures.

13.5        A revalidation exercise was undertaken in relation to the transactions in question and it was determined that in most cases, the transactions identified by internal audit had either been reported manually, or were not reportable.

13.6        In September 2015, we notified AUSTRAC that we had identified that a number of transactions which were undertaken through intelligent deposit machines had not been reported to AUSTRAC.

13.7        AUSTRAC responded with two detailed requests for information in relation to this matter. The non-compliance detected has now been remediated.

272    The lunch was held on 14 June 2016. Mr Narev’s evidence of the meeting was that it was “a general discussion about what [the Bank] was doing in the AML/CTF area” and that Mr Jevtovic “did most of the talking”. Mr Narev recalled Mr Jevtovic saying words to the effect of “AUSTRAC’s relationship with [the Bank] is very strong and I feel very positive about it”. According to Mr Narev, nothing was raised at the meeting about the late TTR issue or any other concerns about the Bank’s AML/CTF compliance. Mr Narev said that he left the meeting “thinking that the Group was doing well and that AUSTRAC did not seem to have any current areas of concern relating to the Group”.

The statutory notices

273    On 22 June 2016, a notice was given to the Bank under s 167(2) of the AML/CTF Act seeking the production of information and documents (the first statutory notice). The notice was circulated to Mr Comyn and others by an email dated 23 June 2016. The content of the notice (and the background to it) was described by Mr Keaney (General Manager, Group Financial Crime Services) in a further email dated 13 July 2016 that was sent to various people, including Mr Comyn:

On 22 June 2016, a statutory notice was received from AUSTRAC for the production of information and documents. Information collected under this notice could be used by AUSTRAC in civil penalty proceedings against the Group, although at this stage AUSTRAC is silent on its intentions. The notice is wide ranging but primarily relates to CBA’s compliance with AUSTRAC’s customer on-boarding and ongoing customer due diligence requirements. There is a particular focus on on-line account opening procedures, including electronic verification of customer identities, and the monitoring of transactions through Intelligent Deposit Machines. The notice also seeks detailed information in relation to 59 customers and 120 accounts, and asks for AML-related audit reports (over multiple years) as well as minutes of Board meetings where those reports were considered.

This incident is related to the non-reporting of Threshold Transaction Reports for transactions undertaken through Intelligent Deposit Machines which was detected and self-reported to AUSTRAC in August 2015. Issues relating to that incident are largely closed out. The root cause for regulatory interest in relation to our customer on-boarding and ongoing customer due diligence processes more generally is not yet known. Further information on the root cause may be determined over the course of responding to the notice.

Should AUSTRAC launch Federal Court proceedings against the Group (as in the case of Tabcorp) there will be reputational impacts. In addition, the Group would incur costs in defending such action. The maximum penalty that could potentially be applied by a court is $18 million per breach. Based on the CEO of AUSTRAC’s description to the CBA Board just weeks ago that he has no concerns about the CBA’s intention to be fully compliant with AML legislation, and his belief that the Group is a diligent manager of AML Risk (against a backdrop of significant business and technology complexity) it is hard to believe that AUSTRAC intends to impose significant penalties on the Group – especially given that the CEO Mr Jevtovic would have known about this imminent notice at the time he met with our Board and yet didn’t raise it to offset his praise of the Group in relation to the management of financial crime.

274    Mr Keaney’s email was forwarded to Mr Narev on the same day.

275    The applicants submit that, in his affidavit, Mr Narev sought to downplay the significance of the first statutory notice. I am not persuaded that that is so. Mr Narev was clearly conscious of the fact that information collected under the notice could be used by AUSTRAC in civil penalty proceedings. However, Mr Narev said:

89.    Mr Keaney stated in his email that: “Information collected under this notice could be used by AUSTRAC in civil penalty proceedings against the Group, although at this stage AUSTRAC is silent on its intentions” and he provided a maximum penalty per breach as available under the AML/CTF Act. From my experience as CEO, it was common at any one time for several entities within the Group to be engaging with regulators (including ASIC, APRA and others, both domestic and foreign), including through formal and informal requests for information and documents at any given time. This included engaging through notices that could be used in civil penalty proceedings. The Regulatory Reports that I received routinely prior to CBA Board meetings, contained a table of “significant” interactions with a range of regulators for the previous period of which there were always several entries. However, as the Group had less experience in dealing with statutory notices from AUSTRAC, it made sense to me that Mr Keaney would confirm the use to which the notice could be put and the theoretical fines that could result.

90.        For the reasons given in his email, I understood that Mr Keaney continued to think that AUSTRAC’s concerns stemmed from the TTR Issue and that he did not believe that AUSTRAC intended to impose significant penalties on the Group, especially given recent interactions with Mr Jevtovic. This was consistent with my own view. My understanding was that the TTR Issue had been promptly actioned upon discovery by CBA and that AUSTRAC had only brought one civil penalty proceeding up until this point (against Tabcorp, which I expand on at paragraph 122 below). I did not consider there to be any likely prospect of AUSTRAC commencing civil penalty proceedings against CBA.

276    Despite some concessions made by Mr Narev in cross-examination to the effect that this was the first time the Bank had received a s 167(2) notice from AUSTRAC and that the Bank’s receipt of similar notices from other regulators could not inform him of how seriously AUSTRAC was undertaking its inquiries, I accept the general thrust of Mr Narev’s evidence as to his understanding at the time.

277    The applicants also submit that, in his affidavit, Mr Cohen sought to downplay the significance of the first statutory notice. Having reviewed Mr Cohen’s evidence, I do not accept that submission.

278    At the request of the Bank’s Legal Services team, a project team was formed to assist in maintaining confidentiality and legal privilege in respect of responses to the first statutory notice. This was part of a project called Project Concord (the project being the Bank’s response to AUSTRAC’s investigation as reflected in the first statutory notice).

279    On 2 September 2016, a second notice was given to the Bank under s 167(2).

280    On 14 October 2016, a third notice was given to the Bank under s 167(2) (the third statutory notice).

281    On 17 October 2016, an Executive Committee report was prepared seeking endorsement of a proposal to execute a program of work that would “establish the fundamentals for the Group to manage its financial crime risk effectively and efficiently over the next three years”. The report commenced by noting:

1.1.    The Executive Committee is aware of the Group’s exposure to financial crime risk, including money-laundering, sanctions-violations and bribery and corruption, and of consequences of non-compliance, including fines by onshore and offshore regulators.

1.2.    Notwithstanding the Group’s investment in financial crime compliance in recent years, there is still a way to go, as recently confirmed by Group Audit.

1.3.    The potential for fines or other regulatory action seem elevated in light of AUSTRAC recently issuing the Group with an Enforcement Notice, stemming from breaches in Threshold Transaction Reporting from branch-based Intelligent Deposit Machines.

1.4.    Group Security is taking a leadership role in improving the Group’s management of financial crime and is now returning to ExCo to provide an update and plan for the way forward.

282    As I have noted above, by October/November 2016, Mr Narev thought that there was a serious risk of AUSTRAC taking regulatory action in relation to the late TTR issue. However, he did not consider it to be likely that AUSTRAC would commence civil penalty proceedings.

283    Mr Narev gave this evidence, which I accept:

98.     I recall that the updates in respect of AUSTRAC’s notices continued to be very administrative (that is, they were updates on the status and timetable of CBA’s responses to the notices) and discussion at CBA Board meetings about the issues was limited. AUSTRAC’s enquiries were just one aspect of the Group’s regulatory engagements at the time. Nobody suggested to me that this was more serious than the various other regulatory issues that the Group was dealing with at the time. That said, at about the time I became aware of AUSTRAC’s third statutory notice, I started to become concerned by the fact that AUSTRAC was continuing to ask questions and seek documents notwithstanding that we had by now been engaging for more than a year. I turned my mind to the possibility that it may take some type of formal action against CBA. At the time, I thought that if AUSTRAC decided to take formal action, it was likely to involve some type of remedial direction, engagement of an external auditor, or enforceable undertaking. I based that view on my experience in dealing with other regulators over the course of my role, and my understanding of the issues and their status as set out above. To my mind, while AUSTRAC was asking a range of questions, their interest stemmed from the TTR Issue which CBA had been open with them about and had worked hard to address. Based on the reports I had read as described above, my understanding was that the issues had been closed out and that AUSTRAC had indicated that it was “comfortable” with how that had been done. My direct interactions with Mr Jevtovic had been positive, even at a CBA Board lunch directly before CBA received the first statutory notice as I have referred to above. In the circumstances, I did not consider it at all likely that AUSTRAC would commence civil penalty proceedings. I do not recall anyone expressing a different view.

284    The applicants place reliance on evidence given by the Chairperson of the Bank’s Board, Ms Livingstone (who was appointed with effect from 1 January 2017), at the Financial Services Royal Commission:

… either at the October meeting, and I think it was the October meeting, because I think by then the second notice had been received, I challenged management about why were we getting these notices. What was behind them. And was AUSTRAC concerned about something. And so the answer I received was, well, AUSTRAC knew that we were working hard and investing in our financial crimes compliance platform but that we weren’t fully compliant at that time. And that there was significant work and significant investment going on, and that we were maintaining contact with AUSTRAC. And in addition, the then CEO of AUSTRAC had actually met with the board at its June 2016 meeting, at which I was not present, but had not raised any issues with the board at that meeting. I have to say, I was concerned about the fact of the notices, and I had had experience with AUSTRAC in a previous role. So it didn’t feel quite right to me that AUSTRAC would be comfortable with where we were, but management provided assurances that they were fully informed about the situation of - in terms of our level of compliance.

When you say “management”, who provided those assurances?---The CFO did.

285    I do not think that this evidence advances matters substantively other than to confirm that, while service of the statutory notices was a matter of concern, senior executives in the Bank were of the view that the Bank was working productively with AUSTRAC in relation to the Bank’s AML/CTF compliance issues and did not think that it was likely that AUSTRAC would commence civil penalty proceedings against the Bank.

The Bank’s internal audit report 2016

286    In the meantime, on 28 September 2016, Group Audit delivered a report on a further internal audit in relation to the Bank’s AML/CTF framework (the 2016 audit report). The 2016 audit report gave an overall “red” rating based on an “unsatisfactory” rating for “Control Environment” and a “marginal” rating for “Management Awareness & Actions”.

287    In its Audit Conclusion, Group Audit noted (amongst other things) that:

A large number of AML/CTF issues continue to exist across the Group, with weaknesses identified across Business Unit’s (sic) … and Group-wide AML/CTF processes. A number of repeat issues were identified due to inadequate implementation of action plans. Many of the prior issues remain open, with projects currently underway or due to commence to revisit the AML/CTF operating model and completeness of AML/CTF data flows.

288    Group Audit also said:

As part of this Audit, Internal Audit conducted an independent review of the Group’s Part A AML/CTF Program as required by the AML/CTF Rules … Whilst we found that the Bank’s AML/CTF framework covered all of the key requirements of an effective AML/CTF framework, we noted a number of gaps in the development of the program (for example, mapping of compliance obligations), and the implementation and operationalisation of the program …

289    Group Audit noted that the Group had been “slow to address many of the previously identified issues and associated root causes” and that a “number of significant issues from our Audits in 2013 and 2015 remain unaddressed and are either still being remediated … have been reopened due to inadequate remediation … or are yet to be addressed …”.

Events in 2017

Meeting with the AUSTRAC CEO

290    On 30 January 2017, Ms Livingstone had a meeting with Mr Jevtovic. Ms Livingstone did not give evidence in this proceeding, but her handwritten note of the meeting is in evidence. The note records, amongst other things, the following matters.

291    First, the note records Mr Jevtovic’s view that the Bank’s relationship with AUSTRAC was professional “outside of IDMs”. The apparent concern in that regard appears to have been the late TTR issue and the Bank’s failure to lodge TTRs as discussed above. However, the note records that, while that matter “warrants close scrutiny”, the Bank did respond to “the systems issue”.

292    Secondly, the note records that AUSTRAC was concerned about whether the Bank had done sufficient work on understanding AML/CTF risk. In this regard, the note refers to the 2015 internal audit and appears to question the Bank’s “risk culture” (with the Bank’s “poor performance” as against other banks noted).

293    Thirdly, the note records that AUSTRAC was concerned about the Bank’s lack of reporting, its poor risk assessment, its slow response to risk assessment, and the fact that its IDMs had been compromised by organised crime.

294    Fourthly, the note refers to the issue of the three statutory notices, but records AUSTRAC’s view that the Bank had responded adequately to the notices.

295    Fifthly, the note records that AUSTRAC had made no decision on what action “it may or may not take”. The note appears to indicate that AUSTRAC would make a decision in that regard within two weeks, and that there were “options”.

296    On 31 January 2017, Mr Narev (who, at this time, was concerned that the late TTR issue had been “dragging on” with AUSTRAC and that AUSTRAC might be considering taking action, such as an enforceable undertaking, which he wanted to avoid) sent Ms Livingstone an email in which he said:

I am keen to get your instincts on how, if at all, you believe we can engage with [AUSTRAC] in advance of the final determination to influence it.

297    Mr Cohen gave evidence that he had a conversation with Ms Livingstone following her meeting with Mr Jevtovic in which she said that “[t]he discussion was unremarkable”, that Mr Jevtovic was “fine”, and that “AUSTRAC has no major issues”, although there was “an ongoing investigation which we obviously know about”.

298    This evidence was based on Mr Cohen’s recollection of the conversation some years after the event (in the course of preparing his affidavit). Mr Cohen had not seen Ms Livingstone’s note and had made no record of his conversation with her. Mr Cohen’s recollection of the conversation does not sit well with the matters recorded in Ms Livingstone’s note, which reflects a concern by AUSTRAC that was more significant than Mr Cohen’s recollection of Ms Livingstone’s words suggest. I consider that Ms Livingstone’s note provides a more reliable picture of AUSTRAC’s concerns at the time.

The development of Project Concord

299    The further action, if any, that AUSTRAC might take as a consequence of the late TTR issue remained a matter of abiding concern for the Bank. The Bank continued to consider the causes and impacts of that issue.

300    By 7 February 2017, Project Concord had expanded to include “an internal and external communications plan to be used in the event of public dialogue from AUSTRAC on the TTR matter”. The concern appears to have been that, through various means, the fact that AUSTRAC was investigating the Bank in relation to the late TTR issue might or would become public knowledge. The Bank was concerned about bad publicity. One of the aims of the management of this issue was to seek to influence, to the extent possible, how the Bank’s customers and investors would react upon becoming aware of the investigation of the late TTR issue. However, at that time, the plan did not envisage that AUSTRAC would commence proceedings against the Bank.

301    On 14 February 2017, Ms Watson (the Executive General Manager, Group Security and Advisory) sent an email to Mr Craig (the Bank’s Chief Financial Officer), stating (amongst other things):

-        No new information from AUSTRAC

-        AUSTRAC have knocked back multiple requests for clarity

-        Paul Jevtovic has declined two invitations to meet with the CBA Board this week (invited May and June – no to both)

-        Latest update is Catherine Livingstone’s where Paul said “I will let you know soon…”

-        Action could include:

o    Civil penalties following court proceedings

o    Enforceable undertaking style action

o    External review/audit of our financial crime arrangements.

There would likely be a media overlay to any of these actions.

The settlement of the Tabcorp proceeding

302    On 16 February 2017, The Australian newspaper reported that Tabcorp had revealed the terms of a settlement with the AUSTRAC CEO in which it had agreed to pay a pecuniary penalty of $45 million. A copy of the article was sent, by internal email, to Mr Cohen. Mr Cohen’s response was:

Yes saw that today – this will potentially embolden AUSTRAC in its issue with us.

303    I understand Mr Cohen’s reference to “its issue with us” to be to the late TTR issue.

304    Ms Watson sent an email to Mr Comyn and others attaching a media release and articles explaining the settlement. Mr Comyn’s response was:

Jeez, that’s a lot of money. Can you please remind me of the nature of their breach. I hope it’s much more severe than us?

305    Around 21 February 2017, Mr Cohen reviewed a draft regulatory report to be presented at the upcoming March 2017 Board meeting. The report was directed to regulatory matters concerning APRA, the Australian Securities and Investments Commission (ASIC), and other regulators (including AUSTRAC). Mr Cohen made a number of amendments to the draft including in relation to the section dealing with “Other Domestic Regulators and Financial Crime Compliance”. As amended by Mr Cohen, the report provided the following update in relation to AUSTRAC’s investigation into the late TTR issue (the italicised words are Mr Cohen’s additions and the strike throughs are his deletions):

There have been no further regulatory enquiries from AUSTRAC since 9 December 2016 but AUSTRAC has stated that it is considering whether to take regulatory action against CBA for failing to report transactions processed through Intelligent Deposit Machines when the final responses were submitted to the AUSTRAC notices on customer due diligence and ongoing customer due diligence requirements. CBA continues to meet with AUSTRAC and support its AUSTRAC’s broader strategic initiatives. On 16 February 2017, it was reported that AUSTRAC had has reached a $45 million out of court settlement with Tabcorp for breaches of the AML/CTF Act. Tabcorp is the first entity against which AUSTRAC has ever sought to take civil penalty action.

306    In his affidavit, Mr Cohen commented that he could not recall the source of the added statement about AUSTRAC considering regulatory action. He expressed his confidence that the addition of this statement was not intended to indicate the view that AUSTRAC was considering civil penalty proceedings. In this connection, he referred to his use of the expression “regulatory action” which, in his understanding, conveys that there are a range of steps that are available to a regulator. He said that if, at the time, he had considered that the commencement of civil penalty proceedings against the Bank was a real risk, he would have used the words “commence legal proceedings”.

307    Mr Cohen was challenged on this evidence in cross-examination. It was put to him that, by his affidavit, he was seeking to “ameliorate or alter the plain meaning of the contemporaneous record”.

308    I do not accept that contention. First, I can think of no reason why, if Mr Cohen had considered the commencement of civil penalty proceedings to be a real risk, he would not have said so directly in the report. Secondly, AUSTRAC’s armamentarium included a range of actions (discussed above). According to Ms Livingstone’s note, Mr Jevtovic had communicated to her only some weeks beforehand that AUSTRAC had made no decision on what action “it may or may not take”, and that it had “options”. There is nothing in the evidence to suggest that this view had changed in the period between Ms Livingstone’s meeting with Mr Jevtovic and Mr Cohen’s amendment to the draft report.

7 March 2017 meeting with AUSTRAC

309    On 7 March 2017, Ms Watson and Mr Keaney met with AUSTRAC. Ms Watson summarised the meeting in an email to Mr Craig on 8 March 2017, as follows:

Matt Keaney and I met with AUSTRAC yesterday. They described their view of the TTR and associated matters as “serious, significant and systemic”. They also said our failure to immediately and proactively tell them about these and other problems (here they were talking about control weaknesses over multiple years, etc) is a show of bad faith which leads them to wonder what else is broken across CBA’s financial crime landscape.

They said they have not made a determination but it isn’t far off. And in either a slip or a deliberate signal they said “we will tell you before we go public or to media.”

Legal is helping draft a defence outline so we can work out what we do under a civil penalty scenario in particular. I didn’t get any sense of them being interested in us putting an EU to them - they told me that the ball is in their court and they’re going to make a decision then either advise or consult with us.

310    A copy of the email found its way to Mr Narev. Mr Narev gave this evidence:

109.    I understood the discussion that AUSTRAC had with Ms Watson and Mr Keaney as an opening up of the lines of communications with CBA, and I also anticipated that AUSTRAC had used this opportunity to play ‘hardball’ ahead of further discussions between the parties. In that context, I was not surprised by the message from AUSTRAC, including the fact that AUSTRAC had described CBA’s conduct as “serious, significant and systemic” - this was the first time I had seen that language used in CBA’s engagement with AUSTRAC, and I interpreted it as part of AUSTRAC’s desire to be taken seriously ahead of discussions. In response, I suggested CBA take the initiative, and seek to initiate high level discussions involving Mr Jevtovic, Ms Livingstone and myself. I wanted to quickly engage with AUSTRAC at the highest levels of the organisations. My view was that now that we had heard from AUSTRAC, and that it appeared it was contemplating some type of action but had not yet made a determination, it was time for CBA to step up its attempts at engagement with them. While my view remained that a civil penalty proceeding continued to be unlikely, at about this time (I do not now recall precisely when), I did turn my mind to what the outcome might look like for CBA, in what I considered to be the unlikely event that civil proceedings were commenced in respect of the TTR Issue. To the best of my recollection, I speculated that a penalty might be in the region of about $10 million, because I viewed the TTR Issue as a single event resulting from an unintended software glitch.

311    Mr Narev forwarded Ms Watson’s email to Ms Livingstone, saying:

Obviously not good news here, though also not surprising.

The judgment call we need to make from here is whether at the Chair/CEO level we ought to reach out again before a final determination?

312    Ms Livingstone responded:

Agree – not good news. Paul didn’t say anything on Monday and in fact could not have been more friendly.

It might be a good idea if you and I together seek a meeting with Paul. If they speculate publicly about ‘what else is broken’ it will play into the very convenient culture rhetoric. We must make sure that we are dealing with facts and not supposition.

313    I understand the reference to “Paul” in Ms Livingstone’s email to be to Mr Jevtovic.

21 March 2017 meeting with AUSTRAC

314    On 21 March 2017, Mr Narev and Ms Livingstone met with Mr Jevtovic and Mr Clark. In preparation for that meeting Mr Narev drafted a “high level script”. This script envisaged that Mr Narev would suggest to AUSTRAC that the Bank and AUSTRAC:

… [engage] heavily now, in good faith, prior to any formal action, in discussions that would result, within a month, in an agreed path that involves acknowledgement for our part of weaknesses, a clear commitment to remediation, and a monetary fine. We would engage senior subject matter experts rather than lawyers (though of course some legal input would be necessary). And those experts would report directly to us. At a minimum, if that does not work within the relevant legal frameworks, it would involve an announcement by Austrac that it is commencing proceedings, accompanied by a clear statement that Austrac and CBA are already working constructively towards a solution.

315    It is apparent that, in preparing this script, Mr Narev’s thinking was to attempt to negotiate an outcome with AUSTRAC which, preferentially, did not involve the bringing of proceedings for a civil penalty. In that regard, it is apparent that he thought that he could agree on a monetary “fine” with AUSTRAC without further action being taken.

316    As events transpired, Mr Narev’s thinking changed with respect to the approach to be taken at the meeting. A further draft script (this time comprising bullet points) omitted the above quoted passage and any reference to payment of a “fine”.

317    In oral closing submissions (in reply), the applicants pointed to a document prepared by Ms Watson entitled: “Do we believe we can influence the outcome?”. The document appears to have been prepared around 15 March 2017. It discusses the possible action that AUSTRAC might take and the Bank’s preferred outcome.

318    The applicants refer to a part of the document that recognises (contrary to what seems to have been Mr Narev’s understanding at the time) that a “fine” could not be imposed by AUSTRAC “outside of court proceedings”. The applicants submit that this realisation is the reason why Mr Narev’s thinking changed with respect to the approach to be taken at the meeting. I note, however, that the document also suggests that the Bank not offer a “fine”, not just because AUSTRAC “can’t do it” but also because “the EU should be to prevent a fine on any known issues or new issues found through the review”. This reference, read with other elements of the document, suggests that the Bank had in mind that it could influence AUSTRAC to require the Bank to give an enforceable undertaking rather than proceeding down the path of civil penalty proceedings (notwithstanding the reservation expressed in Ms Watson’s email of 8 March 2017 (see [309] above)). Another part of the document looks to the possibility that another preferred outcome would be the appointment of an external auditor. Read as a whole, the document shows that the Bank believed that there was, indeed, a prospect of influencing AUSTRAC’s thinking as to the course it could follow.

319    Mr Narev gave evidence of the discussion at the meeting. After recounting statements made by Mr Jevtovic and Mr Clark about the general nature of the engagement between the Bank and AUSTRAC, Mr Narev gave this evidence of the discussion:

Mr Jevtovic:    We have been looking into the information which CBA had been providing to us, and we have found some other things beyond the non-reporting of the TTRs. As recently as January, something happened that concerned us. We are looking into possible failures to lodge reports, submit reports linked to investigations, do some on­going customer due diligence, and undertake adequate risk assessment of the IDMs.

    We think this is serious because of the scale of the IDMs, which should have prompted an earlier risk assessment than what was undertaken in mid-2016. Internal advice had highlighted the risk of IDMs.

    I wonder whether CBA's investment has necessarily been in the right place. We think accounts have remained open without follow-up. We also think that CBA’s SMR policy may contradict the Act. There is a written policy which suggests that once SMRs had been submitted, further SMRs did not need to be.

    In terms of next steps, AUSTRAC is going to take an evidence-based approach. The options for us are an external auditor, a remedial direction, seeking an Enforceable Undertaking, or instituting civil penalty proceedings.

    We think it will take approximately one more month until we decide which path we want to follow.

    As we consider our options, CBA’s leadership approach will be critical. This is the first time that a Chair and CEO have ever come personally to AUSTRAC, and that makes a difference. We are also very encouraged by Philippa’s leadership and her relationship with Peter.

Ms Livingstone:     I have met with Paul prior to this meeting, on matters unrelated to these issues.

    We acknowledge that the issues you are now raising are serious, and that CBA needs to do better.

    We do think it is important that the path forward be constructive. Beyond the regulatory issues, there are potential reputational issues that are important to CBA, and it is key to us that it is not portrayed that CBA has a cavalier and disrespectful approach.

    It is clear that this is about systems, policy and capability, not bad intent. Our priority is to make sure this process sticks to the facts.

Mr Jevtovic:    We are not interested in adding to “bank bashing”, and in fact all the major banks have been important and constructive partners for us.

    We will give you advance notice once we have decided what path to go down. We will definitely not do anything without telling CBA first, and we'll allow CBA time to consider what AUSTRAC is going to do.

    The work that CBA has done in recent times will be instrumental in shaping AUSTRAC’s thinking about which path it will take.

Ms Livingstone:     We will have Philippa Watson articulate CBA's vision today and walk that over.

320    Mr Narev’s evidence in this regard was not challenged substantively in cross-examination. I note that, consistently with Mr Jevtovic’s advice to Ms Livingstone at their meeting on 30 January 2017, and the indication given at the meeting on 7 March 2017 between AUSTRAC and Ms Watson and Mr Keaney, AUSTRAC was still referring to “options” which not only included civil penalty proceedings, but other regulatory action which was available to it. In cross-examination, Mr Narev accepted that it was fair to say (apparently based on his understanding of the matter) that AUSTRAC was seriously considering all options, including civil penalty proceedings. Even so, Mr Jevtovic had made it clear that AUSTRAC had not made a decision about “the path we want to follow”. He had also made it clear that AUSTRAC would give the Bank “advance notice once we have decided what path to go down” and provide the Bank with an opportunity to consider what AUSTRAC was going to do.

321    Although Mr Narev did not deploy the idea of agreeing to an outcome with AUSTRAC that involved the bank paying a “fine”, he was cross-examined on his preparation of the first draft of the script. Mr Narev accepted that, at that time, his thinking was that it was “highly likely”, but not inevitable, that AUSTRAC would be seeking a “fine” from the Bank.

322    On 27 March 2017, Ms Watson sent a letter to Mr Clark referring to the meeting with Mr Narev and Ms Livingstone on 21 March 2017. The letter affirmed the Bank’s commitment to combatting financial crime and advised on key enhancements the Bank had made to the way in which it managed its AML/CTF obligations and the actions it had taken to address specific concerns that had been raised by AUSTRAC through the statutory notices. The letter also spoke of the steps that the Bank had taken to strengthen its “AML/CTF capability”.

Mr Jevtovic leaves AUSTRAC

323    On 13 April 2017, it was announced that Mr Jevtovic was leaving AUSTRAC. In a departing public statement, Mr Jevtovic said:

I want to also acknowledge the strong support for our vision received from industry, particularly CBA, NAB, Westpac, ANZ, Western Union, PayPal and Thomson Reuters, as well as partners in academia, non-government organisations and the community.

324     On that day Ms Watson sent an email to Mr Craig, saying:

As you see, some positive statements about CBA. I connected with Peter Clarke (sic) (the acting CEO) on a separate issue prior to this announcement and received a warm note back, signed “cheers” so perhaps all the effort we have made to build the relationship with AUSTRAC is starting to pay off. Time will tell. We still need to get the enhancement work done as a priority, so we’re driving that.

325    Mr Craig forwarded this email to Mr Narev. Mr Craig’s accompanying message to Mr Narev included the following:

Philippa has developed an excellent relationship with Peter Clarke (sic) and has accepted his invitation to attend a Conference that he is co-leading in Moscow in a couple of week’s time.

326    From that time, up to 3 August 2017, there were no substantive updates from AUSTRAC. However, on 13 April 2017, the Bank did respond to a request from AUSTRAC (made on 1 March 2017) for further information in relation to two matters arising from the Bank’s responses to the first and third statutory notices (issued on 22 June 2016 and 14 October 2016, respectively) in respect of the account monitoring failure issue.

327    Also, on 22 June 2017, Ms Watson had a telephone discussion with the Acting Deputy CEO of AUSTRAC and Head of Enforcement on a range of matters. The call was initiated by Ms Watson. In an email to Mr Craig on that day, Ms Watson said:

We explained that the call was very much in the spirit of wanting to maintain an open dialogue and to demonstrate our commitment to building a trust-based relationship where an early “heads up” on matters reinforces the relationship.

328    As to this communication, Ms Watson said: “All in all, it was a good call”. Ms Watson reported that, in the call, she raised the “TTR/IDM Issue” but was told that “things had slowed at AUSTRAC”. The indication was given to Ms Watson that AUSTRAC was hoping to inform the Bank of its deliberations “by late July”.

329    Mr Narev forwarded Ms Watson’s email to Ms Livingstone, saying:

A good update; and a sign that the relationship management is good. Though of course the risks all remain.

330    In his evidence, Mr Narev described his reaction to Ms Watson’s email as one of “cautious optimism”. He said:

I thought AUSTRAC was likely in a period of disorganisation following the announcement of Mr Jevtovic’s departure, and that there was likely to be a further period before AUSTRAC made any decision about CBA. It seemed to me that there continued to be a very constructive relationship between the two organisations, and while I was aware AUSTRAC still needed to make a decision on its approach, I thought this was a good update from CBA’s perspective, but was not a cause for complacency.

331    On 23 June 2017, Mr Narev had a meeting with the Minister for Justice and Minister Assisting the Prime Minister on Counter Terrorism, the Honourable Michael Keenan. Mr Narev wanted to meet Mr Keenan prior to any further developments with AUSTRAC. In an email (which included Mr Craig and Ms Watson as recipients), Mr Narev described the meeting as “very valuable” and reported:

… Key points are as follows:

-        The Minister is aware of Austrac’s investigations

-        This is very much Austrac’s process, ie he does not expect to have significant involvement

-        He has heard directly that Austrac considers us to have a partnership approach. He noted specifically that he was made aware that Catherine and I had made the effort to go and visit

-        In that sense it was considered a different type of issue than Tabcorp

-        Although of course there is currently a leadership change, he believes these views are shared by the level below Paul as well, ie the key acting leaders.

Whilst of course this does not alter the seriousness with which we should take all this, nor remove the risk, it does show that the approach we are taking in our interactions is unquestionably the right one.

The Bank develops a communications strategy on a “worst case scenario”

332    By 22 March 2017, Project Concord had reached the stage of formulating a communications strategy should AUSTRAC commence proceedings against the Bank, described as a “worst case scenario”. The strategy was based on the events attending the Tabcorp proceeding. It also focused on AUSTRAC’s investigation of the late TTR issue.

The civil penalty proceeding

AUSTRAC informs the Bank it is commencing proceedings

333    At about 10.18 am on 3 August 2017, Mr Narev received a message that Mr Clark of AUSTRAC needed to speak to him “quite urgently”. Shortly after receiving the message, Mr Narev telephoned Mr Clark, who, according to Mr Narev, said:

AUSTRAC is issuing civil proceedings against CBA in around 15 minutes. We will arrange service of the relevant court documents and this will be followed shortly after by a media release from AUSTRAC.

334    Mr Narev’s response to Mr Clark was:

This is exactly what you said you wouldn’t do.

335    Mr Clark replied:

I hope this doesn’t harm the relationship AUSTRAC has with CBA.

336    I accept that Mr Clark’s message took Mr Narev (and the Bank) by surprise, in that AUSTRAC had informed the Bank on a number of occasions that it would give advance notice of any action it decided to take to enable the Bank to consider its position. No doubt, from the Bank’s perspective, adequate notice would have provided it with the opportunity to make further representations to AUSTRAC.

AUSTRAC announces the commencement of proceedings

337    At 12.26 pm on 3 August 2017, AUSTRAC posted the following Tweet:

338    The Tweet linked to the following media release posted on AUSTRAC’s website:

339    It will be apparent that the media release refers to, sequentially, the IDM ML/TF risk assessment non-compliance issue, the account monitoring failure issue, and the late TTR issue. However, importantly, the media release also refers to two other issues of non-compliance—the Bank’s failure to report suspicious matters (either on time or at all) for transactions totalling over $77 million, and the Bank’s failure to monitor customers even after becoming aware of suspected money laundering or structuring in respect of accounts held with the Bank.

340    The media release also communicated AUSTRAC’s view that, by commencing proceedings against the Bank, it was sending “a clear message” to all reporting entities about “the importance of meeting their AML/CTF obligations”.

341    This media release conveyed significant public censure by AUSTRAC of the Bank’s failings. It conveyed the message that AUSTRAC’s action against the Bank should be taken by other reporting entities as a warning that similar strong action could be expected for like conduct. It included a link to the Concise Statement that AUSTRAC had filed (which is reproduced in Schedule 1 to these reasons).

342    The Concise Statement contains significantly more detail than the media release. Paragraph 6 deals with the IDM ML/TF risk assessment non-compliance issue and para 8 deals with the account monitoring failure issue. However, para 7 refers to another area of alleged non-compliance:

CommBank has not introduced appropriate risk-based systems and controls to mitigate and manage the higher ML/TF risks it reasonably faces by providing designated services through IDMs, contrary to Section 2 of Part A [of the Bank’s AML/CTF Program].

343    Paragraphs 9 and 10 refer to the late TTR issue. However, para 10 includes the following additional information:

… 1,640 of the Late TTRs (totalling about $17.3 million) related to transactions connected with money laundering syndicates being investigated and prosecuted by the Australian Federal Police (AFP) or accounts connected with those investigations. A further 6 of the Late TTRs related to 5 customers who had been assessed by CommBank as posing a potential risk of terrorism or terrorism financing. Two of the Late TTRs were lodged with AUSTRAC on 24 August 2015 and the remaining 53,504 were lodged with AUSTRAC on 24 September 2015.

344    Paragraphs 11 to 14 refer to the Bank’s alleged failure to lodge SMRs and to carry out ongoing due diligence on accounts, even after becoming aware of suspected money laundering and the structuring of accounts:

11.     Suspected money laundering was conducted through CommBank accounts, by way of cash deposits, many through IDMs, followed immediately by international and domestic transfers. Many of the cash deposits were ‘structured’ by customers: that is, deposited in amounts just under the threshold transaction limit to avoid triggering CommBank’s obligation to give a TTR to AUSTRAC. Structuring is an offence under s 142 of the Act.

12.     Despite identifying the pattern of activity on these accounts as suspicious and indicative of money laundering, CommBank repeatedly failed to comply with its obligations to give a suspicious matter report (SMR) to AUSTRAC either at all or within the time required by s 41 of the Act. In part, this was because CommBank adopted a policy not to submit SMRs if the same type of suspicious behaviour had been reported any time within 3 months prior. In other cases, SMRs were not reported because no transaction monitoring alert had been raised, alerts had not been reviewed, or, where alerts had been raised and reviewed, CommBank only partially reported its suspicions. CommBank also failed to lodge SMRs because notifications by law enforcement of unlawful activity were ignored.

13.     Section 36 of the Act requires CommBank to monitor its customers with a view to identifying, mitigating and managing ML/TF risk. CommBank failed to do this, including because in some instances, no transaction monitoring alerts were raised for suspicious activity, and, when alerts were raised, they were not reviewed in a timely manner having regard to ML/TF risk (in many instances, alerts were not reviewed for months after they were raised). In many cases, the accounts the subject of money laundering were not being monitored at all.

14.     Even after suspected money laundering or structuring on CommBank accounts had been brought to CommBank’s attention (by law enforcement or through internal analysis), CommBank did not monitor its customers with a view to mitigating and managing ML/TF risk, including the ongoing ML/TF risks of doing business with these customers. Rather, once suspected money laundering or structuring had been identified on these accounts, CommBank often looked no further than whether or not to submit an SMR. The Rules require mandatory enhanced customer due diligence (ECDD) where a s 41 suspicion is formed. CommBank did not carry out any ECDD on these accounts (such as identifying the source of the customer’s wealth or terminating accounts) either at all or until after several SMRs had been raised. When CommBank terminated accounts, customers were generally given 30 days’ notice. Suspicious transactions were allowed to, and did, continue during the notice period on some of these accounts.

345    The Concise Statement then proceeds to give details of the consequences of the Bank’s failings in relation to the activities of four money laundering syndicates (paras 15 to 29) and a “cuckoo smurfing” syndicate (paras 30 to 34). (“Cuckoo smurfing” is a particular form of money laundering.)

346    Finally, paras 35 to 37 provide other instances of non-compliance by the Bank with its AML/CTF obligations.

347    It will be noted that, even though Mr Clark had told Mr Narev after 10.18 am on 3 August 2017 that AUSTRAC would be commencing proceedings, the Concise Statement had, in fact, been lodged with the Court for filing at 9.39 am on that day. In other words, AUSTRAC had taken steps to commence enforcement proceedings seeking pecuniary penalties against the Bank without prior warning or, indeed, the advance notice that AUSTRAC said that it would give to the Bank when it had arrived at a decision as to the action, if any, it intended to take. Contrary to the expectation that AUSTRAC had engendered, the Bank did not have an opportunity to consider its position in relation to AUSTRAC’s decision. No doubt that consideration would have included whether steps could, or should, be taken by the Bank to attempt to dissuade AUSTRAC from taking its chosen course.

348    I will refer to AUSTRAC’s Tweet, its media release, and the Concise Statement as the 3 August 2017 announcement.

The Bank’s media release

349    On 3 August 2017, the Bank issued the following media release:

Commonwealth Bank today acknowledges that civil proceedings have been brought by the Australian Transaction Reports and Analysis Centre (AUSTRAC). The proceedings relate to deposits made through our Intelligent Deposit Machines from 2012.

We have been in discussions with AUSTRAC for an extended period and have cooperated fully with their requests. Over the same period we have worked to continuously improve our compliance and have kept AUSTRAC abreast of those efforts, which will continue.

We take our regulatory obligations extremely seriously and we are one of the largest reporters to AUSTRAC. On an annual basis we report over four million transactions to AUSTRAC in an effort to identify and combat any suspicious activity as quickly and efficiently as we can.

We have invested more than $230 million in our anti-money laundering compliance and reporting processes and systems, and all of our people are required to complete mandatory training on the Anti-Money Laundering and Counter-Terrorism Financing Act.

Money laundering undermines the integrity of our financial system and impacts the Australian community’s safety and wellbeing. We will always work alongside law enforcement, intelligence agencies and government authorities to identify, disrupt and prevent this type of activity.

We are reviewing the nature of the proceedings and will have more to say on the specific claims in due course.

350    It is noteworthy that the Bank’s media release referred to AUSTRAC’s action against it as relating to “deposits made through our Intelligent Deposit Machines from 2012”. The proceeding commenced by AUSTRAC against the Bank concerned non-compliance that was far more extensive than the late TTR issue. The focus of the Bank’s media release on the late TTR issue reveals the Bank’s perception that this issue was the one that had attracted AUSTRAC’s concern and was the catalyst for AUSTRAC commencing proceedings—not the IDM ML/TF risk assessment non-compliance issue, the account monitoring failure issue, or any other issue.

351    It would seem that the Bank was mistaken in this perception. Much of the Concise Statement was directed to the Bank’s failure to file SMRs, the Bank’s actual awareness of suspicious transactions, and its failure to carry out ongoing due diligence. The Bank’s failure to lodge TTRs is implicated in some of this conduct, but that failure is only an aspect of what was identified by AUSTRAC as more extensive, and condemnatory, conduct by the Bank.

The continuous disclosure case

The market disclosure regime governing the Bank’s obligations of disclosure

352    The Bank is, and was at all times relevant to this proceeding, included in the official list of the financial market operated by the ASX. Its shares are “ED securities” for the purposes of s 111AE of the Corporations Act and are able to be acquired and disposed of by investors on the financial market operated by the ASX.

353    The Bank is, and was at all time relevant to this proceeding, a “disclosing entity” within the meaning of s 111AC(1), and a “listed disclosing entity” within the meaning of s 111AL(1), of the Corporations Act.

354    Section 674(1) of the Corporations Act provides:

Obligation to disclose in accordance with listing rules

(1)     Subsection (2) applies to a listed disclosing entity if provisions of the listing rules of a listing market in relation to that entity require the entity to notify the market operator of information about specified events or matters as they arise for the purpose of the operator making that information available to participants in the market.

355    In turn, s 674(2) (as it applies in the present case) provides:

(2)     If:

(a)     this subsection applies to a listed disclosing entity; and

(b)     the entity has information that those provisions require the entity to notify to the market operator; and

(c)     that information:

(i)    is not generally available; and

(ii)    is information that a reasonable person would expect, if it were generally available, to have a material effect on the price or value of ED securities of the entity;

    the entity must notify the market operator of that information in accordance with those provisions.

    Note 1:     Failure to comply with this subsection is an offence (see subsection 1311(1)).

    Note 2:    This subsection is also a civil penalty provision (see section 1317E). For relief from liability to a civil penalty relating to this subsection, see section 1317S.

    Note 3:     An infringement notice may be issued for an alleged contravention of this subsection, see section 1317DAC.

356    Section 677 of the Corporations Act is a facultative provision. As it applies in the present case, it provides:

For the purposes of sections 674 and 675, a reasonable person would be taken to expect information to have a material effect on the price or value of ED securities of a disclosing entity if the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the ED securities.

357    In Grant-Taylor v Babcock & Brown Ltd (in liquidation) [2016] FCAFC 60; 245 FCR 402 (Babcock & Brown), the Full Court (at [92]) addressed the statutory purposes for the continuous disclosure regime. The Full Court said that the main purpose is to achieve a well-informed market leading to greater investor confidence, with the object of enhancing the integrity and efficiency of capital markets through the timely disclosure of price or market sensitive information. Further, the Full Court (at [93]) observed that ss 674 to 677 of the Corporations Act are remedial or protective legislation. With reference to James Hardie Industries NV v Australian Securities and Investments Commission [2010] NSWCA 332; 274 ALR 85 (James Hardie) the Full Court (at [356]) said that those provisions should be construed beneficially to the investing public, in a manner that gives the fullest relief which the fair meaning of their language allows.

358    The Bank is subject to, and bound by, the Listing Rules of the ASX (the ASX Listing Rules).

359    Rule 3.1 provides that, once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, the entity must immediately tell the ASX that information. In Babcock & Brown at [95], the Full Court said that the “Listing Rule 3.1 concept” should be read as implicitly embracing the elaboration that s 677 of the Corporations Act provides.

360    Exceptionally, however, r 3.1A provides that r 3.1 does not apply to particular information while certain cumulative criteria are satisfied in relation to that information.

361    First, one or more of the following must apply: (a) it would be a breach of a law to disclose the information; (b) the information concerns an incomplete proposal or negotiation; (c) the information comprises matters of supposition or is insufficiently definite to warrant disclosure; (d) the information is generated for the internal management purposes of the entity; or (e) the information is a trade secret.

362    Secondly, the information must be confidential and ASX has not formed the view that the information has ceased to be confidential.

363    Thirdly, a reasonable person would not expect the information to be disclosed.

364    The Bank relies on the r 3.1A exception in respect of each disclosure which the applicants allege that the Bank should have made to the ASX.

The applicants’ case: an overview

365    The applicants’ case is that the Bank has contravened s 674(2) of the Corporations Act by failing to disclose to the ASX during the relevant period, one or more of a number of categories of information, being the pleaded Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information.

366    The applicants contend that there are only two issues in relation to their case on liability.

367    The first issue is whether the Bank “had” the pleaded forms of the information. This involves consideration of whether officers of the Bank were “aware” of the pleaded information in the requisite sense, and whether the ASX Listing Rules required that information to be disclosed.

368    The second issue is whether, assuming the first issue is decided in the applicants’ favour, each category of the pleaded information was material in the sense that a reasonable person would expect it to have a material effect on the price of the Bank’s shares: s 674(2)(c)(ii). As noted above, this is answered affirmatively if the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the Bank’s shares: s 677.

369    The applicants submit that each issue should be answered affirmatively.

The pleaded categories of Information

The Late TTR Information

370    The applicants plead three forms of the Late TTR Information.