Federal Court of Australia

Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477

File numbers:

VID 1085 of 2017

NSD 1158 of 2018

Judgment of:

YATES J

Date of judgment:

10 May 2024

Catchwords:

CORPORATIONS – representative proceeding – listed securities – continuous disclosure obligations – ASX Listing Rules – whether respondent “aware” of certain pleaded information – whether the content of the information as pleaded conforms to the requirements for disclosure under the ASX Listing Rules – whether the information as pleaded, and if generally available, would have a material effect on the price of the securities

COMPETITION AND CONSUMER LAW – misleading or deceptive conduct – whether certain representations were made

CORPORATIONS – disclosure to investors about securities – pro-rata renounceable entitlement offer of new shares to existing shareholders – cleansing notice – whether cleaning notice defective – whether cleansing notice required correction

DAMAGES – causation and loss – market-based causation – alleged loss in the form of artificial share price inflation – whether causation and loss established on the basis of an event study

DAMAGES – assessment – sufficiency of evidence

Legislation:

Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) ss 5, 36, 43, 82, 83, 85, 162, 167, 175, 184, 191, 197, 198, 202

Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth)

Australian Securities and Investments Commission Act 2001 (Cth) ss 12BAA, 12BAB

Banking Act 1959 (Cth)

Competition and Consumer Act 2010 (Cth) s 131A, Sch 2 (Australian Consumer Law) s 18

Corporations Act 2001 (Cth) Ch 6CA, ss 9, 12DA, 111, 111AL, 674 – 677, 708AA, 708A, 764A, 1041H,

Corporations Law (Cth) (repealed) ss 995, 999

Federal Court of Australia Act 1976 (Cth) Pt IVA, s 111AC

Trade Practices Act 1974 (Cth) s 52

Cases cited:

Armory v Delamirie (1722) 1 Stra 505; 93 ER 664

Australian Securities and Investments Commission v Big Star Energy Limited (No 3) [2020] FCA 1442; 389 ALR 17

Australian Securities and Investments Commission v Fortescue Metals Group Ltd (No 5) [2009] FCA 1586; 264 ALR 201

Australian Securities and Investments Commission v Vocation Limited (in liquidation) [2019] FCA 807; 136 ACSR 339

Brunner v Greenslade [1971] Ch 993

Campomar Sociedad, Limitada v Nike International Limited [2000] HCA 12; 202 CLR 45

Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited [2018] FCA 930

Crowley v Worley Limited (No 2) [2023] FCA 1613

Crowley v Worley Limited [2022] FCAFC 33; 293 FCR 438

Cruickshank v Australian Securities and Investments Commission [2022] FCAFC 128; 292 FCR 627

Flogineering Pty Ltd v Blu Logistics SA Pty Ltd (No 3) [2019] FCA 1258; 138 ACSR 172

Grant-Taylor v Babcock & Brown Ltd (in liquidation) [2016] FCAFC 60; 245 FCR 402

James Hardie Industries NV v Australian Securities and Investments Commission [2010] NSWCA 332; 274 ALR 85

Jubilee Mines NL v Riley [2009] WASCA 62; 40 WAR 299

Masters v Lombe (Liquidator); In the Matter of Babcock & Brown Limited (In Liq) [2019] FCA 1720

McFarlane as Trustee for the S McFarlane Superannuation Fund v Insignia Financial Ltd [2023] FCA 1628

National Australia Bank Ltd v Pathway Investments Pty Ltd [2012] VSCA 168; 265 FLR 247

Parkdale Custom Built Furniture Proprietary Limited v Puxu Proprietary Limited [1982] HCA 44; 149 CLR 191

Re HIH Insurance Ltd (in liquidation) [2016] NSWSC 482; 335 ALR 320

Sanda v PTTEP Australasia (Ashmore Cartier) Pty Ltd (No 7) [2021] FCA 237

Self Care IP Holdings Pty Ltd v Allergan Australia Pty Ltd [2023] HCA 8; 408 ALR 195

Taco Bell Pty Limited v Taco Company of Australia Inc [1982] FCA 170; 42 ALR 177

The Commonwealth of Australia v Amann Aviation Pty Limited [1991] HCA 54; 174 CLR 64

TPT Patrol Pty Ltd, as trustee for Amies Superannuation Fund v Myer Holdings Limited [2019] FCA 1747; 140 ACSR 38

Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited [2018] FCA 659

Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 2) [2019] FCA 1061

Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 3) [2022] FCA 1323

Division:

General Division

Registry:

New South Wales

National Practice Area:

Commercial and Corporations

Sub-area:

Commercial Contracts, Banking, Finance and Insurance

Number of paragraphs:

1265

Date of last submissions:

9 February 2024 (respondent)

16 February 2024 (applicants)

20 February 2024 (respondent)

Date of hearing:

7 November 2022 22 November 2022

29 November 2022 1 December 2022

5 December 2022

12 December 2022 14 December 2022

Counsel for the Applicants in VID 1085 of 2017 and NSD 1158 of 2018:

Mr J Stoljar SC

Mr W Edwards KC

Mr D Fahey

Ms S Chordia

Solicitor for the Applicant in VID 1085 of 2017:

Maurice Blackburn

Solicitor for the Applicants in NSD 1158 of 2018:

Phi Finney McDonald

Counsel for the Respondent in VID 1085 of 2017 and NSD 1158 of 2018:

Mr N Hutley SC

Ms E Collins SC

Mr I Ahmed

Mr T Kane

Ms A llic

Solicitor for the Respondent in VID 1085 of 2017 and NSD 1158 of 2018:

Herbert Smith Freehills

ORDERS

VID 1085 of 2017

BETWEEN:

ZONIA HOLDINGS PTY LTD (ACN 008 565 286)

Applicant

AND:

COMMONWEALTH BANK OF AUSTRALIA LIMITED (ACN 123 123 124)

Respondent

order made by:

YATES J

DATE OF ORDER:

10 May 2024

THE COURT ORDERS THAT:

1.    In the event that agreement can be reached on the form of the orders that should be made, and the answers to the common questions that should be given, in light of the reasons for judgment published as Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477 (the reasons for judgment), the parties provide a draft of the orders and the answers, which they propose, to the Associate to Yates J on or before 4.00 pm on 24 May 2024.

2.    In the event that agreement on the matters referred to in Order 1 cannot be reached, the parties inform the Associate to Yates J, on or before 4.00 pm on 24 May 2024, of the nature and extent of the disagreement between them, whereupon a case management hearing will be appointed to make further directions that are necessary to allow all outstanding matters in dispute to be determined.

3.    Subject to further order, until 5.00 pm on 15 May 2024 the reasons for judgment be published only to the parties and their legal advisers and not be disclosed to any other person.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

ORDERS

NSD 1158 of 2018

BETWEEN:

PHILIP ANTHONY BARON

First Applicant

JOANNE BARON

Second Applicant

AND:

COMMONWEALTH BANK OF AUSTRALIA LIMITED (ACN 123 123 124)

Respondent

order made by:

YATES J

DATE OF ORDER:

10 May 2024

THE COURT ORDERS THAT:

1.    In the event that agreement can be reached on the form of the orders that should be made, and the answers to the common questions that should be given, in light of the reasons for judgment published as Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 5) [2024] FCA 477 (the reasons for judgment), the parties provide a draft of the orders and the answers, which they propose, to the Associate to Yates J on or before 4.00 pm on 24 May 2024.

2.    In the event that agreement on the matters referred to in Order 1 cannot be reached, the parties inform the Associate to Yates J, on or before 4.00 pm on 24 May 2024, of the nature and extent of the disagreement between them, whereupon a case management hearing will be appointed to make further directions that are necessary to allow all outstanding matters in dispute to be determined.

3.    Subject to further order, until 5.00 pm on 15 May 2024 the reasons for judgment be published only to the parties and their legal advisers and not be disclosed to any other person.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

Introduction

[1]

The proceedings

[9]

The evidence

[14]

The Bank’s lay evidence

[16]

The applicants’ submissions on inferences to be drawn

[37]

The expert evidence

[45]

Background

[49]

The Bank

[49]

AML/CTF legislative regime

[52]

The Bank’s Joint Anti-Money Laundering and Counter-Terrorism Program Part A

[58]

The Group Compliance Risk Management Framework

[61]

The Compliance Incident Management Group Policy

[67]

AUSTRAC’s powers

[71]

The Bank’s dealings with AUSTRAC immediately before the relevant period

[84]

The Bank’s IT environment, processes and procedures

[91]

IDMs

[97]

The Bank’s TTR processes

[105]

Enquiries in 2013

[118]

The Bank’s Financial Crimes Platform

[144]

Audits

[162]

Preliminary observations

[162]

Internal audits

[165]

Transaction Monitoring Program Review Final Report 2011

[170]

The Bank’s Internal Audit Report 2013

[174]

Project Alpha

[196]

APRA Prudential Review Report

[202]

Project Beta

[205]

The Bank’s Internal Audit Report 2015

[209]

Events from mid-July 2015

[222]

The Tabcorp penalty proceeding

[222]

AUSTRAC raises concerns

[224]

Project Nitrogen: The 2015 Entitlement Offer

[228]

Further events concerning the late TTR issue

[250]

Events in 2016

[270]

Board meeting with AUSTRAC on 14 June 2016

[270]

The statutory notices

[273]

The Bank’s internal audit report 2016

[286]

Events in 2017

[290]

Meeting with the AUSTRAC CEO

[290]

The development of Project Concord

[299]

The settlement of the Tabcorp proceeding

[302]

7 March 2017 meeting with AUSTRAC

[309]

21 March 2017 meeting with AUSTRAC

[314]

Mr Jevtovic leaves AUSTRAC

[323]

The Bank develops a communications strategy on a “worst case scenario”

[332]

The civil penalty proceeding

[333]

AUSTRAC informs the Bank it is commencing proceedings

[333]

AUSTRAC announces the commencement of proceedings

[337]

The Bank’s media release

[349]

The continuous disclosure case

[352]

The market disclosure regime governing the Bank’s obligations of disclosure

[352]

The applicants’ case: an overview

[365]

The pleaded categories of Information

[370]

The Late TTR Information

[370]

The June 2014 Late TTR Information

[371]

The August 2015 Late TTR Information

[372]

The September 2015 Late TTR Information

[373]

The Account Monitoring Failure Information

[374]

The June 2014 Account Monitoring Failure Information

[375]

The August 2015 Account Monitoring Failure Information

[376]

The September 2015 Account Monitoring Failure Information

[377]

The IDM ML/TF Risk Assessment Non-Compliance Information

[378]

The June 2014 IDM ML/TF Risk Assessment Non-Compliance Information

[379]

The August 2015 IDM ML/TF Risk Assessment Non-Compliance Information

[380]

The Potential Penalty Information

[381]

The significance of the applicants’ pleading

[382]

Was the Bank “aware” of the relevant information?

[392]

Legal principles

[392]

The Late TTR Information: the applicants’ submissions

[399]

The Late TTR Information: analysis

[434]

The Account Monitoring Failure Information

[478]

The Account Monitoring Failure Information

[489]

The IDM ML/TF Risk Assessment Non-Compliance Information

[502]

The IDM ML/TF Risk Assessment Non-Compliance Information

[514]

Potential Penalty Information: the applicants’ submissions

[532]

Potential Penalty Information: analysis

[554]

Conclusion

[566]

The completeness and accuracy of the pleaded information

[568]

Legal principles

[568]

The Late TTR Information

[577]

The Account Monitoring Failure Information

[596]

The IDM ML/TF Risk Assessment Non-Compliance Information

[607]

The Potential Penalty Information

[618]

Conclusion

[631]

The rule 3.1A exception

[632]

Legal principles

[632]

The Bank’s submissions

[634]

Analysis

[639]

Materiality

[650]

Introduction

[650]

Legal principles

[652]

Investor decision-making

[665]

The evidence of Professor da Silva Rosa

[666]

The evidence of Mr Johnston

[679]

The evidence of Mr Singer

[687]

Materiality: The Late TTR Information

[710]

The applicants’ submissions

[710]

Serious non-compliance

[712]

Reputational damage

[720]

The perception of the risk of regulatory action

[725]

The cost of remediation

[727]

The expert evidence

[728]

Professor da Silva Rosa

[730]

Mr Johnston

[738]

Mr Ali

[756]

Mr Singer

[777]

Dr Unni

[813]

Other evidence

[836]

The Lieser paper

[836]

Case studies

[842]

The Westpac case study

[845]

The NAB case study

[856]

Media and analysts’ reports

[874]

The beta analysis

[889]

Materiality: The account monitoring failure information and the IDM ML/TF Risk Assessment Non-Compliance Information

[901]

The applicants’ submissions

[901]

Professor da Silva Rosa

[903]

Mr Johnston

[904]

Mr Ali

[907]

Mr Singer

[915]

Dr Unni

[922]

Materiality: Potential Penalty Information

[923]

Materiality: Analysis

[942]

The significance of the market reaction to the 3 August 2017 announcement

[942]

Consideration of Professor da Silva Rosa’s evidence

[953]

The IDM ML/TF Risk Assessment Non-Compliance Information

[953]

The Late TTR Information

[957]

The Account Monitoring Failure Information

[973]

The Potential Penalty Information

[979]

Consideration of Mr Johnston’s evidence

[985]

Consideration of the other evidence

[992]

The materiality of the information of which the Bank was “aware”

[1021]

Conclusion

[1030]

The case on misleading or deceptive conduct

[1032]

Introduction

[1032]

The alleged representations

[1042]

The applicants’ submissions

[1054]

Analysis

[1064]

The Compliance Representations

[1064]

The Continuous Disclosure Representation

[1089]

Conclusion

[1097]

The 2015 Cleansing Notice

[1098]

The applicants’ case

[1098]

Analysis

[1108]

Conclusion

[1119]

The case on causation and loss

[1120]

Overview

[1120]

Market-based causation

[1137]

Professor Easton’s event study

[1165]

The applicants’ submissions

[1198]

Pathway 1A

[1198]

Pathway 1B

[1204]

Pathway 1C

[1207]

Pathways 2A, 2B, and 2C

[1208]

2015 Entitlement Offer alternative pathway

[1209]

Analysis

[1211]

Pathway 1A

[1212]

Pathway 1B

[1231]

Pathway 1C

[1235]

Pathways 2A, 2B, and 2C

[1236]

2015 Entitlement Offer alternative pathway

[1238]

Conclusion

[1245]

Damages

[1246]

Further submissions

[1259]

Disposition

[1264]

Schedule 1

YATES J:

Introduction

1    On 3 August 2017, the Chief Executive Officer (CEO) of the Australian Transaction Reports and Analysis Centre (AUSTRAC) commenced a proceeding against the respondent, Commonwealth Bank of Australia Limited (the Bank), for civil penalties and other relief (the civil penalty proceeding) because the Bank failed to comply with its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act). As events transpired, the Bank made various admissions of contravention for the purposes of that proceeding. On 20 June 2018, the Court granted declarations in relation to the Bank’s contraventions and imposed a pecuniary penalty pursuant to s 175(1) of the AML/CTF Act in the sum of $700 million: Chief Executive Officer of the Australian Transaction Reports and Analysis Centre v Commonwealth Bank of Australia Limited [2018] FCA 930.

2    The present proceedings concern events and circumstances that gave rise, in part, to the civil penalty proceeding. They are, however, separate from the civil penalty proceeding and involve markedly different questions of legal liability.

3    The applicants allege that the Bank breached its obligations of continuous disclosure under Ch 6CA of the Corporations Act 2001 (Cth) (the Corporations Act)—specifically, s 674(2)—because, in the period 16 June 2014 and 1.00 pm on 3 August 2017 (the relevant period), it had information relating to some of (what were later found to be) its contraventions of the AML/CTF Act which it did not disclose to the market operated by the Australian Securities Exchange (the ASX) on which its shares (CBA shares) were traded. This information, which the applicants plead in various forms, is conveniently categorised as the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information. The applicants allege that the Bank was required by r 3.1 of the ASX Listing Rules to disclose this information. They allege, further, that, had this information (or a combination of it) been disclosed, it would have had a material effect on the market price of CBA shares.

4    Relatedly, the applicants allege that, throughout the relevant period, the Bank engaged in misleading or deceptive conduct on a continuous basis by publishing, and failing to correct or modify, various representations. These representations included representations to the effect that the Bank had in place effective policies, procedures, and systems to ensure its compliance with relevant regulatory requirements, and with its continuous disclosure obligations.

5    The applicants contend that these representations were misleading or deceptive because the Bank did not have effective policies, procedures, and systems in place to ensure compliance with the AML/CTF Act or to ensure compliance with its continuous disclosure obligations under Ch 6CA of the Corporations Act. The applicants allege that, by engaging in this conduct, the Bank contravened s 1041H(1) of the Corporations Act, s 12DA(1) of the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act) and, or alternatively, s 18(1) of Sch 2 to the Competition and Consumer Act 2010 (Cth) (the Australian Consumer Law).

6    Further, the applicants allege that, in connection with a pro-rata renounceable entitlement offer of new CBA shares that was made to shareholders in September and October 2015 to raise $5 billion in capital (the 2015 Entitlement Offer), the Bank issued a cleansing notice that was defective within the meaning of s 708AA(11), and which was not corrected as required by s 708AA(10), of the Corporations Act.

7    The applicants allege that, because the Bank did not comply with its continuous disclosure obligations as it should have done, or because the Bank engaged in misleading or deceptive conduct, or because the Bank issued and did not correct an allegedly defective cleansing notice, CBA shares traded on the ASX at an artificially inflated price (i.e., at a price above the price that a properly informed market would have set). They contend that they acquired CBA shares in that inflated market and, as a consequence, paid too much for them. They seek to recover, by way of damages, the amount of that inflation or an amount referable to that inflation.

8    For the reasons that follow, I have concluded that the applicants’ case against the Bank fails at a number of levels.

The proceedings

9    There are two proceedings before the Court that have been commenced under Pt IVA of the Federal Court of Australia Act 1976 (Cth).

10    The first proceeding is Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited: VID 1085 of 2017 (the Zonia proceeding). The second proceeding is Philip Anthony Baron and Joanne Baron v Commonwealth Bank of Australia Limited: NSD 1158 of 2018 (the Baron proceeding). The Zonia proceeding was commenced as an “open” class action. The Baron proceeding was commenced as a “closed” class action (whose Group Members are those who had signed a funding agreement with Therium Australia Limited at the commencement of that proceeding).

11    For some time, the two proceedings were case-managed together. After a significant period of conferral between the applicants in each proceeding, interlocutory applications were filed seeking orders that the two proceedings be consolidated. This proposal was abandoned before the interlocutory applications were heard. The interlocutory applications were then amended, with leave, to seek (what were called) Cooperative Case Management orders. These orders were made over the Bank’s opposition on 10 July 2019: Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 2) [2019] FCA 1061.

12    Amongst other things, the Cooperative Case Management orders provided for the filing of harmonised pleadings to ensure that the allegations against the Bank in each proceeding were substantially the same. The orders also provided that one set of counsel be briefed to represent the applicants and Group Members in each proceeding.

13    As a consequence, one case was presented against the Bank at the hearing. In these reasons, I have referred to this case as “the applicants’ case”. I have drawn distinctions between the applicants only when it has been necessary to do so. I have also referred to the final amended, but nevertheless harmonised, versions of the statements of claim filed by the applicants in their respective proceedings as, simply, “the statement of claim and the defences filed by the Bank as “the defence”.

The evidence

14    The applicants’ case was advanced through documentary tenders and expert evidence.

15    The Bank’s case was advanced through documentary tenders, lay evidence, and expert evidence responding to the applicants’ expert evidence.

The Bank’s lay evidence

16    As to the lay evidence, the Bank read affidavits by:

(a)    Ian Mark Narev, who was the Managing Director and CEO of the Bank and its related corporate entities (together, the Group) from 1 December 2011 until 8 April 2018;

(b)    Shirish Moreshwar Apte, who was, at relevant times, a non-executive director of the Bank and a member of the Risk Committee and the Audit Committee (both Board committees);

(c)    Mark Andrew Worthington, who was, from July 2010 to 31 March 2019, the Executive General Manager of Group Audit and Assurance (Group Audit) for the Bank (i.e., the internal Group Auditor); and

(d)    David Antony Keith Cohen, who was, at the time of hearing, the Bank’s Deputy CEO. From February 2012 to June 2016, he was the Group’s General Counsel and Group Executive (Group Corporate Affairs). From July 2016 to November 2018, he was the Group’s Chief Risk Officer (CRO).

17    These deponents were cross-examined.

18    The Bank also read affidavits by Gopal Jana, Justin Jun-Ting Lee, Leisa Nicole Zaharis, Craig Bruce Woodburn, Prathish Jose, and Nada Novakovic, all of whom, at the time of the hearing, were employees of the Bank, and affidavits from Bryony Kate Adams, a partner in Herbert Smith Freehills, the solicitors for the Bank. These deponents were not cross-examined.

19    The Bank expected to read an affidavit by Sir David Hartmann Higgins who was, at relevant times, a non-executive director of the Bank and a member of Board committees, including the Risk Committee (from April 2016 until his retirement from the Board on 31 December 2019) and the Audit Committee (from October 2014 until March 2016). However, following my refusal of the Bank’s application to permit him to give oral evidence by audio-visual link (Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited (No 3) [2022] FCA 1323), Sir David’s affidavit was not read.

20    The applicants advance a number of submissions criticising the evidence given by Mr Narev, Mr Apte, Mr Worthington, and Mr Cohen.

21    The applicants contend that Mr Narev’s affidavit evidence provided “a selective account of events” that was “an elaborately crafted artifice”. In closing submissions, they compared various passages in Mr Narev’s affidavit with various passages in the transcript of his cross-examination in an endeavour to demonstrate what they saw to be inconsistencies in his evidence. The applicants went so far as to contend that Mr Narev’s affidavit was “never a true or accurate reflection of his recollection of events or state of mind during the Relevant Period”.

22    I do not accept these submissions. I do not consider the applicants’ criticisms to be warranted. I found Mr Narev to be a sound witness who, in cross-examination, was prepared to revisit his affidavit and accept various propositions put to him. Generally speaking, I do not think that any matters of substance arose in the course of Mr Narev’s cross-examination that revealed material inconsistencies with the matters to which he had deposed in his affidavit. On the whole, I accept Mr Narev’s evidence.

23    The applicants contend that Mr Apte “had no genuine recollection of, or was not involved in, significant events during the Relevant Period”. They contend that Mr Apte “did not appear to possess any memory of significant events immediately prior to or during the Relevant Period”. They contend, further, that the opinions expressed by Mr Apte in his affidavit were “nothing more than self-serving submissions constructed after the fact”.

24    I do not accept these submissions. Indeed, I think the applicants’ criticisms of Mr Apte’s evidence are unfair. I found Mr Apte to be a careful witness who attended to the detail of the questions put to him in cross-examination. I do not accept that he did not have, or did not appear to have, a memory of significant events during the time that he was a director of the Bank. I do not think that Mr Apte is to be criticised for making clear the limits of his memory of events that occurred a significant number of years before the hearing. Moreover, I do not consider it to be unusual that, as a non-executive director of the Bank, Mr Apte did not profess to have knowledge of some matters of detail that were put to him. On some occasions, Mr Apte made clear that he was not prepared to speculate on what his state of mind would have been on matters of which he had no actual knowledge. This, however, indicates the care with which Mr Apte attended to the questions put to him. On the whole, I accept Mr Apte’s evidence.

25    The applicants contend that Mr Worthington’s evidence had “little, if any, relevance to the issues in dispute in this proceeding” and that there were “inconsistencies between [his] affidavit and oral testimony”. The applicants contend that Mr Worthington was “a wholly unimpressive witness” whose evidence should be disregarded.

26    I do not accept these submissions. I do not accept that Mr Worthington was “a wholly unimpressive witness” and do not understand why his evidence should be characterised as such. Mr Worthington’s evidence was relevant and informative and, on the whole, I accept it.

27    The applicants contend that Mr Cohen’s affidavit was “a carefully constructed artifice that did not withstand scrutiny during cross-examination”. The applicants contend that because of “significant and numerous contradictions” revealed in Mr Cohen’s cross-examination and “his frequently convoluted accounts in the witness box”, the Court should not have any confidence in the reliability or truthfulness of [his] evidence” which, according to the applicants, the Court should set aside save where Mr Cohen made admissions against the Bank’s interests.

28    I accept that there were some concerning aspects of Mr Cohen’s evidence. One such aspect was Mr Cohen’s account of when he first learned of the late TTR issue—a significant matter discussed in greater detail below. In his oral evidence in chief, Mr Cohen corrected the statement he had made in his affidavit (to the effect that he became aware of this issue in October 2015). Mr Cohen said that, in preparing to give his oral evidence, it had become apparent to him that he had received a copy of a 6 September 2015 email referring to this issue and that a verbal disclosure of the issue was also made by Mr Toevs at a meeting of the Bank’s Executive Committee on 17 September 2015 (Mr Cohen said that he had mistakenly thought that this disclosure had been made verbally by Mr Toevs at an Executive Committee meeting on 8 October 2015, but Mr Cohen later realised that Mr Toevs was not in attendance at that meeting).

29    In his oral evidence in chief, Mr Cohen said that he wanted to draw attention to these matters because his affidavit “might give the impression that the very first time I heard of the TTR issue was in October 2015”. In that assessment, Mr Cohen was correct. I think this is how his affidavit reads.

30    When cross-examined on the correction, Mr Cohen maintained that his affidavit evidence was still correct because, in October 2015, he became aware that, in August 2015, the Bank had (as he said in his affidavit) identified “an error which had resulted in more than 50,000 threshold transaction reports … not being submitted to AUSTRAC through [the Bank’s] intelligent deposit machines … within the required 10 day time frame …”. In other words, although he had recently come to accept that he had had earlier knowledge of the late TTR issue, Mr Cohen only learned of the number of late TTRs in October 2015 and, to this extent, his affidavit was correct.

31    Mr Cohen was cross-examined on the truthfulness of the last-mentioned explanation. In closing submissions, his explanation was at the forefront of the applicants’ contention that his evidence was unsatisfactory, and that his explanation had cast “doubt on both the accuracy of his recollections and his capacity to provide truthful evidence under oath”.

32    I am not persuaded that Mr Cohen was being untruthful in defending his affidavit evidence. However, on this matter, I think that Mr Cohen’s affidavit evidence was inadvertently incomplete on an important issue. Although Mr Cohen’s affidavit evidence on this topic was not critical to establishing the Bank’s awareness of the late TTR issue (because the Bank’s own evidence was that Mr Narev and Mr Comyn were aware of that issue by 6 September 2015 at the latest), it was important in relation to events concerning the 2015 Entitlement Offer—another significant matter discussed in greater detail below. Uncorrected, the effect of Mr Cohen’s affidavit was that, as Chairman of the due diligence committee appointed to oversee the 2015 Entitlement Offer, he did not know of the late TTR issue until after the final meeting of the committee on 17 September 2015 (the day before the shares under the offer were issued). Mr Cohen’s inadvertence on this matter leads me to treat his evidence with some care on other topics he addressed.

33    The applicants also criticise Mr Cohen for the lateness of his correction. However, ultimately, nothing turns on this. I do not think it fell to Mr Cohen to decide when the correction to his affidavit should have been communicated to the applicants’ legal representatives.

34    The applicants also submit that Mr Cohen’s explanation for his correction was “conflicting, incoherent and garbled”. I do not accept that submission. Mr Cohen’s explanation was clear.

35    The applicants also criticise Mr Cohen’s evidence that, as at 24 April 2017, the Bank’s Executive Committee did not have sufficient information to warrant disclosure to the market of AUSTRAC’s investigation into the Bank’s non-compliance with the AML/CTF Act. In his affidavit, Mr Cohen provided reasons for that view. The applicants submit that, in cross-examination, Mr Cohen contradicted the reasons he had given. I am not persuaded that Mr Cohen’s affidavit evidence was contradicted by his oral evidence in cross-examination. That said, the cross-examination did assist in putting Mr Cohen’s affidavit evidence, on that topic, in context.

36    There are some other aspects of Mr Cohen’s evidence on which I will comment in later paragraphs of these reasons. However, for present purposes it is sufficient for me to state that I do not accept that Mr Cohen’s affidavit was “a carefully constructed artifice” or that, in cross-examination, he made “significant and numerous contradictions” or “frequently convoluted accounts in the witness box”. Further, even though some aspects of Mr Cohen’s evidence were qualified in cross-examination, I do not accept that I should set aside his evidence as unreliable or untruthful. On the whole, I found him to be a satisfactory witness although, as I will later explain, I do not accept all his evidence.

The applicants’ submissions on inferences to be drawn

37    The applicants also contend that I should draw inferences that are adverse to the Bank’s interests because of its failure to call certain witnesses. As a general observation, it is not clear to me what these witnesses could have added to what is already apparent from the extensive documentary record that is before the Court.

38    For example, the applicants point to the fact that the Bank did not call certain employees who (they say) could have given evidence concerning the late TTR issue in relation to events in 2013. I deal with these events in later sections of these reasons. In my view, the documentary record is clear. As will become apparent, my interpretation of that record does not accord with the applicants’ interpretation. Therefore, I do not draw the inferences that the applicants say I should draw simply because the Bank did not call these employees to give evidence.

39    The applicants submit that I should draw certain inferences because the Bank did not call Mr Comyn as a witness (in the relevant period, Mr Comyn was the Group Executive for Retail Banking Services). However, the documentary record (as it relates to communications to and from Mr Comyn, or with which Mr Comyn was copied) is clear. The applicants do not suggest that the record is incomplete or contrived. The Bank does not suggest that Mr Comyn had an understanding of events that differs from the documentary record. There is, therefore, no reason why I should not take these communications at face value.

40    The applicants submit that I should infer that Mr Comyn was aware from October 2015 that “norisk assessment had been completed since May 2012” in respect of the Bank’s Intelligent Deposit Machines (IDMs) (as to which see [60] and [97] – [104] below). I am not prepared to draw an inference that adds to the evidence in that way. Even so, I do not see how this submission advances the applicants’ case because, as I will later explain, it is not in doubt that the Bank knew in October 2015 that a separate risk assessment had not been carried out when IDMs were introduced in 2012.

41    The applicants also submit that I should infer that Mr Comyn was aware of the seriousness of certain matters communicated to him in emails of 23 June 2016 and 13 July 2016 in relation to a (first) notice given to the Bank under s 167 of the AML/CTF Act seeking the production of information and documents, and in an email dated 7 March 2017 relating to the outcome of a meeting between two employees of the Bank and AUSTRAC. Once again, the content of the emails is clear on the face of the documents themselves, and the Bank does not suggest that Mr Comyn had any view that differed from what the emails clearly say.

42    The applicants submit, further, that I should infer that Mr Comyn knew of, and was kept abreast of, an undertaking within the Bank called Project Concord and that Mr Comyn was concerned to manage reputational damage from the public disclosure of “AML issues” by AUSTRAC, “including by way of a penalty proceeding”. Once again, I am not prepared to make an inference that adds to the evidence in that way. In any event, the evidence establishes, independently, that officers of the Bank knew the details of Project Concord, which is discussed in more detail below.

43    The applicants submit that I should infer that, in light of a proceeding commenced by AUSTRAC against Tab Limited, Tabcorp Holdings Limited, and Tabcorp Wagering (Vic) Pty Ltd (collectively, Tabcorp) (the Tabcorp proceeding), certain officers of the Bank (who were not called as witnesses) were concerned that civil penalty proceedings might also be commenced against the Bank for its breaches of the AML/CTF Act. However, as I will come to explain, the evidence already makes it abundantly clear that the Bank knew of the Tabcorp proceeding and that it was possible that civil penalty proceedings could also be commenced against it. Equally, the evidence makes it clear that AUSTRAC had informed the Bank on a number of occasions prior to 3 August 2017 that, if enforcement action were to be taken against the Bank: (a) AUSTRAC had a number of options available to it; (b) that AUSTRAC had made no decision on the question of enforcement action (including what, if any, enforcement option it might take); and (c) that AUSTRAC would give notice to the Bank before taking any enforcement action.

44    The applicants submit that I should draw certain inferences because the Bank did not call Ms Livingstone, the Bank’s former Chair, as a witness. Again, I am not prepared to draw inferences that add to the evidence in the way that the applicants suggest. The documents on which they relya transcript of part of Ms Livingstone’s evidence to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Financial Services Royal Commission) and a copy of Ms Livingstone’s file note of a meeting with Mr Jevtovic on 30 January 2017, also discussed beloware in evidence and speak for themselves.

The expert evidence

45    Expert evidence was given through the tender of expert reports (including joint reports) and orally in concurrent expert evidence sessions in which each of the participants was cross-examined.

46    The applicants called expert evidence from:

(a)    Professor Raymond da Silva Rosa, who is a Professor of Finance at the University of Western Australia’s Business School. He is the Chair of the University’s Academic Board and Council, a member of the Senate of the University, and a past-President of the Accounting and Finance Association of Australia and New Zealand. He has expertise in studying investor behaviour. He has co-authored research on the impact of Australia’s continuous disclosure regime. He has also undertaken and published, in both academic and industry refereed journals, research on the appropriate way to measure investor reaction to corporate events, such as takeover announcements and the publication of substantial shareholder notices. He has lectured on Behavioural Finance (how psychology and economics explain investor behaviour).

(b)    Mr Rowan Johnston, who has expertise in arranging, managing, underwriting, and advising on share issues and engaging with market participants via a corporate advisory role. From 1987 to 2002, Mr Johnston worked at Deutsche Bank AG in Sydney and Hong Kong in Corporate Finance and then Equity Capital Markets, including some five or six years as Joint Head or Head of Equity Capital Markets in Australia. From 2003 to 2014, Mr Johnston worked at Greenhill (formerly called Caliburn Partnership Pty Ltd) with a focus on advising on capital raisings and sell-downs. Mr Johnston was formerly a corporate lawyer.

(c)    Professor Peter Easton, who is the Notre Dame Alumni Professor of Accountancy and Director of the Center of Accounting Research and Education at the Mendoza College of Business at the University of Notre Dame in the United States of America. Professor Easton has held a number of other academic positions in Australian and overseas universities. Over the past 40 years, his research has focused on the role of information in securities valuation and investors’ decision-making. He has published numerous articles in peer-reviewed academic journals and several textbooks on these subjects. He has also served as editor of a number of peer-reviewed journals. His teaching, as well as a large part of his consulting activities, has involved the detailed analysis of complex accounting and valuation issues, forecasting future financial statements, determining the feasibility of investment opportunities, and exploring the link between financial statements and the value and viability of the underlying entity.

(d)    Mr Howard Elliot, who has expertise in the design and development of IT systems.

47    The Bank called expert evidence from:

(a)    Dr Sanjay Unni, who is a former academic with more than 30 years’ experience. He has taught at the University of California, Berkeley, the University of Strathclyde, Glasgow, the University of Texas, and Southern Methodist University. He is the Managing Director of the Berkley Research Group. Dr Unni has expertise as a financial economist.

(b)    Mr Mozammel Ali who is a former investment banker with more than 25 years’ experience in the financial services industry. He was a senior executive in the Corporate Finance division of Deutsche Bank AG, including in the Financial Institutions Group and the Capital Markets and Treasury Solutions team. He was also Head of Capital Solutions. Before then he was employed by Citibank advising on mergers and acquisitions, and capital raising transactions. Mr Ali has expertise in equity capital markets.

(c)    Mr David Singer, who is a former investment banker with more than 25 years’ experience. Mr Singer was the Managing Director and Head of Sales Trading at UBS Securities Australia. In that employment, he was active in the market speaking to investors, trading shares (including CBA shares) and making assessments on a day-to-day basis as to the information that was material to investors’ decisions.

(d)    Mr Shane Bell, who is a partner in McGrathNicol. Mr Bell is a technology and cybersecurity expert, and a certified computer examiner.

48    The parties advanced criticisms of the evidence given by the opposing experts. I do not propose to deal with these criticisms seriatim. It is sufficient for me to record that, contrary to some of the submissions that were advanced, I found each expert to be a satisfactory witness whose analysis and opinions provided assistance in elucidating the issues before the Court that were within his field of expertise. I discuss the expert evidence in some considerable detail in later sections of these reasons, including the extent to which I accept that evidence. The fact that I have not accepted a particular expert’s opinion is not intended to reflect, and should not be taken as reflecting, adversely on that witness’s competence.

Background

The Bank

49    The Bank is, and was at all times relevant to this proceeding, Australia’s largest bank. For the years ended 30 June 2014 to 30 June 2017 (a period covering, substantially, the relevant period), the Bank’s total annual income was between $22 billion and $26 billion; its profit was between $8.6 billion and $9.9 billion. It employed approximately 52,000 staff members.

50    The Bank operates (and, in the relevant period, operated) in a highly regulated market and processes a large volume of domestic and cross-border transactions. The Bank’s own estimate is that it has “visibility” of around 40% of all financial transactions in Australia. According to the Bank, one in two inbound cross-border commercial payments are destined to its account holders.

51    The Bank is required to monitor all these transactions under AML/CTF legislation, to which I will refer in more detail. For present purposes, it is sufficient to record that, as at May 2015, the Bank was monitoring approximately 7 million transactions per day with a value of $219 billion. At that time, peak volumes stood at 16 million transactions per day with a value of $570 billion. As at June 2016, the Bank was monitoring over 8 million transactions per day with a value of $300 billion. As at April 2017, the Bank was reporting approximately 3.1 million International Funds Transfer Instructions (IFTIs), 800,000 Threshold Transaction Reports (TTRs), and almost 9,000 Suspicious Matter Reports (SMRs) to AUSTRAC each year.

AML/CTF legislative regime

52    The Bank is, and was at all times relevant to this proceeding, licensed to carry on banking business in Australia and authorised to take deposits from customers as an Authorised Deposit-Taking Institution (ADI) under the Banking Act 1959 (Cth). It was subject to the AML/CTF Act and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth) (the AML/CTF Rules).

53    The AML/CTF Act imposes obligations on ADIs which provide “designated services”. These services are defined in s 6 of the AML/CTF Act. A “designated service” includes opening an account or allowing a transaction to be conducted in relation to an account. A person who provides a “designated service” is a “reporting entity”: s 5.

54    Part 3 of the AML/CTF Act contains reporting obligations for reporting entities. Relevantly to this proceeding, one obligation is to report a “threshold transaction(as defined in s 5) to the CEO of AUSTRAC (the AUSTRAC CEO): ss 43(2)(3). A “threshold transaction” includes, for example, a transaction involving the transfer of physical currency, where the total amount of physical currency transferred is not less than $10,000. I will refer to these reports as “TTRs”, in accordance with what appears to be the commonly used acronym for these transactions. Section 43(2) is a civil penalty provision: s 43(4). The obligation to report threshold transactions features prominently in this case.

55    Section 81(1) of the AML/CTF Act provides that a reporting entity must not commence to provide a designated service to a customer if the reporting entity has not adopted and maintained an anti-money laundering and counter-terrorism financing program that applies to the reporting entity. Section 81(1) is a civil penalty provision: s 81(2). The program can be a standard AML/CTF program, a joint AML/CTF program, or a special AML/CTF program: s 83(1). The Bank adopted and maintained a joint anti-money laundering and counter-terrorism program. Such a program is divided into two parts—Part A (general) and Part B (customer identification): s 85(1).

56    The primary purpose of Part A is to identify, manage, and mitigate the risk that a reporting entity may reasonably face that the provision of designated services at or through its Australian operations might involve or facilitate money laundering or the financing of terrorism: s 85(2)(a). Section 82(1) provides that a reporting entity must comply with Part A of the program. Section 82(1) is a civil penalty provision: s 82(2). The Bank’s compliance with Part A of its program also features in this case.

57    The sole or primary purpose of Part B is to set out the applicable customer identification procedures for the purpose of the application of the Act to customers. Part B must comply with the requirements of the AML/CTF Rules: s 85(3).

The Bank’s Joint Anti-Money Laundering and Counter-Terrorism Program Part A

58    Part A of the Bank’s program provided that the program would be implemented and monitored in accordance with its Group Compliance Risk Management Framework and Group Operational Risk Management Framework.

59    In relation to risk identification and assessment, Part A provided that the Group must conduct an assessment of Money Laundering and Terrorism Financing (ML/TF) risks faced by members of the Group and maintain a current assessment, with changes in risk recognised and assessed. Each Business Unit or Designated Business Group (where the reporting entities in the Group were related to each other) was required to conduct an assessment, using the Group’s ML/TF Risk Assessment Methodology (or another appropriate and approved method), of the inherent ML/TF risk posed by (a) each new designated service prior to introducing it to the market; (b) each new method of designated service delivery prior to adopting it; and (c) each new or developing technology used for the provision of a designated service prior to adopting it. Further, periodic reviews were to be carried out at least every two years.

60    The applicants contend—and it is not disputed—that the “IDM channel” rolled out by the Bank in 2012 (see [97] – [104] below) fitted these descriptions: it was (at least) a “new method of designated service delivery” or a “new or developing technology used for the provision of a designated service”.

The Group Compliance Risk Management Framework

61    The Group Compliance Risk Management Framework (CRMF) was directed to the risk of legal and regulatory sanctions, material financial loss, or loss of reputation that the Group might incur as a result of its failure to comply with the requirements of relevant laws, industry and Group standards and policies, and codes of conduct. Compliance risk is also known as regulatory risk.

62    One of the Group CRMF principles concerned monitoring and measuring. The principle was expressed as:

Transparency around compliance incidents, control weaknesses and framework effectiveness will be maintained, including timely escalation and reporting.

63    In this regard, the framework also provided that:

Issues or incidents must be reported in accordance with the relevant incident and issue procedures.

64    It is appropriate to mention here that, in relation to monitoring and measurement, the Bank adopted a “Three Lines of Defence” model (the 3LoD model) under which the accountability for the management of risk fell primarily (the first line of defence) to business management to ensure effective compliance risk and incident management within their operations, with the second line of defence falling to (a) Business Units to establish and maintain an effective Business Unit CRMF and compliance control infrastructure, and to monitor compliance consistent with that framework; and (b) Group Compliance to monitor and report on compliance risk management across the Group, raising issues where necessary and reporting to senior management, the Risk Committee, and the Board. The third line of defence was Group Audit and External Audit to conduct independent audits of the implementation, condition, maintenance, and management of the Group CRMF.

65    On 3 November 2015, following the findings of the transaction monitoring program (TMP) review report, the 2013 audit report, and the 2015 audit report (discussed at [170] – [221] below), a briefing paper was prepared for Mr Narev which discussed “a range of potential options” in relation to improvements in the Banks 3LoD model from “tactical adjustments” to “major structural shifts”. It would seem that Mr Narev (and perhaps others) had arrived at the view that the Bank’s implementation of the then current 3LoD model was neither effective nor efficient and that this state of affairs was not acceptable. These issues led to Project Trifecta, which was a redesign of the Bank’s 3LoD model.

66    On 16 November 2015, Mr Toevs (who, at the time, was Group CRO) and Mr Dingley (who, at the time, was Chief Operational Risk Officer) presented a proposal to the Bank’s Executive Committee containing three options. The recommended option was a centralisation of specific functions (as opposed to full centralisation (Option 2) or a global model (Option 3)). In March 2016, Mr Toevs circulated a further proposal, which he described as “an iteration of an option presented in the original Trifecta strategy presentation last year” and which included a proposal to create a “Financial Crime Centre of Excellence”.

The Compliance Incident Management Group Policy

67    As part of the Group CRMF, the Bank adopted a Compliance Incident Management Group Policy. It was identified as a key component of the framework. The purpose of the policy was to establish principles in relation to identifying, assessing, and managing compliance issues, and outlining the requirements with respect to the regulatory reporting of compliance issues.

68    The policy identified a compliance issue as an actual, suspected, likely, or imminent contravention of an obligation of any applicable law, regulation, industry standard, industry code, or external business rule or guideline (such as the ASX Listing Rules). The policy identified a reportable breach as a compliance incident which had been assessed and had been determined as being reportable to a regulator.

69    Paragraph 5.1 of the policy principles provided:

5.1     BUs must develop and maintain up to date and approved procedures that are clear, well-understood and document the process for:

    Identifying compliance incidents or likely compliance incidents;

    Assessing all compliance incidents; including determining if they are reportable breaches;

    Reporting and escalating compliance Incidents, ensuring the relevant people including those responsible for compliance, are made aware of compliance incidents and reportability; and

    Rectifying and resolving compliance incidents.

70    RiskInSite was the Group’s integrated system which provided a common platform for managing operational risk and compliance risk across the Group. The policy provided that all compliance risk incidents were to be accurately recorded and maintained in RiskInSite, with the expectation that such incidents would be recorded within a maximum of five business days of discovery.

AUSTRAC’s powers

71    AUSTRAC has certain investigative powers. Under s 202(2) of the AML/CTF Act, the AUSTRAC CEO (or another person authorised by s 202(1)) can give a written notice to a person (who the AUSTRAC CEO or another authorised person believes, on reasonable grounds, is a reporting entity) requiring the person to give information or produce documents relevant to: (a) determining whether the person provides designated services at or through a permanent establishment in Australia; (b) ascertaining details relating to any permanent establishment in Australia at or through which the person provides designated services; and (c) ascertaining details relating to designated services provided by the person at or through a permanent establishment of the person in Australia. However, such a notice can only be given where, on reasonable belief, the notice is required to determine whether to take action under the AML/CTF Act or in relation to proceedings under that Act: s 202(3).

72    Under s 167 of the AML/CTF Act, the AUSTRAC CEO (or another authorised officer, as defined in s 5) can give written notice to certain persons, including a reporting entity, to give information or to produce documents where, on reasonable belief, the person has information or a document that is relevant to the operation of the AML/CTF Act, the Anti-Money Laundering and Counter-Terrorism Financing Regulations (Cth) (when in force) (the Regulations), or the AML/CTF Rules. In the present case, notices were given to the Bank under this provision, in the circumstances discussed below.

73    There are a number of avenues open to the AUSTRAC CEO where non-compliance with the AML/CTF Act, Regulations, or AML/CTF Rules has occurred.

74    First, no formal action need be taken. AUSTRAC may engage with the reporting entity on an informal basis to remedy the non-compliance.

75    Secondly, if there are reasonable grounds to think that there has been a contravention of an “infringement notice provision” (defined in s 184(1A)), the AUSTRAC CEO (or another authorised officer) can issue an infringement notice under s 184(1) requiring payment of a penalty.

76    Thirdly, the AUSTRAC CEO can give a remedial direction under s 191(2) of the AML/CTF Act if satisfied that a reporting entity has contravened, or is contravening, a civil penalty provision. The written direction requires the reporting entity to take specified action directed towards ensuring that the entity does not contravene the civil penalty provision, or is unlikely to contravene the civil penalty provision, in the future.

77    Fourthly, the AUSTRAC CEO can accept enforceable undertakings under s 197 of the AML/CTF Act to the effect that a person will take specified action or refrain from taking specified action in order to comply with the AML/CTF Act, Regulations, or AML/CTF Rules, or will take specified action directed towards ensuring that the person does not contravene, or is unlikely in the future to contravene, the AML/CTF Act, Regulations, or AML/CTF Rules. The breach of such an undertaking can result in proceedings being taken against the person for certain relief: see s 198.

78    Fifthly, if the AUSTRAC CEO has reasonable grounds to suspect that a reporting entity has contravened, is contravening, or is proposing to contravene the AML/CTF Act, Regulations, or AML/CTF Rules, a written notice can be given under s 162 of the AML/CTF Act requiring the reporting entity to appoint an external auditor to carry out an audit of, and report on, the reporting entity’s compliance with the AML/CTF Act, Regulations, or AML/CTF Rules.

79    Sixthly, the AUSTRAC CEO can commence proceedings under s 175 of the AML/CTF Act seeking a civil penalty order for the contravention of a civil penalty provision.

80    In its published Enforcement Strategy 2012 – 2014, AUSTRAC stated that it generally chooses to use a supervisory approach to secure reporting entity compliance before proceeding to “more formal enforcement activities”. AUSTRAC referred to its supervisory activities as having “three levels of intensity: (a) low intensity or “engagement” activities (such as by providing information and tools to enable reporting entities to comply with their obligations); (b) moderate intensity or “heightened activities (such as behavioural assessments, desk reviews, and themed reviews directed at specific behaviours); and (c) high intensity or “escalated activities (such as providing tailored on-site activities designed to have a direct impact on improving compliance outcomes).

81    AUSTRAC said:

While AUSTRAC prefers to engage and work cooperatively with reporting entities, where these activities do not result in improved compliance, matters are referred to AUSTRAC’s Enforcement team for consideration of enforcement action.

82    I observe that this statement implies that, certainly at that time, enforcement action would not necessarily ensue simply because a matter had been referred to AUSTRAC’s enforcement team. Moreover, enforcement action did not necessarily mean applying for a civil penalty order.

83    Before 3 August 2017, AUSTRAC had taken 33 enforcement actions. Only one was for a civil penalty order, namely the Tabcorp proceeding, which I discuss below. This action was taken in July 2015 with a civil penalty order for $45 million made by this Court on 16 March 2017. The rest of the enforcement actions involved remedial directions (four cases); the issuance of an infringement notice (four cases); the acceptance of enforceable undertakings (15 cases); and the appointment of an external auditor (nine cases).

The Bank’s dealings with AUSTRAC immediately before the relevant period

84    As at March 2012, the Bank’s dealings with AUSTRAC were managed through the Group’s AML/CTF Compliance Officer. In a briefing to the Bank’s Board on 13 March 2012, this relationship was described as “transparent and open” which had enabled the Bank and AUSTRAC “to work collaboratively through a number of AML/CTF issues”. The Bank and AUSTRAC met once a month to discuss improvements to the Bank’s AML/CTF Program, including quality assurance initiatives on transaction reporting, and progress on open audit items. AUSTRAC also audited the Bank annually.

85    On 16 July 2012, the Bank’s Risk Committee was informed that AUSTRAC had conducted its annual audit for 2012 of the Group’s AML/CTF Program and had verbally communicated that it had not identified any material issues with that program.

86    At a meeting on 28 June 2012, the Bank’s Group Head of AML/CTF and Sanctions, Mr Byrne was informed that AUSTRAC was looking to move to 18 month review periods for the Bank (whereas other banks would be getting three to four reviews per year).

87    AUSTRAC conducted a two-day onsite audit on 19 and 20 November 2013. A Senior Manager provided the Bank with a “high level debrief” during which the Bank was informed that AUSTRAC was “extremely pleased with the process, collaboration and availability of people and systems”. AUSTRAC had picked up some “minor errors” and “a few issues” but “nothing systemic” and “nothing serious”. It seems that AUSTRAC indicated that an initial draft of its report would be provided before Christmas 2013, with the Bank given a period of approximately one month to provide comments.

88    At what appears to have been a follow-up meeting on 19 February 2014, AUSTRAC explained that the language used in a letter accompanying its audit report may have come across in “somewhat a terse manner”. However, as understood by the Bank, AUSTRAC attributed this to the fact that “some institutions [had] not proved as collaborative as [the Bank] so AUSTRAC has ‘hardened’ its language in formal communications to all entities for consistency”.

89    These interactions support the proposition that, before the relevant period, the Bank enjoyed a collaborative, business-like relationship with AUSTRAC that appears to have been free of significant non-compliance issues.

90    Mr Narev gave evidence that, at a meeting with Mr Jevtovic (then the new AUSTRAC CEO) on 19 December 2014 (held in Mr Narev’s office), Mr Jevtovic told Mr Narev that there was a “strong relationship” between AUSTRAC and the Bank and that Mr Jevtovic had received “positive feedback” from his team about the Bank. According to Mr Narev, Mr Jevtovic told him that there had been some “minor issues” but these “had always been remedied quickly”.

The Bank’s IT environment, processes and procedures

91    It is appropriate at this stage to say something briefly about the Bank’s information technology (IT) environment.

92    At relevant times, the Bank operated an IT environment of scale and complexity, characterised by a large number of interconnected IT enterprise systems and a large number of internal IT and system support staff. Support was also provided by a large number of external service providers who provided services ranging from system development to day-to-day support.

93    Complex IT environments are prone to possible issues or errors during their life cycles. These issues or errors are driven by various factors. System interdependencies can be affected by upstream changes which can impact information flows and the downstream interpretation of data. Knowledge gaps can occur with system specific teams not having an holistic view of the enterprise architecture and structure. Issues and errors can arise from the requirement to support, update, or replace legacy systems. There may also be dependencies on external service providers, rather than internal staff members, to implement change appropriately.

94    As to complex systems within an IT environment, Mr Elliott and Mr Bell agreed that:

… a complex system within an IT environment … consists of a series of steps or events, perhaps with many inputs and outputs. Complex process steps often rely on previous steps to have completed in a specific order and with a specific result in order to determine the next step. Sometimes complex processes may have to deal with many external events, sometimes being introduced randomly.

95    I discuss in more detail below some of the Bank’s IT processes that are of particular relevance to this proceeding.

96    Mr Elliott and Mr Bell agreed that organisations such as the Bank, operating within a regulatory environment with compliance obligations, will often call upon numerous frameworks to help them achieve enterprise governance of IT. The Bank had various governance frameworks (broader than IT alone) to assist it in achieving its regulatory requirements and obligations. I have referred to some of them above (being those that are more relevant than others to the issues canvassed in this proceeding). As Mr Elliott and Mr Bell also recognised, the Bank’s approach to governance involved an internal audit and assurance capability. I will discuss the output of that capability in later sections of these reasons.

IDMs

97    IDMs are a type of automated teller machine (ATM) with additional functionality. They are part of the Bank’s NetBank platform. IDMs allow customers to deposit cash or cheques into their accounts without the need to enter the branch itself. Cash deposits are automatically counted and credited instantly to the nominated recipient account. This means that these funds are then immediately available for transfer to other domestic or international accounts.

98    During the relevant period, the Bank’s IDMs could accept up to 200 notes per deposit (i.e., up to $20,000 per cash transaction). The Bank did not limit the number of IDM transactions a customer could make each day. A card was required to activate and make a deposit through an IDM. The card could be issued by any financial institution, but the funds could only be deposited to one of the Bank’s account holders.

99    The IDM channel favours anonymity and there is no mechanism to identify the person who activates the machine and performs the transaction. IDMs can also be used to structure transactions in which large cash amounts can be deposited in smaller quantities. IDMs present a high inherent ML/TF risk. When challenged with the proposition that IDMs present a higher risk profile than ATMs, Mr Narev said that the risk with IDMs was different to the risk with ATMs which was worthy of, or required, separate consideration.

100    The Bank began rolling out its fleet of IDMs in around May 2012. At the commencement of the relevant period (16 June 2014), the Bank had 245 active IDMs and 3,147 active ATMs. At the end of the relevant period (3 August 2017), the Bank had 904 active IDMs and 2,522 active ATMs.

101    Before rolling out the IDMs in May 2012, the Bank did not conduct a formal risk assessment in relation to the designated services provided through this channel. The Bank accepts this fact, and also that such an assessment was not made before July 2015. It accepts that, by not conducting the required risk assessment before rolling out the IDMs, it failed to comply with its AML/CTF Program. I will refer to this as the IDM ML/TF risk assessment non-compliance issue.

102    This is not to say, however, that the Bank did not have regard to AML/CTF risks in respect of IDMs at the time they were rolled out. In a business requirements document, the Bank considered the need to report threshold transactions to the AUSTRAC CEO and the means by which this would be done through IDMs. TTR reporting and transaction monitoring were considered to be mandatory requirements as part of the IDM roll out project, and TTR reporting functionality was built and linked to IDMs. IDM deposits were also linked to automated transaction monitoring rules that targeted certain practices.

103    The Bank also gave specific consideration as to whether to impose limits of less than $10,000 on the amount of cash deposits that could be made through IDMs, but decided against this on the basis that, by doing so, the Bank might encourage “structuring activity”.

104    The Bank completed its first formal risk assessment of IDMs on 14 July 2015. This assessment was carried out following inquiries from “law enforcement agencies”, not AUSTRAC. Following that assessment, the IDMs were rated as “high risk”. However, transaction monitoring was in place and, based on its performance as at 28 July 2015, was considered (by the Bank) to be “working well”. No further controls were envisaged as necessary at that time. A further risk assessment was carried out in July 2016.

The Bank’s TTR processes

105    As I have noted, a “threshold transaction” is a transaction with a cash component of not less than $10,000 in respect of which the Bank is required to submit a TTR to the AUSTRAC CEO.

106    During the relevant period, there were two main ways in which a threshold transaction could occur at the Bank. First, by cash deposit or cash withdrawal at one of the Bank’s branches through its “over-the-counter” system. Secondly, by cash deposit into an IDM.

107    Data with respect to a threshold transaction “flowed” from the relevant “input” through various systems within the Bank before a TTR was submitted to the AUSTRAC CEO. These “flows” involved real-time data flows (i.e., data which flowed almost instantaneously) and batch data flows (i.e., data which flowed periodically and which, typically, included data about batches of multiple transactions).

108    The Group Data Warehouse (GDW) was one of the systems within the Bank involved in the TTR process. It stored data relating to the Bank’s customers, their accounts, and their transactions. As its name suggests, it was the largest system within the Bank, storing current and historical data for millions of customers in relation to a range of products across the Bank.

109    The systems used in the TTR process connected with other systems across the Bank, such as the Bank’s financial crimes systems. These systems included the Financial Crime Platform (FCP) (described in more detail below at [144] – [154]) and Real Time Transaction Monitoring (RTTM). The FCP was used for functions such as sanctions screening, account monitoring, and fraud monitoring. RTTM monitored for fraud in real-time. Its functions included payment and card screening, such as to detect a fraudulent transaction on a customer’s credit card. Because of the sensitivity of their functions, access to these systems and their data was restricted to a limited number of the Bank’s personnel.

110    The TTR process did not involve data flowing directly to AUSTRAC. Rather, there were a number of intermediate systems which involved a combination of real-time and periodic batch data flows. This meant that there was not a single, uniform TTR process which applied to all transactions. There were separate TTR processes depending on the input used and the nature of the transaction. Further, not all transactions processed through an IDM or “over-the-counter” involved threshold transactions.

111    The Bank used transactional data, including about threshold transactions, for a multitude of purposes in addition to threshold transaction reporting, such as:

(a)    crediting and debiting customer accounts to reflect the transaction;

(b)    monitoring transactions for fraud and anti-money laundering (AML) purposes as part of the Bank conducting its own monitoring of transactions for suspicious matters; and

(c)    customer reporting, customer support, and suggesting ways to improve customers’ financial well-being.

112    Therefore, many of the intermediate systems used as part of the Bank’s TTR processes also formed part of other processes within the Bank. This meant that common systems contained data which was unrelated to TTRs. In addition to TTR data flows, data from these common systems was exported to other intermediate systems across the Bank which were wholly unrelated to TTRs. Thus, there was a “web” of data flows. TTR processes were just one component of these flows.

113    Data was not stored in a uniform format in all systems. As data flowed downstream, it was filtered and re-formatted as necessary before being sent to the next system. As a result, whilst some irrelevant data flowed downstream, not all data compiled about a transaction at the input stage flowed downstream to the various intermediate systems involved in the Bank’s TTR processes. As data did not necessarily remain in the same format from system to system, comparing data at the start of the process with data at the end of the process was not a “one-for-one” comparison.

114    Further, the timing of data flows differed according to the type of transaction. Deposits were processed differently depending on whether they related to a debit account or a credit account. In the case of a debit account, the deposit was credited to the relevant account in real-time. In the case of a credit account, the deposit typically settled the following business day. There was, therefore, a lag between the time of the transaction and the time at which the data hit the GDW. This impacted the timing of submitting a TTR to AUSTRAC because the TTR was only generated once the deposit settled, which, in the case of a transaction on a credit account, could be days later (depending on when the transaction occurred and when the settlement occurred).

115    Deposits in IDMs involved other complexities, such as where cash was not removed from a component of the IDM within the “timeout period” (for example, when the deposited cash was held together by a clip or a rubber band). This led to a “failed” transaction in which the cash was directed to a “retract canister” within the IDM. When this happened, the cash “deposited” was not identified and counted for the purposes of the Bank’s automated systems. Such transactions were identified by a customer reporting the failed transaction in a Branch or by the staff within the Branch (in which the IDM was located) identifying the failed transaction from the IDM’s end of day balance. The process of identifying the failed transaction could be complicated because the retract canister could contain other cash. In order to process a failed transaction, Branch staff typically pay the relevant funds to the customer through an electronic funds transfer, which was not processed as an IDM transaction.

116    Of central importance to the present case is an issue concerning the late reporting to the AUSTRAC CEO of threshold transactions through IDMs. When the IDMs were introduced, the Bank’s processes relied on two transaction codes to generate TTRs (codes 5022 and 4013). However, in November 2012, the Bank introduced an additional transaction code (code 5000) for a sub-set of IDM transactions to clarify a deposit message that was visible to customers via the NetBank platform. The new transaction code fixed the message problem, but it was not factored into the downstream process by which threshold transactions were identified for reporting. In short, a “flag” in the system for TTR reporting was missing.

117    This problem was not discovered, and its implications brought home to officers of the Bank, until much later. It is certainly the case, however, that, much earlier in 2013, a potential problem, with an association with code 5000, was identified by the Bank’s staff, but regrettably not fully investigated and rectified. It is necessary to turn, now, to the circumstances in which this occurred.

Enquiries in 2013

118    On 29 August 2013, a Compliance Executive employed by the Bank in the AML Sanction section of Risk Management in Retail Banking Services (RBS), Mr Kalra, sent an email to employees responsible for the GDW seeking confirmation that TTRs were being lodged for cash deposits made through IDMs. The evidence does not suggest that this original inquiry was connected with transaction code 5000. Indeed, the applicants’ expert, Mr Elliott, made it clear that “this internal issue was not specifically related to transaction code 5000”.

119    On the same day, a Senior Technical Business Analyst, Mr Ashdown (who had done work on extracting TTRs from the GDW), responded to this inquiry by confirming that cash deposits through IDMs were included in TTRs. However, Mr Ashdown raised a concern about whether the cash component of “mixed deposits (i.e., deposits involving cash and cheques), where the cash component was a threshold amount ($10,000 or more), was being reported. The reason for raising this appears to have been Mr Ashdown’s understanding that, during his involvement in working on the “TTR extract”, IDMs “couldn’t do mixed deposits”. He did not know “if the functionality was ever developed”.

120    This information prompted Mr Kalra to request that an investigation be conducted:

It has come to my attention that Threshold Transaction Reports (TTR) may not be getting lodged for mixed deposits (cash + cheque) made via the Intelligent Deposit Machines (aka IDA or IDM). [I’m assuming the IDM’s would sit under the D&T world.]

As per below email from the Group Data Warehouse (GDW) team, they have confirmed that if cash deposits of $10k or more are accompanied with a cheque deposit, no TTR is lodged for the cash component.

Regulatory requirement is that any transactions in physical currency of $10k or more are supposed to be lodged as a TTR to AUSTRAC. Therefore if what the GWD team is saying is correct, then there may have been some breaches.

Can I please request you to check this process and confirm?

121    Later, on 3 September 2013, Mr Kalra raised a further query—whether cash deposits in IDMs using an OFI (Other Financial Institution) card were being reported.

122    The context for each of Mr Kalra’s queries was an upcoming on-site audit by AUSTRAC.

123    A Service Manager in Retail & Business Banking Enterprise Services, Mr Wright, provided a response to Mr Kalra on 4 September 2013. In relation to the question whether there were “(a)ny cash deposits for which TTRs are not currently reported?”, Mr Wright responded:

Would appear yes based on this issue being raised.

124    Properly considered, this answer does not evidence Mr Wright’s knowledge, or indeed any other employee’s knowledge, that these cash transactions were not being reported. Indeed, it was not a substantive answer to Mr Kalra’s question. Self-evidently, Mr Wright’s answer was no more than the unhelpful comment that, because a query had been raised by Mr Kalra, it “appeared” that there were cash deposits for which TTRs were not being given.

125    It is clear that, at this time, two issues had been raised: whether (a) the cash component of a “mixed deposit” and whether (b) cash deposited using an OFI card (in each case, using an IDM to deposit a threshold amount), were being reported.

126    On about 12 September 2013, Mr Kalra escalated these matters to Ms Ishlove-Morris (the Executive Manager AML/CTF & Sanctions, Group Operational Risk & Compliance, Risk Management) and Mr Byrne. In doing so, he informed Ms Ishlove-Morris and Mr Byrne that “(t)he business is checking to confirm whether or not this is actually an issue or not”.

127    There are emails in evidence whose language can be interpreted as stating that, at this time, TTRs were not being provided when they should have been. However, when these emails are read in the context of accompanying emails, it is tolerably clear that Mr Kalra was raising a potential problem and escalating it to those who had an interest in knowing whether there was an actual problem, as Mr Kalra’s email to Ms Ishlove-Morris and Mr Byrne makes clear.

128    On 19 September 2013, Mr Kalra was informed by Mr Razdan, a Project Manager in Retail Banking Enterprise Services that, in fact, cash deposits using an OFI card were being reported.

129    Separately, on the same day, Mr Ashdown informed Mr Kalra that “the TTR report is reporting the Mixed Deposits”. In somewhat chastising language, Mr Kalra responded:

Mark – I thought you’d initially mentioned that for mixed deposits, TTR’s weren’t being generated even for the cash component and that’s why I escalated this issue to the business. Can you please double check again and confirm once and for all?

130    Later that day, Mr Ashdown replied:

I didn’t know whether they were being reported – that was the issue.

I can confirm they are being reported …

131    Having escalated the matter to Ms Ishlove-Morris and Mr Byrne, Mr Kalra then sent an email to Ms Ishlove-Morris on 19 September 2013, stating:

After email chains floating around the world, GDW team have come back and confirmed that TTR’s are being reported for all relevant cash deposits (whether mixed or individual) and there’s no issue.

So we don’t need to report anything to AUSTRAC.

132    Ms Ishlove-Morris then forwarded Mr Kalra’s email to Mr Byrne.

133    It is appropriate to record at this juncture that there is no evidence before the Court as to AUSTRAC’s on-site audit which Mr Kalra had mentioned in his emails. It is not disputed that, at this time, AUSTRAC had not detected any problems with the Bank’s TTR reporting in respect of cash deposits made through IDMs.

134    On 20 September 2013, employees of the Bank identified two OFI card cash deposits for investigation. One deposit was for $10,000; the other was for $10,500. Details of these transactions found their way to Mr Ashdown on 8 October 2013.

135    On 10 October 2013, Mr Ashdown advised that the two transactions had not been reported in TTRs. Mr Ashdown sought further information. Later that day, Mr Ashdown advised that the two transactions had been processed with transaction code 5000 and that “we only pick up Transaction types (cash and mixed deposits)”. In this regard, Mr Ashdown said that there were only two transactions to be considered—those under code 4013 for cheque and mixed deposits to savings accounts, cheque accounts and credit accounts, and those under code 5022 for cash deposits to savings accounts, cheque accounts, and credit accounts.

136    On 11 October 2013, Mr Ashdown was asked to “summarise … if there is an issue, and if there is – what exactly is it and who should be … the owner?”. On 14 October 2013, Mr Ashdown provided the following “summary”:

Kote sent me 2 transactions (cash deposits on OFI cards) to check if they had been picked up by TTR.

These transactions (with transaction code 5000) are not being identified as cash transactions by TTR and were not reported.

Kote reported that transaction code 5000 is not on the transaction range for IDA cash transactions. TTR is performing as expected.

However, these 2 transactions are the one identified by Kote as being cash transactions on OFI cards, which would indicate to me that there is possibly a problem.

My understanding of the actions are:

-    Refresh Team Confirm whether the tran code on the transactions is correct and therefore the transaction is not a cash transaction.

-    If not a cash transaction, Refresh Team need to provide new examples of cash transactions on the OFI cards for me to investigate.

-    If it is a cash transaction, Refresh team need to look into why the transactions have the wrong code.

-    If Tran code 5000 should be included as a cash deposit, then that’s a bigger issue. We’ll need to discuss how to resolve this,

137    It is apparent from this response that the possibilities exercising Mr Ashdown’s mind were that: (a) the two transactions were not, in fact, cash transactions; (b) if they were cash transactions, it was possible that the wrong transaction code had been used; and (c) if the transactions were cash transactions and the correct transaction code had been used and transaction code 5000 should have been on the transaction range for IDMs, then there was “a bigger issue”. However, Mr Ashdown’s advice was that “TTR is performing as expected”.

138    Further email correspondence shows that, as at 24 October 2013, the view was taken that “TTR is working as expected” and that “any potential issues with OFI transactions are at the source system level”. The matter appears to have been left with those who were responsible for advancing that matter at that level, but nothing happened.

139    With hindsight, the ramifications of that inaction can be readily appreciated. I accept the Bank’s submission, however, that, as at 24 October 2013, no-one in the Bank had identified that transactions which should have been flowing through to TTR reporting were not flowing through and being reported to AUSTRAC. While, initially, questions had been raised about TTR reporting in respect of “mixed deposits” and cash deposits using an OFI card, the Bank’s employees had determined that these transactions were being reported. While, later, two other OFI card transactions had been identified for investigation, it was queried whether the transactions had been correctly coded and whether they were even cash transactions. Although the possibility of a “bigger issue” had also been flagged, no further investigation was undertaken, and the facts were not known as to whether there was a “bigger issue”.

140    The evidence does not elaborate on why, at that time, further investigation of the two OFI card transactions was not undertaken. With hindsight, there should have been further investigation to elucidate whether there was a “bigger issue”. Had there been further investigation, it is likely that the general problem associated with cash deposits processed under code 5000 would have come to light. The applicants’ disclosure case, however, is concerned with the information that officers of the Bank had, or ought reasonably to have had. The employees with knowledge of the matters in 2013 that I have described, were many levels below “officer” level, and none had identified a general and significant problem with deposits processed through IDMs under transaction code 5000.

141    The next relevant event is that, on 11 August 2015 (some 22 months later), AUSTRAC asked the Bank to locate TTRs relating to “two ATM deposits” (these are not the two deposits considered in October 2013). The Bank could not locate these reports. It realised that they had not been made. On investigation, it was found that the deposits were processed under code 5000, but that code 5000 had not been linked to TTR reporting, as it should have been. It was then found that this resulted in the non-reporting of 51,637 threshold transactions from November 2012 to 18 August 2015. The number of affected transactions represented approximately 2.3% of the overall volume of TTRs provided by the Bank over the same period.

142    On 8 September 2015, the Bank notified AUSTRAC about the issue. By 24 September 2015, the outstanding TTRs had been lodged. In the meantime, the Bank continued to report threshold transactions identified by the two original codes.

143    I will refer to this as the late TTR issue. I provide further details in relation to this issue at [250] – [269] below.

The Bank’s Financial Crimes Platform

144    The FCP contained data about the Bank’s customers, accounts and transactions, which were sourced from different upstream systems. The platform was used by the Bank to undertake various functions, including:

(a)    certain kinds of fraud detection, in particular internal fraud by the Bank’s employees, cheque fraud, and application fraud;

(b)    automated politically exposed person and sanctions customer screening; and

(c)    automated transaction monitoring for AML/CTF purposes

145    The platform was not used by the Bank to undertake “know your customer” (KYC) procedures, suspicious matter reporting, threshold transaction reporting, sanctions payment screening, or manual politically exposed person screening.

146    There were three main ways in which data entered the FCP. The first was from the GDW, discussed above. The second was from the Bank’s Operational Data Store which contained data from SAP (the Bank’s core banking platform) and the Payments Journal (which recorded payments processed by the Bank). The third was direct data flow (i.e., data not stored in, and then extracted from, an intermediate system such as the GDW).

147    As with the flow of data into the GDW, data flowing into the FCP needed to be “normalised”— in other words, reorganised and transformed into a standardised format that was compatible with the platform.

148    Data was stored in the FCP in a series of “tables”. These tables were separated into various topics, such as whether the data were customer data or account data. Each table was divided into fields (or columns) populated by the data relevant to that table. There were several hundred data fields across the various tables in the FCP which, depending on their content, could be relevant to some combination of automated transaction monitoring, fraud monitoring, or politically exposed person and sanctions screening.

149    Not all data which ultimately flowed into the FCP was ultimately relevant to its automated transaction monitoring functions. For example, some of the data flowing into the FCP was only relevant to its fraud monitoring and sanctions customer screening functions.

150    In the case of automated transaction monitoring, the FCP ran a series of transaction monitoring “rules”. These rules concerned data in respect of the Bank’s transaction accounts, such as savings, cheque, personal, and business lending accounts. Not all rules applied to every account.

151    The automated transaction monitoring rules operated as filters to identify transactions or activities that were potentially suspicious and which warranted further investigation. These rules could be complex, with many different parameters.

152    There were two categories of automated transaction monitoring rules within the FCP:

(a)    customer level rules, which sought to identify particular transactions or activity across accounts held by a single customer; and

(b)    account level rules, which sought to identify particular transactions or activity on distinct accounts (these rules were only concerned with the behaviour of specific accounts, not the customer’s behaviour more broadly, which was considered by the customer level rules).

153    The automated transaction monitoring rules could, but did not always, apply differently depending on whether an individual or a company was involved. For example, the rules might apply differently to a small business which could be expected to have a high volume of cash transactions, compared with a typical individual customer. How these rules applied depended on whether the rule was an account level rule or a customer level rule. For account level rules, an individual account was usually flagged as either “Personal” or “Commercial” in a field called “ACCOUNT_TYPE_DESC”. For customer level rules, the customer was usually flagged as either a “Person” or an “Organisation” in a field in a different table called “PARTY_TYPE_DESC”.

154    Where particular transactions or activities were caught by these rules, the FCP automatically generated “alerts”, which flagged the relevant transaction or activity for review. The alerts were transmitted into a separate case management tool, called Pegasus. Pegasus was accessed by a separate team within the Bank which sat within the Group Security division, which was responsible for reviewing and investigating the alerts for the purpose of determining whether there was information that needed to be submitted to AUSTRAC as part of an SMR.

155    In 2012, the Bank commenced an internal project known as Project Juno. This project related to enhancing the Bank’s ability to monitor and detect potential instances of internal fraud. It was not focused on the Bank’s AML/CTF systems, although it did impact on the FCP because the FCP was used for both fraud monitoring and automated transaction monitoring.

156    One aspect of Project Juno involved integrating a new process called the “Associate Web” into the FCP. The Associate Web sourced data from the GDW and the FCP to identify potential linkages between the Bank’s staff and their customer profiles, the accounts they held, and any accounts that were related to them. For example, the Associate Web identified accounts that were registered with the same address or telephone number as a Bank staff member, or where an account was shared by a Bank staff member. This data was then used to populate a field in the FCP which flagged whether an account was “employee-related” or not. The rules in the FCP could then automatically run internal fraud monitoring rules to identify instances where Bank employees had initiated transactions involving accounts that had been identified as “related” to them.

157    Another important issue in the present case concerns an error that arose from updating account profiles in the FCP with data from the Associate Web. In that process, the ACCOUNT_TYPE_DESC field for some accounts was populated with a null value (i.e., it was left blank). Over time, this caused the ACCOUNT_TYPE_DESC field in the FCP to be left blank, for a period, for certain “employee related” account profiles (i.e., accounts that were intended to be flagged as accounts belonging to a Bank employee or related to a Bank employee). This occurred even though the process of integrating data from the Associate Web with the FCP was not intended to make any changes to the ACCOUNT_TYPE_DESC field. The consequence was that the automated transaction monitoring rules that depended on this field being populated did not operate for so long as the field was not populated. In short, some account monitoring did not occur in respect of some “employee related” accounts. Not all “employee-related” accounts were affected and the accounts that were affected were still monitored for financial crime screening (they were monitored against sanctions, politically exposed persons, and terrorists lists). Further, only some of the affected accounts were not subject to customer level transaction monitoring in the FCP.

158    This problem was identified by a Bank employee, Mr Dhankhar (who was engaged in Financial Crime Analytics) in the course of developing rules for the FCP in mid-June 2014. On 17 June 2014, Mr Dhankhar circulated an email in which he identified seven issues with FCP data, one of which concerned the ACCOUNT_TYPE_DESC field. This was given the incident number IM0809261. By late August 2014, this issue (amongst other issues) was recorded in RiskInSite as “Medium Impact”.

159    On about 18 September 2014, the FCP was updated with a change that resolved the error so that, on updating the account profile, the ACCOUNT_TYPE_DESC field was updated with the relevant data as part of a “self-correct” process, and not left blank. Implementation of the Bank’s usual data updating processes resulted in approximately 75% of the affected accounts (being active accounts) self-correcting by 30 November 2015. A manual update of the ACCOUNT_TYPE_DESC field in respect of inactive affected accounts (approximately 25% of the affected accounts) was completed by 27 September 2016.

160    In total, 778,370 accounts were affected in the period 20 October 2012 to 30 November 2015. The accounts were affected over varying time periods. For example, some accounts (54,357 accounts) were affected for a period of less than one month (for example, the period could have been one day); some accounts (73,716 accounts) were affected for a period of between 25 to 36 months. However, as I have noted, a significant percentage of accounts (representing, in number 195,000 accounts) were not active accounts.

161    I will refer to this as the account monitoring failure issue.

Audits

Preliminary observations

162    The applicants have directed much attention to various audits that were conducted in relation to the Bank both internally and externally. Although these audits provide background material in relation to the state of the Bank’s management of regulatory risk over time, they should not distract attention from the case that the applicants have specifically pleaded against the Bank in relation to the non-disclosure of market sensitive information and related misleading or deceptive conduct.

163    One purpose of the applicants’ reliance on this material is to match the reported findings in that material, as objectively and contemporaneously expressed, against the evidence in chief given, mainly, by Mr Narev and Mr Apte respectively, particularly in relation to their individual understandings of the extent of the Bank’s shortcomings with respect to AML/CTF compliance issues. The applicants advance numerous submissions to the effect that either or both of these witnesses, in various ways, had, for example, sought to minimise the seriousness of certain findings that were made, or had an incomplete understanding of significant regulatory issues, or had made incorrect assessments of the risk to which the Bank’s AML/CTF environment had exposed it in the lead up to the late TTR issue, or had exhibited misplaced confidence in certain audit findings. These submissions were directed to qualifying each witness’s evidence in chief and to urge the Court to disregard each witness’s own assessment of the materiality of the information with which he had been provided.

164    To the extent that these matters are relevant to the case at hand, I have taken these submissions into account in my assessment of Mr Narev’s and Mr Apte’s evidence. I accept that an appreciation of Mr Narev’s and Mr Apte’s subjective thoughts and reactions, as recorded in their affidavits, must have regard to the contemporaneous documentary record, as well as the matters elicited from them in cross-examination. However, I have not found it necessary to discuss, in these reasons, each and every submission that the applicants make in relation to the significance I should attribute to Mr Narev’s and Mr Apte’s evidence. I have only explicitly addressed the applicants’ submissions where I consider it important to do so.

Internal audits

165    The Bank has, and at all times relevant to this proceeding had, a group audit and assurance team (Group Audit) headed by a Group Auditor (whose title within the Bank was Executive General Manager of Group Audit and Assurance). At the times relevant to these proceedings, this team comprised around 100 people in Sydney (who undertook audits across the Group) and around 25 people in Perth (who undertook audits specific to the Bank’s Bankwest division).

166    Mr Worthington, who was the Group Auditor in the period July 2010 to 31 March 2019, described Group Audit’s role as follows:

18.    During my time as Group Auditor, Group Audits role was to assess risks and internal controls across the Group, provide independent assurance about those controls to senior management and the CBA Board Audit Committee (Audit Committee), assess the effectiveness of risk management across the business, provide recommendations as to how to improve CBAs control environment, and periodically audit and validate the resolution of Very High and High rated audit issues. As it had an independent assurance function, Group Audit was not involved in making management decisions for the Group.

167    Mr Worthington’s evidence was that, in any given year, Group Audit performed around 200 to 250 audits of which around 50 were Bank branch audits, with the remainder generally focused on systems or products. These audits were conducted according to an Annual Audit Plan which was overseen by the Group Auditor.

168    Mr Worthington described the process for conducting Group-wide internal audits in the following terms:

37.     When Group Audit carried out an audit of an issue at a Group-wide level, the practice that was followed by Group Audit was:

(a)     conducting planning to determine the scope, key risks and timeframes for completing the audit;

(b)     undertaking any required field testing and conducting an assessment of the systems, processes and key risk areas falling within the scope of the audit;

(c)     issuing draft reports and issues logs to the relevant Group Executives, Executive General Managers, General Managers and Executive Managers (in some cases) within the relevant BUs for discussion. At this point, any feedback from such persons was sought;

(d)     finalising and issuing the final report to the same executives as identified above, the Accountable Executive (being a person nominated to be the key contact within the relevant BU or Group function for the purposes of the audit), selected line management and other persons within CBA; and

(e)     reporting and discussing the findings of the audits with the relevant executives, and separately with the Chair of the Audit Committee.

38.     The issues logs were records of issues identified through the audit process. The    preparation of an issues log involved my team working with the part of the business which    had been audited to determine the appropriate action items to be undertaken in order to address audit findings, the issue owner for those action items, and a timeframe for their completion. The business formulated draft action items and due dates in response to the audit findings, and the role of my team was to review the proposed action items and due dates before they were finalised to ensure they were a reasonable response to the audit findings. The audit findings, action items and due dates were then incorporated into the issues log, and signed off by my direct reports. On occasions I became involved if the business and my audit team were unable to agree on appropriate action items, although this was rare. My general observation was that Group Audit was given a lot of respect by the business, and if Group Audit identified an issue, the business usually identified an appropriate action to address it. If the “issue owner” and audit team agreed with an action item and the due date, the “Issue Status” was recorded as “Agreed” in the issues log. This engagement with the business meant that in practice, by the time that the audit report and issues log were finalised, key personnel within each BU were already apprised of the matters that had been identified through the audit process as relevant to them and the action items required to address those matters, and had usually indicated acceptance of the action item and the timeframe stipulated to complete it.

39.     Each audit report provided an overall rating, as well as separate ratings for the “controls environment” and for “management awareness and actions. The available ratings were “Satisfactory” (green), “Marginal” (amber) or “Unsatisfactory” (red). The criteria for these ratings were set out as an appendix to the accompanying audit report and, to the best of my recollection, remained broadly consistent throughout the Relevant Period.

40.     Given the volume of audits undertaken by Group Audit each year, it was not practical for me to be involved in each audit. My primary focus was on audits with either an “Unsatisfactory” or “Marginal” rating. For these audits, my role was to engage with the members of my team responsible for conducting the audit, review and provide feedback on a draft audit report prior to it being issued, and communicate the final audit report findings to senior personnel within CBA including Mr Long, the Audit Committee, Mr Narev, and other relevant Group Executives. As part of this, prior to the audit report being finalised, it was my practice to consider the overall ratings being proposed and whether I agreed with them, and ensure that I understood the key findings and themes to be communicated to the business.

169    I now turn to a number of internal and external audit reports on which the applicants rely.

Transaction Monitoring Program Review Final Report 2011

170    PricewaterhouseCoopers (PwC) was engaged by the Bank to conduct an independent review of the Bank’s TMP in relation to the Bank’s compliance with its AML/CTF regulatory obligations. In a report dated 25 February 2011 (the TMP review report), PwC identified “gaps” in the course of its review which appeared to be related to “the migration of data to new systems where some data failed to transfer as part of updated TMP automated processes”. PwC noted that the Bank was aware of the gaps and had implemented interim measures to cover these gaps.

171    In the TMP review report, PwC made the following key observations:

From our observations and testing of the different parts of the TMP, including automated, semi-automated and manual processes, we found a complex monitoring system, with multiple data flows and pathways. Furthermore, the various monitoring pathways are used to monitor different products within and across the three business units under review; and different monitoring pathways utilise different rules, processes, and systems.

We noted that there are currently no reconciliations undertaken of data extracted (including volumes) from source systems to the TMP and between stages of the TMP. We understand this is not a simple reconciliation as in some case it involves sophisticated and complex transition and analysis of data between stages and systems within the TMP. Therefore, without such reconciliations being undertaken over time, it is not possible to determine that all data that should have entered the TMP has done so and has subsequently been processed as expected. We also note that the scope of our testing did not cover what occurred prior to data being provided from the source systems and thus we were not able to determine that all transactional activity with customers is recorded in the relevant source systems for TMP purposes.

Our recommendations cover further review for TMP upgrades and with respect to reconciliations. If interim arrangements or upgrades are not reviewed there is the risk that systemic failure in the monitoring processes could exist and not be identified immediately. Failure to undertake reconciliations from source systems through the monitoring processes means there is a risk that the TMP could contain incomplete data.

We observed that different teams are involved in the many elements of the program. Therefore there is not in all cases a clear understanding of the end to end processes involved across all pathways although within individual stages of the TMP, the teams involved have more detailed knowledge. The lack of a documented, up to date, end to end process with clear accountabilities over time adds to the risk that gaps in the TMP may not be identified quickly in the future.

In addition, within specific monitoring pathways there are variable levels of knowledge, documentation, and responsibilities in relation to different elements of the process. The key impact of the varying levels of knowledge and responsibilities is that accountabilities are not always clear, as different teams are responsible for often separate and discrete parts of the process. Changes that are made to the TMP by different teams are not always documented, which makes it difficult to track decisions, and changes to different teams are not always documented, which makes it difficult to track decisions, and changes to the process over time. Due to the separate accountabilities for different stages of the monitoring pathways, issues have arisen around changes to the process (including system upgrades and technological changes) that were not always made in consultation with all potentially impacted stakeholders. Clear accountabilities are also a key aspect to the success of the TMP.

172    Notwithstanding these observations, PwC expressed the overall view that the Bank had “a well developed and in many cases sophisticated TMP compared to other Australian financial institutions”.

173    In their Joint Report, Mr Elliott and Mr Bell noted that, in various sections of the TMP review report, PwC highlighted the complexities of the Bank’s TMP, but did not identify any immediate, specific recommendations for the Bank to review its account monitoring process.

The Bank’s Internal Audit Report 2013

174    On 16 December 2013, Group Audit delivered a report on Group-wide Anti-Money Laundering/Counter Terrorism Financing (the 2013 audit report). The 2013 audit report gave an overall “red” rating based on “unsatisfactory” ratings for “Control Environment” and “Management Awareness & Actions”. In relation to “Control Environment”, this meant:

Controls are not appropriate for the risks being managed. There are a significant number of issues that require immediate attention.

175    In relation to “Management Awareness & Actions” this meant:

Management has a poor understanding of the risks and controls relevant to their business, and/or were not performing testing of the controls to asses their operating effectiveness.

Alternatively, management were not aware of the material issues and/or were not taking appropriate and timely action to resolve and escalate.

176    Group Audit expressed the opinion that:

A consolidated view of AML/CTF risk and the effectiveness of the controls over AML/CTF risk across CBA has not been established due to the current inconsistent use of RiskInSite.

177    The Issues Log noted that the RiskInSight functionality was not currently being used to provide an overview of AML/CTF compliance across the Group, with the implication that: (a) there was an “(i)nability to monitor and track key risks and issues to obtain a holistic view of the level of AML compliance”; and (b) “(k)nown risks and issues are not being properly managed and monitored”.

178    The Issues Log also noted that Group Operational Risk & Compliance (GORC) was aware that inadequate monitoring and assurance was being performed by Business Unit AML and Compliance teams.

179    Based on the fact that, in cross-examination, Mr Narev could not recall asking for, or being provided with, a copy of the 2013 audit report (although he had received a number of other reports, and attended meetings with Mr Worthington, leading up to the 2013 audit report), the applicants advance a number of submissions.

180    First, the applicants submit that Mr Narev did not have a proper understanding of the “severe deficiencies in [the Bank’s] AML/CTF compliance”, including deficiencies that, in the applicants’ submission, “caused the TTR issue not to be escalated and remediated in October 2013”.

181    Secondly, the applicants submit that this lack of understanding contributed to a failure by Mr Narev to properly assess the materiality of the late TTR issue after he was informed of it which, in his affidavit, Mr Narev described as “a single event resulting from an unintended software glitch”.

182    There are a number of things to be said in response to these submissions.

183    First, I do not accept that Mr Narev did not have an understanding of the deficiencies identified in the 2013 audit report that was sufficient and appropriate for his role as the Managing Director and CEO of the Bank.

184    Secondly, I am not persuaded that it can be said that the deficiencies identified in the 2013 audit report “caused the TTR issue not to be escalated and remediated in October 2013”. Absent explanation, the fact that the potential problem with code 5000 was not fully investigated and rectified in 2013 does not, perhaps, speak well of the Bank’s staff. I do not accept, however, that that failure can be rationalised as having been “caused” by the deficiencies that were identified. Moreover, as I have recorded, Mr Kalra did, in fact, promptly escalate the issue with the two deposit transactions he had raised. However, he later “de-escalated” the issue after being told that there was no problem and that TTR was performing as expected.

185    Thirdly, I do not accept that Mr Narev failed to properly assess the materiality of the late TTR issue or that his description of that issue as “a single event resulting from an unintended software glitch” evidences such a failure. I do not think that, by that description, Mr Narev was endeavouring to trivialise the late TTR issue. Rather, he was doing no more than characterising the reason for the failure to report, whose cause was not multifactorial but sourced in the fact that, inadvertently (but no less seriously), a single code had not been implemented when it should have been.

186    The applicants also advance a number of submissions in respect of Mr Apte’s evidence. The substance and effect of those submissions is that Mr Apte did not have a proper understanding of the 2013 audit report, whose findings he sought to minimise by saying that it had “flagged some issues to be addressed”.

187    I do not accept those submissions. Mr Apte was appointed to the Bank’s Board as a non-executive director with effect from 10 June 2014, after the 2013 audit report had been given. The evidence on which the applicants rely was given by Mr Apte in the context of him explaining that the first formal meetings he attended as a non-executive director were meetings of the Audit Committee and Risk Committee on the very date of his appointment. At the Audit Committee meeting, Mr Worthington presented the Annual Audit Plan for 2015. Mr Apte said that he learned from that presentation that a Group-wide AML/CTF audit had been completed in late 2013 and that it had “flagged some issues to be addressed”. I do not think that describing the outcome of the audit in these cursory terms, in the narrative of the events given by Mr Apte, portrays that Mr Apte was seeking to minimise the findings of the 2013 audit report.

188    The applicants also advance a submission that seeks to ally a contention that Mr Apte’s understanding of regulatory reports was based on “high-level updates”, with a contention that Mr Apte had an “incomplete understanding of the deficiencies in [the Bank’s] AML/CTF compliance landscape”. The applicants submit that these matters undermine “the veracity of [Mr Apte’s] assessment of the materiality” of the late TTR issue. To support this submission, the applicants draw attention to Mr Apte’s reference, in his evidence in chief, to the late TTR issue being flagged with AUSTRAC as a “coding error”.

189    I do not accept this submission. First, I do not accept that Mr Apte’s reference to the late TTR issue being flagged with AUSTRAC as a “coding error” signifies that, somehow, Mr Apte dismissed the importance of that issue. It is appropriate to describe the late TTR issue as one arising from a “coding error”.

190    Secondly, and perhaps more importantly, I am not persuaded that Mr Apte had an “incomplete understanding of the deficiencies in [the Bank’s] AML/CTF compliance landscape”. Whilst, in his affidavit, Mr Apte gives evidence about receiving regulatory reports touching on ML/TF risk management considerations, these are not the only reports Mr Apte referred to when discussing the key mechanisms used by the Bank’s Board to assess ML/TF risks and compliance. In Section E of his affidavit, Mr Apte identified and discussed a large range of reports and other information sources. This is reflected in the following overview given by Mr Apte, on which he expanded in subsequent paragraphs of his affidavit:

125.     Over the Period, there were several mechanisms by which I, as a Board member, (directly or through the Audit and Risk Committees) developed an understanding of the level of the Group’s non-financial risk, how it was performing from a compliance perspective and the effectiveness of its AML/CTF policies, processes, systems and controls. I summarise these mechanisms below.

126.     As a member of the Board and Risk Committee, it was the practice that I received regular written reports and oral presentations on non-financial risk and compliance including:

(a)     formal scheduled updates on risk management considerations (including on AML/CTF specific matters), through the routine provision of a CRO Report to the Risk Committee;

(b)     formal scheduled updates on regulatory risks, issues, engagements and developments, such as through the routine provision of a regulatory report which, from around February 2015, went to the full Board; and

(c)     other scheduled or unscheduled updates on key developments or areas of interest as requested by the relevant Chair, the CEO, or other Board or Committee members.

This included both general risk management updates and updates specific to AML/CTF.

127.     As a member of the Board and Audit Committee, I received internal audit updates on non-financial risks and controls including through twice yearly updates on key audit themes that had arisen during the previous six months (Thematic Audit Reports) and through other updates such as scheduled risk and control “deep dives” into particular business units or focus areas.

128.     From a broader risk management perspective, I participated in formal processes to understand and get comfortable with CBA’s risk management framework, including (from 2015) a formal scheduled annual risk management declaration process.

129.     I also engaged in other formal processes to understand and confirm CBA’s compliance and risk management, which processes were scheduled into the Board’s calendars in advance, such as the process for confirming statements made in CBA’s annual reports.

130.     Based on the information provided to me through these key mechanisms (both as addressed in Section D and as expanded upon further in the remainder of this Section E) and based on my own observations through participating in the Board and Committees, I developed and maintained a general understanding over the Period that:

(a)     the Group’s overarching risk management processes, systems and controls were substantially effective through to FY17, following which I still understood them to remain largely effective despite some challenges being faced particularly in our offshore business;

(b)     risk and compliance matters were escalated to Group Executives, the Committees and the Board (as appropriate), whether from the business units, risk and compliance teams or GA&A;

(c)     in respect of AML/CTF specifically:

(i)     the Group’s AML/CTF framework was overall sound (having been considered by both internal and external experts) albeit that there were opportunities to improve particular processes, systems and controls. As a consequence, for example, management had engaged PwC to undertake reviews of certain of the Group’s AML/CTF processes, systems and controls as discussed at paragraph 136(a) below;

(ii)     where instances of non-compliance, weaknesses in particular processes, systems or controls or other areas for enhancement were identified (which I considered to be inevitable given the size and complexity of the Group), executable action plans were put in place, funding and resources were authorised, and relevant regulators were consulted and kept informed; and

(iii)     the Group had established a positive and productive relationship with AUSTRAC, such that (for example), even after AUSTRAC was aware of the TTR issue and various additional matters unearthed through GA&A audits, the Board received positive feedback from AUSTRAC and opportunities to partner with AUSTRAC continued to be made available to our personnel (for example, through Ms Watson being invited to join AUSTRAC at a financial crime forum in Moscow, which I refer to in paragraph 109(d) above).

131.     This understanding reinforced my view that I did not have material information to disclose in respect of issues being considered by AUSTRAC in respect of CBA over the Period.

191    In relation to the 2013 audit report, I also observe that, in their Joint Report, Mr Elliott and Mr Bell noted that while the report: (a) covered a broad range of areas related to the Bank’s AML/CTF Program which identified 21 audit issues; and (b) alerted the Bank that there were numerous issues to be addressed by relevant and nominated people to further uplift the Bank’s overall AML/CTF Program, the late TTR issue was not specifically identified in the findings of the report or in the Issues Log, and the report did not identify a specific requirement to immediately review the detection methods for the cash deposit reporting systems.

192    In this connection, it is important to understand that a significant focus (albeit not the sole concern) of the 2013 audit report was the Bank’s AML/CTF compliance in respect of KYC requirements and the fact that the escalation of KYC error rates had been ineffective. The report noted that improvement on this matter was required to bring the Bank’s management of AML/CTF risks within an acceptable risk tolerance. Any issues the Bank had in respect of its compliance with KYC requirements are not relevant to the issues raised in this case.

193    The Bank provided a copy of the 2013 audit report to AUSTRAC. AUSTRAC prepared a Compliance Assessment Report. On 6 February 2014, AUSTRAC wrote to the Bank expressing its concern with the 2013 audit report’s findings:

Given the high level of AUSTRAC’s concern with the contents of the CBA internal review we anticipate that all issues raised in the report will be addressed in accordance with the prescribed due dates. AUSTRAC appreciates that some of the issues raised are focused on CBA’s own internal concerns that may not be relevant to AML/CTF compliance.

194    In its letter, AUSTRAC required the Bank to provide comprehensive and detailed action plans for issues that related to the AML/CTF Act and AML/CTF Rules, and said:

Given the serious nature of some [of] the issues identified in the internal review, AUSTRAC will closely monitor CBA’s progress against its various action plans.

195    In its letter, AUSTRAC also requested the Bank to provide it with written monthly update reports.

Project Alpha

196    Following the 2013 audit report, the Bank engaged PwC in March 2014 to conduct an external review of the issues that had been raised. On 19 August 2014, PwC delivered its report entitled “Project Alpha: Root cause analysis of the identified Group-wide AML/CTF issues” (the Project Alpha Report).

197    In its report, PwC referred to the increase, from a global perspective, in the punitive measures and regulator expectations in respect of AML/CTF compliance. They noted that, in Australia, “the AML/CTF regulatory landscape is experiencing significant change”. PwC spoke of an expectation that the potential for regulatory action by AUSTRAC would increase.

198    PwC noted the key failings identified in the 2013 audit report. Conspicuously, PwC identified that the “crux of the high-risk issues” identified in the 2013 audit report was the failure among all relevant Business Units to “correctly conduct the required customer due diligence … for clients that are non-individual entities (for example, trusts and private companies)”. This is a reference to the KYC requirements of the Bank’s AML/CTF Program. It was in that context that PwC observed:

These issues were compounded by a failure of the AML/CTF operating framework in testing, monitoring and escalating known issues to key stakeholders to ensure sufficient attention and corrective action.

199    Even so, PwC concluded that, in respect of all the issues raised in the 2013 audit report, the root causes included “ambiguity” around the AML/CTF operating framework, an under-investment in specialised AML/CTF resources and training, and the fact that the Bank’s AML/CTF assurance activities had been “conducted in silos” (meaning that AML/CTF assurance was not being conducted within an holistic framework supported by systemised reporting).

200    In relation to the “ambiguity” around the AML/CTF operating framework, PwC observed:

The AML/CTF operating framework is not consistently understood across the Group. Within each [Business Unit] there are different understandings of the roles and responsibilities of each line of defence and the roles of the [AML Compliance Officer]. As a result, there is limited escalation of issues (unless deemed high risk) or regular reporting through to GORC, and decisions are made in isolation within [Business Units].

201    One of PwC’s primary recommendations was:

Build a formal, Group-wide, systemised assurance and monitoring framework for AML/CTF using RiskInSite and leveraging existing CBA assurance processes where possible.

APRA Prudential Review Report

202    The Australian Prudential Regulation Authority (APRA) also conducted a review of the 2013 audit report. On 5 September 2014, it provided a report (the APRA Report) to the Bank.

203    In the report’s Executive Summary, APRA said:

The CBA Group is a diverse entity, with multiple business units that operate in a variety of regulatory and legislative frameworks in both Australia and overseas jurisdictions. Add to this the volume and complexity of global regulatory change and it highlights the importance of effective compliance risk management. APRAs assessment is that whilst CBA’s Compliance Risk Management Framework (CRMF) provides the foundation for sound management of compliance risk, there is a need for improvement in the maturity and consistency of implementation across the Group. This could be facilitated by Group Compliance providing a stronger role in the direction and guidance given to the businesses in terms of how they implement and follow the CRMF. APRA observed some actions in this regard had already been initiated.

APRA also considers that the level of challenge from Group and business unit compliance functions could be enhanced to improve consistency and promote the prompt identification of key risks and their escalation to more senior risk forums, where necessary. The development of a more forward looking approach to compliance risk, backed by the appropriate use of data and enhanced compliance reporting, would enable a greater focus on emerging risks and trends within the business. While APRA notes that this is an area requiring development across the industry, we observed that CBA was not making full use of all available data and that there was limited evidence of forward looking discussion and reporting at a business unit level.

APRA noted the Group’s CRMF includes reputational risk within its definition of compliance risk, and as an outcome of incidents. We were advised that the bank addresses reputational considerations through a variety of executive forums; including the Board, Executive Committee (Exco) and the recently formed Reputational Risk Committee. During the review APRA noted an absence of discussion of reputational risk at a business unit level. Business unit committee minutes and reports focused more on the financial impact of crystallised events as opposed to consideration of potential reputational implications of events that have yet to emerge. APRA’s view remains that the CRMF is an important contributor to the management of reputational risk by the Group, and that business unit and compliance staff should take proactive steps to identify, discuss, document and, where appropriate, escalate reputational risks to more senior forums.

The review provided APRA with some insights into how CBA assessed its compliance risk culture. We noted a key component to this assessment is the People and Culture Surveys which have contributed to supporting the view of the CBA Board and management that CBA has a ‘good culture’. APRA noted that for some survey questions the range of answers was wide, which could indicate potential vulnerabilities, and that staff exhibiting poor behaviours may simply choose to not complete the survey. We also note that this has been the subject of a recent paper to Exco on culture and other discussions with the Board. APRA supports CBA developing its capability to measure and report on the quality of its risk and compliance culture. This is particularly relevant in light of the cultural weaknesses APRA has observed in Bankwest and historically in the Wealth Management Advice business.

One area of particular concern was the identified gaps within the bank’s AML/CTF and Sanctions controls and monitoring processes. APRA observed that key systems were overdue for upgrading and noted that concerns with the bank’s ability to manage these risks have been raised by both Internal Audit and other external regulators. lt is critical that CBA address the deficiencies that have been identified in a prompt and complete manner. This is of increasing importance given the recent large fines levied overseas for breaches of AML regulations and Sanctions. Accordingly, APRA has made this issue a requirement.

APRA supports the continued development of RisklnSite as a risk and compliance management tool and noted its strong capability and potential to capture risks, controls, testing and track assessments. However, the current state of RisklnSite implementation and its utilisation across business units varies significantly and is incomplete. APRA observed that multiple businesses were still in the process of inputting data into RisklnSite from other support systems, which included key risks and controls relating to compliance risks. In APRAs view there is a need for greater standardisation across business units and an improvement in the data quality. Until these enhancements are completed, the ability of RisklnSite to be a source for meaningful Group-wide reporting from both a consolidated and bottom-up perspective will be limited.

204    In relation to the 2013 audit report, APRA said:

APRA noted that the Internal Audit review of AML/CTF in December 2013 was rated ‘Red’ and the Group-wide Sanctions Review in February 2013 was rated ‘Amber’. Of particular concern to APRA was that in the AML/CTF review, Internal Audit identified that Know Your Customer (KYC) error rates of 25 to 45 per cent had been identified by the business or assurance areas in RBS, lB&B, Markets and Bankwest. However, test plans and RisklnSite controls had been rated ‘Green’, even though these errors existed and were well above the stated tolerances of 3 per cent. Internal Audit made the comment “we are concerned about the speed and, effectiveness of the escalation of these issues across the Group”. Although we only observed one incidence of this, it is a concern that business and risk staff were rating controls ‘Green’ when they should have been rated ‘Red’.

This finding also raises the issue of roles and responsibilities in regard to implementation, monitoring and oversight in this area, i.e. what role is played by Group functions versus the business units. APRA notes that CBA is, currently in the process of preparing a Group level assurance program for AML/CTF, Sanctions and anti-bribery and corruption.

Project Beta

205    In order to assess the status of the Bank’s remediation of the issues arising from the 2013 audit report, PwC considered AUSTRAC’s Compliance Assessment Report of 6 February 2014 and the Bank’s monthly updates to AUSTRAC outlining the remediation activities to be undertaken by its Business Units. In April 2015, PwC released a report entitled “Project Beta: Assessment of AML/CTF Remediation Activities Interim Report” in relation to its assessment.

206    In this report, PwC recorded that it “noted improved support and motivation amongst AML/CTF representatives at the Group and Business level” compared to a previous review. Of the 21 issues identified in the 2013 audit report, 20 had been completed and “closed” within the agreed timeframes, and that Business Units had offered and provided training to employees where policies, procedures, systems or controls had changed. PwC noted that Business Units had established Line 1 and Line 2 monitoring and testing, where necessary, to ensure ongoing compliance with remediation actions. PwC said that it was clear from discussions with “Action Owners” and employees within each of the Business Units that the findings of the 2013 audit report and AUSTRAC’s Compliance Assessment Report, as well as the remediation plans, had been communicated to relevant employees and that these employees “understood that these matters had to be addressed.

207    PwC noted, however, that RiskInSite was continuing to be used inconsistently and that there appeared to be an “inconsistent understanding of RiskInSite across the [Business Units] regarding its purpose, how to capture an issue and how to describe the activities and controls implemented to address the issue”.

208    PwC delivered a final report in June 2016.

The Bank’s Internal Audit Report 2015

209    In May 2015, Group Audit delivered a report on an internal audit which focused on the completeness of data captured in the Bank’s systems used for centralised AML/CTF screening and the processes it used for the maintenance of “AML/CTF rules” (the 2015 audit report). This audit was one of APRA’s requirements notified in the APRA Report.

210    The 2015 audit report gave an overall “red” rating based on an “unsatisfactory” rating for “Control Environment” and a “marginal” rating for “Management Awareness & Actions”. A “marginal” rating meant:

Management has shown some understanding of the significant risks and controls relevant to their business; however they were not performing regular testing of the controls to assess their operating effectiveness.

Alternatively, management was not aware of all material issues and/or was not taking appropriate and timely action to resolve and escalate.

211    In its Audit Conclusion, Group Audit noted (amongst other things):

… controls have not been embedded across the Group to validate the completeness and accuracy of data flows between source systems and those used for centralised AML/CTF screening.

212    Group Audit also noted:

A small proportion of International Fund Transfer Instructions (IFTI) and Transaction Threshold Reports (TTR) were not reported to AUSTRAC. The accuracy of information provided on IFTI, TTR and Suspicious Matter Reports was also highlighted as a concern by AUSTRAC in its Annual Compliance Assessment performed in January 2015.

213    Group Audit noted, further, that, in relation to co-ordinating the development of clear accountabilities for AML/CTF compliance processes across the Group:

… the Chief Compliance Officer will develop an enhanced Financial Crimes Compliance Framework, which will include mapping of end-to-end business processes, systems architecture and accountabilities. This aims to address the lack of ownership of group-wide compliance processes which has contributed to the current weaknesses in the control environment.

214    The 2015 audit report identified certain issues which had been given a “high” rating.

215    One issue was that there was “(u)nclear end-to end ownership and governance for AML/CTF processes across the Group”. This involved a lack of definition of roles and responsibilities to ensure that the reporting of IFTIs (and TTRs) to AUSTRAC was complete and accurate. The accompanying Issues Log noted:

The audit highlighted that transactional data relating to some high risk rated products is not being fed into the Group’s AML/CTF screening systems and high risk customer models maintained in systems are not up-to-date. We also observed knowledge gaps across multiple teams responsible for maintaining data flows between source systems and AML/CTF systems used for AUSTRAC reporting.

216    This issue was also given a “major” impact rating in the Issues Log with a “possible” likelihood (meaning, a less than 50% probability of occurring within the next 12 months). This entailed certain “reputation/brand” consequences, including a possible medium term fall (10 – 20%) in the Group’s share price. This rating also entailed certain “legal/regulatory compliance” consequences, including possible focused regulatory surveillance and significant increased regulatory oversight, and possible “major fines and sanctions”.

217    Another issue with a “high” rating was that there was “no end-to-end assurance performed over the completeness and accuracy of transactional data used for AML/CTF screening”. The Issues Log recorded:

There is no process to validate the completeness and accuracy of transactional data flows between source systems and those used for AML/CTF screening such as Financial Crimes Platform (FCP), Financial Crime Case Management (FCCM) and Proactive Risk Manager (PRM).

218    This issue was also given a “major” impact rating in the Issues Log with a “possible” likelihood.

219    Similar issues had been raised in the 2013 audit report.

220    The 2015 audit report identified a number of issues with a “medium” rating. One of these was that all cash deposits and withdrawals greater than or equal to $10,000 were not being reported to AUSTRAC. The Issues Log gave this issue a “moderate” impact rating with a “possible” likelihood. A “moderate” impact rating entailed certain “reputation/brand” consequences, including a possible short term fall (less than 10%) in the Group’s share price. It also entailed certain “legal/regulatory compliance” consequences, including “[i]ncreased general regulatory oversight”, “[p]otential impact on regulator relationships”, and “[f]ines”.

221    However, as Mr Elliott and Mr Bell noted in their Joint Report, the late TTR issue was not specifically identified in the 2015 audit report, including in the associated Issues Log. Mr Elliott and Mr Bell also noted that the 2015 audit report did “not identify a specific requirement to immediately review the detection methods for the cash deposit reporting systems”. They noted, further, that the account monitoring failure issue had already been self-identified on about 16 June 2014 and had been recorded in RiskInSite on 4 September 2014.

Events from mid-July 2015

The Tabcorp penalty proceeding

222    On 22 July 2015, AUSTRAC announced that it had commenced proceedings against Tabcorp for “extensive, significant and systemic non-compliance with Australia’s anti-money laundering and counter-terrorism financing legislation”. In its press release, it stated:

As we have demonstrated in this case, we are prepared to work with businesses to improve their systems and controls, but will take strong action when they fail to make the necessary improvements to address serious and systemic non-compliance.

223    These proceedings subsequently resolved with Tabcorp agreeing to pay a pecuniary penalty of $45 million.

AUSTRAC raises concerns

224    On 30 July 2015, the Bank met with AUSTRAC to provide a “general monthly update”. It seems that, beforehand, AUSTRAC and APRA had met and discussed the 2015 audit report. As I have noted, this audit was one of APRA’s requirements notified in the APRA report.

225    At the meeting with the Bank, AUSTRAC said that it had “serious concerns around” the audit. AUSTRAC made the overarching comment that, on the face of it, the 2015 audit report was “very concerning” and was “raising questions internally within AUSTRAC” and that, potentially, AUSTRAC “would … consider if enforcement action would be necessary”.

226    In a file note created on 30 July 2015, Mr Byrne (whose title in the file note was given as the Bank’s Head of Group Financial Crime Compliance, Regulatory liaison & complex matters) noted:

Examples of concerns from AUSTRAC’s perspective are around the apparent gaps in IFTI, TTR and SMR reporting, the fact that the Internal Audit report states that the business didn’t understand what is reportable, that systems are not generating alerts that they should be and that there are issues with the High Risk Customer Model. Further concerns include that the systems haven’t been looked at since 2009. However, there are general concerns with the report as a whole.

227    On 19 August 2015, a further meeting was held between the Bank and AUSTRAC. A report of the meeting that was given to Mr Toevs makes clear the Bank’s appreciation that there had been “a lot of dialog” between AUSTRAC and APRA and that AUSTRAC was “very open” about that fact. The report indicates that the Bank had been told informally that “the enforcement comment” had been made “incorrectly” but that “there was no firm retraction of the comment during the meeting”.

Project Nitrogen: The 2015 Entitlement Offer

228    In 2015, the Bank undertook a $5 billion capital raising through a pro-rata renounceable entitlement offer of new shares to existing shareholders. A due diligence committee (DDC) was established for that purpose. Mr Cohen was the Chair of the committee. The DDC was responsible for overseeing the due diligence process established by the Bank in connection with the preparation of the offer documents. One of its tasks was to identify potentially significant matters that might be regarded as market sensitive and to address those matters as appropriate. The DDC met regularly from July to September 2015.

229    The Bank’s advisers included their solicitors, PricewaterhouseCoopers Securities (PwCS), Goldman Sachs, Morgan Stanley, and UBS. Morgan Stanley and UBS were the underwriters of the issue.

230    The due diligence process included the following steps: (a) management personnel were issued with a questionnaire and were required to “sign-off” (confirm) information in their assigned areas; (b) the managers of the 2015 Entitlement Offer had the opportunity to question the Bank’s management personnel; and (c) Group Executives were required to provide formal verification to the effect that they were not aware of any material information being withheld from continuous disclosure that was required to be disclosed to the market.

231    The DDC was advised that, when assessing whether a particular matter was material to the offer, both quantitative and qualitative factors needed to be considered. In relation to quantitative materiality, PwCS provided input on the threshold that it considered appropriate for the Bank to use.

232    The Bank’s Board approved the 2015 Entitlement Offer and the offer documents on 11 August 2015.

233    On the same day, the DDC issued a report (the DDC Report). The DDC Report attached (amongst other things): (a) a management due diligence questionnaire; (b) management “sign offs”; and (c) verification certificates.

234    Amongst other things, the due diligence questionnaire:

(a)    asked whether there were “any material legal, regulatory or administrative actions, suits or proceedings in any court or by any government agency or body, domestic or foreign, currently pending or that are, to the knowledge of the Group, threatened against or affecting the Group or its directors” (Question 1.48);

(b)    asked for confirmation “that the Group has substantively complied with money laundering statutes in Australia (Question 1.55); and

(c)    asked for confirmation that “the Group has appropriate risk management policies to monitor compliance with applicable laws and regulations and to detect any non-compliance…[and] that no material non-compliance has been detected recently (Question 1.63).

235    Mr Cohen was the Group Executive responsible for Question 1.48. He answered “No”. Mr Cohen’s evidence was that this reflected his view at the time.

236    Mr Toevs was the Group Executive responsible for Question 1.55. He answered “Confirmed”. As to that answer, Mr Cohen gave this evidence:

36.    I note that the wording of question 1.55 sought confirmation that the Group had substantively complied with its AML requirements. My view was that this was the appropriate level of confirmation to seek. Given the volume of transactions and customers using CBAs services (then approximately 68 million branch deposits and withdrawals, 270 million transactions through Automatic Teller Machines (ATMs), 1.532 billion EFTPOS transactions and 528 million internet transactions, as well as a customer base of 15 million in FY15), I did not consider it reasonable (or indeed tenable) to expect there to be no instances of non-compliance (whether known or unknown).

237    Mr Toevs was also the Group Executive responsible for Question 1.63. He answered that question as follows:

Confirmed. The Group has appropriate risk management policies to monitor compliance with applicable laws and regulations and to detect non-compliance. Due to the detailed self-reporting regulatory regimes in the various jurisdictions the Group operates, on average each month some regulatory breaches are self-identified and reported. Confirmed that no material non-compliance issues [have] been recently detected.

238    On 12 August 2015, the 2015 Entitlement Offer was announced to the market through a cleansing notice issued under s 708AA(2)(f) of the Corporations Act (the 2015 Cleansing Notice).

239    On 24 August 2015, Mr Cohen signed a “new circumstances” proforma confirmation that he was not aware of any:

(a)     ... statement in the Offer Documents [that was] false, misleading or deceptive (including by omission) or likely to mislead or deceive (including by omission) or does not otherwise comply with the Corporations Act; or

(b)     ... omission from the Offer Documents of material required by the Corporations Act; or

(c)     ... new circumstance that [had] arisen since the Offer Documents were issued which the DDC would have required to be included in the Offer Documents if it had arisen before Offer Documents were issued or that changes the nature of any of the disclosures in the Offer Documents; or

(d)     ... material change to the potential effect the Offer will have on the control of CBA or the consequences of that effect.

240    Mr Cohen provided this confirmation on the express basis that he had relied on other members of the DDC and those responsible for reporting to the DDC who had appropriate expertise in relation to those matters falling outside his expertise.

241    On 17 September 2015, which was the day before the new shares were to be issued, Mr Cohen signed a confirmation that he was not aware:

(a)     that there is a statement in the Offer Documents which is false, misleading or deceptive (including by omission) or likely to mislead or deceive (including by omission) or does not otherwise comply with the Corporations Act; or

(b)     that there is an omission from the Offer Documents of material required by the Corporations Act; or

(c)     that there is a new circumstance that has arisen since the Offer Documents were issued which the DDC would have required to be included in the Offer Documents if it had arisen before Offer Documents were issued or that changes the nature of any of the disclosures in the Offer Documents; or

(d)     of a material change to the potential effect the Offer will have on the control of CBA or the consequences of that effect.

242    How does knowledge of the IDM ML/TF risk assessment non-compliance issue, the late TTR issue, and the account monitoring failure issue relate to the 2015 Entitlement Offer?

243    Mr Cohen became aware of the late TTR issue as a result of being sent an email by Mr Narev on 6 September 2015. I refer to this email in a later section of these reasons. As I have noted, in his affidavit Mr Cohen said that he did not become aware of the late TTR issue until October 2015. However, he corrected this statement at the commencement of his evidence in chief. Mr Cohen became aware of the account monitoring failure issue in April 2017. He became aware of the IDM ML/TF risk assessment non-compliance issue in August 2017, after the commencement of proceedings against the Bank by the AUSTRAC CEO.

244    In his affidavit, Mr Cohen turned his mind to what his thought processes would have been if each of these issues had been raised with him as part of the DDC process. He expressed his belief that none of them would have been a matter that needed to be disclosed and none of them would have had an impact on his ability to provide the verifications or confirmations he did provide, or warranted the Bank taking other steps such as “suspending, cancelling, withdrawing, [or] varying the 2015 Entitlement Offer, or making a supplementary disclosure”.

245    In the case of the late TTR issue, Mr Cohen’s evidence on this score—expressed as a hypothetical—sits somewhat awkwardly with the fact that he had actual knowledge of that issue as at 6 September 2015. However, he also said that, in relation to Question 1.55, he did not recall any discussion of AML/CTF compliance issues in the context of the 2015 Entitlement Offer, or that Mr Toevs or Mr Dingley had raised any concerns about such issues.

246    Mr Cohen’s evidence was that:

51.    In relation to the TTR issue, at the time of the DDC process, this was a compliance issue affecting a particular BU that had been uncovered in the context of a query from a regulator seeking to locate two TTRs, which needed to be (and was promptly) remediated. While threshold transaction reporting was an important process and the TTR issue was an unsatisfactory occurrence, from a continuous disclosure perspective I also believe that I would not have considered this to meet the threshold for disclosure in the context of CBAs broader business activities. It is my experience that having regard to the nature of CBAs business, it will be contacted regularly by regulators on a weekly, if not daily, basis in relation to CBA providing information and documents (including in response to statutory notices) to that regulator in relation to CBAs activities. It was consistently my view throughout the Relevant Period that the receipt of requests or notices from a regulator is not of itself material information because such receipt does not give any clear indication of whether the regulator intends to or will take any form of regulatory action, what form that action might take or other clear information about the nature, scale and composition of the issues underpinning that action. In the case of the TTR issue, at the time of the DDC process the regulatory query had not even advanced to a statutory notice stage.

247    The applicants contend that the Court should find that, knowing about the late TTR issue, Mr Cohen should not have provided the confirmation that he did on 17 September 2015. They contend that the Court should also find that the late TTR issue warranted the Bank suspending, cancelling, withdrawing, or varying the 2015 Entitlement Offer.

248    As to the account monitoring failure issue, Mr Cohen’s evidence was that:

52.      at the time of the DDC process this was a compliance issue that had been self-identified, was close to being resolved and was not to my knowledge the subject of any communication with the regulator. I am not aware of the exact number of affected accounts that were known at the time but in any event it was not something that I understood to be material even when the number of affected accounts later came to my attention. I would not have considered it something that needed to be disclosed in the context of the Entitlement Offer.

249    As to the IDM ML/TF risk assessment non-compliance issue, Mr Cohen’s evidence was that:

53.      even if I had understood CBA to have not complied with the Groups joint AML/CTF Program (AML/CTF Program) with respect to preparing an ML/TF Risk assessment of IDMs at or prior to their roll-out, I would not have understood it to be material and I would again not have considered it something that needed to be disclosed in the context of the Entitlement Offer.

Further events concerning the late TTR issue

250    By 18 August 2015 the late TTR issue had been escalated to Mr Dingley (and others). At that time, Mr Dingley was the Chief Operational Risk Officer. As communicated in an email from Mr Byrne, the Bank’s initial investigation at that time was that:

RBS [Retail Banking Services] has determined that large cash deposits made thru these IDMs are not feeding the TTR process. It is determining when the issue started and consequently how many reports were not lodged.

251    Mr Dingley responded:

… please push hard to get [the] facts quickly so we know how to respond. This does not sound good.

252    On 20 August 2015, Mr Dingley escalated the late TTR issue to Mr Toevs. In an email to Mr Toevs, Mr Dingley described the position as follows:

… It appears as if the deposits made through this channel are not being reflected in the cash transaction report that is submitted to Austrac. I have not yet been able to establish if this (sic) for a period of time, or since the machines went into the network. This could go back to 2010 as a worse case scenario. Tony Byrne is working with RBS and ES to get all the facts. If this is systemic, it will be very disappointing as Tony Byrne has had prior confirmation from RBS Risk that this was operating correctly.

253    Mr Dingley also said:

If [this] is a systemic issue, it may just tip the balance and it could be a tough ride with Austrac.

254    This last-mentioned comment was made in the context of Mr Dingley reporting to Mr Toevs that AUSTRAC had already raised concerns about the findings of the 2015 audit report (see [224] – [227] above).

255    By at least the morning of 4 September 2015, the late TTR issue had been escalated to Mr Narev who had asked for a “short briefing paper”. By the afternoon, Mr Byrne had prepared a briefing paper. The briefing paper said that it had been discovered that the two deposits (which had been referred to the Bank by AUSTRAC) had not been reported “because of a system coding error dating back to November 2012” and that, at that stage, “the investigation has identified that 51,637 TTRs were not reported to AUSTRAC” which represented “approximately 2.5% of the total reportable transactions for the same period (November 2012 to 18 August 2015)”. A prefatory section of the report noted that failure to comply with the obligation to lodge TTRs “can result in reputational damage and regulatory enforcement including fines and remedial action”.

256    On 6 September 2015 an email exchange took place between Mr Narev and Mr Comyn. In that exchange, Mr Comyn said that “the full extent of the issue is [being] investigated”. In response, Mr Narev said that he had spoken to Mr Toevs that day. He continued:

It goes without saying that we need to take this extremely seriously. I have let Alden know that he should personally be in touch with Austrac about this, and offer up a discussion with me. We need to adopt a similarly senior posture with AFP, though I suspect David Cohen (also copied) may be the better contact with them given that there are current legal proceedings.

Whilst this is as a result of unintentional coding related errors, the circumstances warrant very senior oversight.

We need also to make sure that:

- we are going through all relevant transactions to check for other problems

- we have fixed the problem, and

- no-one within the Group had knowledge of/concern about this issue. I understand we have no cause for concern about this, but I want to know that there was no avoidance of the issue/reluctance to escalate.

257    Mr Comyn replied on 7 September 2015 that the matter was being taken “very seriously” but that he had “zero concerns about the reluctance to escalate”.

258    In submissions, the applicants make much of the fact that, in his affidavit, Mr Narev did not refer to this correspondence. The applicants also rely on other aspects of Mr Narev’s cross-examination to contend that, in his affidavit, Mr Narev sought to minimise his initial reaction to the late TTR issue.

259    On reviewing the cross-examination of Mr Narev, I do not think that much turns on the fact that Mr Narev did not refer, specifically, to his email correspondence with Mr Comyn on 6 September 2015 in his affidavit. That said, I have no reason to doubt that this correspondence reflects Mr Narev’s contemporaneous state of mind.

260    In addition, I do not think that, in his affidavit, Mr Narev sought to minimise his initial reaction to the late TTR issue. In his affidavit, he did say that he did not consider that the late TTR issue had exposed the Bank to a risk of regulatory action until about October/November 2016. However, in cross-examination, Mr Narev clarified that he meant a “serious risk” of regulatory action. In other words, although in early September 2015 he thought that the late TTR issue posed a risk of AUSTRAC taking regulatory action, it was not until October/November 2016 that he thought that there was a serious risk of that happening. Mr Narev’s evidence was that, even then, he did not consider it to be “at all likely that AUSTRAC would commence regulatory action in the form of civil penalty proceedings in respect of the [late] TTR issue”. I accept this evidence.

261    On 8 September 2015, Mr Toevs sent a letter to AUSTRAC notifying it that 51,637 TTRs had not been lodged for the period November 2012 to 18 August 2015. The letter advised AUSTRAC of the root cause of the problem and informed it of the “extensive remediation program” that the Bank would implement in response. This included the Bank retrospectively submitting all of the reportable TTRs that resulted from the missing transaction code”.

262    On 24 September 2015, the Bank wrote to AUSTRAC informing it that the late TTRs had been lodged. There were 53,506 TTRs so lodged.

263    On 12 October 2015, Mr Toevs, Mr Dingley, and Ms Williams (the Chief Compliance Officer) prepared a report for the Bank’s Risk Committee which, after noting the outcome of the 2015 audit report, included the following:

3.4.2.     Group Operational Risk and Compliance (GORC) has accepted the outcomes of the Internal Audit reviews and is driving a series of initiatives to deliver effective end-to-end governance over the control environment.

3.4.3.        An example of the outcomes of these control issues and their ongoing rectification is that, following a recent investigation undertaken by the Bank into two unreported threshold transaction reports (TTRs) to AUSTRAC, it was identified that between November 2012 and August 2015, 51,637 cash deposits of over $10,000 conducted through intelligent deposit machines (IDMs) were unreported to AUSTRAC. This arose because of a coding error.

3.4.4.        While there is no formal breach reporting requirement under the AML/CTF Act, the breach has been reported to AUSTRAC and the non-compliance remediated. We have also taken steps to ensure better assurance processes are in place to detect these types of failures going forward. By taking steps to rectify the reporting failure and improving our control environment we reduce the risk of any regulatory action being taken by AUSTRAC.

264    The report noted that, in Australia, regulatory action had been taken against Barclays Bank, Mega Bank and Tabcorp for AML/CTF breaches, resulting in enforceable undertakings being given and (in the case of Tabcorp) “Federal Court action”.

265    The Bank’s Board was informed of the late TTR issue at its meeting on 12 and 13 October 2015.

266    On 12 October 2015, AUSTRAC responded to the Bank’s communications of 8 and 24 September 2015. In a letter to Mr Toevs, AUSTRAC expressed its “serious concerns” about the scale of the Bank’s non-compliance with s 43 of the AML/CTF Act and the period over which those contraventions had occurred.

267    AUSTRAC sought further details from the Bank in the form of information and documents. Among the documents sought was “any ML/TF risk assessment the CBA conducted on the IDMs before rolling out these machines in May 2012”. AUSTRAC sought a response by 26 October 2015.

268    The Bank provided that response by letter on 26 October 2015. In relation to the request for documents of any ML/TF risk assessment before rolling out IDMs, the Bank said:

CBA considers that IDMs were an enhancement of the existing ATM functionality as a channel to provide designated services. As a result, CBA has relied upon the ML/TF risk assessments conducted on ATMs as a channel for providing designated services.

269    The Bank also said:

No changes have been made to IDMs since 2012 to warrant any further risk assessment.

There were no additional high rated ML/TF risks raised in relation to the roll out of IDMs that required escalation to the Board or senior management. IDMs were intended to provide deposit functionality (similar to that of Branches) and the existing AML transaction monitoring controls and TTR reporting were applied to deposits via IDMs.

Events in 2016

Board meeting with AUSTRAC on 14 June 2016

270    On 18 April 2016, a briefing paper was prepared for the Board in relation to an upcoming lunch to be attended by the Board and several members of the Bank’s management with Mr Jevtovic (the AUSTRAC CEO) and Mr Clark (the Deputy CEO). This was to be Mr Jevtovic’s first meeting with the Board. The briefing paper noted Mr Jevtovic’s “strong law enforcement background” which, at the time of his appointment in 2014, “was expected to mark a change in AUSTRAC’s regulatory approach”. The paper said that:

Since his appointment, Mr Jevtovic has engaged in a program of reshaping and refocusing the activities of AUSTRAC. This has led to work commencing on a range of new initiatives. Many relate to developing greater partnerships with the private sector. …

271    An additional briefing paper was prepared for the Board on 27 April 2016. In relation to the Bank’s regulatory relationship with AUSTRAC, the paper said:

13.1        Whilst CBA’s collaboration on many of the initiatives set out above is viewed positively by AUSTRAC, their view of our compliance is less clear.

13.2        In the past year, there have been two issues which appear to have raised senior level concerns within AUSTRAC.

13.3        In May 2015, internal audit completed a review of AML/CTF systems across the Group. This review was undertaken as a result of an APRA Compliance Review in July 2014.

13.4        In July 2015, AUSTRAC raised concerns about findings in the review around potential transaction reporting failures.

13.5        A revalidation exercise was undertaken in relation to the transactions in question and it was determined that in most cases, the transactions identified by internal audit had either been reported manually, or were not reportable.

13.6        In September 2015, we notified AUSTRAC that we had identified that a number of transactions which were undertaken through intelligent deposit machines had not been reported to AUSTRAC.

13.7        AUSTRAC responded with two detailed requests for information in relation to this matter. The non-compliance detected has now been remediated.

272    The lunch was held on 14 June 2016. Mr Narev’s evidence of the meeting was that it was “a general discussion about what [the Bank] was doing in the AML/CTF area” and that Mr Jevtovic “did most of the talking”. Mr Narev recalled Mr Jevtovic saying words to the effect of “AUSTRAC’s relationship with [the Bank] is very strong and I feel very positive about it”. According to Mr Narev, nothing was raised at the meeting about the late TTR issue or any other concerns about the Bank’s AML/CTF compliance. Mr Narev said that he left the meeting “thinking that the Group was doing well and that AUSTRAC did not seem to have any current areas of concern relating to the Group”.

The statutory notices

273    On 22 June 2016, a notice was given to the Bank under s 167(2) of the AML/CTF Act seeking the production of information and documents (the first statutory notice). The notice was circulated to Mr Comyn and others by an email dated 23 June 2016. The content of the notice (and the background to it) was described by Mr Keaney (General Manager, Group Financial Crime Services) in a further email dated 13 July 2016 that was sent to various people, including Mr Comyn:

On 22 June 2016, a statutory notice was received from AUSTRAC for the production of information and documents. Information collected under this notice could be used by AUSTRAC in civil penalty proceedings against the Group, although at this stage AUSTRAC is silent on its intentions. The notice is wide ranging but primarily relates to CBA’s compliance with AUSTRAC’s customer on-boarding and ongoing customer due diligence requirements. There is a particular focus on on-line account opening procedures, including electronic verification of customer identities, and the monitoring of transactions through Intelligent Deposit Machines. The notice also seeks detailed information in relation to 59 customers and 120 accounts, and asks for AML-related audit reports (over multiple years) as well as minutes of Board meetings where those reports were considered.

This incident is related to the non-reporting of Threshold Transaction Reports for transactions undertaken through Intelligent Deposit Machines which was detected and self-reported to AUSTRAC in August 2015. Issues relating to that incident are largely closed out. The root cause for regulatory interest in relation to our customer on-boarding and ongoing customer due diligence processes more generally is not yet known. Further information on the root cause may be determined over the course of responding to the notice.

Should AUSTRAC launch Federal Court proceedings against the Group (as in the case of Tabcorp) there will be reputational impacts. In addition, the Group would incur costs in defending such action. The maximum penalty that could potentially be applied by a court is $18 million per breach. Based on the CEO of AUSTRAC’s description to the CBA Board just weeks ago that he has no concerns about the CBA’s intention to be fully compliant with AML legislation, and his belief that the Group is a diligent manager of AML Risk (against a backdrop of significant business and technology complexity) it is hard to believe that AUSTRAC intends to impose significant penalties on the Group – especially given that the CEO Mr Jevtovic would have known about this imminent notice at the time he met with our Board and yet didn’t raise it to offset his praise of the Group in relation to the management of financial crime.

274    Mr Keaney’s email was forwarded to Mr Narev on the same day.

275    The applicants submit that, in his affidavit, Mr Narev sought to downplay the significance of the first statutory notice. I am not persuaded that that is so. Mr Narev was clearly conscious of the fact that information collected under the notice could be used by AUSTRAC in civil penalty proceedings. However, Mr Narev said:

89.    Mr Keaney stated in his email that: “Information collected under this notice could be used by AUSTRAC in civil penalty proceedings against the Group, although at this stage AUSTRAC is silent on its intentions” and he provided a maximum penalty per breach as available under the AML/CTF Act. From my experience as CEO, it was common at any one time for several entities within the Group to be engaging with regulators (including ASIC, APRA and others, both domestic and foreign), including through formal and informal requests for information and documents at any given time. This included engaging through notices that could be used in civil penalty proceedings. The Regulatory Reports that I received routinely prior to CBA Board meetings, contained a table of “significant” interactions with a range of regulators for the previous period of which there were always several entries. However, as the Group had less experience in dealing with statutory notices from AUSTRAC, it made sense to me that Mr Keaney would confirm the use to which the notice could be put and the theoretical fines that could result.

90.        For the reasons given in his email, I understood that Mr Keaney continued to think that AUSTRACs concerns stemmed from the TTR Issue and that he did not believe that AUSTRAC intended to impose significant penalties on the Group, especially given recent interactions with Mr Jevtovic. This was consistent with my own view. My understanding was that the TTR Issue had been promptly actioned upon discovery by CBA and that AUSTRAC had only brought one civil penalty proceeding up until this point (against Tabcorp, which I expand on at paragraph 122 below). I did not consider there to be any likely prospect of AUSTRAC commencing civil penalty proceedings against CBA.

276    Despite some concessions made by Mr Narev in cross-examination to the effect that this was the first time the Bank had received a s 167(2) notice from AUSTRAC and that the Bank’s receipt of similar notices from other regulators could not inform him of how seriously AUSTRAC was undertaking its inquiries, I accept the general thrust of Mr Narev’s evidence as to his understanding at the time.

277    The applicants also submit that, in his affidavit, Mr Cohen sought to downplay the significance of the first statutory notice. Having reviewed Mr Cohen’s evidence, I do not accept that submission.

278    At the request of the Bank’s Legal Services team, a project team was formed to assist in maintaining confidentiality and legal privilege in respect of responses to the first statutory notice. This was part of a project called Project Concord (the project being the Bank’s response to AUSTRAC’s investigation as reflected in the first statutory notice).

279    On 2 September 2016, a second notice was given to the Bank under s 167(2).

280    On 14 October 2016, a third notice was given to the Bank under s 167(2) (the third statutory notice).

281    On 17 October 2016, an Executive Committee report was prepared seeking endorsement of a proposal to execute a program of work that would establish the fundamentals for the Group to manage its financial crime risk effectively and efficiently over the next three years”. The report commenced by noting:

1.1.    The Executive Committee is aware of the Group’s exposure to financial crime risk, including money-laundering, sanctions-violations and bribery and corruption, and of consequences of non-compliance, including fines by onshore and offshore regulators.

1.2.    Notwithstanding the Group’s investment in financial crime compliance in recent years, there is still a way to go, as recently confirmed by Group Audit.

1.3.    The potential for fines or other regulatory action seem elevated in light of AUSTRAC recently issuing the Group with an Enforcement Notice, stemming from breaches in Threshold Transaction Reporting from branch-based Intelligent Deposit Machines.

1.4.    Group Security is taking a leadership role in improving the Group’s management of financial crime and is now returning to ExCo to provide an update and plan for the way forward.

282    As I have noted above, by October/November 2016, Mr Narev thought that there was a serious risk of AUSTRAC taking regulatory action in relation to the late TTR issue. However, he did not consider it to be likely that AUSTRAC would commence civil penalty proceedings.

283    Mr Narev gave this evidence, which I accept:

98.     I recall that the updates in respect of AUSTRACs notices continued to be very administrative (that is, they were updates on the status and timetable of CBAs responses to the notices) and discussion at CBA Board meetings about the issues was limited. AUSTRACs enquiries were just one aspect of the Groups regulatory engagements at the time. Nobody suggested to me that this was more serious than the various other regulatory issues that the Group was dealing with at the time. That said, at about the time I became aware of AUSTRACs third statutory notice, I started to become concerned by the fact that AUSTRAC was continuing to ask questions and seek documents notwithstanding that we had by now been engaging for more than a year. I turned my mind to the possibility that it may take some type of formal action against CBA. At the time, I thought that if AUSTRAC decided to take formal action, it was likely to involve some type of remedial direction, engagement of an external auditor, or enforceable undertaking. I based that view on my experience in dealing with other regulators over the course of my role, and my understanding of the issues and their status as set out above. To my mind, while AUSTRAC was asking a range of questions, their interest stemmed from the TTR Issue which CBA had been open with them about and had worked hard to address. Based on the reports I had read as described above, my understanding was that the issues had been closed out and that AUSTRAC had indicated that it was comfortable with how that had been done. My direct interactions with Mr Jevtovic had been positive, even at a CBA Board lunch directly before CBA received the first statutory notice as I have referred to above. In the circumstances, I did not consider it at all likely that AUSTRAC would commence civil penalty proceedings. I do not recall anyone expressing a different view.

284    The applicants place reliance on evidence given by the Chairperson of the Bank’s Board, Ms Livingstone (who was appointed with effect from 1 January 2017), at the Financial Services Royal Commission:

… either at the October meeting, and I think it was the October meeting, because I think by then the second notice had been received, I challenged management about why were we getting these notices. What was behind them. And was AUSTRAC concerned about something. And so the answer I received was, well, AUSTRAC knew that we were working hard and investing in our financial crimes compliance platform but that we weren’t fully compliant at that time. And that there was significant work and significant investment going on, and that we were maintaining contact with AUSTRAC. And in addition, the then CEO of AUSTRAC had actually met with the board at its June 2016 meeting, at which I was not present, but had not raised any issues with the board at that meeting. I have to say, I was concerned about the fact of the notices, and I had had experience with AUSTRAC in a previous role. So it didn’t feel quite right to me that AUSTRAC would be comfortable with where we were, but management provided assurances that they were fully informed about the situation of - in terms of our level of compliance.

When you say “management”, who provided those assurances?---The CFO did.

285    I do not think that this evidence advances matters substantively other than to confirm that, while service of the statutory notices was a matter of concern, senior executives in the Bank were of the view that the Bank was working productively with AUSTRAC in relation to the Bank’s AML/CTF compliance issues and did not think that it was likely that AUSTRAC would commence civil penalty proceedings against the Bank.

The Bank’s internal audit report 2016

286    In the meantime, on 28 September 2016, Group Audit delivered a report on a further internal audit in relation to the Bank’s AML/CTF framework (the 2016 audit report). The 2016 audit report gave an overall “red” rating based on an “unsatisfactory” rating for “Control Environment” and a “marginal” rating for “Management Awareness & Actions”.

287    In its Audit Conclusion, Group Audit noted (amongst other things) that:

A large number of AML/CTF issues continue to exist across the Group, with weaknesses identified across Business Unit’s (sic) … and Group-wide AML/CTF processes. A number of repeat issues were identified due to inadequate implementation of action plans. Many of the prior issues remain open, with projects currently underway or due to commence to revisit the AML/CTF operating model and completeness of AML/CTF data flows.

288    Group Audit also said:

As part of this Audit, Internal Audit conducted an independent review of the Group’s Part A AML/CTF Program as required by the AML/CTF Rules … Whilst we found that the Bank’s AML/CTF framework covered all of the key requirements of an effective AML/CTF framework, we noted a number of gaps in the development of the program (for example, mapping of compliance obligations), and the implementation and operationalisation of the program …

289    Group Audit noted that the Group had been “slow to address many of the previously identified issues and associated root causes” and that a “number of significant issues from our Audits in 2013 and 2015 remain unaddressed and are either still being remediated … have been reopened due to inadequate remediation … or are yet to be addressed …”.

Events in 2017

Meeting with the AUSTRAC CEO

290    On 30 January 2017, Ms Livingstone had a meeting with Mr Jevtovic. Ms Livingstone did not give evidence in this proceeding, but her handwritten note of the meeting is in evidence. The note records, amongst other things, the following matters.

291    First, the note records Mr Jevtovic’s view that the Bank’s relationship with AUSTRAC was professional “outside of IDMs”. The apparent concern in that regard appears to have been the late TTR issue and the Bank’s failure to lodge TTRs as discussed above. However, the note records that, while that matter “warrants close scrutiny”, the Bank did respond to “the systems issue”.

292    Secondly, the note records that AUSTRAC was concerned about whether the Bank had done sufficient work on understanding AML/CTF risk. In this regard, the note refers to the 2015 internal audit and appears to question the Bank’s “risk culture” (with the Bank’s “poor performance” as against other banks noted).

293    Thirdly, the note records that AUSTRAC was concerned about the Bank’s lack of reporting, its poor risk assessment, its slow response to risk assessment, and the fact that its IDMs had been compromised by organised crime.

294    Fourthly, the note refers to the issue of the three statutory notices, but records AUSTRAC’s view that the Bank had responded adequately to the notices.

295    Fifthly, the note records that AUSTRAC had made no decision on what action “it may or may not take”. The note appears to indicate that AUSTRAC would make a decision in that regard within two weeks, and that there were “options”.

296    On 31 January 2017, Mr Narev (who, at this time, was concerned that the late TTR issue had been “dragging on” with AUSTRAC and that AUSTRAC might be considering taking action, such as an enforceable undertaking, which he wanted to avoid) sent Ms Livingstone an email in which he said:

I am keen to get your instincts on how, if at all, you believe we can engage with [AUSTRAC] in advance of the final determination to influence it.

297    Mr Cohen gave evidence that he had a conversation with Ms Livingstone following her meeting with Mr Jevtovic in which she said that “[t]he discussion was unremarkable”, that Mr Jevtovic was “fine”, and that “AUSTRAC has no major issues”, although there was “an ongoing investigation which we obviously know about”.

298    This evidence was based on Mr Cohen’s recollection of the conversation some years after the event (in the course of preparing his affidavit). Mr Cohen had not seen Ms Livingstone’s note and had made no record of his conversation with her. Mr Cohen’s recollection of the conversation does not sit well with the matters recorded in Ms Livingstone’s note, which reflects a concern by AUSTRAC that was more significant than Mr Cohen’s recollection of Ms Livingstone’s words suggest. I consider that Ms Livingstone’s note provides a more reliable picture of AUSTRAC’s concerns at the time.

The development of Project Concord

299    The further action, if any, that AUSTRAC might take as a consequence of the late TTR issue remained a matter of abiding concern for the Bank. The Bank continued to consider the causes and impacts of that issue.

300    By 7 February 2017, Project Concord had expanded to include “an internal and external communications plan to be used in the event of public dialogue from AUSTRAC on the TTR matter”. The concern appears to have been that, through various means, the fact that AUSTRAC was investigating the Bank in relation to the late TTR issue might or would become public knowledge. The Bank was concerned about bad publicity. One of the aims of the management of this issue was to seek to influence, to the extent possible, how the Bank’s customers and investors would react upon becoming aware of the investigation of the late TTR issue. However, at that time, the plan did not envisage that AUSTRAC would commence proceedings against the Bank.

301    On 14 February 2017, Ms Watson (the Executive General Manager, Group Security and Advisory) sent an email to Mr Craig (the Bank’s Chief Financial Officer), stating (amongst other things):

-        No new information from AUSTRAC

-        AUSTRAC have knocked back multiple requests for clarity

-        Paul Jevtovic has declined two invitations to meet with the CBA Board this week (invited May and June – no to both)

-        Latest update is Catherine Livingstone’s where Paul said “I will let you know soon…”

-        Action could include:

o    Civil penalties following court proceedings

o    Enforceable undertaking style action

o    External review/audit of our financial crime arrangements.

There would likely be a media overlay to any of these actions.

The settlement of the Tabcorp proceeding

302    On 16 February 2017, The Australian newspaper reported that Tabcorp had revealed the terms of a settlement with the AUSTRAC CEO in which it had agreed to pay a pecuniary penalty of $45 million. A copy of the article was sent, by internal email, to Mr Cohen. Mr Cohen’s response was:

Yes saw that today – this will potentially embolden AUSTRAC in its issue with us.

303    I understand Mr Cohen’s reference to “its issue with us” to be to the late TTR issue.

304    Ms Watson sent an email to Mr Comyn and others attaching a media release and articles explaining the settlement. Mr Comyn’s response was:

Jeez, that’s a lot of money. Can you please remind me of the nature of their breach. I hope it’s much more severe than us?

305    Around 21 February 2017, Mr Cohen reviewed a draft regulatory report to be presented at the upcoming March 2017 Board meeting. The report was directed to regulatory matters concerning APRA, the Australian Securities and Investments Commission (ASIC), and other regulators (including AUSTRAC). Mr Cohen made a number of amendments to the draft including in relation to the section dealing with “Other Domestic Regulators and Financial Crime Compliance”. As amended by Mr Cohen, the report provided the following update in relation to AUSTRAC’s investigation into the late TTR issue (the italicised words are Mr Cohen’s additions and the strike throughs are his deletions):

There have been no further regulatory enquiries from AUSTRAC since 9 December 2016 but AUSTRAC has stated that it is considering whether to take regulatory action against CBA for failing to report transactions processed through Intelligent Deposit Machines when the final responses were submitted to the AUSTRAC notices on customer due diligence and ongoing customer due diligence requirements. CBA continues to meet with AUSTRAC and support its AUSTRAC’s broader strategic initiatives. On 16 February 2017, it was reported that AUSTRAC had has reached a $45 million out of court settlement with Tabcorp for breaches of the AML/CTF Act. Tabcorp is the first entity against which AUSTRAC has ever sought to take civil penalty action.

306    In his affidavit, Mr Cohen commented that he could not recall the source of the added statement about AUSTRAC considering regulatory action. He expressed his confidence that the addition of this statement was not intended to indicate the view that AUSTRAC was considering civil penalty proceedings. In this connection, he referred to his use of the expression “regulatory action” which, in his understanding, conveys that there are a range of steps that are available to a regulator. He said that if, at the time, he had considered that the commencement of civil penalty proceedings against the Bank was a real risk, he would have used the words “commence legal proceedings”.

307    Mr Cohen was challenged on this evidence in cross-examination. It was put to him that, by his affidavit, he was seeking to “ameliorate or alter the plain meaning of the contemporaneous record”.

308    I do not accept that contention. First, I can think of no reason why, if Mr Cohen had considered the commencement of civil penalty proceedings to be a real risk, he would not have said so directly in the report. Secondly, AUSTRAC’s armamentarium included a range of actions (discussed above). According to Ms Livingstone’s note, Mr Jevtovic had communicated to her only some weeks beforehand that AUSTRAC had made no decision on what action “it may or may not take”, and that it had “options”. There is nothing in the evidence to suggest that this view had changed in the period between Ms Livingstone’s meeting with Mr Jevtovic and Mr Cohen’s amendment to the draft report.

7 March 2017 meeting with AUSTRAC

309    On 7 March 2017, Ms Watson and Mr Keaney met with AUSTRAC. Ms Watson summarised the meeting in an email to Mr Craig on 8 March 2017, as follows:

Matt Keaney and I met with AUSTRAC yesterday. They described their view of the TTR and associated matters as “serious, significant and systemic”. They also said our failure to immediately and proactively tell them about these and other problems (here they were talking about control weaknesses over multiple years, etc) is a show of bad faith which leads them to wonder what else is broken across CBA’s financial crime landscape.

They said they have not made a determination but it isn’t far off. And in either a slip or a deliberate signal they said “we will tell you before we go public or to media.”

Legal is helping draft a defence outline so we can work out what we do under a civil penalty scenario in particular. I didn’t get any sense of them being interested in us putting an EU to them - they told me that the ball is in their court and they’re going to make a decision then either advise or consult with us.

310    A copy of the email found its way to Mr Narev. Mr Narev gave this evidence:

109.    I understood the discussion that AUSTRAC had with Ms Watson and Mr Keaney as an opening up of the lines of communications with CBA, and I also anticipated that AUSTRAC had used this opportunity to play hardballahead of further discussions between the parties. In that context, I was not surprised by the message from AUSTRAC, including the fact that AUSTRAC had described CBAs conduct as serious, significant and systemic - this was the first time I had seen that language used in CBAs engagement with AUSTRAC, and I interpreted it as part of AUSTRACs desire to be taken seriously ahead of discussions. In response, I suggested CBA take the initiative, and seek to initiate high level discussions involving Mr Jevtovic, Ms Livingstone and myself. I wanted to quickly engage with AUSTRAC at the highest levels of the organisations. My view was that now that we had heard from AUSTRAC, and that it appeared it was contemplating some type of action but had not yet made a determination, it was time for CBA to step up its attempts at engagement with them. While my view remained that a civil penalty proceeding continued to be unlikely, at about this time (I do not now recall precisely when), I did turn my mind to what the outcome might look like for CBA, in what I considered to be the unlikely event that civil proceedings were commenced in respect of the TTR Issue. To the best of my recollection, I speculated that a penalty might be in the region of about $10 million, because I viewed the TTR Issue as a single event resulting from an unintended software glitch.

311    Mr Narev forwarded Ms Watson’s email to Ms Livingstone, saying:

Obviously not good news here, though also not surprising.

The judgment call we need to make from here is whether at the Chair/CEO level we ought to reach out again before a final determination?

312    Ms Livingstone responded:

Agree – not good news. Paul didn’t say anything on Monday and in fact could not have been more friendly.

It might be a good idea if you and I together seek a meeting with Paul. If they speculate publicly about ‘what else is broken’ it will play into the very convenient culture rhetoric. We must make sure that we are dealing with facts and not supposition.

313    I understand the reference to “Paul” in Ms Livingstone’s email to be to Mr Jevtovic.

21 March 2017 meeting with AUSTRAC

314    On 21 March 2017, Mr Narev and Ms Livingstone met with Mr Jevtovic and Mr Clark. In preparation for that meeting Mr Narev drafted a “high level script”. This script envisaged that Mr Narev would suggest to AUSTRAC that the Bank and AUSTRAC:

… [engage] heavily now, in good faith, prior to any formal action, in discussions that would result, within a month, in an agreed path that involves acknowledgement for our part of weaknesses, a clear commitment to remediation, and a monetary fine. We would engage senior subject matter experts rather than lawyers (though of course some legal input would be necessary). And those experts would report directly to us. At a minimum, if that does not work within the relevant legal frameworks, it would involve an announcement by Austrac that it is commencing proceedings, accompanied by a clear statement that Austrac and CBA are already working constructively towards a solution.

315    It is apparent that, in preparing this script, Mr Narev’s thinking was to attempt to negotiate an outcome with AUSTRAC which, preferentially, did not involve the bringing of proceedings for a civil penalty. In that regard, it is apparent that he thought that he could agree on a monetary “fine” with AUSTRAC without further action being taken.

316    As events transpired, Mr Narev’s thinking changed with respect to the approach to be taken at the meeting. A further draft script (this time comprising bullet points) omitted the above quoted passage and any reference to payment of a fine.

317    In oral closing submissions (in reply), the applicants pointed to a document prepared by Ms Watson entitled: “Do we believe we can influence the outcome?”. The document appears to have been prepared around 15 March 2017. It discusses the possible action that AUSTRAC might take and the Bank’s preferred outcome.

318    The applicants refer to a part of the document that recognises (contrary to what seems to have been Mr Narev’s understanding at the time) that a “fine” could not be imposed by AUSTRAC “outside of court proceedings”. The applicants submit that this realisation is the reason why Mr Narev’s thinking changed with respect to the approach to be taken at the meeting. I note, however, that the document also suggests that the Bank not offer a “fine”, not just because AUSTRAC can’t do it” but also because “the EU should be to prevent a fine on any known issues or new issues found through the review”. This reference, read with other elements of the document, suggests that the Bank had in mind that it could influence AUSTRAC to require the Bank to give an enforceable undertaking rather than proceeding down the path of civil penalty proceedings (notwithstanding the reservation expressed in Ms Watson’s email of 8 March 2017 (see [309] above)). Another part of the document looks to the possibility that another preferred outcome would be the appointment of an external auditor. Read as a whole, the document shows that the Bank believed that there was, indeed, a prospect of influencing AUSTRAC’s thinking as to the course it could follow.

319    Mr Narev gave evidence of the discussion at the meeting. After recounting statements made by Mr Jevtovic and Mr Clark about the general nature of the engagement between the Bank and AUSTRAC, Mr Narev gave this evidence of the discussion:

Mr Jevtovic:    We have been looking into the information which CBA had been providing to us, and we have found some other things beyond the non-reporting of the TTRs. As recently as January, something happened that concerned us. We are looking into possible failures to lodge reports, submit reports linked to investigations, do some on­going customer due diligence, and undertake adequate risk assessment of the IDMs.

    We think this is serious because of the scale of the IDMs, which should have prompted an earlier risk assessment than what was undertaken in mid-2016. Internal advice had highlighted the risk of IDMs.

    I wonder whether CBA's investment has necessarily been in the right place. We think accounts have remained open without follow-up. We also think that CBA’s SMR policy may contradict the Act. There is a written policy which suggests that once SMRs had been submitted, further SMRs did not need to be.

    In terms of next steps, AUSTRAC is going to take an evidence-based approach. The options for us are an external auditor, a remedial direction, seeking an Enforceable Undertaking, or instituting civil penalty proceedings.

    We think it will take approximately one more month until we decide which path we want to follow.

    As we consider our options, CBA’s leadership approach will be critical. This is the first time that a Chair and CEO have ever come personally to AUSTRAC, and that makes a difference. We are also very encouraged by Philippa’s leadership and her relationship with Peter.

Ms Livingstone:     I have met with Paul prior to this meeting, on matters unrelated to these issues.

    We acknowledge that the issues you are now raising are serious, and that CBA needs to do better.

    We do think it is important that the path forward be constructive. Beyond the regulatory issues, there are potential reputational issues that are important to CBA, and it is key to us that it is not portrayed that CBA has a cavalier and disrespectful approach.

    It is clear that this is about systems, policy and capability, not bad intent. Our priority is to make sure this process sticks to the facts.

Mr Jevtovic:    We are not interested in adding to “bank bashing”, and in fact all the major banks have been important and constructive partners for us.

    We will give you advance notice once we have decided what path to go down. We will definitely not do anything without telling CBA first, and we'll allow CBA time to consider what AUSTRAC is going to do.

    The work that CBA has done in recent times will be instrumental in shaping AUSTRACs thinking about which path it will take.

Ms Livingstone:     We will have Philippa Watson articulate CBA's vision today and walk that over.

320    Mr Narev’s evidence in this regard was not challenged substantively in cross-examination. I note that, consistently with Mr Jevtovic’s advice to Ms Livingstone at their meeting on 30 January 2017, and the indication given at the meeting on 7 March 2017 between AUSTRAC and Ms Watson and Mr Keaney, AUSTRAC was still referring to “options” which not only included civil penalty proceedings, but other regulatory action which was available to it. In cross-examination, Mr Narev accepted that it was fair to say (apparently based on his understanding of the matter) that AUSTRAC was seriously considering all options, including civil penalty proceedings. Even so, Mr Jevtovic had made it clear that AUSTRAC had not made a decision about “the path we want to follow”. He had also made it clear that AUSTRAC would give the Bank “advance notice once we have decided what path to go down” and provide the Bank with an opportunity to consider what AUSTRAC was going to do.

321    Although Mr Narev did not deploy the idea of agreeing to an outcome with AUSTRAC that involved the bank paying a “fine”, he was cross-examined on his preparation of the first draft of the script. Mr Narev accepted that, at that time, his thinking was that it was “highly likely”, but not inevitable, that AUSTRAC would be seeking a fine from the Bank.

322    On 27 March 2017, Ms Watson sent a letter to Mr Clark referring to the meeting with Mr Narev and Ms Livingstone on 21 March 2017. The letter affirmed the Bank’s commitment to combatting financial crime and advised on key enhancements the Bank had made to the way in which it managed its AML/CTF obligations and the actions it had taken to address specific concerns that had been raised by AUSTRAC through the statutory notices. The letter also spoke of the steps that the Bank had taken to strengthen its “AML/CTF capability”.

Mr Jevtovic leaves AUSTRAC

323    On 13 April 2017, it was announced that Mr Jevtovic was leaving AUSTRAC. In a departing public statement, Mr Jevtovic said:

I want to also acknowledge the strong support for our vision received from industry, particularly CBA, NAB, Westpac, ANZ, Western Union, PayPal and Thomson Reuters, as well as partners in academia, non-government organisations and the community.

324     On that day Ms Watson sent an email to Mr Craig, saying:

As you see, some positive statements about CBA. I connected with Peter Clarke (sic) (the acting CEO) on a separate issue prior to this announcement and received a warm note back, signed “cheers” so perhaps all the effort we have made to build the relationship with AUSTRAC is starting to pay off. Time will tell. We still need to get the enhancement work done as a priority, so we’re driving that.

325    Mr Craig forwarded this email to Mr Narev. Mr Craig’s accompanying message to Mr Narev included the following:

Philippa has developed an excellent relationship with Peter Clarke (sic) and has accepted his invitation to attend a Conference that he is co-leading in Moscow in a couple of week’s time.

326    From that time, up to 3 August 2017, there were no substantive updates from AUSTRAC. However, on 13 April 2017, the Bank did respond to a request from AUSTRAC (made on 1 March 2017) for further information in relation to two matters arising from the Bank’s responses to the first and third statutory notices (issued on 22 June 2016 and 14 October 2016, respectively) in respect of the account monitoring failure issue.

327    Also, on 22 June 2017, Ms Watson had a telephone discussion with the Acting Deputy CEO of AUSTRAC and Head of Enforcement on a range of matters. The call was initiated by Ms Watson. In an email to Mr Craig on that day, Ms Watson said:

We explained that the call was very much in the spirit of wanting to maintain an open dialogue and to demonstrate our commitment to building a trust-based relationship where an early “heads up” on matters reinforces the relationship.

328    As to this communication, Ms Watson said: “All in all, it was a good call”. Ms Watson reported that, in the call, she raised the “TTR/IDM Issue” but was told that “things had slowed at AUSTRAC”. The indication was given to Ms Watson that AUSTRAC was hoping to inform the Bank of its deliberations “by late July”.

329    Mr Narev forwarded Ms Watson’s email to Ms Livingstone, saying:

A good update; and a sign that the relationship management is good. Though of course the risks all remain.

330    In his evidence, Mr Narev described his reaction to Ms Watson’s email as one of “cautious optimism”. He said:

I thought AUSTRAC was likely in a period of disorganisation following the announcement of Mr Jevtovic’s departure, and that there was likely to be a further period before AUSTRAC made any decision about CBA. It seemed to me that there continued to be a very constructive relationship between the two organisations, and while I was aware AUSTRAC still needed to make a decision on its approach, I thought this was a good update from CBA’s perspective, but was not a cause for complacency.

331    On 23 June 2017, Mr Narev had a meeting with the Minister for Justice and Minister Assisting the Prime Minister on Counter Terrorism, the Honourable Michael Keenan. Mr Narev wanted to meet Mr Keenan prior to any further developments with AUSTRAC. In an email (which included Mr Craig and Ms Watson as recipients), Mr Narev described the meeting as “very valuable” and reported:

… Key points are as follows:

-        The Minister is aware of Austracs investigations

-        This is very much Austrac’s process, ie he does not expect to have significant involvement

-        He has heard directly that Austrac considers us to have a partnership approach. He noted specifically that he was made aware that Catherine and I had made the effort to go and visit

-        In that sense it was considered a different type of issue than Tabcorp

-        Although of course there is currently a leadership change, he believes these views are shared by the level below Paul as well, ie the key acting leaders.

Whilst of course this does not alter the seriousness with which we should take all this, nor remove the risk, it does show that the approach we are taking in our interactions is unquestionably the right one.

The Bank develops a communications strategy on a “worst case scenario

332    By 22 March 2017, Project Concord had reached the stage of formulating a communications strategy should AUSTRAC commence proceedings against the Bank, described as a “worst case scenario”. The strategy was based on the events attending the Tabcorp proceeding. It also focused on AUSTRAC’s investigation of the late TTR issue.

The civil penalty proceeding

AUSTRAC informs the Bank it is commencing proceedings

333    At about 10.18 am on 3 August 2017, Mr Narev received a message that Mr Clark of AUSTRAC needed to speak to him “quite urgently”. Shortly after receiving the message, Mr Narev telephoned Mr Clark, who, according to Mr Narev, said:

AUSTRAC is issuing civil proceedings against CBA in around 15 minutes. We will arrange service of the relevant court documents and this will be followed shortly after by a media release from AUSTRAC.

334    Mr Narev’s response to Mr Clark was:

This is exactly what you said you wouldn’t do.

335    Mr Clark replied:

I hope this doesn’t harm the relationship AUSTRAC has with CBA.

336    I accept that Mr Clark’s message took Mr Narev (and the Bank) by surprise, in that AUSTRAC had informed the Bank on a number of occasions that it would give advance notice of any action it decided to take to enable the Bank to consider its position. No doubt, from the Bank’s perspective, adequate notice would have provided it with the opportunity to make further representations to AUSTRAC.

AUSTRAC announces the commencement of proceedings

337    At 12.26 pm on 3 August 2017, AUSTRAC posted the following Tweet:

338    The Tweet linked to the following media release posted on AUSTRAC’s website:

339    It will be apparent that the media release refers to, sequentially, the IDM ML/TF risk assessment non-compliance issue, the account monitoring failure issue, and the late TTR issue. However, importantly, the media release also refers to two other issues of non-compliance—the Bank’s failure to report suspicious matters (either on time or at all) for transactions totalling over $77 million, and the Bank’s failure to monitor customers even after becoming aware of suspected money laundering or structuring in respect of accounts held with the Bank.

340    The media release also communicated AUSTRAC’s view that, by commencing proceedings against the Bank, it was sending “a clear message” to all reporting entities about “the importance of meeting their AML/CTF obligations”.

341    This media release conveyed significant public censure by AUSTRAC of the Bank’s failings. It conveyed the message that AUSTRAC’s action against the Bank should be taken by other reporting entities as a warning that similar strong action could be expected for like conduct. It included a link to the Concise Statement that AUSTRAC had filed (which is reproduced in Schedule 1 to these reasons).

342    The Concise Statement contains significantly more detail than the media release. Paragraph 6 deals with the IDM ML/TF risk assessment non-compliance issue and para 8 deals with the account monitoring failure issue. However, para 7 refers to another area of alleged non-compliance:

CommBank has not introduced appropriate risk-based systems and controls to mitigate and manage the higher ML/TF risks it reasonably faces by providing designated services through IDMs, contrary to Section 2 of Part A [of the Bank’s AML/CTF Program].

343    Paragraphs 9 and 10 refer to the late TTR issue. However, para 10 includes the following additional information:

1,640 of the Late TTRs (totalling about $17.3 million) related to transactions connected with money laundering syndicates being investigated and prosecuted by the Australian Federal Police (AFP) or accounts connected with those investigations. A further 6 of the Late TTRs related to 5 customers who had been assessed by CommBank as posing a potential risk of terrorism or terrorism financing. Two of the Late TTRs were lodged with AUSTRAC on 24 August 2015 and the remaining 53,504 were lodged with AUSTRAC on 24 September 2015.

344    Paragraphs 11 to 14 refer to the Bank’s alleged failure to lodge SMRs and to carry out ongoing due diligence on accounts, even after becoming aware of suspected money laundering and the structuring of accounts:

11.     Suspected money laundering was conducted through CommBank accounts, by way of cash deposits, many through IDMs, followed immediately by international and domestic transfers. Many of the cash deposits were ‘structured’ by customers: that is, deposited in amounts just under the threshold transaction limit to avoid triggering CommBanks obligation to give a TTR to AUSTRAC. Structuring is an offence under s 142 of the Act.

12.     Despite identifying the pattern of activity on these accounts as suspicious and indicative of money laundering, CommBank repeatedly failed to comply with its obligations to give a suspicious matter report (SMR) to AUSTRAC either at all or within the time required by s 41 of the Act. In part, this was because CommBank adopted a policy not to submit SMRs if the same type of suspicious behaviour had been reported any time within 3 months prior. In other cases, SMRs were not reported because no transaction monitoring alert had been raised, alerts had not been reviewed, or, where alerts had been raised and reviewed, CommBank only partially reported its suspicions. CommBank also failed to lodge SMRs because notifications by law enforcement of unlawful activity were ignored.

13.     Section 36 of the Act requires CommBank to monitor its customers with a view to identifying, mitigating and managing ML/TF risk. CommBank failed to do this, including because in some instances, no transaction monitoring alerts were raised for suspicious activity, and, when alerts were raised, they were not reviewed in a timely manner having regard to ML/TF risk (in many instances, alerts were not reviewed for months after they were raised). In many cases, the accounts the subject of money laundering were not being monitored at all.

14.     Even after suspected money laundering or structuring on CommBank accounts had been brought to CommBank’s attention (by law enforcement or through internal analysis), CommBank did not monitor its customers with a view to mitigating and managing ML/TF risk, including the ongoing ML/TF risks of doing business with these customers. Rather, once suspected money laundering or structuring had been identified on these accounts, CommBank often looked no further than whether or not to submit an SMR. The Rules require mandatory enhanced customer due diligence (ECDD) where a s 41 suspicion is formed. CommBank did not carry out any ECDD on these accounts (such as identifying the source of the customers wealth or terminating accounts) either at all or until after several SMRs had been raised. When CommBank terminated accounts, customers were generally given 30 daysnotice. Suspicious transactions were allowed to, and did, continue during the notice period on some of these accounts.

345    The Concise Statement then proceeds to give details of the consequences of the Bank’s failings in relation to the activities of four money laundering syndicates (paras 15 to 29) and a “cuckoo smurfing” syndicate (paras 30 to 34). (“Cuckoo smurfing” is a particular form of money laundering.)

346    Finally, paras 35 to 37 provide other instances of non-compliance by the Bank with its AML/CTF obligations.

347    It will be noted that, even though Mr Clark had told Mr Narev after 10.18 am on 3 August 2017 that AUSTRAC would be commencing proceedings, the Concise Statement had, in fact, been lodged with the Court for filing at 9.39 am on that day. In other words, AUSTRAC had taken steps to commence enforcement proceedings seeking pecuniary penalties against the Bank without prior warning or, indeed, the advance notice that AUSTRAC said that it would give to the Bank when it had arrived at a decision as to the action, if any, it intended to take. Contrary to the expectation that AUSTRAC had engendered, the Bank did not have an opportunity to consider its position in relation to AUSTRAC’s decision. No doubt that consideration would have included whether steps could, or should, be taken by the Bank to attempt to dissuade AUSTRAC from taking its chosen course.

348    I will refer to AUSTRAC’s Tweet, its media release, and the Concise Statement as the 3 August 2017 announcement.

The Bank’s media release

349    On 3 August 2017, the Bank issued the following media release:

Commonwealth Bank today acknowledges that civil proceedings have been brought by the Australian Transaction Reports and Analysis Centre (AUSTRAC). The proceedings relate to deposits made through our Intelligent Deposit Machines from 2012.

We have been in discussions with AUSTRAC for an extended period and have cooperated fully with their requests. Over the same period we have worked to continuously improve our compliance and have kept AUSTRAC abreast of those efforts, which will continue.

We take our regulatory obligations extremely seriously and we are one of the largest reporters to AUSTRAC. On an annual basis we report over four million transactions to AUSTRAC in an effort to identify and combat any suspicious activity as quickly and efficiently as we can.

We have invested more than $230 million in our anti-money laundering compliance and reporting processes and systems, and all of our people are required to complete mandatory training on the Anti-Money Laundering and Counter-Terrorism Financing Act.

Money laundering undermines the integrity of our financial system and impacts the Australian community’s safety and wellbeing. We will always work alongside law enforcement, intelligence agencies and government authorities to identify, disrupt and prevent this type of activity.

We are reviewing the nature of the proceedings and will have more to say on the specific claims in due course.

350    It is noteworthy that the Bank’s media release referred to AUSTRAC’s action against it as relating to “deposits made through our Intelligent Deposit Machines from 2012”. The proceeding commenced by AUSTRAC against the Bank concerned non-compliance that was far more extensive than the late TTR issue. The focus of the Bank’s media release on the late TTR issue reveals the Bank’s perception that this issue was the one that had attracted AUSTRAC’s concern and was the catalyst for AUSTRAC commencing proceedings—not the IDM ML/TF risk assessment non-compliance issue, the account monitoring failure issue, or any other issue.

351    It would seem that the Bank was mistaken in this perception. Much of the Concise Statement was directed to the Bank’s failure to file SMRs, the Bank’s actual awareness of suspicious transactions, and its failure to carry out ongoing due diligence. The Bank’s failure to lodge TTRs is implicated in some of this conduct, but that failure is only an aspect of what was identified by AUSTRAC as more extensive, and condemnatory, conduct by the Bank.

The continuous disclosure case

The market disclosure regime governing the Bank’s obligations of disclosure

352    The Bank is, and was at all times relevant to this proceeding, included in the official list of the financial market operated by the ASX. Its shares are “ED securities” for the purposes of s 111AE of the Corporations Act and are able to be acquired and disposed of by investors on the financial market operated by the ASX.

353    The Bank is, and was at all time relevant to this proceeding, a “disclosing entity” within the meaning of s 111AC(1), and a “listed disclosing entity” within the meaning of s 111AL(1), of the Corporations Act.

354    Section 674(1) of the Corporations Act provides:

Obligation to disclose in accordance with listing rules

(1)     Subsection (2) applies to a listed disclosing entity if provisions of the listing rules of a listing market in relation to that entity require the entity to notify the market operator of information about specified events or matters as they arise for the purpose of the operator making that information available to participants in the market.

355    In turn, s 674(2) (as it applies in the present case) provides:

(2)     If:

(a)     this subsection applies to a listed disclosing entity; and

(b)     the entity has information that those provisions require the entity to notify to the market operator; and

(c)     that information:

(i)    is not generally available; and

(ii)    is information that a reasonable person would expect, if it were generally available, to have a material effect on the price or value of ED securities of the entity;

    the entity must notify the market operator of that information in accordance with those provisions.

    Note 1:     Failure to comply with this subsection is an offence (see subsection 1311(1)).

    Note 2:    This subsection is also a civil penalty provision (see section 1317E). For relief from liability to a civil penalty relating to this subsection, see section 1317S.

    Note 3:     An infringement notice may be issued for an alleged contravention of this subsection, see section 1317DAC.

356    Section 677 of the Corporations Act is a facultative provision. As it applies in the present case, it provides:

For the purposes of sections 674 and 675, a reasonable person would be taken to expect information to have a material effect on the price or value of ED securities of a disclosing entity if the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the ED securities.

357    In Grant-Taylor v Babcock & Brown Ltd (in liquidation) [2016] FCAFC 60; 245 FCR 402 (Babcock & Brown), the Full Court (at [92]) addressed the statutory purposes for the continuous disclosure regime. The Full Court said that the main purpose is to achieve a well-informed market leading to greater investor confidence, with the object of enhancing the integrity and efficiency of capital markets through the timely disclosure of price or market sensitive information. Further, the Full Court (at [93]) observed that ss 674 to 677 of the Corporations Act are remedial or protective legislation. With reference to James Hardie Industries NV v Australian Securities and Investments Commission [2010] NSWCA 332; 274 ALR 85 (James Hardie) the Full Court (at [356]) said that those provisions should be construed beneficially to the investing public, in a manner that gives the fullest relief which the fair meaning of their language allows.

358    The Bank is subject to, and bound by, the Listing Rules of the ASX (the ASX Listing Rules).

359    Rule 3.1 provides that, once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, the entity must immediately tell the ASX that information. In Babcock & Brown at [95], the Full Court said that the “Listing Rule 3.1 concept” should be read as implicitly embracing the elaboration that s 677 of the Corporations Act provides.

360    Exceptionally, however, r 3.1A provides that r 3.1 does not apply to particular information while certain cumulative criteria are satisfied in relation to that information.

361    First, one or more of the following must apply: (a) it would be a breach of a law to disclose the information; (b) the information concerns an incomplete proposal or negotiation; (c) the information comprises matters of supposition or is insufficiently definite to warrant disclosure; (d) the information is generated for the internal management purposes of the entity; or (e) the information is a trade secret.

362    Secondly, the information must be confidential and ASX has not formed the view that the information has ceased to be confidential.

363    Thirdly, a reasonable person would not expect the information to be disclosed.

364    The Bank relies on the r 3.1A exception in respect of each disclosure which the applicants allege that the Bank should have made to the ASX.

The applicants’ case: an overview

365    The applicants’ case is that the Bank has contravened s 674(2) of the Corporations Act by failing to disclose to the ASX during the relevant period, one or more of a number of categories of information, being the pleaded Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information.

366    The applicants contend that there are only two issues in relation to their case on liability.

367    The first issue is whether the Bank “had” the pleaded forms of the information. This involves consideration of whether officers of the Bank were aware of the pleaded information in the requisite sense, and whether the ASX Listing Rules required that information to be disclosed.

368    The second issue is whether, assuming the first issue is decided in the applicants’ favour, each category of the pleaded information was material in the sense that a reasonable person would expect it to have a material effect on the price of the Bank’s shares: s 674(2)(c)(ii). As noted above, this is answered affirmatively if the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the Bank’s shares: s 677.

369    The applicants submit that each issue should be answered affirmatively.

The pleaded categories of Information

The Late TTR Information

370    The applicants plead three forms of the Late TTR Information.

The June 2014 Late TTR Information

371    The June 2014 Late TTR Information as pleaded, and supplemented by further particulars, is:

From around November 2012 to 16 June 2014:

(a)    CBA had failed to give TTRs for 12,374 cash transactions of $10,000 or more processed through IDMs following the introduction of IDMs (June 2014 Late TTRs);

(b)    the June 2014 Late TTRs represented between approximately 80% and 95% of threshold transactions that occurred through CBA’s IDMs during the period from around November 2012 to June 2014;

(c)    the June 2014 Late TTRs had a total value of approximately [$]143.7 million;

(d)    the June 2014 Late TTRs had not been lodged, at least in part because of a systems error which had occurred in or around November 2012; and

(e)    the cause of the June 2014 Late TTRs had not been rectified.

(the June 2014 Late TTR Information).

The August 2015 Late TTR Information

372    The August 2015 Late TTR Information as pleaded, and supplemented by further particulars, is:

From around November 2012 to 11 August 2015:

(a)    CBA had failed to give TTRs for 50,385 cash transactions of $10,000 or more processed through IDMs following the introduction of IDMs (August 2015 Late TTRs);

(b)    the August 2015 Late TTRs represented between approximately 80% and 95% of threshold transactions that occurred through CBA’s IDMs during the period from November 2012 to August 2015;

(c)    the August 2015 Late TTRs had a total value of approximately $588.6 million dollars;

(d)    the August 2015 Late TTRs had not been lodged, at least in part because of a systems error which occurred in or around November 2012; and

(e)    the cause of the August 2015 Late TTRs had not been rectified.

(the August 2015 Late TTR Information).

The September 2015 Late TTR Information

373    The September 2015 Late TTR Information, as pleaded, is:

From around November 2012 to 8 September 2015:

(a)    CBA had failed to give TTRs on time for approximately 53,506 cash transactions of $10,000 or more processed through IDMs following the introduction of IDMs (September 2015 Late TTRs);

(b)    the September 2015 Late TTRs represented between approximately 80% and 95% of threshold transactions that occurred through CBA’s IDMs during the period from November 2012 to September 2015;

(c)    the September 2015 Late TTRs had a total value of approximately $624.7 million dollars;

(d)    the September 2015 Late TTRs had not been lodged, at least in part because of a systems error which occurred in or around November 2012

(the September 2015 Late TTR Information).

The Account Monitoring Failure Information

374    The applicants plead three forms of the Account Monitoring Failure Information.

The June 2014 Account Monitoring Failure Information

375    The June 2014 Account Monitoring Failure Information, as pleaded, is:

From around 16 June 2014 or shortly thereafter, CBA was aware (within the meaning of ASX Listing Rule 19.12) that from at least 20 October 2012 CBA had failed to conduct account level monitoring with respect to approximately 676,000 accounts (the June 2014 Account Monitoring Failure Information).

The August 2015 Account Monitoring Failure Information

376    The August 2015 Account Monitoring Failure Information, as pleaded, is:

From around 11 August 2015 or shortly thereafter, CBA was aware (within the meaning of ASX Listing Rule 19.12) that from at least 20 October 2012 to 11 August 2015, CBA failed to conduct account level monitoring with respect to 778,370 accounts (the August 2015 Account Monitoring Failure Information).

The September 2015 Account Monitoring Failure Information

377    The September 2015 Account Monitoring Failure Information, as pleaded, is:

From around 8 September 2015 or shortly thereafter, CBA was aware (within the meaning of ASX Listing Rule 19.12) that from at least 20 October 2012 to 8 September 2015, CBA failed to conduct account level monitoring with respect to 778,370 accounts (the September 2015 Account Monitoring Failure Information).

The IDM ML/TF Risk Assessment Non-Compliance Information

378    The applicants plead two forms of the IDM ML/TF Risk Assessment Non-Compliance Information.

The June 2014 IDM ML/TF Risk Assessment Non-Compliance Information

379    The June 2014 IDM ML/TF Risk Assessment Non-Compliance Information, as pleaded, is:

From around 16 June 2014, or shortly thereafter, CBA was aware (within the meaning of ASX Listing Rule 19.12) of the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information, namely that CBA had failed in the period prior to the roll-out of CBA’s IDMs in May 2012 or at any time since May 2012 to carry out any assessment of ML/TF Risk in relation to or including the provision of designated services through CBA’s IDMs, as required to comply with CBA’s AML/CTF Program.

The August 2015 IDM ML/TF Risk Assessment Non-Compliance Information

380    The August 2015 IDM ML/TF Risk Assessment Non-Compliance Information, as pleaded, is:

Further or alternatively, from 11 August 2015, or shortly thereafter, CBA was aware (within the meaning of ASX Listing Rule 19.12) of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information; namely that CBA had failed:

(a)    in the period prior to the roll-out of CBA’s IDMs in May 2012, and between May 2012 and July 2015, to carry out any assessment of ML/TF Risk in relation to or including the provision of designated services through CBA’s IDMs, as required to comply with CBA’s AML/CTF Program; further or alternatively,

(b)    in the period since July 2015, to carry out an assessment of ML/TF Risk in relation to or including the provision of designated services through CBA’s IDMs that followed the procedures in, and/or complied with the requirements of, CBA’s AML/CTF Program.

The Potential Penalty Information

381    The Potential Penalty Information, as pleaded, is:

From around 16 June 2014 or shortly thereafter, or alternatively 11 August 2015 or shortly thereafter, or alternatively 8 September 2015 or shortly thereafter, or alternatively 24 April 2017 or shortly thereafter, CBA was potentially exposed to enforcement action by AUSTRAC in respect of allegations of serious and systemic non-compliance with the AML/CTF Act, which might result in CBA being ordered to pay a substantial civil penalty (Potential Penalty Information).

The significance of the applicants’ pleading

382    A contravention of s 674(2) of the Corporations Act must be “finally and precisely” pleaded and the party making the allegations must identify the case it seeks to make clearly and distinctly”: Cruickshank v Australian Securities and Investments Commission [2022] FCAFC 128; 292 FCR 627 (Cruickshank) at [120]; see also TPT Patrol Pty Ltd, as trustee for Amies Superannuation Fund v Myer Holdings Limited [2019] FCA 1747; 140 ACSR 38 (TPT Patrol) at [1121]. This is a matter that I emphasised when dealing with the Bank’s objection to an earlier form of the statement of claim: Zonia Holdings Pty Ltd v Commonwealth Bank of Australia Limited [2018] FCA 659 at [24].

383    The applicants’ pleaded case proceeds on the basis that the pleaded forms of the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information—which I will call, collectively, the Information (as did the expert witnesses)set the metes and bounds of the information that the Bank was obliged to disclose, and should have disclosed, to the ASX.

384    The Bank specifically canvassed this matter in correspondence with the applicants, who confirmed that the precise form of the information they contend that the Bank should have disclosed to the ASX was the information defined by the terms of the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information as pleaded in the statement of claim.

385    Therefore, in the case of each of the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information, it can be taken that: (a) all the integers pleaded by the applicants, for each form of the Information, are necessary to identify the information that the applicants say the Bank should have disclosed to the ASX and are an inseparable part of that information, and that (b) each pleaded form is a complete statement of the information that the applicants say should have been disclosed.

386    In closing submissions, the applicants deviated from the course they had set by contending, in the context of submissions directed to the June 2014 Late TTR Information, that:

… if the Court were to find … that components of the June 2014 Late TTR Information … did not exist, or … [were] for some reason not required or apt to be disclosed to the ASX, the resultant exercise for the Court would involve determining the effects and consequences of, and in particular the quantum of loss caused by, CBA’s failure to disclose the components of the June 2014 Late TTR Information in the remaining sub-paragraphs, being those components of the June 2014 Late TTR Information that did exist or were apt to be disclosed.

387    They also submitted that if the disclosure of further, contextual information is necessary to make the pleaded information complete, it was not their task to supply that information as part of their case under s 674(2) of the Corporations Act, so long as the pleaded information was otherwise material: T 1198, line 13 – 1199, line 8.

388    I do not accept that it is the task of the Court, in a case such as the present, to refashion a plaintiff’s pleaded case to define, to its own liking, the information that, arguably, should have been disclosed by a defendant. The task of the Court is to adjudicate upon a pleaded case, not to plead the case itself.

389    Nor do I accept that it is the task of a defendant to refashion a plaintiff’s pleaded case. The defendant may, in its defence, identify omissions from the pleaded information which go to the materiality of that information and whether the defendant is required to disclose the information in its pleaded form. It remains, nevertheless, the plaintiff’s onus to plead, completely, the information which, it says, the market operator required to be disclosed: see s 674(1) of the Corporations Act. In the present case, this means information conforming to the requirements of r 3.1 of the ASX Listing Rules. I discuss some of these requirements in a later section of these reasons at [568] – [572] below.

390    To adopt the approach advocated by the applicants would not only create the potential for procedural unfairness, but also the potential to create confusion and disorder in the conduct of the proceeding, particularly where the expert evidence has been prepared and adduced in a form which is directed to the plaintiff’s pleaded case.

391    In the present case, I do not accept, for example, that the Court should embark on its own course to select parts of the pleaded forms of the Information that it finds to be material to determine for itself, in the absence of appropriate evidence, the likely market effects and consequences of those parts or, in the absence of appropriate evidence, to determine for itself whether those parts were, in and of themselves, productive of actual loss. In any event, as I will later explain, the evidence in respect of the event study on which the applicants rely to establish the existence and quantum of their alleged loss makes clear that the task they now advocate cannot be performed on the basis of that study.

Was the Bank aware” of the relevant information?

Legal principles

392    I have already briefly referred to the market disclosure regime governing the Bank’s obligations of disclosure. It is necessary to say something more about the notion of “awareness” as understood by r 3.1 of the ASX Listing Rules.

393    Chapter 19.12 of the ASX Listing Rules provides the following definition of “aware:

an entity becomes aware of information if, and as soon as, an officer of the entity … has, or ought reasonably to have, come into possession of the information in the course of the performance of their duties as an officer of that entity.

394    This definition invokes an officer’s actual or constructive awareness: Babcock & Brown at [185].

395    The notion of constructive awareness was explained by Jagot and Murphy JJ in Crowley v Worley Limited [2022] FCAFC 33; 293 FCR 438 (Crowley (FC)). After stating (at [176]) that the word “information”, as used in the definition of “aware”, embraces “facts”, “circumstances”, and “opinions”, their Honours said (at [178]):

178    If the evidence shows that: (a) the information in fact existed, (b) reasonable information systems or management procedures ought to have brought the information to the attention of a relevant company officer; and (c) acting reasonably the company officer ought to have discerned the significance of the information, then s 674 and the Listing Rules deem the company to have had the information. …

396    What does it mean to say that “the information in fact existed”? It is tolerably clear that, for this first critical step of the inquiry, Jagot and Murphy JJ were not inviting an excursion into metaphysics. Their Honours could only have been referring to the fact that, at a given point in time, the information in question was extant because it was already in a form whose content was fixed and comprehensible as a matter of ordinary perception.

397    It is important to understand that the focus of their Honours’ concern was a case in which it had been argued that r 3.1 was not engaged where officers did not realise, even though they should have realised, the implications of information of which they were actually aware. Their Honours did not accept that r 3.1 was not engaged in those circumstances. They accepted the submission that the information that a corporation ought reasonably to have includes opinions that an officer ought to have held by reason of known facts. At [182] their Honours said:

182    Given the statutory provisions, to confine the inquiry to the question whether an officer or employee under a duty to inform an officer in fact formed an opinion or drew an inference consistent with [the pleaded information] would be in error. The required inquiry extends to the question whether an officer or employee under a duty to inform an officer knew facts from which they reasonably ought to have formed an opinion or drawn an inference consistent with [the pleaded information]. …

398    This aspect of their Honours’ reasoning has importance for the present case. The Bank submits, and I accept, that Crowley (FC) does not extend the notion of “awareness” to an awareness of unknown facts that are merely capable of discovery through a process of further investigation to ascertain their existence. I would add that, even more so, Crowley (FC) does not extend “awareness” to facts that are capable of discovery with the benefit of hindsight.

The Late TTR Information: the applicants’ submissions

399    The applicants accept that there is no evidence that any officer of the Bank had actual awareness of the June 2014 Late TTR Information by 16 June 2014. Their case is that one or more officers of the Bank ought reasonably to have come into possession of this information by that date. In advancing this case, the applicants adopt a three step process of reasoning.

400    The first step is that the facts comprising the June 2014 Late TTR Information “existed” as at 16 June 2014.

401    It will be appreciated that, as pleaded, this information comprises a number of integers. The applicants submit that there is no controversy that, from its introduction, transaction code 5000 was not linked or “mapped” to the Bank’s TTR processes from around November 2012 to 16 June 2014. So much can be accepted.

402    The applicants then contend that, as a matter of fact, the Bank failed to lodge approximately 12,374 TTRs with the AUSTRAC CEO due to “the transaction code 5000 problem” in that period (integer (a)). I note that this figure is taken from a spreadsheet that was discovered by the Bank and appears to have been prepared on 22 September 2015.

403    By reference to other documents, the applicants contend that, in November 2012, the late TTRs represented approximately 80% of the threshold transactions that occurred through the Bank’s IDMs, and in June 2014, approximately 95% of such transactions (integer (b)).

404    The applicants contend that the value component of the June 2014 Late TTR Information (integer (c)) is “a simple mathematical exercise” based on an analysis of the number of TTRs not lodged. This, the applicants submit, is supported by the spreadsheet to which I have referred.

405    Therefore, according to the applicants, the information comprising the number, percentage, and value, of cash deposits made in the Bank’s IDMs for which TTRs were not given from around November 2012 to 16 June 2014, “existed”.

406    As to integer (d), the applicants submit that the reference to “systems error” is accurate and apt to capture the simple fact that, as at 16 June 2014, the 12,374 contraventions of s 43 of the AML/CTF Act resulting from the Bank’s failure to lodge TTRs on time were not the result of 12,374 individual errors “by, and idiosyncratic to, one or more individual employees” of the Bank. Rather, there was “an error in CBA’s computer system: it had been coded wrongly”.

407    As to integer (e), the applicants contend that, as a matter of fact, “the transaction code 5000 issue” was rectified by about 11 September 2015. Therefore, as a matter of fact, that error existed at all times from November 2012 to 11 September 2015. Accordingly, any disclosure as at June 2014 would have required a statement that the cause of the June 2014 Late TTRs had not been rectified.

408    The second step of the applicants’ reasoning is that, by 16 June 2014, the June 2014 Late TTR Information ought reasonably to have been escalated to an officer of the Bank.

409    The applicants advance this part of their case principally by reference to three matters. First, according to the applicants, the Bank’s policies and procedures, particularly its compliance policy, required the June 2014 Late TTR Information to be escalated to officer level on or shortly after October 2013. Secondly, the applicants rely on (what they contend was) Mr Narev’s acceptance in cross-examination that the late TTR issue should have been escalated prior to 16 June 2014. Thirdly, the applicants contend that Mr Elliott’s evidence demonstrates that this information should have been escalated.

410    It will be apparent that this part of the applicants’ case focuses on the events I have described in 2013 at [118] – [140] above.

411    As to escalation and the Bank’s compliance policy (see, in particular, the summary of the Compliance Incident Management Group Policy at [67] – [70] above), the applicants submit that: (a) “there is no doubt” that, on or by 14 October 2013, the Bank’s employees had identified that two threshold transactions had not been reported to AUSTRAC; (b) the failure to lodge such reports comprised or gave rise to two contraventions of s 43 of the AML/CTF Act; (c) the cause of these contraventions was that transaction code 5000 was not “mapping” with or “on the range for” TTR reporting processes; and (d) the failure to link transaction code 5000 with the Bank’s TTR processes meant that there was a “bigger issue” than the two contraventions of s 43.

412    The applicants submit that, amongst other things: (a) these incidents were not logged in RiskInSite; (b) the procedures in phases 2, 3, and 4 of para 5.1 of the Bank’s Compliance Incident Management Group Policy summarised at [69] above (Identification→Assess→Report & Escalate→Rectify & Resolve) were not followed; (c) the incidents were not elevated to “the relevant Group Executive” (who, the applicants say, was Mr Comyn) or reported to AUSTRAC; and (d) employees did not investigate, or even consider, let alone rectify, the “bigger issue” (that transaction code 5000 was not “mapping” with the Bank’s reporting processes).

413    As to Mr Narev’s evidence, the applicants rely on the following exchange in cross-examination:

MR STOLJAR:      The way I put it was this, Mr Narev: If someone else at the bank – not you – but if someone else at the bank had discovered the transaction code 5000 issue at some earlier point in time, would you expect that that issue would have been investigated fully?---Can I just ask one – I think the answer is yes, but I want one clarification. Are you talking about the inaccurate code or the consequence of the – with the TTRs?

I’m talking about both, both limbs?---Yes. I would expect it would be investigated promptly upon anyone becoming aware of it. That would be my assumption.

And conformably with – well, and it would have been escalated?---I would have expected, had that – had it been identified that there was a coding issue and as a consequence there was a compliance breach, at a minimum I would expect it to be in the sorts of reports that we’ve talked about. Based on my practice running the bank I would have hoped and expected I would be made aware of it fairly rapidly under normal practice.

And it would have been reported to AUSTRAC, I take it?---I would assume, absolutely, in the way it was when it was discovered.

And indeed, because the compliance incident policy and other procedures at the bank require that to be done?---Yes.

That’s a fair summary?---There’s nothing in that I disagree with. Yes, it is.

414    The applicants also rely on Mr Narev’s evidence that, when he was briefed on the late TTR issue in September 2015, it is likely that he was briefed on the proportion of affected transactions through IDMs and the dollar value of those transactions. The applicants’ point, here, is that, had that information been sought as part of a “fuller investigation” that the Bank was “required to undertake”, it would have produced, and made the Bank’s officers aware of, that particular information.

415    As to Mr Elliott’s evidence, Mr Elliott expressed opinions on a range of matters in his report of 12 April 2022, including whether the Bank “could/should” have detected the June 2014 Late TTRs by 16 June 2014.

416    In an introductory part of his report dealing with Terminology and Relevant Concepts, Mr Elliott discussed quality assurance in IT systems. He explained that the objective of quality assurance is to eliminate or minimise the occurrence and consequent impact of errors in data processing. Mr Elliott said that these errors generally arise from unexpected external events (such as unexpected input data) or logic errors (usually coding or design errors).

417    Mr Elliott also explained that quality assurance frameworks generally focus on the implementation of Prevention Methods and Detection Methods:

… Prevention Methods are usually implemented during development and focus on ensuring the developed systems are robust and able to handle issues or problems arising. Detection Methods are designed to detect situations where the Prevention Methods have not anticipated a particular external event or logic error resulting in the system not functioning as required. They are implemented in the production (or “live”) environment and can be thought of as the “checks and balances”. Detection Methods are also used to trace problem situations when attempting to identify the underlying cause.

418    Later in his report, Mr Elliott exemplified a Detection Method as the temperature gauge in a car: when the gauge exceeds a threshold temperature it alerts the driver of a potential problem in the engine.

419    Mr Elliott said that Reconciliation Methods are commonly used Detection Methods in IT systems:

… Generally, a Reconciliation Method checks the output of two systems each of which process the same input data but the outputs of each can be compared to check the veracity of each system. A simple example of a Reconciliation Method is where you check your credit card statement against the receipts in your wallet. The common input data is the details of each transaction. The first system is the merchant terminal which produces the paper receipts. The second system is the online transaction processing system(s) which ultimately produce your statement. When you compare the paper receipts to the statement you are carrying out a reconciliation.

420    Mr Elliott also discussed Compensating Controls, which he said are “designed to detect situations where the Prevention Methods have not envisioned a particular external event or logic error and Detection Methods are too complex or not economically feasible to implement”. Mr Elliott said that Reconciliations are the more commonly encountered Compensating Control and are often used by auditors.

421    Finally, Mr Elliott explained that, when auditors audit a system, they review not just the output of the Detection Methods but whether the Detection Method (or audit control) is effective (the extent to which the Detection Method meets the risk objective). He said that it is reasonable to expect that audit controls should be effective.

422    Mr Elliott expressed the opinion that, because the Bank had the necessary data available in an accessible form, and because it “could have reasonably implemented an effective Detection Method or Compensating Control such as a reconciliation”, it could have detected the June 2014 Late TTRs by 16 June 2014.

423    Mr Elliott also expressed the opinion that the Bank should have detected the June 2014 Late TTRs by 16 June 2014. He based his opinion on four matters. First, the Bank was, and is, required by the AML/CTF Act to implement appropriate controls and processes. Secondly, the Bank’s attention was drawn to “issues raised regarding cash deposits in the IDMs” (this was a reference to the events in 2013). Thirdly, Group Audit had “identified AML/CTF systems deficiencies well prior to the Late TTRs being first identified by CBA” (this was a reference to the 2013 audit report). Fourthly, the Bank should have implemented Detection Methods, such as reconciliation controls in its IT processes and procedures.

424    Mr Elliott’s overall conclusion was:

… CBA had a regulatory requirement and had the necessary data from the time the Late TTR problem arose (November 2012) to implement effective detection controls. Deficiencies in their Detection Methods had been identified, and incidents had occurred which should have caused CBA to investigate whether TTR Reporting from IDMs was effective, such as by a reconciliation. CBA should have implemented effective Detection Methods which would have enabled them to detect the June 2014 Late TTRs and therefore should have detected the June 2014 Late TTRs on or before 16 June 2014.

425    In their closing submissions, the applicants deployed Mr Elliott’s evidence by making this submission:

Mr Elliott opines that CBA should have detected the Late TTR problem prior to the commencement of the Relevant Period. In Mr Elliott’s opinion, when an issue of this nature is identified, as it was in October 2013, both reasonable information technology processes and CBA’s own policies and procedures dictate that the issue should be appropriately investigated and escalated. Had that been attended to in October 2013, the issue would have been subject to the formal escalation and oversight processes that are applicable to what CBA defines as ‘compliance incidents’. In particular, Mr Elliott observes that reasonable information technology practice would have involved the deployment of detection methods, including reconciliations: however reconciliations either were not in place for threshold transaction reporting, or they were not operating effectively.

Thus, having regard to the fact that CBA had identified the coding error which caused the Late TTR problem by no later than October 2013, the fact that CBA’s internal audit had called out the poor controls and lack of end to end data assurances in AML reporting and the fact that reconciliations are an important control for systems generally, Mr Elliott concludes that CBA should have identified the Late TTR problem prior to the Relevant Period. Having been detected, the scope of the Late TTR problem should have been investigated and the results of that investigation escalated appropriately.

426    The third step of the applicants’ reasoning is that, acting reasonably, an officer of the Bank would have discerned the significance of the June 2014 Late TTR Information” (by this I take the applicants to mean the significance of the facts known to the Bank’s employees in 2013).

427    For this step, the applicants rely on the Bank’s response following AUSTRAC’s email of 11 August 2015 which identified two missing TTRs: see [141] – [142] above. The applicants submit that this prompt investigation and escalation of the issue is a “useful blueprint” of how matters should have been dealt with had the Bank’s processes been followed in 2013. Once again relying on Mr Narev’s evidence (quoted at [413]) above, the applicants submit that the problem would have been escalated to officer level.

428    For these reasons, the applicants submit that the Bank “had” the June 2014 Late TTR Information by 16 June 2014, the start of the relevant period.

429    The applicants’ case with respect to the Bank’s possession of the August 2015 Late TTR Information proceeds on a similar basis of constructive awareness, with integers (a) – (e) of the pleaded information based on the same documents that inform the applicants’ case on constructive awareness of integers (a) – (e) of the June Late TTR Information.

430    Whilst the applicants’ case on the Bank’s possession of the September 2015 Late TTR Information has similarities to the other forms of the Late TTR Information (such as the fact that integers (b) (d) are based on the same documents), it, nevertheless, has three distinguishing features.

431    The first distinguishing feature is that the Bank accepts that from late August 2015 it had actual knowledge of the fact that approximately 51,000 TTRs had not been submitted to the AUSTRAC CEO on time. It is not in dispute that preliminary estimates of the number of TTRs that had not been lodged on time were escalated to Mr Narev (amongst other officers) and, hence, an “officer” of the Bank for the purposes of the ASX Listing Rules.

432    The second distinguishing feature is that, unlike the June 2014 Late TTR Information and the August 2015 Late TTR Information, the September 2015 Late TTR Information does not include integer (e)—namely that, at the relevant date by which the information should have been disclosed, the cause of the late TTRs had not been rectified.

433    The third distinguishing feature is that the applicants plead that the Bank was aware of the September Late TTR Information as at both 8 September 2015 (or shortly thereafter) and 24 April 2017.

The Late TTR Information: analysis

434    I am not satisfied that the Bank was “aware” of the June 2014 Late TTR Information “from around 16 June 2014 or shortly thereafter”, as pleaded. There are a number of reasons for this finding.

435    First, the applicants’ case purports to be based on the three steps discernible from Jagot and Murphy JJ’s statement at [178] of Crowley (FC) quoted at [395] above. However, the applicants’ reasoning misapplies what Jagot and Murphy JJ said. As I have emphasised, their Honours were addressing a case where “opinions” which had not been formed should have been formed, or inferences which had not be drawn should have been drawn, on or from facts known to an officer or by an employee under a duty to inform an officer (for the purposes of this part of my reasons I will refer to such persons as a relevant person).

436    In this connection, the applicants treat the first element of Jagot and Murphy JJ’s statement—that the information in fact existed—as an abstract inquiry, where the “existence” of the fact can be ascertained by an ex post facto investigation, divorced from whether a relevant person actually knew the fact at the relevant time or ought to have formed an opinion or drawn an inference to the effect of the fact from other known facts. This is not the correct approach.

437    With respect to integers (a) – (c) of the June 2014 Late TTR Information, the applicants arrive at the position that these facts “existed” by recourse to facts ascertained well after the relevant period. What is more, these facts only came to be ascertained because of an actual awareness of the late TTR issue. Thus, the first step of the applicants’ analysis is also affected by hindsight.

438    To explain, the applicants have ascertained that, in the relevant period, the Bank failed to give TTRs for 12,374 cash transactions of $10,000 or more that had been processed through IDMs by reference to an electronic spreadsheet created by the Bank on 22 September 2015. The date of creation of the spreadsheet can be deduced (as the applicants themselves contend) from the file name (TTR-FBS2015092201). It appears that the spreadsheet was created as part of the Bank’s lodgement of the late TTRs. The evidence shows that on 24 September 2015 the Bank lodged the file with AUSTRAC.

439    Next, the applicants have ascertained that the June 2014 Late TTRs represented between approximately 80% and 95% of threshold transactions that occurred through the Bank’s IDMs in the relevant period from email correspondence on 22 January 2016 and 3 August 2017 between Bank employees. Furthermore, the applicants have misreported the 95% figure. According to the email of 22 January 2016, this figure is referable to the period November 2012 to August 2015, not November 2012 to June 2014.

440    Next, the applicants have ascertained that the June 2014 Late TTRs had a value of approximately $143.7 million from, once again, the spreadsheet created on 22 September 2015.

441    On the evidence before me, all these facts, for the purposes of “awareness”, have been ascertained from investigations undertaken well after 16 June 2014, with knowledge of the late TTR issue. As at 16 June 2014, no relevant person (being an officer or someone with a duty to report to an officer) knew that, in the relevant period: (a) the Bank had failed to give TTRs for 12,374 cash transactions of $10,000 or more that had been processed through the Bank’s IDMs; (b) that those transactions represented between approximately 80% and 95% of threshold transaction that occurred through the Bank’s IDMs; or (c) that the total value of the June 2014 Late TTRs was approximately $143.7 million. Nor on the facts known as at 16 June 2014, could any relevant person deduce the content of the June 2014 Late TTR Information in this regard.

442    Integers (d) and (e) of the June 2014 Late TTR Information can only be determined with knowledge of the late TTR issue (which was only ascertained in August 2015) and with the assistance of the spreadsheet and emails referred to above, all of which were created well after 16 June 2014.

443    It is convenient to note at this juncture that the applicants’ contention that the other pleaded forms of the Information also “existed” at relevant times is based on the same incorrect approach, as I will explain.

444    The applicants are not assisted by Mr Elliott’s opinion. Mr Elliott’s opinion proceeds on the basis of what the Bank could have done, and what the Bank should have done, to detect the late TTR issue. These are not relevant questions. The correct starting point for determining whether the Bank was awareof the June 2014 Late TTR Information by 16 June 2014 is the fact or facts known to a relevant person or the facts on which a relevant person ought to have formed an opinion or drawn an inference from other known facts. The starting point is not the facts that could have been discovered or the facts that should have been discovered by a relevant person through an investigation which did not, in fact, take place. To use the Bank’s expression, Mr Elliott’s expert task “misfired” because the task he was instructed to undertake was misdirected from the outset.

445    The Bank advances a number of criticisms of Mr Elliott’s evidence. In the end, Mr Elliott’s evidence has played only a minimal role in the presentation of the applicants’ case in final submissions (in relation to the Late TTR Information it does not, in substance, go beyond the matters I have summarised and quoted above). For this reason, I do not propose to address the Bank’s detailed criticisms given the limited use of Mr Elliott’s evidence. Consequently, I also do not propose to address Mr Bell’s evidence (which challenges a number of Mr Elliott’s opinions) beyond the matters I have already recorded from Mr Elliott and Mr Bell’s Joint Report in earlier paragraphs of these reasons.

446    However, there are two matters to which I should refer in relation to the applicants’ deployment of Mr Elliott’s opinion.

447    First, in their closing submissions (quoted at [425] above), the applicants refer to the Bank having identified, by no later than October 2013, “the coding error which caused the Late TTR problem”. Also, as I have already noted, the applicants submit that: (a) there is no doubt that, on or by 14 October 2013, the Bank’s employees had identified that two threshold transactions had not been reported to AUSTRAC; (b) that the failure to lodge such reports comprised or gave rise to two contraventions of s 43 of the AML/CTF Act; (c) that the cause of these contraventions was that transaction code 5000 was not “mapping” with or “on the range for” TTR reporting processes; and (d) that the failure to link transaction code 5000 with the Bank’s TTR processes meant that there was a “bigger issue” than the two contraventions of s 43.

448    I do not accept that these submissions accurately reflect the evidence.

449    To begin with, I do not accept that it is substantively correct to say that, by no later than October 2013, the Bank had identified “the coding error which caused the Late TTR problem”. That statement rolls up a number of facts and does not place them in their correct sequence or context.

450    Initially, on 29 August 2013 and 3 September 2013, two queries were raised with respect to cash deposits for threshold amounts made through IDMs: whether the cash component of a “mixed deposit” and whether cash deposited using an OFI card were being reported. On 19 September 2013, these queries were resolved. On the information then known by the Bank’s employees, all cash deposits for threshold amounts were being reported.

451    On 20 September 2013, a further query was raised with respect to two OFI card cash deposits for threshold amounts. As I have said, on 14 October 2013 a number of potential issues were identified, only one of which was “a bigger issue”. With hindsight, there should have been further investigation to elucidate whether there was a “bigger issue”. Had there been further investigation, it is likely that the general problem associated with cash deposits processed through the Bank’s IDMs under code 5000 would have come to light at that time. However, there was no further investigation at that time, and the general problem did not come to light until approximately 22 months later. Indeed, the view taken at that time was that “TTR is performing as expected” and any “potential issues” were at the “source system level”: see [138] above.

452    Further, I do not accept that it can be said that, armed with Mr Ashdown’s understanding of the “actions” to be taken (see the email quoted at [136] above), the Bank’s employees ought reasonably to have formed an opinion or drawn an inference that there was a general problem associated with cash deposits processed through IDMs under code 5000, still less an opinion or inference consistent with the June 2014 Late TTR Information: see Crowley (FC) at [182]. The only reasonable opinion that could have been drawn at that time was that, based on the state of affairs communicated by Mr Ashdown on 14 October 2013, there should be (and, viewed at the present time, should have been) a more complete investigation to try to find the answer to the query raised on 20 September 2013 with respect to the two OFI card cash deposits for the threshold amounts, having regard to the “actions” noted by Mr Ashdown.

453    Secondly, Mr Elliott’s opinion that the Bank should have implemented effective Detection Methods which would have enabled it to detect the June 2014 Late TTRs on or before 16 June 2014 (such that the Bank should have detected those TTRs), and the appellants’ submission quoted at [425] above which rely on Mr Elliott’s opinion, ally the detection of the late TTRs with the findings of the Bank’s internal audit in the 2013 audit report. However, as I have noted (at [191] above), Mr Elliott’s and Mr Bell’s joint opinion was that, while the 2013 audit report covered a broad range of areas related to the Bank’s AML/CTF Program (identifying 21 audit issues), and alerted the Bank that there were numerous issues to be addressed to uplift the Bank’s overall AML/CTF Program, the late TTR issue was not specifically identified in the findings of the report or the Issues Log, and the 2013 audit report did not identify a specific requirement to immediately review the detection methods for the cash deposit reporting systems. Therefore, the findings of the 2013 report do not have the significance that the applicants attribute to them in relation to the Bank’s “awareness” of the June 2014 Late TTR Information.

454    Next, the applicants’ reliance on Mr Narev’s evidence needs to be considered in the light of the findings I have made in relation to the events of 2013. Mr Narev accepted that, had a coding issue (with reference to code 5000) been discovered, he would have expected it to have been investigated fully. That acceptance, however, does not advance matters materially. The queries raised on 29 August 2013 and 3 September 2013 did not reveal a coding error involving transaction code 5000. The queries raised on 20 September 2013 led to the recognition, on 14 October 2013, of the possibility of a coding error which remained unconfirmed. Whilst I accept that this possibility should have been investigated further, it does not assist in establishing that the June 2014 late TTR Information in fact existed.

455    Mr Narev also accepted that, had a coding error been identified, with the consequence that there had been a compliance breach, then that matter should have been escalated. Although by 10 October 2013 it had been identified that the two OFI card transactions referred for investigation on 20 September 2013 “are not in the TTR reports”, a coding error had not been identified. What had been identified was a query on the use of transaction code 5000. Further, had the “actions” identified in Mr Ashdown’s email of 14 October 2013 been escalated, I have little doubt that the instruction would have been to investigate the two OFI card transactions further to ascertain whether there was a coding problem. But, once again, this does not advance matters materially as to what was known as at 16 June 2014.

456    Finally, it is clear from Mr Narev’s evidence that he did not consider that the problem with transaction code 5000 was discovered until August 2015, when the matter was escalated, and the late TTR issue then reported to AUSTRAC.

457    As to the August 2015 Late TTR Information, the applicants’ closing submissions do not extend beyond noting the source of the information in each of integers (a) – (e), and relying on the same submissions they advance in respect of the June 2014 late TTR Information. Therefore, the findings I have made above apply equally to the August 2015 Late TTR Information. I am not satisfied that the Bank was “aware” of the August 2015 Late TTR Information from around 11 August 2015 or shortly thereafter, as pleaded.

458    As to the September 2015 Late TTR Information, there is (as I have already noted) no question that, by 8 September 2015, the late TTR issue had come to light, and was known by officers of the Bank. On 8 September 2015, Mr Toevs wrote to AUSTRAC, stating that, following AUSTRAC’s letter of 11 August 2015, an investigation had been immediately commissioned by the Bank. This was because the TTR details relating to the two transactions (to which AUSTRAC had drawn attention) “were not immediately available in our records”. Mr Toevs letter continued:

Our investigation identified that the Threshold Transactions in question were related to cash deposits made through deposit taking teller machines (Intelligent Deposit Machines or IDMs) and it was revealed that TTRs were not generated for either of these transactions.

Further analysis revealed that there are three possible transaction codes that may be generated where a transaction contains a cash component of $10,000.00 or greater via an IDM. It was however identified only two of the three transaction codes are currently automatically generating a TTR when the transaction is conducted using an IDM.

Root Cause

Analysis performed on this matter revealed the following:

    At the time of rolling out IDMs in May 2012, two transaction types, each with a unique transaction code (5022 & 4013) were mapped to automated TTR reporting where the cash component of a transaction involved $10,000 or more;

    Subsequently, in November 2012 (as part of another IT project), one of these transaction types was divided into two separate transaction codes. While transaction code 5022 continued for some products, a new transaction code of 5000 was introduced for deposits made to others. However it appears that inadvertently, code 5000 was not linked to TTR reporting.

Impact

    The issue highlighted above resulted in the non-reporting of TTRs for 51,637 Threshold Transactions (from November 2012 to 18 August 2015). The number of affected transactions represents approximately 2.3% of the overall volume of TTRs reported by CBA over the same period.

459    The balance of Mr Toevs’ letter addressed the remediation action the Bank intended to take.

460    On the evidence before me, Mr Toevs was first alerted to a problem in relation to TTR reporting through the Bank’s IDMs on 20 August 2015: see [252] above. At that time, the scope of the problem, and the period over which it had occurred, was not known, but was in the course of being investigated.

461    By 4 September 2015, Mr Narev was aware of the late TTR issue. A briefing paper dated 4 September 2015, which was prepared at Mr Narev’s request, noted that, at that stage of the investigation, 51,637 TTRs had not been reported to AUSTRAC. Mr Narev said that he could not recall whether he received a copy of the briefing paper or was just provided with an oral briefing. He nevertheless said that the content of the briefing paper reflected his initial understanding of the late TTR issue.

462    When the Bank lodged the late TTRs on 24 September 2015, the late TTRs were for 53,506 cash transactions, not for 51,637 transactions as notified in the Bank’s letter dated 8 September 2015. AUSTRAC raised a query about this difference. Mr Toevs provided an explanation in a responding letter to AUSTRAC dated 26 October 2015:

The difference in the number of TTRs at the date of notification (8 September) relative to the number of TTRs reported (24 September) relates to the subset of relevant transaction that occurred between the date at which the coding issue was identified (18 August 2015) and the date at which the coding error was rectified (8 September 2015).

463    Although the error which caused the late TTR issue had been rectified on 8 September 2015, the evidence does not enable me to conclude, on the balance of probabilities, that, as at 8 September 2015, anyone at the Bank knew that the Bank had failed to give TTRs on time for 53,506 threshold transactions (integer (a) of the September 2015 Late TTR Information). This information only appears to have come to light at the time that the spreadsheet (to which I have referred) was prepared on 22 September 2015.

464    Recognising this difficulty, the applicants point to the fact that, as at 4 September 2015, officers of the Bank knew that, for the period November 2012 to 18 August 2015, 51,637 TTRs had not been reported to AUSTRAC. They also submit that, as pleaded, integer (a) of the September 2015 Late TTR Information refers to “approximately” 53,506 transactions and that officers (such as Mr Narev, Mr Comyn, and Mr Toevs) knew or ought to have known that a further number of TTRs had not been lodged between 18 August 2015 (when the issue was identified) and 8 September 2015 (when the issue was rectified).

465    I accept this submission. I am satisfied that the expression “approximately” has significant amplitude given the large number of transactions involved. I am also satisfied that, as at 8 September 2015, both Mr Narev and Mr Toevs must have known, or at least ought reasonably to have formed an opinion or drawn an inference, that, in the period between 18 August 2015 and 8 September 2015, a material number of TTRs which should have been lodged, had not been lodged (53,506), so that, as at 8 September 2015, the late TTRs numbered materially more than the known number of late TTRs (51,637) as at 18 August 2015.

466    I am also satisfied that the Bank was “aware” of integer (d) of the September 2015 Late TTR Information, because of evidence such as the briefing note discussed above.

467    As to integers (b) and (c) of the September 2015 Late TTR Information, the Bank admits that, from around November 2012 to September 2015, the late TTRs represented approximately 95% of threshold transactions that occurred through the Bank’s IDMs and that those transactions had a total value of approximately $624.7 million. The Bank puts in issue, however, the question of the Bank’s “awareness” of that information as at 8 September 2015.

468    In his evidence in chief, Mr Narev said that at the time that he first became aware of the late TTR issue on (around) 4 September 2015, “the exact number of affected transactions had not yet been finalised”. Nevertheless, Mr Narev said that, at that time, he understood the number to be above 50,000. He said that he was told that the affected transactions” were around 2.5% of the Bank’s total threshold transactions over the “affected period”. Mr Narev also said that he did not recall “being expressly informed of the proportion of affected transaction through IDMs specifically, or the dollar value of those transactions, at any stage prior to AUSTRAC commencing proceedings”.

469    Mr Narev was cross-examined on the two last-mentioned matters. The following exchange took place:

Now, both of those two items of information, that is, information about the proportion of affected transactions through IDMs and the dollar value, is part of the context of the late TTR issue. Do you accept that?---The number and the dollar value, part of the context – sorry, in what sense?

Well, just perhaps put it this way: you were briefed extensively on the late TTR issue, I take it?---At around that time, yes.

Yes. And I take it the purpose of the briefings was to give you a full understanding of the late TTR issues?---Yes, it would have been.

And as far as you were concerned, you did receive or obtain a full understanding of the late TTR issues through and by, or as a result of those briefings?---Well, a sufficient understanding, yes.

And you say in this paragraph:

I don’t recall being expressly informed of those two matters.

That’s in the fourth line. Do you see that?---Yes.

But you accept that, I take it, that even if you can’t expressly remember it, it’s likely in the course of the briefings you received information concerning a proportion of affected - - -?---Look, in fairness, I can’t recall, but it wouldn’t surprise me if I had heard that. I’m saying here I didn’t recall it, but it wouldn’t surprise me if I had heard the dollar value.

Well, heard the dollar value and also heard the proportion of - - -?---And the – yes.

- - - of affected transactions through IDMs?---Yes.

That was all. I wasn’t meaning anything else when I was putting to you - - -?---No, no. That’s fine.

- - - that it’s part of the context?---I understand.

I just mean it is likely that in those briefings you received both of those two items of information; correct?---I’m happy to say yes.

470    Although Mr Narev was prepared to make the concession recorded above, his evidence, given in the way it was, does not fill me with confidence. I am not persuaded, on the balance of probabilities, that, before 8 September 2015, he was informed of the proportion of “affected transactions” through IDMs specifically, or the dollar value of those transactions, as recorded in the September 2015 Late TTR Information.

471    In that regard, the applicants have not drawn my attention to any contemporaneous documents that record that information at that time. The briefing note that was prepared for Mr Narev on 4 September 2015 contains no such information.

472    Further, the cross-examination did not elicit that Mr Narev was told, or that it was likely that Mr Narev was told, the content of integers (b) and (c) (i.e., the actual proportion and dollar value of the late TTRs); nor could it be said that Mr Narev was in a position to form an opinion or draw an inference to the effect of integers (b) and (c) based on the information he did have.

473    Moreover, there is no evidence that any other officer of the Bank had that information, or could form an opinion or draw an inference to the effect of integers (b) and (c) as at 8 September 2015.

474    While integer (c) appears to have been discernible from the spreadsheet prepared on 22 September 2015, the source of integer (b) is the email of 22 January 2016, to which I have referred. The email of 22 January 2016 appears to have been part of an investigation to answer a request for information made by AUSTRAC on 15 December 2015. In that regard, AUSTRAC had asked the Bank to provide details of how many TTRs were reported during the period November 2012 to August 2015 in relation to the other two codes for which the Bank was lodging TTRs—transaction codes 5022 and 4013.

475    In the email of 22 January 2016, Ms Wood (who was the author of the email and Head of Financial Crime Compliance Policy & Framework, and who was relaying information internally to another employee of the Bank) appears to have ascertained, at around that time, that:

… only a very small number of TTRs were lodged in respect of the other two codes meaning that the 53,529 unreported TTRs is 95 per cent of all TTRs that should have been relating to IDMs during the period.

476    Therefore, I am not satisfied that the Bank was “aware” of the September 2015 Late TTR Information from around 8 September 2015 or shortly thereafter, as pleaded, because, at that time, the Bank did not have the information in integer (b), which only appears to have come to light in January 2016.

477    I am satisfied, however, that, as at 24 April 2017 (the date referred to in para 41C of the statement of claim), the Bank was “aware” of the September 2015 Late TTR Information.

The Account Monitoring Failure Information: the applicants’ submissions

478    As to the June 2014 Account Monitoring Failure Information, the applicants rely on the Bank’s admissions that, from about 20 October 2012 to about 12 October 2015, Part A of the Bank’s Joint AML/CTF Program provided that products or services subject to Priority Monitoring (as referred to in the program) would be subject to automated transaction monitoring as determined by the AML/CTF Compliance Officer and that, for some or all of that period, automated transaction monitoring did not operate as intended because of a computer coding error which occurred in the process of merging data from two systems. I have discussed the circumstances in which this error occurred at [155] – [161] above.

479    The applicants also rely on the Bank’s admissions that this issue was identified by the Bank on about 16 June 2014, and was progressively remedied until 12 October 2015. The applicants submit that there is “no real doubt” that, by 16 June 2014, the June 2014 Account Monitoring Failure Information “existed”.

480    As to the number of affected accounts, the Bank reported that 778,370 accounts were affected by this issue, over varying periods of time, in a letter to AUSTRAC dated 13 April 2017 (see [326] above). On the basis that the error was progressively remedied up to 12 October 2015, and assuming a steady rate of progression, the applicants have calculated that by 16 June 2014, approximately 676,454 accounts would have been affected. Thus, this integer of the June 2014 Account Monitoring Failure Information rests on the applicants own assumptions and calculations, rather than evidence that this information was a known fact as at 16 June 2014.

481    The applicants also rely on Mr Elliott’s evidence. Adopting similar reasoning as he had in relation to the June 2014 Late TTR Information, Mr Elliott expressed the opinion that the Bank should have detected the June 2014 Account Monitoring Failure Information by 16 June 2014. He based his opinion on four matters. First, the Bank had “the necessary data available in an accessible form, and had the requisite skills and knowledge to implement a reconciliation method”. Secondly, the Bank was required by the AML/CTF Act to implement appropriate controls and processes. Thirdly, the Bank had been “advised of deficiencies in their AML/CTF systems prior to the June 2014 Account Monitoring Failure being first identified” by the Bank (this was a reference to the TMP review report in 2011 by PwC). Fourthly, the Bank should have implemented Detection Methods, such as reconciliation controls in its IT processes and procedures.

482    Mr Elliott’s overall conclusion was:

… CBA had a regulatory requirement and had the necessary data to implement effective Detection Methods. Deficiencies in the AML/CTF systems had been identified by CBA. Having regard to these matters, CBA should have implemented effective Detection Methods and Compensating Controls contemporaneously with the production system which would have enabled them to detect the June 2014 Account Monitoring Failure Information on or before 16 June 2014.

483    Further, based on the four principles in the Bank’s Compliance Incident Management Group Policy ([69] above), the applicants submit that, by July to August 2014, the Bank had identified a “compliance incident” and “reportable breach”. In this connection, they submit that the June 2014 Account Monitoring Failure Information represented a contravention of s 36 of the AML/CTF Act (a failure to monitor customers in accordance with the AML/CTF Rules) or a contravention of s 82 (a failure to comply with Part A of the Bank’s AML/CTF Program). The applicants submit that had the Bank’s policy been followed, these matters would have been escalated.

484    In his evidence in chief, Mr Narev said that, until May 2017, he was not aware that, from at least 20 October 2012 to 8 September 2015, the Bank had failed to conduct account level monitoring with respect to 778,370 accounts. However, in cross-examination he accepted that knowledge as at June 2014 of the failure to monitor should have been escalated to officer level at that time:

You accept that not carrying out monitoring of priority accounts is a non-compliance with CBAs program?---Yes.

And do you accept that that issue having been discovered in June 2014, it should have been conformably with CBAs procedures, that breach should have been escalated to officer level at that time or shortly thereafter?---Yes. I am not familiar with exactly the nature of the discovery, but if as outlined here this sort of thing was discovered, then yes.

Yes, it should have been escalated to an - - -?---Yes.

- - - officer level shortly after June 2014?---Well, you know, again it should have been identified as a compliance breach, reported to AUSTRAC, and then I would expect it to show up in that regulatory report that I’ve said that we would get monthly.

485    The applicants submit that this evidence is supported by, amongst other things, the course of events that took place when “data integrity issues” with respect to upgrading and testing the FCP as part of work called Project Isaac came to light in October 2015. At that time, those particular issues were escalated to a number of the Bank’s officers.

486    The applicants submit that the August 2015 Account Monitoring Failure Information “existed” within the Bank by 11 August 2015. They submit that, given that 778,370 were, in fact, not subjected to transaction monitoring, it must be the case that by 11 August 2015—which was just two months before the error was fixed—“approximately” 778,370 accounts were affected.

487    The applicants rely on an internal email dated 13 April 2015 between employees of the Bank in which one employee stated that he was aware that “about 1 million CBA profiles are not being picked up by FCP/Pegasus”. The applicants submit that this email demonstrates that AML/CTF staff were aware in early 2015 of a compliance incident and reportable breach requiring escalation under the terms of the Compliance Incident Management Group Policy.

488    As to the September 2015 Account Monitoring Failure Information, the applicants rely on the fact that 8 September 2015 was only five weeks prior to the error being fixed. According to the applicants, it can be said, therefore, that, as at 8 September 2015, “approximately” 778,370 accounts would have been affected, and that this information “existed” within the Bank.

The Account Monitoring Failure Information: analysis

489    I am not satisfied that the Bank was “aware” of the Account Monitoring Failure Information in any of its pleaded forms as at 16 June 2014 or shortly thereafter or as at 11 August 2015 or shortly thereafter, or at 8 September 2015, or shortly thereafter.

490    There is no doubt that the account monitoring failure issue was identified on about 16 June 2014 by an employee of the Bank. However, this issue was not escalated at that time. I am satisfied that, had the Bank’s Compliance Incident Management Group Policy been adhered to, the account monitoring failure issue would have come to the attention of the responsible company officer at around that time.

491    However, this part of the applicants’ case relies on the same incorrect approach I have criticised at [441] – [442] above—it is based on an abstract inquiry, where the “existence” of the fact can be ascertained by an ex post facto investigation, divorced from whether a relevant person actually knew the fact at the relevant time or ought to have formed an opinion or drawn an inference to the effect of that fact from other known facts.

492    As to the June 2014 Account Monitoring Failure Information, I am not satisfied that, from around 16 June 2014 or shortly thereafter, it was known (and that the Bank was accordingly “aware”) that, from at least 20 October 2012, the Bank had failed to conduct account level monitoring with respect to approximately 676,000 accounts. Indeed, there is no evidence that, in fact, approximately 676,000 accounts were not monitored, as the applicants allege. As I have said, this integer of the June 2014 Account Monitoring Failure Information rests on the applicants’ own assumptions and calculations. There is certainly no evidence that this information existed at the relevant time.

493    Further, I am not satisfied that, from around 11 August 2015 or shortly thereafter (in respect of the August 2015 Account Monitoring Failure Information), or from around 8 September 2015 or shortly thereafter (in respect of the September 2015 Account Monitoring Failure Information), it was known (and that the Bank was accordingly “aware”) that, from at least 20 October 2012, the Bank had failed to conduct account level monitoring with respect to 778,370 accounts.

494    The figure of 778,370 accounts appears to have been obtained from the Bank’s letter to AUSTRAC on 13 April 2017 ([326] above). This letter was a response to a request for information made by AUSTRAC on 1 March 2017. In its letter of 1 March 2017, AUSTRAC referred to the internal email dated 13 April 2015 between employees of the Bank to which I have referred ([487] above). Based on that email, AUSTRAC sought a number of items of information, including the following:

Please confirm the exact number of CBA profiles that were not picked up by FCP/Pegasus and the dates between which these profiles were not being picked up by FCP/Pegasus.

495    In response to that request for information, the Bank provided a table in its letter of 13 April 2017, which recorded that, in total, 778,370 accounts were affected:

Period account affected

Number of Affected Accounts not subject to relevant TM by maximum time impacted*

<1 month

54,357

1-3 months

164,920

4-6 months

75,685

7 to 12 months

140,143

13 to 24 months

269,549

25 to 36 months

73,716

TOTAL

778,370

Notes

*Maximum time an account was an Affected Account, calculated from the first time the account was impacted to the last time the account was impacted. The account may not have been impacted for the entire period (as an Affected Account profile may have self-corrected (ie the 'account description' field may have updated and not have been blank during the period)), and may have been impacted more than once.

496    There is no evidence which persuades me that this figure was known to employees of the Bank earlier than sometime between 1 March and 13 April 2017. The figure appears to have been ascertained as a result of AUSTRAC’s request for information on 1 March 2017. Therefore, the figure of 778,370 accounts relies on information acquired well after the relevant pleaded dates for each form of the Account Monitoring Failure Information. It is also, self-evidently, information obtained as a result of a specific analysis undertaken in March/April 2017. It is not suggested that a relevant person could simply opine or infer, from known facts, that this particular number of accounts had been affected.

497    I should add, in this regard, that the applicants appear to rely on the internal email of 13 April 2015 only for the proposition that the Bank’s staff were aware in early 2015 of a compliance incident and a reportable breach that required escalation. Insofar as the applicants do seek to rely on the statement in the email that “about 1 million CBA profiles are not being picked up by FCP/Pegasus” as demonstrating the number of affected accounts or the scale of the affected accounts, it is not the information that the applicants plead in any form of the Account Monitoring Failure Information. What is more, the figure of “about 1 million CBA profiles”—if this is taken to be the number of affected accounts—is simply wrong, having regard to the later analysis that was carried out by the Bank for the purpose of responding to AUSTRAC on 13 April 2017.

498    As with the Late TTR Information, Mr Elliott’s evidence does not assist the applicants. It proceeds on Mr Elliott’s opinion as to what the Bank could have done, and should have done, to ascertain the Account Monitoring Failure Information as pleaded. As I have explained, what the Bank could have done, and should have done, are not relevant questions. Having reached this conclusion, it is not necessary for me to deal further with Mr Elliott’s evidence on this topic.

499    For the sake of completeness, I should record that it is not accurate to say that the Bank “failed to conduct account level monitoring” in the general terms in which the Account Monitoring Information is pleaded. As I have said, the number of the accounts affected by the account monitoring issue varied over time. The numbers are given in the analysis undertaken in March/April 2017 and reported to AUSTRAC at that time. In its letter to AUSTRAC dated 13 April 2017, the Bank pointed out that, in respect of the affected accounts, the account monitoring failure was intermittent for periods that varied between one day and 36 months; not all employee-related accounts were affected by the issue; and approximately 25% of the affected accounts were inactive. The applicants do not challenge these facts.

500    Further, the Bank’s letter to AUSTRAC recorded that only in some instances were the affected accounts not subject to customer level transaction monitoring in the FCP. Further, all the affected accounts were still otherwise subject to financial crime screening (screening against sanctions, politically exposed persons and terrorists lists). Once again, the applicants do not challenge these facts.

501    I am satisfied, however, that, as at 24 April 2017 (the date referred to in para 45AC of the statement of claim), the Bank was “aware” of the September 2015 Account Monitoring Failure Information.

The IDM ML/TF Risk Assessment Non-Compliance Information: the applicants’ submissions

502    In its defence, the Bank admits that it did not conduct an assessment of ML/TF risk in relation to the provision of designated services through its IDMs prior to their introduction in or around May 2012, or at any time prior to July 2015. The Bank also admits that, by not conducting an assessment of ML/TF risk prior to the introduction of IDMs, the Bank failed to comply with its AML/CTF Program.

503    The applicants submit that, given these admissions, there can be “no dispute” that the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information “existed” as at 16 June 2014. The applicants submit that the question is whether that failure should have been elevated to officer level.

504    As I have noted, Part A of the Bank’s Joint AML/CTF Program required each Business Unit or Designated Business Group (where the reporting entities in the Group were related to each other) was required to conduct an assessment, using the Group’s ML/TF Risk Assessment Methodology (or another appropriate and approved method), of the inherent ML/TF risk posed by: (a) each new designated service prior to introducing it to the market; (b) each new method of designated service delivery prior to adopting it; and (c) each new or developing technology used for the provision of a designated service prior to adopting it.

505    As I have also noted, the applicants submit that the new IDM channel rolled out in May 2012 fits each of these descriptions (or at least (b) and (c)). They submit that had any or reasonable attention been given by the Bank’s staff to the requirements of the program, the failure to carry out an assessment in relation to IDMs would have been “obvious”.

506    The applicants also rely on the fact that the Bank was required to carry out periodic reviews (at a minimum every two years). Thus, a periodic review should have been carried out by at least May 2014 (two years after the introduction of the IDMs).

507    The applicants submit, therefore, that, by 16 June 2014, it is “plain” that the Bank’s staff should have detected that no ML/TF risk assessment of IDMs had been conducted as required.

508    The applicants submit, further, that the Bank’s failure in this regard was a breach of s 82 of the AML/CTF Act, and a compliance incident and reportable breach that would have been escalated to officer level had the Bank’s Compliance Incident Management Group Policy been followed. The applicants submit that a relevant officer would have, or ought to have, discerned the significance of the information.

509    The applicants repeat and rely on the same submissions with respect to the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information. In addition, they submit that, by mid-2015, numerous people within the Bank, who were at least executive managers (and who reported to senior personnel or officers), were aware that the Bank had failed to carry out an ML/TF risk assessment of IDMs prior to their rollout in May 2012 or at any time until July 2015.

510    In this regard, the applicants rely on the fact that, on 7 July 2015, Mr Kalra and Mr Dyordyevic were informed that Group Compliance had requested that a risk assessment be performed on IDMs in response to the receipt by Group Security of “some enquiries from the law enforcement agencies relating to use of IDM’s for deposits”. In furtherance of that task, Mr Kalra engaged someone from his “team” to “draft the risk assessment questions”. As events transpired, the IDMs were assessed as “high risk”.

511    The gravamen of this part of the applicants’ submissions appears to be that, because risk assessment questions were drafted in respect of this particular inquiry (which does not appear to have been made by AUSTRAC), and a risk assessment subsequently carried out, the Bank must have known, at that time, that no previous risk assessment of IDMs had been carried out.

512    For completeness, and for the avoidance of doubt, I record that the applicants do not advance any submissions in support of integer (b) of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information.

513    I should also record that the applicants allege, alternatively, that the Bank was aware of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information from 8 September 2015 or shortly thereafter (para 43B of the statement of claim) or as at 24 April 2017 or shortly thereafter (para 43C of the statement of claim). In closing submissions, the applicants did not address, separately, the Bank’s alleged awareness of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information from 8 September 2015 or shortly thereafter beyond the submissions they made in respect of the Bank’s alleged awareness of that Information as at 11 August 2015. They did not address the Bank’s alleged awareness of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information as at 24 April 2017 or shortly thereafter.

The IDM ML/TF Risk Assessment Non-Compliance Information: analysis

514    I am not satisfied that the Bank was actually aware of: (a) the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information from around 16 June 2014 or shortly thereafter; or (b) the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information from 11 August 2015 or shortly thereafter, or from 8 September 2015 or shortly thereafter, or as at 24 April 2017, or shortly thereafter. Such a finding requires the constituent finding that, at a relevant time, the Bank was actually aware that, by not carrying out a separate and additional risk assessment in respect of its IDMs before they were rolled out in May 2012 or at any time up to July 2015, it had failed to comply with its AML/CTF Program.

515    I observe that, on the evidence before me, no question about risk assessments with respect to IDMs in the context of the Bank’s AML/CTF obligations was raised by anyone until 12 October 2015 when AUSTRAC sought information in relation to the late TTR issue. At that time, AUSTRAC sought all documents evidencing “any ML/TF risk assessment that [the Bank] conducted on the IDMs before rolling out these machines in May 2012”.

516    Within the Bank, this part of AUSTRAC’s request appears to have been directed to Mr Kalra who, on 19 October 2015, reported (internally):

No formal risk assessment document was created prior to the roll out of the IDMs in 2012 because this was only considered an enhancement to existing ATM functionality and not considered a roll out of new product. However Retail Bank’s AML Compliance team was heavily involved in this project and provided AML requirements which were documented in the Business Requirements Document …

517    The Bank replied to AUSTRAC by letter on 26 October 2015. The letter was written by Mr Toevs:

CBA considers that IDMs were an enhancement of the existing ATM functionality as a channel to provide designated services. As a result, CBA has relied upon the ML/TF risk assessments conducted on ATMs as a channel for providing designated services.

518    The Bank’s letter provided an extract of a risk assessment in relation to its ATMs that was undertaken in March 2011. The letter stated that AML/CTF compliance was a key consideration in the roll out of IDMs and that AML/CTF requirements were documented in the business requirements document. The letter also stated that no changes had been made to IDMs since 2012 to warrant any further risk assessment.

519    The Bank’s letter also stated that the AML/CTF systems and controls that the Bank implemented to address ML/TF risks associated with IDMs included TTR reporting and transaction monitoring “which were mandatory requirements in the context of the IDM roll-out project”, and that TTR reporting functionality was built and linked to IDMs. The letter also stated that, prior to roll out, certain transaction monitoring rules were linked to deposits via IDMs.

520    There is nothing in Mr Kalra’s internal communication or in the Bank’s reply to AUSTRAC that manifests any actual awareness by the Bank that, by not carrying out a formal and separate risk assessment with respect to the roll out of IDMs in 2012 or at any time up to July 2015, the Bank had not complied with its AML/CTF Program.

521    Also, I have not been taken to any correspondence from AUSTRAC, or any other document in evidence, which, before 3 August 2017, challenges the correctness of the view expressed in the Bank’s letter to AUSTRAC of 26 October 2015 or otherwise brings to the Bank’s attention that, by not carrying out a formal and separate risk assessment in respect of IDMs, it had failed to comply with its AML/CTF Program.

522    In this connection, I should point out that a file note of Mr Narev’s and Ms Livingstone’s meeting with Mr Jevtovic and Mr Clark on 21 March 2017 is in evidence. That note records, as one of AUSTRAC’s concerns, that the Bank had failed to undertake a proper risk assessment of IDMs when they were introduced.

523    This statement must be read in the context of other matters recorded in the note (which are restricted from publication). Properly understood, the concern, as recorded, appears to have been with the quality of the Bank’s assessment of the risk attending IDMs.

524    Mr Narev’s evidence was that Mr Jevtovic’s concern was that there should have been an earlier risk assessment, not that the Bank had failed to comply with its AML/CTF Program. Mr Narev said that he did not understand there to have been any allegation of non-compliance in this regard until AUSTRAC commenced proceedings against the Bank on 3 August 2017 making that allegation. I accept that evidence. There is no evidence that any other officer of the Bank held a different view.

525    Further, I am not persuaded that the risk assessment carried out by the Bank in about July 2015 has any bearing on whether the Bank was “aware” of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information. This is because the inquiry was not prompted by AUSTRAC in respect of the Bank’s AML/CTF obligations but by other, “law enforcement agencies”, apparently for their own purposes. The evidence shows that, in relation to that inquiry, Mr Kalra’s task was “to refresh Product Risk Assessment for IDMs and identify any control enhancements”. This indicates that, in relation to those agencies, the Bank was of the view that an appropriate product risk assessment had been carried out and that the requested task was to update or “refresh” the assessment that had already been done.

526    Absent actual knowledge (which the applicants have not established), there is a question whether: (a) from around 16 June 2014 or shortly thereafter the Bank was constructively aware of the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information; or (b) from around 11 August 2015 or shortly thereafter, or from 8 September 2015 or shortly thereafter, or as at 24 April 2017 or shortly thereafter, the Bank was constructively aware of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information—that is, that a relevant person knew facts from which that person ought reasonably to have formed an opinion or drawn an inference consistent with either of the pleaded forms of the IDM ML/TF Risk Assessment Non-Compliance Information: Crowley FC at [182].

527    I am not satisfied that from around 16 June 2014 or shortly thereafter a relevant person knew facts from which that person ought reasonably to have formed an opinion or drawn an inference consistent with the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information that, from May 2012, the Bank had failed to “carry out any assessment of ML/TF Risk in relation to or including the provision of designated services through [the Banks] IDMs, as required to comply with [the Bank’s] AML/CTF Program”. There is nothing in the evidence to suggest that any person within the Bank had turned his or her mind to that particular question or had been prompted to do so.

528    For the same reason, I am not satisfied that from around 11 August 2015 or shortly thereafter a relevant person knew facts from which that person ought reasonably to have formed an opinion or drawn an inference consistent with the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information that, between May 2012 and July 2015, the Bank had failed to “carry out any assessment of ML/TF Risk in relation to or including the provision of designated services through [the Bank’s] IDMs, as required to comply with [the Bank’s] AML/CTF Program”.

529    The position is otherwise as at October 2015. By its letter of 12 October 2015, AUSTRAC prompted the Bank’s consideration of whether the Bank had carried out a separate risk assessment in respect of its IDMs before rolling them out in May 2012. Given that no such assessment had been carried out, AUSTRAC’s query inevitably required the Bank to revisit why such an assessment had not been carried out. The Bank’s response, which I have no reason to conclude was not a genuine response, was, in effect, that it did not consider, as at May 2012 or as at 12 October 2015, that such an assessment was necessary. This, however, does not answer the critical question of whether such an assessment was nevertheless required for the Bank to comply with its AML/CTF Program.

530    Considering the matter objectively as at 26 October 2015, when it provided its response to AUSTRAC, the Bank: (a) must be taken to have known the requirements of its own AML/CTF Program, which required a separate risk assessment to be undertaken in respect of IDMs before rolling them out; and (b) knew that no such assessment had been undertaken. From those objective facts, the Bank ought reasonably to have concluded, at that time, that, in the period between May 2012 and July 2015, it had failed to “carry out any assessment of ML/TF Risk in relation to or including the provision of designated services through [the Bank’s] IDMs, as required to comply with [the Bank’s] AML/CTF Program”.

531    It follows that, as at 26 October 2015 (which I am prepared to accept is “shortly after” 8 September 2015), the Bank was constructively aware of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information.

Potential Penalty Information: the applicants’ submissions

532    As with the other items of information, the applicants submit that there can be “no doubt” that the Potential Penalty Information “existed” at the pleaded times.

533    According to the applicants, this is because each item of information they allege the Bank failed to disclose was “information of, or relating to, multiple allegations of serious and systemic non-compliance with the AML/CTF Act”. As such, the Bank was “exposed to potential enforcement action in the form of civil penalty proceedings brought by AUSTRAC in respect of each allegation of contravening conduct”. The applicants submit that, having regard to “the number and systemic nature of the underlying contraventions”, the Bank was not only at risk that AUSTRAC would commence civil penalty proceedings against it, but also at risk that it would suffer a “significant penalty” in respect of each contravention, “amounting to a substantial penalty overall”.

534    With respect to the period up to around 16 June 2014 or shortly thereafter, the applicants submit that the Bank had the findings of the 2013 audit report (of which various officers were aware) from which it should have been inferred that the Bank had AML/CTF compliance issues that had given rise to risks, including the risk of “regulatory penalties”.

535    Further, the applicants submit that, as at 16 June 2014, the Bank had constructive awareness of the TTR issue. Having regard to the context in which this submission is made, I assume the applicants mean that the Bank had constructive awareness of the June 2014 Late TTR Information. They submit that, had this issue been appropriately escalated, then there is “no doubt” that it “would have been deemed as having the ‘implication’ of ‘regulatory penalties’”, in line with the “less serious” issues raised in the 2013 audit report.

536    With respect to the period up to 11 August 2015 or shortly thereafter, the applicants submit that “a significant number of events had come to pass which signalled to CBA officers that CBA was potentially exposed to enforcement action … and that this might result in CBA being ordered to pay a substantial civil penalty”.

537    In this connection, the applicants refer to the delivery of the Project Alpha Report ([196] – [201] above); the APRA Report ([202] – [204] above); and the 2015 audit report ([209] – [221] above), and knowledge of the findings of those reports. The applicants also refer to the commencement of the Tabcorp proceeding on 22 July 2015, and the Bank’s awareness of that fact. Further, the applicants refer to the Bank’s meeting with AUSTRAC on 30 July 2015 ([224] – [226] above).

538    The applicants submit that, as at 11 August 2015, the Bank had constructive awareness of the TTR issue”. Once again, having regard to the context in which this submission is made, I assume the applicants mean that the Bank had constructive awareness of the August 2015 Late TTR Information. The applicants submit that, had this matter been appropriately escalated in “October 2013” (I assume the applicants mean August 2015),

there is no doubt that CBA officers would reasonably have come into possession of the information that CBA was potentially exposed to enforcement action by AUSTRAC in respect of allegations of serious and systemic non-compliance with the AML/CTF Act, and that this might result in CBA being ordered to pay a substantial civil penalty.

539    In this latter regard, the applicants rely upon the following exchange in Mr Narev’s cross-examination, which took place in the context of discussing the Project Alpha Report:

So it was very obvious to, well, it would be appear Mr Toevs and to you, I suggest, as at 19 August 2014 that there were very significant problems in relation to the bank’s AML/CTF framework; correct?---Well, yes. Yes, I will accept that, yes.

And that those problems were likely to attract increased regulatory scrutiny; correct?---Yes.

And CBA was exposed to a very significant risk of non-compliance with its AML/CTF obligations?---Yes.

And that meant it was exposed to the risk of serious reputational damage; correct?---Yes, and that needs to be seen in the context of the fact as you will recall that monthly updates for remediation are being given to the regulator.

Yes. But it was also CBA was also exposed to the risk of regulatory action including fines; correct?---Yes.

540    The applicants also rely on the following exchange in Mr Narev’s cross-examination in relation to the 2015 audit report:

Did you understand at the time, at the time of this report, April – I’m sorry, May 2015, that any contravention of or any failure to lodge a timely TTR could result in a penalty of $18 million?---Well, I was certainly aware of the likelihood of penalties, yes, or the possibility of penalties I should say.

So you understood that failure to lodge TTRs could give rise to significant penalties?---Yes.

541    With respect to the period up to 8 September 2015 or shortly thereafter, the applicants submit that officers of the Bank had actual awareness of the “TTR issue”. Once again, having regard to the context in which the submission is made, I understand the applicants to mean that the Bank had actual awareness of the September 2015 Late TTR Information.

542    The applicants refer to the meeting with AUSTRAC on 19 August 2015 ([227] above). As I have already noted ([225] above), at an earlier meeting on 30 July 2015 (for a “general monthly update”), AUSTRAC had expressed concerns about the findings of the 2015 audit report. Bank employees (Mr Byrne and Ms Ishlove-Morris) were told at the meeting that AUSTRAC “would … consider if enforcement action would be necessary”. However, as I have also already noted, at the meeting on 19 August 2015 the Bank was told informally that “the enforcement comment” had been made incorrectly, although, according to Mr Dingley, “there was no firm retraction of the comment during the meeting”. In this part of their submissions, the applicants emphasise the latter matter—that there had been “no firm retraction” of the earlier “enforcement comment”.

543    The applicants also submit that “it had become apparent to the [Bank] that, if that issue was systemic”, AUSTRAC would take enforcement action”. The last-mentioned submission is made with reference to a number of documents, none of which support that particular submission. One of the referenced documents is an email from Mr Dingley to Mr Toevs dated 20 August 2015 about the discovery of the late TTR issue. In that email, Mr Dingley said:

… Tony Byrne is working with RBS and ES to get all the facts. If this is systemic, it will be very disappointing as Tony Byrne has had prior confirmation from RBS Risk that this was operating correctly.

544    The applicants also rely on the “short briefing paper” dated 4 September 2015, which Mr Narev had requested on the late TTR issue ([255] above). They emphasise the prefatory section of the report which states with respect to the obligation to lodge TTRs: “Failure to comply with this obligation can result in reputational damage and regulatory enforcement including fines and remedial action”.

545    They also refer to Mr Narev’s email to Mr Comyn on 6 September 2015 ([256] above), when Mr Narev said that the late TTR issue needed to be taken “extremely seriously”. The effect of Mr Narev’s cross-examination was that, based on discovery of the late TTR issue, he understood that from around 6 September 2015, there was a risk of regulatory action against the Bank by AUSTRAC, which could include the imposition of a significant fine.

546    With respect to the period up to 24 April 2017 or shortly thereafter, the applicants rely on the following matters.

547    First, on 12 October 2015, Mr Toevs had received a letter from AUSTRAC recording its serious concerns about the scale of the Bank’s non-compliance with s 43 of the AML/CTF Act in respect of the late TTR issue. On the same day, Mr Toevs, Mr Dingley and Ms Williams prepared a risk report which, in a prefatory section, noted that the failure to comply with AML/CTF obligations can result in reputational damage and regulatory enforcement action including “fines and remedial action”. The report drew attention to the existence of overseas and Australian regulatory action, including the action taken by AUSTRAC against Tabcorp.

548    Secondly, the applicants refer to the meeting between the Bank’s Board and Mr Jevtovic and Mr Clark, on 14 June 2015. The applicants contend that the holding of this meeting was “(c)ommensurate with an increasingly crystallised concern” within the Bank that “AUSTRAC may commence civil penalty proceedings against it, sometime in the following months”.

549    Thirdly, the applicants rely on AUSTRAC giving the first, second, and third statutory notices. In relation to the first statutory notice, Mr Comyn, Mr Craig, and Mr Toevs received an email on 23 June 2016 noting (amongst other things) the information collected under the notice could be used by AUSTRAC in “civil penalty proceedings against the Group”. The same information was provided to Mr Narev by email on 13 July 2016. This email was also sent to Mr Comyn, Mr Craig, and Mr Cohen, and noted that “(t)he maximum penalty that could potentially be applied by a court is $18 million per breach”.

550    Fourthly, the applicants rely on the matters communicated by Mr Jevtovic to Ms Livingstone at their meeting on 30 January 2017 (see [290] – [295] above).

551    Fifthly, the applicants rely on the meeting with AUSTRAC on 7 March 2017, in which AUSTRAC, according to Ms Watson, described its view of the TTR and associated matters as ‘serious, significant and systemic’” and said that the Bank’s “failure to immediately and proactively tell them about these and other problems … is a show of bad faith which leads them to wonder what else is broken across [the Bank’s] financial crime landscape. Relatedly, the applicants rely on the fact that the Bank’s legal team were, at that time, “helping draft a defence outline so we can work out what we do under a civil penalty scenario in particular”.

552    Sixthly, the applicants rely on Mr Narev’s preparation of a first draft “high level script” in anticipation of his and Ms Livingstone’s meeting with Mr Jevtovic and Mr Clark on 21 March 2017, in which Mr Narev proposed that the Bank would commit to a course of action, prior to AUSTRAC taking any formal action, which included the Bank paying a “fine”. Relatedly, the applicants rely on Mr Jevtovic’s indication at the meeting that AUSTRAC was considering options, which included applying to the Court for a civil penalty. Mr Narev accepted in cross-examination that, at that time, it was “highly likely”, but not inevitable, that AUSTRAC would be seeking a “fine” against the Bank.

553    The applicants contend that Mr Narev knew or was aware that the Bank might be ordered to pay a “substantial penalty”. However, the transcript reference on which they rely for that submission does not fully support it. Mr Narev’s evidence, which I accept, was that, at that time, there was, to his recollection, no discussion about what the “fine” might be, although he knew that the maximum penalty per breach was $18 million.

Potential Penalty Information: analysis

554    There are some preliminary observations I should make with respect to the definition of the Potential Penalty Information in the statement of claim before dealing with the case advanced by the applicants in closing submissions.

555    In a number of important respects the Potential Penalty Information is pleaded in vague terms. I refer, specifically, to the expressions “potentially exposed” and “might result” (emphasis added). It also employs evaluative terms. I refer, specifically, to “serious and systemic non-compliance”, and “a substantial civil penalty”. All these expressions are elastic expressions which are open to different interpretations depending on the individual’s own perceptions and appreciation of the context and circumstances in which the expressions are used. The evidence given by the Bank’s witnesses on this topic, in particular the evidence given by Mr Narev, Mr Apte, and Mr Cohen, must be understood accordingly.

556    In closing submissions, the Bank highlighted the difficulties presented for fact-finding by the Court through the imprecision that is imparted by these expressions. I am inclined to the view, however, that, for the purposes of establishing legal liability, these difficulties result in more challenges for the applicants than they do the Bank.

557    One thing that is tolerably clear is that, by their particularisation of the expression Potential Penalty Information, the applicants have firmly anchored this aspect of their case on the Bank’s alleged “awareness” of the various pleaded forms of the Late TTR Information, the Account Monitoring Failure Information, and the IDM ML/TF Risk Assessment Non-Compliance Information: see paras 48 and 49 of the statement of claim.

558    In other words, the Bank’s “awareness” of the Potential Penalty Information depends, fundamentally, on the applicants establishing the Bank’s “awareness” of the other pleaded categories of the Information. It is from this “awareness” that the applicants say that the Bank was also “aware” that it was potentially exposed to enforcement action by AUSTRAC which might result in the Bank being ordered to pay a substantial civil penalty (the “serious and systemic non-compliance with the AML/CTF Act” being evident with respect to each pleaded form of the Late TTR Information and each pleaded form of the Account Monitoring Failure Information, and the “serious non-compliance with the AML/CTF Act” also being evident with respect to each pleaded form of the IDM ML/TF Risk Assessment Non-Compliance Information).

559    For the reasons given above, I am not satisfied that the Bank was aware of:

(a)    the June 2014 Late TTR Information as at 16 June 2014 or shortly thereafter, the August 2015 Late TTR Information as at 11 August 2015 or shortly thereafter, or the September 2015 Late TTR Information as at 8 September 2015 or shortly thereafter;

(b)    the June 2014 Account Monitoring Failure Information as at 16 June 2014 or shortly thereafter, the August 2015 Account Monitoring Failure Information as at 11 August 2015 or shortly thereafter, or the September 2015 Account Monitoring Failure Information as at 8 September 2015 or shortly thereafter; or

(c)    the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information as at 16 June 2014 or shortly thereafter or the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information as at 11 August 2015 or shortly thereafter.

560    To this extent, the applicants’ case on the Bank’s “awareness” of the Potential Penalty Information fails.

561    However, as discussed above, I am satisfied that, as at 24 April 2017, the Bank was aware of the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information. I am also satisfied that, shortly after 8 September 2015 (namely, as at 26 October 2015), the Bank was constructively aware of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information. The latter finding is, however, of little moment in relation to the Potential Penalty Information aspect of the applicants’ case because that case depends on the Bank’s awareness of “serious and systemic non-compliance” (my emphasis) and the applicants do not allege that the IDM ML/TF Risk Assessment Non-Compliance Information, taken alone, was “systemic” non-compliance: see the particulars to para 48 of the statement of claim. This is important because the applicants’ case is that, on becoming aware of the IDM ML/TF Risk Assessment Non-Compliance Information, the Bank should have immediately disclosed that information—here, on my finding, on 26 October 2015, before the Bank was aware of the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information. With these findings in mind, I turn to consider the remaining aspects of the Bank’s awareness of the Potential Penalty Information.

562    I proceed on the basis that the word “potentially” as used in the definition of “Potential Penalty Information” bears its ordinary dictionary meaning of “not actually, but possibly”. By 24 April 2017, the Bank knew that it was possible that AUSTRAC could take enforcement action against it, particularly in relation to the late TTR issue. I also accept that the Bank knew that the same possibility existed in relation to the account monitoring failure issue.

563    The Bank also knew that, although enforcement action by AUSTRAC covered a range of possible actions, it certainly included commencing proceedings for a civil penalty. Although the Bank might not have had any firm idea of what the actual amount of any such penalty might be, it did know that the maximum penalty per breach was $18 million. I am satisfied, therefore, that, on any ordinary understanding of the word “substantial”, the Bank was aware that any possible penalty that might be ordered against it would be “substantial”.

564    I am satisfied that, by 24 April 2017, the Bank was also “aware” that AUSTRAC had expressed its view that the Bank’s non-compliance with its AML/CTF obligations was “serious, significant and systemic”. This certainly included, but was not confined to, the Bank’s non-compliance in relation to the late TTR issue. There may be differences as to whether the late TTR issue is properly regarded as “systemic”, but that was the allegation that AUSTRAC had made. I accept, therefore, that, in terms of the Potential Penalty Information, the Bank was “aware” that, by this time, AUSTRAC had made allegations that its non-compliance with the AML/CTF Act were “serious and systemic”.

565    I am satisfied, therefore, that, as at 24 April 2017, the Bank was “aware” of the Potential Penalty Information to the extent that it is related to the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information. To this extent, the applicants have established their case on “awareness” in respect of the Potential Penalty Information.

Conclusion

566    I am satisfied that, as at 26 October 2015, the Bank was constructively aware of the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information.

567    I am also satisfied that, as at 24 April 2017, the Bank was aware of the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information, together with the Potential Penalty Information (to the extent that it is dependent on the Bank’s awareness of the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information).

The completeness and accuracy of the pleaded information

Legal principles

568    Before proceeding to consider questions of materiality, particularly in relation to the information of which the Bank was “aware”, it is appropriate to consider whether the information (which the applicants contend should have been disclosed) was information that was appropriate to be disclosed in its pleaded form. In this regard, I refer to my previous remarks concerning the applicants’ onus to plead, completely, the information which, they say, the ASX required the Bank to disclose under r 3.1 of the ASX Listing Rules.

569    Given that r 3.1 of the ASX Listing Rules provides that the information that an entity is required to disclose is information that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, Guidance Note 8 published by the ASX emphasises that “(a)n announcement under Listing Rule 3.1 must be accurate, complete and not misleading”. Guidance Note 8 also emphasises that: (a) “an announcement must be couched in language that is appropriate for release to the market”; (b) the information should be “factual, relevant and expressed in a clear and objective manner”; (c) and the information should not be expressed in “vague or imprecise terms”, which “do not allow investors to assess the value of the information for the purpose of making an investment decision”: see section 4.15 which is headed Guidelines on the contents of announcements under Listing Rule 3.1.

570    Guidance Note 8 also emphasises that, in assessing whether or not information is market sensitive, and therefore needs to be disclosed under r 3.1, the information needs to be looked at in context, rather than in isolation, against the backdrop of (amongst other things) the circumstances affecting the entity at the time: see section 4.3

571    These considerations are important and are based on established legal principles. In Jubilee Mines NL v Riley [2009] WASCA 62; 40 WAR 299 (Jubilee Mines), Martin CJ said (at [87] – [88]):

87     There are a number of preliminary observations appropriately made in relation to these grounds. The first is that the evident purpose of each of the listing rule and the relevant statutory provisions is to ensure an informed market in listed securities. Put another way, the legislative objective is to ensure that all participants in the market for listed securities have equal access to all information which is relevant to, or more accurately, likely to, influence decisions to buy or sell those securities. It would be entirely contrary to that evident purpose to construe either the listing rule or the statutory provisions as countenancing the disclosure of incomplete or misleading information.

88     The next relevant general observation is that the ultimate determination of the ambit of the information appropriately disclosed, on the proper construction of the listing rule and the statutory provisions, was essentially a determination for the master drawing upon the facts established by the evidence. If the proper conclusion from the facts established by the evidence is that disclosure of the information gained from WMC without disclosure of the surrounding circumstances would have been incomplete or misleading, it would be wrong to award damages on the basis that Jubilee had failed to comply with its obligations in that way.

572    In the same case, McLure JA said (at [161] – [162]):

161    The ‘information’ must also include all matters of fact, opinion and intention that are necessary in order to prevent the disclosing company otherwise engaging in conduct that is misleading or deceptive or is likely to mislead or deceive which was prohibited by s 995(2) of the Corporations Law.

162     The respondent would narrowly confine the “information” by taking it out of its broader factual and commercial/corporate context then gauge whether that information has the deemed material effect on the price of the companies securities by reference to the common investor who assesses the information in the context of publicly available information. That in my view is inconsistent with the purpose of the disclosure regime which is a fully informed market. Where share price sensitivity depends upon the company having an expert assessment of core information and business decisions are made based on that expert assessment, the disclosure of only the core information (conveying an imputation that it is, in the company’s assessment, likely to have a material effect on the share price) may be misleading. The disclosure regime does not countenance disclosure of incomplete information just because that information alone would influence persons who commonly invest to buy or sell shares.

573    These principles resonate equally in relation to considering the materiality of information.

574    The Bank contends that the pleaded forms of the Information are incomplete or ambiguous in many respects. The Bank says that this is “no accident”. According to the Bank, it is the means by which the applicants are able to assert that the pleaded forms of the Information are material. While the applicants rely on the speculation that would be engaged in by investors who receive this information, and the fact that investors make decisions under circumstances of uncertainty (a matter to which I will return), the Bank argues that those matters do not “render the forms of information pleaded by the Applicants permissible”. To the contrary, the Bank submits that the pleaded forms of information in the present case are “likely to undermine the purpose of the continuous disclosure regime, rather than promote it”.

575    In oral closing submissions, the applicants submitted that Jubilee Mines is distinguishable from the present case. They sought to confine the remarks made by Martin CJ and McLure JA to the misleading omission of information that “negated” or “nullified” the information which, it was said, should have been disclosed to the market. I am not persuaded that the remarks in Jubilee Mines can be confined in this way. The applicants submitted, further, that, in this matter, the pleaded forms of the Information were “factually true”. They asked: “… how could disclosing … something that is true, not generally available and known to CBA either actually or constructively, be information that misleads the market? Known, factually true information can’t be misleading”. This submission, however, fails to recognise that information that is literally true may nevertheless be substantively misleading if important matters of context are not taken into account when considering the import of that information.

576    I now turn to consider the detail of the Bank’s submissions regarding the completeness and accuracy of the pleaded forms of the Information.

The Late TTR Information

577    The Bank submits that there are a number of matters affecting all pleaded forms of the Late TTR Information which, if not also disclosed, would “paint an entirely inaccurate and incomplete picture of the state of affairs”, and make the disclosure of the Late TTR Information misleading and deceptive.

578    First, the Bank submits that the integer that the Late TTRs represented between approximately 80% and 95% of threshold transactions that occurred through the Bank’s IDMs (in the relevant period) leaves out contextual information that the Late TTRs represented only between 1.08% and 2.3% of the total TTRs lodged by the Bank, and only between 0.0002% and 0.0007% of the total transactions monitored by the Bank, during the relevant period.

579    Secondly, the Bank submits that the integer that the Late TTRs had a total value of some hundreds of millions of dollars (given in respect of each pleaded period) leaves out the fact that the Bank monitors transactions worth between $200 billion and $300 billion per day.

580    Thirdly, the Bank submits that it would be misleading to say that the error which caused the Late TTRs not to be lodged on time was a “systems” error when, more precisely, the late lodgement of the TTRs was through a single coding error.

581    Fourthly, the Bank submits that it would misrepresent the position to say with respect to the June 2014 Late TTR Information and August 2015 Late TTR Information that the cause of the Late TTRs had not been rectified, and not to say with respect to the September 2015 Late TTR Information that the cause of the Late TTRs had been rectified.

582    Fifthly, the Bank submits that it would be misleading not to say that, while certain TTRs had not been lodged with the AUSTRAC CEO in time, the Bank’s transaction monitoring program continued to operate in other respects. This means, according to the Bank, that the transactions for which the TTRs were not lodged were not unmonitored during this period.

583    Sixthly, the Bank submits that, most significantly, the Late TTR Information omits any reference to the course of dealing between the Bank and AUSTRAC on this issue, and hence AUSTRAC’s attitude towards that issue.

584    Proceeding on the basis that investors must be put in a position that allows them the opportunity to assess the value of disclosed information for the purpose of making an investment decision, I am persuaded that the Late TTR Information, in all its pleaded forms, is incomplete in a number of important respects and omits a number of important contextual matters. I am persuaded that had the Bank disclosed that information in its various pleaded forms to the ASX without more information, a misleading picture would have been presented to the market. I am not persuaded, therefore, that the Bank was obliged to disclose, and should have disclosed, the Late TTR Information in any of its pleaded forms.

585    I accept that if the proportion of late TTRs in the pleaded periods (expressed as a percentage of all the threshold transactions that occurred through the Bank’s IDMs in those periods) is relevant to making an investment decision, then it is equally relevant, and important, for investors to know the relationship of this proportion to the total number of TTRs that the Bank did, in fact, lodge in that period. Without this information, the Late TTR Information would likely lead ordinary and reasonable investors into thinking, mistakenly, that threshold transaction monitoring relates only to IDMs or that IDMs are the principal source for monitoring threshold transactions when, in fact, neither proposition is true. By way of example, an article published in The Australian newspaper on 3 August 2017 (see [875] – [876] below) erroneously reported that “(t)he total number of late reports accounted for 95 percent of all notifiable transactions between 2012, when the bank launched its new “intelligent” ATMs, and September 2015, but were not reported to Austrac until that final month”. As I have noted, in the relevant period, the Late TTRs represented only between 1.08% and 2.3% of the total TTRs lodged by the Bank: see para 40B(e) of the defence. Without such information, the scale of the problem presented by the late TTR issue cannot be seen in the context of the Bank’s overall extensive threshold transaction monitoring activities.

586    The Bank submits:

360.     It is from one perspective understandable why the Applicants have sought to focus on only the proportion of TTRs through IDMs that the late TTRs made up. By so doing, they artificially inflate the significance of the late TTRs to CBA’s business operations, and to its compliance systems as a whole. But there is no principled basis that would support such an approach. It stands to reason that an investor would wish to place the late TTRs within the broad scope of CBA’s business. It is, after all, a part of that broad business into which an investor was buying when they purchased CBA shares. Yet, on the Applicants’ approach they would not only be denied such information, but instead pointed to other information that inflated the numerical significance of the late TTRs. This could only mislead as to the significance of that information.

587    I accept that submission.

588    I also accept that if it is relevant to making an investment decision that the cause of the late TTRs was a systems error, it is equally important for investors to know that the error was a single coding error, not multiple errors permeating the Bank’s systems and affecting more generally its ability to monitor transactions: see paras 40, 40A, and 40B of the defence.

589    In addition, the applicants’ case that the June 2014 Late TTR Information and the August 2015 Late TTR Information would include an important statement that the problem which caused the late TTRs had not been rectified is, with respect, incongruous. It posits a case on constructive awareness of the pleaded information that is at odds with the fact that, when it discovered the late TTR issue, the Bank promptly fixed the coding error and lodged the outstanding TTRs.

590    On the evidence before me, it is inconceivable that, knowing of the late TTR issue, the Bank would do nothing about it and, as part of an obligation of public disclosure, simply state to the market that there was an issue in relation to the late lodgement of TTRs and that the cause of that issue had not been rectified. In short, the applicants’ case on constructive awareness contemplates the disclosure of information that, in the practical world of actual awareness, would simply not have been disclosed because, contrary to the June Late TTR Information and the August 2015 Late TTR Information, the cause of the Late TTRs would, in all likelihood, have been rectified and investors would have been told of that fact.

591    With respect to the September 2015 Late TTR Information, I also accept that it would be misleading to omit any reference to: (a) the cause of the late TTRs having been rectified; and (b) the fact that the late TTRs had been lodged. The omission of these facts is important. Without that information, investors would likely be left with the wholly false impression that the problem had not been rectified and was ongoing, with no apparent solution in sight for past and present TTR reporting in respect of deposits made through the Bank’s IDMs.

592    The significance of this omission is highlighted by the applicants’ own expert, Mr Johnston, who gave this evidence in cross-examination about the position of a person tasked with deciding whether to release the September 2015 Late TTR Information:

MR JOHNSTON: There is no statement that it has been rectified. There is no statement that it – late TTRs are still being – upon this statement late TTRs might still be occurring, if that’s the right word, as at the date of the statement. I don’t – if I were advising CBA, if I were in an ECM person sitting with CBA I would be very worried that we were announcing to the market that we were – had been committing and we couldn’t say we had stopped committing serious crimes.

MR HUTLEY: Well, I see. So you would say the market would infer from this that we are continuing or we may well be, that is, the Commonwealth Bank, may well be continuing to fail to give TTRs; is that right?

MR JOHNSTON: Yes, that would be my concern, because in my experience investors are – investors get a bad wrap sometimes, but investors are seriously intelligent people who think seriously about protecting their own worth – their own wealth, and they are very mindful of the risk of companies putting the glossy side. So when they put out a statement like that, one of the many natural and sometimes perhaps cynical responses from investors is, they would say that, wouldn’t they? What they are not saying is we’ve stopped this. What they are not saying is I should stop worrying. So yes, in my opinion this statement would concern investors because there is no clear statement that the failings have ceased.

593    Finally, I accept that a significant omission from the September 2015 Late TTR Information (as it applies to the Bank’s “awareness” pleaded as at 24 April 2017) is any reference to AUSTRAC’s then known position as to the Bank’s failure and whether, and if so what, action it proposed to take on account of that failure.

594    As at 24 April 2017, there had been discussions between the Bank and AUSTRAC. AUSTRAC had told the Bank that it had a number of options at its disposal should it decide to take enforcement action because of the Bank’s AML/CTF non-compliance. AUSTRAC had told the Bank that it had not made a decision as to whether it would take enforcement action against the Bank or as to the form of any such action. Further, AUSTRAC had informed the Bank that it would provide it with notice before taking any such action. This was in the context of the Bank having informed AUSTRAC of the late TTR issue on 8 September 2015 (after being prompted by a request from AUSTRAC to locate TTRs relating to “two ATM deposits), some 19 months earlier.

595    Armed with the September 2015 Late TTR Information, and nothing more, the reasonable investor would be prompted to ask: Why am I being told this? What is the significance, and what are the consequences for the Bank, of not lodging the Late TTRs on time? In this scenario, the regulator’s then known attitude to the problem is highly significant information for investor decision-making. And, as to this, I do not think that the reasonable investor is concerned with mere theoretical possibilities. The reasonable investor wants meaningful information on the significance and consequences of what he or she is being told in order to make an informed and rational decision on whether to acquire or dispose of securities.

The Account Monitoring Failure Information

596    The Bank submits that disclosure of the Account Monitoring Failure Information, as pleaded, would leave unsaid “a vast amount of relevant information necessary to properly understand the matters disclosed” and that such omission “would have painted a misleading picture”.

597    In this connection, the Bank contends, firstly, that disclosure of the Account Monitoring Failure Information “would convey to an investor that in the period from October 2012 until the disclosure was made, all account monitoring had failed to operate in respect of all of the identified accounts at all times”.

598    The Bank points out that this is inaccurate because “it was not the case that throughout the entirety of [the] period from October 2012 [the Bank] had failed to conduct account level monitoring on between 676,000 and 778,370 accounts”. The evidence is that, because of the account level monitoring failure issue, account monitoring in respect of certain accounts did not operate for varying lengths of time over the pleaded period. I refer, in that regard, to the table set out at [495] above which records the numbers of affected accounts and the lengths of time for which those accounts were affected by this issue.

599    The Bank also points out that, within the period covered by the Account Monitoring Failure Information, a large number of accounts (195,000 accounts, representing 25% of the affected accounts) were, in fact, inactive. Further, the Bank submits that it is not the case that all monitoring did not operate for the affected accounts.

600    Still further, the Bank submits that the Account Monitoring Failure Information does not disclose that only a subset of accounts were affected, being accounts held by Bank employees or persons related to such employees. The Bank argues that this is an important matter because it makes clear that this was a “connected issue”. The failure to disclose this information would create the misleading impression that “all accounts were potentially affected, or a random selection of accounts were affected, rather than there being a common cause for the error”.

601    Finally, the Bank submits that, most significantly, the Account Monitoring Failure Information omits any reference to the course of dealing between the Bank and AUSTRAC on this issue, and hence AUSTRAC’s attitude towards that issue.

602    I am not persuaded that the Bank was obliged to disclose, and should have disclosed, the Account Monitoring Failure Information in any of its pleaded forms.

603    I am satisfied that the Account Monitoring Failure Information, as pleaded, conveys the misleading impression that, throughout the entirety of each pleaded period, the Bank failed to monitor the stipulated number of accounts. This is factually incorrect, for the reason I have explained at [499] above: the account monitoring failure was intermittent for periods that varied between one day and 36 months.

604    To compound the problem, the June 2014 Account Monitoring Failure Information stipulates a figure for the affected accounts (676,000 accounts) that is derived only from the applicants’ assumptions and calculations. This figure has not been shown to have any basis in fact. Indeed, the calculated figure appears to have been calculated in reliance on the very error that permeates the Account Monitoring Failure Information to which I just referred—that there was a static number of affected accounts that were not monitored for the entirety of each pleaded period.

605    These inaccuracies are reason enough to conclude that it would not have been appropriate for the Bank to disclose the Account Monitoring Failure Information as pleaded.

606    I am also persuaded, however, that the Account Monitoring Failure Information is incomplete in a number of respects. If the fact that the Bank failed to conduct account level monitoring in respect of a numerically large number of accounts is relevant to making an investment decision, then it is equally relevant, and important, for investors to know: (a) the context in which that occurred (it was a specific subset of accounts related to a single error); (b) the extent of the problem (a large number of the accounts were, in fact, inactive at the time and some were only affected for a short period of time); and (c) the implications that the problem had for the Bank’s overall monitoring activities (it did not mean that there was a complete absence of monitoring transactions in respect of those accounts). I accept that the absence of this information also means that the Account Monitoring Failure Information paints a misleading picture.

The IDM ML/TF Risk Assessment Non-Compliance Information

607    The Bank submits that disclosure of the IDM ML/TF Risk Assessment Non-Compliance Information would, similarly, have involved the disclosure of information that was misleading or otherwise incomplete.

608    The Bank submits, firstly, that this information leaves out the fact that the Bank had carried out a risk assessment in relation to ATMs generally in 2011, prior to rolling out its IDMs. As the Bank considered that IDMs were an enhancement of its ATM functionality, it held the view (erroneously, as it turns out) that it had been compliant with its AML/CTF Program.

609    Secondly, the Bank submits that the IDM ML/TF Risk Assessment Non-Compliance Information does not inform the reasonable investor of any effect of the failure to carry out a risk assessment prior to the roll out of the IDMs, or between May 2012 and July 2015.

610    In this regard, the Bank points to the fact that, at the time of the roll out: (a) the business requirements document for the IDMs addressed the Bank’s AML/CTF obligations in respect of threshold transaction and other monitoring, which were considered to be mandatory requirements as part of the IDM roll out project; (b) TTR reporting functionality was built and linked to IDMs; and (c) IDM deposits were linked to automated transaction monitoring rules that targeted certain practices.

611    The Bank also points to the fact that, when a separate risk assessment was carried out on IDMs in July 2015, transaction monitoring was in place and, based on its performance as at 28 July 2015, was considered to be “working well”. No further controls were envisaged as necessary at that time.

612    The Bank submits that these are not “trifling matters” but matters of context that “help understand the severity of the contravention and its consequences”. Absent the provision of this information, the IDM ML/TF Risk Assessment Non-Compliance Information gives a “misleading appearance” to the nature of the contravention involved.

613    Finally, the Bank raises, again, the absence in the IDM ML/TF Risk Assessment Non-Compliance Information of any mention of AUSTRAC’s attitude to the Bank’s failure in this regard. The Bank relies on the fact that, on being informed in October 2015 of the Bank’s view that IDMs were an enhancement of existing ATM functionality and that it had relied on the ML/TF risk assessment it had conducted on ATMs as a channel, AUSTRAC did not raise any issue in respect of that response at that time.

614    I am not persuaded that the Bank was obliged to disclose, and should have disclosed, the IDM ML/TF Risk Assessment Non-Compliance Information in any of its pleaded forms. I accept that the information that would be so conveyed is materially incomplete and, for that reason, misleading. If the fact that the Bank’s failure to carry out a formal and separate risk assessment in respect of its IDMs before their roll out in May 2012, or in the period May 2012 to July 2015, is relevant to making an investment decision, then it is equally relevant, and important, for investors to know the consequences of that failurenamely, that there were no known consequences.

615    The IDM ML/TF Risk Assessment Non-Compliance Information is conspicuously silent on this matter. In these proceedings, there is no evidence before me that the Bank’s failure to carry out a formal and separate risk assessment of IDMs before July 2015 had any direct consequences. The applicants certainly do not point to any consequences, apart from the simple fact that the Bank had not complied with its AML/CTF Program.

616    The late TTR issue, for example, cannot be attributed to the failure to carry out a risk assessment. The late TTR issue was caused by a coding error, in circumstances where the Bank understood (as expressed through its business requirements document for IDMs) that threshold transaction and other monitoring were mandatory requirements of the IDM roll out project and transaction monitoring rules were in place.

617    Without making clear that there were no known consequence of failing to carry out a formal and separate risk assessment on IDMs before their roll out in May 2012, or in the period May 2012 to July 2015, the IDM ML/TF Risk Assessment Non-Compliance Information is incomplete and liable to mislead investors as to the significance of that information for the purposes of their decision-making in relation to acquiring or disposing of CBA shares.

The Potential Penalty Information

618    The Bank submits that the Potential Penalty Information would have been “misleading or otherwise incomplete” if it had been disclosed to the ASX. The Bank submits that it is, therefore, “not a form of information that CBA could have been required to disclose under the continuous disclosure regime”.

619    The Bank also submits that the Potential Penalty Information is couched in “vague or imprecise terms. It points, in particular, to the statement that the Bank was “potentially” exposed to enforcement action by AUSTRAC that “might” result in the Bank being ordered to pay a substantial pecuniary penalty.

620    The Bank contends that “(i)t is difficult to imagine a more vague or imprecise announcement than the Potential Penalty Information”. It illustrates this submission in the following way:

… Such a disclosure would raise a panoply of questions. In what circumstance would the potential action come to fruition? What is the likelihood of AUSTRAC taking action, and when will AUSTRAC make a decision? What is the form of the proposed enforcement action? In respect of what? In what circumstances “might” there be a civil penalty imposed? What is the likely quantum of any penalty that might be imposed? All of these matters make clear that this is not a form of announcement that could have been approved for release by the ASX. …

621    The Bank makes other criticisms of the Potential Penalty Information.

622    First, the Bank submits that the Potential Penalty Information is incomplete because, throughout the relevant period, there were detailed dealings between the Bank and AUSTRAC on the question of the Bank’s non-compliance (particularly in relation to the late TTR issue), during which AUSTRAC consistently maintained that it had not made a decision whether to take enforcement action against the Bank or the form that any enforcement action might take. AUSTRAC also said that it would provide the Bank with notice before taking any such action. The Bank submits that the omission of these matters from the Potential Penalty Information “renders that information both incomplete and misleading”.

623    Secondly, the Bank points to the fact that the Potential Penalty Information is silent on what were the allegations of “serious and systemic non-compliance with the AML/CTF Act”. The Bank submits that identification of the matters of non-compliance, what caused the non-compliance, and what steps have been taken in relation to remedying the non-compliance, are all matters that would be “essential to investors understanding the import of the information disclosed”.

624    Thirdly, the Bank submits that the term “systemic” is “inherently ambiguous” and “capable of conveying a meaning that an entire system is flawed”. The Bank contends that it is “incorrect” to characterise the late TTR issue, the account monitoring failure issue, and the IDM ML/TF risk assessment non-compliance issue, as non-compliance affecting the entirety of the Bank’s systems. Each was the product of an individual mistake that did not affect the Bank’s transaction monitoring system as a whole.

625    Finally, the Bank contends that the Potential Penalty Information is misleading because it focuses only on the prospect of a civil penalty being imposed on the Bank, without reference to the other options available to AUSTRAC throughout the relevant period. The Bank submits that this particular focus of the Potential Penalty Information would, if disclosed, present investors with the misleading picture that a civil penalty against the Bank was “the only outcome that was possible” when that was not the case, and certainly not the position that AUSTRAC was taking with the Bank up to 3 August 2017.

626    I am not persuaded that the Bank was obliged to disclose, and should have disclosed, the Potential Penalty Information in any of its pleaded forms.

627    Taken by itself, I accept that the Potential Penalty Information is vague and imprecise in the ways that the Bank contends. Because it is expressed in such high level, contingent, and inconclusive language, I accept that, if it were to be disclosed, the Potential Penalty Information would likely raise the kinds of questions that the Bank rehearses in its submissions.

628    Further, I accept that the Potential Penalty Information’s deployment of the statement “allegations of serious and systemic non-compliance with the AML/CTF Act” begs the question: what non-compliance? This is another example of the vague and imprecise nature of the Potential Penalty Information.

629    For these reasons, I consider that the Potential Penalty Information, taken by itself, would more likely confuse, rather than inform, investors.

630    However, as I have noted, the applicants’ “awareness” case in respect of the Potential Penalty Information is, as a matter of pleading, anchored on the Bank’s alleged “awareness” of the various pleaded forms of the Late TTR Information and the Account Monitoring Failure Information (recognising that the IDM ML/TF Risk Assessment Non-Compliance Information is not alleged to have been “systemic” non-compliance). So understood, the Potential Penalty Information suffers the inaccuracies and deficiencies of those pleaded forms of the Information.

Conclusion

631    I am satisfied that there are a number of deficiencies in the expression of the Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information. Those deficiencies are such that I am not satisfied that r 3.1 of the ASX Listing Rules required the Bank to disclose that information in that form to the ASX.

The rule 3.1A exception

Legal Principles

632    Rule 3.1A of the ASX Listing Rules provides:

3.1A     Listing rule 3.1 does not apply to particular information while each of the following is satisfied in relation to the information:

3.1A.1     One or more of the following 5 situations applies:

    It would be a breach of a law to disclose the information;

    The information concerns an incomplete proposal or negotiation;

    The information comprises matters of supposition or is insufficiently definite to warrant disclosure;

    The information is generated for the internal management purposes of the entity; or

    The information is a trade secret; and

3.1A.2     The information is confidential and ASX has not formed the view that the information has ceased to be confidential; and

3.1A.3     A reasonable person would not expect the information to be disclosed.

633    As I have previously noted, the requirements of r 3.1A are cumulative.

The Bank’s submissions

634    Regardless of the conclusion I have expressed at [631] above, the Bank contends that r 3.1A of the ASX Listing Rules exempted it from disclosing Late TTR Information, the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, and the Potential Penalty Information, in any event.

635    The Bank’s submissions proceed from a consideration of the Potential Penalty Information which, it says, “most neatly” illustrates the applicability of r 3.1A. The Bank submits that the Potential Penalty Information is inherently uncertain and involves matters of supposition. The Bank points to the contingent language in which the information is expressed—namely, there is the “potential” for regulatory action that “might” result in the imposition of a “substantial” penalty. The Bank submits that the Potential Penalty Information provides no guidance on these matters. It submits that the disclosure of the information would carry with it “the real capacity to misinform the market”.

636    The next step in the Bank’s reasoning is that the Late TTR Information, the Account Monitoring Failure Information, and the IDM ML/TF Risk Assessment Non-Compliance Information “have no stand-alone financial effect on the Bank. This contention concerns the materiality of these pleaded forms of the Information—a subject that is considered in a later section of these reasons. According to the Bank, these pleaded forms of the Information could only attain “financial significance” when viewed in the context of the features of the Potential Penalty Information. Therefore, the disclosure of each of these pleaded forms of the Information would also require disclosure of the Potential Penalty Information, with the consequence that the r 3.1A exception would apply to each of these pleaded forms of the Information in the same way it applies to the Potential Penalty Information.

637    The last step in the Bank’s reasoning is that each pleaded form of the Information is “internal operational information generated for the purposes of CBA’s internal management”, which is “not for public consumption” (i.e., according to the Bank, each pleaded form of the Information is confidential).

638    In this connection, the Bank points to the June 2014 Late TTR Information and the August 2015 Late TTR Information which, in terms, discloses an “unremediated compliance issue”. The Bank submits that to publish this information would “raise a real risk of signalling that there was an opportunity that could be exploited to launder money”.

Analysis

639    I am not satisfied that the r 3.1A exception applies to any of the pleaded forms of the Information. This is because, at the threshold, I am not satisfied that any of those forms was information that was confidential within the meaning of r 3.1A.2. Absent satisfaction on that matter, r 3.1A cannot apply.

640    The word “confidential” is not defined in Ch 19 of the ASX Listing Rules. However, Guidance Note 8 says that “confidential” in r 3.1A.2 means “secret”. Section 5.8 of the Guidance Note goes on to explain:

… Thus, information will be confidential for the purposes of that rule if:

    it is known to only a limited number of people;

    the people who know the information understand that it is to be treated in confidence and only to be used for permitted purposes; and

    those people abide by that understanding.

Whether information has the quality of being confidential is a question of fact, not one of the intention or desire of the entity. Accordingly, even though an entity may consider information to be confidential and its disclosure to be a breach of confidence, if it is in fact disclosed by those who know it, then it is no longer a secret and it ceases to be confidential information for the purposes of this rule.

(Footnote omitted.)

641    The applicants submit that the Bank has not attempted to identify or prove what is confidential about any of the pleaded forms of the Information.

642    The Bank submits that this submission should be “rejected out of hand” because it is obvious that the information was not generally available. The Bank also submits that it cannot be sensibly contended that the information was not confidential in circumstances where it concerns matters that were internal to the Bank.

643    I am not persuaded by the Bank’s submission. The fact that the pleaded forms of the Information (a) were not generally available, or (b) involved matters that were internal to the Bank, does not mean that, in the relevant period, the information was confidential.

644    It may be accepted (as a general proposition) that information that is, in fact, confidential is information that is also not generally available. However, the converse is not true. There may be many aspects of the Bank’s day-to-day business that are not generally available, but it does not follow that those aspects translate into information that is confidential.

645    Further, information that is generated for the internal management purposes of an entity (see r 3.1A.1) is not necessarily confidential information for the purposes of the exclusion. If it were confidential, r 3.1A.2 would be otiose.

646    Apart from these considerations, there is nothing in the nature or expression of the pleaded forms of the Information that persuades me that, in the relevant period, any of it was confidential. It may not have been information that the Bank would wish to disclose or have disclosed, but these considerations do not mean that, in the relevant period, the information was confidential. The Bank’s submissions about the problem of disclosing the June 2014 Late TTR Information and the August 2015 Late TTR Information (namely, that disclosure of an unremediated compliance issue would signal an opportunity to launder money) certainly indicates an arguable reason why it might be undesirable to disclose those particular forms of the Information. But undesirability of disclosure does not bespeak confidentiality.

647    Having reached the conclusion that r 3.1A.2 has not been satisfied, it is not necessary for me to address the other requirements of r 3.1A. I should record, however, that I do not accept the Bank’s analysis in any event.

648    In this connection, I accept (for the reasons given in the preceding section) that the Potential Penalty Information is vague, imprecise, and incomplete. For the purposes of r 3.1A.1, I would also accept that the Potential Penalty Information comprises matters of supposition or is insufficiently definite to warrant disclosure. But I do not accept that consideration of the Late TTR Information, or the Account Monitoring Failure Information, or the IDM ML/TF Risk Assessment Non-Compliance Information for the purposes of r 3.1A entails, in each case, consideration also of the Potential Penalty Information. Whilst, as a matter of pleading, the applicants’ “awareness” case in respect of the Potential Penalty Information is anchored on the Bank’s alleged “awareness” of other pleaded forms of the Information, the converse is not true: the Late TTR Information, the Account Monitoring Failure Information, and the IDM ML/TF Risk Assessment Non-Compliance Information are not anchored on the Potential Penalty Information. The Bank only reaches its position because it contends that each category of that Information has “no stand-alone financial effect on CBA”.

649    As I have noted, this contention concerns the materiality of these pleaded forms of the Information. While the question of materiality is central to the operation of r 3.1, r 3.1A provides an exception to r 3.1 with respect to the disclosure of “particular information” that meets all the requirements of the latter rule. The “materiality” of the “particular information” is not one of the requirements. Therefore, for the purpose of determining whether r 3.1A applies, each pleaded form of the Late TTR Information, the Account Monitoring Failure Information, and the IDM ML/TF Risk Assessment Non-Compliance Information must be considered in its own right.

Materiality

Introduction

650    Even though I am satisfied that the Bank was “aware” of: (a) the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information as at 26 October 2015; and (b) the September 2015 Late TTR Information and the September 2015 Account Monitoring Failure Information, and the Potential Penalty Information to the extent that it is dependent on the Bank’s awareness of those pleaded forms of the Information as at 24 April 2017, the conclusion I have expressed at [631] above means that the applicants’ continuous disclosure case fails before one even considers the materiality of that information.

651    Mindful of this consequence for the applicants’ case on liability, I will, nevertheless, proceed to consider the applicants’ case on materiality.

Legal principles

652    As I have noted, s 674(2) of the Corporations Act (as it applies in this case) requires a disclosing entity (such as the Bank) to disclose to the market operator (here, ASX) information that a reasonable person would expect to have a material effect on the price or value of the entity’s ED securities. This is the requirement of “materiality”. Section 677 provides that a reasonable person will have that expectation where the information would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of the entity’s ED securities.

653    In Babcock & Brown at [96], the Full Court explored the meaning of “material effect” as it is used in s 674(2)(c)(ii):

96     What is meant by “material effect” in s 674(2)(c)(ii)? As stated earlier, s 677 illuminates this concept and also identifies the genus of the class of “persons who commonly invest in securities”. It refers to the concept of whether “the information would, or would be likely to, influence [such] persons … in deciding whether to acquire or dispose of” the relevant shares. The concept of “materiality” in terms of its capacity to influence a person whether to acquire or dispose of shares must refer to information which is non-trivial at least. It is insufficient that the information “may” or “might” influence a decision: it is “would” or “would be likely” that is required to be shown: TSC Industries Inc v Northway Inc (1976) 426 US 438. Materiality may also then depend upon a balancing of both the indicated probability that the event will occur and the anticipated magnitude of the event on the company’s affairs (Basic Inc v Levinson (1988) 485 US 224 at 238 and 239; see also [TSC v] Northway). Finally, the accounting treatment of “materiality” may not be irrelevant if the information is of a financial nature that ought to be disclosed in the company’s accounts. But accounting materiality does have a different, albeit not completely unrelated, focus. ...

654    The Full Court also discussed the meaning of “persons who commonly invest in securities”, as used in s 677. Their Honours noted (at [98]) that the expression is not defined and does not use the language of small or large, sophisticated or unsophisticated, retail or wholesale investor. Their Honours also noted (at [99]) that “securities” in s 677 is not confined to listed securities, securities of the same type or class of the ED securities in question, or of the same sector as the entity that has issued the ED securities. At [100], their Honours said that the investors addressed by s 677 are not limited to those who commonly invest in securities of a kind whose price or value might be affected by the information in question.

655    At [115] – [116], their Honours addressed the meaning of “commonly invest”:

115     We are of the view that the expression “persons who commonly invest in securities” is a class description. First, the plural “persons” is used in contradistinction to the singular “a reasonable person” in s 677. Secondly, to treat this as a class description avoids distinctions dealing with large or small, frequent or infrequent, sophisticated or unsophisticated individual investors. Such idiosyncratic distinctions are made irrelevant if one is looking at a class of investors. There is no reason to confine “likely to influence persons … ” to the sophisticated. The unsophisticated also need protection. Likewise the small investor and likewise the infrequent investor. But not the irrational investor. Thirdly, in the context of s 676, the question is whether the information has been made known to the relevant class, albeit that the class may be narrower than for s 677. We accept that the phrase does not use the express language of “class”, but in using the plural “persons”, the legislature appears to be generalising to a group description.

116     The word “commonly” in s 677 has been employed to underline that the objective question of materiality posed by ss 674 and 675 by reference to the hypothetical reasonable person in turn has regard to what information would or would be likely to influence a hypothetical class of persons namely “persons who commonly invest in securities”.

656    In relation to these observations, the applicants submit:

A market necessarily involves a range of different persons taking a range of views on available information having regard to their own risk appetites and desired returns. Where a range of views are open, it is only at the point where it would be irrational (using the Full Court’s language) to take that view, that the Court can properly exclude that view from consideration. In that sense, the fact that the various experts in this case expressed competing views as to the relative materiality of items of information does not detract from the applicants’ case. …

657    This submission needs to be treated with some caution. Whilst it can be accepted that investors in securities may have a range of views on available information having regard to their own risk appetites and desired returns, the Full Court in Babcock & Brown emphasised that s 677 is directed to a class description, and a hypothetical class at that. The general approach in Australian law to assessing the influence or effect of conduct directed to a class of persons is to consider only the influence or effect of the conduct on ordinary and reasonable members of the class. The applicants’ submission should be qualified to this extent.

658    This approach was most recently described in Self Care IP Holdings Pty Ltd v Allergan Australia Pty Ltd [2023] HCA 8; 408 ALR 195 at [83] in language that is redolent of the Full Court’s observations in Babcock & Brown quoted above:

83     ... It is necessary to isolate an ordinary and reasonable “representative member” (or members) of that class, to objectively attribute characteristics and knowledge to that hypothetical person (or persons), and to consider the effect or likely effect of the conduct on their state of mind. This hypothetical construct “avoids using the very ignorant or the very knowledgeable to assess effect or likely effect; it also avoids using those credited with habitual caution or exceptional carelessness; it also avoids considering the assumptions of persons which are extreme or fanciful”. The construct allows for a range of reasonable reactions to the conduct by the ordinary and reasonable member (or members) of the class.

    (Footnotes omitted.) (Emphasis added.)

659    The applicants’ contention should also be qualified to the extent that the investing behaviour with which s 677 is concerned is not that of “speculators and day traders who seek to profit on the back of rumour or momentum rather than company fundamentals”: Australian Securities and Investments Commission v Vocation Limited (in liquidation) [2019] FCA 807; 136 ACSR 339 (Vocation) at [553].

660    The test under s 674 is also an objective and hypothetical one: James Hardie at [349]; National Australia Bank Ltd v Pathway Investments Pty Ltd [2012] VSCA 168; 265 FLR 247 (Pathway Investments) at [88]. As the Court of Appeal explained in James Hardie at [454], it is for that reason that the views of an entity’s senior management or its directors cannot determine whether disclosure of any given information is required. Nevertheless, those views—for example, if there was particular information that informed the decision-making of management—might be relevant in reaching the objective determination that is required.

661    It is, however, for the Court to reach a determination on the question of materiality after an evaluation of the whole of the evidence available on that question: James Hardie at [527], Pathway Investments at [87] [88]. The whole of the evidence can include the opinions of experts (Australian Securities and Investments Commission v Big Star Energy Limited (No 3) [2020] FCA 1442; 389 ALR 17 at [240]) as well as those of investors in the securities concerned (Pathway Investments at [90]). The Court can also draw inferences about the materiality of information from the nature of the information itself.

662    The determination of materiality is an ex ante question. Even so, it has been held that evidence of the actual effect of the information actually disclosed on the entity’s share price may be relevant to assist the Court in its determination: Australian Securities and Investments Commission v Fortescue Metals Group Ltd (No 5) [2009] FCA 1586; 264 ALR 201 at [477].

663    In assessing materiality, it is not permissible to divorce the information from its context: Jubilee Mines at [88] and [161] – [162]. In Cruickshank at [124], the Full Court approved the following observation by Nicholas J in Vocation at [566] in relation to the approach to be taken in determining the materiality of given information:

566     Properly understood, Jubilee is authority for the proposition that information that is alleged by a plaintiff to be material, may need to be considered in its broader context for the purpose of determining whether it satisfies the relevant statutory test of materiality. For that reason it will often be necessary to consider whether there is additional information beyond what is alleged not to have been disclosed and what impact it would have on the assessment of the information that the plaintiff alleges should have been disclosed. The judgment of the Court of Appeal in James Hardie is authority for the same general proposition.

664    Finally, I accept the Bank’s submission that the test of materiality focuses on matters that affect the financial performance of a company. In this connection, the Bank emphasises, and I accept, that, while the seriousness of a contravention of the AML/CTF Act would “quite rightly be the focus of any regulatory inquiry”, it does not automatically follow that the contravention is “financially significant”.

Investor decision-making

665    In closing submissions, the applicants drew attention to the nature of investor decision-making and its importance when considering the question of materiality.

The evidence of Professor da Silva Rosa

666    Professor da Silva Rosa discussed the role of information in influencing investors’ decisions. With reference to the academic literature, he explained that investors’ decisions to acquire or dispose of securities are based, largely, on their estimates of the securities’ expected cash flows, their estimates of the securities’ level of risk, and their own level of risk aversion. Therefore, the price of a security is a function of expected cash flows discounted at a rate that reflects perceived risk in the time value of money and investors’ aversion to risk (their appetite for accepting risk). It follows that the price of a share is influenced by changes in expected cash flows, in the discount rate, and in investors’ risk aversion.

667    If perceived risk and risk aversion remain unchanged, an increase (decrease) in expected cash flow will cause security prices to increase (decrease). Investors usually prefer less risk over more risk. So, if expected cash flows and risk aversion are unchanged, an increase (decrease) in risk will cause security prices to decrease (increase).

668    Information relevant to investors—“value-relevant information”—is news that leads them to revise their estimates of expected cash flows and/or the discount rate. Each is a channel of influence.

669    Professor da Silva Rosa said that shareholders generally invest in financial institutions with the expectation of earning more than the risk-free rate of return. Therefore, from the shareholders’ perspective, the optimal level of risk for a financial institution is not zero.

670    Professor da Silva Rosa explained that there are two broad kinds of risk: economic risk and operational risk. Economic risk refers to the probability of adverse outcomes outside the control of the firm. Operational risk refers to the probability of adverse outcomes potentially within the control of management, such as a failure to comply with regulation.

671    He said that, generally, equity investors consider a company’s exposure to operational risk in their assessment of the value of its shares. Information relevant to updating their estimates of operational risk is influential in their decisions to acquire or dispose of shares in the company.

672    Professor da Silva Rosa referred to literature which reported that the most important type of operational loss events for both banks and insurers are those involving “clients, products, and business practices”. Such events include “anti-money laundering … enforcement experience”. He referred to a 2021 study (Gowin et al) which found that the announcement of the imposition of a civil monetary penalty can trigger a loss in equity value that is substantially greater than the amount of the penalty itself. According to Professor da Silva Rosa, this implies that investors find the announcement of the imposition of a civil monetary penalty on a bank informative about the effectiveness of the Bank’s internal controls.

673    Professor da Silva Rosa said:

In my opinion, investors are about as well-placed as a firm to assess its exposure to risks outside its control because much of the relevant information, to the extent it exists, is publicly accessible. However, a firm’s capacity to manage its operational risk is far better known to its managers than to outsiders such as investors. Investors have to rely on what managers choose to tell them about the firm when estimating operational risk. Given that managers do not fully reveal all information that investors require, in my opinion, investors are more likely to evaluate economic risk more accurately than operational risk.

674    Professor da Silva Rosa said that this opinion was supported by another study (Perry and De Fontnouvelle) which found that, when a firm suffers a loss due to risks outside its control (i.e., economic loss) it loses market value on a 1 to 1 basis (a dollar decrease in market value for every dollar loss suffered). However, when a firm announces a loss as a result of operational risk surfacing, it suffers a loss of market value greater than 1 to 1 (the firm loses more than a dollar in market value for every dollar loss incurred). Professor da Silva Rosa said that the greater loss in market value usually suffered when loss occurs because of the crystallisation of operational risk, as opposed to economic risk, is due to investors upwardly revising their estimate of the firm’s operational risk in addition to the actual loss suffered.

675    With reference to a further study (Barakat et al), Professor da Silva Rosa said that investors use announcements about operational risk events to draw inferences about the effectiveness of the announcing firm’s internal control mechanisms, the behaviour of its management and employees, and ultimately the strength of the firm’s corporate governance mechanisms—which in turn affects the firm’s reputation. He said that the findings of this study that were relevant to his opinion were that: (a) investors penalise firms (i.e., offer lower prices and thereby lower market value) that are the subject of adverse media announcements regarding operational risk and the associated likelihood of litigation; (b) this negative impact is less to the extent that there is uncertainty about the bad news (i.e., investors give the firm the benefit of the doubt); and (c) third-party information (such as regulatory announcements about the operation loss event) “dissolve” the favourable impact of uncertainty.

676    Professor da Silva Rosa referred to the role of corporate governance and proper managerial incentives in mitigating operational risk. He said that investors’ concern is not the emergence of operational risks but how proactive a company is in addressing operational risks. Professor da Silva Rosa said that investors will not penalise but reward companies for proactively taking action that effectively addresses identified weaknesses in internal controls. He referred, in this regard, to a study (Ittonen) which reports that investors react positively to disclosures of internal control weaknesses when these disclosures are made by the firm without any prompting from an independent party (such as an auditor), but negatively to such disclosures when the weaknesses are identified and disclosed by the auditor.

677    Professor da Silva Rosa said that it is useful to distinguish between the circumstance where a company releases information about a weakness in its management of operational risk that it has identified as part of its normal monitoring practices, and the circumstance where a weakness in operational risk surfaces in the normal course of business and is subsequently investigated by a regulatory authority without a conclusion being reached. Professor da Silva Rosa said:

In the latter circumstance, investors are alerted to a hitherto unknown operational risk but without the assurance that the company had a sufficiently adequate program in place to identify it before it came to light in a potentially adverse way. The situation is roughly analogous to being fined for having dangerously bald tyres on a routine mandatory vehicle check as opposed to identifying the bald tyres and addressing the problem as part of a normal vehicle management care plan.

678    Professor da Silva Rosa also referred to an empirical study on the market reaction to operational risk events (Sturm) which concluded that one must account not only for the direct financial impact of an operational risk event but also for the share market losses that can arise from reputational damage, which “can be extremely costly”.

The evidence of Mr Johnston

679    Mr Johnston also discussed the types of information that might influence persons who buy and sell securities. He said that the information that might influence investors is “potentially unlimited”. It includes, however, as a minimum, information that would help investors to assess the risks and returns associated with the investment. Mr Johnston said that, in order to make an informed decision on acquiring or disposing of shares, investors need to know: (a) the rights and liabilities attached to the shares; (b) the relevant company’s assets and liabilities, financial position and performance, profits and losses and prospects; and (c) all other information that would have a material effect on the price or value of the shares, although an issuer and its advisors can only provide as much information as they know or ought reasonably know. Such information can be quantitatively material and, or alternatively, qualitatively material.

680    Mr Johnston said that quantitatively material information is information that is numerically material compared to “a relevant element of (say) the issuer’s assets or profits”. Qualitatively material information is information that “by its nature, require[s] disclosure because it was material to an investment decision once investors or their advisors assessed a company’s overall position, performance or prospects”. Mr Johnston said:

This could be the case, for example, if the information:

(a)     impacted an issuer’s ability to carry on business as in the past, or were outside its normal business course;

(b)    related to an area of significant or critical risk for the issuer’s business;

(c)    involved a significant and unexpected actual or potential liability;

(d)    had a long term effect on the issuer’s profitability or revenue although the effect in any one year may not have been quantifiable or deemed material;

(e)    inhibited the issuer’s ability to exploit and develop its market position to its full or expected potential;

(f)    had a material adverse effect on the issuer’s reputation, proposed activities, prospects or financial condition; or

(g)    might otherwise be reasonably expected to influence an investor’s decision to offer to buy shares pursuant to the relevant offer.

681    Mr Johnston said that qualitative information is less capable of “consistent, concise expression”. He said that “(o)ne common but loose description is that it would be information which could change the amount an investor would pay for a share in the relevant company”.

682    Mr Johnston also said that qualitative assessments require a context. Relevantly to the present case, he referred to AML/CTF compliance as an area of concern in light of AUSTRAC’s statements in its paper Money laundering in Australia 2011, for example:

Money laundering threatens Australia’s prosperity, undermines the integrity of our financial system and funds further criminal activity which impacts on community safety and wellbeing.

and in its paper Terrorism Financing in Australia 2014, for example:

Terrorism financing poses a serious threat to Australians and Australian interest at home and abroad.

683    In his second report, Mr Johnston discussed the role of “Market Advisors” and “Trade-Facing Advisors” who, he said, provide a proxy for the position of sophisticated investors and their advisors. He said that the position of these professional advisors can be contrasted with the position of the majority of investors who usually need much longer to become well-informed and cannot take the lead in making investment decisions based on new information.

684    Mr Johnston said:

29.    Market Advisors, Trade-Facing Advisors and their institutional and professional investor clients need to be able to give informed advice and make quick, professional trading and investment decisions. Research analysts and other advisors who are called on to provide immediate advice are in a similar position. The information available as the basis for those decisions may not be perfect or complete, but views have to be formed and decisions made, so that their decisions are professional, risk-weighted assessments of the information available at the time ...

30.    The immediacy of live markets means that Trade-Facing Advisors and their institutional and professional investor clients often need additional information immediately to help their investment advice and decision making. This additional information is usually sought from every conceivable potential source (including Market Advisors) and at a frantic pace in order to provide the fastest and broadest base for them to assess:

(a)    the probability of different risks being realised;

(b)    the impacts if those risks are realised; and

(c)    the potentially complex interaction of concurrent combinations of risks and results,

because markets will keep moving while they are trying to become better-informed, and less-well informed investors or traders are more likely to lose money.

31.    Information that is received is almost never verified (as would be expected, for example, in a prospectus) so it is subject to its own risk-weighting for credibility based on its source, the ability to be verified, its correlation with other information received and its perceived reliability. Markets will often factor in all or substantially all of the price effect of information before it is formally released as investors capitalise on their early intelligence and their assessments of credibility, probability and impact.

685    Based on this evidence, the applicants focused in closing submissions on the need of Market Advisors, Trade-Facing Advisors, and their institutional and professional investor clients to make quick professional trading and investment decisions.

686    The applicants submit:

430.     In other words, much of the decision-making involved in buying and selling shares is heuristic in its nature. That is, investors often do not have the luxury of time to dwell upon a detailed examination of the full universe of contextual matters that may have a bearing on the information disclosed to them. Instead, they will make real-time decisions based on what is known. The implication of this is significant. It means that disclosed information that might have lesser significance in other contexts may nonetheless influence investor decisions to buy and sell securities, i.e. be “material” within the meaning of s 677.

431.     The heuristic nature of investor decision-making also means that many investors are likely to take information basically at face value, and focus, in the first instance, upon obvious points of significance that emerge from it on a natural reading – and even more so if those points are capable of quickly being converted into numbers which can be used for the purpose of estimating financial impacts. In this case, for example, reporting an objectively large number (thousands, up to 53,000+) of instances of non-compliance with AML/CTF legislation which carries heavy financial penalties per breach would have attracted such immediate attention – and been processed by many investors very rapidly, both in terms of what it meant, first, for CBA’s reputation (and its associated premium in the market), and, secondly, what it meant in terms of the maximum possible fines to which it might lead. Investors seeking to process that information would not generally have time to study the law, and pedantically examine what the prospects were of CBA rehabilitating its reputation, or escaping meaningful consequences. Perhaps some investors will take more time, but the point is that investors will focus on key elements of information presented to them, and seek to draw conclusions as to the financial implications of it.

    (Footnotes omitted.)

The evidence of Mr Singer

687    Mr Singer also gave evidence on this topic, with particular reference to investors in CBA shares.

688    Mr Singer said that there are a number of factors that drive investor behaviour in the Australian market. One of the key drivers for investors making investment decisions in relation to property trusts, infrastructure stocks, industrial shares, and especially financial institutions such as the Bank, Australia and New Zealand Banking Group Limited (ANZ), Westpac Banking Corporation (Westpac), and National Australia Bank (NAB), (collectively, the four major banks), is the dividend paid on the shares and the historical dividend growth. He said that these shares tend to have a long history of sustainable and repeatable return, and are referred to as yield or income stocks. They represent an income stream on which investors can rely. In addition, the dividends paid by the four major banks have had, historically, a high payout relative to the market, relatively consistent returns, and been fully franked—thereby providing taxation benefits to both domestic individual and superannuation investors. Mr Singer said that, because of those benefits, investment decisions will in large part be influenced by the company’s dividend.

689    According to Mr Singer, the Bank generally pays a dividend between 55% and 80% of its net profit after tax, in the form of a fully franked dividend. Between June 2014 and April 2017, the Bank’s dividend policy was targeted at a full year payout ratio of between 70% and 80% of its net profit after tax.

690    Mr Singer noted that, as at 3 August 2017, companies comprising the banking sector of the S&P/ASX 200 index constituted the largest part of the Australian market (28.62%). CBA shares were the largest stock (by market capitalisation) within that sector, representing 9.59% of the S&P/ASX 200 index. As the Bank was the largest company in the largest sector of the S&P/ASX 200, Mr Singer said that a decision “to hold or not hold” CBA shares would have been an important part of portfolio construction as at 3 August 2017. Further, as bank stocks are an integral part of Australian retirement investing and portfolio construction, every Australian superannuation fund will have some exposure to CBA shares, directly or indirectly.

691    Mr Singer said that, generally, investors’ decisions to invest in shares will be affected by portfolio construction theory. (It is otherwise with index funds, where decisions to buy or sell shares are not determined by individual market announcements but by underlying mandated fund flow.) Mr Singer said that, with Australian stocks, “the simplest investment decisions boil down to income and growth”. Bank stocks provide both. Other investments opportunities for Australian investors are industrial stocks (such as Woolworths, Telstra, and Wesfarmers) and resource stocks (such as BHP, Rio Tinto, and Woodside Petroleum). A diversified portfolio will contain “a mixture of growth and income and be weighted to large market capitalisation Australian stocks”.

692    Mr Singer said that, because investors generally make decisions having regard to their overall portfolio, a large portion of investors will be “less influenced by micro announcements than by ensuring that their overall portfolio is constructed so as to provide them with the appropriate diversification and income and growth”.

693    In addition, Mr Singer said that the shareholder base in listed companies where there has been a transition from public to private ownership (such as the Bank and Telstra), has a higher retail portion than other listed companies. Mr Singer said:

In my experience, retail shareholders tend to hold shares for a longer duration and be “stickier” than institutional investors. This is because retail investors are principally interested in dividend stream from shares, such that as long as the dividend stream is maintained they will have no cause to sell their shares. In addition, because retail investors tend to look at investments on an after-tax basis, capital gains tax may serve as a disincentive for them to sell their shares. Consequently, shareholders in these shares tend not to buy or sell shares on the basis of individual announcements.

694    Mr Singer analysed the Bank’s shareholder base from the Bank’s 2014 to 2019 Annual Reports. He noted the number of “small” shareholders (owning < 5,000 shares) and concluded that these shareholders were most likely retail investors (i.e., personal investors, self-managed superannuation funds, and family trusts, as opposed to institutional investors). While the number of these shareholders had grown in that period, generally speaking, on a year-by-year basis, their number had not moved substantially more than 2% in either direction in any one year. Mr Singer concluded that the Bank has one of the most stable and long-term shareholder bases of any ASX-listed company.

695    More generally, Mr Singer said that context, and the way in which the market becomes aware of information, is important when assessing the potential price effect of the information. Context includes considerations of timing, the method by which information is released, the source of the information, and the prevailing market conditions.

696    As to timing, Mr Singer observed that price volatility around a “results release” will generally be higher pre- and post- the release than at other times of the year. He gave the example of a prospective buyer looking to purchase stock in the face of an imminent results release when market expectations are negative (as shown through, for example, broker price targets). In such a case, Mr Singer said that the buyer is likely to wait until the results are released so as to have full and fresh information to inform a buying decision. Mr Singer also gave the example of a prospective seller who has owned particular shares for some time in circumstances where those shares have outperformed the market. Mr Singer said that such a seller may well look to sell the shares ahead of the result and “the uncertainty relating to the impending financial reporting”.

697    As to the method by which information is released and the source of the information, Mr Singer said that information released by way of an ASX announcement may have a different level of materiality in terms of price effect than information received through a press release or social media. Further, certain statements made by a regulator will be taken more seriously or given more significance than statements made by a listed company.

698    Mr Singer said that, in his experience, the information that would be, or would likely be, material to an investor depends on whether the investor is an institutional investor or a retail investor.

699    According to Mr Singer, institutional investors will have accumulated knowledge across the fund they are managing through internal due diligence. Institutional investors are constantly and continuously monitoring information and will have acquired their own knowledge on a company’s balance sheet, management, and group strategy. They have the ability to do “deeper internal research”. On the other hand, retail investors are more likely to be interested in the value of fully-franked dividends rather than wanting to understand the rights and liabilities attached to shares, or the company’s assets and liabilities, its financial position and performance, or its profits, losses, and prospects. In this regard, Mr Singer disagreed with the contrary view expressed by Mr Johnston.

700    Mr Singer stressed that the “materiality threshold” is important because it avoids the risk that companies might “over-disclose” information of varying degrees of significance, from the trivial to the very important. In other words, “materiality” is a “filter” to ensure that too much information is not disclosed. Mr Singer observed that if information were to be disclosed to the market regardless of its materiality, the volume and frequency of announcements would be overwhelming and material announcements could be “missed in the noise”. Mr Singer said that market participants do not want companies to “cry wolf”. Mr Singer also said that the over-disclosure of information, regardless of its materiality, would create market uncertainty.

701    Mr Singer addressed investor expectations in respect of a company’s engagement with regulators, noting that, since the global financial crisis (GFC), the engagement between regulators and financial institutions has increased. Mr Singer said that it was generally well-understood by market participants that there was a “two-way engagement” between regulators and financial institutions involving dialogue, training, feedback, and a larger response to regulatory inquiries.

702    Mr Singer said that, in his experience, market participants well-understand that, from time to time, regulatory issues (including matters of non-compliance) arise in respect of large financial institutions (in particular, the four major banks) and that regulators conduct investigations in relation to those issues on a regular basis. Mr Singer said that there was no expectation in the market that these engagements would be disclosed by ASX announcements:

60.      To do so would be unduly onerous, having regard to the number of interactions that would be expected, and in my opinion would have risked flooding the market in such a way that would make it difficult to identify important information. I do not recall seeing announcements by which the companies disclosed as a matter of practice their dealings with particular regulators. The exception to this is circumstances where dealings with a regulator became part of the public domain through things such as press reports, or where there was a concluded regulatory action such as an enforceable undertaking. My own experience at UBS at the time was that there were frequent interactions with regulators, including ASIC.

703    Like Mr Johnston, Mr Singer said that market information might be material on either a quantitative or qualitative basis.

704    Mr Singer said that quantitative information is information that has a numerical effect on the financial forecast for a company, such as the movement up or down in a company’s earnings or profit guidance, or in analysts’ forecasts.

705    Mr Singer said that, in his experience (including in the relevant period), it was the expectation that a change in an amount of > 10% would be “material”. It was also the expectation that a change of < 5% would not be “material”. For a change of between 5% and 10%, the information might be material, but further consideration was required. I note that Guidance Note 8 to the ASX Listing Rules states that, “[v]ery large entities or those that normally have very stable or predictable earnings may consider that a materiality threshold closer to 5% than to 10% is appropriate”.

706    Mr Singer said:

In assessing quantitative materiality, the quantitative effect on a financial metric of a company would need to impact a metric that was considered by investors to be important and/or followed by the analyst community. In my experience, the relevant financial metrics for a company are its revenue, expenses and profit.

707    Mr Singer described qualitative information as “information that may not have a direct impact on a financial metric of a company, but which may translate indirectly to affect such metrics”. Such information may be reflected in the “price/earnings ratio premium/discount” that a company holds to its peers or the market. Mr Singer said:

88.     It was my experience that during the Relevant Period it was rarer for companies to disclose qualitative information as opposed to quantitative information. The market’s view on the consistency and deliverability of quantitative information or reliability and consistency of performance could have a qualitative effect on the stock’s rating. That is for example consistent earnings upgrades and a higher level of earning certainty and deliverability could demand a premium rating. During the Relevant Period companies would generally disclose qualitative information where that information would materially affect the markets’ perception of the ability of the company to generate earning or profit. For example, small companies may announce industry awards to highlight their progression while larger companies are unlikely to announce this.

708    Mr Singer stressed the importance of context in assessing whether information is qualitatively material. As to this, Mr Singer said:

89.    In my experience, to assess whether information is qualitatively material, it is necessary to consider this information within its context (including the timing, the method, the source and overall landscape in which the information is being provided). When I refer to:

(a)    timing, I mean the point in time at which the information is released. For example, in my experience volatility around a results release will generally be higher pre and post the release than at other times during the year, and the materiality and potential price effect will be impacted as I have described ;

(b)    method, I mean the means by which the information becomes available to the investor. For instance, whether the information is released by way of an ASX Announcement by CBA to the market, a joint media release by AUSTRAC and CBA, an AUSTRAC statement on its website or a tweet by AUSTRAC;

(c)    source, I mean how the information is received by the market, such as direct from the company, the regulator or media generally; and

(d)    the prevailing market conditions, I mean the macro factors:

i.    such as global environment, geopolitical risk, inflation, interest rates and regulatory and changing regulatory environments; and

ii.     which have a qualitative effect on how equities markets are rated versus other asset classes and therefore how individual shares such as CBA are priced and the decision of an investor whether or not to buy or sell shares.

709    Mr Singer also said:

91.     As I have explained , retail investors were principally concerned with yield stocks for income generation and dividend certainty. For this reason, it was my experience during the Relevant Period that materiality from the perspective of a retail investor was assessed by reference to whether the information would affect the dividend of a yield stock.

92.     From the perspective of institutional investors, the focus of those investors was on a comparison between the peer group, for instance in the case of banks (CBA, ANZ, Westpac and NAB), and in the case of resource stocks (BHP, Rio Tinto, Fortescue and Woodside). This was assessed by reference to each of those stocks as a discounted cash flow. One way of measuring this is the Gordon Growth model which determines a valuation of the company based on its forecast dividend divided by the expected rate of return minus the dividend growth ((D1/RE-RG)). For this reason, materiality was assessed by reference to whether the information affected cash flow for the stock going forward.

Materiality: The Late TTR Information

The applicants’ submissions

710    The applicants submit that the Late TTR Information is intuitively information that would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of CBA shares. In this regard, the applicants do not differentiate between the different pleaded forms of the Late TTR Information. They say that the differences in detail between the pleaded forms do not have a bearing on the materiality of the information concerned.

711    The applicants advance four reasons in support of their submission.

Serious non-compliance

712    First, the applicants argue that the Late TTR Information was “serious in its nature”. It concerned a large number of failures by the Bank to meet its regulatory obligations over a period of years, and “a large quantum of transaction value”. The information suggested that the Bank “had engaged in tens of thousands of contraventions of the AML/CTF Act in circumstances where the object of that Act is the prevention of serious criminal offences”.

713    Apart from the content of the information itself, the applicants call in aid the Bank’s own awareness that, as Australia’s largest financial institution, it had a major role to play in reducing the flow of money used to finance criminal activity. The applicants also call in aid the evidence given in cross-examination by Mr Narev, Mr Worthington, and Mr Cohen. Mr Narev accepted that AML regulation was an area of critical risk for the Bank’s business and that regular reporting (in relation to TTRs) was “a key regulatory outcome that AUSTRAC was focusing on”. Mr Worthington accepted that the regulation of “AML and CTF issues” was an area of significant or important risk. Mr Cohen accepted that the Bank had a vital role in assisting AUSTRAC in protecting the public from “money laundering and terrorism [financing] activities”.

714    The applicants submit that the “tens of thousands of failures” by the Bank to comply with “a basic regulatory obligation in an area of critical risk for [the Bank’s] business”, and a regulation “designed to reduce the risk of ongoing and serious financial crime”, would have been perceived by investors as objectively serious and, therefore, “plainly a matter that would influence their decision making”.

715    Further, the applicants call in aid the fact that, at the time, no other Australian financial institution or corporation had previously reported non-compliance of such obligations on such a large number of occasions over such a lengthy period of time. The applicants submit that this would have been known to investors and had greater significance following the commencement of the Tabcorp proceeding on 22 July 2015, with even greater significance in February 2017 when the settlement of the Tabcorp proceeding was announced.

716    The applicants also argue that the objective seriousness of the Bank’s non-compliance in relation to the late TTR issue can be measured by the large penalties that could be imposed for contravention of the AML/CTF Act. The applicants submit that this information was available and would have been known to “a portion of the broad cross-section of rational investors”, who would “take a pretty rough approach to try and work out what range the fine might be in” by multiplying the maximum penalty by the number of instances of non-compliance.

717    The applicants submit that the objective seriousness of the Late TTR Information is supported by AUSTRAC’s own assessment of the matter. They rely on AUSTRAC’s expression of “serious concerns” about the scale of the Bank’s non-compliance with s 43 of the AML/CTF Act in its letter of 12 October 2015, and the later expression of its view (at the meeting on 7 March 2017 with Ms Watson and Mr Keaney) that “the TTR and associated matters” were “serious, significant and systemic”.

718    In light of these matters, the applicants submit:

445.     Investor concerns would be around what the attitude of the regulator was likely to be, and they would consider that in the absence of confirmation to the contrary from a credible source, they should proceed on the basis that the regulator’s view would accord with their own, namely that the non-compliances were objectively large in number, affected a (sic) the whole IDM network, resulted in an objectively large amount of transactions in dollar terms going unreported, and were thus apparently serious, significant and systemic. Accordingly, a revelation by CBA that it had failed to comply with a basic obligation under the AML/CTF Act tens of thousands of times would have led investors to lower their assessment of CBA’s competence in complying with its regulatory requirements and upwardly revise their estimates of CBA’s operational risk. The number and apparent seriousness of the failures would have been influential upon their decisions as to whether to buy and sell CBA shares.

    (Footnote omitted.)

719    The applicants argue that it would only be of “secondary significance” to investors to know whether the systems error, which led to the TTRs not being lodged in time, had been fixed. According to the applicants, this is because investors would “naturally assume” that the issue would be fixed upon being identified. Investors would nonetheless appreciate that there was “an element of irremediability” because a failure to report on time could never be fixed. The applicants submit that investors would focus on the large scale non-compliance that had occurred over a long period of time.

Reputational damage

720    Secondly, the applicants argue that the Late TTR Information would have led investors to consider that the Bank’s reputation was “going to be damaged, perhaps irretrievably”. They argue that investors would have appreciated that this damage would influence the CBA share price.

721    In cross-examination, Mr Narev accepted that contraventions of the AML/CTF regime could give rise to reputational damage to the Bank, and “large reactive share price declines”. He accepted that such contraventions could lead the media to describe the Bank as “morally bankrupt”.

722    Specifically with respect to the late TTR issue, Mr Narev accepted that the Bank’s failure to give TTRs on time for some 53,000 threshold transactions over a three-year period could give rise to adverse publicity and consequential reputational damage for the Bank.

723     Mr Narev accepted that, from at least February 2017, the Bank was concerned about the management of the late TTR issue in the media: see [299] – [300] and [332] above in relation to Project Concord. One of the aims of this management was to seek to influence, to the extent possible, how the Bank’s customers and investors would react upon becoming aware of that issue.

724    The applicants submit that the academic literature (Sturm) supports the contention that reputational damage can result in a loss in value of an entity’s share price.

The perception of the risk of regulatory action

725    Thirdly, the applicants argue that the Late TTR Information would have suggested to investors that the Bank was at risk of regulatory action, including the risk of substantial pecuniary penalties being imposed. They advance this as a matter of common sense. They also advance this consideration independently of, and regardless of, whether the Potential Penalty Information should have been disclosed. According to the applicants, the substantive content of the Potential Penalty Information would arise in investors’ minds as a consequential inference to be drawn from the Late TTR Information itself, given the quantum of non-compliance in terms of the aggregate dollar value of the transactions for which TTRs had not been lodged on time. As the applicants put it:Regardless of how much had gone right (in the sense of regulatory compliance in other areas), what had gone wrong was objectively serious.

726    The applicants also point to Mr Narev’s evidence that, from October/November 2016, he considered that there was a serious risk that AUSTRAC might take regulatory action against the Bank in respect of the late TTR issue, and that one outcome of regulatory action could be the imposition of a significant fine on the Bank. In Mr Narev’s view, the primary concern of shareholders and investors would be around the attitude of the regulator.

The cost of remediation

727    Fourthly, the applicants argue that the Late TTR Information would have suggested that the Bank’s AML/CTF systems might require remediation at a “higher than anticipated expenditure in its compliance and systems improvement functions”. According to the applicants, this would be so because the non-detection of the late TTR issue for a significant period of time “would rather cast a pall over the quality of CBA’s detection systems, audit and compliance function and risk management culture”. Investors would fear that, regardless of the work that the Bank might have done in improving its compliance function, “not enough had been spent, and more could be required”. The announcement of the Late TTR Information “would be regarded by investors as a canary in a coal-mine, in terms of possible future remediation costs”.

The expert evidence

728    The applicants submit that the materiality of the Late TTR Information is supported by the evidence given by their expert witnesses, Professor da Silva Rosa and Mr Johnston. It is convenient to also refer, at this point, to the evidence given by the Bank’s expert witnesses, Mr Ali, Mr Singer, and Dr Unni.

729    As will become apparent, the applicants’ expert witnesses, and the Bank’s expert witnesses, presented opposing views on the materiality of the pleaded information.

Professor da Silva Rosa

730    Professor da Silva Rosa expressed the opinion that investors would consider, or would be likely to consider, the June 2014 Late TTR Information to be value-relevant for three reasons. First, it described a substantial breach by the Bank of its reporting obligations under the AML/CTF Act. Secondly, the late TTRs comprised the overwhelming majority of threshold transaction which occurred through IDMs for an extended period of time, such as to indicate that these reporting failures were substantial and systematic over an extended period of time. Thirdly, the dollar value of the TTRs was materially large, such as to indicate that the late TTRs concerned an economically substantive set of transactions.

731    Professor da Silva Rosa said that, in light of this information, investors would infer that the Bank had been substantially and systematically deficient in its compliance with the requirements of the AML/CTF Act. This information would, or would be likely to, influence investors to:

(a)    lower their assessment of the Bank’s competence in complying with its obligations under the AML/CTF Act;

(b)    upwardly revise their estimates of the Bank’s operational risk with economically significant adverse consequences (including regulatory penalties and the cost of remediation); and

(c)    increase their estimates of the Bank’s reputational risk (in the sense of adversely affecting the Bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding).

732    Professor da Silva Rosa said that, while investors do not expect a financial institution such as the Bank to be entirely risk free, they do expect sufficient measures to be taken, and investments made, to mitigate operational risk to the extent required by legislation such as the AML/CTF Act.

733    Professor da Silva Rosa said that an additional reason why investors would infer that the Bank had been substantially and systematically deficient in its compliance with the requirements of the AML/CTF Act is that the cause of the late TTRs was a systems error that had not been rectified. I have already commented on the incongruity of that integer of the June 2014 Late TTR Information and the August 2015 Late TTR Information given that, had the Bank actually known that the TTRs had not been lodged, it is inconceivable that the Bank would not have promptly rectified the problem and informed the market accordingly.

734    Professor da Silva Rosa expressed the opinion that the August 2015 Late TTR Information and the September 2015 Late TTR Information are materially equivalent to the June 2014 Late TTR Information. In this regard, he said that the particular numerical values evidencing the Bank’s non-compliance is not critical beyond the point where it is evident that the non-compliance is “systematic and large in scale”. As Professor da Silva Rosa put it:

… the cause of a flooded bathroom is not affected by the amount of damage done. Further, once the extent of flooding reaches the point where, say, the whole bathroom has to be renovated the level of water in the bathroom is trivially consequential, if at all.

735    Professor da Silva Rosa sought to support his opinion on this topic by reference to academic literature reporting on research findings, and published analyst opinions. Professor da Silva Rosa said that professional analysts’ views are widely regarded as a valid proxy for investors’ views. Professor da Silva Rosa considered 11 such reports. Notably, the reports were based on the 3 August 2017 announcement, not the pleaded information as such. Even so, Professor da Silva Rosa read these reports as expressing views that were consistent with his opinion on the influence or likely influence of the Late TTR Information on investors’ decisions to acquire or dispose of CBA shares.

736    It is important to emphasise two matters here. First, Professor da Silva Rosa considered that the 3 August 2017 announcement would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of CBA shares. Secondly, he reasoned that the elements of the announcement that would have that influence did not convey anything more material than the cumulative effect of the pleaded forms of the Information. In this regard, he said that the material elements of the 3 August 2017 announcement, and the pleaded forms of the Information that the applicants say the Bank should have disclosed, were “economically equivalent”. Professor da Silva Rosa said that two sets of information will be “economically equivalent” when the information conveys the same implications as to risk and expected cash flows.

737    It is important to understand that Professor da Silva Rosa considered each of the pleaded forms of the Information would lead investors to infer that the Bank had been substantially and systematically deficient in its compliance with its requirements under the AML/CTF Act and that this would then lead to investors making the assessment and estimations I have noted above. On this reasoning, Professor da Silva Rosa considered that “each species of information was economically equivalent to each other species of information” and that “each species of information was economically equivalent to” the 3 August 2017 announcement. As Professor da Silva Rosa also put it, each of these forms of information (including the 3 August 2017 announcement) “conveyed the same value-relevant implications to investors”.

Mr Johnston

738    Mr Johnston’s opinion was that the Late TTR Information would be material to investors on a quantitative basis “because of their number and potential cost to CBA” (meaning, as I understand Mr Johnston’s evidence, that the potential penalty payable by the Bank for non-compliance was very large). Mr Johnston addressed the question of a “fine” by treating each failure to lodge a TTR on time as a separate contravention of the AML/CTF Act. He then multiplied the aggregate number of contraventions for each pleaded form of the Late TTR Information by the amount of the maximum statutory penalty for a contravention, to arrive at the quantum of each “fine”. On this basis, he said:

The Late TTR [I]nformation alone would therefore, on a quantitative basis, be material to investors when assessing CBA’s assets and liabilities, financial position and performance, profits and losses and prospects. There was no information indicating that CBA would escape a material fine.

739    However, having performed these calculations, Mr Johnston volunteered that “fines” of these magnitudes were “practically and politically inconceivable”. Nevertheless, he said that conjecture about the amount of the “fine” would have “spooked” the market.

740    Mr Johnston expressed the opinion that the Late TTR Information would be qualitatively material to investors. He said that:

(a)    the proportion of late TTRs relative to all threshold transactions through the Bank’s IDMs in each pleaded period indicated “persistent and seemingly systemic failings”;

(b)    the values of the affected transactions would likely seem material to investors when assessing the need for financial institutions to deter money laundering and terrorism financing;

(c)    the non-compliance for the pleaded periods indicates a level of ongoing and systemic failings that would have exposed Australia to the risk of serious and ongoing financial crime;

(d)    the Bank’s need to “remedy the issues causing the contraventions” would lead investors to expect that the Bank was exposed to “material remediation and ongoing systems costs”; and

(e)    the cost of doing business for the Bank (and other banks) was likely to increase materially (and revenues might decline) due to the “risk of increased regulatory and government intervention”.

741    In his second report, Mr Johnston also expressed this opinion:

36.    For completeness I note that in my opinion, independent advisors, corporate advisors, lead managers, underwriters, institutional sales forces, research analysts, retail investor advisors, brokers and other advisors would consider, and would conclude that investors would consider, that:

-    the potential reputational or brand damage to CBA ; and

-    the potential fines resulting from the material in the Information,

including multiple corporate failings causing multiple breaches of Australia’s AML/CTF legislation (which at different time periods went from around 12,000 breaches to over 53,000 breaches):

(a)    could impact on CBA’s ability to carry on business as in the past, and were definitely outside CBA’s normal business course ;

(b)    related to an area of significant or critical risk for CBA ;

(c)    involved a significant and unexpected actual or potential liability for CBA ;

(d)    could have a long-term effect on the CBA’s business and therefore its profitability or revenue ;

(e)    had a material adverse effect on CBA’s reputation, proposed activities, prospects or financial condition including affecting not only CBA’s prospects but also the extent to which investors price CBA shares at a premium or discount to shares in those comparable companies; and

(f)    might otherwise be reasonably expected to influence an investor’s decision to offer to buy CBA shares at the then current market price,

so that for any one or more of these reasons the Information would be material to an investor considering the sale or purchase of shares in CBA.

742    The applicants rely in particular on the following evidence given by Mr Johnston in the course of concurrent evidence as to the “health checks” or “sanity checks” he would have made if advising in the context of “due diligence and offer processes” on whether information should be disclosed. This approach was not expressed in Mr Johnston’s reports:

… So what I would have done in a normal issue would really do a number of health checks, sanity checks, on whether disclosure really was required.

The first one is the easy one: would a next day investor complaint lack any rational justification? And my view on the information is that a rational investor would be rightly upset if they invested without the information. My second sanity check is whether the information is adequately covered by existing disclosure, and my view there is that the generic risks previously disclosed weren’t equivalent to disclosing the actual failings or breaches or losses. The third sanity check would be to ask whether the information was trivial or immaterial ultimately, and, again, my view on the information that with 12,000 or 50,000 or 53,506 strict liability TTR failings depending on the period chosen with no permissible margin of error, the information was material. And with over half a billion dollars improperly reported over two years of sustained systemic failings and matters affecting the integrity and credibility of the financial system, the information would be material to investors.

A fourth sanity check is always whether the risks are effectively zero, meaning that there was no reasonably foreseeable impact regardless of the quantum involved. My view on the information is that was a real risk of reputational damage and regulatory sanctions, so it couldn’t be said the risk was zero and it could be said the information wasn’t material to investors. Fourth – sorry, the next sanity check is whether the impact is conditional on an unknowable third party action, and my view on the information is that there was no reasonable basis to assume there would be a lack of regulatory action or lack of brand damage. And I point out that brand damage would be substantially independent of the existence or size of financial penalties as seen in the NAB – market’s response to NAB’s 2021 disclosure and the Wells Fargo 2016 penalties, so it would have been material to investors.

The final check in issues is whether the disclosure is actually avoidable because it falls within an exception to any disclosure requirement, and my view on the information is that it didn’t fall within any of the ASX listing rule 3.1 carve-outs. …

743    It is appropriate at this point to note an aspect of Mr Johnston’s evidence on the question of materiality that was most clearly revealed during the course of cross-examination. In his first report, Mr Johnston addressed the following question:

Q1     Whether, during the whole or any part (and if so, which part) of the period between 16 June 2014 and 1:00pm on 3 August 2017 (inclusive) each of the following categories of information:

a)     the June 2014 Late TTR Information; the August 2015 Late TTR Information, and/or the September 2015 Late TTR Information;

b)     the June 2014 IDM ML/TF Risk Assessment Non-Compliance Information, and/or the August 2015 IDM ML/TF Risk Assessment Non-Compliance Information;

c)     the June 2014 Account Monitoring Failure Information, August 2015 Account Monitoring Failure Information, and/or the September 2015 Account Monitoring Failure Information;

d)     the Pre-16 June 2014 System Deficiencies, and/or the Ongoing Systems Deficiencies; or

e)     the Potential Penalty Information,

    (collectively the Information) was information that would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of CBA Shares.

744    In cross-examination, Mr Johnston volunteered that, in preparing his reports, he assumed for the purpose of assessing materiality that all the information identified in this question was disclosed, not just the Late TTR Information. He said that he was “hesitant to try and break out one of the five components in my head and give the court a considered opinion”.

745    It would appear, therefore, that, for the purpose of expressing his opinion on the question of materiality, Mr Johnston in fact considered the collective effect of the “Information” defined in the question, not just the Late TTR Information itself or a particular pleaded form of that information. This “Information” included information that the applicants no longer rely on (see integer (d) at [743] above) in their continuous disclosure case. Mr Johnston nevertheless said:

My only starting point would be that the late TTR information as at June 14 contained the 14,000 breach – or failings carrying a $200 billion penalty. I think that is still to my mind a heart-stopping and jaw dropping number which would cause concern about a lot of things within CBA, including potential management changes.

746    Mr Johnston also said that if the September 2015 Late TTR Information were to have been disclosed, “it would have [had] a massive impact on investors”.

747    Mr Johnston argued that the likely materiality of “the categories of Information and the Information collectively”, and its influence on persons who invest in securities in deciding whether to acquire or dispose of CBA shares, could be cross-checked against the commentary of banking analysts published in reports after the 3 August 2017 announcement. Mr Johnston considered four of the reports analysed by Professor da Silva Rosa. He said:

129.     In my opinion, themes that can be distilled from all four reports are:

(a)     on a quantitative basis - the fines payable by CBA were not capable of precise estimation, but the early $6bn fall in market capitalisation was seen as being at least as high as expected fines; and

(b)     on a qualitative basis - a bigger risk for investors in not just CBA brand damage and consequential costs for it (and potentially other Australian banks) but also the potential for greater regulatory intervention, leading to direct costs, greater supervision and more regulatory (ie lower-yielding) capital, which would reduce returns for investors in all banking stocks, including CBA . The specific areas and exact period of CBA’s non-compliance was not overly relevant to the research analysts, who would have known CBA investors well. Their concern was not the specific areas of AML/CTF laws that had been breached, but rather that CBA had been in serious and systemic non-compliance with AML/CTF laws generally.

748    Mr Johnston also addressed the market effect of the 3 August 2017 announcement. He opined that the major contributor to the decline in value of the Bank’s shares after the 3 August 2017 announcement was the market’s concerns about the penalty that the Bank would have to pay, with the penalties for Late TTRs being “the largest and most clearly identified concern”.

749    In this regard, he placed less significance on the fact that the 3 August 2017 announcement referred to the actual commencement of proceedings against the Bank. In cross-examination, he said:

MR JOHNSTON: I understand that lawyers would understand the process well, but as a market participant, people sit there wondering that there’s announcements of enforcement action, there are defences, there are filings, there are a huge range of steps; no one really knows, and no one really cares. The question is what’s going to happen at the end? Investors don’t really care to the extent that they’re all steps towards an outcome and they will – in my opinion, investors would have assumed there would be regulatory action, therefore they would have assumed these steps. They’re relative – their incremental materiality was minimal. They’re all steps towards something that was going to happen.

MR HUTLEY: That’s because you assumed proceedings was inevitable; correct?

MR JOHNSTON: I assumed regulatory action was inevitable, yes.

MR HUTLEY: Which involved penalty proceedings; correct? You thought there was 100 per cent certainty that penalty proceedings would be brought; correct?

MR JOHNSTON: I thought the – the risk was so high that it could be regarded as certain.

MR HUTLEY: Right. The risk was – all – most advisers would say legal proceedings are inevitable; correct?

MR JOHNSTON: If I had to put it in the terms advisers would put they would say, “CBA is going to be sued and they’re going to be fined,” yes.

MR HUTLEY: There’s nothing obscure about the concept of being sued, is there?

MR JOHNSTON: They would know that it was going to be sued.

MR HUTLEY: Quite. It’s not an obscured formal step – it’s not an obscure step; correct?

MR JOHNSTON: Again, I think we’re quibbling here, but the whole process of how are you sued, does AUSTRAC lodge a noticement (sic), is there a Twitter? In the end it’s being sued.

MR HUTLEY: It’s a very important event in the life of any public company to be sued by a regulator, isn’t it?

MR JOHNSTON: It would be, yes, to be sued.

MR HUTLEY: Right. It is a matter which I suggest to you the market would treat as vital in assessing the value of that company so far as they were concerned with regulatory departures; correct?

MR JOHNSTON: No, in the sense that, once you’ve assumed they will be sued, the fact that – that if the legal proceedings commenced the next week or the week after doesn’t matter, you’ve assumed it’s going to happen. There will be those steps.

750    In his first report, Mr Johnston expressed the opinion that:

… if the elements of the Information knowable in June 2014 (which included contraventions relating almost entirely to Late TTRs) had been disclosed in June 2014, the market reaction would not have been materially different to the market reaction following the [3 August 2017 announcement].

751    He expressed the same opinion with respect to Information knowable in August 2015” and “Information knowable in September 2015.

752    It would seem that, here, Mr Johnston was aggregating various forms of the pleaded Information, including information on which the applicants no longer rely in their continuous disclosure case.

753    Mr Johnston said that, although there were differences between the Information (at the variously pleaded points in time) and the information in the 3 August 2017 announcement, the differences in the information in the 3 August 2017 announcement had only an “incremental effect” which would be “parabolic and decreasing rather than linear”, given the “baseline disclosure of the Late TTR Information” (meaning, in the first instance, the June 2014 Late TTR Information). According to Mr Johnston, the additional integers of the information in the 3 August 2017 announcement (including the fact that proceedings against the Bank for civil penalties had been commenced) “made no material difference to the market’s overall reaction”. Mr Johnston expressed the same opinion taking the August 2015 Late TTR Information and the September 2015 Late TTR Information as “baseline” disclosures.

754    From this evidence, I understand Mr Johnston to say that each pleaded form of the Late TTR Information was (to use Professor da Silva Rosa’s expression) “economically equivalent” to the 3 August 2017 announcement. Therefore, had each pleaded form of the Late TTR Information been disclosed at the time when the applicants say it should have been disclosed, the market’s reaction to the disclosure would not have been materially different to the market’s reaction to the 3 August 2017 announcement.

755    The corollary of this approach is that disclosure of any of the pleaded forms of the Account Monitoring Failure Information, the IDM ML/TF Risk Assessment Non-Compliance Information, or the Potential Penalty Information, if disclosed by the Bank at the relevantly pleaded times, would also have had only “incremental effect” given the posited “baseline” of the Late TTR Information.

Mr Ali

756    Mr Ali’s opinion was that, in the absence of AUSTRAC actually commencing proceedings against the Bank on 3 August 2017, investors would have likely viewed the Late TTR Information as not material, and not information that would, or would be likely to, influence persons who commonly invest in securities in determining whether to acquire or dispose of CBA shares.

757    Mr Ali said that investors consider materiality in “a relative sense with the relevant context”. With specific reference to the September 2015 Late TTR Information (which Professor da Silva Rosa considered to be materially equivalent to the June 2014 Late TTR Information and the August 2015 Late TTR Information), Mr Ali referred to a number of contextual matters. He noted that the Bank was a large and complex financial institution with a very large customer base (in the millions) and also a very large number of accounts (in the tens of millions). It had “invested heavily on risk and compliance expenditure”, and had an extensive AML/CTF Program that incorporated elements to assess, identify, mitigate, and manage ML/TF risk. Its program incorporated reporting elements and associated processes to comply with its regulatory obligations, and automated processes to identify threshold transactions.

758    Mr Ali noted that the cause of the September 2015 Late TTRs was an operational error by way of a coding error. The cause was not fraud or other misconduct by the Bank’s staff or management. Mr Ali said that this was important because, in his experience, non-fraud related operational risk events are perceived to be less significant than fraud related operational risk events. Mr Ali noted that this operational error was substantially self-identified and self-reported to AUSTRAC and had been rectified within the space of several weeks. According to Mr Ali, this relatively swift remediation would indicate that the specific coding error was not complex or expensive to resolve once identified. Mr Ali said that this was relevant because investors would not perceive there to be a significant remediation related impost to rectify the error.

759    Mr Ali also noted that there was “no material profitability ascribable to [the Bank] as a result of the operational error”, and “no material loss of profitability expected pursuant to the resolution of the operational error”.

760    Further, the period of time between the Bank reporting the error relating to the late TTR issue, and AUSTRAC commencing proceedings against the Bank, was almost two years. Mr Ali said that this was relevant because investors “may perceive that AUSTRAC did not view this error to be a matter that required urgent action on its part”.

761    Mr Ali noted Professor da Silva Rosa’s comment that investors do not expect a financial institution, such as the Bank, to be entirely free of risk, including operational risk. Mr Ali said that investors would not expect that the Bank’s systems “would operate completely effectively 100% of the time”, including its systems relating to AML/CTF compliance and reporting processes.

762    Mr Ali acknowledged that the September 2015 Late TTRs concerned approximately 53,506 threshold transactions to the value of approximately $624.7 million, and that these were “large numbers in an absolute sense”. However, these transactions represented:

(a)    approximately 2.3% of all TTRs submitted by the Bank between November 2012 and September 2015 (indicating that, in that period, the Bank had submitted 97.7% of TTRs within the required timeframe);

(b)    the value of the September 2015 Late TTRs represented approximately 1.3% of the value of all TTRs submitted by the Bank between November 2012 and September 2015 (indicating that, in that period, the Bank had submitted 98.7% of the total value of TTRs);

(c)    the number of September 2015 Late TTRs represented approximately 0.76% of the average number of transactions per day and approximately 0.003% of the aggregate number of transaction per annum monitored by the Bank’s AML/CTF processes (indicating that the late TTRs comprised an extremely small fraction of the transactions monitored by the Bank); and

(d)    the value of the September 2015 Late TTRs represented approximately 0.29% of the value of transactions per day and approximately 0.001% of the aggregate value of transactions per annum monitored by the Bank’s AML/CTF processes (indicating that the value of the late TTRs comprised an extremely small fraction of the value of transaction that were being monitored by the Bank).

763    Mr Ali expressed the opinion that, given the increasingly extensive and complex regulatory environment in which the Bank operated, investors would reasonably expect that, from time to time, the Bank may experience errors of the nature that resulted in the September 2015 Late TTRs.

764    Mr Ali also expressed the opinion that generalisations based on academic research are not necessarily reliable predictors of how market investors will react.

765    Mr Ali’s opinion in relation to the materiality of the Late TTR Information, and the September 2015 Late TTR Information in particular, was influenced by the responses to AUSTRAC’s announcement on 3 August 2017 concerning the commencement of proceedings against the Bank.

766    Mr Ali said that the fact that AUSTRAC had commenced proceedings against the Bank was information that would, or would be likely to, influence investors in deciding whether to acquire or dispose of CBA shares. He considered that “the substantial majority of the market reaction” to the 3 August 2017 announcement was a consequence of the fact that AUSTRAC had commenced proceedings.

767    Mr Ali said that this fact had implications for investors’ assessments of:

(a)    the likelihood of any penalty being imposed on the Bank;

(b)    the potential amount of the penalty;

(c)    the potential for greater regulatory scrutiny;

(d)    the potential for increased risk in their expectations of the Bank’s future cash flows; and

(e)    the potential implications for the Bank’s share price.

768    However, Mr Ali did not consider that the fact that AUSTRAC had commenced proceedings was “economically equivalent” to the pleaded forms of the Information because the fact that AUSTRAC had commenced proceedings was not an integer of that information.

769    The applicants place much reliance on Mr Ali’s statement that “the substantial majority of the market reaction” to the 3 August 2017 announcement was a consequence of the fact that AUSTRAC had commenced proceedings. In cross-examination, Mr Ali accepted that this meant that some part of the market reaction may have been for reasons other than the commencement of proceedings. In this connection, Mr Ali said:

I wouldn’t be in a position to say conclusively that all of the … market reaction was as a result of the commencement of [the] AUSTRAC proceedings, but I wouldn’t necessarily rule that out.

770    When pressed on what might have contributed to a “minority” of the market reaction, Mr Ali said:

There are a number of aspects of the announcements that occurred on that day, including, for example, the references to the money laundering, the references to – the references to drug importation and facilitation of drug manufacture and drug importation. Any of those factors could have had – could have caused some part of the market reaction. Other factors such as the relatively negative press commentary, the relatively negative analyst commentary associated with the announcement on that day could have had – could have exacerbated the market reaction.

771    The applicants submit that Mr Ali did not exclude the possibility that, on 3 and 4 August 2017, the market was reacting to the facts underlying the AUSTRAC proceeding, not just its commencement. The applicants submit:

Once it is accepted that some of the market reaction is caused by the subject matter of the proceedings – such as the Late TTR Information (or other information alleged by the applicants for that matter) – that information is plainly material information within the meaning of s 677.

772    The difficulty with this submission is the qualification on which it is based. The submission is question-begging: Was the Late TTR Information a cause of the market reaction following the 3 August 2017 announcement? Nowhere in his evidence did Mr Ali accept that the market reaction was because of the Late TTR Information, or because of the other Information alleged by the applicants. Indeed, Mr Ali’s evidence was to the opposite effect.

773    By stating that “the substantial majority of the market reaction” to the 3 August 2017 announcement was a consequence of the fact that AUSTRAC had commenced proceedings, I am satisfied that Mr Ali was doing no more than expressing caution, and signifying an unwillingness to speak in absolute terms. His oral evidence quoted above indicates those aspects of the 3 August 2017 announcement that he considered might also have had a role to play in the market reaction.

774    The applicants criticise other aspects of Mr Ali’s evidence. They take issue with Mr Ali’s statement that the September 2015 Late TTRs were substantially self-identified and self-reported to AUSTRAC (they argue that this only occurred because AUSTRAC had identified that TTRs had not been lodged in respect of two transactions). They criticise Mr Ali’s reliance on the scale of the September 2015 Late TTRs compared to the scale of the Bank’s overall monitoring operations; his reliance on the fact that these contraventions were caused by “an operational error” that was a “coding error”; and his reliance on the fact that the error was relatively swiftly remediated. The applicants related these criticisms to similar criticisms they made of Mr Singer’s evidence, which I address below.

775    The applicants also criticise Mr Ali’s observation that, given the time between the Bank reporting the late TTR issue to AUSTRAC, and AUSTRAC commencing proceedings against the Bank, investors “may perceive that AUSTRAC did not view this error to be a matter that required urgent action on its part”. They submit that this is “nonsensical” because, on their case, this non-compliance should have been disclosed significantly earlier than 3 August 2017 and that when the “error” was “made known to the market on 3 August 2017 it caused a significant price reduction in CBA’s shares, irrespective of the alleged delay in AUSTRAC initiating proceedings”. As to this submission, I simply note that, here, the applicants once again equate the September 2015 Late TTR Information with the 3 August 2017 announcement—an equivalence that Mr Ali did not accept.

776    Most importantly, the applicants criticise Mr Ali’s performance of a beta analysis and certain conclusions that Mr Ali drew with respect to two case studies involving Westpac and NAB. I deal with the beta analysis and the case studies in later paragraphs of these reasons.

Mr Singer

777    Mr Singer’s opinion was that the Late TTR Information, in and of itself, would not, or would not likely, influence persons who commonly invest in securities in deciding whether to acquire or dispose of CBA shares at any time during the relevant period. Mr Singer advanced a number of reasons for this opinion.

778    First, considered in its numerical context, and against the scale of the Bank’s operations and larger TTR process, Mr Singer said that the number and value of the Late TTRs were not quantitatively material because it would not have a numerical effect on the Bank’s financial forecast. In this regard, Mr Singer compared the number and value of the transactions in the Late TTR information with the overall number and value of the transactions processed by the Bank in each pleaded period.

779    In relation to the June 2014 Late TTR Information, Mr Singer noted that, on his calculation, the June 2014 Late TTRs were only 0.0002% of the total transactions processed by the Bank, and 1.08% of the total TTRs reported by the Bank, in the pleaded period. Further, the June 2014 Late TTRs were a “statistically infinitesimal percentage” of the value of all deposits processed by the Bank, and only 0.6% of the total value of the threshold transactions processed by the Bank, in the pleaded period.

780    In relation to the August 2015 Late TTR Information, Mr Singer noted that, on his calculation, the August 2015 Late TTRs were a “statistically infinitesimal percentage” of the total transactions processed by the Bank, and 2.25% of the total TTRs reported by the Bank, in the pleaded period. Further, the August 2015 Late TTRs were a “statistically infinitesimal percentage” of the value of all deposits processed by the Bank, and 2.4% of the total value of the threshold transactions processed by the Bank, in the pleaded period.

781    In relation to the September 2015 Late TTR Information, Mr Singer noted that, on his calculation, the September 2015 Late TTRs were a “statistically infinitesimal percentage” of the total transactions processed by the Bank, and only 2.3% of the total TTRs reported by the Bank, in the pleaded period. Further, the September 2015 Late TTRs were a “statistically infinitesimal percentage” of the value of all deposits processed by the Bank, and 1.3% of the total value of the threshold transactions processed by the Bank, in the pleaded period.

782    Secondly, Mr Singer said that it was not market practice for a company to make a disclosure of every operational issue that arose. Investors had no expectation that information like the Late TTR Information would be disclosed.

783    Thirdly, the late TTR issue arose from a single IT coding error.

784    Fourthly, the Late TTR Information did not have any value-related implications for the Bank apart from the imposition of a “fine”. In relation to that matter, investors would consider it unrealistic that a “fine” would be calculated by simply multiplying the number of contraventions (TTRs late lodged) by the statutory maximum amount per contravention.

785    Fifthly, the late TTR issue was fixed within a relatively short period of time of becoming known.

786    Sixthly, there was a range of options available to AUSTRAC on becoming aware of the late TTR issue, and investors would have known that fact. Further, given this “range of incomplete potential outcomes” there would be no reason for the Bank to disclose the Late TTR Information.

787    Mr Singer analysed the analyst reports discussed by Professor da Silva Rosa and Mr Johnston. These reports covered the period 3 August 2017 to 9 August 2017 (the latter date being the date when the Bank released its 2017 results). Mr Singer prepared a table summarising each report and the valuation recommendation it made. He then made these observations:

114.     Of the 11 broker notes set out in the table above, four were published post the 3 August 2017 AUSTRAC announcement, but before the 9 August 2017 release of CBAs FY17 results and none of the four made any change to their valuation, recommendations or price target. Most reference the Tabcorp settlement in March 2017 as a benchmark, Morgan Stanley also gives a potential fine range and Bell Potter makes the point that any potential penalty not as excessive as claimed in press.

115.     Of the other 7 broker notes that I have analysed in the table above that consider the 9 August 2017 release of results and also reference the AUSTRAC announcement on 3 August 2017 all brokers reference the risks associated with potential penalty as a result of the AUSTRAC proceedings[,] most have left valuations unchanged or increased slightly as a result of the FY17 result[,] and there is only one broker (Macquarie) who has reduced their price target from $81.50 to $80.50; a move of just over 1%, which in my experience would not be considered material.

116.     Given the table above, and the 11 broker reports that I have looked at in conjunction with the Johnston report I note that after the actual release of the AUSTRAC proceedings no broker makes a material change to any valuation therefore any earlier release by CBA would be unlikely to have a material valuation effect by brokers.

788    Mr Singer also considered the “economic equivalence” of the 3 August 2017 announcement and the pleaded forms of the Information that the applicants say the Bank should have disclosed. He proceeded on the basis that “economic equivalence” meant that information had “an equal and or relatively similar economic effect on the share price such that it would have the same or a similar influence on a person’s decision to acquire or dispose of CBA shares”.

789    From an investor’s perspective, Mr Singer considered the “key components” of the 3 August 2017 announcement to be that:

(a)    AUSTRAC had commenced proceedings against the Bank (the most serious of the options available to AUSTRAC);

(b)    AUSTRAC would be seeking penalties for a range of contraventions for an unspecified amount (creating uncertainty around the magnitude of the penalties given the pecuniary penalty awarded against Tabcorp was the only market benchmark); and that

(c)    AUSTRAC had made the statement that the Bank had become aware of suspected money laundering or structuring on its accounts but did not monitor its customer to mitigate and manage ML/TF risk (an aggressive statement by the regulator bearing upon the level of the penalties to be imposed).

790    Mr Singer remarked that these “key components” were not part of the pleaded information.

791    Furthermore, according to Mr Singer, the context, and the prevailing market conditions, in which the 3 August 2017 announcement was made, are important. Mr Singer pointed to four matters. First, the 3 August 2017 announcement was made by a regulator, not by the Bank itself or the Bank in conjunction with the regulator. Secondly, even though the 3 August 2017 announcement referred to discussions between the Bank and AUSTRAC, it appeared that AUSTRAC had not foreshadowed that it would commence proceedings against the Bank. According to Mr Singer, this may have signalled a breakdown in the relationship between the Bank and AUSTRAC. Thirdly, in the period leading up to 3 August 2017 there had been a lot of regulatory commentary on banks, including the possibility of a Royal Commission. This meant that, as at 3 August 2017, there was a higher degree of sensitivity by market participants to any regulatory announcement. Fourthly, investors would be aware that companies like the Bank have operational issues, and dealings with regulators on a day-to-day basis. These dealings generally occur without proceedings being commenced, or announcements made that penalties will be sought.

792    For these reasons, Mr Singer did not consider the 3 August 2017 announcement to be economically equivalent to the pleaded forms of the Information. Nor did Mr Singer consider there to be economic equivalence between the various pleaded forms of the Information because, at each pleaded point in time, the content of the information was different and the context in which the information would have been received was different.

793    Similarly to the submissions they advance in respect of Mr Ali’s evidence, the applicants place reliance on Mr Singer’s statement during the concurrent evidence session that “the most serious – the most significant elements of the [3 August 2017 announcement] that would or would likely influence an investor is the actual commencement of proceedings seeking unquantified penalties”. The applicants submit that, by this statement, “Mr Singer was … not of the view that the commencement of proceedings was the only thing that mattered to investors” and that he had “abandoned the more extreme position articulated in his report”.

794    I do not accept that, by referring to “the most serious – the most significant elements” of the 3 August 2017 announcement, Mr Singer was resiling from the view expressed in his report concerning the materiality of the pleaded forms of the Late TTR Information. Mr Singer was merely emphasising the importance, from an investor’s perspective, that AUSTRAC had commenced proceedings against the Bank for civil penalties. As Mr Singer pointed out, there were, from an investor’s perspective, other “key components of the 3 August 2017 announcement (see [789] above), including that the Bank had become aware of suspected money laundering and structuring and had failed to monitor this activity—which Mr Singer said was an “aggressive” statement by the regulator.

795    The applicants criticise other aspects of Mr Singer’s evidence.

796    First, they criticise Mr Singer’s reliance on the “statistically infinitesimal percentage” of the Late TTRs in terms of number and value, compared to total transactions (deposits) processed by the Bank and total TTRs reported by the Bank at the pleaded times.

797    The applicants submit that, by making these observations, Mr Singer seemingly ignored the fact that the Bank’s non-compliance “affected the whole IDM product channel, the scale of non-compliance with the AML/CTF [A]ct was unmatched in Australian history, and the statistical size of the non-compliance relative to CBA’s volume of transactions mattered little to the market when the 3 August 2017 announcements were made”.

798    I am not persuaded by that submission. I do not accept that Mr Singer ignored the extent to which the IDM product channel was affected. His evidence was directed to putting that particular matter into the broader context of the Bank’s operations. Further, Mr Singer directed his attention to what, in his opinion, “mattered” to the market when the 3 August 2017 announcement was made. He did not ignore that question.

799    Secondly, the applicants take issue with Mr Singer’s evidence that it was not market practice for a company to make a disclosure of every operational issue that arose. They submit that this would depend on the nature and extent of the operational issue. So much can be accepted. I do not understand Mr Singer to say otherwise. Mr Singer made this point in the context of explaining why, in his opinion, investors would not have expected the Late TTR Information to be disclosed. He gave several reasons for that opinion.

800    Thirdly, the applicants submit that Mr Singer’s evidence was “predicated on false assumptions”.

801    In this regard, they take issue with his statement that the late TTRs arose from a single IT coding error. They point to a “bow tie analysis” which appears to have been prepared by Bank employees in April 2016. This analysis identifies a number of broadly-stated deficiencies feeding into the problem that led to the introduction of transaction code 5000 and the failure to factor this code into the downstream process by which threshold transactions were identified for reporting.

802    The applicants also take issue with Mr Singer’s statement that the error was fixed within a relatively short period of time. They submit that this statement ignores the fact that “the error had subsisted for a lengthy period of time.

803    The applicants also dispute Mr Singer’s opinion that, apart from the potential imposition of a pecuniary penalty, the Late TTR Information did not have any value-related implications for the Bank.

804    None of these matters make good the proposition that Mr Singer’s evidence was “predicated on false assumptions”. It is accurate, and apt, to say that the late TTRs arose from a single IT coding error. This was the immediate cause of the late TTR issue. For the purposes of considering the question of materiality in respect of the applicants’ continuous disclosure case, it is not necessary to regress to the multiple possible underlying causes of how a single IT coding error came to be made. It is accurate to say that the error was fixed within a relatively short period of time. To recognise this fact is not to ignore the period of time from the making of the error to the point of its detection. The applicants’ submissions about the value-related implications of the Late TTR Information are no more than a disagreement with the opinion that Mr Singer expressed.

805    Fourthly, the applicants contend that Mr Singer’s evidence in cross-examination was “generally” consistent with their case.

806    In this connection, the applicants commence with the proposition that Mr Singer accepted that if the September 2015 Late TTR Information had come to him in an ASX release in September 2015, he would have considered whether it might affect the price or value of CBA shares. However, this, of itself, says nothing about the materiality of that information.

807    Next, the applicants refer to Mr Singer’s evidence that domestic regulators seek to change corporate behaviour through enforcement action, including by seeking a “fine” that is “appropriate to the size of the institution”. Mr Singer accepted that, in light of the September 2015 Late TTR Information, investors would “take a pretty rough approach” to try to work out the “range” of that “fine”. He accepted that the pecuniary penalty imposed in the Tabcorp proceeding would provide a benchmark for the “fine” that might be imposed on the Bank in respect of the contraventions referred to in the September 2015 Late TTR Information. Mr Singer also accepted that the Bank was a much larger institution than Tabcorp and that the September 2015 Late TTR Information identified a larger number of contraventions than the contraventions involved in the Tabcorp proceeding. He accepted that a “fine” imposed on the Bank could be “an order of magnitude larger”.

808    It is important to understand that, although allied to the September 2015 Late TTR Information, this evidence was given by Mr Singer in the context of a domestic regulator seeking a pecuniary penalty as part of enforcement action. In other words, his evidence was predicated on investor knowledge that a regulator had commenced proceedings for a pecuniary penalty.

809    Next, the applicants refer to Mr Singer’s evidence that, in the relevant period, CBA shares traded at a premium compared to the price of the shares of the Bank’s competitors, as reflected in the Bank’s price/earnings ratio. Mr Singer accepted that such a premium could be associated with “a very good brand or reputation” and “excellence in management”. He accepted that the Bank had “one of the most recognisable and trusted bank brand[s] in Australia at the time” and that its reputation was “a function of delivering both earnings and compliance”.

810    Based on this evidence, the applicants submit:

This reputation of delivering compliance, which underpinned CBA’s reputation and consequent high P/E ratio, is precisely what would have been shattered had the Late TTR Information (or Potential Penalty Information) been disclosed to the market. It is also precisely what occurred when the information was released on 3 August 2017.

811    As will be apparent, this submission equates the economic effect of the Late TTR Information with the economic effect of the 3 August 2017 announcement. However, Mr Singer’s evidence was that neither the pleaded forms of the Late TTR Information, nor any of the pleaded forms of the other Information (when taken alone, or combined), were economically equivalent to the information disclosed in the 3 August 2017 announcement. I do not consider that Mr Singer’s evidence in cross-examination qualified that opinion.

812    Finally, the applicants refer to Mr Singer’s evidence that investors understand that from time to time large financial institutions experience “regulatory issues” involving regulators “conducting investigations in relation to those issues on a regular basis”. They point to Mr Singer’s acceptance in cross-examination that the market may be “surprised by non-compliances which are of a large scale” and that the period of time over which non-compliance occurs, and “the type of regulation breached”, “may matter to investors”. They also point to Mr Singer’s acceptance that, in the period from 2014 through to 2017, investors in the market had an appreciation that “AML/CTF legislation” was of great importance and that non-compliance would have been regarded as “a very serious matter”. I note, however, Mr Singer’s acceptance of the last-mentioned matter was qualified by the following statement:

Correct, depending on the non-compliance and benchmarking, various other issues, or looking at the context of how they were fined or received.

Dr Unni

813    Dr Unni’s opinion was that the Late TTR Information was not material in any of its pleaded forms.

814    First, he did not consider that the academic literature or the analysts’ reports on which Professor da Silva Rosa relied provided support for Professor da Silva Rosa’s contrary opinion.

815    Dr Unni distinguished the academic literature on the basis that, predominantly, it deals with the impact of the announcement of the realisation of an actual operational loss rather than the announcement of the risk that an operational loss may occur, which Dr Unni considered to be a fundamentally different economic event. Dr Unni said that a financial economist evaluating the materiality of the pleaded information would need to quantify not only the likely magnitude of the operational loss but also the probability of that loss occurring, which had not been done here. Further, Dr Unni said that, even if the pleaded information consists of the disclosure of an operational loss, it cannot be assumed, based on the literature, that there would be a negative stock price reaction. According to Dr Unni, one would need to examine the specific details of the particular episode at issue and evaluate how it ranks (or compares) to the events that are statistically analysed in the research papers.

816    Dr Unni noted Professor da Silva Rosa’s reference to Ittonen, which reported that investors react positively to disclosures of internal control weaknesses when those disclosures are made by a firm without prompting from an independent third party, and negatively when those weaknesses are identified and disclosed by an auditor. Relating that observation to the present case, Dr Unni reasoned that, since a hypothetical disclosure of the pleaded forms of the Information at earlier points in time during the relevant period would have involved a voluntary disclosure by the Bank, the implication must be that such a disclosure would be received more benignly by market participants compared to disclosure by the regulator in the adversarial circumstances of litigation.

817    With respect to Barakat et al (on which Professor da Silva Rosa relied for, amongst other things, the proposition that investors penalise firms that are the subject of adverse media announcements about operational risks, but less so where there is uncertainty about the bad news), Dr Unni argued that a hypothetical voluntary disclosure of the pleaded forms of the Information would likely leave significant uncertainty about potential penalties that might follow from the disclosure, such that the negative impact would be less.

818    With respect to Gowin et al, Dr Unni said that the paper does not provide statistical evidence that an announced operational loss reduces the market value of a firm by a greater amount.

819    With respect to Sturm, Dr Unni argued that the paper does not provide any basis to conclude that the Bank would suffer reputational harm from disclosure of the Late TTR Information.

820    Dr Unni made various other observations and comments about the academic literature. It is not necessary for me to descend to the detail of those observations and comments (or Professor da Silva Rosa’s responses to any of Dr Unni’s observations and comments) for the purposes of these reasons. This is because there are other aspects of the evidence that I consider to be far more influential in considering the question of materiality.

821    As to the analysts’ reports, Dr Unni noted that Professor da Silva Rosa’s treatment of the reports was based on the proposition that each of the pleaded forms of the Information was economically equivalent to the 3 August 2017 announcement. Dr Unni disputed that proposition. He said that the 3 August 2017 announcement was not economically equivalent to the pleaded forms of the Information. Indeed, he expressed the opinion that the 3 August 2017 announcement differed in economically significant ways from the pleaded forms of the Information, at least in the following ways.

(a)    the 3 August 2017 announcement represented the realisation of the risk that AUSTRAC would seek a pecuniary penalty against the Bank;

(b)    the 3 August 2017 announcement signified the materialisation of litigation, which the research evidence indicates is associated with operational harm and a reduction in the value of a company;

(c)    the 3 August 2017 announcement revealed information in the context of regulatory litigation, as compared to news voluntarily disclosed by the Bank;

(d)    the 3 August 2017 announcement was accompanied by negative media publicity due to the adversarial nature of the proceeding which AUSTRAC had commenced;

(e)    the 3 August 2017 announcement involved the increased likelihood of the forced removal of its CEO, which the research evidence indicates is associated with a decline in the market value of a company; and

(f)    the circumstances of the 3 August 2017 announcement raised the prospect of a Royal Commission, with potentially broader ramifications for the business prospects of the Bank.

822    As to the last two matters, Dr Unni noted that no economic basis had been established in the present case to conclude that a voluntary disclosure by the Bank of the pleaded forms of the Information at earlier times would increase the likelihood of those events coming to fruition.

823    As Dr Unni put it:

Analysts were reacting to the entire set of information arising from the announcement of the AUSTRAC litigation, including not only the collective allegations made by AUSTRAC but also that these claims were made in the adversarial setting of litigation, with foreseeable consequences of top executive turnover and regulatory inquiries. As an economic matter, the market’s reaction to this collective set of information revealed in litigation launched by a regulator cannot be used to determine the likely reaction of market participants to any individual element of the Information claimed by Applicants.

824    Dr Unni said that the significance of any disclosure of an operational error must be evaluated against the overall scale of the economic activity against whose backdrop the errors occurred. Here, the Bank faced the technology risks associated with being a complex financial institution, and was required to process and monitor, in many cases on a daily basis, a large number of transactions, many of which are highly complex.

825    Dr Unni also remarked that the occurrence of an operational loss does not, by itself, imply the existence of a lack of internal control. This is because adequate internal controls do not make businesses error free. As a conceptual matter, errors can be reduced or minimised, but not eliminated.

826    The applicants criticise a number of aspects of Dr Unni’s evidence.

827    First, they submit that the distinction between the announcement of a risk that an operational loss might occur, and the announcement that such a risk has been realised, is artificial. They submit that reliance on such a distinction implies that the 3 August 2107 announcement and the Late TTR Information have “economically different value”. They argue, however, that Dr Unni did not state in his report that the TTR Information had no value to investors. The applicants also argue that this distinction is irrelevant to the question of materiality.

828    I do not accept that this distinction is artificial or irrelevant. Further, as I have noted, Dr Unni’s opinion was that the 3 August 2017 announcement was not economically equivalent to any of the pleaded forms of the Late TTR Information, or any of the pleaded forms of the other Information (when taken alone, or combined).

829    Secondly, the applicants submit that Dr Unni mischaracterised the bases on which Professor da Silva Rosa relied on the academic literature. This, it seems to me, is simply a matter of debate that does not feature significantly in my analysis of the question of materiality. As I have said, I do not propose to descend to the detail of Dr Unni’s observations and comments on the academic literature (or Professor da Silva Rosa’s responses to any of Dr Unni’s observations and comments) for the purposes of these reasons, beyond what I have already noted.

830    Thirdly, the applicants point to Dr Unni’s observation that a financial economist evaluating the materiality of the pleaded forms of the Information would need to quantify not only the likely magnitude of the operational loss, but also the probability of that loss occurring. The applicants submit that this observation is “largely irrelevant” because the question of materiality focuses on the perspective of the investor, not on the perspective of a financial economist. Whilst I accept that, for the purposes of assessing materiality, the focus is on persons who commonly invest in securities, I do not accept that the perspective of a financial economist cannot inform the question of materiality, particularly when materiality is considered on a quantitative basis.

831    Fourthly, the applicants criticise Dr Unni’s comment that Professor da Silva Rosa did not evaluate the significance of a disclosure about operational errors against the overall scale of the economic activity in which the errors occurred. This criticism is a repetition of the same criticism made with respect to Mr Ali’s and Mr Singer’s evidence which directed attention to the scale of the Bank’s monitoring of transactions.

832    Fifthly, the applicants submit that Dr Unni failed “to grapple in any meaningful way” with the “central findings” of the Lieser paper. I discuss this paper at [836] – [841] and [1019] – [1020] below.

833    Sixthly, the applicants criticise the way in which Dr Unni, in oral evidence, distinguished the 3 August 2017 announcement from the pleaded forms of the Information, particularly in relation to the disclosure in the 3 August 2017 announcement of the Bank’s non-compliance facilitating specific crimes. The applicants accept that Dr Unni was correct to point out this difference. They argue, however, that this difference is only relevant if “one were to accept the false proposition that investors are unsophisticated and incapable of assessing information and drawing information on their own”. In this regard, the applicants submit:

The notion that investors would not be able to discern that CBA may have facilitated financial crime due to its non-compliance, or would not have been able to identify the seriousness of CBA’s pro-longed and record-breaking AML/CTF non-compliance without AUSTRAC informing them, has no semblance of common sense or reality.

834    I do not accept these submissions. It is one thing to think, in some abstract and generalised way, that the Bank’s non-compliance with its AML/CTF obligations may have facilitated financial crime. It is an entirely different matter to be told the detail, extent, and consequences of that non-compliance, as revealed in the 3 August 2017 announcement, particularly with reference to the Concise Statement. The point made by Dr Unni has nothing to do with a “false proposition” that investors are unsophisticated or incapable of assessing information.

835    Seventhly, the applicants submit that, in cross-examination, Dr Unni did not rule out the possibility that investors may consider the Late TTR Information to be material. However, properly understood, Dr Unni’s evidence went no further than accepting that the pleaded forms of the Information (other than the Potential Penalty Information) relate to an existing state of affairs (Dr Unni described these as “materialisations of operational error in the technical observance of reporting rules”) with the risk of operational loss in the form of penalties and other economic costs.

Other evidence

The Lieser paper

836    The Lieser paper (Securities class action litigation, defendant stock price revaluation, and industry spillover effects, Patrick Lieser and Sascha Kolaric (2016)) was introduced into evidence through Dr Unni but relied on by the applicants to support their case on materiality. It concerns a study that:

examines shareholder wealth effects of shareholder-initiated class action lawsuits for sued firms and their closest industry rivals. Based on the process of shareholder-initiated class action lawsuits, three critical events are identified that are expected to have a significant impact on stock prices. First, the revelation date of a potential misconduct: This date provides shareholders with a basis for potential claims against the firm, as it becomes clear that the firm did not act in accordance to the law. Second, the actual filing of a class action lawsuit. This filing should resolve any residual uncertainty that may still remain following the revelation, as it is not clear on the revelation date whether a lawsuit will actually be filed. Third, the date of the conclusion of the lawsuit, either by dismissal or settlement. On this day, any remaining uncertainty with regard to the litigation outcome should be resolved and therefore again impact the share price of the defendant firm.

837    With regard to the first two events, the authors made the following findings:

We find that shareholders are able to anticipate these critical events during a securities class action process and adjust their price expectation of the defendant firms’ shares accordingly. We conduct multiple event studies for sued firms and their closest rivals. In line with expectations, we find that the revelation of potential misconduct and the following filing event of shareholder class action lawsuits lead to consistently negative shareholder wealth effects. With an average of -20.06% abnormal return during the three days surrounding the revelation date of potential misconduct, losses are much larger in magnitude than the -3.25% during the three days surrounding the filing date. Both these results are highly significant and economically relevant. In addition, this (sic) results also shows that only investigating the filing day of a lawsuit potentially underestimates the actual losses in shareholder wealth. …

838    The authors concluded that the event study results for the conclusion of class action lawsuits were “less clear”. They found that the defendant firms “experience a slight positive price reaction during the three day period surrounding the conclusion day, primarily driven by lawsuits that are dismissed”.

839    The authors also made this observation:

… Furthermore, the results of the event studies also indicate that shareholders are capable of anticipating the outcome of securities class action lawsuits, showing a consistent pattern of larger negative returns for securities associated with lawsuits that will eventually be settled rather than dismissed. The pattern of a decreasing magnitude of abnormal returns with the progression of the lawsuit in time implies that shareholders efficiently incorporate the relevant information that becomes available at earlier stages, with subsequent events resolving residual uncertainty.

840    The applicants submit that there is no material difference between the cases analysed in the Lieser paper and the circumstances that ought to have prevailed in the present case:

Both sets of circumstances involve the fact of a company’s non-compliance with law becoming known to the market as a distinct and separate event to the commencement of the proceedings for non-compliance. Further, there is no material difference between a prosecution for that non-compliance by a regulator in a penalty proceeding and prosecution for that non-compliance by a representative plaintiff in a class action. The circumstances of the research are directly analogous, and the closest match of all the papers considered by the experts in this proceeding.

841    The applicants submit further that the results of the Lieser paper are “compelling, and entirely consistent with the views expressed by Mr Johnston and Professor da Silva Rossa [sic]…”.

Case studies

842    The Bank called in aid two case studies concerning disclosures made by, firstly, Westpac and, secondly, NAB, about their non-compliance with the AML/CTF Act. Both case studies relate to events after the relevant period, at a time when (in the Bank’s submission) “the market would have been sensitised to any AUSTRAC related announcement”.

843    The relevance of these disclosures to the Bank’s defence is that (in the Bank’s submission) the market “did not react in a meaningful way” to these disclosures. The Bank submits that this is “particularly striking” because:

… the presence of any reaction would be expected to have been heightened given that by the time each of Westpac and NAB made their disclosures, the market had already observed a marked difference in the approach of AUSTRAC from that which existed at the time the Applicants allege CBA should have made its disclosures. Moreover, and importantly, it was only once each of Westpac and NAB disclosed information that conveyed to the market that AUSTRAC would commence proceedings that their respective share prices reacted in a meaningful way.

844    It should be noted that the NAB disclosure on which the Bank relies is one which it contends would have been interpreted by the market as conveying a “high degree of certainty that AUSTRAC would commence proceedings”, even though the disclosure included a conditional statement that, at that time, AUSTRAC was not considering civil penalty proceedings to address its concerns.

The Westpac case study

845    On 20 November 2019, AUSTRAC published the following media release:

AUSTRAC, Australia’s anti money-laundering and terrorism financing regulator, has today applied to the Federal Court of Australia for civil penalty orders against Westpac Banking Corporation (Westpac).

The civil penalty orders relate to systemic non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). AUSTRAC alleges Westpac contravened the AML/CTF Act on over 23 million occasions.

AUSTRAC Chief Executive Officer, Nicole Rose, says that AUSTRAC’s decision to commence civil penalty proceedings was made following a detailed investigation into Westpac’s non- compliance.

It is alleged that Westpac’s oversight of the banking and designated services provided through its correspondent banking relationships was deficient. Westpac’s oversight of its AML/CTF Program, intended to identify, mitigate and manage the money laundering and terrorism financing risks of its designated services, was also deficient. These failures in oversight resulted in serious and systemic non-compliance with the AML/CTF Act.

Westpac failed to:

1.    appropriately assess and monitor the ongoing money laundering and terrorism financing risks associated with the movement of money into and out of Australia through correspondent banking relationships. Westpac has allowed correspondent banks to access its banking environment and the Australian Payments System without conducting appropriate due diligence on those correspondent banks and without appropriate risk assessments and controls on the products and channels offered as part of that relationship.

2.    report over 19.5 million International Funds Transfer Instructions (IFTIs) to AUSTRAC over nearly five years for transfers both into and out of Australia. The late incoming IFTIs received from four correspondent banks alone represent over 72% of all incoming IFTIs received by Westpac in the period November 2013 to September 2018 and amounts to over $11 billion dollars. IFTIs are a key source of information from the financial services sector that provides vital information into AUSTRAC’s financial intelligence to protect Australia’s financial system and the community from harm.

3.    pass on information about the source of funds to other banks in the transfer chain. This conduct deprived the other banks of information they needed to understand the source of funds to manage their own AML/CTF risks.

4.    keep records relating to the origin of some of these international funds transfers.

5.    carry out appropriate customer due diligence on transactions to the Philippines and South East Asia that have known financial indicators relating to potential child exploitation risks. Westpac failed to introduce appropriate detection scenarios to detect known child exploitation typologies, consistent with AUSTRAC guidance and their own risk assessments.

“These AML/CTF laws are in place to protect Australia’s financial system, businesses and the community from criminal exploitation. Serious and systemic non-compliance leaves our financial system open to being exploited by criminals,” Ms Rose said.

“The failure to pass on information about IFTIs to AUSTRAC undermines the integrity of Australia’s financial system and hinders AUSTRAC’s ability to track down the origins of financial transactions, when required to support police investigations.”

AUSTRAC’s approach to regulation is based on building resilience in the financial system and on educating the financial services sector to ensure they understand, and are able to comply with, their compliance and reporting obligations. Businesses are the first line of defence in protecting the financial system from abuse.

“We have been, and will continue to work with Westpac during these proceedings to strengthen their AML/CTF processes and frameworks,” Ms Rose said.

“Westpac disclosed issues with its IFTI reporting, has cooperated with AUSTRAC’s investigation and has commenced the process of uplifting its AML/CTF controls.”

Westpac is a member of the Fintel Alliance. The Fintel Alliance is a private-public partnership established by AUSTRAC to tackle serious financial crime, including money laundering and terrorism financing.

846    The announcement included links to the originating application, statement of claim, and a concise statement.

847    However, prior to that announcement, Westpac made the following disclosure on 5 November 2018 in its Group Annual Report for 2018 (under the heading “Anti-money laundering and counter-terrorism financing reforms and initiatives”):

The Group has recently self-reported to AUSTRAC a failure to report a large number of International Funds Transfer Instructions (IFTIs) (as required under Australia’s AML/CTF Act) in relation to one WIB product. These IFTIs relate to batch instructions received from 2009 until recently from a small number of correspondent banks for payments made predominantly to beneficiaries in Australia in Australian dollars. Through the product, Westpac facilitates payments on behalf of clients of certain of its correspondent banks. The majority of the payments are low value and made by Government pension funds and corporates. The Group is investigating and working with AUSTRAC to remediate the failure to report IFTIs. Further details regarding the consequences of the failure to comply with financial crime obligations are set out in the Risk Factors section of this report.

848    In an earnings call with analysts on the same day, Westpac’s then Managing Director and CEO, Mr Hartzer, reported:

So the AML issue that we talked about is not a suspicious matter reporting issue, like one of our colleague banks dealt with. It relates to something called an FTE [quaere, IFTI] which is an inward transaction in Australian dollars to an Australian payee that we process on behalf of correspondent banks. And were required to disclose those payments to AUSTRAC. We found in going through our checks that there were a couple of banks for whom those files for some reason werent passed. The composition of those files is pretty low value payments. They relate to things like pensions from foreign governments that are being paid to Australian residents. So were still working through that with AUSTRAC, but thats what it is.

849    On 6 May 2019, when publishing its interim results for the first half of the 2019 financial year, Westpac reiterated its earlier disclosure and made a statement that it was working with AUSTRAC to remediate its system.

850    On 4 November 2019, Westpac again referred to its non-compliance in its Group Annual Report for 2019, stating:

Any enforcement action against Westpac may include civil penalty proceedings and result in the payment of a significant financial penalty, which Westpac is currently unable to reliably estimate. Previous enforcement action by AUSTRAC against other institutions has resulted in a range of outcomes depending on the nature and severity of the relevant conduct and its consequences.

851    Dr Unni conducted event studies in respect of these voluntary disclosures and found that there was no evidence that they constituted material information for market participants. Dr Unni noted that Westpac’s share price declined at closing on 6 May 2019 and November 2019 (but not on 5 November 2018) but that these abnormal and negative returns were based on Westpac’s weak performance (6 May 2019) and its poor results and outlook (November 2019). But when AUSTRAC made its announcement on 20 November 2019 that it had commenced proceedings, Westpac’s share price declined to $25.67 (from a closing price of $26.55 on 19 November 2019), then to $25.16 (on 21 November 2019) to $24.77 (on 22 November 2019) and to $24.44 (25 November 2019)—a total decline of $2.11 (8%). Dr Unni concluded that this announcement “evoked a significant and negative market reaction”.

852    The Bank submits that this evidence is important for two reasons. First, the Bank submits that it falsifies the case theory that the mere fact that there have been contraventions of the AML/CTF Act is material because, when Westpac made such disclosures, “there was no reaction to that matter”.

853    Secondly, the Bank submits that the negative effect on Westpac’s share price upon AUSTRAC’s announcement that it had commenced proceedings for a pecuniary penalty demonstrates that it is the actual commencement of proceedings that the market considers to be material. This, the Bank submits, contradicts Mr Johnston’s evidence that investors would assume that the disclosure of AML/CTF contraventions meant that proceedings would be commenced. As the Bank puts it:

Were Mr Johnston’s evidence to be correct, then Westpac’s share price would not have reacted on the commencement of proceedings against Westpac by AUSTRAC as that matter would already have been assumed by reason of the previous announcement of AML/CTF related contraventions.

854    Mr Ali also analysed the decline in Westpac’s share price following the commencement of proceedings by AUSTRAC. He said that this decline was notable notwithstanding the fact that Westpac had previously provided disclosure of its AML/CTF issues and of its self-reporting to AUSTRAC on several occasions. Mr Ali said:

It is readily observable that the Westpac share price decline could not have been due to new revelations regarding Westpac’s AML/CTF issues because those issues had already been disclosed by Westpac. Accordingly, in my opinion, the Westpac share price decline was substantially the result of the market reaction to the fact that AUSTRAC had commenced proceedings, which is consistent with my opinion regarding the CBA share price decline.

855    For their part, the applicants submit that AUSTRAC’s announcement on 20 November 2019 concerned substantially similar events to those covered by the media release it made on 3 August 2017 in relation to the Bank, in that both announcements concerned serious and systemic contraventions of the AML/CTF Act involving, primarily, large-scale non-reporting. The applicants submit that the “overwhelming inferences” the Court should draw are that, on 6 May 2019 and 5 November 2019, the market reacted to partial information about the potential enforcement action and penalties to which Westpac was exposed, and that the market’s reaction on 20 November 2019 was driven, at least in part, by learning of the number of contraventions involved (approximately, 23 million), which was an indicator of Westpac’s “serious, systemic and large scale AML/CTF compliance problems”.

The NAB case study

856    On 7 June 2021, NAB made the following announcement:

National Australia Bank Limited (NAB) has been informed by AUSTRAC it has identified serious concerns with NAB’s compliance with the Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) Act 2006 and the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007.

AUSTRAC advised NAB in a letter dated 4 June, 2021, (attached) that it is AUSTRAC’s view that there is “potential serious and ongoing non-compliance” with customer identification procedures, ongoing customer due diligence and compliance with Part A of NAB’s AML/CTF Program.

These concerns have been referred to AUSTRAC’s enforcement team, which has initiated a formal enforcement investigation.

In the letter to NAB, AUSTRAC stated that it has not made any decision about whether or not enforcement action would be taken. AUSTRAC stated that, at this stage, it is not considering civil penalty proceedings and that this decision is “reflective of the work undertaken” by NAB to date.

AUSTRAC’s referral to its enforcement team follows regular engagement by NAB with AUSTRAC over a long period of time, both to report issues and keep AUSTRAC informed of progress in uplifting and strengthening the Group’s AML/CTF Program.

NAB has disclosed the existence of AML/CTF compliance issues in various public disclosures since 2017, including most recently in NAB’s 2021 Half Year Financial Report

AUSTRAC has a wide range of enforcement options available to it, including civil penalty orders, enforceable undertakings, infringement notices and remedial directions.

NAB CEO Ross McEwan said NAB would continue to cooperate with AUSTRAC in its investigations.

“NAB takes its financial crime obligations seriously. We are very aware that we need to further improve our performance in relation to these matters. We have been working to improve and clearly have more to do,” Mr McEwan said.

“NAB has an important role in monitoring and reporting suspicious activity and keeping Australia’s financial system, our bank and our customers safe.

“It is a key priority for everyone at NAB to uplift our financial crime capabilities, minimise risk to customers and the bank, and improve operational performance. That’s why we are so focused on getting the basics right every time to protect our customers and our bank.”

Since June 2017, NAB has invested about $800 million as part of a multi-year program to uplift its financial crime and fraud controls and has more than 1,200 people dedicated to managing financial crime risks.

857    The announcement was accompanied by a copy of AUSTRAC’s letter to NAB. In that letter, AUSTRAC stated that, although it was not considering civil penalty proceedings at that stage, “this position may be subject to change and you [NAB] will be notified if that occurs”.

858    Prior to this announcement, since 2017, NAB had disclosed that it had identified various types of AML/CTF compliance issues.

859    On 2 November 2017 NAB made the following disclosure when providing its 2017 Full Year Results:

Where significant AML/CTF compliance issues are identified, they are notified to AUSTRAC or equivalent foreign regulators, and those regulators are typically consulted and updated about progress in investigating and remediating the relevant issues. The Group is currently investigating and remediating a number of identified issues, including certain weaknesses with the implementation of ‘Know Your Customer’ requirements and systems and process issues that impacted transaction monitoring and reporting for some specific areas.

860    On 3 May 2018, when providing its 2018 Half Year Results, NAB disclosed continuing compliance issues with its KYC requirements:

Investigation and remediation activities [of AML/CTF compliance issues] are currently occurring in relation to a number of identified issues, including certain weaknesses with the implementation of ‘Know Your Customer’ requirements and systems and process issues that impacted transaction monitoring and reporting for some specific areas.

It is possible that, as the work progresses, further issues may be identified and additional strengthening may be required. The outcomes of the investigation and remediation process for specific issues identified to date, and for any issues identified in the future, are uncertain.

861    On 1 November 2018, when providing its 2018 Full Year Results, NAB disclosed:

Investigation and remediation activities are currently occurring in relation to a number of identified issues, including certain weaknesses with the implementation of ‘Know Your Customer’ requirements, as well as systems and process issues that impacted transaction monitoring and reporting in some specific areas. NAB continues to keep AUSTRAC (and where applicable, relevant foreign regulators) informed of its progress in resolving these issues, and will continue to cooperate with, and respond to queries from, such regulators.

862    On 2 May 2019, when providing its 2019 Half Year Results, NAB reiterated its non-compliance problems:

Investigation and remediation activities are currently occurring in relation to a number of identified issues, including certain weaknesses with the implementation of ‘Know Your Customer’ requirements, other financial crime risks, as well as systems and process issues that impacted transaction monitoring and reporting in some specific areas.

863    On 7 November 2019, in an earnings call, NAB disclosed that it had reported further breaches to AUSTRAC:

So we observed 2 years ago off the back of the initial CBA issues, that we had reported a number of breaches to AUSTRAC. I think we have subsequently reported some further breaches. We have been working with AUSTRAC on those. And we’ve been very cooperative with AUSTRAC in making sure that not only do we meet the letter of the law but we meet the spirit of the law by alerting them to a range of issues even we’re (sic) not strictly required.

864    On 27 April 2020, in an earnings call, NAB disclosed:

We’ve been quite clear for the last 18 to 24 months that we are in conversation with AUSTRAC about our remediation of anti-money laundering. There’s no change to that. There hasn’t been any change to that wording for the last 18 months. We just want to be clear about that. We are not aware of anything that will come out of the blue in the nest week or 2. But that’s not in my hands. It’s purely in AUSTRAC’s hands. We’re not aware of anything of that nature. But we haven’t changed our wording and our risk factors, so no change whatsoever.

865    On 5 November 2020, when providing its 2020 Full Year Results, NAB disclosed:

The Group has reported compliance breaches to relevant regulators, including over the last financial year, and has responded to a number of requests from regulators requiring the production of documents and information. Identified issues include certain weaknesses with the Group’s implementation of ‘Know Your Customer’ (KYC) requirements, other financial crime risks, as well as systems and process issues that impacted transaction monitoring and reporting in some specific areas. In particular, the Group has identified issues with collection and verification of identity information and enhanced customer due diligence for non-individual customers. This is the subject of a dedicated remediation program that is underway.

866    On 6 May 2021, when providing its 2021 Half Year Results, NAB disclosed:

Identified issues include certain weaknesses with the Group’s implementation of ‘Know Your Customer’ (KYC) requirements, other financial crimes risks, as well as systems and process issues that impacted transaction monitoring and reporting in some specific areas. In particular, the Group has identified issues with collection and verification of identity information and enhanced customer due diligence for non-individual customers. This is the subject of a dedicated remediation program that is underway.

867    Dr Unni conducted event studies in respect of the voluntary disclosures. In respect of the disclosures in the period 2 November 2017 to 6 May 2021, he found that NAB’s share price declined at close of trading on 2 November 2017, 3 May 2018, 2 May 2019, 27 April 2020, and 6 May 2021, and increased at close of trading on 1 November 2018, 7 November 2019, and 5 November 2020. He reviewed the commentaries of analysts on each date and noted that, in the main, the analysts discussed NAB’s earning results and its higher cost guidance. Importantly, not one analyst commented on the first disclosure on 2 November 2017, nor on the subsequent disclosures made on 3 May 2018, 1 November 2018, 2 May 2019 and 5 November 2020. There was, however, limited mention of NAB’s AUSTRAC “news” (J.P Morgan on 7 November 2019, Morgan Stanley on 27 April 2020, and Morgan Stanley and Morningstar on 6 May 2021, with Morningstar estimating a penalty of $700 million). Dr Unni’s opinion was that, despite the share price movements on these days, the voluntary disclosures about “AML violations” were not material to market participants.

868    With respect to the disclosure on 7 June 2021, Dr Unni noted that NAB’s share price declined. When analysing NAB’s announcement, three analysts commented on the size of penalties paid by the Bank and Westpac for non-compliance, with Credit Suisse suggesting that, although AUSTRAC had stated that it was “not considering civil penalties at this stage”, “the market will mostly dismiss this statement”. I note that an article published in The Sydney Morning Herald on 7 June 2021 referred to “the financial intelligence regulator” having “ramped up” an investigation into NAB amid fresh revelations that its AML department was “struggling to cope with a blow-out in processing times for suspicious transactions and a year-long backlog for reviewing high-risk customers”, despite the fact that the article noted that AUSTRAC had not decided whether enforcement action will be taken against NAB. This article also revealed opinions expressed by former employees of NAB about the backlogs, and the reasons for the backlogs, the bank was experiencing. The article referred to “multiple sources” claiming that NAB had “hired under-qualified people to fill the gaps, creating further problems”.

869    Dr Unni opined that the market reaction on 7 June 2021 was likely due to three matters: (a) NAB’s announcement occurred after the Bank and Westpac had faced litigation in which sizeable penalties had been awarded (and which saw the ouster of their CEOs); (b) the market’s assessment of AUSTRAC’s resolve to pursue AML/CTF violations was likely magnified by AUSTRAC’s announcement that it had simultaneously brought action against three other companies; and (c) allegations had been made by former NAB employees regarding significant underlying problems within NAB’s AML compliance department.

870    Mr Ali also analysed the decline in NAB’s share price following its announcement on 7 June 2021. He observed that this decline occurred notwithstanding that NAB had provided disclosure of its AML/CTF issues on numerous occasions, including in its financial results for the 2017, 2018, 2019 and 2020 years. He said:

214.     It can be readily observed that the NAB share price decline could not have been due to new revelations regarding NAB’s AML/CTF issues because those issues had already been disclosed by NAB.

215.     I believe investors would have had regard for the fact that:

a)    AUSTRAC had already commenced proceedings against CBA in August 2017;

b)    AUSTRAC had already commenced proceedings against Westpac in November 2019; and

c)    it was relatively unusual for a financial institution such as NAB to publicly release a copy of correspondence from a regulator relating to an enforcement investigation,

and, in my opinion, many investors would have likely perceived this disclosure by NAB as conveying a high degree of certainty that commencement of proceedings by AUSTRAC was likely, notwithstanding the fact that the correspondence from AUSTRAC stated that “at this stage, AUSTRAC is not considering civil penalty proceedings…”.

216.    Accordingly, in my opinion, the NAB share price decline was substantially a result of the market reaction to what was perceived by investors to be disclosure by NAB conveying a high degree of certainty that commencement of proceedings by AUSTRAC was likely.

217.    This view is consistent with that of market analysts as indicated by a Reuters article which noted that, “Credit Suisse analysts told clients in a note that the market was likely to "dismiss" the regulator's statement that it was not considering financial penalties”.

    (Footnotes omitted.)

871    The Bank submits that NAB’s announcement on 7 June 2021 was “very much akin to an announcement of AUSTRAC commencing proceedings”, particularly given the conditional manner in which AUSTRAC had expressed its then view about whether civil penalty proceedings would be commenced, and the scepticism expressed by Credit Suisse (referred to above).

872    The applicants submit that the share price reaction on 7 June 2021 was entirely consistent with NAB’s announcement marking the first occasion that the public became aware that NAB’s non-compliance with the AML/CTF Act was serious and ongoing. In this connection, the applicants submit that NAB’s earlier disclosures never rose above general statements that it was investigating and remediating a number of identified issues, and that NAB had reported AML/CTF compliance breaches to AUSTRAC and other regulators.

873    The applicants contrast NAB’s earlier disclosures with the disclosure made on 7 June 2021, which revealed that NAB did not just have weaknesses but “‘potential serious and ongoing non-compliance’ with its customer identification procedures, ongoing customer due diligence and compliance with Part A of its joint AML/CTF Program” which had taken place over a prolonged period. The applicants also refer to AUSTRAC’s identification (in the letter accompanying NAB’s disclosure) that NAB’s “closure rates” of compliance issues were “concerning”. The applicants submit that this information is “arguably analogous to the nature of the information the subject of this proceeding”. They point to the evidence given by Mr Johnston in cross-examination:

Market response was because this indicated another bank with AML/CTF problems. The brand damage didn’t depend on penalties being issued. Even if AUSTRAC had never taken civil enforcement action or even if AUSTRAC were not to take civil enforcement action, investors basically marked down the price by several billion dollars because they were worried about the brand and other damage flowing to NAB, costs of remedial action, the costs of being involved in the AUSTRAC enforcement process, that they were material worries to investors absent the existence of a civil penalty.

Media and analysts’ reports

874    The applicants seek to support their case on the materiality of the Late TTR Information by reference to media and analyst’s reports given on 3 August 2017 (or shortly thereafter), even though those reports were prompted by AUSTRAC’s announcement of the commencement of proceedings against the Bank for a civil penalty based on a range of contraventions of the AML/CTF Act.

875    In closing submissions, the applicants referred to two articles in particular which reported on the late TTR issue. The first article was in The Australian published online on 3 August 2017. While the article referred to “53,506 instances of deposits of more than $10,000 through CBA’s ‘intelligent’ deposit machines that were either not reported or were slow to be reported” which “accounted for 95 per cent of all notifiable transactions between 2012 … and September 2015”, and provided other information on this issue, the article, in fact, referred to “a host of failings” in respect of other AML/CTF compliance issues.

876    What is more, the article made a number of other serious claims and accusations. For example:

(a)    The Bank was accused of “ignoring warnings”.

(b)    The Bank’s breaches of financial reporting rules resulted in “the financing of drug manufacturing and importation, money laundering and terrorism as well as hindering authorities’ efforts to gather evidence and intelligence”.

(c)    AUSTRAC’s commencement of proceedings against the Bank was “the latest of scandals to engulf Australia’s biggest bank” and that the Bank had been “the centre of a number of customer failings in recent years, paying out tens of millions of dollars in compensation for issues ranging from poor financial advice and the denial of claims in its life insurance division”.

(d)    Even after “law enforcement agencies” brought suspicious matters to the Bank’s attention, it “did not perform mandatory checks to establish the source of a customer’s wealth or terminate the account until after multiple issues were raised by police”.

(e)    When the Bank did shut down accounts, it “gave 30 days’ notice to the account user and allowed suspicious transactions in the account to continue during that period”.

(f)    In some cases, the Bank “ignored tip-offs from Federal Police about accounts being used for illegal activity”.

(g)    The Bank failed to review “alerts” in a timely manner with regard to ML/TF risks, until “often months later”.

877    The second article was in the Chanticleer business column published in the Australian Financial Review on 4 August 2017. While this article also referred to the late TTR issue, it did so in conjunction with a number of other matters, including comment. For example:

(a)    When “problematic issues” were identified by regulators or the media, “Narev and his leadership team have been slow to respond”.

(b)    Major issues that followed “this pattern” included “the financial planning scandal” and the “CommInsure scandal”.

(c)    CommSec (the Bank’s online broking platform, which was also Australia’s largest online broking platform) was a “serial offender” with “a culture of non-compliance going back almost eight years”.

(d)    There were “six separate prongs” to AUSTRAC’s allegations, “the worst of which is the claim that even after it became aware of suspected money laundering or structuring on CBA accounts it did not monitor its customers to mitigate and manage the risks of money laundering and terrorism financing”.

878    I pause here to note that, in closing submissions, the applicants referred to articles that mentioned the IDM ML/TF risk assessment non-compliance issue, and the account monitoring failure issue, or which reflected on the size of the potential penalty that might be imposed on the Bank. Similar comments can be made with respect to these references, as made above.

879    The applicants draw attention to an analyst report by Goldman Sachs (3 August 2017) commenting on the fact that AUSTRAC had commenced civil proceedings against the Bank. The report referred to AUSTRAC alleging “over 53,700 contraventions of the Act, particularly relating to the use of” IDMs. Goldman Sachs said that it “[did] not take a view on the outcome” but noted, amongst other things, that Tabcorp had paid a civil penalty of $45 million in respect of 108 contraventions of the Act and that the maximum civil penalty for each contravention of the AML/CTF Act was $21 million. The report noted that the Bank’s capital generation was “strong” but said:

… any material fines that could potentially result from these proceedings might require CBA’s capital strategy to extend beyond just non-discounted DRPs.

880    As to valuation, the report said:

CBA currently trades at a 16% premium to its peers. If CBA were to move to its 5 year peer relative valuation low due to a potential hit to its reputation, the implied downside to the stock price would be 9%.

881    Importantly, however, when discussing implications, the report said:

At this early stage, we make no changes to our earnings estimates or target price, and maintain our Neutral rating.

882    The applicants also draw attention to an analyst report from Morgan Stanley (4 August 2017). This report also refers to the late TTR issue, but in conjunction with all the allegations of contravention made by AUSTRAC, as well the allegations that:

(a)    Even after the Bank became aware of suspected money laundering or structuring, “it did not monitor its customers to mitigate and manage ML/TF risk, including the ongoing ML/TF risks of doing business with those customers”.

(b)    In its Concise Statement, AUSTRAC had provided “details in relation to four money laundering syndicates and one ‘cuckoo smurfing’ syndicate.

(c)    The Bank’s conduct had “exposed the Australian community to serious and ongoing financial crime”.

883    The report noted the potential civil penalty that could be imposed on the Bank by reference to the civil penalty imposed on Tabcorp. It observed, however, that “it should not be assumed that the method for determining any penalty will be similar”.

884    As to implications, the report said:

In addition to penalties, we see six other potential implications for CBA: (1) brand damage; (2) material costs for process and system remediation; (3) management changes; (4) changes to CBA’s sales and growth strategies arising from broader concerns about conduct; (5) greater oversight from APRA; (6) higher probability of a Royal Commission into the banking sector, or other inquiries into conduct and pricing.

885    The applicants referred to other analyst reports commenting on AUSTRAC’s commencement of proceedings against the Bank. It is not necessary for me to summarise the detail of the reports in these reasons.

886    The applicants submit that commentary from media and analysts showed that they were concerned by the Bank’s “serious and longstanding non-compliance with the AML/CTF Act”. I note, however, that, of the 11 analyst reports published in the period immediately after 3 August 2017, only one analyst (Macquarie) decreased its share price target for CBA shares. Even then, the decrease was only $1.00 ($81.50 to $80.50). All other analysts either increased or maintained their price targets for CBA shares.

887    Professor da Silva Rosa gave evidence that analysts are often very reluctant to change their price targets and that this is “one of the least accurate things about analysts’ reports”. Even if this be so, these were the rational views of informed market participants. I do not accept that their views can be dismissed in the way that Professor da Silva Rosa sought to dismiss them. It is notable that the conduct disclosed by AUSTRAC in the 3 August 2017 announcement—which, on any view, was far more egregious than the Late TTR Information (or any of the other pleaded forms of the Information)did not move analysts, in the main, to revise their estimates of the Bank’s share value.

888    The Bank submits that the analyst reports represent an “unvarnished view” of the effect that analysts expected the 3 August 2017 announcement to have on the Bank’s share price. The Bank submits that this is an indication that the “less significant” information that the applicants allege the Bank should have disclosed to the market, was not material.

The beta analysis

889    It will be recalled that Professor da Silva Rosa was of the opinion that investors would consider, or would be likely to consider, the Late TTR Information to be value-relevant, such as to lead them to infer that the Bank had been substantially and systematically deficient in its compliance with the requirements of the AML/CTF Act. According to Professor da Silva Rosa, this would then lead investors to (amongst other things) upwardly revise their estimates of the Bank’s operational risk with economically significant adverse consequences. Based on his view of investor decision-making, Professor da Silva Rosa opined that, if expected cash flows and risk aversion remained unchanged, an increase (decrease) in investor perception of risk would cause security prices to decrease (increase).

890    To test this proposition, Mr Ali undertook an empirical analysis of the “riskiness of CBA’s share price” as measured by its historical “beta” (the beta analysis). The “beta” of a share is the measure of its price volatility relative to the market’s volatility.

891    Mr Ali analysed the historical price volatility of CBA shares (and of ANZ, NAB, and Westpac shares) relative to the volatility of all shares comprising the All Ordinaries Index, for the 24 month periods immediately preceding and immediately following the 3 August 2017 announcement. This analysis showed that the market perception of the “riskiness” of CBA shares did not increase following the 3 August 2017 announcement. Rather, it decreased.

892    Specifically, Mr Ali observed that the Bank’s historical beta for the 24 month period immediately following the 3 August 2017 announcement was 9.9% lower than the Bank’s historical beta for the 24 month period immediately preceding the announcement. This reduction was broadly in line with the reduction in the corresponding 24 month historical betas for ANZ and Westpac. The reduction in NAB’s corresponding 24 month historical beta was greater, as shown in the following chart:

893    For completeness, Mr Ali also measured the historical betas for 12 month, 6 month, and 3 month periods immediately preceding and following the 3 August 2017 announcement, and observed similar results.

894    Mr Ali then analysed the rolling 24 month historical beta of CBA shares and the peer major banks over time. (This is the daily observable historical market beta of the share, calculated each day based on the preceding 24 month historical prices for the share, and market index data). As this is a rolling series, the addition of each new data point sees the oldest historical data point correspondingly removed from the calculation.

895    Care must be taken in interpreting rolling historical beta in the present case because the rolling historical beta for CBA shares in the months immediately following the 3 August 2017 announcement will include data from the months preceding 3 August 2017, in which there was relatively higher share price volatility.

896    Mr Ali analysed the rolling historical beta for CBA shares against both the All Ordinaries and ASX200 indices and noted that there was no observable increase in the rolling 24 month historical beta around the time of the 3 August 2017 announcement. He said that this was consistent with his earlier analysis that the “riskiness of CBA shares” actually fell in the period immediately following the 3 August 2017 announcement:

897    The Bank submits that Mr Ali’s beta analysis demonstrates, empirically, that the theory on which Professor da Silva Rosa’s opinion was expressed on the value-relevance of the Late TTR Information is incorrect. The evidence does not show that, when informed of the matters in the 3 August 2017 announcement, investors upwardly revised their estimates of the Bank’s operational risk with economically significant adverse consequences.

898    I note, in this regard, that Mr Ali’s beta analysis is relevant not only to my consideration of the materiality of the Late TTR Information but of each of the other pleaded forms of the Information.

899    I should record that Professor Easton criticised Mr Ali’s analysis on the basis that Mr Ali had used historical beta, not expected future beta. This criticism was based on academic literature which cautions that, in valuing a company, the objective is not to precisely measure historical beta but to estimate future beta.

900    I accept the Bank’s submission that this criticism is misdirected. Mr Ali was not seeking to value CBA shares. Rather, he was seeking to ascertain the market’s historical perception of risk attaching to CBA shares around the pivot of the 3 August 2017 announcement. I am satisfied that his use of historical beta was suitable for that purpose.

Materiality: The account monitoring failure information and the IDM ML/TF Risk Assessment Non-Compliance Information

The applicants’ submissions

901    In closing submissions, the applicants made clear that they do not advance the materiality of the Account Monitoring Failure Information and the IDM ML/TF Risk Assessment Non-Compliance Information in isolation from the Late TTR Information. Their justification for closing their case in this way was that these pleaded forms of the Information “would have been liable to be disclosed at the same time”. This assumption is questionable given that the applicants have pleaded that different forms of the various categories of the Information should have been disclosed at different times. Nevertheless, this is the way the applicants chose to put their final case on materiality. Indeed, in their submissions on causation and loss, the applicants went so far as to say that “there was no world” in which the Account Monitoring Failure Information and the IDM ML/TF Risk Assessment Non-Compliance Information “would be disclosed individually”.

902    Having chosen this course, the applicants still referred briefly to Professor da Silva Rosa’s evidence and Mr Johnston’s evidence on these topics.

Professor da Silva Rosa

903    I have already referred to the fact that Professor da Silva Rosa considered that “each species of information was economically equivalent to each other species of information”. This was because each of the pleaded forms of the Information would lead investors to infer that the Bank had been substantially and systematically deficient in its compliance with its requirements under the AML/CTF Act. This would then lead investors to:

(a)    lower their assessment of the Bank’s competence in complying with the requirements of the AML/CTF Act;

(b)    upwardly revise their estimates of the Bank’s operational risk of presently being non-compliant in a substantial way with the AML/CTF Act and consequently risking economically significant adverse consequences; and

(c)    increase their estimation of the Bank’s reputational risk.

Mr Johnston

904    As to the Account Monitoring Failure Information, Mr Johnston said that it was not possible to determine whether the information would be quantitatively material to investors. However, he said that the Account Monitoring Failure Information would be qualitatively material because:

(a)    the failure to monitor the accounts was a failing in the Australian banking system (the integrity and credibility of the Australian financial system relied on preventing ML/TF, which required the four major banks to have compliant and appropriate risk-based systems and controls in place);

(b)    the failure would materially damage the Bank’s market standing (its contraventions related to an area of concern to the Government and of relevance to the national interest);

(c)    the failure of the Bank to comply with its own AML/CTF Program would add to “the sense of material failings under AML/CTF”;

(d)    the Bank had seemingly allowed inappropriate monitoring to continue even after it was aware, or ought reasonably to have been aware, of its monitoring failures and the underlying cause;

(e)    the Bank’s contraventions continued over the pleaded periods of time;

(f)    the Bank was likely to be exposed to material remediation and ongoing systems costs as well as penalties; and

(g)    the cost of doing business for the Bank and other banks was likely to increase materially (and revenues might decline) due to the risk of increased regulatory and government intervention.

905