Commonwealth Bank of Australia Tries to Explain Coding Errors Found After 4 Years

A coding error in new intelligent deposit machines failed to report 53,506 suspicious transactions

[Photo: a man exiting a building bearing a Commonwealth Bank of Australia sign in Sydney, New South Wales, Australia. Photo: iStockphoto]

The Commonwealth Bank of Australia, the country’s largest bank, finally got around to explaining last week why two software coding errors first disclosed in 2016 lay hidden for more than four years. The errors allowed the approval of personal overdrafts for 9,577 of its customers that should have been declined, while also approving another 1,152 customers for higher overdraft limits than they qualified for. Many of the customers were in financial distress, and the erroneous approvals allowed them to dig themselves into even deeper financial trouble. The interest rate the bank charged customers on an overdraft was a hefty 16.6 percent.

The coding errors were introduced in July 2011, when the bank rolled out an automated decision tool to process customer overdraft applications, but the problems weren’t discovered until September 2015. During the calculations that decided whether a customer could actually afford an overdraft, one software error in the decision tool’s algorithm failed to count a customer’s rental expenses, while another error read from the wrong data field when determining a customer’s overall household expenditures. The result was that a customer’s true expenses were likely underestimated or under-assessed. The Australian Securities and Investments Commission (ASIC) fined the bank AU $180,000 for the coding errors, on top of the AU $2.5 million the bank had to write off in customer loan balances.

How was the error discovered?

Essentially, it was by luck. At ongoing hearings, senior bank executive Clive van Horen explained that the error had escaped numerous internal bank controls that should have caught it. The error was finally uncovered after troubling questions were raised over the bank’s overdraft application process by the Consumer Action Legal Centre and ASIC, and a new manager decided to take a deep dive into it. That’s when the coding error was revealed; the bank then took another 17 days to fix it.

These overdraft-related software errors, however, were small potatoes when compared to one that was also discovered in September 2015.

The bank disclosed in August of last year that another “coding error” unintentionally allowed 53,506 suspicious transactions, totaling some AU $77 million and made at its new intelligent deposit machines between late 2012 and September 2015, to go unreported as required under the anti-money laundering and counter-terrorism financing (AML/CTF) laws. The machines are ATMs with the added capability of automatically counting up to AU $20,000 in cash deposits per transaction. This feature allows the deposited cash to be credited to a customer's account immediately. The funds in the account can then be electronically transferred to accounts in Australia or overseas. The bank set no limit on the number of cash transactions that could be executed per account per day.

Much of the AU $77 million deposited but not reported is suspected by the authorities to have gone to criminal gangs or possibly terrorist organizations. Again, internal controls that should have caught the suspicious transactions failed to do so, largely because the bank never assessed, before the machines were introduced in May 2012, how criminals or terrorists could exploit their additional features for money laundering or terrorism financing. As a result of that failure, the machines were covered by the existing AML/CTF internal control policies used for ATMs, which were later found to be woefully deficient.

Compounding the internal control weaknesses was an error in a software update in late 2012 that caused the machines to not report any transaction amounting to AU $10,000 or more, as required by law. Both issues didn’t fully come to light until Australian law enforcement arrested a number of individuals for using the bank’s new machines for money laundering in 2015, thereby forcing the bank to review in detail how the machines were being (mis)used by its customers.
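An independent reconciliation control of the kind that would have surfaced the deposit-machine reporting defect, written here as an added example and not the bank's code: it compares deposit records against the threshold reports actually filed and flags every AU $10,000-or-more deposit that lacks one. The record layout, field names and sample deposits are constructed, and the per-account daily aggregation goes beyond the article's single-transaction rule.

```python
# Added example (not the bank's code): reconcile deposit-machine records against
# the threshold reports actually filed, so a reporting defect like the one
# described surfaces as a gap in the first batch. Layout and sample data are constructed.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

THRESHOLD = Decimal("10000")  # AU$10,000-or-more reporting rule from the article

@dataclass(frozen=True)
class Deposit:
    txn_id: str
    account: str
    date: str      # ISO calendar date of the deposit
    amount: Decimal

def find_unreported(deposits, filed_txn_ids):
    """Deposits at or above THRESHOLD for which no report was filed."""
    return [d for d in deposits
            if d.amount >= THRESHOLD and d.txn_id not in filed_txn_ids]

def daily_totals_over_threshold(deposits):
    """(account, date) whose sub-threshold deposits alone sum to THRESHOLD or more:
    with no per-account daily cap, a per-transaction rule alone cannot see this."""
    totals = defaultdict(Decimal)
    for d in deposits:
        if d.amount < THRESHOLD:
            totals[(d.account, d.date)] += d.amount
    return {k: v for k, v in totals.items() if v >= THRESHOLD}

def reconcile(deposits, filed_txn_ids):
    """Summary a compliance team can review after every reporting run."""
    unreported = find_unreported(deposits, filed_txn_ids)
    return {
        "threshold_deposits": sum(1 for d in deposits if d.amount >= THRESHOLD),
        "reports_filed": len(filed_txn_ids),
        "unreported_ids": [d.txn_id for d in unreported],
        "unreported_total": sum((d.amount for d in unreported), Decimal("0")),
        "aggregated_over_threshold": daily_totals_over_threshold(deposits),
    }

# Constructed sample: five deposits, only one of which was reported.
DEPOSITS = [
    Deposit("t1", "acct-A", "2013-03-01", Decimal("9990.00")),   # below threshold
    Deposit("t2", "acct-A", "2013-03-01", Decimal("10000.00")),  # exactly at threshold
    Deposit("t3", "acct-B", "2013-03-02", Decimal("15000.00")),
    Deposit("t4", "acct-C", "2013-03-02", Decimal("6000.00")),
    Deposit("t5", "acct-C", "2013-03-02", Decimal("5000.00")),
]
FILED_REPORTS = {"t3"}
```

Running `reconcile(DEPOSITS, FILED_REPORTS)` flags `t2` (exactly at the threshold, never reported) and the two sub-threshold deposits to `acct-C` that together exceed it on the same day.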

The bank expects Australian financial regulators to impose at least AU $375 million in fines for the violations, although it could be fined much more, as each late-report violation can in itself incur a hefty fine of AU $18 million. The bank, however, argues [pdf] that it should be fined for only one of the 53,506 failures to report, since a single software error was responsible for all of them. I don’t think that logic will fly with the regulators, but give credit to the bank for its sheer chutzpah in making the argument in the first place in light of obviously inadequate IT governance.

The Commonwealth Bank of Australia isn’t the only Australian bank with long-term hidden software errors. Last December, Westpac revealed that it had a 23-year glitch that miscalculated home loan payments for more than 9,400 of its customers. From 1992 until late 2016, an error in Westpac’s systems “meant that these interest-only home loans were not automatically switched to principal and interest repayments at the end of the contracted interest-only period,” ASIC stated in its accounting of the error. This meant that those Westpac customers affected by the error did not start paying on their loan principal at the time agreed, had less time to pay off their principal, and paid more interest to Westpac than they owed. The bank has had to refund its customers AU $11 million as a result.

Information technology systems at Australian banks have been a mess for years, despite billions of dollars in investment. The Royal Banking Commission, which is looking into a wide range of irresponsible and poor Australian banking practices, will no doubt be digging even deeper into the state of the banks’ IT systems, since they have been enablers of these practices. No one should be surprised if more IT-related problems are uncovered.

About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.