GoComply Sentinel · Historical Back-Test

We back-tested CBA's 2018 AUSTRAC failure.
Here's what our methodology would have caught.

Five specific signals were present in CBA's own data between October 2012 and August 2015. None were detected. AUSTRAC found the bug, not CBA. The result: a A$700M federal court penalty — at the time, the largest corporate civil penalty in Australian history. Every fact on this page traces to the Statement of Agreed Facts and Admissions filed in Chief Executive Officer of AUSTRAC v Commonwealth Bank of Australia Limited (NSD1305/2017) or the APRA Prudential Inquiry Final Report (30 April 2018).

Scope: retrospective analysis of one public, court-filed case. Nothing on this page claims live monitoring of CBA or any other institution. The diagnostic engagement (below) runs the same methodology against your systems, not CBA's.

Civil Penalty: A$700M (2018-06-20 · Yates J)
+ APRA Capital Add-On: A$1B (imposed 1 May 2018)
Day-1 Market Cap Loss: A$5.6B (4 Aug 2017)
Late TTRs: 53,506 (34 months silently missed)
Accounts Unmonitored: 778,370 (NULL field, 36 months)
SMR Failures: 149 (8 syndicates + 1 remittance dealer)

Sentinel Back-Test

The five signals that would have fired

Each signal below was present in CBA's own data at the time. Each maps to a specific SAFA-documented failure. Each is defined by a rule that, applied to the public ledger in the back-test, would have fired on the date shown.

SIGNAL 1 / 5

Codebook-Drift Detection

CRITICAL

A new transaction code (5000) appeared in CBA's general ledger that was not enumerated in the TTR pipeline's allowlist. The Codebook-Drift signal fires when a new enum value appears in a regulated data dictionary and downstream compliance pipelines have not been updated to handle it. Against CBA's historical ledger, this signal would have fired on 5 Nov 2012 — the day code 5000 entered the GL.

Would Fire

2012-11-05

Days Missed

1054 days (2y 324d)

Evidence In CBA Data

transaction_code 5000 in GL not in TTR_ALLOWED_CODES enum (5022, 4013)

Expected Response

Block deployment OR raise P0 alert within 24 hours of new code appearing

SIGNAL 2 / 5

Coverage-Ratio Anomaly

CRITICAL

The ratio of (IDM cash deposits ≥ A$10k) / (TTRs filed for IDM channel) collapsed from ~1.0 (full coverage) to ~0.05 (5% coverage) on 5 November 2012 and stayed there for 34 months. The Coverage-Ratio signal is defined as (obligations_generated / obligations_filed) per regulated channel, evaluated against a rolling baseline. It fires on any > 50% drop. Against CBA's historical data, this signal would have fired on 6 Nov 2012.

Would Fire

2012-11-06

Days Missed

1053 days (2y 323d)

Evidence In CBA Data

Daily ratio: IDM_cash_deposits_over_10k / TTRs_filed_IDM_channel

Expected Response

P0 alert within 24 hours; investigation within 72 hours
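
The Coverage-Ratio rule above as an added example (not Sentinel's own code), run over constructed daily counts. It takes coverage as TTRs filed over reportable deposits, the orientation in which full coverage is ~1.0. The 7-day window and next-day evaluation are assumptions.

```python
from datetime import date, timedelta

BASELINE_DAYS = 7      # assumed window; the page says only "rolling baseline"
DROP_THRESHOLD = 0.5   # fire on a > 50% drop, as stated on the page

def build_sample():
    """Constructed daily counts for the IDM channel: (day, reportable_deposits, ttrs_filed)."""
    rows, day = [], date(2012, 10, 22)
    while day <= date(2012, 11, 9):
        deposits = 40
        # Constructed: from 5 Nov 2012 only 5% of reportable deposits produce a TTR.
        filed = deposits if day < date(2012, 11, 5) else 2
        rows.append((day, deposits, filed))
        day += timedelta(days=1)
    return rows

def coverage_alerts(rows, window=BASELINE_DAYS, drop=DROP_THRESHOLD):
    """Return [(evaluation_date, coverage, baseline)] for every day breaching the rule."""
    alerts, history = [], []
    for day, generated, filed in rows:
        if generated == 0:
            continue  # no obligations that day: ratio undefined, baseline unchanged
        coverage = filed / generated
        if len(history) >= window:
            baseline = sum(history[-window:]) / window
            if baseline > 0 and coverage < baseline * (1 - drop):
                # Assumption: a day's ratio is evaluated by the next day's batch run.
                alerts.append((day + timedelta(days=1), coverage, baseline))
                # Breaching days are kept out of the baseline; otherwise a
                # sustained outage becomes the new normal and the alert clears itself.
                continue
        history.append(coverage)
    return alerts

if __name__ == "__main__":
    for when, cov, base in coverage_alerts(build_sample()):
        print(when, f"coverage={cov:.2f}", f"baseline={base:.2f}")
```

Excluding breaching days from the baseline is the design choice that matters for a long outage: with a naive rolling mean, the alert would stop firing once the window filled with degraded days.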

SIGNAL 3 / 5

NULL-Rate Data-Quality Metric

CRITICAL

The share of FCP accounts with account_type_description = NULL spiked on 20 October 2012 from a data merge. The NULL-Rate signal is defined as the percentage of NULL values on fields designated critical for compliance monitoring. It fires on any step-change > 5% against the prior 30-day baseline. Against CBA's historical data, this signal would have fired on 21 Oct 2012.

Would Fire

2012-10-21

Days Missed

1078 days (2y 348d)

Evidence In CBA Data

FCP.accounts WHERE account_type_description IS NULL

Expected Response

P0 alert within 24 hours of step-change

SIGNAL 4 / 5

Alert-Rate Drift By Segment

CRITICAL

The 778,370 affected accounts produced a flat-line alert rate while the rest of the book tracked the historical baseline. The Alert-Rate Drift signal is defined as per-cohort alert rate normalised against peer cohorts. It fires on statistical divergence > 2 standard deviations sustained over 14 days. Against CBA's historical data, this signal would have fired on 15 Nov 2012.

Would Fire

2012-11-15

Days Missed

1062 days (2y 332d)

Evidence In CBA Data

Alert rate per account_segment over time, comparing affected vs unaffected populations

Expected Response

P1 alert within 7 days; root cause analysis within 30 days
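
The Alert-Rate Drift rule above as an added example (not Sentinel's own code): a cohort's daily alert rate is scored against its peer cohorts and the rule fires after 14 consecutive days beyond 2 standard deviations. Cohort names and rates are constructed.

```python
from statistics import mean, stdev

SIGMA = 2.0          # divergence threshold stated on the page
SUSTAIN_DAYS = 14    # sustained-for window stated on the page

def build_sample(days=30, outage_from=10):
    """Constructed daily alert rates (alerts per 10,000 accounts) for four cohorts."""
    base = {"A": 20, "B": 21, "C": 22, "affected": 21}
    # Small deterministic wobble so rates vary by day.
    series = {c: [b + (d % 3) for d in range(days)] for c, b in base.items()}
    for d in range(outage_from, days):
        series["affected"][d] = 0   # flat-line: rules stopped evaluating this cohort
    return series

def drift_day(series, cohort, sigma=SIGMA, sustain=SUSTAIN_DAYS):
    """Return the first day index on which `cohort` has diverged from its peers
    by more than `sigma` standard deviations for `sustain` consecutive days,
    or None if that never happens."""
    peers = [c for c in series if c != cohort]
    run = 0
    for d in range(len(series[cohort])):
        peer_rates = [series[p][d] for p in peers]
        mu, sd = mean(peer_rates), stdev(peer_rates)
        z = (series[cohort][d] - mu) / sd if sd > 0 else 0.0
        run = run + 1 if abs(z) > sigma else 0   # any in-band day resets the run
        if run >= sustain:
            return d
    return None

if __name__ == "__main__":
    s = build_sample()
    print("affected fires on day index:", drift_day(s, "affected"))
    print("peer cohort B fires on day index:", drift_day(s, "B"))
```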

SIGNAL 5 / 5

SOP-to-Regulation Drift

HIGH

CBA's internal '3-month SMR policy' SOP text diverged from the plain reading of section 41(2)(a) of the AML/CTF Act. The SOP-to-Regulation Drift signal uses LLM-based semantic comparison between internal SOPs and authoritative regulatory text, flagging divergence for legal review. Against CBA's SOP corpus, this signal would have fired the moment the 3-month policy was first codified.

Would Fire

When 3-month policy was first published

Days Missed

Evidence In CBA Data

Internal SOP document text vs s 41(2)(a) AML/CTF Act 2006

Expected Response

Legal review within 14 days; policy correction within 30 days

Root Cause

One transaction code. 34 months of silent failure.

Not malice. Not a sophisticated attack. A configuration gap that any codebook-drift monitor would have caught on day one.

Transaction code 5000 allowlist gap

SAFA paragraph 44 · category: configuration_drift

In June 2012, a Netbank display error appeared for IDM cash deposits. To fix it, transaction code 5000 was introduced in November 2012. However, the TTR generation pipeline was never updated to include code 5000 in its allowlist (it only checked codes 5022 and 4013). For 34 months, every IDM cash deposit tagged with code 5000 silently failed to generate a TTR.

Discovered by: AUSTRAC (not CBA) — AUSTRAC asked CBA about two missing TTRs referenced in an SMR filed 7 Aug 2015
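
The allowlist gap described here, and the Codebook-Drift rule from Signal 1, as an added example (not CBA's or Sentinel's code). The ledger rows and function names are constructed; the codes 5022, 4013 and 5000 and the A$10k threshold are from the page.

```python
from datetime import date

TTR_ALLOWED_CODES = {5022, 4013}   # the codes the page says the pipeline checked
THRESHOLD_AUD = 10_000

# Constructed ledger rows: (posting_date, channel, transaction_code, cash_amount_aud)
LEDGER = [
    (date(2012, 11, 2), "IDM", 5022, 12_000),
    (date(2012, 11, 5), "IDM", 5000, 15_000),
    (date(2012, 11, 5), "IDM", 5000, 4_000),
    (date(2012, 11, 6), "IDM", 5000, 10_000),
    (date(2012, 11, 6), "IDM", 4013, 11_500),
]

def generate_ttrs_silent(ledger):
    """Failure mode on the page: rows with a non-allowlisted code are dropped with no signal."""
    return [r for r in ledger if r[2] in TTR_ALLOWED_CODES and r[3] >= THRESHOLD_AUD]

def codebook_drift(ledger, allowed=TTR_ALLOWED_CODES):
    """Return {code: first_seen_date} for ledger codes absent from the allowlist."""
    first_seen = {}
    for posted, _channel, code, _amount in sorted(ledger):
        if code not in allowed and code not in first_seen:
            first_seen[code] = posted
    return first_seen

def missed_reportable(ledger):
    """Threshold cash rows that the silent pipeline never turns into a TTR."""
    filed = generate_ttrs_silent(ledger)
    return [r for r in ledger if r[3] >= THRESHOLD_AUD and r not in filed]

def generate_ttrs_fail_closed(ledger):
    """Hardened form: refuse to run while any unenumerated code is present."""
    drift = codebook_drift(ledger)
    if drift:
        raise RuntimeError(f"unenumerated transaction codes, first seen: {drift}")
    return generate_ttrs_silent(ledger)

if __name__ == "__main__":
    print("drift:", codebook_drift(LEDGER))
    print("reportable rows with no TTR:", len(missed_reportable(LEDGER)))
```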

778,370 accounts with NULL account_type_description

SAFA paragraph 51-53 · category: data_quality_silent_failure

On 20 October 2012, a data merge between two systems left the 'account_type_description' field NULL for 778,370 accounts. CBA's Financial Crime Platform (FCP) used rules-based monitoring keyed off this field. With NULL values, every rule that depended on the field silently did nothing — leaving 778,370 accounts unmonitored for nearly 3 years.
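
The silent no-op described here, and the NULL-Rate rule from Signal 3, as an added example (not CBA's FCP or Sentinel's code). The rule table, thresholds and accounts are constructed, and the "> 5%" step is read as percentage points against a baseline rate supplied by the caller.

```python
# Constructed rule table keyed off account_type_description, as the page describes for FCP.
RULES = {
    "PERSONAL": lambda acct: acct["cash_in_7d"] > 50_000,    # hypothetical threshold
    "BUSINESS": lambda acct: acct["cash_in_7d"] > 200_000,   # hypothetical threshold
}

ACCOUNTS = [  # constructed sample
    {"id": 1, "account_type_description": "PERSONAL", "cash_in_7d": 60_000},
    {"id": 2, "account_type_description": "BUSINESS", "cash_in_7d": 10_000},
    {"id": 3, "account_type_description": None, "cash_in_7d": 90_000},
    {"id": 4, "account_type_description": None, "cash_in_7d": 500},
]

def monitor_silent(accounts):
    """Keyed lookup with no default: NULL accounts match no rule and raise nothing."""
    alerts = []
    for a in accounts:
        rule = RULES.get(a["account_type_description"])
        if rule and rule(a):
            alerts.append(a["id"])
    return alerts

def monitor_with_coverage(accounts):
    """Same rules, but also return the accounts that no rule evaluated."""
    alerts, unevaluated = [], []
    for a in accounts:
        rule = RULES.get(a["account_type_description"])
        if rule is None:
            unevaluated.append(a["id"])
        elif rule(a):
            alerts.append(a["id"])
    return alerts, unevaluated

def null_rate_step(accounts, baseline_rate, field="account_type_description", step=0.05):
    """Return (current NULL rate, fired) where fired means a rise of more than `step`."""
    rate = sum(a[field] is None for a in accounts) / len(accounts)
    return rate, (rate - baseline_rate) > step

if __name__ == "__main__":
    print("silent alerts:", monitor_silent(ACCOUNTS))
    print("alerts, unevaluated:", monitor_with_coverage(ACCOUNTS))
    print("null rate, fired:", null_rate_step(ACCOUNTS, baseline_rate=0.0))
```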

The 3-month SMR suppression policy

SAFA paragraph 55(a) · category: policy_drift_from_regulation

CBA had a deliberate (but legally incorrect) policy that suppressed Suspicious Matter Reports if a similar SMR had been filed for the same account within the prior 3 months. Section 41(2)(a) of the AML/CTF Act requires an SMR on EACH occasion. This caused 40 of the 149 SMR contraventions (22 never filed, 18 filed late).

Timeline

From bug introduction to A$700M penalty

The contraventions began 5 November 2012. AUSTRAC found the missing reports on 11 August 2015. The Federal Court ordered the penalty on 20 June 2018. Five years and seven months end-to-end.

2012-05

IDMs go live with 5 machines. First month deposits A$868,825. No IDM-specific risk assessment performed. (SAFA 26-29)

2012-06

Netbank display error identified for IDM cash deposits (SAFA 44)

2012-10-20

🔴 Data merge leaves account_type_description NULL for 778,370 accounts. TM gap begins. (SAFA 51-52)

2012-11-05

🔴 Transaction code 5000 introduced for Netbank fix. TTR pipeline NOT updated. Late-TTR period begins. (SAFA 44)

2014-03

CBA itself files SMRs identifying IDM money laundering. No control change. (SAFA 30, 63(d))

2014-06-16

CBA identifies the FCP NULL-field bug internally (SAFA 52, 76)

2014-09-19

FCP code fix deployed (no new affected accounts) (SAFA 52, 76)

2015-07

CBA has evidence criminal syndicates laundering 'several millions' through IDMs. Still no controls. (SAFA 31-32, 63(d))

2015-08-07

CBA files an SMR referencing two threshold transactions (SAFA 45)

2015-08-11

🟢 AUSTRAC contacts CBA about two missing TTRs. Discovery moment. (SAFA 45)

2015-08-24

First 2 late TTRs filed (SAFA 47)

2015-09-08

CBA discloses the full TTR backlog to AUSTRAC (SAFA 70(b))

2015-09-24

Remaining 53,504 late TTRs filed (total: 53,506) (SAFA 47)

2015-10-12

All 778,370 affected accounts restored to monitoring (SAFA 52-53)

2015-12-18

AUSTRAC issues confidential Methodologies Brief warning. CBA does not act. (SAFA 33-34)

2017-08-03

🔴 AUSTRAC files civil penalty proceedings (NSD1305/2017) (SAFA 2)

2017-08-04

🔴 CBA share price down 4.2%. ~A$5.6B wiped from market cap. (Livewire)

2017-08-08

🔴 Board cancels Narev's A$1.43M cash bonus and zeroes group exec STVR. Director fees cut 20%. (Bloomberg, SAFA 101)

2017-08-14

🔴 Catherine Livingstone announces Narev will 'retire' by end FY2018 (InDaily)

2017-08-28

APRA announces Prudential Inquiry into CBA (APRA)

2017-11-21

First daily IDM limit imposed: A$20,000/day, personal accounts only, CBA cards only (SAFA 36, 116(b))

2018-04-09

Matt Comyn replaces Narev as CEO (SBS, CBA)

2018-04-12

A$10,000/day account-based limit fully rolled out (SAFA 37, 116(d))

2018-04-30

🔴 APRA Prudential Inquiry Final Report. A$1B capital add-on. Enforceable Undertaking. (APRA)

2018-06-04

Settlement announced: A$700M penalty + A$2.5M legal costs (CBA newsroom)

2018-06-20

🔴 Federal Court (Yates J) orders A$700M civil penalty. Largest corporate civil penalty in Australian history at the time. ([2018] FCA 930)

2020-11

APRA reduces capital add-on by A$500M (APRA)

2022-09

APRA removes remaining A$500M capital add-on. EU obligations met. (APRA)

2024-05-10

Federal Court dismisses Zonia Holdings shareholder class actions ([2024] FCA 477)

APRA Prudential Inquiry · 30 April 2018

"Continued financial success dulled the senses of the institution."

Panel: Dr John Laker AO (former APRA Chair) · Professor Graeme Samuel AC (former ACCC Chair) · Jillian Broadbent AO. These are the cultural traits the panel identified as the root cause of non-financial risk failure at CBA.

"CBA's continued financial success dulled the senses of the institution."

— APRA Prudential Inquiry Final Report, Executive Summary, p. 3

Complacency

"A widespread sense of complacency has run through CBA, from the top down. CBA was desensitised to failings with customers."

Reactivity / Chronic Ease

"Complacency and reactivity led to a sense of 'chronic ease' in CBA, rather than the 'chronic unease' that has proven effective in driving safety cultures in other industries."

Insularity

"CBA became insular. It did not reflect on and learn from experiences and mistakes. CBA turned a tin ear to external voices and community expectations."

Collegial / Good intent excuses poor outcomes

"Good intent has been too readily used to excuse poor risk outcomes."

Now what?

Run Sentinel against your AI systems.

The Sentinel Assurance Diagnostic is a bounded 14-day engagement: signal-level back-test of your current AI governance posture, CPS 230 material-service-provider gap list for your AI vendor stack, and Privacy Act APP 1.7 readiness review. Board-pack-ready artefacts. Fixed fee.

Fact-Check Notes

Every number on this page is defensible.

We've flagged the easy traps where secondary reporting gets it wrong. Use this section to verify our claims against the primary sources.

53,506 vs 53,750

53,506 is the count of s 43(2) TTR contraventions specifically. The total contraventions including s 82(1)/41(2)(a)/36(1) is 53,749 specific + 1 continuing = 53,750. Use 53,506 for the TTR headline.

A$624.7M vs 'A$625M criminal proceeds'

A$624.7M is the VALUE of missed TTRs (cash deposits that should have been reported), NOT the laundered proceeds. Only A$17.5M is linked to AFP investigations. Actual laundered proceeds are 'several million'. Do not conflate.

Largest civil penalty

A$700M was the largest as of June 2018. Westpac's 2020 AUSTRAC settlement at A$1.3B is now the largest. Always cite the date qualifier.

8 syndicates

SAFA para 82(c) says '8 money laundering syndicates and 1 suspected unregistered remittance dealer'. 7 are clearly identifiable in our data; cite as '8 syndicates plus 1 remittance dealer'.

Number of IDMs

5 at launch (May 2012), 1,118 at time of SAFA (June 2018). Do not say 'thousands of IDMs' — that's wrong.