🎂 Turned 31 this year? Get health insurance before your price rises.
Get cover

To blockchain: $700m CBA fine is just a normal part of AML/KYC today

Andrew Munro 5 June 2018 NEWS

The largest civil penalty in Australian corporate history is just another day at the office.

On 4 June, AUSTRAC (Australian Transaction Reports and Analysis Centre) and Commonwealth Bank (CBA) agreed on the largest civil penalty in Australian corporate history, landing the bank with a $700 million penalty, plus $2.5 million of spare change to cover AUSTRAC legal expenses.

The previous record was held by Tabcorp, which paid $45 million for breaches of AML/KYC (anti money-laundering/know your customer) laws.

In taking the agreement, CBA accepted the following:

  • It failed to punctually report 53,506 transactions of $10,000 or more through its "intelligence deposit machines." (IDMs).
  • It failed to appropriately carry out risk assessments of its IDMs, and mitigate IDM money laundering and terrorism financing risks.
  • It did not adequately monitor transactions on 778,370 accounts over a three-year period.
  • It did not report suspicious matters on time, or at all, involving transactions in the tens of millions of dollars.
  • It did not take action even after becoming aware of suspected money laundering or structuring by CBA account-holders.


The cost of compliance

CBA investors rejoiced as the penalty landed, and CBA share prices quickly bounced up following the news, adding $1.6 billion to CBA's market cap. The settlement removed one source of uncertainty from the market, plus CBA also managed to haggle the penalty to a quite reasonable price.

Either way, it had all been budgeted for and the fine was only 0.6% of CBA's market cap.

"In that context, the fine is well and truly in the price," said Regal Funds Management portfolio manager Omkar Joshi to the Australian Financial Review.

CBA chief executive Matt Comyn also pointed out that the bank had so far spent around $400 million trying to fix the problems with technology and people which allowed it to happen.

AML/KYC compliance is one of the few bank costs which keeps growing even as automation shrinks expenses elsewhere, largely because of the inevitability of fines and the potential for minor problems to cause expensive ripples. For example, it was just a single IDM coding error which let so many transactions go unreported for so long.

The current state of bank KYC/AML means catastrophic systemic failure and record-shattering civil penalties are just another day at the office – and a pretty good day too.

On the blockchain

For many reasons, blockchain technology may be the only realistic way of actually changing the AML/KYC status quo. In the smallest of nutshells, distributed ledger technology is the most promising option because:

  • It can be almost entirely automated
  • It can largely eliminate single points of failure
  • It can be oriented around identity rather than transactions without causing new privacy-related problems

In depth: Why blockchain is the AML/KYC solution

However, implementation is easier said than done.

Making it happen

"Banks will, theoretically, benefit in more ways than none when implementing digital identity solutions," said Fernando Albarrán, executive chairman of BidiPass, and a former cybersecurity expert at Santander and BBVA bank. "The current validation system is based upon a centralized trust where a singular entity verifies one's legitimacy. This goes for payments, wire transfers, and any monetary transaction; the level of protection digital identities can be provided exceeds current protocols. The implementation is the core problem."

Decentralisation is a drastic shift, so established institutions can't simply switch on a blockchain. It also doesn't help that the current state of the blockchain art is scattered and relatively little-used in the real world. This makes it extremely difficult to find a fresh protocol that can work at every level. Plus, when you're introducing a drastically new protocol, it's vital to make sure that every single step is done right, and that all preceding and subsequent steps can continue to work.

"The level of usage within current day is the problem, and you’re seeing the same issue with usable blockchains such as Ethereum," they said. "Of course, if it were a switch to flip, one would obviously choose the more efficient option, but it's not that simple. You have millions of users, and implementing a fresh protocol isn’t a one stop solution. It involves modifying each preceding change. Decentralisation is a scary thing at first glance, so banks must approach it cautiously, which is what they're doing. Small steps is key for not only decentralisation, but optimal efficiency when speaking of transactional discretion."

Depending on how ambitious a bank is, they might approach the challenge of blockchain KYC/AML implementation in different ways. Many are waiting for established protocols to ease the way.

But others, potentially driven by the enormous costs of simply maintaining routine AML/KYC measures and paying the fines when they inevitably fail, are biting the bullet and trying to find ways of establishing their own protocols.

"Capital One recently bought the fintech startup Confyrm, which is, not surprisingly, a digital identity focused company," they gave as an example.

It's safe to assume that most solutions will be largely focused on identity, however.

"Digital identity solutions work differently per system. Regarding the systems that I have worked with, they are encrypted via bi-dimensions. Systems decentrally confirm the validity of a user, transaction, or asset. Since the operations are connected directly it enables you to utilize mobile devices to serve as an authenticator – that is the future of not only digital identities but nearly all transaction systems."

Waiting and seeing

The institutions that choose to wait for a more established protocol, rather than trying to get ahead of the game by blazing their own trail, might not have to wait too long though. Several startups are racing to create a globally effective blockchain KYC/AML solution, and can get a leg up on real-world trialling – the key ingredient – through force-multiplying partnerships.

An example of this is the recent partnership between the Trunomi and Shyft platforms to work on different facets of blockchain ID, with help from the Bermudan government which is aiming to redesign its financial sector around blockchain technology.

Essentially, Shyft brings the core blockchain technology and protocol to the table; Trunomi brings its expertise in consumer-consent frameworks to help shape it into a viable form; and Bermuda provides the real world.

These kinds of arrangements may stand to put a functional, effective and real-world-tested blockchain AML/KYC solution on the market extremely quickly. From there, adoption might be substantially spurred by Bermuda's hub-like role in global financial services, spreading like a friendly virus to the financial institutions that come in contact with it.

"The Government of Bermuda has decided to lead the way and build interoperability into the government legislation, in essence, approach regulatory frameworks with exportability in mind. This is our Bermuda jurisdiction as a service, the high level of exportability 'stack' that includes technology, regulation, process and protocols," said the premier of Bermuda, David Burt in a statement on the trilateral-ish partnership.

"Trunomi's immutable consent framework and data rights management technology is an integral part of our global ID and KYC vision by enabling privacy by design, and proving accountability in data use and full transparency and interoperability across multiple markets and systems," said Shyft CEO Bruce Silcoff. "Global data privacy laws now firmly put the customer in control of the relationship and ultimately their own data and identity, which can only be shared with the consent of the consumer, for a specific purpose and they need to be able to easily revoke this consent. Trunomi is capturing, tracking, proving and sharing these data permissions to all parties and providing real time tools to adjust these rights."

The end result, and potential current state of the art in terms of real-world use and broad adoption potential, is an e-ID system that will initially be rolled out in Bermuda, then expanded to a growing range of participating nation states and large companies that sign up to join the network.

If it means accessing a working, adoptable blockchain ID protocol, and finally putting a stopper on the sheer wastefulness of traditional transaction-focused AML/KYC systems, banks might be eager to sign up.


Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and XRB.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Latest crypto guides

Ask an Expert

You are about to post a question on finder.com.au:

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • finder.com.au is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms and Conditions and Privacy Policy.
Ask a question
Go to site