
Buggy Software Made Us Miss Money Laundering Scam, Says Australian Bank

An anonymous reader shares a report: Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m) offshore after depositing cash into automatic teller machines. News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism. The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences. Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off. Today the bank has explained the reason for its failure: "a coding error" that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.
  • Office Space (Score:5, Informative)

    by Nidi62 ( 1525137 ) on Monday August 07, 2017 @10:52AM (#54955883)
    Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.
    • Sounds to me like a couple programmers found a way to take their retirement accounts into their own hands.

      And how did the changes pass QA anyway? I think QA could also be involved. :p

      • by Anonymous Coward

        I bet they cheaped out on QA.

      • Have you ever worked in a software company? QA gets the least resources, the least respect, and typically no veto rights whatsoever. When management decides that on date X the product ships then it ships. And when developers claim that QA is full of hooey then the developers are always considered to be right. That assumes that there is dedicated QA in the first place. There are plenty of places that ship as long as the compiler does not throw any hard errors.
  • by hey! ( 33014 ) on Monday August 07, 2017 @10:55AM (#54955917) Homepage Journal

    I didn't know they held a pageant for that.

    • “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions.

      How about ATMs that don't allow you to withdraw or deposit more than $10,000 in cash?
      No, I'm guessing that they made transfers between accounts using the ATMs, but shouldn't the reporting be done at a centralized level?
      e.g. ATM requests that a service transfers funds, the transfer service is used by all software to access the accounts (online, teller, ATM, phone), and THAT is responsible for logging $10k+ tr
  • by Anonymous Coward

    Oh wait... Us

  • "a coding error" (Score:5, Insightful)

    by nastyphil ( 111738 ) on Monday August 07, 2017 @11:00AM (#54955959) Homepage

    A coding error that was not caught in regression testing, and remained undetected and thus unpatched for years, breaking your organization's compliance... IS A BUSINESS ERROR.

    • ree-gressi-on? What is that, some sort of crazy MBA buzzword?

      Regression testing, for complicated applications, can still miss a lot of bugs. To do a full regression test could put the company at a full standstill. I remember the boss asking to process a sample of data with a 5% margin of error. We calculated the sample size, and we needed to process 100,000 records... Giving them that number, no one wanted to do it. So that fell by the wayside.

      Not for the Australian bank. How much did this Hack cost

      • by dwywit ( 1109409 )

        The $10K reporting requirement has been around for a long time. The bug is that they *stopped* reporting the transactions. Previous to this software update, the transactions were being reported, so the reporting was either deliberately stopped (possible, but unlikely), or the trigger wasn't pulled because some flag wasn't set because Total_A 10,000.00, even though it was.

        How does a programmer turn off a process that should have "WARNING - THIS IS REQUIRED BY LAW" written all over the comments?
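Two ideas from this thread, the centralised transfer service that does the reporting for every channel (suggested a few comments up) and a threshold flag that silently stops being set (the comment above), as one added example. This is illustrative code written for this page, not CBA's system; the service, the constructed account ids, the inclusive reading of "$10,000+" and the unit-mismatch defect are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List
# AU$10,000.00 held in cents; integer arithmetic avoids float surprises at the boundary.
REPORT_THRESHOLD_CENTS = 1_000_000

@dataclass
class Transaction:
    channel: str       # "atm", "online", "teller", ... all channels share one path
    account: str       # constructed sample account id
    amount_cents: int  # deposit value in cents

@dataclass
class TransferService:
    """One choke point every channel calls, so an update to a single channel
    (e.g. the ATM software) cannot switch the compliance report off."""
    ledger: List[Transaction] = field(default_factory=list)
    reports: List[Transaction] = field(default_factory=list)
    def post(self, tx: Transaction) -> bool:
        """Record tx; return True if a threshold report was filed for it."""
        if tx.amount_cents <= 0:
            raise ValueError("amount must be positive")
        self.ledger.append(tx)
        # "$10,000+" in the story is treated as inclusive here (an assumption).
        if tx.amount_cents >= REPORT_THRESHOLD_CENTS:
            self.reports.append(tx)
            return True
        return False

class BrokenService(TransferService):
    """Models the kind of defect the thread describes: a later change compares the
    amount in dollars against a threshold held in cents, so the flag is never set."""
    def post(self, tx: Transaction) -> bool:
        self.ledger.append(tx)
        if tx.amount_cents // 100 >= REPORT_THRESHOLD_CENTS:  # unit mismatch bug
            self.reports.append(tx)
            return True
        return False

def regression_check(factory: Callable[[], TransferService]) -> bool:
    """Boundary-value regression check for every build: returns False as soon as
    the reporting trigger stops firing on any channel."""
    cases = [(999_999, False), (1_000_000, True), (1_000_001, True), (5_000_000, True)]
    for channel in ("atm", "online", "teller", "phone"):
        svc = factory()
        for cents, expected in cases:
            if svc.post(Transaction(channel, "ACC-0001", cents)) != expected:
                return False
        if len(svc.reports) != sum(1 for _, e in cases if e):
            return False
    return True
```

Running `regression_check` against both classes shows the boundary cases catching the broken build while the correct service passes.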

      • You're correct of course, it can be expensive to test thoroughly. Depends on where your model and risk extend. The functional aspects of design? The maintenance of the software? Correct functioning of the ATM HW? Support procedures? Escalation? Audit? Independent verification? Monitoring of operational performance of it and other applications that provide inputs or consume outputs, etc ...the division, governance, the business?

        My point is that especially in a fashionable Dev Ops world, the 'system' includ

  • Why ATM (Score:4, Interesting)

    by Luthair ( 847766 ) on Monday August 07, 2017 @11:45AM (#54956229)
    Why exactly is the ATM machine the piece that is doing the reporting? Shouldn't it be a central authority, not some piece of hardware that a large number of people have physical access to?
    • The reporting is not for a standard ATM; these are for deposit ATMs placed around the world where deposits can be very large, and from the sounds of it, when a large deposit is received they are supposed to trigger a report (larger than $10,000 AUD). The coding error gives them an excuse for the majority; however, there is also a chunk of them (around 100 or so) where they also failed to monitor and report known suspicious accounts, for which they have no excuse. In theory total fines could be as much as $1
      • by Luthair ( 847766 )
        Not sure what you mean by standard ATM, here virtually every machine accepts deposits barring the shady ones in bars. I stand by my point, reporting standards aren't only for deposits, they are also for transfers, cheques, etc.
        • by Anonymous Coward
          These ATMs accepted and counted cash which could be placed into accounts anonymously. ATMs have long been able to accept deposits, but "most" required you to use a card or access your account first and then would provide a deposit envelope; the net effect was really that the deposit was processed much later when a bank staffer checked the deposit. With the IDM ATMs the deposit is instant and anonymous, so criminals could then immediately transfer the funds seconds after the cash is deposited, making them highly at
  • by Anonymous Coward

    Money laundering laws remind me of stuff like DRM, where it's primarily known for being a pain in the ass for completely innocent people, and it's assumed that crooks already know how to get around it anyway and are therefore not as inconvenienced or violated as everyone else.

    Any time a money laundering law comes into play, it's very likely that it's just making things harder for (or compromising the privacy of) a non-criminal. Ergo, the laws have little legitimacy and no person worries if they're circumven

    • The $10000 reporting limit is transparent to the end user unless the transaction is made in cash (and not, it seems, a deposit through one of these machines) or triggers the "suspicious activity" criteria (e.g. repeated $9000+ deposits). I have moved close to $30000 electronically to other parties, in both AUD and USD through a forex service, in past weeks for a trip to Patagonia/Antarctica: not a piece of paper in sight. The machines in question are for deposits, primarily for out-of-bank-hours busines
  • by GrumpySteen ( 1250194 ) on Monday August 07, 2017 @12:43PM (#54956625)

    I read the headline as "Buggy software made the United States win the Miss Money Laundering Scam according to an Australian bank." I think it's a title we would live up to.

  • by Anonymous Coward

    They got letters regarding the transactions from the Australian Federal Police and continued to allow it to happen... so... it sounds like being complicit to me.

    Secondly... you wouldn't put the reporting in ATM space either. You'd build this stuff into the core transaction code that does the ledgering between accounts... for all accounts.

    I call bull.

  • Maybe they just Can't Be Arsed
  • Firstly, I love to kick the crap out of Aussie banks as much as the next person. It is a national pastime down here under the rest of the world.
    The Aussie banking system is regulated up the wazoo, with APRA and ASIC constantly moving the regulations around to protect people from the perceived 'predatory' ways of the 'Big' Banks, being NAB, Westpac, ANZ and CBA in recent time. Now firstly these banks make obscene amounts of profits, and in the past have made some monumental screw ups/crap decisions, as hav

    • The benefit of compliance, is the license to trade.

      • Absolutely agree with this comment. But with any large organisation, it is a lumbering beast, and when asked to run it tends to fall over. Structured change is better than constant change, and with many sections of government 'decisions' it tends to be reactive rather than tempered pro-activity.

        • IKR?

          I worked most of my career in .au, the last 10 years as a contract Information Architect. All industries (NGO, .gov, Big 4s, SMEs, Energy etc.) are depressingly not self aware. Like a complicated soup, they struggle with the laws of thermodynamics, Chinese whispers and too many chefs.

          It's depressing as a stakeholder (ie citizen, customer, investor etc) to observe. OTH, it's been a lucrative career and I am enjoying a multi year sabbatical in Europe, studying Art History and (barely) managing a porn startup.
