CBA drama is massively overblown

In the AFR I argue that CBA's stock price has bounced back for good reason: the hysterical reaction to an isolated 2012 coding error that resulted in 53,000 delayed money laundering reports has been massively overblown. CBA is not going to pay a business-threatening fine, its outstanding chief executive Ian Narev will not lose his job, and the bank does not remotely have any cyber-security or financial crimes culture problems. Quite the contrary. If you speak to senior government security and intelligence officials, they will tell you that there is no better resourced or committed business in Australia than CBA when it comes to combating cyber-crime, fraud and information security threats. Excerpt below (AFR subs can read directly here):

No Australian business spends more money on, or has more people and technology resources dedicated to, thwarting financial crime, including money laundering.

And no business burns as much cash on corporate compliance, or is more heavily regulated by a multiplicity of government agencies, than CBA.

In fact, it now pays hundreds of millions of dollars a year in extra taxes via the new big bank levy precisely because it is one of the most important companies in the country.

For years the Australian Security Intelligence Organisation (ASIO) and the Australian Signals Directorate (ASD) have privately highlighted that CBA, and to a slightly lesser extent the other three major banks, have been best-of-breed in respect of their defences against digital crime.

A former senior ASIO cyber official, Scott Ceely, who is managing director of Seer Security, says he is "surprised by the news concerning CBA, as they are considered a leader in the Australian cyber-security sector".

"CBA's investment in cyber security over the past five or so years has been unmatched in our industry," Mr Ceely says.

Richard Byfield spent much of his career working in the upper echelons of the nation's electronic espionage agency, the Australian Signals Directorate, which is charged when protecting public assets from state and non-state hackers.

He says that "everybody in the security and intelligence worlds knows that CBA is first-rate when it comes to cyber-security, fraud-detection and the amount of money and people it pours into protecting its customers and preventing crimes".

"Security agencies often refer to CBA and the other major banks, alongside Telstra, as "islands of excellence" in regard to information security and their cultural commitments to mitigating cyber-crime," Mr Byfield, who runs Datacom Technical Security Services, says.

In its ASX announcement CBA explained that the 53,000 threshold transaction reports (TTRs) that were delayed in their transmission to AUSTRAC were attributable to "a single course of conduct".

This is crucially important in relation to the court's determination regarding penalties. In CBA's opinion, there will likely be one penalty for the coding error, not 53,000.

"Ultimately, a Court will seek to ensure that, overall, any civil penalties are just and appropriate and do not exceed what is proper having regard to the totality of established contraventions," the bank added.

Privately AUSTRAC is understood to have been blindsided by the media response to its claims and silly suggestions they might lead to penalties approaching one trillion dollars, which would destroy CBA almost 10 times over (and the Aussie banking system to boot).

Read full article at AFR here.