NewsBite

Commonwealth Bank internal audit team raised 18 red flags

CBA’s audit problems were highlighted in a confidential paper prepared for a meeting set up by chief Matt Comyn.

Australia’s biggest bank, Commonwealth Bank, has 18 “red” — unsatisfactory — audits outstanding, covering almost every area of the company from its compliance with anti-money-laundering and counter-terror financing laws through its mortgage broking subsidiary Aussie to problems with the SWIFT system used to transfer money between banks, documents tendered to the financial services royal commission reveal.

Details of CBA’s audit woes are laid bare in a confidential paper prepared by the bank’s internal audit and assurance team for a meeting on October 23 of an executive committee set up by new chief executive Matt Comyn to deal with non-financial risks.

The audit team said CBA’s anti-money-laundering and counter-terror financing (AML/CTF) program was “rated red, reflecting the significant number of issues already known to management and the additional issues found by Group Audit & Assurance [internal audit] during the review”.

Internal audit’s review of the program followed the bank’s $700 million payout in June to settle a lawsuit in which the payments regulator, Austrac, accused it of failing to comply with AML/CTF laws more than 53,000 times.

Yesterday, CBA chairman Catherine Livingstone told the royal commission she challenged bank management — at the time led by then-chief executive Ian Narev — about Austrac’s concerns at a board meeting in October 2016, when she was relatively new as a director.

“I did not receive a satisfactory answer to my challenge, because it did not accord with my understanding of Austrac,” Ms Livingstone told the hearing.

“That response served to confirm the concern that I had been developing, based on my experience as a non-executive director, that management, at that time, did not have the capacity to respond to what was, clearly, an escalating, significant and serious control challenge. Management did not have the capacity, either because they couldn’t or they wouldn’t.”

In last month’s note, the audit team told CBA executives a probe of the bank’s compliance with responsible lending rules for personal loans “found weaknesses in being able to evidence customer product needs, and with the verification of customer income, liabilities and expenses during the loan assessment process”.

“We highlighted concerns with the risk-based pricing approach and customer remediation activity that has been ongoing since 2015.”

They expressed concerns about data management and security and the international money transfer message system SWIFT at CBA’s Indonesian subsidiary, Bank Commonwealth.

“The audit found inappropriate access to bank and customer records and inappropriate access rights allowing staff to bypass controls,” the audit said. “Management are addressing these control matters by November 2018.”

Across the group, AML/CTF received a red audit result last month after the audit found the control environment “unsatisfactory”.

The team said a review of the bank’s AML/CTF framework added 45 new issues — including seven of high severity — to an existing 199 known problems.

However, increased focus on the area, including “a significant board-driven injection of capital” following the bank’s Austrac debacle, meant problems were being solved faster than before.

“Employee Due Diligence (EDD) and oversight of ‘High Risk’ roles continues to be weak,” the team said. “EDD processes are not compliant with the requirements of the CBA Financial Crime EDD Standard.”

The report shows that the entire Aussie Home Loans business has been red-rated since December last year due to the risk of poor conduct, with a follow-up audit put off because the business is to form part of the wealth business that CBA hopes to spin off.

The wealth management division received two red audits — one for compliance with licensing obligations and another for advice given out by the Commonwealth Financial Planning business. CFP’s red rating has been on foot for two years, the report reveals, and is being monitored quarterly.

Ben Butler, National Investigations Editor

Ben Butler has investigated everything from bikie gangs to multibillion dollar international frauds, with a particular focus on the intersection between the corporate and criminal worlds. He has previously worked for mastheads including The Age, The Australian and The Guardian.


Original URL: https://www.theaustralian.com.au/business/banking-royal-commission/commonwealth-bank-internal-audit-team-raised-18-red-flags/news-story/e5fb6167533212d785088633fcc1108a