Australia’s third-largest bank also failed, over five years to late 2017, to conduct “quality assurance checks” on its customer due diligence for almost 10,000 accounts before those customers transacted, while for nearly a decade the bank did not complete any “Know Your Customer” checks — in line with the requirements of anti-money-laundering laws — for almost 8000 secondary credit card holders who were added to the line of credit.

The failure to block these additional customers who were added to credit cards before the bank had completed due diligence on the customers potentially allowed criminals to access money through the bank.

According to compiled internal breach logs, NAB’s internal monitoring systems between 2008 and 2016 also failed to automatically update customer risk profiles when there was a change to an overall risk rating for the country in which those customers were transacting or operating in when the government applied sanctions or took other actions against rogue nations.

Worryingly, there was also “no manual process” in place at the bank to apply red flags to these customers when NAB reported the issue to Austrac in 2016.

Customers in countries subjected to sanctions — such as North Korea, Iran and Libya — are banned from trading in goods and services with Australian individuals and companies.

The Weekend Australian can reveal NAB also told anti-money-laundering regulator Austrac it had “incorrectly risk-rated” almost 5000 customer profiles “resulting in lower than required due diligence being completed on 1690 customer profiles”.

According to the internal logs, system failures also affected almost 150,000 customer records that were not “properly screened” and rated for money-laundering and terrorism-financing risk because the records were not readily available in its compliance monitoring system.

The revelations are the first indications of the size and scale of NAB’s non-compliance with anti-money-laundering and counter-terrorism financing laws since it warned investors it may have breached the legislation in its November 2017 annual report. The bank quietly made the admission just months after Commonwealth Bank was sued in the Federal Court by Austrac over 50,000 ­instances where it broke the law, ultimately leading to a record-breaking $700m fine.

This month Austrac accused Westpac of 23 million breaches of anti-money-laundering legislation, including allegations it failed to act when it was facilitating thousands of child exploitation payments to The Philippines and Southeast Asia.

Westpac is expected to face a fine of close to $1bn after failing to properly monitor billions of dollars in international transfers, known as IFTIs, or ­report those transactions to ­regulators.

While NAB told shareholders this month in a note attached to its annual report that it believed it may be involved in a breach, or ­alleged breach, of laws governing “bribery, corruption and financial crime”, the bank has so far declined to give further details, other than that it found “certain weaknesses with the implementation of ‘Know Your Customer’ requirements, other financial crime risks, as well as systems and process ­issues that impacted transaction monitoring and reporting in some specific areas”.

Know Your Customer rules require banks to conduct due diligence on their depositors to ensure their businesses are not being used to funnel money for terrorists, criminal syndicates and drug and firearm cartels.

“NAB has reported a number of compliance breaches to relevant regulators and has responded to a number of requests from regulators requiring the production of documents and information,” the bank said in its annual report.

“NAB continues to keep Austrac (and where applicable, relevant foreign regulators) informed of its progress in resolving these ­issues, and will continue to co-operate with, and respond to queries from, such regulators.”

There is no certainty NAB’s confessed failures will result in any action by Austrac.

According to the bank’s internal breach registers, for a month in 2013 NAB failed to update its lists that it uses to screen transactions through countries subjected to sanctions in its international funds transfer system, known as SWIFT.

In 2016, the bank also found it had failed to conduct due diligence “within prescribed time frames” for 33 international partner lenders “due to missing information or non-responsiveness” from the correspondent banks.

Meanwhile, NAB did not include relevant “cross-border transactions” made from and to its JBWere wealth management arm in IFTI reports to Austrac between May and November 2017. On top of this, between 2014 and 2017, about 70,000 customer profiles were “excluded” from automatic anti-money-laundering monitoring. These transaction monitoring and reporting issues were the subject of continued correspondence with Austrac into at least early last year.

While NAB reported the sanctions screening issue to the Department of Foreign Affairs and Trade, it later found no “positive alerts” would have been triggered had the correct “world checklist” been in place. NAB has now deployed a new system that has “additional manual processes to mitigate against further country code rating changes”.

In an addendum of data ­attached to the bank’s initial response to the royal commission, seen by The Weekend Australian, NAB blamed its “ineffective” Know Your Customer compliance on processes that “allowed bankers to avoid system controls that were intended to ensure minimum KYC standards were met, or the lack of any such system controls” when the bank signed up new customers.

In relation to failing to conduct proper due diligence on secondary credit card holders, NAB said a block that would have prevented the customer from using the card until its KYC processes were completed had not been placed on the credit accounts.

NAB blamed its failure to properly screen customers on “flaws in IT system design or deficient IT systems or IT operations failure caused by human error”.

While the NAB board decided to upgrade its anti-money-laundering compliance systems in August 2016, the bank decided to commit “further resources” to the project in September 2017, after Austrac’s case against CBA was made public.

At the bank’s full-year results in November, NAB chairman Phil Chronican said the bank had been “very co-operative with Austrac in making sure that not only do we meet the letter of the law, but we meet the spirit of the law”.

More related stories

Business

QIC’s $91m exec bonus pot in spotlight

Generous bonuses paid to QIC executives could turn into a political issue with performance payments in excess of $91m paid out last financial year.

Read more

Financial Services

QBE misled half a million customers, lawsuit alleges

The insurance major is accused of misleading customers on discounts for products including home, contents and car protection.

Read more