What CBA's $700M Penalty Teaches About AML/CTF Compliance Gaps
The Commonwealth Bank penalty wasn't about missing controls — it was about gaps in obligation coverage that a manual review couldn't catch. Here's what went wrong and how to prevent it.
In June 2018, the Commonwealth Bank of Australia agreed to pay $700 million — at the time, the largest civil penalty in Australian corporate history — for systemic breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
The penalty wasn’t for a single spectacular failure. It was for 53,750 threshold transaction reports that were never filed, combined with failures in transaction monitoring, customer due diligence, and suspicious matter reporting.
The gap wasn’t in the rules — it was in the obligations
CBA had an AML/CTF program. They had policies. They had controls. What they didn’t have was coverage at the obligation level.
Consider transaction monitoring alone. The AUSTRAC AML/CTF Rules don’t simply say “monitor transactions.” They contain multiple interconnected obligations:
- The reporting entity must monitor transactions for consistency with the entity’s knowledge of the customer
- Monitoring must be proportionate to the assessed ML/TF risk
- The entity must maintain adequate systems and controls to identify suspicious transactions
- These systems must be reviewed and updated at appropriate intervals
CBA’s Intelligent Deposit Machines (IDMs) were processing cash deposits, but the monitoring system wasn’t generating threshold transaction reports for deposits over $10,000. A rule-level assessment might say “transaction monitoring: in place.” An obligation-level assessment would have caught that specific conditions weren’t met.
Why rule-level compliance isn’t enough
A typical compliance review works at the rule level: for each of the 768 rules across both the AUSTRAC AML/CTF Rules 2007 (614 rules) and Rules 2025 (154 rules), is there a policy or control in place?
The problem is that a single rule can contain 5-10 separate obligations, each with different conditions and thresholds. Marking a rule as “covered” when only some of its obligations are addressed creates a false sense of compliance.
In CBA’s case:
- Transaction monitoring had 5+ obligations — the system existed but specific conditions weren’t met
- Threshold reporting had specific timing and completeness requirements — the IDM reporting gap violated these
- Customer due diligence had ongoing obligations — not just at onboarding but throughout the relationship
The cost of obligation-level gaps
The penalty breakdown tells the story:
- 53,506 threshold transaction reports not filed: systematic gap in a specific obligation
- Suspicious matter reporting failures: gap in the trigger conditions for escalation
- Customer due diligence failures: gap in ongoing monitoring obligations, not initial verification
Each of these was a gap in a specific obligation within a broader rule that CBA was nominally “compliant” with at the rule level.
How probabilistic risk scoring would have flagged this
AuditDSS scores every obligation across four risk axes:
- Obligation Weight: Transaction monitoring and reporting obligations sit at the structural centre of the AML/CTF framework — high weight
- Violation Likelihood: These categories have historically high breach rates across the industry — elevated likelihood
- Enforcement Evidence: AUSTRAC had already taken enforcement action on transaction reporting before CBA — high enforcement evidence
- Cascade Dependency: Transaction monitoring failures cascade to reporting, suspicious matter identification, and customer due diligence — high blast radius
A gap in any of these obligations would have scored in the top risk band, flagging them for immediate remediation rather than being hidden inside a “compliant” rule-level checkbox.
Lessons for compliance teams
- Decompose your regulatory obligations: Don’t assess at the rule level. Break each rule into its component obligations, conditions, and thresholds.
- Score gaps by risk, not just presence: Not all gaps are equal. A gap in customer identification carries more enforcement risk than a gap in record-keeping format requirements.
- Model dependencies: Understand which obligations depend on others. A failure in upstream customer identification cascades through due diligence, monitoring, and reporting.
- Calibrate against enforcement data: If the regulator has already enforced a particular obligation category, your gap in that category carries substantially more risk.
- Assess regularly: Compliance posture changes as policies are updated, systems change, and new products are introduced. A quarterly or monthly assessment catches gaps before they become enforcement actions.
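To make the four-axis scoring and the obligation-versus-rule distinction concrete, here is an added illustration in Python. It is not AuditDSS code and not the text of the AUSTRAC Rules: the obligation list, the dependency edges, the axis values and the axis weights (`AXIS_WEIGHTS`) are all constructed for this example. It decomposes four rules into obligations, computes the Cascade Dependency axis from a dependency graph, and shows that a rule-level checklist reports every rule as covered while the obligation-level ranking surfaces the threshold-reporting gap in the top band.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

# Assumed axis weights for the combined score; not AuditDSS's calibration.
AXIS_WEIGHTS = {"weight": 0.30, "likelihood": 0.25, "enforcement": 0.25, "cascade": 0.20}


@dataclass
class Obligation:
    id: str
    rule: str                  # parent rule in a rule-level checklist
    text: str
    covered: bool              # does a control actually satisfy this obligation?
    weight: float              # Obligation Weight (0..1): structural importance
    likelihood: float          # Violation Likelihood (0..1): historical breach rate
    enforcement: float         # Enforcement Evidence (0..1): prior regulator action
    depends_on: list[str] = field(default_factory=list)  # upstream obligation ids


# Constructed sample decomposition (illustrative obligations and made-up axis values).
OBLIGATIONS = [
    Obligation("CDD-1", "Customer due diligence", "verify identity at onboarding", True, 0.90, 0.40, 0.60),
    Obligation("CDD-2", "Customer due diligence", "ongoing due diligence", False, 0.85, 0.60, 0.70, ["CDD-1", "TM-1"]),
    Obligation("TM-1", "Transaction monitoring", "monitor for consistency with customer knowledge", True, 0.90, 0.60, 0.70, ["CDD-1"]),
    Obligation("TM-2", "Transaction monitoring", "monitoring proportionate to ML/TF risk", True, 0.80, 0.50, 0.60, ["CDD-1"]),
    Obligation("TM-3", "Transaction monitoring", "systems identify suspicious transactions", True, 0.85, 0.60, 0.70, ["TM-1", "TM-2"]),
    Obligation("TM-4", "Transaction monitoring", "systems reviewed at appropriate intervals", False, 0.60, 0.40, 0.30),
    Obligation("TTR-0", "Threshold reporting", "maintain a threshold reporting process", True, 0.70, 0.50, 0.90),
    Obligation("TTR-1", "Threshold reporting", "report cash deposits over $10,000", False, 0.95, 0.70, 0.90, ["TM-1", "TTR-0"]),
    Obligation("TTR-2", "Threshold reporting", "file reports within the required timeframe", False, 0.80, 0.60, 0.90, ["TTR-1"]),
    Obligation("SMR-1", "Suspicious matter reporting", "escalate and report suspicious matters", True, 0.90, 0.70, 0.80, ["TM-3"]),
]


def rule_level_view(obligations: list[Obligation]) -> dict[str, bool]:
    """The naive checklist: a rule counts as 'covered' if any control exists under it."""
    view: dict[str, bool] = {}
    for ob in obligations:
        view[ob.rule] = view.get(ob.rule, False) or ob.covered
    return view


def hidden_gaps(obligations: list[Obligation]) -> list[str]:
    """Uncovered obligations that the rule-level checklist would report as covered."""
    rules = rule_level_view(obligations)
    return [ob.id for ob in obligations if not ob.covered and rules[ob.rule]]


def downstream(obligations: list[Obligation], oid: str) -> set[str]:
    """Ids of every obligation that transitively depends on `oid` (its blast radius)."""
    children: dict[str, list[str]] = {}
    for ob in obligations:
        for up in ob.depends_on:
            children.setdefault(up, []).append(ob.id)
    seen: set[str] = set()
    queue = deque([oid])
    while queue:
        for child in children.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def cascade(obligations: list[Obligation], oid: str) -> float:
    """Cascade Dependency axis: share of the other obligations inside the blast radius."""
    return len(downstream(obligations, oid)) / (len(obligations) - 1)


def gap_score(obligations: list[Obligation], ob: Obligation) -> float:
    """Weighted combination of the four axes, in 0..1."""
    axes = {"weight": ob.weight, "likelihood": ob.likelihood,
            "enforcement": ob.enforcement, "cascade": cascade(obligations, ob.id)}
    return sum(AXIS_WEIGHTS[k] * v for k, v in axes.items())


def risk_band(score: float) -> str:
    # Band thresholds are an assumption of this illustration.
    return "high" if score >= 0.60 else "medium" if score >= 0.35 else "low"


def rank_gaps(obligations: list[Obligation]) -> list[tuple[str, float, str]]:
    """Uncovered obligations ranked by gap score, highest risk first."""
    scored = [(ob.id, round(gap_score(obligations, ob), 3)) for ob in obligations if not ob.covered]
    return sorted(((oid, s, risk_band(s)) for oid, s in scored), key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    print("Rule-level checklist:", rule_level_view(OBLIGATIONS))
    print("Gaps hidden behind 'covered' rules:", hidden_gaps(OBLIGATIONS))
    for oid, score, band in rank_gaps(OBLIGATIONS):
        print(f"{oid:6} score={score:.3f} band={band} blast_radius={sorted(downstream(OBLIGATIONS, oid))}")
```

Run as written, every rule shows as covered in the checklist, yet four obligations are uncovered, and the unfiled $10,000 deposit report (TTR-1) ranks first because it combines high weight, high enforcement evidence and a downstream dependency (TTR-2). Swapping the constructed data for a real decomposition of the Rules is the work the page's first lesson describes.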
AuditDSS maps the full AUSTRAC AML/CTF framework — both the 2025 and 2007 Rules, 768 rules, 5,534 obligations — and scores every gap across four risk axes calibrated on real enforcement data. Start your first assessment.