ME Bank has been sentenced to pay $820,000 for making misleading representations to its home loan customers in breach of the ASIC Act – the first criminal charge ever brought under this section of the ASIC Act – and the National Credit Code. A natural instinct on seeing such a ground-breaking criminal charge would be to assume a particularly egregious and intentional action – but a few things stand out when we look under the covers.
This blog examines:
- A summary of the breaches
- What makes the case interesting
- What you can learn and apply
The breaches
You can view the media release here, but the more interesting details to learn from are in the full judgement. There were four charges raised against ME Bank, which can be collapsed into three main issues occurring at various times between 2016 and 2018:
- Misrepresentations about the price of financial services in letters sent to customers ($750,000 fine)
- Failures to give written notice of a change in interest rate prior to the change ($30,000 fine)
- Failures to give written notice of a change in minimum payments ($40,000 fine)
The first relates to the misleading conduct under the ASIC Act; the latter two relate to specific breaches of the National Consumer Credit Protection Act.
The misleading representations were letters sent to home loan customers advising them of changes to their minimum payments – but the amount stated on the letter was incorrect. No customers were charged an incorrect amount. However, some customers did not keep sufficient funds to make the actual payment and suffered a total of $3854 in missed payment charges. All were refunded to those customers.
The other breaches did not result in direct impact to customers.
ME Bank self-reported the issues and began addressing them once they became aware of them in 2018. ME pleaded guilty to the raised charges, though there was dispute about the seriousness of those charges.
What makes it interesting
My instinct when I hear criminal charges for misleading representations is to think of ill-intentioned people trying to take advantage of others for their own profit – but that wasn’t the case here.
To summarise the misleading representations:
- While it was reduced to $0, the potential impact to the customers was $3854 (and presumably some inconvenience).
- There was no intent to mislead (we’ll cover system issues shortly)
- ME Bank did not profit from the misrepresentation.
- The conduct affected 589 customers, significantly less than 1% of their customer base
- The fine on the ASIC charges was $750,000 – 214 times the initial financial impact to their customers
The judgment and the comparative value of the fine hammer home that the core issue is the misleading representation itself, not the intent, harm, or potential profit.
Let’s turn to why the misleading representations were made. System errors were at fault, with ME stating that “incorrect population of data fields resulted in a mismatch between actual and quoted repayments, which were correct in the system, but incorrect in the letter”. There’s little more to go on, with the inference that the incorrect population was a technical error, rather than initiated by a person.
However, in November 2015, an internal audit notified ME Bank of system deficiencies in statement calculations, noting that this may signify additional uncovered defects, as well as lack of controls to ensure compliance with requirements for timely and sufficient statements to customers – rated ‘Severe’ and ‘High’ respectively.
When considering the severity of the sentence, the CDPP stated “each representation was committed after ME Bank had been put on notice by an audit in 2015 of the possibility of further unknown defects”. While ME Bank did not know about the specific defect, the fact that it did not respond to those audit findings did not work in its favour.
Frankly, I wouldn’t be surprised if other corporations find themselves in a similar position unintentionally. The bar is set high for financial services (which isn’t a bad thing), with many having a complex web of systems, some of which may be provided by third parties.
What can you learn?
Here are my key messages or take-aways from this case:
- The cost of noncompliance – One of the key messages is that, even when there is no ill-intent, the regulatory costs of misleading representations can significantly outweigh the direct impact.
- Pay attention to assurance findings and other early warning indicators – It sounds obvious, but once you are put on notice of potential issues, especially with significant findings, you need to act. Once aware, key stakeholders should allocate resources as required to address them. This may include sources such as internal audit findings, key risk indicators, or root cause analysis.
- Know your compliance obligations – Nothing in the judgement indicates ME Bank did not know their obligations, but it is essential to know them intimately. Particularly when it comes to obligations that apply broadly such as avoiding misleading representations, it may warrant targeted analysis of your processes to identify which may be particularly prone to noncompliance.
- Implement or review relevant controls over system and data integrity – When considering the sentence, the CDPP noted “The offending was only technical because ME Bank (legitimately) chose to use automated systems… But when such systems are used, very high levels of diligence are required and are to be encouraged and, correspondingly, inadequate diligence deterred”. Controls need to be implemented and documented appropriately. Every financial services organisation will provide information to its customers that is developed, stored or extracted from systems. In this type of context, control design is incredibly important. Ensure that the control objective and related testing are relevant to the deficiencies you want to identify and avoid, or otherwise ensure compliance.
- Obtain assurance from your vendors – An extension to the above is that controls assurance may also need to extend to material service providers. If you outsource a function (such as issuing statements), it’s not the same as outsourcing the risk or compliance obligation.
Conclusions and next steps
Understanding the intricacies of IT systems and the risks associated with them is crucial, not just for IT professionals but for the entire organisation. As this case shows, it’s not only cyber security that you need to worry about, but also the risk of being held responsible for internal software issues and malfunctions.
Protecht’s Information Technology Risk Management eBook dives deeper into the topics we've touched upon here, providing you with a practical and thorough understanding of IT risk management. This eBook is an essential tool for risk managers looking to challenge and support their IT teams effectively and for IT managers aiming to align their strategies with organisational goals. It's about transforming IT from a mere operational tool into a strategic asset.