Australia's ME Bank has been sentenced to pay nearly AUD $1 million for making misleading representations to its home loan customers in breach of the Australian Securities and Investments Commission Act (ASIC Act) and the National Credit Code. ME Bank, founded in 1995, was acquired by the Bank of Queensland in July 2021.
An instinct on seeing such a ground-breaking criminal charge would be to assume a particularly egregious and intentional action – but a few things stand out when we look under the covers, which are also worth considering for financial institutions in the United States.
This blog examines:
- A summary of the breaches
- What makes the case interesting
- What you can learn and apply
The breaches
You can view the media release here, but the more interesting details are in the full judgment.
The Federal Court of Australia judgment covered four charges against ME Bank, which can be collapsed into three main issues occurring between 2016 and 2018:
- Misrepresentations about the price of financial services in letters sent to customers (AUD 750,000 fine)
- Failures to give written notice of a change in interest rate before the change (AUD 30,000 fine)
- Failures to give written notice of a change in minimum payments (AUD 40,000 fine)
The first relates to misleading conduct under Australia's ASIC Act; the latter two relate to specific breaches of its National Consumer Credit Protection Act.
The misleading representations were letters sent to home loan customers advising them of changes to their minimum payments – but the amount stated in the letter was incorrect. No customers were charged an incorrect amount. However, some customers did not keep sufficient funds to make the actual payment and suffered a total of AUD 3854 (US $2500) in missed payment charges. All were refunded to those customers.
The other breaches did not result in a direct impact on customers.
ME Bank self-reported the issues and began addressing them once it became aware of them in 2018. ME Bank pleaded guilty to the charges, though there was a dispute about their seriousness.
What makes it interesting
My instinct when I hear criminal charges for misleading representations is to think of ill-intentioned people trying to take advantage of others for their own profit – but that wasn’t the case here.
To summarize the misleading representations:
- While it was reduced to zero, the potential impact to the customers was AUD 3854 (and presumably some inconvenience).
- There was no intent to mislead (we’ll cover the system issues shortly).
- ME Bank did not profit from the misrepresentation.
- The conduct affected 589 customers, significantly fewer than 1% of its customer base.
- The fine on the ASIC Act charges was AUD 750,000, 214 times the initial financial impact to its customers.
The judgment and the comparative value of the fine hammer home that the core issue is the misleading representation itself, not the intent, harm, or potential profit.
Let’s turn to why the misleading representations were made. System errors were at fault, with ME stating that “incorrect population of data fields resulted in a mismatch between actual and quoted repayments, which were correct in the system, but incorrect in the letter”. There’s little more to go on, with the inference that the incorrect population was a technical error, rather than initiated by a person.
However, in November 2015, an internal audit notified ME Bank of system deficiencies in statement calculations, noting that this may signify additional uncovered defects, as well as a lack of controls to ensure compliance with requirements for timely and sufficient statements to customers – rated "Severe" and "High" respectively.
When considering the severity of the sentence, Australia's Commonwealth Director of Public Prosecutions (CDPP) stated “each representation was committed after ME Bank had been put on notice by an audit in 2015 of the possibility of further unknown defects.” While ME Bank did not know about the specific defect, the fact that it did not respond to those audit findings did not work in its favor.
Frankly, I wouldn’t be surprised if other corporations find themselves in a similar position unintentionally. The bar is set high for financial services (which isn’t a bad thing), with many having a complex web of systems, some of which may be provided by third parties.
What can you learn?
Here are my key messages or takeaways from this case:
- The cost of noncompliance – One of the key messages is that, even when there is no ill intent, the regulatory costs of misleading representations can significantly outweigh the direct impact.
- Pay attention to assurance findings and other early warning indicators – It sounds obvious, but once you are put on notice of potential issues, especially with significant findings, you need to act. Once aware, key stakeholders should allocate resources as required to address them. This may include sources such as internal audit findings, key risk indicators, or root cause analysis.
- Know your compliance obligations – Nothing in the judgment indicates ME Bank did not know their obligations, but it is essential to know them intimately. Particularly when it comes to obligations that apply broadly such as avoiding misleading representations, it may warrant targeted analysis of your processes to identify which may be particularly prone to noncompliance.
- Implement or review relevant controls over system and data integrity – When considering the sentence, the CDPP noted “The offending was only technical because ME Bank (legitimately) chose to use automated systems… But when such systems are used, very high levels of diligence are required and are to be encouraged and, correspondingly, inadequate diligence deterred.” Controls need to be implemented and documented appropriately. Every financial services organization provides information to its customers that is developed, stored or extracted from systems. In this type of context, control design is incredibly important. Ensure that the control objective and related testing are relevant to the deficiencies you want to identify and avoid, or otherwise ensure compliance.
- Obtain assurance from your vendors – An extension to the above is that controls assurance may also need to extend to material service providers. If you outsource a function (such as issuing statements), it’s not the same as outsourcing the risk or compliance obligation.
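As an added illustration of the control-design point above (example code, not part of the original post or anything ME Bank used), the following pre-dispatch reconciliation compares each rendered repayment letter against the system of record and holds back any letter whose quoted figure is unpopulated or differs from what will actually be debited, or whose send date gives insufficient notice before the change. The letter template wording, the account data and the 20-day notice period are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class LoanRecord:
    """System-of-record values for one home loan (constructed sample data)."""
    account: str
    new_min_repayment: Decimal   # the amount the system will actually debit
    effective: date              # the date the change takes effect


@dataclass(frozen=True)
class Letter:
    """A rendered customer letter as it leaves the mail-merge (constructed)."""
    account: str
    body: str
    send_date: date


# Matches the repayment figure as the hypothetical letter template renders it.
AMOUNT_RE = re.compile(r"minimum repayment will be \$([\d,]+\.\d{2})")


def reconcile(letter: Letter, record: LoanRecord, min_notice_days: int = 20) -> list[str]:
    """Compare a letter with its system record; an empty list means it may be sent.
    min_notice_days is an assumed policy value, not a figure from the case."""
    findings = []
    match = AMOUNT_RE.search(letter.body)
    if match is None:
        findings.append("amount field not populated")   # template slot left empty
    else:
        quoted = Decimal(match.group(1).replace(",", ""))
        if quoted != record.new_min_repayment:          # letter disagrees with the system
            findings.append(f"quoted {quoted} != system {record.new_min_repayment}")
    if letter.send_date + timedelta(days=min_notice_days) > record.effective:
        findings.append("insufficient written notice before the change")
    return findings


def screen_batch(letters, records):
    """Return {account: findings} for every letter that must be held back from dispatch."""
    by_account = {r.account: r for r in records}
    held = {}
    for letter in letters:
        record = by_account.get(letter.account)
        findings = ["no system record for account"] if record is None else reconcile(letter, record)
        if findings:
            held[letter.account] = findings
    return held


# Constructed sample batch: one correct letter, one with a wrong figure, one sent too late.
RECORDS = [LoanRecord("A1", Decimal("1250.00"), date(2024, 3, 1)),
           LoanRecord("A2", Decimal("980.50"), date(2024, 3, 1)),
           LoanRecord("A3", Decimal("2100.00"), date(2024, 2, 10))]
LETTERS = [Letter("A1", "Your minimum repayment will be $1,250.00 from 1 March 2024.", date(2024, 2, 1)),
           Letter("A2", "Your minimum repayment will be $890.50 from 1 March 2024.", date(2024, 2, 1)),
           Letter("A3", "Your minimum repayment will be $2,100.00 from 10 February 2024.", date(2024, 2, 1))]
```

Running `screen_batch(LETTERS, RECORDS)` holds back A2 (mismatched amount) and A3 (late notice) while A1 passes; the point is that the check tests the letter as the customer will see it, not the value in the database.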
Conclusions and next steps
Understanding the intricacies of IT systems and the risks associated with them is crucial, not just for IT professionals but for the entire organization. As this case shows, it’s not only cybersecurity that you need to worry about, but also the risk of being held responsible for internal software issues and malfunctions.
Protecht’s Information Technology Risk Management eBook dives deeper into the topics we've touched upon here, providing you with a practical and thorough understanding of IT risk management. This eBook is an essential tool for risk managers looking to challenge and support their IT teams effectively and for IT managers aiming to align their strategies with organizational goals. It's about transforming IT from a mere operational tool into a strategic asset.