CBA IT corruption exposed

Ian Rogers
CBA

A confronting judgement of the District Court of New South Wales uncovers a cell of corruption involving two of the most senior executives in the technology division of Commonwealth Bank more than 10 years ago.

Last week Judge Phillip Mahony convicted Jon Waldron – formerly the general manager IT engineering at the bank – on 10 counts of corruptly receiving a benefit, or aiding and abetting corruption sponsored by US-based supplier ServiceMesh in 2014.

All up, the bribes amounted to $2 million. Waldron’s salary was $600,000 at the time.

Waldron elected for a trial by judge alone, and thus there is a lengthy and fascinating judgment that dives deep into the strategic priorities, management and methods in the IT division of CBA in the early 2010s.

The background to this affair is the high tempo efforts by Commonwealth Bank at the time to pivot to cloud computing, a now common approach and one in which CBA was an early mover.

In 2009 ServiceMesh started supplying software services to the CBA. In 2011 ServiceMesh signed a Master Service Agreement with CBA. Pursuant to that agreement ServiceMesh supplied software services known as Agility Platform to CBA as the cornerstone of its cloud computing system.

In 2013 ServiceMesh was in negotiations to sell the business to NYSE-listed Computer Sciences Corporation, with a sale agreed in October 2013 for US$291 million.

The terms included an earnout provision subject to revenue thresholds, and with the shareholders in ServiceMesh entitled to receive 10 per cent of revenue in excess of these thresholds.

Eric Pulier was the principal shareholder in ServiceMesh and Pulier, the judgement explains, was the instigator of the bribes paid to Jon Waldron.

CSC ended up paying a US98 million earnout to ServiceMesh, with US$30 million received by Pulier.

In 2017 a grand jury in the US charged Pulier with 15 counts of bribery and kickbacks. Jon Waldron was also charged at the same time. 

Then in 2018 the charges against Pulier were “dismissed with prejudice”. In 2021 following proceedings bought by the Securities and Exchange Commission Pulier consented to a civil judgement that made him liable for US$5 million in penalties.

One of the chief witnesses against Waldron was his co-offender at CBA, his boss Keith Hunter. Hunter was CBA’s executive manager in charge of operations, IT security, application development and IT engineering, reporting directly to CBA’s chief information officer at the time Michael Harte.

Following a guilty plea in 2016 Keith Hunter was convicted and sentenced to a term in prison of three and a half years.

Seduced by representations from Pulier that “he would look after them” Hunter and Waldron conspired to accelerate the purchase of McAfee security software via ServiceMesh as reseller, even though the bank had supply arrangements through HP and McAfee at the time.

Pulier, in his desperation to generate more revenue from CBA – the largest customer of ServiceMesh at the time – even attempted to interest CIO Michael Harte in “compensation”.

Readers of the judgement may find Harte’s role in this affair murky, but in his conclusions Judge Mahony made clear there is no evidence Harte received any bribe.

Waldron’s crime was detected when, in the course of routine scrutiny by the finance team of the CBA bank account linked to his corporate credit card, unusual transactions were detected.

This rookie error was later compounded by emails and messages between Hunter and Waldron on devices supplied by the bank, including messages exchanged once a bank investigation was underway.

In one message “Hunter said, ‘I am so shocked. I want to vomit. I cannot believe we were this stupid’, evidence referring to the fact they had allowed the payments to go into accounts that were discoverable by the CBA” Judge Mahoney said in his judgement.

The two perpetrators then set out to concoct a cover story, claiming the payments were for work done on behalf of a non-profit with close links to ServiceMesh.

To back this up Hunter and Waldron engaged in clumsy attempts to manufacture false invoices, with forensic analysis of metadata exposing this further misconduct.

Waldron gave evidence in his defence, none of which the judge accepted.

First charged in early 2015, it took an excessively long time for Waldron’s case to come to trial.

Jon Waldron will be sentenced at a later date.