Commonwealth Bank’s Security Theatre Is Failing Its Customers
How much security is too much? At Commonwealth Bank (CBA), the answer appears to be: whatever it takes to protect profits, even if it comes at the expense of basic customer service and common sense.
CBA promotes itself as a technology-driven bank, leaning heavily on claims of artificial intelligence, real-time analytics, and advanced fraud prevention systems. But for customers on the receiving end, the experience tells a very different story—one of excessive friction, inconsistent decision-making, and systems that seem designed as much to reduce staffing costs as to enhance security.
Take something as simple as verifying your identity.
Recently I was subjected to seven separate questions just to speak with a representative, and even that was not enough for this so-called AI-led company.
This goes far beyond reasonable due diligence and highlights that CBA management don’t care about customer service, with AI systems now implemented that are more about making more money, money, money.

CBA puts customers second by using systems that are not user-friendly or appropriate, considering they are getting rich using AI off the back of their customers’ money.
After providing an account number and PIN to reach an operator, I was asked to repeat personal details (name, address, date of birth) before being sent a one-time code to a registered device that is already linked to the bank’s records via an IMI unique phone code.
Even that isn’t enough.
Additional questions, such as recalling the last time you visited a branch or naming a “best friend”, push the process into the realm of absurdity.
By any modern risk assessment standard, the probability of correct identification at that point is already overwhelming, but in my case they wanted answers to what was my first ever car, despite my answering all of the earlier questions right.
Yet the interrogation continues at CBA, not because it meaningfully enhances security, but because the system appears rigid, outdated, and poorly calibrated.
The result is not security, it’s security theatre.
This disconnect becomes even clearer when examining how CBA handles actual transactions. In my case, a legitimate $588 payment to a major hotel chain was blocked without explanation, despite more than sufficient funds being available.
The same transaction was immediately approved using another bank’s card.
This raises a critical question: what exactly is CBA’s system detecting, and why is it failing to distinguish between genuine and suspicious behaviour?
The aftermath only compounds the problem.
Customers are forced into a binary choice through the NetBank app—confirm the transaction and risk duplication, or deny it and trigger a cascade of consequences, including card cancellations and the administrative nightmare of updating dozens of direct debits.
There is no nuanced option, no ability to simply clarify intent.
For a bank that claims to empower users, the design is strikingly inflexible.
CBA frequently highlights its “real-time behavioural analytics” as a cornerstone of its fraud prevention strategy. Yet this system often fails at the most basic level: recognising consistent, long-term payment patterns. Regular subscriptions—streaming services, software, financial tools—trigger repeated approval requests despite years of identical transactions to the same accounts. If this is artificial intelligence, it is remarkably unintelligent in practice.
Meanwhile, genuine concerns remain unresolved.
Customers have reported delays in receiving notifications for fraudulent transactions, sometimes discovering issues days later when reviewing statements manually.
At the same time, legitimate payments are blocked with frustrating regularity, requiring lengthy and intrusive verification processes to resolve.
CBA describes its approach as “defence-in-depth”, a layered system of detection, blocking, alerts, and verification. In theory, this sounds robust. In reality, it often translates into a fragmented and inefficient customer experience, where the burden of navigating the system falls squarely on the user.
What’s most concerning is the imbalance.
When opening an account, customers are required to provide identification documents totalling 100 points, a standardised and logical framework.
Yet once inside the system, that clarity disappears.
Customers who have already proven their identity to a high standard are treated as ongoing risks, subjected to repeated and often redundant checks that add little value, with call centre staff working to a script approved by management.
This raises a broader issue: is CBA’s investment in AI and automation truly about improving security, or is it about reducing operational costs?
The evidence suggests the latter.
Automation has replaced human judgment in many customer-facing scenarios, but without delivering the sophistication needed to justify it.
In the end, customers are left dealing with a system that is simultaneously overbearing and ineffective, quick to block legitimate activity, slow to respond to real threats, and indifferent to the inconvenience it causes.
Security is essential in banking. But when it becomes excessive, inconsistent, and disconnected from real-world behaviour, it stops protecting customers and starts punishing them.
CBA’s challenge isn’t a lack of technology. It’s a lack of balance, and until that changes, its “advanced” systems will continue to feel anything but intelligent.
In the end I told them to get stuffed, at which of course the CBA employee, who was most probably overseas, said he was offended. There was no mention of the offensive way that the CBA treats its customers, especially ones who have traded with them for years and have no debt and no borrowing with the bank.