07 April 2014

Audit of the Central Movement Alert List

Belatedly catching up with the 136 page Australian National Audit Office (ANAO) Management of the Central Movement Alert List: Follow-on Audit report [PDF].

The Central Movement Alert List (CMAL) is a border electronic watch list
containing information about individuals who pose either an immigration or national security concern to the Australian Government as well as information on lost, stolen or fraudulent travel documents. It is an integral part of Australia’s layered approach to border security, identifying people of concern prior to their arrival at the border. 
CMAL is managed by the Department of Immigration and Border Protection (DIBP). Other  agencies  with an interest in CMAL include the Australian Security Intelligence Organisation (ASIO), Australian Customs and Border Protection Service (Customs), Australian Federal Police (AFP)  and Department of Foreign Affairs & Trade (DFAT).

The report notes that
Australia’s universal visa system requires non-Australian citizens or permanent residents intending to enter or transit through Australia to obtain either a visa or an Electronic Travel Authority. All travellers entering Australia are therefore checked against CMAL, usually at several points along the travel pathway and generally at some distance from the physical border. CMAL information is also taken into account when DIBP assesses applications for Australian citizenship. 
Passenger movements into and out of Australia are increasing annually: from approximately 17 million per annum in 2000–01 to almost 30 million in 2011–12. This number is expected to rise to 50 million per annum by 2020. DIBP will need to have the capability and capacity to meet the challenges presented by these expected demands.
CMAL comprises two databases -
  • the Person Alert List (PAL), which stores the biographical details of identities of concern. As of 30 November 2013 it contained 683,287 primary identities. 
  • the Document Alert List (DAL), which is a list of lost, fraudulent or stolen travel documents. As of 30 November 2013 it contained 969,320 travel documents
CMAL is reported by ANAO to have  "generated 306,509 potential match cases per month on average, which resulted in 174 415 true matches between November 2012 and November 2013". Using name matching software, the CMAL system queries its data holdings and identifies and presents potential or likely matches for assessment by Border Operations Centre (BOC) staff.

PAL records are categorised according to the alert reason code (ARC), i.e. the reason for listing the identity. There are 19 ARCs with each being categorised as high, medium or low risk. The national security ARC comprises approximately half the PAL database. ARCS include Interpol listings of serious criminals, United Nations travel sanctions, and lists regarding war crimes and weapons of mass destruction.

Generally Australian citizens are free to enter and leave Australia at will. In 2008 there were 772 Australians listed on MAL; by May 2013 the number of Australians listed on CMAL was down to 172.  Listings of adult Australians are confined to three ARCs only: national security, organised immigration malpractice and ‘surrender Australian travel document’. ANAO notes that  approximately 10,500 children are listed on CMAL, e.g. for child custody concerns or because they simply a member of a family.
For example United Nations travel sanctions will apply to the whole family, and DIBP lists children where there is a debt to the Commonwealth but that debt may have been incurred by a parent. Just over 2,500 children are listed under health concerns and almost 3,000 children are listed under child custody concerns. In addition, 1,315 children are listed on CMAL for debts to the Commonwealth. 
In assessing visa or citizenship applications the DIBP decision maker must take CMAL information into account

ANAO comments that
CMAL was introduced progressively in 2008 and 2009, replacing the previous decentralised Movement Alert List (MAL) system as the operational database. Successive reviews of MAL had judged it to be conceptually sound, but had also identified a number of operational and management deficiencies. The Wheen review, undertaken in 2003, in particular found that:
  • there was an increasing number and proportion of data deficient alerts, emphasising the need for effective quality assurance processes; 
  • effective reporting was needed to promote awareness of MAL’s performance and to manage the business to achieve optimal outcomes; 
  • future management arrangements should include quality assurance processes to monitor and analyse trends and patterns of data, as well as feedback from users; 
  • MAL had become a system serving the whole of government and an inter-agency forum should be established to consider agencies’ interests in the operations and future directions of CMAL; 
  • negotiation of a formal understanding with ASIO to establish the extent of DIBP’s responsibility for the acceptance of and processing of national security alerts; and 
  • ‘instructions’ to be developed covering the limited circumstances in which it would be appropriate to record Australian citizens on MAL.
The Wheen review also identifed the future need for MAL to have the capability to incorporate new technologies, such as biometrics as valuable additions in the identification of people of concern. 
 ANAO's  2008–09 performance audit of the management of the MAL indicated that "the lack of strategic or management planning for the database and the poor quality of the data contained within it, particularly its ‘completeness, quality and currency’, compromised the system’s effectiveness".

In its latest report ANAO characterises CMAL as "a key instrument" -
used to manage the entry into and presence in Australia of non-citizens who are of concern for immigration or border security reasons. CMAL information is taken into account when a person applies for a visa to come to Australia, to cross its borders, or applies for Australian citizenship. 
ANAO found that -
  • CMAL works effectively at an operational processing level. Centralised data input has seen the overall data quality of CMAL improve, particularly for more recent records and around 92% of records now meet DIBP’s minimum data standards. System updates have also delivered improved technical functionality and DIBP’s centralised data matching expertise, together with upgraded data matching rules, now provide a high degree of data matching accuracy. 
  • DIBP has also developed a close and effective relationship with its key external stakeholders, particularly ASIO and Customs. 
  •  DIBP’s strategic management arrangements for CMAL still require development. There has been no strategic planning undertaken to guide the future direction of CMAL nor is there a clearly stated strategic objective for CMAL. Whole-of-government discussions have taken place in recent years to develop an integrated border security alert capability, through the establishment of a National Targeting Centre, that will have ramifications for the operation of CMAL. 
  • DIBP needs to consider how it will manage CMAL in the years ahead for its own immigration purposes. In particular, technological advances in biometrics now make identification of individuals less dependent on biodata and intelligence gathering. 
  • The ownership of CMAL data and consequential responsibility for data quality and integrity are unresolved issues. Addressing these issues, at both the data input stage and through the ongoing review of CMAL records, is important for the operational effectiveness and longer term sustainability of CMAL. 
  • Until DIBP develops cost effective arrangements to measure CMAL’s outcomes and its impact on visa and citizenship decisions, the department will not be in a position to report on the system’s outcomes and its contribution to Australia’s border security arrangements. 
  • Progress in implementing the recommendations in the 2008 audit report has been slow. Of five recommendations in the 2008 audit, only two have been implemented, so that: 
  • there is no plan for the population, maintenance and review of the database, 
  • performance reporting, particularly to demonstrate where CMAL has contributed to the reason for decisions in visa and citizenship applications, is not routinely undertaken 
  • systems quality assurance reporting mechanisms have not been finalised 
  • agreed formal reporting arrangements between DIBP and Customs  remain the subject of negotiation. 
  • Given the centrality of CMAL information, there is a compelling case for the department to provide a stronger focus on its strategic positioning, in particular CMAL data ownership and quality control and performance reporting. 
The ANAO notes that
Despite CMAL’s significance to border security, DIBP still does not routinely collect performance information on the role CMAL plays in visa and citizenship decisions. 
In 2010, DIBP undertook an exercise to assess CMAL’s effectiveness in the context of visa and citizenship applications, where it was possible to identify that CMAL information was a factor in the decision making process. This process was largely manual and resource intensive. The exercise identified that, between November 2008 and October 2010, 201,532 individual clients had been matched to an alert. In 78% of these cases (156,520), the decision maker chose not to seek an override and declined the citizenship or visa outcome. In 22% of cases (45,012), the decision maker chose to override the red status and continue the visa or citizenship application process. 
This exercise provided helpful performance information about the extent to which CMAL information had been a factor in visa and citizenship decsions. However, it has not been repeated and, in the absence of any alternative arrangement, there is no information available to provide insights into CMAL’s current contribution to Australia’s border security arrangements. While recognising there is a cost associated with collecting such information, there would be benefit in DIBP building on this baseline data and investigating stream-lined and cost effective options for obtaining information about CMAL’s contribution to Australia’s border security. This information would assist DIBP to better advise the Government and Parliament and also provide a basis for more informed decision making in relation to CMAL.
ANAO comments that DIBP investigates "missed matches if and when they come to light".
From January 2010 until February 2011, nine missed matches were detected and individually investigated, with reports going to the Secretary and the Director-General of ASIO. 
In all instances, the missed matches were the result of human error and changes were made to BOC procedures.
It refers to
analysis of override data, which is where the decision maker, having checked CMAL, decides to proceed with the visa or citizenship application, notwithstanding the information contained in CMAL. The ANAO analysis of override data showed that low and medium risk ARCs were overridden more frequently than high risk ARC alerts, a finding indicative of a system working effectively. The override data also shows that some alerts have consistently high rates of overrides, suggesting that their ongoing inclusion in CMAL could warrant review by DIBP. For example, since 2011, alert matches for debts to the Commonwealth have been overridden by decision makers in over 55% of cases.