The global business press has widely covered the US$1.9b fine against HSBC for AML related problems in the United States.
Financial firms the world over a very curious about this case. It also comes hot on the heals of another settlement for a smaller amount involving Standard Chartered.
FINCEN has filed in court its "Assessment of Civil Money Penalty" in relation to some US$500m of the $1.9b fine. Some interesting extracts of that filing are set out below:
[HSBC] provided a full range of consumer and commercial products and services to individuals, corporations, financial institutions, non-profit organizations, and governments in the United States and abroad, including in jurisdictions with weak anti-money laundering and counter-terrorist financing (“AML/CFT”) controls. [HSBC] did not effectively conduct enterprise-wide, risk-based assessments of potential money laundering risks, given its products, clients, and geographic reach, and [HSBC] failed to adequately identify potential money laundering vulnerabilities. The Bank’s failure to adequately assess risk negatively impacted the effectiveness of its transaction monitoring, which already suffered from additional systemic weaknesses.
Some of the Bank’s products and services involved significant anti-money laundering risks, including but not limited to: correspondent accounts, embassy banking, wire transfers, automated clearinghouse (“ACH”) transfers, banknotes, lockboxes, clearing of bulk traveler’s checks, bearer share accounts, pre-paid cards, foreign exchange, cash letters, international pouch activity, and remote deposit capture. [HSBC] failed to take appropriate steps to adequately assess the AML/CFT risks posed with respect to many of its products and services.
For instance, the Bank failed to manage money laundering risks associated with its pouch services and did not provide for appropriate controls and monitoring to address the underlying risks posed by this transaction activity. In one example, until November 2008, the Bank cleared traveler’s checks received from a foreign respondent bank without monitoring systems in place that were reasonably designed to detect, investigate, and report evidence of money laundering. Several individuals purchased sequentially numbered traveler’s checks at a Russian bank in transactions totaling more than $290 million over several years. These traveler’s checks were signed in a uniform illegible scrawl and made payable to approximately 30 different customers of a Japanese bank. The Japanese bank was a [HSBC] correspondent customer and for several years regularly delivered multi-hundred-thousand-dollar batches of these sequentially numbered traveler’s checks to [HSBC] via pouch. During the relevant period of time, [HSBC] knew or should have known that uniformly signed, sequentially numbered traveler’s checks in such high volume are a money laundering “red flag.”
The Bank’s written policies, procedures, and controls did not effectively risk rate customers. The Bank’s risk rating methodologies were not designed to evaluate customers based on specific customer information and balanced consideration of all relevant factors, including country/jurisdictional risk, products and services provided, expected transaction volume, and nature of customer profiles. Failure to consistently gather reasonably accurate and complete customer documentation undermined the Bank’s ability to conduct customer risk assessments. These deficiencies prevented the Bank from performing adequate analysis of the risks associated with particular customers and from determining whether transactions lacked an apparent business or lawful purpose or fell within the particular customer’s normal and expected range of conduct.
The Bank lacked adequate country risk rating processes reasonably designed to capture readily available information about countries’ AML/CFT risks and failed to ensure uniform compliance with risk rating standards through complete internal reviews. The Bank lacked a precise structure to ensure systematic country risk assessments, including updates, as prudent and necessary, which resulted in [HSBC] making inappropriate country risk assessments in some instances. The Bank used four labels (“standard,” “medium,” “cautionary,” or “high” risk) to identify a country’s anti-money laundering risk. From 2002 until 2009, [HSBC] rated Mexico as having “standard” anti-money laundering risk, the lowest of the Bank’s four possible country risk ratings, despite publicly-available information to the contrary. In 2006, the Financial Crimes Enforcement Network issued an advisory, FIN-2006-A003, notifying financial institutions of the potential threat of narcotics-based money laundering between Mexico and the United States. In addition, the United States Department of State International Narcotics Control Strategy Reports dating back to 2002 have consistently rated Mexico as a country of primary concern for money laundering and financial crimes. The inappropriate country risk rating, together with other AML/CFT deficiencies, including the monitoring failures described below, resulted in [HSBC] failing to identify and thereby facilitating the flow of illicit proceeds between Mexico and the United States.
[HSBC] failed to implement and maintain an adequate transaction monitoring regime reasonably designed to detect and report money laundering and other illicit activity. The transaction monitoring procedures failed in a number of ways, including but not limited to:
(1) The Bank’s transaction monitoring procedures governing the review of foreign correspondent account wire transactions excluded from review transactions originating from countries that the Bank had risk rated less than “cautionary” or “high,” with limited exceptions. This policy excluded approximately $60 trillion per year from review. In addition, the Bank’s transaction monitoring procedures governing the review of foreign correspondent account wire transactions were ineffective when [HSBC], in 2008, summarily cleared more than 4,000 unaddressed alerts after changing a country’s risk rating from “cautionary” to “medium.” Subsequent delayed reviews of thousands of backlogged or cleared alerts resulted in [HSBC] filing hundreds of suspicious activity reports more than a year after the underlying transactions, which totaled in the billions of dollars.
(2) The Bank’s transaction monitoring procedures failed to provide for effective monitoring of bulk cash movements, which were reviewed manually. From mid-2006 through mid-2009, the Bank did not perform automated and effective monitoring on banknote (bulk cash) transactions conducted with HSBC Group affiliates, including taking delivery of more than $15 billion in U.S. currency, relying on manual targeted and quarterly reviews. The absence of effective bulk cash monitoring placed [HSBC] at risk of receiving illicit proceeds. The Bank’s failure to collect or maintain customer due diligence information regarding any HSBC Group affiliates with correspondent accounts at the Bank, including types of customers in Mexico and other high-risk jurisdictions, also thwarted the Bank’s ability to effectively monitor affiliates’ transactions and to determine if actual activity was commensurate with expected activity and/or lacked an apparent business or legal purpose. [HSBC] exited the banknote (bulk cash) business in 2010.
(3) The Bank’s transaction monitoring procedures relied heavily on manual transaction reviews. Despite such reliance, the Bank’s department responsible for investigating suspicious activity alerts was severely under-staffed, resulting in thousands of unprocessed (“backlogged”) alerts. Furthermore, staff often cleared alerts without adequate review.
(4) [HSBC] did not acquire an automated system equal to the needs of the Bank, i.e., a system with sufficient capacity to support the volume, scope, and nature of transactions conducted by and through [HSBC], until April 2011. It took another year for [HSBC] to validate the system for effective detection of suspicious activity.
(5) [HSBC] did not adequately integrate subpoenas and Section 314(a) information sharing requests into automated transaction monitoring to identify and report potential suspicious activity associated with these inquiries, as appropriate and practical.
For a number of years, [HSBC]’s Bank Secrecy Act compliance function suffered from an insufficient number of appropriately trained professionals responsible for coordinating and monitoring day-to-day compliance. [HSBC] did not have sufficient staff to review suspicious activity alerts resulting from the Bank’s monitoring processes. The Bank’s compliance staff was frequently unable to initiate and complete investigations and file complete and timely suspicious activity reports. In light of the global risk profile of [HSBC], Bank management failed to establish and maintain adequate staffing and continuity in the anti-money laundering compliance operation. Moreover, a corporate culture persisted at the Bank in the past that effectively denied compliance officials with the requisite authority over the business and account relationship business lines to manage the Bank’s risk profile.
In sum, [HSBC] failed to dedicate sufficient human and technological resources to meet its AML/CFT obligations. Such failures were repeatedly evidenced by the Bank’s deficient responses to adverse supervisory findings and mandates requiring it to implement effective measures to ensure the filing of accurate, timely, and complete suspicious activity reports and compliance with other Bank Secrecy Act requirements.
These are certainly very serious allegations that HSBC has consented to. It is worth noting however that there is a lack of case specific actual money laundering allegations as opposed to breakdowns in control processes. It would appear from all of the commentary on this issue that there were indeed a number of case specific money laundering issues that HSBC failed to appropriately deal with. Some more disclosure on these would be useful for other financial firms.
We did note that FINCEN is adamant that HSBC should have classified its Mexico related dealings as high risk. Banks would benefit greatly from either FATF or other international bodies having the guts to set out publicly what risk levels banks should adopt in relation to country risk. One of the great failings of FATF is how it now seems beholden to diplomatic protocols rather than its original mission to promulgate international standards in the fight against transnational crime.