Compliance lessons: U.S. Senate report on HSBC AML failings
By Susannah Hammond
LONDON/NEW YORK, July 20 (Thomson Reuters Accelus) – The United States Senate Permanent Sub-Committee on Investigations has published a report into U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing using HSBC Group plc as a case history. The report does not detail enforcement action taken, though there are several likely fines being considered by a number of U.S. authorities regarding HSBC’s anti-money laundering (AML) failings; it is however a valuable insight into the operations and associated compliance, risk and AML issues arising in a global financial services firm. The detailed 300 page plus report makes a number of findings of fact, offers opinions and comment throughout and makes 10 recommendations, some aimed at HSBC and some aimed at the Office of the Comptroller of the Currency (OCC) which is HSBC’s regulator for AML in the U.S. HSBC is recommended to:
- Screen high risk affiliates
- Respect the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) prohibitions
- Close accounts for banks with terrorist financing links.
- Revamp travellers cheque AML controls
- Boost information sharing among affiliates
- Eliminate bearer share accounts, and
- Increase AML resources.
The OCC is recommended to
- Change its supervisory approach to AML deficiencies and align its practice with that of other federal bank regulators by treating AML deficiencies as a “safety and soundness” issue, rather than a consumer compliance matter
- Act on multiple AML problems by establishing a policy directing the Supervision Division to coordinate with the Enforcement and Legal Divisions to conduct an institution-wide examination of a bank’s AML program and consider use of formal or informal enforcement actions, whenever a certain number of “matters requiring attention” or legal violations identifying recurring or mounting AML problems are found through examinations.
- Strengthen AML examinations by citing AML violations, rather than just matters requiring attention, when a bank fails to meet any one of the statutory minimum requirements for an AML program, and, in addition, by requiring AML examinations to focus on both specific business units and a bank’s AML program as a whole.
Overall, from the Senate Committee’s report using HSBC’s approach to AML as a case study there are a number of compliance lessons for firms, both large and small, to consider.
HSBC is one of the biggest and most geographically diverse financial institutions in the world which has grown organically and by purchasing other firms. By most standards the business is complex. Complexity is not, in and of itself, a problem but it becomes an issue when the systems and controls infrastructure is not sufficiently well designed or resourced to manage the complexity effectively. A key element of system and controls is well resourced risk, compliance and AML functions which have sufficient specifically skilled employees deployed with appropriate authority to act. The report shows that HSBC sought for instance to cut costs, including AML and compliance costs, while the business was growing leaving AML and other risks unmanaged. In a similar vein HSBC bought a bank in Mexico which had “no functioning compliance programme”.
The bank in Mexico was known to be a high-risk entity in a high-risk jurisdiction but despite the fact it took more than three years and repeated attempts to introduce an appropriate control framework, HSBC’s Mexican bank was treated as low risk for AML purposes. Enormous volumes of business (the focus of the report being U.S. dollar-denominated business) flowed in and out of the various HSBC group entities around the world but it would appear that the sheer size and complexity of the business hindered a clear line of sight to both identifying risks themselves and then the ability to manage or offset those risks.
Firms need to ensure that no matter how large or geographically diverse the business becomes that risk management does not suffer. Further, given the speed of risk contagion, it is critical that firms are able to evidence to their supervisors that all potentially significant risks remain identified, managed and followed up no matter where in the world they arise.
In many ways culture and complexity are linked — a strong compliance culture would not permit a firm to become so complex that it out grew an appropriate systems and controls infrastructure. Throughout the report compliance issues are highlighted which call in to question the standing of the risk, compliance and AML functions within HSBC.
A U.S. compliance officer was exited for requesting additional resources, compliance and AML efficacy in Mexico was questioned while the local chief executive officer was promoted, HSBC group compliance appear to have only been able to give “advice” rather than to instruct action to be taken, inexperienced compliance officers were knowingly appointed to key roles, consultants were relied on to fill compliance knowledge gaps, when instructions to say close accounts were given it often took months to implement and issues highlighted by the OCC were repeatedly not remediated, to name but a few.
While the report gives selected highlights it paints a picture of a business where compliance was knowingly poorly resourced in terms of skills and numbers, the business routinely over-ruled risk-based decisions and a “please the client” approach was paramount. It is perhaps also telling that the head of group compliance at HSBC resigned during the Senate hearing which accompanied the publication of the report. This is not to say that HSBC took a decision to be deliberately non-compliant but rather that there would appear to have been more focus on keeping clients happy rather than promoting a compliant culture uniformly throughout the firm
Following the financial crisis and with regulators themselves under increasing pressure all financial services firms need to be able to demonstrate consistently that they have not only understood their regulatory obligations but have complied with them. Around the world regulatory obligations are not limited to knowledge of a particular rule-book but require sufficient skilled risk, compliance and AML resources, a strong, management-led compliance culture as well as the diligent follow up of any and all remedial actions found to be required. In a big complex firm this is easier said than done but it should be seen as nothing less than a core competency.
The report itself recommends that HSBC affiliates share more information amongst themselves and while this is specifically in the context of data on high AML risk clients and accounts the recommendation holds true in a much wider context. HSBC is one of the 29 globally systemically important financial institutions (G-SIFIs) as named by the Financial Stability Board (FSB) in November 2011. G-SIFI is not just about the management of the too-big-to-fail issue but also formalizing the development of international regulatory cooperation and data sharing. In simple terms, a key feature of the FSB’s work has been to open and encourage communication channels so that regulators around the world can share data on G-SIFIs operating in their jurisdictions and then use that shared pool of knowledge to better inform their local supervisory approach, including any additional prudential measures required.
It is more than likely that in future regulators will seek to share data at an early stage and then also seek to act on it in a coordinated manner. All firms and particularly those which are deemed to be G-SIFIs need to be aware of the genuine costs of widespread non-compliance. Whereas in the past regulatory issues and concerns could often be limited to and dealt with domestically, the contagion risk within global financial services firm groups seen at the height of the financial crisis has meant that the future will be one of supervisory sharing across borders.
This change in supranational supervisory approach should also drive a change in the dynamic of the governance and compliance of global firms themselves. In contrast to the report’s findings which found an approach which was “left in the dark by own colleagues” and sharing to be “guarded rather than automatic”, policies should be implemented, evidenced and controlled carefully whereby any, and all, substantive discussions with and information submissions to local regulators are shared within the global firm. This routine sharing should go down to the level of risk alerts regarding clients, accounts and products and should expressly include the closure of a business relationship for any kind of risk-related reason.
One global standard
In April 2012, HSBC announced internally the intention of the bank to use the highest global compliance standards for every HSBC affiliate. The internal note stated: “We must adopt and enforce the adherence to a single standard globally that is determined by the highest standard we must apply anywhere. Often, this will mean adhering globally to U.S. regulatory standards, but to the extent another jurisdiction requires higher standards, then that jurisdiction’s requirements must shape our global standard.”
In the view of the report the new approach “could represent a groundbreaking approach for the bank if it, in fact, pushes its affiliates toward uniform and high compliance standards.”
As a G-SIFI and as a truly global firm, HSBC’s decision to launch a single standard for compliance based on the highest standards around the world is ambitious but, if executed well, could set the benchmark for all G-SIFIs. Other firms which operate in a number of jurisdictions would be well advised to consider the ramifications of adopting a similar approach and should be prepared to discuss the concept with local regulators.
Undue regulatory forbearance or the lack of will by regulators to act, for whatever reason, has featured prominently in discussions of the supervisory response to the financial crisis. It has also featured heavily in the Senate committee’s report which criticized in detail both the OCC’s approach to and execution of AML supervision with regard to HSBC in the U.S. It is clear that undue regulatory forbearance helps no one — not the firm, not the regulator and not the jurisdiction in which compliance failings persist.
All firms should be aware that there is likely to be much less regulatory forbearance in future. Regulators are not only likely to insist on higher-quality and more detailed evidence to demonstrate how issues have been resolved on a timely basis but also to consider any issues found in a wider context. Firms need to ensure that they are geared up to respond to an increasingly intrusive and intensive supervisory approach. Having been criticized themselves, regulators are much less likely to be tolerant of any instances of repeat issues being found or lack of skilled dedicated compliance resources to be in place.
The scale of the U.S. Senate’s investigation is sweeping and a clear warning of a willingness to deploy substantial resources to consider risk, compliance and AML issues. During the course of the investigation multiple subpoenas were issued and more than 1.4 million documents were collected and reviewed including bank records, correspondence, emails, and legal pleadings. More than 75 interviews were conducted with officials at HSBC as well as with U.S. banking regulators. In addition, numerous briefings from HSBC legal counsel were received, inquiries with foreign banks initiated and experts on AML and terrorist financing issues consulted. It is to HSBC’s credit that it produced documentation and witnesses from around the world, including in particular documents for which it could have claimed privilege.
HSBC has again set another potential benchmark for other firms with regard to cross-border regulatory investigations. The FSB’s expectations with regard to regulators sharing knowledge amongst themselves is one thing but for a firm to cooperate so fully with an inquiry that it effectively waives privilege on a global basis has set a regulatory expectation for the future behaviour of other firms. While there are occasional redactions in the evidence referred to in the report it is clear that the HSBC handed over vast swathes of relevant information even when it did not paint the bank in a favourable light. Firms will need to factor in the impact of HSBC’s approach when setting their own strategy for responding to regulatory or other similar inquiries.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. <a href=”http://accelus.thomsonreuters.com/solut ions/regulatory-intelligence/compliance- complete/” target=_new”>Compliance Complete</a> provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)
(Susannah Hammond is a regulatory intelligence expert in the Compliance, Audit and Risk division of Thomson Reuters Governance Risk and Compliance; the views expressed are her own.)