AML Compliance Back in the Spotlight

Well, one explosive report about drug cartels and terrorist groups funneling money through U.S. banks, plus one compliance officer announcing his resignation during a U.S. Senate committee hearing, and presto—anti-money laundering efforts, and the lack thereof, are back in the news.

The specific bank on the anvil of public discontent right now is HSBC, the subject of a year-long investigation into allegations that Mexican drug cartels and terrorist groups used the bank for money laundering. That led to a hearing on July 17 by the Senate Permanent Subcommittee on Investigations, where HSBC compliance chief David Bagley announced that his head would be among the first to roll. It is not likely to be the last; the Justice Department has also initiated criminal investigations.

HSBC subsequently announced it will set aside $700 million to cover any fines, settlements or legal fees it might incur from the Senate investigation. That is on top of $1.3 billion earmarked to cover fallout from separate allegations that it improperly sold “payment protection insurance” to customers in the United Kingdom.

In a statement on July 30, HSBC Group Chief Executive Stuart Gulliver promised that, going forward, HSBC will be managed "as a genuinely global firm, making it easier to set, monitor, and enforce standards.”

“Our central compliance team, whose role in the past consisted primarily of giving advice, can now control and enforce these standards,” he said of the shamed institution. “And we are driving a change in culture so that our conduct matches our values.”

Banking regulators aren't in good standing right now either. Senate investigators found that HSBC's primary regulator, Office of the Comptroller of the Currency, took exactly one enforcement action against the bank in 2010—despite finding scores of “matters requiring attention” in the previous six years. The 2010 enforcement was to cite HSBC for numerous severe AML deficiencies, including a failure to monitor $60 trillion in wire transfer and account activity and a backlog of 17,000 un-reviewed account alerts regarding potentially suspicious activity.

“This is bigger than a single report on a specific bank,” says Amir Orad, CEO of NICE Actimize, a provider of risk and compliance software for the financial services industry. He says the outcome of this investigation creates a “seismic shift” in the way that AML will be regulated in future. It can no longer be treated as a consumer compliance issue; it's now a systemic issue.

That will mean more pressure from regulators on banks, an expectation of faster responses when regulators do come knocking, a wholesale review of current standards, and an “institution-wide” approach to bank examinations.

“The bar is being raised every day when it comes to compliance,” Orad says, because AML touches upon issues that are politically charged and headline-grabbing: terrorism, international sanctions, drug money, and tax evasion.

The global nature of modern banking will only make that regulatory enforcement, and compliance department oversight, more difficult.

“Even if you had a single global regulation, which is certainly not the case, you have to successfully [manage compliance] in different countries with different cultures, languages and behaviors,” Orad says. “That is an operational nightmare for a very large bank. Enforcement is more complex. You have a customer who is in Switzerland, opening an account in the U.K., managing the cash in New York, and taking money from an ATM in Brazil. How do you handle that? Who owns that? That's why a holistic view is so important.”

Justin Fuller, a director at Fitch Ratings, expects that the increased visibility of regulatory oversight will likely be accompanied by an uptick in fines levied against banks. Regulatory costs will also push higher as banks re-evaluate and ramp up their AML compliance efforts. Fuller also expects that financial firms of all sizes will feel the pinch of accelerated regulatory scrutiny, not just big banks.

Old National Bank, for example, a lender in rural Indiana with roughly $10 billion in assets, disclosed on July 20 that it entered into a consent order issued by the OCC over its need to step up compliance with AML regulations. Old National will be required to implement a program to identify Bank Secrecy Act risks, focusing on the need to improve its risk management processes in obtaining and analyzing customer due diligence information.

While compliance costs are significant but manageable for large banks, they can be tougher to absorb for smaller institutions, especially as they also face increasing regulatory costs associated with the Dodd-Frank Act and international capital and liquidity regulations. These costs will continue to weigh on overall bank profitability and possibly harm credit availability.

“Even if you had a single global regulation, which is certainly not the case, you have to successfully [manage compliance] in different countries with different cultures, languages and behaviors. That is an operational nightmare for a very large bank.”

—Amir Orad,

CEO,

NICE Actimize

“Already you've got smaller banks that are at a competitive disadvantage because they don't have enough scale given their cost structure,” Fuller says. “This will make it difficult to operate at the profitability levels they have historically had.”

Fuller says compliance necessities will manifest themselves in additional hiring.

“Head counts may remain flat, but there is a lot of hiring going on in compliance, which is a cost, and not so much in revenue-generating areas,” he says. “Ultimately, for the industry, does it mean that smaller banks have to get together and merge to get better scale? Probably.”

Henry Balani, managing director of BankersAccuity, a firm that specializes in software and consulting for the banking industry, expects increasing regulatory focus on institutions that try to side-step sanctions.

For example, as the registrar for the American bankers Association, BankersAccuity provides and oversees the routing codes used by every bank in the United States. “Wire stripping” removes references to prohibited nations during wire transfers, to avoid filters that detect when a transaction involves a prohibited government. That was one of the charges leveled at HSBC. Along similar lines, Dutch bank ING paid $619 million in June to settle charges that it shifted billions of dollars through U.S. institutions for customers in Iran and Cuba since the 1990s.

Get Help

Guidance offered by the OCC, Securities and Exchange Commission, Financial Industry Regulatory Authority, and the Commodity Futures Trading Commission all explain the basics that firms need to follow for AML compliance. Those suggestions include a detailed study the Patriot Act and Treasury Department rules and regulations regarding AML programs for financial institutions.

AML LAWS

The following is an excerpt from the report “U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, prepared for the U.S. Senate's Permanent Sub-committee on Investigations.

AML laws are not intended to protect bank customers or the bank; they safeguard the U.S. financial system and the nation as a whole.

As the regulator of nationally chartered banks, which are among the largest, most complex, and global of U.S. banks, the OCC plays a critical role in ensuring AML compliance. It is the OCC that needs to ensure the U.S. affiliates of global banks function as well-guarded gateways that keep out risk rather than invite it in.

To fulfill its AML obligations, the OCC needs to strengthen its AML oversight and revamp its AML supervisory and enforcement approach to bring them into closer alignment with other federal bank regulators. Five reforms are key.

First, it should treat AML deficiencies as a matter of safety and soundness, not consumer protection, and ensure ineffective AML management is taken into consideration when assigning a bank's CAMELS [Capital adequacy, Asset quality, Management quality, Earnings, Liquidity, Sensitivity to market risk] management and composite ratings.

Second, the OCC should allow its examiners to cite violations of law for individual pillar violations as well as program-wide violations.

Third, the OCC should ensure that narrowly focused examinations are considered in tandem with examinations that take a holistic view of a bank's AML program.

Fourth, the OCC should make more use of informal enforcement actions and reconsider its standards for issuing formal enforcement actions to compel AML reforms. Finally, the OCC should instruct its Examiners-In-Charge to accurately reflect AML examination findings, without turning them into such mild recommendations that they mislead bank management into thinking their AML programs are functioning well, when they are not. Many OCC examiners see the problems; it is OCC supervisors and enforcement that need to act to strengthen the OCC's AML oversight efforts.

Source: U.S. Senate's Permanent Sub-committee on Investigations.

Beyond those basic instructions, specific regulations exist for mutual funds, credit card companies, exchange-based broker-dealers, insurance companies and any company involved in the sale and purchase of precious metals, gems and minerals. Among the requirements is ongoing training for employees on AML compliance and the red flags they need to watch for. An independent audit is required to test and document the existing AML program and BSA compliance.

And not only banks are under the money laundering spotlight.

As of August 13, for the first time, all non-bank residential mortgage lenders and originators will be required to establish an AML program and file both mandatory and voluntary suspicious activity reports (SARs) with the government through an e-filing system established by the Treasury Department's Financial Crimes Enforcement Network (FinCEN). These firms will be required to designate a compliance officer and develop independently audited policies, procedures, and controls.

A client advisory by the law firm Ballard Spahr offers detail on what steps these firms need to take. AML policies, procedures, and controls need to be overseen by a compliance officer and approved by the board of directors or similar governing body. These policies must delineate the responsibilities of each management position, and procedures for handling wire transfers and financial instruments.

The SAR policy must detail when such a report is required, and by whom. Procedures for monitoring suspicious activity and handling requests from law enforcement and regulators must be detailed.

Requirements under the Patriot Act also require the establishment of a customer identification program (CIP), procedures for conducting customer due diligence (CDD) and enhanced due diligence (EDD). Firms must also have a system in place to monitor and update the specially designated nationals (SDN) list, which details nations facing U.S. sanctions.

Ultimately, what will protect an entity goes beyond the technology, policies and systems put in place.

“If you don't have a culture of compliance that is pervasive throughout your organization; if you look at profit first and risk second—you're going to have an issue,” Balani says. “If HSBC had a culture of compliance, they would have first looked at potential risk and, if it was in doubt, not take on that business. Instead, they had managers who said, ‘I want that business at any cost, I don't care how risky it is.' You've got to be able to establish a culture of compliance in any organization or it doesn't matter what systems you have.”