Learning points from HSBC’s fine for AML failings

Even significant investment in systems has not been fully effective in reducing this risk and might not lead to the right regulatory outcomes. A hefty fine of nearly 64 million pounds (then-U.S. $84 million) imposed on HSBC by the U.K. Financial Conduct Authority (FCA) in December is a particularly potent example.

Why was HSBC fined?

The FCA’s decision  notice highlighted three areas with deficiencies related to systems and controls:

Scenario coverage: In particular “a failure to consider whether scenarios covered risk indicators faced by HSBC until 2014 and a failure to carry out timely risk assessments for the new scenarios rolled out after 2016.”

Parameters: Highlighting deficiencies regarding “thresholds set in such a way that it was almost impossible for the relevant scenarios to identify potentially suspicious activity” and “the inclusion of rules that suppressed instances of potentially suspicious activity prior to August 2016 and a failure to understand those rules.”

Data: Most notably “a failure throughout the relevant period to check the completeness and accuracy of data fed into [the bank’s] transaction monitoring systems.”

HSBC had taken significant steps to enhance its systems and controls, something the FCA took into consideration.

The fine the bank received will undoubtedly prompt many money laundering reporting officers to reflect on whether their firm could be similarly affected and whether the existing transaction monitoring process, system, and resourcing are sufficiently robust to withstand regulatory scrutiny.

What can firms do?

A gap analysis is a good starting point to attempt to “self-diagnose” and identify any potential new risk areas, considering whether the existing anti-money laundering/countering the financing of terrorism (AML/CFT) risk assessment can be enhanced to account for issues identified by the regulator and their potential significance to the firm’s overall systems and controls.

The key learning points from the enforcement action should be presented to the board of directors, together with the outputs from the gap analysis and initial recommendations for enhancing the systems and controls, if appropriate.

Effective utilization of the three lines model

It is important annual plans allow for event-driven changes to be made, including capacity to introduce new reviews or amend the scope of existing ones, following a significant enforcement action.

Given the complexity of the issues, it might also be appropriate for different teams to work together to review the systems, scenarios, and data feeds.

Although the HSBC fine related to the U.K. entity only, the FCA highlighted the fact that “HSBC was also put on notice of the potential weaknesses in this area in 2012 when the U.S. Department of Justice found that HSBC Group’s U.S. subsidiary failed to monitor wire transactions from Mexico,” according to its decision notice.

This makes it clear the regulator expected learning points from regulatory action in all jurisdictions should have been considered by all companies in the HSBC Group to enhance their systems and controls.

Although significant work had been undertaken already by the bank to address this, it appears not all issues were considered in sufficient detail. Interdependencies should have been looked at holistically, and the sheer complexity of the project led to insufficient coverage of some areas.

The same principle of learning from issues identified elsewhere in the firm might also be applied to any findings from assurance reports (i.e., compliance monitoring and internal audit), highlighting the importance of timely communication and management buy-in.

Underlining this point, in its recently updated “Financial Crime Guide,” the FCA recommended that ”financial crime risks are addressed in a coordinated manner across the business and information is shared readily.”

A reminder of the importance of recordkeeping

Large-scale remediation programs take time and are resource intensive. Following enforcement action in the United States, HSBC commenced its remediation program back in 2013, before the regulatory inspection leading to the fine.

Issues with data completeness, data accuracy, and quality; maintaining audit trails for decisions (for example, in relation of certain alerts); and complete client records (for example, correspondent banking) were all quoted in the enforcement action at the time.

While on their own any of the issues noted above might not have significantly increased risk exposure, their cumulative impact had a snowball effect, with far-reaching consequences.

Are firms adequately resourced to prevent financial crime?

”The risk-based approach means a focus on outputs,” the FCA stated on its website in guidance updated in November. “Firms that apply a risk-based approach to (AML) will focus AML resources where they will have the biggest impact.”

The regulator’s enforcement action against HSBC tested the practical application of this principle. It served as a timely reminder a firm cannot correctly ascertain its areas of risk and “blind spots” without sufficient resourcing being allocated to financial crime prevention.

The identification of areas that have the biggest impact is often a subjective judgement call, informed by experience. Compliance professionals and senior management are today increasingly aware the complexity of the tools required to fight financial crime requires the right blend of knowledge and skills.

In its Financial Crime Guide, the FCA provided the following example of good practice: “The firm bolsters insufficient in-house knowledge or resource with external expertise, for example in relation to assessing financial crime risk or monitoring compliance with standards.”

While not all firms will be able to increase the resourcing allocated to their financial crime high-risk areas, it is important to recognize fighting financial crime cannot be done on a shoestring.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.