HSBC, one of the grande dames of international banking, celebrates its 150th anniversary on March 3. The bank is not celebrating much else these days.

HSBC published 2014 financial results last week that impressed nobody: profit down 17 percent, driven largely by regulatory fines and penalties last year totaling $2.4 billion. CEO Stuart Gulliver spent part of his earnings announcement apologizing for HSBC’s Swiss private bank unit, under investigation for helping customers to evade taxes. Gulliver himself had one such account in the 2000s, adding to criticism of his tenure.

In November 2014, HSBC’s Swiss unit agreed to pay $12.5 million to the Securities and Exchange Commission for failing to register before providing cross-border brokerage and investment advisory services. Two months earlier, the bank paid $550 million to the Federal Housing Finance Agency to resolve allegations that it misrepresented the quality of mortgage-backed securities. The Commodity Futures Trading Commission is investigating whether the bank is guilty of manipulating the price of metal commodities. International regulators are eyeing HSBC as they investigate LIBOR and foreign currency manipulations.

Digging further back, HSBC paid $1.9 billion in 2012 to settle charges with the U.S. Justice Department for anti-money laundering and sanction violations. Earlier in the year its then chief compliance officer, David Bagley, resigned right in the middle of a Senate hearing into HSBC misconduct.

How does a good bank fall into such dire straits? The problem, experts say, is the perilous intersection of rapid growth and insufficient internal controls.

The original sin committed by HSBC, banking experts say, was growing too fast, diversifying too broadly, and lacking the internal controls needed to protect itself. International expansions grew the bank from $47 billion in assets under management in 1980 to $2.5 trillion by 2008. As the Justice Department pointed out in the DPA, the bank’s compliance program failed to grow and evolve in lockstep. Foreign subsidiaries were run independently by managers who, critics say, were allowed to ignore corporate mandates and standards if doing so helped them grow their business.

“There was a failure to communicate across business lines,” says Stephen King, compliance director for Boston-based consulting firm Wolf & Co. “They had a whole bunch of analysts reviewing transactions and relations, but they were not looking at things from a global perspective. You had various business lines and functionalities within HSBC that were not sharing information or communicating potential threats back to the parent.”

“You had various business lines and functionalities within HSBC that were not sharing information or communicating potential threats back to the parent.”
Stephen King, Compliance Director, Wolf & Co.

“You have to evaluate an entity’s relationships throughout the entire bank, including transactions, customer profiles, relationships, and types of transactions being conducted,” he adds. “HSBC was good at analyzing the components. What it didn’t do was correlate those components to give them a holistic risk profile.”

That lack of an enterprise-wide view, King says, is a problem for banks of all sizes amid pressures from the commercial side of the house to grow revenue, often at the expense of governance, compliance, and risk programs.

HSBC has taken a variety of actions intended to resolve its failings and satisfy regulators. Many were required by a five-year deferred-prosecution agreement with the Justice Department that was finalized in 2013.The bank separated its legal and compliance teams; subjected executive pay to clawback provisions; exited high-risk businesses, shed more than 100 correspondent relationships; and is leaving risky geographies by the dozens.


The following is from the 2012 deferred prosecution agreement between HSBC and the U.S. Department of Justice. It details compliance improvements pledged by the bank.
The HSBC Parties have taken, will take, and/or shall continue to adhere to, the following remedial measures:

As a result of its AML violations and program deficiencies, HSBC North America and HSBC Bank USA “clawed back” deferred compensation (bonuses) for a number of their most senior AML and compliance officers, to include the Chief Compliance Officer, AML Director and Chief Executive Officer.

HSBC Bank USA has reorganized its AML department to strengthen its reporting lines and elevate its status within the institution as a whole by separating the Legal and Compliance departments; requiring that the AML Director report directly to the Chief Compliance Officer; and providing that the AML Director regularly report directly to the Board and senior management about its Bank Secrecy Act and anti-money laundering program.

The bank has revamped its KYC program and now treats HSBC Group Affiliates as third parties that are subject to the same due diligence as all other customers.

HSBC Bank USA has implemented a new customer risk-rating methodology based on a multifaceted approach that weighs the following factors: the country where the customer is located, the products and services utilized by the customer, the customer’s legal entity structure, and the customer and business type.

The bank has exited 109 correspondent relationships for risk reasons.

The bank has a new automated monitoring system that monitors every wire transaction that moves through HSBC Bank USA. The system also tracks the originator, sender and beneficiary of a wire transfer, allowing HSBC Bank USA to look at its customer’s customer.

HSBC Group has simplified its control structure so that the entire organization is aligned around four global businesses, five regional geographies, and 10 global functions. This allows HSBC Group to better manage its business and communication, and better understand and address risks worldwide.

Since January 2011, HSBC Group has begun to apply a more consistent global risk appetite and as a result has sold 42 businesses and withdrawn from nine countries.

All HSBC Group Affiliates will, at a minimum, adhere to U.S. anti-money laundering standards.

The Head of HSBC Group Compliance has been given direct oversight over every compliance officer globally, so that both accountability and escalation now flow directly to and from HSBC Group Compliance.
Source: Justice Department.

HSBC’s most recent response to its past, and current compliance woes, was a statement released to the media in February. It explains that the Swiss private bank, acquired in 1999, “was not fully integrated into HSBC, allowing different cultures and standards to persist.” “The compliance culture and standards of due diligence...were significantly lower than they are today,” it says. Clients are now required to affirm they are in compliance with tax obligations and there are “strict controls” on withdrawals over $10,000. The bank also pledged to continue efforts to maintain “a robust, sustainable anti-money laundering and sanctions compliance program.”

Without question, HSBC also poured money into hiring new compliance and risk-management professionals. From 2012-2013, the bank increased that specialized staff to 1,750; as 2014 drew to a close, the bank was well on its way toward a goal of 7,000 employees. Still, observers say quality of staff is just as important as quantity.

“The solution is not just manpower, although lack of manpower can certainly create problems,” says Ed Wilmesherr, a banking expert with the law firm Butler Snow. “It’s a balancing act. You have to have enough people, but they have to be trained in the necessary procedures. They have to know what their part of the puzzle is–what their job is–and go out and do it. Then there has to be monitoring and follow-up, including testing to make sure everything runs the way it is supposed to.”

“Too many banks and financial institutions think of their compliance people as administrators or clerks who check boxes, rather than subject matter experts of a dynamic new profession that arose because other gatekeepers before them failed to find and fix the problems,” says Donna Boehme, principal with the consulting firm Compliance Strategists.

HSBC’s initial reforms “were striking and showed real strategic thinking and promise,” Boehme says. She applauds how, post-DPA, HSBC restructured compliance, “giving it line of sight and seniority and raising its chief compliance officer to the rank of its top 50 managers.”

That being said, the “follow-through has been very disappointing,” Boehme says. “They have succumbed to throwing money at the problem without much thought to empowering and positioning the function for success.” For example, the bank’s hiring of former MI5 and drug enforcement agents “ignores the need for demonstrated subject matter expertise and looks like it was driven by a hope to impress regulators, the media, and stakeholders with their magical thinking,” she says.

Boehme fails to see “any real professional subject matter expert in a position to advocate for a strong compliance program, or with any experience in how to do it,” adding that “maybe they hope that with high-profile stars in place, everyone can join hands and sing ‘Kumbaya’ to make it all happen.”

So long as internal controls are weak, scattered, and prone to failure, big banks will continue to have problems, says Ed Wilson, a partner with the law firm Venable and former acting general counsel at the Treasury Department. His advice:

Leadership starts at the top, and the board should direct an independent review of its own internal control policies and those of its organization.

Train to the controls. The board should set the example by ensuring that its structure, procedures, and actions reinforce the company’s internal controls.

A regular audit cycle should focus on compliance with internal controls and effectiveness of the controls.

Banks grow, in both size and complexity, implementing those controls is increasingly difficult. Systems for even the most basic functions, like depositor information, might be siloed among units, and diversity at the operational level can therefore impede the detection of money laundering and corruption risks. “You can’t just put in one set of compliance procedures, because they have to match the operational procedures,” Wilson says.


“We can all agree that, in a perfect world, there are things that institutions of all sizes should already be doing,” says John Bowman, a partner in Venable’s financial services group and former acting director of the Office of Thrift Supervision. “The fact that a regulator has to write them down is an expression of their concerns about how the world works.”

“How hard it is it to bring disparate cultures together? You’re talking different lines of business different cultures, different regulatory overlays. Wow, is it hard,” Wilson says of the challenge HSBC faces.

[Disclosure: Wilmington PLC, the parent company of Compliance Week, provides training services to HSBC in another line of business it owns.]