Readers of this blog know that I strongly believe that the entire AML community (private and public sector) can benefit from studying the themes from enforcement actions.
No matter how dramatic the penalty, we need to remember that these actions are negotiated and what is public is never the whole story. Also, you won't benefit from just skimming an action; you need to go beyond summaries. Actually read the financial institution's response and compare the themes in the government's announcement to your own institutions' or clients' policies and procedures.
You can't simply throw up your hands and say the compliance obligations expected today are unattainable--learn from these situations.
Case in point--HSBC.
Reading and learning beyond the headlines
I leave to others the task of breaking down all of the documents from the Treasury's collective settlement announced this week. But I want to offer something you don't see mentioned very often--what the institution is doing in response to the action and has been doing for a period of time before the issuance of the fine, as well as the themes we must continue to address.
The comprehensive statement by HSBC is particularly compelling. This is both because of the acceptance by the bank of its past mistakes and its outline of how the institution has fundamentally changed and continues to address any deficiencies.
For example, the bank increased its AML spending nine-fold between 2009 and 2011. And there has been a ten-fold increase in AML staffing from 2010-2012. In addition, the bank exited a large number of correspondent bank relationships for risk reasons and dramatically changed the institution's overall control structure through changes such as creation of "a set of guidelines limiting business in countries that pose high financial crime risk." To ensure continued improvements, there is a five-year agreement with the Justice Department for an independent monitor to evaluate the bank's progress in implementing these and other measures.
A final note about HSBC's statement--the Justice Department also publicly stated that the institution's management has "made significant strides in improving 'tone at the top' and ensuring that a culture of compliance permeates the institution."
In the Treasury Department's statement on the action, the emphasis is on how AML compliance failures impact an institution's ability to detect and report suspicious activity, and on how that places law enforcement at a distinct disadvantage in combating money laundering, terrorist financing, transnational organized crime, and both domestic and global financial threats.
Reading between the lines here tells me what I firmly believe--that AML obligations are not an end in themselves; the goal is law enforcement support, not regulatory compliance. (Note: As I have mentioned many times before, the AML community needs to take advantage of government outreach that seeks recommendations on modifications or changes to the range of AML and related laws. This is as good a time as any.)
Themes to understand
While I won't suggest that all actions are similar, many bankers have told me that an enforcement action against a peer institution does not make anyone feel anything other than--"It can happen to any of us."
There are a number of reasons for this view and I'll tackle them in future blogs. But suffice it to say we need to call out the major themes from this action and try to learn and improve from these penalties.
Today's AML program needs qualified personnel with appropriate training on how the vast number of banking products present vulnerabilities for money laundering, financial crime, and a whole host of illegal activity.
With these complicated products comes a need for "enterprise-wide, risk-based assessments of potential money laundering risks" because a failure to effectively put those controls in place will negatively impact the effectiveness of transaction monitoring. The last failure harms law enforcement, as mentioned above.
Returning to product risks, it is clear (and has also been constantly emphasized in the FFIEC Examination Manual) that the AML community needs to wrap its arms around the ability of criminals to misuse:
- Prepaid cards
- Cash letters
- Banknotes
- Lockboxes
- Remote deposit capture, and
- Many other bank products and services.
No AML process can be effectively maintained without proper independent testing that determines where risks are located and a proper notification of management of any discovered deficiencies.
There is more to understand in this week's actions. So continue to review, study, and perform gap analysis.
If you handle these announcements well, you will be able to say, "Don't Bring Me Down"* because I will learn from this.
* Jeff Lynne, one of the most underappreciated music producers of the last 30 years and known for his work with George Harrison and the Traveling Wilburys, among many others, wrote this song for his group--Electric Light Orchestra, or ELO.
For further reading, the November Banking Exchange contains a feature article by contributing editor Nancy Derr-Castiglione--who co-authors the Common Sense Compliance blog--on lessons from a number of recent enforcement actions issued prior to HSBC. Don't miss it!
Disclaimer: John Byrne's views do not necessarily reflect those of the American Bankers Association.