US banking reports put compliance in the spotlight

The role and efficiency of the compliance function in financial institutions is targeted by two reports published by US regulators. The report by New York's Department of Financial Services (DFS) on Standard Chartered Bank described breaches of sanctions (primarily related to Iran) concerning $250 billion worth of funds. The report of the Senate Subcommittee on investigations into HSBC claimed the bank was involved in several billion dollars worth of money laundering, primarily involving fund transfers from Mexico into the United States.

Standard Chartered has put a line under its alleged malfeasance with a $340 million settlement and the agreement to install a monitor. HSBC is understood to be discussing a settlement closer to $1 billion. In both cases, the banks' chairmen have apologised and HSBC's global head of compliance, David Bagley, has also resigned. He said at the Senate committee hearing that "despite the best intentions of many dedicated professionals, HSBC has fallen short of our own expectations and the expectations of our regulators".

Key issues for compliance that surface from the report include the status of compliance in a financial organisation driven by deal-makers; the structure of compliance in fast-growing and globally located institutions; and the role of compliance in institutions linked to banks based or operating in countries black-listed by the US Office of Foreign Assets Control (Ofac). The two reports show compliance failures from which lessons need to be drawn quickly and implemented thoroughly.

The HSBC report points out that when a compliance function lacks power and status at the centre of a complex financial organisation, wrongdoing is all but inevitable. This was demonstrated at HSBC in the United States and Mexico.The global bank had failed to integrate and raise the standards of compliance inside a local Mexican bank it had acquired. This structural weakness meant that the group headquarters was not only unable to ensure its protocols were enforced, but also it received poor compliance data from the local operation on which it based its compliance decisions.

Sources inside the Senate subcommittee, speaking on condition of anonymity, said HSBC's capacity to answer to global regulators for its group compliance was compromised by the autonomy it allowed to compliance officers at a local level.

David Kwan, director of anti-money laundering (AML) product management at the online security provider Nice Actimize, says: "Both reports noted lapses in communications between compliance groups across jurisdictions. They also cited lapses in oversight of compliance not just in a particular jurisdiction, but overall. Many financial institutions are re-evaluating the oversight, the checks and balances, with regards to how their employees and analysts deal with AML."

HSBC has responded to the lessons of the report by reinforcing its compliance team (the Senate subcommittee had earlier noted it was very severely underpowered) and pulling it under the global umbrella in the wake of the original Senate investigations. However, observers argue that the lesson of the report is that the status of compliance needs to enhanced by giving greater authority and a board position to the chief compliance officer.

Compliance at the bank's US operation was no more scrupulous than at its Mexican operation, although the evidence of money laundering risk was strong, the Senate report said. For example, the US bank cleared more than $290 million in bulk US dollar travellers cheques in less than four years for a Japanese regional bank, Hokuriku Bank, "despite evidence of suspicious activity". Cheques to the value of $500,000 or more each day in denominations of $500 or $1,000 between 2005 and 2008 were submitted in large blocks of sequentially numbered cheques, and "signed and countersigned with the same illegible signature".

The US Office of the Comptroller of the Currency prevailed on the US bank to investigate, and the bank found that the travellers' cheques were purchased by Russians from a bank in Russia, "a country at high risk of money laundering". The report also said that the Japanese bank "had little know-your-customer information or understanding of why up to $500,000 or more in bulk US dollar travellers' cheques purchased in Russia were being deposited on a daily basis into one of 30 different Japanese accounts of persons and corporations supposedly in the used car business".

Kwan expects banks to tighten control of some very basic banking products including travellers' cheques, bulk cash handling, anonymous accounts and stored value cards in the wake of the report. "Financial institutions will re-evaluate what they are doing from an AML compliance viewpoint. These include correspondent banking, private wealth management and private banking, and the payments group and cross-border payments systems," he says.

Certain areas of the financial industry have high potential for AML risk, Kwan adds. "Financial institutions are going to look at those areas. Some lines of business are more familiar with AML and won't get as much focus. Retail banking is one of the most mature areas for AML, with the Bank Secrecy Act issued in 1970."

Standard Chartered, meanwhile, has disputed the allegations, citing an exemption for funds originated offshore by non-Iranian banks and only passed through the US financial system in transit to other non-Iranian foreign banks. This exemption, says Standard Chartered, was in force during the period (between 1995 and 2008) when the activity occurred. Whereas the regulator has cited a figure of $250 billion of illegal transactions, the bank has claimed that it breached US sanctions on Iran with transactions worth no more than $14 million.

Perhaps more than the monetary issues arising from the Standard Chartered case is the question of how much oversight was given to the general counsel's alleged decision to work around a US executive order prohibiting US banks from converting Iranian wire transfers into dollars. John Allan James, executive director of Pace University's Centre for Global Governance, Reporting and Regulation, says: "An effective governance process would have dictated a review of the general counsel's decision and then some monitoring and testing of that decision, as should happen with all important policies and procedures.This type of review typically will enable the firm to ascertain when a course of action will break the law, which should be the general counsel's main concern, and when it will break the spirit of the law, a concern often within the compliance officer's remit." The structures for monitoring and testing the decisions of both the general counsel and the compliance officer must be there, but the compliance officer must be invited to the table, he adds.

The regulator described the use of disguises in making fund transfers involving Iran and said that these demonstrated a pattern of deliberate deception. The use of two classic layering techniques appeared to disguise the fact that the bank was handling money with an Iranian source. The first, called the ‘U-turn', involves sending a transaction involving a politically exposed country through a number of other jurisdictions so that it gives the appearance of having an uncontroversial source. The second, called ‘stripping', involves removing from the transaction documentation the name of a country that might raise a red flag with regulators.

The limitation of the compliance function is exposed by the two high-profile US cases, says David Porter, a senior analyst at information security specialist Primary Key Associates in the UK. "Compliance is easy in theory but the practice is harder. In theory you set out your policy and the processes that underpin it, then get your people and technology to execute it. But things have a habit of falling through the cracks."

The risk of failing in compliance in these high-profile cases is not of course merely in terms of the fines that the banks have to pay, but also in reputational terms. This was demonstrated by a 15% drop in Standard Chartered's share price. Legal fees and the cost of a monitor, required by the regulator. added to the damage. The role of compliance in guarding reputation needs to be appreciated, notes Jay Jhaveri, head of compliance information specialist World-Check Asia in Singapore. "Compliance is a cost centre and is not responsible for the top line, but they are the guardians of a bank's reputation," he says.