The Mexican subsidiary of the Hong Kong and Shanghai Banking Corporation (HSBC) was, a few months ago, penalised $27.5 million for facilitating money laundering — the biggest such penalty so far in that country. Its US subsidiary has recently set aside $1.5 billion for likely penalties in similar charges pertaining to 2001-10. There are demands that the bank be asked to wind up operations in the US. The following broad lessons for better conduct of global banking and compliance with anti-money laundering (AML) regulation could be drawn from the 335-page US senate subcommittee report and its voluminous supporting documents.
Adherence to international standards: Global banks are expected to proactively comply with best practices as laid down in international standards, including the Wolfsberg AML Principles, the private AML initiative to which HSBC is one of the 11 signatory banks. This would have helped avoid opening accounts in the name of companies with bearer shares and operating a shell branch in Cayman Islands with no office or employees, but assets of over $2 billion.
Infusing group culture in subsidiaries: HSBC became the world’s fourth-biggest bank mainly through acquisitions. This strategy highlights the need for instilling in all such acquired entities a compliance culture appropriate to the group’s philosophy. The roots of HSBC’s problems include the acquisition in 2002 of Grupo Financiero Bital, a Mexican bank with known AML weaknesses, and Republic Bank of New York, whose clients included Al Rajhi Bank, a Saudi Arabian bank with which HSBC Group compliance had recommended severing ties, citing terrorist financing concerns. This was advice disregarded by some of the affiliates. The failure to ensure a compliance culture of global standards across the group resulted in subsidiaries behaving like fiefdoms and challenging group compliance advice to sever links with certain clients or discontinue certain products.
Due diligence on affiliates: In the absence of a consistent group level compliance, the need to conduct due diligence on affiliates is greater. An automatic qualification for an affiliate or its transactions – as was the case in HSBC – is risky, as they may be operating in high-risk jurisdictions (such as Mexico), have high-risk clients (casas de cambio — foreign exchange bureaus), high-risk products (US dollar Cayman accounts) or have weak AML controls.
Respect other jurisdictions’ laws, regulations and controls: This is an essential ingredient for compliance culture at global banks. In HSBC, the possibility of transactions from Iran being subjected to detailed examination was circumvented by turning off online filters, not disclosing the identity of the sender/jurisdiction, routing through other banks/jurisdictions or by showing them as bank-to-bank transactions. The bank’s functionaries actively advised on how to dodge the filter. In numerous cases, the relevant field would show: “Do not mention our name in New York.” Processing of certain transactions was re-routed through a UK server to avoid stringent US regulations.
Effective risk management: Mexico was rated as low risk, despite its decidedly high-risk environment. Export to the US of currency notes valued up to $4.2 billion in a year, with no relation to known legitimate trade or other requirements, were therefore not followed up.
Reliance on technology: While technology aids AML, over-reliance could be counterproductive unless combined with appropriate human intervention. If this were done, the process would have recognised Yangon as Rangoon, Mynmar as Myanmar and “Sudanese Petroleum Corporation” as having a link with Sudan.
“Creative compliance” is no compliance: Travellers cheques are known conduits for money laundering. But the bank had no effective monitoring of this business. Hokuriku Bank, a Japanese bank with weak AML controls, was routing large volumes of sequentially-numbered high-denomination travellers cheques through HSBC, apparently for Russian customers stated to be in the used car business. When advised to close the account, HSBC closed one of the two accounts in 2009, transferred the balance to the other, and continued the business till May 2012.
Compliance versus business: Compliance may involve trade-off with business growth and profits, but needs to be given priority. The bank’s gross violations and omissions even when profits were only $10 million a year from its Iranian business and $47,000 in one year from Hokuriku Bank are telling in itself.
The thumb rule is that criminals may be willing to forgo up to 50 per cent of their ill-gotten wealth to be able to show it as legitimate. Given this, the moot question is what level of penalty would be sufficient deterrence for a bank with profits of $22 billion (2011), when the amount laundered through negligence, incompetence and wilful non-compliance, could run into a few hundred billion, with untold social, political and economic consequences. Considering the long period of non-compliance, movement of personnel across banks, and what the institutional literature calls “mimetic” and “normative” pressures, it is highly likely that these issues would have spread to other banks and other jurisdictions.
While “tailoring banking solutions to suit individual needs” and “personalising services”, banks need to ensure that they do not tread on legal and regulatory requirements. It may be “one world”, but jurisdictions are many, and being present in several at the same time entails having to tailor ones processes and compliance to meet stringent requirements across the world.
Sreekumar is general manager of the Reserve Bank of India, currently on sabbatical at the Indian Institute of Technology, Madras. Sai is Professor at the Department of Management Studies at IIT Madras. These views are their own