The Financial Conduct Authority (FCA) has imposed a financial penalty on HSBC Bank plc (HSBC) of £63.9 million, using its powers as a designated authority under the Money Laundering Regulations 2007 (ML Regulations). The fine included a 30% settlement discount. In 2017 the ML Regulations were superseded by the Money Laundering Regulations 2017, but the FCA's findings in this case relate to failings which took place over a period of eight years from 31 March 2010 to 31 March 2018.
Under the ML Regulations, banks are required to conduct ongoing monitoring of customer relationships. This involves scrutinising transactions and making appropriate enquiries of customers, such as to establish or verify the source of funds.
Like all major retail banks, HSBC used automated processes to monitor hundreds of millions of transactions a month to identity possible financial crime. However, the FCA found that policies and procedures for its key transaction monitoring systems were not appropriate or sufficiently risk-sensitive and HSBC did not ensure that policies which managed and monitored those systems were adequately followed.
Deficiencies involved failures relating to "scenarios", "parameters" and "data".
The FCA found that HSBC's systems were not adequately updated to recognise new "scenarios" which might indicate a high risk of money laundering. For example, systems did not adequately flag:
- activity which was not in line with account expectations (based on onboarding information);
- transactions from high risk countries (other than by wire transfer);
- repeated transactions in round amounts;
- non-cash structuring activity (e.g. writing multiple cheques to disguise a larger transaction, sometimes called smurfing);
- changes in customer activity over time.
The FCA also found that HSBC failed properly to monitor correspondent banking activity (which is higher risk for money laundering because it involves the underlying customers of a third party financial institution over which the bank has little visibility).
As part of its transaction monitoring a bank needs to set thresholds which trigger alerts for review and potential follow up. The FCA found that the parameters set by HSBC were inadequate. Banks need to ensure parameters are monitored, reviewed and adjusted to ensure that unusual activity is identified. This involves balancing the need to identify higher risk transactions against the difficulties presented where too many false positives are generated.
The FCA found that there was a failure to test and update thresholds prior to 2016 or test thresholds rollout out after 2016. Certain thresholds were set in such a way that it was almost impossible for the relevant scenarios to identity potentially suspicious activity and thresholds used were too numerous to allow testing to determine whether they were appropriate.
A bank's transaction monitoring is naturally dependent on the quality of data which is fed into the system.
The FCA determined that HSBC failed to check the completeness and accuracy of data that was being fed into its systems, despite being recommended to do so by a number of external advisory parties over a prolonged period of time. HSBC also failed to maintain a list of correspondent banking relationships which meant that not all relevant data for correspondent banking was being fed into the transaction monitoring systems. As a result, HSBC failed to adequately monitor all of its respondent banks’ activity.
The FCA’s decision notice also sets out two examples of where the bank failed to spot suspicious activity. A director of a construction company was part of a conspiracy to set up a string of fake companies as part of a tax fraud scheme. The bank failed to spot 16 suspicious deposits into his account on a single day.
HSBC also failed to detect or close the account of a customer imprisoned for smuggling cigarettes and ordered to pay £1.2 million to HMRC in 2013. From July 2014 until March 2017, whilst the customer was still in prison, there was a sustained period of unusual activity without triggering alerts.
This case demonstrates an evolution of the FCA's approach to enforcement of AML requirements in retail and commercial banks. For a number of years, enforcement has tended to focus on deficiencies in onboarding, particularly in relation to collecting source of funds and source of wealth information on high-risk customers. More recently, this and other cases (including the criminal prosecution of NatWest) have involved deficiencies in transaction monitoring.
In setting penalty, the FCA imposed two separate fines one for the retail/commercial banking business, and a separate penalty for the correspondent banking business. In each case the FCA considered that the seriousness of the breaches were level 4 on its 5 level sliding scale, reflecting the seriousness which the FCA places on financial crime controls and despite the FCA recognising that the breaches were limited to automated transaction monitoring only - which, whilst important, is only one aspect of its AML framework. The FCA also acknowledged that whilst HSBC had a very large volume of transactions to monitor, the vast majority of customers (84%) were assessed as having a very low financial crime risk.
Nevertheless, as the FCA pointed out HSBC was on notice of the potential weaknesses in this area in 2012, when the U.S. Department of Justice found that HSBC Group’s U.S. subsidiary failed to monitor wire transactions from Mexico, partly due to failings in transaction monitoring systems.