Written by Teodora Harrop, FICA on Monday 14 March, 2022
No regulator in any jurisdiction prescribes the use of automated systems to carry out transaction monitoring. Yet increasingly, those institutions handling larger numbers of transactions are finding the manual approach problematic in mitigating financial crime risk.
Even significant investment in systems has not been fully effective in reducing this risk, and may not lead to the right regulatory outcomes; the recent hefty fine of almost £64 million imposed on HSBC by the Financial Conduct Authority (FCA), the UK financial services regulator, is a particularly potent example.
Why was HSBC fined?
The FCA’s Decision Notice highlighted three areas with deficiencies related to systems and controls.[1]
- Scenario coverage – in particular ‘a failure to consider whether scenarios covered risk indicators faced by HSBC until 2014 and a failure to carry out timely risk assessments for the new scenarios rolled out after 2016’.
- Parameters – highlighting deficiencies regarding ‘thresholds set in such a way that it was almost impossible for the relevant scenarios to identify potentially suspicious activity’ and ‘the inclusion of rules that suppressed instances of potentially suspicious activity prior to August 2016 and a failure to understand those rules’.
- Data – most notably ‘a failure throughout the relevant period to check the completeness and accuracy of data fed into its transaction monitoring systems’.
HSBC had taken significant steps to enhance its systems and controls, something the FCA took into consideration:
HSBC invested heavily in the next generation of automated transaction monitoring. The Authority recognises the importance of innovation in this area, and notes the commitment already made by HSBC in the use of new and market leading technologies.
The FCA also acknowledged:
…HSBC’s commitment to its large-scale global remediation programme (which was a key priority for senior management and the Board of Directors), the [existing] enhancements and the significant increase dedicated to managing financial crime risk including the tripling of personnel working on transactions monitoring related activity.
This fine will undoubtedly prompt many money laundering reporting officers (MLROs) to reflect on whether their firm could be similarly affected and whether the existing transaction monitoring process, system and resourcing are sufficiently robust to withstand regulatory scrutiny.
What can firms do?
A gap analysis is a good starting point to attempt to ‘self-diagnose’ and identify any potential new risk areas, considering whether the existing AML/CFT risk assessment can be enhanced to take into account the issues identified by the regulator, and their potential significance to the firm’s overall systems and controls.
The key learning points from the enforcement action should be presented to the board of directors, together with the outputs from the gap analysis and initial recommendations for enhancing the systems and controls, if appropriate.
Effective utilisation of the three lines model
By the time this article is published, most firms will have already completed their annual assurance planning process and commenced the delivery of assurance reviews, in accordance with their plan. But it is important that annual plans allow for event-driven changes to be made, including capacity to introduce new reviews or amend the scope of existing ones, following a significant enforcement action.
Given the complexity of the issues, it may also be appropriate for different teams to work together to review the systems, scenarios and data feeds.
Although the HSBC fine related to the UK entity only, the FCA highlighted the fact that:
HSBC was also put on notice of the potential weaknesses in this area in 2012 when the U.S. Department of Justice found that HSBC Group’s U.S. subsidiary failed to monitor wire transactions from Mexico, partly due to failings in CAMP.[2]
The extract above makes it clear that the regulator expected that learning points from regulatory action in all jurisdictions should have been considered by all companies in the HSBC Group to enhance their systems and controls.
Although significant work had been undertaken already by the bank to address this, it would appear that not all issues were considered in sufficient detail; interdependencies should have been looked at holistically, and the sheer complexity of the project led to insufficient coverage of some areas.
The same principle of learning from issues identified elsewhere in the firm may also be applied to any findings from assurance reports (i.e. compliance monitoring and internal audit), highlighting the importance of timely communication and management buy-in.
Underlining this point, in its recently updated Financial Crime Guide, the FCA recommends that ‘financial crime risks are addressed in a coordinated manner across the business and information is shared readily’.[3]
A reminder of the importance of recordkeeping
Large scale remediation programmes take time and are resource intensive; following enforcement action in the US, HSBC commenced its remediation programme back in 2013, before the regulatory inspection leading to the fine.
Issues with data completeness, data accuracy and quality, maintaining audit trails for decisions (for example, in relation to certain alerts) and complete client records (for example, correspondent banking) were all quoted in the enforcement action at the time.
Whilst on their own any of the issues noted above may not have significantly increased the risk exposure, their cumulative impact had a snowball effect, with far-reaching consequences.
Are firms adequately resourced to prevent financial crime?
On its website, the FCA stated that:
The risk-based approach means a focus on outputs. Firms that apply a risk-based approach to [AML] will focus AML resources where they will have the biggest impact.[4]
This enforcement action certainly tested the practical application of this principle. It serves as a timely reminder that a firm cannot correctly ascertain its areas of risk and ‘blind spots’ without sufficient resourcing being allocated to financial crime prevention.
The identification of areas which have the ‘biggest impact’ is often a subjective judgement call, informed by experience. Compliance professionals and senior management are today increasingly aware that the complexity of the tools required to fight financial crime requires the right blend of knowledge and skills.
In its Financial Crime Guide, the FCA provided the following example of good practice:
The firm bolsters insufficient in-house knowledge or resource with external expertise, for example in relation to assessing financial crime risk or monitoring compliance with standards.[5]
Whilst not all firms will be in a position to increase the resourcing allocated to their financial crime high-risk areas threefold, it is important to recognise that fighting financial crime cannot be done ‘on a shoestring’.
[1] Financial Conduct Authority, ‘Decision Notice for HSBC plc’, 17 December 2021: https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls – accessed January 2022
[2] Financial Conduct Authority, Decision Notice HSBC, 14 December 2021: https://www.fca.org.uk/publication/decision-notices/hsbc-bank-plc.pdf – accessed January 2022
[3] Financial Conduct Authority, Financial Crime Guide – a firm’s guide to countering financial crime risks (FCG), January 2022: https://www.handbook.fca.org.uk/handbook/FCG.pdf – accessed January 2022
[4] Financial Conduct Authority, ‘Money Laundering and Terrorist Financing’, 2 August 2015: https://www.fca.org.uk/firms/financial-crime/money-laundering-terrorist-financing – accessed January 2022
[5] Financial Conduct Authority, Financial Crime Guide – a firm’s guide to countering financial crime risks (FCG)