The report released by the Permanent Subcommittee on Investigation, of the US Senate examined the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its US affiliate to provide US dollars, US dollar services, and access to the US financial system to high risk affiliates, high risk correspondent banks, and high risk clients. HSBC was taken as a case study, where the Bank was found wanting.
Over the last decade, the US Senate Permanent Subcommittee on Investigations has worked to strengthen US AML efforts by investigating how money launderers, terrorists, organized crime, corrupt officials, tax evaders, and other wrongdoers have utilized US financial institutions to conceal, transfer, and spend suspect funds. In 2001, the Subcommittee focused, in particular, on how US banks, through the correspondent services they provide to foreign financial institutions, had become conduits for illegal proceeds associated with organized crime, drug trafficking, and financial fraud. Correspondent banking occurs when one financial institution provides services to another financial institution to move funds, exchange currencies, cash monetary instruments, or carry out other financial transactions. The Subcommittee’s 2001 investigation showed not only how some poorly managed or corrupt foreign banks used US bank accounts to aid and abet, commit, or allow clients to commit wrongdoing, but also how US financial institutions could protect themselves and the US financial system from misuse.
In response to that investigation and the money laundering vulnerabilities exposed by the 9/11 terrorist attack, Congress enacted stronger AML laws as part of the Patriot Act of 2002, including stronger provisions to combat the misuse of correspondent services. Federal bank regulators followed with stronger regulations and examination requirements to guard against money laundering through correspondent accounts. In response, over the next ten years, US banks substantially strengthened their correspondent AML controls. Before the 2002 Patriot Act, for example, most US banks opened correspondent accounts for any foreign bank with a banking license; now, most US banks evaluate the riskiness of each foreign bank’s owners, business lines, products, clients, and AML controls before agreeing to open an account. They also routinely monitor account activity and wire transfers for suspicious activity, with enhanced monitoring of high risk correspondents. In addition, before the 2002 Patriot Act, some US banks readily opened accounts for foreign shell banks, meaning banks without any physical presence in any jurisdiction; today, in accordance with the Patriot Act’s ban on shell bank accounts, all US banks take measures to ensure they don’t provide services to such banks, the ban on shell bank accounts has become an international AML standard, and the thousands of stand-alone shell banks licensed by the Bahamas, Cayman Islands, Nauru, and other jurisdictions have virtually disappeared.
At the same time, the money laundering risks associated with correspondent banking have not been eliminated. Correspondent accounts continue to provide a gateway into the US financial system, and wrongdoers continue to abuse that entryway. This investigation takes a fresh look at the US vulnerabilities to money laundering and terrorist financing associated with correspondent banking, focusing in particular on the operations of global banks with US affiliates that enable foreign financial institutions to gain access to the US financial system.
HSBC Case Study. To examine the current money laundering and terrorist financing threats associated with correspondent banking, the Subcommittee selected HSBC as a case study. HSBC is one of the largest financial institutions in the world, with over $2.5 trillion in assets, 89 million customers, 300,000 employees, and 2011 profits of nearly $22 billion. HSBC, whose initials originally stood for Hong Kong Shanghai Banking Corporation, now has operations in over 80 countries, with hundreds of affiliates spanning the globe. Its parent corporation, HSBC Holdings plc, called “HSBC Group,” is headquartered in London, and its Chief Executive Officer is located in Hong Kong.
Its key US affiliate is HSBC Bank USA NA (HBUS). HBUS operates more than 470 bank branches throughout the United States, manages assets totaling about $200 billion, and serves around 3.8 million customers. It holds a national bank charter, and its primary regulator is the US Office of the Comptroller of the Currency (OCC), which is part of the US Treasury Department. HBUS is headquartered in McLean, Virginia, but has its principal office in New York City. HSBC acquired its US presence by purchasing several US financial institutions, including Marine Midland Bank and Republic National Bank of New York.
A senior HSBC executive told the Subcommittee that HSBC acquired its US affiliate, not just to compete with other US banks for US clients, but primarily to provide a US platform to its non-US clients and to use its US platform as a selling point to attract still more non-US clients. HSBC operates in many jurisdictions with weak AML controls, high risk clients, and high risk financial activities including Asia, Middle East, and Africa. Over the past ten years, HSBC has also acquired affiliates throughout Latin America. In many of these countries, the HSBC affiliate provides correspondent accounts to foreign financial institutions that, among other services, are interested in acquiring access to US dollar wire transfers, foreign exchange, and other services. As a consequence, HSBC’s US affiliate, HBUS, is required to interact with other HSBC affiliates and foreign financial institutions that face substantial AML challenges, often operate under weaker AML requirements, and may not be as familiar with, or respectful of, the tighter AML controls in the United States. HBUS’ correspondent services, thus, provide policymakers with a window into the vast array of money laundering and terrorist financing risks confronting the US affiliates of global banks.
The Subcommittee also examined HSBC because of its weak AML program. In September 2010, the OCC issued a lengthy Supervisory Letter citing HBUS for violating federal AML laws, including by maintaining an inadequate AML program. In October 2010, the OCC issued a Cease and Desist Order requiring HSBC to strengthen multiple aspects of its AML program. The identified problems included a once massive backlog of over 17,000 alerts identifying possible suspicious activity that had yet to be reviewed; ineffective methods for identifying suspicious activity; a failure to file timely Suspicious Activity Reports with US law enforcement; a failure to conduct any due diligence to assess the risks of HSBC affiliates before opening correspondent accounts for them; a three year failure by HBUS, from mid-2006 to mid-2009, to conduct any AML monitoring of $15 billion in bulk cash transactions with those same HSBC affiliates, despite the risks associated with large cash transactions; poor procedures for assigning country and client risk ratings; a failure to monitor $60 trillion in annual wire transfer activity by customers domiciled in countries rated by HBUS as lower risk; inadequate and unqualified AML staffing; inadequate AML resources; and AML leadership problems. Since many of these criticisms targeted severe, widespread, and longstanding AML deficiencies, they also raised questions about how the problems had been allowed to accumulate and why the OCC had not compelled corrective action earlier.
During the course of its investigation into HSBC’s AML deficiencies, the Subcommittee issued multiple subpoenas and collected and reviewed over 1.4 million documents, including bank records, correspondence, emails, and legal pleadings. The Subcommittee staff also conducted over 75 interviews with officials at HSBC Group, HBUS, and other HSBC affiliates, as well as with US banking regulators. In addition, the Subcommittee received numerous briefings from HSBC legal counsel, initiated inquiries with foreign banks that had HSBC accounts, and consulted with experts on AML and terrorist financing issues. HSBC was fully cooperative with the inquiry, producing documentation and witnesses from around the world, including documents for which it could have claimed privilege.
During The Course Of Its Investigation Into HSBC’s AML Deficiencies, The Subcommittee Issued Multiple Subpoenas And Collected And Reviewed Over 1.4 Million Documents, Including Bank Records, Correspondence, Emails, And Legal Pleadings.
As a result of its investigation, the Subcommittee has focused on five issues illustrating key AML and terrorist financing problems that continue to impact correspondent banking in the United States. They include opening US correspondent accounts for high risk affiliates without conducting due diligence; facilitating transactions that hinder US efforts to stop terrorists, drug traffickers, rogue jurisdictions, and other from using the US financial system; providing US correspondent services to banks with links to terrorism; clearing bulk US dollar travelers cheques despite signs of suspicious activity; and offering high risk bearer share corporate accounts. Avoiding the money laundering risks involved in these activities requires an effective AML program, with written standards, knowledgeable and adequate staff, the infrastructure needed to monitor account and wire transfer activity for suspicious transactions, effective AML training, and a compliance culture that values obtaining accurate client information. In addition to focusing on these five issues at HBUS, the Subcommittee investigation examined the regulatory failures that allowed these and other AML problems to fester for years.
Servicing A High Risk Affiliate.In 2001, the Subcommittee’s investigation debunked the notion that US banks should open a correspondent account for any foreign bank with a banking license, establishing instead the need to use due diligence to evaluate the money laundering and terrorist financing risks posed by a specific foreign financial institution before opening an account. Today, some US affiliates of global banks engage in an equally ill-advised practice, opening correspondent accounts for any affiliate owned by the parent holding corporation, with no analysis of the AML or terrorist financing risks.
Until recently, HSBC Group policy instructed its affiliates to assume that all HSBC affiliates met the Group’s AML standards and to open correspondent accounts for those affiliates without additional due diligence. For years, HBUS followed that policy, opening US correspondent accounts for HSBC affiliates without conducting any AML due diligence. Those affiliates have since become major clients of the bank. In 2009, for example, HBUS determined that “HSBC Group affiliates clear[ed] virtually all USD [US dollar] payments through accounts held at HBUS, representing 63% of all USD payments processed by HBUS.” HBUS failed to conduct due diligence on HSBC affiliates despite a US law that has required all US banks, since 2002, to conduct these due diligence reviews before opening a US correspondent account for any foreign financial institution, with no exception made for foreign affiliates.
One HSBC affiliate that illustrates the AML problems is HSBC Mexico, known as HBMX. HBUS should have, but did not, treat HBMX as a high risk correspondent client subject to enhanced due diligence and monitoring. HBMX operated in Mexico, a country under siege from drug crime, violence and money laundering; it had high risk clients, such as Mexican casas de cambios and US money service businesses; and it offered high risk products, such as US dollar accounts in the Cayman Islands. In addition, from 2007 through 2008, HBMX was the single largest exporter of US dollars to HBUS, shipping $7 billion in cash to HBUS over two years, outstripping larger Mexican banks and other HSBC affiliates. Mexican and USauthorities expressed repeated concern that HBMX’s bulk cash shipments could reach that volume only if they included illegal drug proceeds. The concern was that drug traffickers unable to deposit large amounts of cash in US banks due to AML controls, were transporting US dollars to Mexico, arranging for bulk deposits there, and then using Mexican financial institutions to insert the cash back into the US financial system.
In addition to its high risk location, clients, and activities, HMBX had a history of severe AML deficiencies. Its AML problems included a widespread lack of Know-Your Customer (KYC) information in client files; a dysfunctional monitoring system; bankers who resisted closing accounts despite evidence of suspicious activity; high profile clients involved in drug trafficking; millions of dollars in suspicious bulk travelers cheque transactions; inadequate staffing and resources; and a huge backlog of accounts marked for closure due to suspicious activity, but whose closures were delayed. For eight years, from 2002 to 2010, HSBC Group oversaw efforts to correct HBMX’s AML deficiencies, while those efforts fell short. At the same time, HSBC Group watched HBMX utilize its US correspondent account, without alerting HBUS to the AML risks it was incurring.
HBUS compounded the AML risks it incurred from HBMX through its own AML deficiencies, which included failing to investigate or evaluate HBMX’s AML risks. HBUS also failed, from mid-2006 to mid-2009, to conduct any AML monitoring of its US dollar transactions with HSBC affiliates, including HBMX, despite the obvious well-known risks attendant with large cash transactions. In addition, because HBUS deemed HBMX to be located in a low risk country, HBUS failed until 2009, to monitor HBMX’s wire transfer or account activity. HBMX illustrates the money laundering and drug trafficking risks that result when the US affiliate of a global bank serves as the US gateway for a high risk affiliate allowed to operate with no initial due diligence or ongoing monitoring.
Circumventing OFAC Prohibitions. The United States has devoted significant resources to stopping some of the most dangerous persons and jurisdictions threatening the world today from utilizing the US financial system, including terrorists, persons involved with weapons of mass destruction, drug traffickers, and persons associated with rogue jurisdictions such as Iran, North Korea, and Sudan. To implement the law, the US Treasury Department’s Office of Foreign Assets Control (OFAC) has developed a list of prohibited persons and countries which banks use to create an “OFAC filter” to identify and halt potentially prohibited transactions. Transactions stopped by this filter typically undergo an individualized review to see if the transaction can proceed or the funds must be blocked.
Because the OFAC filter can end up delaying or blocking transactions that are permitted under US law or by other jurisdictions, some non-US financial institutions have used tactics to circumvent it. Common tactics include stripping information from wire transfer documentation to conceal the participation of a prohibited person or country, or characterizing a transaction as a transfer between banks in approved jurisdictions, while omitting underlying payment details that would disclose participation of a prohibited originator or beneficiary. In the case of Iran, some foreign banks also abused what were known as “U-turn” transactions, which were allowable transactions under Treasury regulations prior to November 2008. In recent years, the United States has imposed steep penalties on banks that violated the OFAC prohibitions.
For Decades, HSBC Has Been One Of The Most Active Global Banks In The Middle East, Asia, And Africa, Despite Being Aware Of The Terrorist Financing Risks In Those Regions. In Particular, HSBC Has Been Active In Saudi Arabia… Al Rajhi Bank
At HBUS, documents provided to the Subcommittee indicate that, for years, some HSBC affiliates took action to circumvent the OFAC filter when sending OFAC sensitive transactions through their US dollar correspondent accounts at HBUS. From at least 2001 to 2007, two HSBC affiliates, HSBC Europe (HBEU) and HSBC Middle East (HBME), repeatedly sent U-turn transactions through HBUS without disclosing links to Iran, even though they knew HBUS required full transparency to process U-turns. To avoid triggering the OFAC filter and an individualized review by HBUS, HBEU systematically altered transaction information to strip out any reference to Iran and characterized the transfers as between banks in approved jurisdictions. The affiliates’ use of these practices, which even some within the bank viewed as deceptive, was repeatedly brought to the attention of HSBC Group Compliance, by HBUS compliance personnel and by HBEU personnel who objected to participating in the document alteration and twice announced deadlines to end the activity. Despite this information, HSBC Group Compliance did not take decisive action to stop the conduct or inform HBUS about the extent of the activity. At the same time, while some at HBUS claimed not to have known they were processing undisclosed Iranian transactions from HSBC affiliates, internal documents show key senior HBUS officials were informed as early as 2001. In addition, HBUS’ OFAC filter repeatedly stopped Iranian transactions that should have been disclosed to HBUS by HSBC affiliates, but were not. Despite evidence of what was taking place, HBUS failed to get a full accounting of what its affiliates were doing or ensure all Iranian transactions sent by HSBC affiliates were stopped by the OFAC filter and reviewed to ensure they were OFAC compliant.
In addition, documents show that, from 2002 to 2007, some HSBC affiliates sent potentially prohibited transactions through HBUS involving Burma, Cuba, North Korea, Sudan, and other prohibited countries or persons. Other documents indicate that some HSBC affiliates may have sent non-US dollar messaging traffic through US servers in which the OFAC filter was not turned on or was restricted.
An outside auditor hired by HBUS has so far identified, from 2001 to 2007, more than 28,000 undisclosed, OFAC sensitive transactions that were sent through HBUS involving $19.7 billion. Of those 28,000 transactions, nearly 25,000 involved Iran, while 3,000 involved other prohibited countries or persons. The review has characterized nearly 2,600 of those transactions, including 79 involving Iran, and with total assets of more than $367 million, as “Transactions of Interest” requiring additional analysis to determine whether violations of US law occurred. While the aim in many of those cases may have been to avoid the delays associated with the OFAC filter and individualized reviews, rather than to facilitate prohibited transactions, actions taken by HSBC affiliates to circumvent OFAC safeguards may have facilitated transactions on behalf of terrorists, drug traffickers, or other wrongdoers. While HBUS insisted, when asked, that HSBC affiliates provide fully transparent transaction information, when it obtained evidence that some affiliates were acting to circumvent the OFAC filter, HBUS failed to take decisive action to confront those affiliates and put an end to the conduct. HBUS’ experience demonstrates the strong measures that the US affiliate of a global bank must take to prevent affiliates from circumventing OFAC prohibitions.
Disregarding Links to Terrorism. For decades, HSBC has been one of the most active global banks in the Middle East, Asia, and Africa, despite being aware of the terrorist financing risks in those regions. In particular, HSBC has been active in Saudi Arabia, conducting substantial banking activities through affiliates as well as doing business with Saudi Arabia’s largest private financial institution, Al Rajhi Bank. After the 9-11 terrorist attack in 2001, evidence began to emerge that Al Rajhi Bank and some of its owners had links to financing organizations associated with terrorism, including evidence that the bank’s key founder was an early financial benefactor of al Qaeda. In 2005, HSBC announced internally that its affiliates should sever ties with Al Rajhi Bank, but then reversed itself four months later, leaving the decision up to each affiliate. HSBC Middle East, among other HSBC affiliates, continued to do business with the bank.
Due to terrorist financing concerns, HBUS closed the correspondent banking and banknotes accounts it had provided to Al Rajhi Bank. For nearly two years, HBUS Compliance personnel resisted pressure from HSBC personnel in the Middle East and United States to resume business ties with Al Rajhi Bank. In December 2006, however, after Al Rajhi Bank threatened to pull all of its business from HSBC unless it regained access to HBUS’ US banknotes program, HBUS agreed to resume supplying Al Rajhi Bank with shipments of US dollars. Despite ongoing troubling information, HBUS provided nearly $1 billion in US dollars to Al Rajhi Bank until 2010, when HSBC decided, on a global basis, to exit the US banknotes business. HBUS also supplied US dollars to two other banks, Islami Bank Bangladesh Ltd. and Social Islami Bank, despite evidence of links to terrorist financing. Each of these specific cases shows how a global bank can pressure its US affiliate to provide banks in countries at high risk of terrorist financing with access to US dollars and the US financial system.
Clearing Suspicious Bulk Travelers Cheques. Another AML issue involves HBUS’ clearing more than $290 million in bulk US dollar travelers checks in less than four years for a Japanese regional bank, Hokuriku Bank, despite evidence of suspicious activity. From at least 2005 to 2008, HBUS cleared bulk travelers cheques for Hokuriku Bank on a daily basis, at times clearing $500,000 or more in US dollars per day. The cheques were in denominations of $500 or $1,000, submitted in large blocks of sequentially numbered cheques, and signed and countersigned with the same illegible signature. An OCC examination which determined that HBUS was clearing travelers cheques with inadequate AML controls, discovered the stacks of Hokuriku travelers cheques being processed on a daily basis, and directed HBUS to investigate. When HBUS sought more information, Hokuriku Bank at first delayed responding, then provided minimal information, and finally declined to investigate further, claiming to be constrained by bank secrecy laws from disclosing client-specific information. HBUS eventually learned that the travelers cheques were purchased by Russians from a bank in Russia, a country at high risk of money laundering. HBUS also learned that the Japanese bank had little KYC information or understanding why up to $500,000 or more in bulk US dollar travelers cheques purchased in Russia were being deposited on a daily basis into one of 30 different Japanese accounts of persons and corporations supposedly in the used car business.
In October 2008, under pressure from the OCC, HBUS stopped processing the travelers cheques, but continued the correspondent relationship, despite the Japanese bank’s poor AML controls. Two years later, in 2010, an OCC examination uncovered the ongoing relationship, between HSBC and Hokuriku, which the OCC thought had ended. In 2012, after the Subcommittee inquired about the account, HBUS closed it. Since travelers cheques have been misused by terrorists, drug traffickers, and other criminals, the HBUS experience shows how a US affiliate with ineffective AML controls can end up clearing suspicious bulk travelers cheques and facilitating the movement of hundreds of millions of US dollars across international lines to unknown recipients.
Offering Bearer Share Accounts. Over the course of a decade, HBUS opened over 2,000 accounts in the name of bearer share corporations, a notorious type of corporation that invites secrecy and wrongdoing by assigning ownership to whomever has physical possession of the shares. At its peak, HBUS’ Miami office had over 1,670 bearer share accounts; the New York office had over 850; and the Los Angeles office had over 30. The Miami bearer share accounts alone held assets totaling an estimated $2.6 billion, and generated annual bank revenues of $26 million. Multiple internal audits and regulatory examinations criticized the accounts as high risk and advocated that HBUS either take physical custody of the shares or require the corporations to register the shares in the names of the shareholders, but HBUS bankers initially resisted tightening AML controls, and regulators took no enforcement action.
Two examples of the accounts illustrate the risks they posed. In the first, Miami Beach hotel developers, Mauricio Cohen Assor and Leon Cohen Levy, father and son, used bearer share accounts they opened for Blue Ocean Finance Ltd. and Whitebury Shipping Time-Sharing Ltd. to help hide $150 million in assets and $49 million in income. In 2010, both were convicted of criminal tax fraud and filing false tax returns, sentenced to ten years in prison, and ordered to pay back taxes, interest, and penalties totaling more than $17 million. A second example involves a wealthy and powerful Peruvian family which pressed HBUS to grant a waiver from its AML requirements that bearer share corporations either register their shares or place those shares in bank custody. Bank documents showed how HBUS bankers pressed Compliance personnel to grant the waiver to please a wealthy client. These accounts demonstrate the AML risks associated with bearer share accounts, whose owners seek to hide their identities. Today, following an initiative that concluded in 2011, HBUS has reduced its bearer share accounts to 26, most of which are frozen, while at the same time maintaining a policy that allows the bank to open new bearer share accounts in the future.
Regulatory Failures. HBUS’ severe AML deficiencies did not happen overnight; they accumulated over time, even though its primary regulator, the OCC, conducted regular AML examinations. Part of the reason HBUS’ AML problems were not cured is attributable to certain peculiar and ineffective aspects of the OCC’s AML oversight effort.
First, unlike other US bank regulators, the OCC does not treat AML deficiencies as a matter of bank safety and soundness or a management problem. Instead it treats AML deficiencies as a consumer compliance matter, even though AML laws and consumer protection laws have virtually nothing in common. One consequence of this approach is that the OCC considers AML problems when assigning a bank’s consumer compliance rating, but not when assigning the bank’s management rating or its overall composite rating. As a result, AML deficiencies do not routinely lower the ratings that national banks receive as part of their safety and soundness evaluations, and so do not increase the deposit insurance that banks pay for incurring heightened risk, contrary to how AML problems are handled at other federal banking agencies. At HBUS, after citing the bank for severe AML deficiencies, the OCC lowered its consumer compliance rating but not its management rating.
A second problem is that the OCC has adopted a practice of foregoing the citation of a statutory or regulatory violation in its Supervisory Letters and annual Reports of Examination when a bank fails to comply with one of the four mandatory components of an AML program. The four minimum statutory requirements of an AML program are AML internal controls, an AML compliance officer, AML training, and independent testing of the effectiveness of its AML program. By consistently treating a failure to meet one or even several of these statutory requirements as a “Matter Requiring Attention” instead of a legal violation, the OCC diminishes the importance of meeting each requirement, sends a more muted message about the need for corrective action, and makes enforcement actions more difficult to pursue if an AML deficiency persists. In contrast, citing a violation of law when one critical component of a bank’s AML program is inadequate sends a strong message to bank management that its AML program is deficient, does not meet minimum statutory requirements, and requires remediation to ensure compliance with the law. At HBUS, the OCC identified 83 Matters Requiring Attention over five years, without once citing a legal violation of federal AML law. It was only when the OCC found HBUS’ entire AML program to be deficient that the OCC finally cited the bank for a legal violation.
Additional problems illustrated by the HBUS case history include the OCC’s practice of conducting narrowly focused AML examinations of specific banking units without also assessing HBUS’ overall AML program; the OCC’s reluctance, despite mounting AML deficiencies, to make timely use of formal and informal enforcement actions to compel improvements in HBUS’ AML program; and the practice by some OCC examiners to issue Supervisory Letters that sometimes muted AML examination criticisms or weakened recommendations for AML reforms at HBUS.
While the OCC insists that its AML approach has merit, the HSBC case history, like the Riggs Bank case history examined by this Subcommittee eight years ago, provides evidence that the current OCC system has tolerated severe AML deficiencies for years, permitted national banks to delay or avoid correcting identified problems, and allowed smaller AML issues to accumulate into a massive problem before OCC enforcement action was taken. An experienced OCC AML examiner told the Subcommittee: “I thought I saw it all with Riggs but HSBC was the worst situation I’d ever seen,” yet during the six-year period from 2004 to 2010, OCC officials did not take any formal or informal enforcement action to compel HBUS to strengthen its AML program, essentially allowing its AML problems to fester. In 2009, after learning of two law enforcement investigations involving AML issues at the bank, the OCC suddenly expanded and intensified an ongoing AML examination and allowed it to consider a wide range of AML issues. The OCC examination culminated in the issuance, in September 2010, of a blistering supervisory letter listing numerous, serious AML problems at the bank. In October 2010, the OCC also issued a Cease and Desist Order requiring HBUS to revamp its AML controls.
In response, HBUS has announced a number of key organizational and policy initiatives to improve its AML program in the United States and globally. While those initiatives are promising, HBUS announced similarly promising AML reforms in 2003, when confronted with an AML enforcement action by the Federal Reserve Bank of New York and New York State Banking Department. Even before the OCC lifted that order in 2006, HBUS’ AML program deteriorated. Both HBUS and the OCC will have to undertake a sustained effort to ensure the newest round of changes produce a better AML outcome.
HSBC is the quintessential global bank, operating hundreds of affiliates in 80 countries, with its US affiliate acting as the gateway into the US financial system for the entire network.
The OCC allowed AML problems at HBUS to build up until they represented major AML vulnerabilities for the United States. Going forward, HBUS needs far stronger controls to ensure it doesn’t leave AML risks to the US financial system unattended; the OCC needs a much better approach to resolve AML problems in a more effective and timely manner.
A. Findings
(1) Longstanding Severe AML Deficiencies. HBUS operated its correspondent accounts for foreign financial institutions with longstanding, severe AML deficiencies, including a dysfunctional AML monitoring system for account and wire transfer activity, an unacceptable backlog of 17,000 unreviewed alerts, insufficient staffing, inappropriate country and client risk assessments, and late or missing Suspicious Activity Reports, exposing the United States to money laundering, drug trafficking, and terrorist financing risks.
(2) Taking on High Risk Affiliates. HBUS failed to assess the AML risks associated with HSBC affiliates before opening correspondent accounts for them, failed to identify high risk affiliates, and failed for years to treat HBMX as a high risk accountholder.
(3) Circumventing OFAC Prohibitions. For years in connection with Iranian U-turn transactions, HSBC allowed two non-US affiliates to engage in conduct to avoid triggering the OFAC filter and individualized transaction reviews. While HBUS insisted, when asked, that HSBC affiliates provide fully transparent transaction information, when it obtained evidence that some affiliates were acting to circumvent the OFAC filter, HBUS failed to take decisive action to confront those affiliates and put an end to conduct which even some within the bank viewed as deceptive.
(4) Disregarding Terrorist Links. HBUS provided US correspondent accounts to some foreign banks despite evidence of links to terrorist financing.
(5) Clearing Suspicious Bulk Travelers Cheques. In less than four years, HBUS cleared over $290 million in sequentially numbered, illegibly signed, bulk US dollar travelers cheques for Hokuriku Bank, which could not explain why its clients were regularly depositing up to $500,000 or more per day in US dollar travelers cheques obtained in Russia into Japanese accounts, supposedly for selling used cars; even after learning of Hokuriku’s poor AML controls, HBUS continued to do business with the bank.
(6) Offering Bearer Share Accounts. Over the course of a decade, HBUS opened over 2,000 high risk bearer share corporate accounts with inadequate AML controls.
(7) Allowing AML Problems to Fester. The OCC allowed HBUS’ AML deficiencies to fester for years, in part due to treating HBUS’ AML problems as consumer compliance matters rather than safety and soundness problems, failing to make timely use of formal and informal enforcement actions to compel AML reforms at the bank, and focusing on AML issues in specific HBUS banking units without also viewing them on an institution-wide basis.
B. Recommendations
(1) Screen High Risk Affiliates. HBUS should reevaluate its correspondent relationships with HSBC affiliates, including by reviewing affiliate AML and compliance audit findings, identifying high risk affiliates, designating affiliate accounts requiring enhanced monitoring, and closing overly risky accounts. HBUS should conduct a special review of the HBMX account to determine whether it should be closed.
(2) Respect OFAC Prohibitions. HSBC Group and HBUS should take concerted action to stop non-US HSBC affiliates from circumventing the OFAC filter that screens transactions for terrorists, drug traffickers, rogue jurisdictions, and other wrongdoers, including by developing audit tests to detect undisclosed OFAC sensitive transactions by HSBC affiliates.
(3) Close Accounts for Banks with Terrorist Financing Links. HBUS should terminate correspondent relationships with banks whose owners have links to, or present high risks of involvement with, terrorist financing.
(4) Revamp Travelers Cheque AML Controls. HBUS should restrict its acceptance of large blocks of sequentially numbered US dollar travelers cheques from HSBC affiliates and foreign financial institutions; identify affiliates and foreign financial institutions engaged in suspicious travelers cheque activity; and stop accepting travelers cheques from affiliates and foreign banks that sell or cash US dollar travelers cheques with little or no KYC information.
(5) Boost Information Sharing Among Affiliates. HSBC should require AML personnel to routinely share information among affiliates to strengthen AML coordination, reduce AML risks, and combat wrongdoing.
(6) Eliminate Bearer Share Accounts. HBUS should close its remaining 26 bearer share corporate accounts, eliminate this type of account, and instruct financial institutions using HBUS correspondent accounts not to execute transactions involving bearer share corporations. US financial regulators should prohibit US banks from opening or servicing bearer share accounts.
(7) Increase HBUS’ AML Resources. HBUS should ensure a full time professional serves as its AML director, and dedicate additional resources to hire qualified AML staff, implement an effective AML monitoring system for account and wire transfer activity, and ensure alerts, including OFAC alerts, are reviewed and Suspicious Activity Reports are filed on a timely basis.
(8) Treat AML Deficiencies as a Matter of Safety and Soundness. The OCC should align its practice with that of other federal bank regulators by treating AML deficiencies as a safety and soundness matter, rather than a consumer compliance matter, and condition management CAMELS ratings in part upon effective management of a bank’s AML program.
(9) Act on Multiple AML Problems. To ensure AML problems are corrected in a timely fashion, the OCC should establish a policy directing that the Supervision Division coordinate with the Enforcement and Legal Divisions to conduct an institution-wide examination of a bank’s AML program and consider use of formal or informal enforcement actions, whenever a certain number of Matters Requiring Attention or legal violations identifying recurring or mounting AML problems are identified through examinations.
(10) Strengthen AML Examinations. The OCC should strengthen its AML examinations by citing AML violations, rather than just Matters Requiring Attention, when a bank fails to meet any one of the statutory minimum requirements for an AML program; and by requiring AML examinations to focus on both specific business units and a bank’s AML program as a whole.