Much has been written, including the 300-page U.S. Senate Subcommittee report itself, on the AML issues at HSBC. This writing includes front page news articles in major news publications, which gets management’s attention. The intent of this article is not to rehash what went wrong at HSBC, as that has been amply covered elsewhere, but rather to look at what AML professionals can do now to prevent a similar situation from occurring on their watch. What has happened cannot be changed, but we can learn from the mistakes of others — it is far easier and less costly that way. Following the PSI report, the rules of the game seem to have changed significantly, as they did in the wake of the 2004 Senate Committee report on Riggs Bank.
Not only did the report cite the bank for failings, but it also chastised the bank’s regulator, the Office of the Comptroller of the Currency (OCC) for weak oversight of the known issues. This once again raises the regulatory expectations on institutions, as long-time AML practitioners will recall this happened after the 2004 report. The impact has been felt far beyond the OCC, as regulators across the globe have announced that they will look more closely at HSBC in particular; it is likely that this scrutiny will not stop at just HSBC, but will extend to other supervised entities.
This increase in regulatory scrutiny will create a need for institutions to critically assess their AML programs in light of some of the issues raised at HSBC. Since the swarm of publicity has grabbed management’s attention, it would be a good time to present them with a summary of the case — as it stands now, as there is ample hint that more is to come — and an assessment of the institution’s risk, controls and an action plan for how-to improve weaknesses.
Assessment of Inherent Risk
It should be well known by now that the core of an institution’s risk-based AML program is a risk assessment that determines the risk within the institution. This is not to say that HSBC did not have one; they did. However, the risk assessment was deemed flawed in hindsight; and as noted above, the regulators are looking more critically at institutions. Risk assessments will need to be improved so that they can withstand an after the fact review.
This will not require AML professionals to accurately predict where regulatory scrutiny will arise in the future, but rather will require them to be able to think critically about their programs and the risks presented — as seen through the eyes of their regulators.
As an example, in the HSBC report and a recent Financial Services Authority (FSA) case against Habib Bank, when institutions downgrade the risks of jurisdictions normally regarded as high risk by regulators, often by subjective factors such as the institution’s experience and knowledge of the country, this can lead to regulatory criticism. While an institution may be able to justify a lower risk rating to itself, ultimately, the regulators are the ones the institution must be able to convince. Perhaps an analogy of a trial is in order here. Institutions will need to be able to convince the judge of their position and that they have done enough. Simply rationalizing the position to themselves is no longer enough.
Regulators will see certain business that institutions engage in to be inherently risky — far more so than the institutions will see the risks. This is in part a matter of institutions better understanding the business. The financial community must take certain risks in order to stay in business — one could say they are in the business of managing risk. However, while regulators understand this basic concept, they often strongly frown on risk, as it endangers the safety of the supervised institutions. The institution’s job is to set forth a solid case for why the risk should be lower than what the regulator perceives. When an institution makes a case that a normally high-risk situation is anything but, it will need to make a strong case. Thus, an institution banking Mexican casas de cambio or engaging in correspondent banking should strongly consider the regulator’s position that these are inherently risky and develop a strong case for why the risk is anything but high.
Since so much of the risk-based AML program relies on a correct assessment of inherent risk, it is critical that the institution gets this right.
Assessing the Controls
Much of the business that financial institutions provide is considered inherently high risk. In essence, if you can think of a way to launder money through a product or service, the regulators will often equate this as a high-risk one. The key to reducing risk is to implement appropriate risk-based controls. This requires an honest assessment. As noted Hungarian philosopher Dr. Thomas Szasz said, “man’s ability to deceive others is only exceeded by his ability to deceive himself.” All too often, we may think we know the answers, but we do not realize that someone else will be making the judgment at some time in the future. It is critical that we document this carefully, thoroughly and honestly. Just because you have operations in a country or have a monitoring system does not mean you have strong controls, this is where the deception comes into play. You will need to demonstrate how those controls actually work to reduce the risk. Having evidence of your controls’ effectiveness will go a long way to making your case to the regulators, such as through a solid monitoring and testing program.
The key to reducing risk is to implement appropriate risk-based controls
To show how this might work in practice, imagine an institution that has strong client selection criteria (e.g., the institution does not take anyone who walks in the door and will not accept certain high-risk clients) with stringent know your customer (KYC) requirements backed by a finely tuned and extensively documented monitoring system. To assess the effectiveness of these controls, it should have a system of monitoring and testing to assess how well the internal systems work. This could include running reports of new clients to see if any prohibited high-risk clients appear on these lists, checking new client records to see that all required KYC information is captured and is meaningful, and to show that the monitoring system’s established parameters will actually detect activity that meets the parameters. The program’s effectiveness would be further supported by a fully staffed investigation team that follows well-established procedures to terminate relationships after set thresholds for unusual or suspicious behavior are identified, regardless of the customer’s profitability. In this case, the institution should document the results of monitoring and testing that shows how these controls effectively mitigate the specific risks presented, such as by screening out undesirable customers before they come into the institution, actively monitoring for unusual activity and removing the customers who engage in risky behavior.
To start a control assessment, one should start with the risks that need to be mitigated. To achieve this, one should focus on the particular area to be mitigated rather than to try to tackle the issue of overall AML/CTF risk to the institution. For example, when looking at the HSBC case, the report cited several specific weaknesses; when conducting an assessment, an institution should determine whether it has some of the same risks. While an institution may not be engaged in correspondent banking or have foreign affiliates, one of the issues was the insufficient resources dedicated to compliance.
To be clear, this is not an issue specific to HSBC, regulators have been continually stressing the need for increased resources. One of the main things regulators have cited in this regard is the issue of addressing risk by means of the staff available to handle it. Several enforcement actions have noted that scenarios were turned off, filters were tweaked, backlogs created and reduced by under-qualified staff. A risk assessment needs to take an honest look at this. Rather than look at it strictly as a matter of resources decked against a particular issue and conduct an analysis based solely on the numbers, the analysis should look more at the risk — remember, it is the risk as viewed by the regulators — and how it is being mitigated. As an example, instead of focusing the analysis solely on having each analyst handling 100 alerts per day, specifically address the level of risk presented by the alerts and how the highest risk ones are addressed first. This way, if there is a backlog, it is the lower risk ones that are falling behind. This can be justified and this is better than allowing high-risk cases to fall behind. This is a simple matter of prioritization.
Regulators have been continually stressing the need for increased resources
A useful exercise to address such issues, instead of simply turning off filters because there are not enough warm bodies to review the output, is to assess the effectiveness of the alerts. If the alerts are scored on a range of 1-100 with 100 being high, some analysis could be done on the level of the alert that generates a sufficient percentage of required suspicious activity reporting. If all alerts scored above, say 50 are reviewed, but the rate of SARs filed is less than 10 percent for alerts under 75 and there is a notable increase in the SAR/case ratio, for example it jumps to 25 percent at a score of 75, it may make sense to indicate that the institution will revise its filters — instead of turning them off — to address the risk that is actually found. While regulators may still care about the alerts that are no longer examined as closely (those between 50 and 75 in our example), perhaps the institution can address this by reconfiguring the alert scoring system such that these almost-but-not-quite-investigated alerts will impact the scoring of future alerts. That is, while the first alert may not become a fully investigated case, the next one will trigger a higher score, thus increasing the likelihood that the customer’s activity will be reviewed. This way, the decision to better allocate resources is focused on the risks involved, not a simple matter of profitability — or worse, trying to run compliance on the cheap. In this new regulatory environment, this will not be viewed favorably.
Action Plans
As noted above, honest risk and control assessments will help institutions determine the residual risks that need to be addressed. An institution should develop some means of combining the inherent risk and the controls in place to mitigate that risk to determine the residual risk to the institution; what risk still sits unmitigated. While it is unlikely that an institution will be able to remain profitable if it eliminates all risk, it needs to be sure it is comfortable with the risk that still remains. The results of the residual risk determinations should enable an institution to figure out where its highest risks are and where it should focus its attention. Some of this residual risk will be influenced by things such as the impact of the assessed area to the company. A retail bank that deems its thousands of checking accounts a high residual risk will likely consider this a higher risk than its two correspondent relationships with the smaller credit unions in the same town that use the bank for providing physical cash for their operations. However, the details of the risk analysis will help the institution determine how to prioritize this risk.
A key item cited in various enforcement actions is a centralized compliance oversight function. The Board of Governors of the Federal Reserve Board (“the Fed”) issued Supervision and Regulation Letter SR 08-08, http://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm, in October 2008, which focuses on enterprise-level oversight of compliance at institutions. While its target audience is large U.S. banks subject to Federal Reserve oversight and the overall compliance function, its principles apply to AML at any institution. The concept is simple: there needs to be a central function that understands the overall AML risk within the institution, monitors and tests the effectiveness of line of business AML compliance and that function needs to be sufficiently independent of the lines of business to be able to operate effectively. There is a separate component that requires management to be accountable for AML compliance, but that is a separate issue not addressed here.
Having a centralized function that could understand the full scope of the AML issues at many of the cited institutions, particularly one that would have had the independence and authority to enforce AML policies and procedures, could have prevented a lot of the issues. In many of these actions, one can see that there were a number of issues arising, but there was no central function that could see this in the aggregate and take action to address the larger issue. This criticism is not limited to the financial community; the Senate report cited the OCC for not taking action on the accumulated issues faster. This is not to point fingers at any of these institutions or regulators. Rather, this is a sign of how the regulatory environment is making a significant change by taking a holistic view of the AML issues at an institution rather than looking at things in a piecemeal manner. In fact, the OCC has indicated that it will revise its enforcement efforts and will likely be quicker to cite an AML program violation than it has in the past.
As institutions get larger, it is more essential that lines of escalation are clearly defined and remain open, without fear of retribution. With the development of new whistleblower incentives in the U.S., it is critical that institutions allow internal whistleblowers the opportunity to raise concerns without fear of being penalized. It is far better for them to raise the matter internally first than to be dissuaded by the perception that this could hurt their job — particularly with the incentive offered by the new whistleblower laws.
Summary
The Senate report on HSBC has introduced a new level of focus on AML issues at institutions. Many of the issues cited in the report, which while specifically focused on HSBC, are quite likely around at other institutions. The additional criticism of the OCC, who has already indicated that it will be revising the way it rates AML issues, further focuses its lens on the institutions it supervises. However, the scrutiny is not limited to just the OCC; many other examiners likely have seen how the Senate Subcommittee criticized the OCC and will realize that they too need to shift their focus to a more holistic one and act more quickly and strongly to get gaps and issues resolved. It is not just the financial industry that can learn from the publicly aired misfortunes of their peers. It is likely that they will take the lessons they’ve learned from this report as well as the enhanced scrutiny of HSBC and apply that in their future examinations. As stated before, this is not to criticize any of the institutions or regulators for their actions that are being judged after the fact; this is more a matter of pointing out a significant shift in the regulatory environment and all parties — the regulated and the regulators — need to be aware of the changes and take appropriate action.
Hopefully the advice presented above will help you prepare for this new regulatory scrutiny. By taking an honest look at the inherent risks your institution faces and the effectiveness of the controls in place to mitigate these risks, focusing on the risk, not the profitability, institutions can determine where they really need to apply their limited resources. However, the risk assessment results, in conjunction with the enhanced regulatory scrutiny and negative press, should help justify a case to management of the need for additional resources to bolster compliance in the near future. It is far better to learn from the mistakes of others than to have to experience it firsthand.
