Lessons from the HSBC case

In 2012, noncompliance with Anti-Money Laundering regulation resulted in penalties being imposed on HSBC to the extent of USD 1.9 billion. This article, written jointly with Prof. L. Prakash Sai of IIT Madras, and published in Business Standard on 17 November 2012 (see here), draws lessons from the case. The contributing factors include fast expansion of operations through acquisitions without infusing group culture in the new subsidiaries, and lack of due diligence on affiliates. The case also underlines the need for internationally active banks to understand, appreciate, and respect the regulations of other jurisdictions. Over reliance on technology also contributed to noncompliance. The case also points to the need for giving due regard to the compliance function and making the right choices when compliance is in conflict with business considerations. The case is also a warning against creative compliance, the need to ensure sustained compliance, and above all the need to adhere to international standards.

Read the article below:

Stuart Gulliver, CEO, HSBC said: “What happened in Mexico and the U.S. is shameful, it’s embarrassing, it’s very painful … ” The bank’s Mexican subsidiary was recently penalised USD 27.5 million for facilitating money laundering. Its US subsidiary has set aside USD 700 million for likely penalties in similar charges pertaining to 2001-10. There are also demands that the bank be asked to wind up operations in USA. Lessons for better conduct of global banking and compliance with anti-money laundering (AML) regulation could be drawn from the 340-page US Senate Sub-Committee Report and supporting documents.

Adherence to international standards. Global banks are expected to proactively comply with best practices as laid down in international standards, including the Wolfsberg AML Principles, the private initiative to which HSBC is a signatory. This could help avoid opening accounts in the name of companies with bearer shares and operating a shell branch in Cayman Islands with no office or employees, but assets of over USD 2 billion.

Infusing group culture in subsidiaries.  HSBC became the fourth biggest bank mainly through acquisitions. This strategy requires instilling a compliance culture appropriate to the group’s philosophy. The roots of HSBC’s problems include the acquisition in 2002 of Grupo Financiero Bital, a Mexican bank with known AML weaknesses, and Republic Bank of New York, whose clients included Al Rajhi Bank, a Saudi bank with alleged terrorist links. The failure to ensure a compliance culture of global standards across the group resulted in subsidiaries behaving like fiefdoms and challenging Group Compliance advices to sever links with certain clients or discontinue certain products.

Due diligence on affiliates. In the absence of a consistent group level compliance, the need to conduct due diligence on affiliates is greater. An automatic qualification for an affiliate or its transactions, as was the case in HSBC, is risky as they may be operating in high risk  jurisdictions (such as Mexico), have high risk clients ( Casas de Cambio    –  foreign exchange bureaus), high risk products (US dollar Cayman accounts) or have weak AML controls.

Respect other jurisdictions’ laws, regulations and controls. This is an essential ingredient for compliance culture at global banks. In HSBC, the possibility of transactions from Iran being subjected to detailed examination was circumvented by turning off online filters, not disclosing the identity of the sender/jurisdiction, routing through other banks/jurisdictions or by showing them as bank to bank transactions. The bank’s functionaries actively advised on how to dodge the filter. In numerous cases, the relevant field would show “Do not mention our name in New York ” . Processing certain transactions was rerouted through a UK server to avoid stringent US regulations.

Effective risk management.  Mexico was rated as low risk, despite its high risk environment and exports to the US of currency notes valued up to USD 4.2 billion in a year, with no relation to known legitimate trade or other requirements. Cross-border verification of suspicious activity alerts, done to clear huge backlogs and to meet regulatory deadline, is also risky as employees in other countries may not be fully conversant with local requirements.

Reliance on technology. While technology aids AML, overreliance could be counterproductive unless combined with appropriate human intervention. If this were done, the process would have recognised Yangon as Rangoon, Mynmar as Myanmar and “Sudanese Petroleum Corporation” as having a link with Sudan.

Due regard for compliance function. The function   should be adequately resourced and staffed with knowledgeable persons. In HSBC, AML compliance saw frequent changes, combining of responsibilities and was placed under inexperienced persons. A compliance head, frustrated with mounting backlogs in verifying suspicious activity reports, raised the matter of inadequate resources directly with the Audit Committee and was dismissed within a month. In other cases, those who raised objections were overlooked or replaced.

“Creative compliance” is no compliance. Travellers cheques are known conduits for money laundering. But, the bank had no effective monitoring of this business. Hokuriku Bank, a Japanese bank with weak AML controls, was routing large volumes of sequentially numbered high denomination travellers cheques through HSBC, apparently for Russian customers stated to be in the used car business. When advised to close the account, HSBC closed one of the two accounts in 2009, transferred the balance to the other, and continued the business till May 2012. Even in other jurisdictions, numerous accounts ordered to be closed were found to be active years later. Compliance vs. business. Compliance may involve trade-off with business growth and profits, but needs to be given priority. The bank’s gross violations and omissions even when profits were only USD 10 million per year from its Iranian business and USD 47,000 in one year from Hokuriku Bank are telling in itself.

Sustaining compliance.  Commitments to regulators are to be taken seriously, and compliance sustained, avoiding repeat observations. Apparently unrelated violations, symptomatic of a deeper malaise, could otherwise fester and swell into major violations, attracting parliamentary intervention, media attention and serious reputational consequences.

The thumb rule is that criminals may be willing to forgo up to 50% for laundering their wealth. Given this, the moot question is what level of penalty would be sufficient deterrence for a bank with profits of USD 22 billion (2011), when the amount laundered through negligence, incompetence and wilful noncompliance, could run into a few hundred billions, with untold social, political and economic consequences.

Gulliver summarises: “We need to execute on the compliance changes and then prove ourselves worthy and rebuild this over a number of years. There are no quick and easy fixes.” While “ tailoring banking solutions to suit individual needs ” and “personalising services” , banks need to ensure that they do not tread on legal and regulatory requirements. It may be “ one world ” , but jurisdictions are many and being present in several at the same time entails having to tailor ones processes and compliance to meet stringent requirements across the world.

The authors are respectively General Manager, Reserve Bank of India, and Professor, Department of Management Studies, IIT Madras. Views are personal. (Author bio relates to 2012)

© G Sreekumar 2021

For periodical updates on all my blog posts, subscribe for free at the link below:




error: Content is protected !!