On Tuesday, the U.K. bank HSBC agreed to pay $1.9 billion, including $1.2 billion in forfeiture, to resolve allegations that it violated the Bank Secrecy Act by failing to maintain an effective anti-money-laundering compliance program and violated U.S. trade control (sanctions) laws by conducting transactions on behalf of customers in sanctioned countries, including Cuba, Iran, Libya, Sudan, and Burma. Though monitors appointed by the U.S. Department of Justice have become increasingly uncommon, HSBC agreed to a monitor who will oversee the bank’s compliance program for the next five years, the maximum potential period of corporate probation and the longest monitorship in recent memory. The U.K. Financial Services Authority is pursuing a separate action against the bank.

The big forfeiture numbers grabbed the headlines, but the real lesson for corporate compliance officers is found in the five pages’ worth of remedial measures to address sanctions and money-laundering risk (see pages 5-9 of the HSBC Deferred Prosecution Agreement [PDF]).

The Bank Secrecy Act requires banks such as HSBC to maintain a system of internal controls to prevent money laundering and to identify customers who may seek to use the bank to conceal the proceeds of crimes ranging from terrorism to drug trafficking. Recognizing that the proceeds of any successful criminal activity will likely find their way into the financial system, U.S. money-laundering laws are generally designed to ensure that transactions do not conceal the source of the money (for example, by splitting cash deposits into amounts under $10,000 to avoid the currency transaction reports that financial institutions must file) or facilitate criminal conduct. If a bank suspects a customer is conducting transactions in a way that looks fishy, it is supposed to file a suspicious activity report with the U.S. Department of the Treasury through the Financial Crimes Enforcement Network (FinCEN).
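The deposit-splitting pattern described above ("structuring") is the kind of thing a bank's transaction-monitoring rules exist to catch. The following is an added illustration, not code from the article, from HSBC, or from any regulator: it puts the two controls side by side, flagging single cash deposits that require a currency transaction report and flagging customers whose sub-threshold cash deposits, taken together within a rolling window, add up to more than the reporting threshold. The $10,000 threshold is the one the article names; the seven-day window, the two-deposit minimum, the customer identifiers and the transactions are all constructed assumptions for the example.

```python
"""Constructed example: flag cash-deposit structuring below the CTR threshold."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Banks must file a Currency Transaction Report (CTR) for cash transactions of
# more than $10,000; splitting cash into smaller deposits to dodge that report
# is "structuring", and it is the pattern an AML monitoring rule looks for.
CTR_THRESHOLD = 10_000
WINDOW = timedelta(days=7)  # assumed look-back window, not a regulatory figure
MIN_DEPOSITS = 2            # assumed: a single sub-threshold deposit is not a pattern


@dataclass(frozen=True)
class CashDeposit:
    customer: str
    when: datetime
    amount: float


def ctr_required(deposits):
    """Deposits that trigger a CTR on their own (no structuring involved)."""
    return [d for d in deposits if d.amount > CTR_THRESHOLD]


def find_structuring(deposits, threshold=CTR_THRESHOLD, window=WINDOW,
                     min_deposits=MIN_DEPOSITS):
    """Return one alert per customer whose sub-threshold cash deposits, taken
    together within a rolling window, exceed the CTR threshold.

    Each alert is a dict: customer, first, last, count, total. Only the
    earliest qualifying window is reported; later activity belongs to the
    same case rather than a second alert.
    """
    below = defaultdict(list)
    for d in deposits:
        if d.amount <= threshold:          # above-threshold deposits get a CTR instead
            below[d.customer].append(d)

    alerts = {}
    for customer, items in below.items():
        items.sort(key=lambda d: d.when)
        start, running = 0, 0.0
        for end, d in enumerate(items):
            running += d.amount
            # slide the window forward until it spans at most `window`
            while d.when - items[start].when > window:
                running -= items[start].amount
                start += 1
            count = end - start + 1
            if count >= min_deposits and running > threshold:
                alerts[customer] = {
                    "customer": customer,
                    "first": items[start].when,
                    "last": d.when,
                    "count": count,
                    "total": round(running, 2),
                }
                break
    return alerts


# Constructed sample transactions (not real customer data).
SAMPLE = [
    CashDeposit("C-1001", datetime(2012, 12, 3), 9_500),   # three deposits just
    CashDeposit("C-1001", datetime(2012, 12, 4), 9_800),   # under $10,000 in
    CashDeposit("C-1001", datetime(2012, 12, 6), 9_700),   # four days
    CashDeposit("C-1002", datetime(2012, 12, 3), 12_000),  # single large deposit: CTR, not structuring
    CashDeposit("C-1003", datetime(2012, 12, 1), 4_000),   # two small deposits
    CashDeposit("C-1003", datetime(2012, 12, 20), 4_500),  # 19 days apart: outside the window
    CashDeposit("C-1004", datetime(2012, 12, 1), 6_000),   # two deposits, each under the
    CashDeposit("C-1004", datetime(2012, 12, 5), 6_000),   # threshold, $12,000 in four days
    CashDeposit("C-1005", datetime(2012, 12, 2), 3_000),   # small deposits that never
    CashDeposit("C-1005", datetime(2012, 12, 3), 3_000),   # reach the threshold
]


def run_sample():
    """Apply both controls to the constructed sample."""
    return {
        "ctr": sorted(d.customer for d in ctr_required(SAMPLE)),
        "structuring": find_structuring(SAMPLE),
    }


if __name__ == "__main__":
    result = run_sample()
    print("CTR required:", result["ctr"])
    for a in result["structuring"].values():
        print(f"structuring alert: {a['customer']} made {a['count']} deposits "
              f"totalling ${a['total']:,.0f} between {a['first']:%Y-%m-%d} "
              f"and {a['last']:%Y-%m-%d}")
```

On the sample, C-1002 is reported through the ordinary CTR path, C-1001 and C-1004 raise structuring alerts, and C-1003 and C-1005 stay quiet because their deposits are either too far apart or too small in aggregate. A real rule would also look across branches and account types, since the point of structuring is to spread the cash thinly enough that no single view sees it.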

Banks are also supposed to know their customers. The success of money-laundering laws depends, in large part, on banks maintaining adequate controls to identify suspicious transactions and customers. U.S. sanctions generally prohibit transactions involving sanctioned countries, entities, or individuals. As with anti-money-laundering controls, an effective sanctions compliance program must, at a minimum, screen customers, where the company’s products go, and who uses them. HSBC is the latest bank whose compliance program proved ineffective in addressing both sanctions and money-laundering risks.

In addition to the five-year monitorship and $290 million for remedial measures (not including the millions that will go to the monitor), HSBC agreed to undertake a number of significant compliance reforms, including “claw[ing] back” bonuses from a number of senior money-laundering compliance officials, including the chief compliance officer and the CEO. HSBC’s compensation system for senior executives was redesigned so that meeting compliance obligations has a significant impact on bonuses, with failure to meet compliance objectives potentially voiding an executive’s entire year-end bonus. The agreement also mandates structural reforms that strengthen compliance reporting lines and bring additional compliance resources to bear.

The agreement also endorses the risk-based approach set out in the Foreign Corrupt Practices Act guidance issued by the Justice Department and Securities and Exchange Commission last month. HSBC’s prior approach to evaluating risk was flawed, allowing the bank to rank Mexico in its lowest risk category, despite the obvious risks of doing business there, and to exclude $670 billion from adequate monitoring. After the investigation, HSBC revised its approach and now has “a new customer risk-rating methodology based on a multifaceted approach that weighs the following factors: (1) the country where the customer is located, (2) the products and services utilized by the customer, (3) the customer’s legal entity structure, and (4) the customer and business type.”

This may seem like basic blocking and tackling for an effective risk-based compliance program driven by empirical data (the so-called Moneyball approach to compliance), but many companies have yet to adopt the risk-based approach now expected by enforcement authorities.

Unlike the fines paid in most criminal cases (such as a typical FCPA case), which go into the black hole of the general Treasury fund, the $1.2 billion in forfeiture paid by HSBC goes into the government forfeiture fund for law enforcement agencies to fight crime. (Imagine your local sheriff’s office purchasing a fleet of new Dodge Challengers after a large drug money seizure.) This will provide agencies such as the Justice Department with a wealth of resources to prosecute future money laundering cases, an early Christmas gift for the DOJ.

As more banks focus efforts on money-laundering compliance, they will begin to ask questions of their customers and develop more robust anti-money-laundering and sanctions compliance programs. If publicly available codes of conduct are any indication, many companies are behind the curve in addressing compliance.

Our 2011 review of the Fortune 500 companies’ codes of conduct found that only 90 include anti-money-laundering policies and 201 include trade-control policies. These companies may have anti-money-laundering or trade-control (including sanctions) policies lurking somewhere on their internal websites, but omitting them from the code of conduct signals that they are viewed as less significant than other risks. We are in the process of finalizing the 2012 data and remain optimistic that, after hundred-plus-million-dollar settlements involving institutions such as Credit Suisse, the ING Group, and Standard Chartered, these numbers will improve. While the FCPA has underwritten an entire compliance industry, these settlements remind companies that terrorism and drug trafficking are priorities for the Justice Department, too.

If the publicity surrounding these settlements does not get the attention of companies, banks will begin to remind them of the importance of these risks. Banks that have been in trouble or are under investigation will be incentivized to drop customers without effective compliance programs or report those customers with potential sanctions violations to the Justice Department. HSBC is a prime example—the U.K. bank’s remediation efforts require that it report any attempts to violate sanctions laws to the DOJ. And with another billion-plus dollars available to prosecute these violations, the Justice Department will listen.

Ryan McConnell is a partner at Baker & McKenzie in Houston and former federal prosecutor. Charlotte Simon is an associate at Baker & McKenzie in Houston and former federal law clerk. Both teach a course on International Corporate Compliance at the University of Houston Law Center that focuses on building risk-based compliance programs using empirical data.

See also: “HSBC Agrees to $1.9B Penalty in Money Laundering Probe,” New York Law Journal, December 2012.