The HSBC AML Settlement - Lessons Learned for the AML Compliance Practitioner

by Thomas Fox

I recently wrote about banks behaving badly. Currently, Exhibit A in that list is HSBC. In December, 2012, the UK banking giant HSBC agreed to pay a fine of $1.92 billion for its transgressions involving money laundering. Today I want to look at the violations which the company engaged in and its resolution.

I.                   HSBC AML Violations

Regarding the HSBC AML claims there were four major areas of money laundering violations by HSBC. As listed in the Statement Facts to the Deferred Prosecution Agreement (DPA) they read:

10. There were at least four significant failures in HSBC Bank USA’s AML program that allowed the laundering of drug trafficking proceeds through HSBC Bank USA:

  1. Failure to obtain or maintain due diligence or KYC information on HSBC Group Affiliates, including HSBC Mexico;
  2. Failure to adequately monitor over $200 trillion in wire transfers between 2006 and 2009 from customers located in countries that HSBC Bank USA classified as “standard” or “medium” risk, including over $670 billion in wire transfers from HSBC Mexico;
  3. Failure to adequately monitor billions of dollars in purchases of physical U.S. dollars (“banknotes”) between July 2006 and July 2009 from HSBC Group Affiliates, including over $9.4 billion from HSBC Mexico; and
  4. Failure to provide adequate staffing and other resources to maintain an effective AML program.

We will review each of these in more depth to provide guidance to the AML compliance practitioner on the steps that their financial institution needs to take.

a.      HSBC Bank USA Failed to Conduct Due Diligence on HSBC Group Affiliates

One of HSBC Bank USA’s high risk products was its correspondent banking practices and services. Correspondent accounts were established at banks to receive deposits from, make payments on behalf of, or handle other financial transactions for foreign financial institutions. They are considered high risk because the US bank does not have a direct relationship with the clients and, therefore, has no diligence information on the foreign financial institution’s customers who initiated the wire transfers. To mitigate this risk, the Bank Secrecy Act (BSA) requires financial institutions to conduct due diligence on all non-US entities for which it maintains correspondent accounts. There is no exception for foreign financial institutions with the same parent company.

HSBC Bank USA was required under the BSA to conduct due diligence on all foreign financial institutions with correspondent accounts, including HSBC Group Affiliates, which it failed to do, from at least 2006 to 2010.  The decision not to conduct due diligence was guided by a formal policy memorialized in HSBC Bank USA’s AML Procedures Manuals.

b.      HSBC Bank USA Failed to Adequately Monitor Wire Transfers

From 2006 to 2009, HSBC Bank USA monitored wire transfers using an automated system called the Customer Account Monitoring Program (“CAMP”). The CAMP system would detect suspicious wire transfers based on parameters set by HSBC Bank USA under which various factors triggered review, in particular, the amount of the transaction and the type and location of the customer. However, HSBC Bank USA knowingly set the thresholds in CAMP so that wire transfers by customers located in countries categorized as standard or medium risk, including foreign financial institutions with correspondent accounts, would not be subject to automated monitoring unless the customers were otherwise classified as high risk.

Between 2000 and 2009, HSBC Bank USA, specifically disregarded numerous publicly available and industry-wide advisories about the money laundering risks inherent to Mexican financial institutions. These included the following:

  1. The U.S. State Department’s designation of Mexico as a “jurisdiction of primary concern” for money laundering as early as March 2000;
  2. The U.S. State Department’s International Narcotics Control Strategy Reports from as early as 2002 stating that Mexico was and continues to be one of the most challenging money laundering jurisdictions for the United States;
  3. The April 2006 Financial Crimes Enforcement Network (“FinCEN”) Advisory concerning bulk cash being smuggled into Mexico and deposited with Mexican financial institutions;
  4. The federal money laundering investigations that became public in 2007-08, involving Casa de Cambio Puebla, a Mexican-based money services business that had accounts at HSBC Mexico, and Sigue, a U.S.-based money services business, that had accounts at HSBC Mexico; and
  5. The federal money laundering investigation into Wachovia for its failure to monitor wire transactions originating from the correspondent accounts of certain Mexican money services businesses, which became public in April 2008.

 c.       HSBC Bank USA Failed to Monitor Banknotes’ Transactions with HSBC Group Affiliates

HSBC Bank USA’s Banknotes business (“Banknotes”) involved the wholesale buying and selling of bulk cash throughout the world. The Banknotes business line was a high risk business because of the high risk of money laundering associated with transactions involving physical currency and the countries where some of its customers were located. In an attempt to mitigate these risks, Banknotes’ AML Compliance monitored customer transactions.  The purpose of transaction monitoring was to identify the volume of currency going to or coming from each customer and to determine whether there was a legitimate business explanation for buying or selling that amount of physical currency.

Despite the high risk of money laundering associated with the Banknotes business and FinCen advisories to the contrary, the HSBC Banknotes’ AML compliance consisted of one, or at times two, compliance officers. Unlike the CAMP system for wire transfers, Banknotes did not have an automated monitoring system, and, as a result, the Banknotes’ compliance officers were responsible for personally reviewing the transactions of approximately 500 to 600 Banknotes customers. These attempted reviews were deemed wholly insufficient.

d.      HSBC Bank USA Failed to Provide Adequate Staffing and Other Resources to Maintain an Effective AML Program

HSBC’s conduct regarding its AML policy was found to be completely wanting. Not only did the Bank fail to fill senior compliance officer positions after personnel left the Bank but it actually reduced the resources available to the compliance program by cutting funding in 2007. In 2008, the Chief Operating Officer (COO) for Compliance conducted an internal review of the AML compliance program and found it to be “behind the times” and noted that the program was under-resourced and understaffed. Despite these findings the Bank did not begin to address the resource problems until late 2009.

II.                      HSBC Remedial Measures

The Department of Justice (DOJ) listed the remedial actions which HSBC engaged in that led, in part, to successfully avoiding a Criminal Indictment by the DOJ.

  1. Change in Leadership and increase in resources. The Bank hired a new leadership team. In 2011, the Bank spent more than $244 on its compliance program. The Bank substantially increased the personnel in its compliance function from 92 full time employees and 25 consultants in 2010 to 880 full time employees and 267 consultants as of May 2012.
  2. Claw Backs. The Bank ‘clawed back’ compensation from senior company executives.
  3. Compliance Function. The Compliance Department was separated from the legal department and given direct reporting lines to the Board of Directors.
  4. Exiting high risk business lines. The Bank exited the Banknotes business and ended 109 high risk business relationships.

The HSBC investigation and enforcement action took years and cost the Bank millions of dollars. The Bank ignored not only its internal compliance requirements but also outside information about the high risk nature of many of its business relationships. Banks must review their compliance programs to determine if any of the factors present in the HSBC matter are risks to their business models and remediate them as soon as possible to avoid a similar fate.

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.