On 17/12/21 the FCA issued a fine of almost £64m against HSBC for failing to have effective anti-money laundering processes in relation to automated transaction monitoring (TM). This follows on from the fine of £265m against RBS for similar failures and is a clear indication of the increasing enforcement actions that are being undertaken by the FCA.
The intention of imminent FCA action was also clearly signalled in the FCA’s ‘Dear CEO’ letter which was sent to retail banks at the end of June 2021.
The letter specified a number of areas where the FCA were seeing consistent AML issues arising within the industry. One of the areas highlighted was transaction monitoring and, in particular, understanding the calibration of TM systems and the accuracy of the data that is needed by these systems.
It is also interesting to note that the decision notice issued by the FCA to HSBC was under specific sections of the 2007 Money Laundering Regulations. In the majority of the previous final notices by the FCA for money laundering, action has been taken under the FCA System and Control Regulations.
The use of criminal legislation is a further indication of the intent of the FCA and seriousness that is being attached to such failures.
The key areas identified in the FCA Final Notice issued to HSBC focused on:
• Understanding whether the scenarios deployed were aligned to the AML risks that have been identified;
• Reviewing and testing parameters and thresholds to determine whether they are effective;
• Determining the accuracy and completeness of the data that is used by TM systems.
Knowing and understanding the risks that your customers present to your financial institution is fundamental in creating an effective financial crime framework.
All regulated institutions need to undertake an enterprise-wide AML risk assessment, which is normally an annual exercise. The output of this assessment should shape your firm's risk appetite, policies and procedures.
Firms are required to undertake ongoing monitoring of their clients on a risk-sensitive basis which will permit flexibility in approach depending on the financial crime risk. That approach must be documented in detail.
It should be noted that not all products are suitable for complex automated TM systems, but where an automated TM system is deployed, the firm needs to be able to demonstrate that the scenarios that are deployed to identify unusual or suspicious behaviour are designed to cover the AML risks identified in the risk assessment. Any assessment of the scenarios should be a dynamic exercise with the ability to alter or amend TM systems to meet new and changing risks.
In HSBC’s case, there were 6 scenarios in place from 2002 to 2016 which were not deemed sufficient given the size, complexity, geographic reach and volume of transactions.
The risk of financial crime is constantly evolving with organised crime designing new scams and frauds. Regulated entities must be aware of those designs and amend their controls accordingly. The effectiveness of a TM system will depend on the parameters that have been set and the number of alerts those parameters generate.
Historically, many TM systems have been designed on a set of specific ‘rules’ that provide an alert when the rule is triggered. These ‘rules’ need to be reviewed regularly to ensure that they remain effective.
It is important that changes to customer details are assessed on an ongoing basis as the impact of change may take the customer outside the firm’s risk appetite.
Firms need to understand the impact of the scenarios that they are using to identify suspicious behaviour. Alerts generated from unrealistic or unfeasible scenarios will not be assessed as being effective.
The accuracy and completeness of data that is being used by a TM system is critical. Understanding the source of the data and how it has migrated and possibly changed as it passes from system to system through a firm is essential.
Whilst the findings against HSBC may be considered historic, the principles remain valid. Firms need to understand and document the risks that they face. Policies and procedures need to reflect the risk appetite of the organisation, and controls need to be regularly reviewed and adjusted according to the risk.
The advent of new technology such as machine learning and the use of artificial intelligence tools will no doubt assist in managing vast numbers of transactions. However, staff within regulated firms will need to understand how such systems work and ensure those systems are attuned to the risks of financial crime that their financial institution faces.
The FCA decision notice can be found at https://www.fca.org.uk/publication/decision-notices/hsbc-bank-plc.pdf.
John Flynn
10 January 2022