HSBC HITS MAJOR REGULATORY MILESTONE IN UNWRAPPING OVERLAPPING AML ACTIONS, AS FED DROPS C&D ORDER

The U.S. operations of London-based HSBC hit a key regulatory milestone Tuesday as one of the plethora of regulatory agencies that has chastised the institution in the past for financial crime failings has terminated one of the many overlapping orders, penalties and agreements the bank has been juggling.

The Federal Reserve announced it has terminated a cease-and-desist order it leveled against HSBC – this one hanging around for nearly a decade and predating a later historic compliance penalty by two years, another validation that the bank’s anti-money laundering (AML) program is building positive momentum through investments in top talent, new systems and core philosophies.

The original prescriptive 12-page action issued by the Federal Reserve in October 2010 ordered the bank to strengthen board oversight, review documentation and decision-making around suspicious activity reports and engage in a broad and detailed compliance risk assessment.

That issue alone, the data going into the customer risk assessment and the backend methodology calculating it, is a current regulatory focal point that has seen many large domestic and international banks broadly fail in calibrating risk at the outset of a relationship and in keeping those analyses fresh, relevant and infused by transaction monitoring changes.

The Fed order exhorted HSBC to retool how it crafts customer, jurisdiction and other risk scores and to better pair them with the proper depth of corresponding controls, just to name a few. Those, and other problems, led to HSBC paying federal regulators and investigators $1.9 billion in a December 2012 deferred prosecution agreement (DPA).

As part of the penalty, the bank also had to pledge to improvements with the U.S. Treasury’s Office of the Comptroller of the Currency (OCC), the top regulator of the country’s largest and most complex banks.

The OCC had issued a lengthy, 29-page consent order against HSBC for AML failures in September 2010, which, presumably, is still in effect.

The order, similar to the Fed order, noted AML failures related to properly risk assessing customers and regions, the sophistication of the transaction monitoring system, decision-making of analysts and missed suspicious activity reports.

The penalty related to extensive and longstanding AML failings and sanctions missteps, resulting in the bank being hauled before Congress for laundering billions of dollars for some of the most feared criminal organizations on the planet.

That milestone is even more of a major accomplishment considering that in February 2017, in its annual report, a corporate monitor expressed “significant concerns” over HSBC’s progress in being able to comply with the encroaching December 2017, five-year DPA deadline.

Those fears ended up being unfounded.

In December 2017, the bank stated its DPA with the U.S. Department of Justice had expired. Failure to comply with the terms and timetables of the agreement could have meant the bank would be essentially “convicted” of money laundering, resulting in the bank potentially losing its charter in the United States.

Other lesser, but still very expensive, penalties were also on the table, including extending the length of the agreement and related remediation, bringing new charges against the bank or even handing down additional monetary penalties.

Continual improvement of processes, personnel

“Any time an organization is moving toward improvement in financial crime compliance operations and processes, we should applaud it,” said Debra Geister, chief executive officer of Section2 Financial Intelligence Solutions, a risk mitigation and investigations consultancy.

“Does that mean they are done? No,” said Geister, also a former compliance officer and consultant for large banks. “It’s a journey, not a destination, and they should continue the improvement process and continue to define how they approach the problem. All of us need to do that.”

One of the most difficult parts of closing multiple regulatory matters requiring attention (MRAs) is that the bank has to remediate a problem while compliance systems are still running, and keep up with day-to-day operations, she said.

“Change management is always a difficult thing,” Geister said. “As human beings, we don’t want change. And now we have to create a whole culture of change based on that enforcement action.”

That mantra goes beyond processes, policies and procedures, and must also be instilled in people, she said.

“People can get to the point of change fatigue,” Geister said. “That becomes even more challenging. They get so tired of constant change, they check out. That is part of the challenge of the [AML remediation] process, either choosing to change personnel or get them over the hump to keep them focused. It’s very dynamic and challenging to manage an enforcement action for that long.”

Growing compliance confidence

That the Fed terminated the order evinces more confidence in the bank, something that was nigh unthinkable during the high-stakes settlement negotiations years ago and acrimonious Congressional hearings.

In penalty documents and Congressional proceedings, HSBC admitted that over a decade it laundered more than $1.2 billion for illicit drug trafficking groups and rogue regime Iran.

During its long commercial relationship with Mexican drug cartels, HSBC was accused of moving $7 billion in drug cash to the U.S. in 2007 and 2008, chiefly through its Mexican affiliate. No top bank executives were prosecuted or went to jail.

The narrative, however, appears to be changing.

In the last few years, HSBC has gone from compliance pariah to law enforcement partner, snapping up some of the biggest names in the fincrime space and placing them in top program positions.

That storied list includes many former top U.S. Treasury officials, including Robert Werner, Stuart Levey, and, most recently, Jennifer Shasky Calvery, a trailblazer at the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).

Also factoring into the government’s analysis of compliance with the DPA and prior enforcement orders were broad improvements in HSBC’s systems to analyze for both aberrant behavior and illicit actors and being part of initiatives by global watchdog groups to counter specific crimes, such as human trafficking.

In a rare move by the Paris-based Financial Action Task Force (FATF) earlier this month, it also explicitly stated the red flags and transactional details in a lengthy report on human trafficking could not have been gleaned without analysis and data from many of the largest banks and money remitters in the world.

The group mentioned by name the vital aid provided by HSBC and other banks, including Barclays, Standard Chartered, Western Union, Ria Financial, the Wolfsberg Group and European and American Bankers’ Alliances.

In April, the bank confirmed it was tinkering with artificial intelligence to strengthen its AML systems and better spot a broad range of crimes, according to the Financial Times.

The move was expected to increase the accuracy of alerts generated by AML transaction monitoring systems, mesh those with social media and other open source data sources, and present a fuller picture to analysts, who can then make better decisions to turn those data points into rich intelligence for law enforcement.

Progress, but pitfalls aplenty

Those accolades and innovations are tempered, though, with reports that the U.K.’s Financial Conduct Authority (FCA), and DOJ, are also analyzing the bank’s AML controls related to a South African graft scandal and the sprawling FIFA corruption probe, among other still wriggling strands of outstanding compliance, investigative and regulatory risks.

The bank also stated in financials recently it potentially processed transactions related to an individual on U.S. sanctions lists for proliferation offenses.

Overall, however, since 2015, HSBC has “substantially improved” its IT infrastructure to better uncover and analyze financial crime, investing $1 billion in new and upgraded systems, according to its website.

As part of that initiative, the bank built a “single environment that takes all the data from our millions of customers worldwide and brings it together in an integrated way.”

On the whole, HSBC’s compliance team is five times bigger than in 2013, according to its site.

In recent years, the bank has also created a dedicated Financial Crime Risk (FCR) to merge risk management and compliance across the spectrum of financial crime, along with strengthening public-private partnerships to better understand and react to criminal trends directly from law enforcement.

The terminating of the Fed enforcement, however, will also go a long way to validating the hard work of a dedicated compliance team, refilling their passion and purpose, said a compliance officer at a large bank.

“I have helped banks in those situations and it’s multiple years of working seven days a week, working until the wee hours of the night and it is draining,” said the person, who asked not to be named. “So, seeing that win means a lot to folks. There are a lot of unsung heroes behind the lifting of an enforcement action.”