Last July 17, the US Senate Permanent Subcommittee on Investigations held a public hearing that revealed many serious violations HSBC had committed over several years under the eyes of examiners of the Office of the Comptroller of the Currency. During the lengthy worldwide probe by the subcommittee, which has a staff of nine, the OCC brass in Washington and hundreds of its supervisors and examiners in the United States, became aware of the findings that included severe OCC supervisory failures.
The findings and the resulting subcommittee report, titled “US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History,” documented in great detail both sets of abuses and failures by the giant institution and by the OCC, its principal regulator.
New OCC Comptroller of the Currency vowed reforms
Thomas Curry, the new head of the Office of the Comptroller of the Currency, told the subcommittee he would implement major changes in the oversight of financial crime and money laundering controls at institutions it supervises. Flanked by top colleagues, he said the OCC would adopt the Subcommittee’s recommendations to strengthen examination policies for the nearly 2,000 national banks and US affiliates of international institutions it regulates. Those institutions account for 75 percent of all assets that US commercial banks hold.
Two months later, the promised reforms have been slow to emerge. The OCC issued no new guidance to financial institutions on changes they may expect or the timing.
An OCC spokesperson told ACFCS.org the agency has no information or timeline on implementation of Curry’s promised reforms beyond what he told the Senate panel on July 17.
Several financial crime compliance professionals say they have seen no evidence of guidance or publicly announced regulatory changes from the OCC. While all report that pressure on AML compliance departments has intensified in the wake of the Senate hearing, some question if the HSBC scandal – and the stinging criticism the bank and OCC received – will leave a lasting structural impact on the regulatory and compliance fields.
“The expectation is that everyone is going to have an epiphany on compliance after these major cases,” says Laura Goldzung, principal of AML Audit Services, in New Jersey. “So far, at least, the guidance coming from the OCC is the same. Nothing has changed.”
Andrew Ittleman, a Miami attorney who specializes in AML matters at Ittleman & Associates, says in view of the HSBC fallout, “the message on compliance should be loud and clear. Is it being felt? I don’t think so. For whatever reason, the message to banks and regulators just isn’t getting out there.”
OCC promised three major changes in supervisory policies
At the hearing, Curry and other OCC officials announced they would implement three major revisions in how financial crime and money laundering compliance programs are reviewed and rated:
- Altering examination policies so AML and Bank Secrecy Act “deficiencies are fully considered in a safety and soundness context, and are taken into account as part of the “management” component of a bank’s… rating.” Presently, the OCC is the only federal financial institution regulator that counts weaknesses in AML/BSA compliance as part of a bank’s “consumer compliance” rating. Senator Carl Levin, of Michigan, the Subcommittee chair, told Curry this approach mischaracterizes money laundering violations and lessens incentives to HSBC and other banks to correct compliance failings. Bad marks in an institution’s “consumer compliance” do not carry over to its CAMEL ratings that have far more weight in assessing a bank’s vulnerabilities.
- “[Revamping] our… approach to citing BSA/AML violations to provide more flexibility for individual ‘pillar’ violations to be cited.” This means the OCC would inform a bank of the laws it violated when an examination discloses failures in the four so-called “pillars” of a good money laundering and financial crime control program: 1. internal controls, 2. a competent AML compliance officer, 3. an adequate AML training, and 4. independent testing of the program to assure proper functioning. The OCC now rarely cites statutory violations. Instead, it designates “Matter Requiring Attention” by the bank, a softer and more bland approach. This change would signify another OCC alignment with other regulators, such as the FDIC. The Subcommittee report notes that from 2007 to 2011 the FDIC cited 156 AML violations, while the OCC cited 16.
- “Revising… the operation of [the OCC’s] Large Bank BSA Review Team to enhance our ability to… react on a more timely basis… where a bank has multiple… matters requiring attention, or apparent violations of the… components of its BSA/AML program.” The Large Bank Team was sharply rebuked by the Subcommittee for its extremely slow pace in responding to the many violations and failings at HSBC. Curry admitted that OCC examiners had found “severe pre-existing BSA/AML deficiencies” at HSBC as far back as 2004. Even with that evidence in hand, the OCC waited six years to issue a Cease and Assist order against HSBC. Still, no monetary penalty or other public sanction has been imposed by the OCC or any other US regulatory agency on the Hong Kong and British-based institution.
Shining light on management ‘scorecard’ a likely compliance boost
Placing financial crime and AML compliance failures in the category of bank management ratings may cause the greatest improvement in financial crime compliance at OCC-supervised banks. Goldzung notes that ratcheting up regulatory pressure on an institution’s leadership makes sense, given that managerial neglect or malfeasance played a key role in the global financial crime debacle at HSBC.
The debacle included serial violations of US sanctions laws that diverted funds to countries like Iran, which increased the risk of terrorism against the United States. Other violations included the laundering of drug proceeds for Mexican drug cartels and the possibility of corruption proceeds being laundered through HSBC offshore facilities.
“Usually in cases of systemic breakdown it’s management that massed up, not compliance,” says Goldzung. “The compliance team may be raising objections, but management just rolls right over compliance, making excuses for what’s wrong.”
“Everybody needs a scorecard,” Goldzung adds. “It’s about reputational assets. Hopefully, this keeps the management team committed to doing things ethically and correctly.”
Individual accountability at institutions still an issue
The promised actions by the OCC do not address the wider issue of individual accountability for institutional lawlessness, says Ittleman. He notes that the seemingly large monetary penalties that sometimes follow regulatory actions, which are minor to global institutions whose profits range amount to dozens of billions of dollars yearly, fall on the institution. The senior leaders who made and executed the decisions to break the law and ignore compliance go scot free, and sometimes even receive increases in their handsome compensation packages.
“I don’t know if [financial institutions] can feel pressure. I’m not sure there’s anyone there to feel it,” Ittleman says. “An institution is an institution. If you come to my home and put a gun to my head, I’m going to feel it. If you put a gun to a house, it’s not going to feel anything. It’s a house.”
Congressional inquiries usually spawn regulatory flurry
Congressional action usually spawns a flurry of activity by regulators who are anxious to show Congressional committees that approve their budgets and write the laws that govern them that they are not pushovers to the institutions they regulate. Not unexpectedly, that has been the result of the HSBC criminality by the Levin subcommittee.
“The pressure on compliance has definitely increased,” says Goldzung. “People doing these jobs already work really hard, and it only creates more challenges when cases like this come down.”
“Compliance is facing even more scrutiny now, but I don’t think anyone in-house would say the scrutiny ever let up,” says a senior AML compliance professional, who asked not to be identified because her institution does not approve such comments. She said she hopes the OCC shake-up does not simply translate to more strain on compliance teams.
“AML compliance walks around with a target on its back all the time,” she says. “These jobs suck badly enough as it is.”