FCPA Compliance and Ethics Blog

March 9, 2015

Who is Responsible for Complying with the FCPA?

The Department of Justice (DOJ) still faces criticism over its Foreign Corrupt Practices Act (FCPA) enforcement strategy. Some decry that it is too aggressive, that the DOJ has moved into waters Congress never intended the DOJ to navigate into regarding the FCPA. Others worry that the DOJ, through its use of settlement mechanisms such as Deferred Prosecution and Non-Prosecution Agreements (DPAs and NPAs), let corporations off too easily with fines and other monetary penalties being the equivalent of a slap on the wrist. Yet another school of thought says that it is up to the DOJ to tell companies how not to engage in bribery and corruption by specifying precisely what type of anti-corruption compliance program to put into effect.

One thing these commentariat all have in common is that they generally do not look to those responsible for obeying the law, i.e. companies and persons who are subject to the FCPA, for their responsibility of complying with the law. Such failure seems to me to be sadly misplaced. But it is not simply Mike Volkov’s FCPA Paparazzi who fail to assess a corporation’s role in their failure to comply with the law; unfortunately it is also company leaders themselves.

We recently were treated to another such display of ‘What Me Worry?’ mentality by HSBC Chief Executive Officer (CEO) Stuart Gulliver when he said, “Can I know what every one of 257,000 people is doing?” Leaving aside the issue of whether a corporate CEO who has signed one of the largest DPAs in the history of the world (for money-laundering, not FCPA violations) should admit (1) he doesn’t care or (2) his company is too unwieldy for it to obey the laws that you and I follow every day, Gulliver inadvertently hit upon one of the key concepts of a best practices compliance program. That concept is a well-rounded program that assures compliance, not some all knowing, all seeing narcissist at the top.

In a Financial Times (FT) article entitled “Too big to manage”, Andrew Hill blasted Gulliver’s statement as “disingenuous” but went on to state, “Knowing what every employee is doing is not the leader’s responsibility. But by using a combination of the right structure, the latest technology and, above all, by imbuing a company with the correct culture and reinforcing regular communication with visits to the shop floor, he or she should be able to limit the chance of a major scandal.” Hill quoted management thinker Henry Mintzberg for the following, “You can’t excuse [scandals] by saying we have so many employees. You . . . have got to be on the ground to have a sense of what your organisation is all about.”

This means a CEO is not required to know everything but he does need to have an overall sense of whether his company is moving in a direction to do things such as follow the law. I would say this is even truer when you have promised (yet again) in a DPA that your company will follow the law. It also means that the leader sets the tone. If your leader takes the position that he or she cannot know what everyone is doing, that tone will be communicated down to the field troops but the message will be that said maximum leader does not care what the middle and lower levels are doing. Hence the DOJ would say that it all starts with Tone at the Top. Sadly Gulliver does not seem to acknowledge, let alone understand, that issue.

But more than simply having a leader that cares and is engaged, Gulliver’s statement belies other aspects of a best practices compliance program. Technology provides a mechanism for oversight of a compliance regime. Under the FCPA Ten Hallmarks of an Effective Compliance Program, monitoring is recognized as a key element, so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. Hill said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

I would advocate that it is the interplay of the right message, tools in place to communicate and enforce the message and then oversight to ensure compliance with the message that allows a 250,000 plus employee base company to have a chance to operate in compliance with their legal obligations. Echoing this maxim, Hill quoted Rick Goings, Chairman and CEO of Tupperware Brands Corporation, for the following, “Wars are won not by generals, but by non-commissioned officers. If you have the right kind of structure…and behind that a value system, I think you can do it.”

HSBC continues to be the poster child for compliance lessons learned, whether intentional or not. Hill concluded his piece with the following, “The lesson may be that, irrespective of the size of the company, executives who lose touch with how their staff are using the culture they preach are courting embarrassment and scandal. The trend towards large companies operating through smaller units, with more autonomy and accountability for their actions, does not absolve leaders from meeting their traditional responsibilities to know what is happening on the frontline. As Prof Fischer suggests, they should manage according to the old Russian proverb that Ronald Reagan adopted when dealing with the Soviet Union in the 1980s: trust, but verify.”

There is a plethora of compliance regimes that companies can look to in order to create a best practices compliance program. Simply put, it is a relatively straightforward exercise; perhaps not easy but certainly there are well-articulated compliance programs that companies can follow. To continue to criticize the DOJ (and Securities and Exchange Commission) for failing to communicate what they wish to see in a best practices compliance program simply fails to take into account the responsibility that corporations have in complying with US laws. The information is out there in abundance. Even a weekend article in the FT lays it out for you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 14, 2013

The HSBC AML Settlement – Lessons Learned for the AML Compliance Practitioner

I recently wrote about banks behaving badly. Currently, Exhibit A in that list is HSBC. In December, 2012, the UK banking giant HSBC agreed to pay a fine of $1.92 billion for its transgressions involving money laundering. Today I want to look at the violations which the company engaged in and its resolution.

I. HSBC AML Violations

Regarding the HSBC AML claims, there were four major areas of money laundering violations by HSBC. As listed in the Statement of Facts to the Deferred Prosecution Agreement (DPA) they read:

10. There were at least four significant failures in HSBC Bank USA’s AML program that allowed the laundering of drug trafficking proceeds through HSBC Bank USA:

  1. Failure to obtain or maintain due diligence or KYC information on HSBC Group Affiliates, including HSBC Mexico;
  2. Failure to adequately monitor over $200 trillion in wire transfers between 2006 and 2009 from customers located in countries that HSBC Bank USA classified as “standard” or “medium” risk, including over $670 billion in wire transfers from HSBC Mexico;
  3. Failure to adequately monitor billions of dollars in purchases of physical U.S. dollars (“banknotes”) between July 2006 and July 2009 from HSBC Group Affiliates, including over $9.4 billion from HSBC Mexico; and
  4. Failure to provide adequate staffing and other resources to maintain an effective AML program.

We will review each of these in more depth to provide guidance to the AML compliance practitioner on the steps that their financial institution needs to take.

a. HSBC Bank USA Failed to Conduct Due Diligence on HSBC Group Affiliates

One of HSBC Bank USA’s high risk products was its correspondent banking practices and services. Correspondent accounts were established at banks to receive deposits from, make payments on behalf of, or handle other financial transactions for foreign financial institutions. They are considered high risk because the US bank does not have a direct relationship with the clients and, therefore, has no diligence information on the foreign financial institution’s customers who initiated the wire transfers. To mitigate this risk, the Bank Secrecy Act (BSA) requires financial institutions to conduct due diligence on all non-US entities for which it maintains correspondent accounts. There is no exception for foreign financial institutions with the same parent company.

HSBC Bank USA was required under the BSA to conduct due diligence on all foreign financial institutions with correspondent accounts, including HSBC Group Affiliates, which it failed to do, from at least 2006 to 2010.  The decision not to conduct due diligence was guided by a formal policy memorialized in HSBC Bank USA’s AML Procedures Manuals.

b. HSBC Bank USA Failed to Adequately Monitor Wire Transfers

From 2006 to 2009, HSBC Bank USA monitored wire transfers using an automated system called the Customer Account Monitoring Program (“CAMP”). The CAMP system would detect suspicious wire transfers based on parameters set by HSBC Bank USA under which various factors triggered review, in particular, the amount of the transaction and the type and location of the customer. However, HSBC Bank USA knowingly set the thresholds in CAMP so that wire transfers by customers located in countries categorized as standard or medium risk, including foreign financial institutions with correspondent accounts, would not be subject to automated monitoring unless the customers were otherwise classified as high risk.

Between 2000 and 2009, HSBC Bank USA specifically disregarded numerous publicly available and industry-wide advisories about the money laundering risks inherent to Mexican financial institutions. These included the following:

  1. The U.S. State Department’s designation of Mexico as a “jurisdiction of primary concern” for money laundering as early as March 2000;
  2. The U.S. State Department’s International Narcotics Control Strategy Reports from as early as 2002 stating that Mexico was and continues to be one of the most challenging money laundering jurisdictions for the United States;
  3. The April 2006 Financial Crimes Enforcement Network (“FinCEN”) Advisory concerning bulk cash being smuggled into Mexico and deposited with Mexican financial institutions;
  4. The federal money laundering investigations that became public in 2007-08, involving Casa de Cambio Puebla, a Mexican-based money services business that had accounts at HSBC Mexico, and Sigue, a U.S.-based money services business, that had accounts at HSBC Mexico; and
  5. The federal money laundering investigation into Wachovia for its failure to monitor wire transactions originating from the correspondent accounts of certain Mexican money services businesses, which became public in April 2008.

c. HSBC Bank USA Failed to Monitor Banknotes’ Transactions with HSBC Group Affiliates

HSBC Bank USA’s Banknotes business (“Banknotes”) involved the wholesale buying and selling of bulk cash throughout the world. The Banknotes business line was a high risk business because of the high risk of money laundering associated with transactions involving physical currency and the countries where some of its customers were located. In an attempt to mitigate these risks, Banknotes’ AML Compliance monitored customer transactions.  The purpose of transaction monitoring was to identify the volume of currency going to or coming from each customer and to determine whether there was a legitimate business explanation for buying or selling that amount of physical currency.

Despite the high risk of money laundering associated with the Banknotes business and FinCEN advisories to the contrary, the HSBC Banknotes’ AML compliance consisted of one, or at times two, compliance officers. Unlike the CAMP system for wire transfers, Banknotes did not have an automated monitoring system, and, as a result, the Banknotes’ compliance officers were responsible for personally reviewing the transactions of approximately 500 to 600 Banknotes customers. These attempted reviews were deemed wholly insufficient.

d. HSBC Bank USA Failed to Provide Adequate Staffing and Other Resources to Maintain an Effective AML Program

HSBC’s conduct regarding its AML policy was found to be completely wanting. Not only did the Bank fail to fill senior compliance officer positions after personnel left the Bank but it actually reduced the resources available to the compliance program by cutting funding in 2007. In 2008, the Chief Operating Officer (COO) for Compliance conducted an internal review of the AML compliance program and found it to be “behind the times” and noted that the program was under-resourced and understaffed. Despite these findings the Bank did not begin to address the resource problems until late 2009.

II. HSBC Remedial Measures

The Department of Justice (DOJ) listed the remedial actions which HSBC engaged in that led, in part, to successfully avoiding a Criminal Indictment by the DOJ.

  1. Change in Leadership and increase in resources. The Bank hired a new leadership team. In 2011, the Bank spent more than $244 on its compliance program. The Bank substantially increased the personnel in its compliance function from 92 full time employees and 25 consultants in 2010 to 880 full time employees and 267 consultants as of May 2012.
  2. Claw Backs. The Bank ‘clawed back’ compensation from senior company executives.
  3. Compliance Function. The Compliance Department was separated from the legal department and given direct reporting lines to the Board of Directors.
  4. Exiting high risk business lines. The Bank exited the Banknotes business and ended 109 high risk business relationships.

The HSBC investigation and enforcement action took years and cost the Bank millions of dollars. The Bank ignored not only its internal compliance requirements but also outside information about the high risk nature of many of its business relationships. Banks must review their compliance programs to determine if any of the factors present in the HSBC matter are risks to their business models and remediate them as soon as possible to avoid a similar fate.


© Thomas R. Fox, 2013
