(That’s German for “Fame at last!”) I’ve been a bit quiet this morning – someone even emailed to ask whether I was stuck under a large piece of furniture, preventing me from having my say on HSBC. But no: I was having my say here. It’s a German website, although this bit is in English – apparently it’s “Germany’s international broadcaster”, so that’s jolly exciting. So while you lot were scoffing dinner and watching “Holby City” last night, I was reading a rather long US Senate report in order to sound vaguely intelligent this morning. Did it work? Please do let me know!
The specifics about HSBC’s failings are everywhere, so I don’t want or need to rehash those. What does concern me, as I tried to make clear to the Germans, is the vexed and contradictory role of compliance within HSBC. Mr Bagley – head of group compliance – has fallen on his sword, after saying that despite his job title he had not had authority to act over all parts of the bank. This mismatch between title (and indeed legal responsibility) seems common within the HSBC AML function, as detailed at several points in the report. For instance, in 2009 HBUS (HSBC Bank USA NA) hired a new AML Director, Wyndham Clark. He was required to report to Curt Cunningham, “an HBUS Compliance official who freely admitted having no AML expertise”. As the report continues: “After 30 days at the bank, Mr Clark sent Mr Cunningham a brief memorandum with his observations, noting that HBUS had an ‘extremely high risk business model from AML perspective’, had seen recent high turnover in its AML directors, and [although the] AML Director has the responsibility for AML compliance, [he has] very little control over its success.”
Poor Mr Clark became more and more concerned, eventually meeting in February 2010 with the Audit Committee of the HNAH (HSBC North America Holdings Inc) board of directors to tell them “that he had never seen a bank with as high of an AML risk profile as HBUS”, that “AML resources were insufficient versus current risks and volumes” and that “the bank’s systems and controls were inconsistent with [its] AML risk profile”. On 10 May 2010, he wrote to a more senior HBUS Compliance official that “with every passing day I become more concerned…if that’s even possible”. In July 2010, Mr Clark decided to resign and sent an email to David Bagley: “The bank has not provided me the proper authority or reporting structure that is necessary for the responsibility and liability that this position holds, thereby impairing my ability to direct and manage the AML program effectively. This has resulted in most of the critical decisions in Compliance and AML being made by senior management who have minimal expertise in compliance, AML or our regulatory environment, or for that matter, knowledge of the bank (HBUS) where most of our AML risk resides.” This is the very worst of all possible worlds for the compliance officer: legal responsibility with no independence or Board support.
HSBC has of course promised all sorts of things to put it right, from a collective mea culpa by senior executives to the rewriting of their AML procedures and, for all I know, the ritual flogging of all compliance staff. But if I ruled the world, I would ask for two things:
- Every client-facing employee of a regulated firm must do a three-month stint in the compliance department at the start of their career, topped up by a fortnight every other year for the rest of their working life – like National Service in Singapore, but without the mosquitoes or the excellent Hainanese chicken rice.
- Every third CEO (or equivalent – senior partner, etc.) of a regulated firm must have come up through the compliance route rather than the sales route.
If you need me, I’ll be brushing up on my German. Wo sind die Jaffa Cakes?