HSBC fined: TM failings, but broader issues
The FCA have fined HSBC £64m for persistent transaction monitoring control weaknesses. The Final Notice provides insight into the technical deficiencies with the Bank’s TM systems as well as highlighting a number of Governance related issues that underpin the specific control failings.
We have summarised three messages the senior management community should take heed of:
If issues are identified, they need to be fixed in a timely manner. The ‘relevant period’ in this case was 8 years (2010 – 2018). The FCA afforded the Bank a number of years to address the weaknesses. Additionally, the Bank were under scrutiny from a number of Regulators, notably their US Monitor. Institutions with huge change agendas need to make sure that focus is maintained on the purpose – easier said than done.
New controls / systems need to be implemented and embedded effectively. In this case what was delivered did not meet the requisite standards. So, spending money on control upgrades is not enough – senior management need to get comfort that what is being delivered is achieving the intended outcome. And perhaps worth remembering that working well is better than something working perfectly. It can be daunting trying to get everything perfect and harmonised, but rarely is this the regulatory benchmark – there will always be ongoing improvements, so solid foundations and ongoing enhancements may be the order of the day.
Words matter. If a policy says that something happens, it needs to happen. Policies and standards need to be unambiguous. In this case the TM system should have been reviewed on an annual basis. Senior management need information telling them that obligations have not been met. Rarely do we see documented roles and responsibilities be consistent across documents, or actually aligned into role descriptions, management responsibility matrices, balanced scorecards etc.
In relation to the technical TM aspects, the failings can be summarised as follows:
Scenario Coverage
The rules in the automated TM system, did not cover the risks faced by the bank. From 2002 to 2016 the Retail and Commercial bank had the same 6 TM scenarios. And risk indicators relating to correspondent banking were absent. This was not appropriate for the nature, scale, and complexity of the bank.
Despite the Bank’s policy stating that scenarios should be reviewed annually, this was not followed.
When rolling out new scenarios the bank did not conduct adequate risk assessments of these scenarios. These design flaws led to a large backlog of alerts, delaying the reporting of potentially suspicious activity.
Parameters
There was a failure to test and update thresholds prior to 2016, and new thresholds rolled out post 2016 to ensure potential suspicious activity was being identified.
Certain thresholds configured in such a way that they were virtually impossible to trigger.
Using rules that suppressed potentially suspicious activity AND failing to understand (and explain to Regulators) those rules.
Data
There was a failure to check the completeness and accuracy of the data that fed into the TM systems.
There was no list of correspondent banking relationships maintained so that all requisite data could be fed in and monitored.
Incomplete and inaccurate data was fed into the TM system. This meant that transactions were either monitored incorrectly or not at all.
As with other recent fines, it comes down to the question of – how do you know that your controls are operating effectively?
We’ve also prepared a two-page, summary of the issues and captured some self-assessment questions to help you challenge yourself as to whether the matters of the case apply to you. The two pager can be a great tool for non-SMEs to get a comprehensive but simple grasp of what went wrong. If you’d like to receive a copy, drop us a line at contact@avyse.co.uk.
