FinCEN leak fallout shows size of KYC challenge for banks

Radical reforms of know your customer laws are looming after the FinCEN leaks exposed painful flaws in banks’ anti-money laundering (AML) systems.

Shockwaves are still reverberating around the sector after leaks of Financial Crimes Enforcement Network (FinCEN) files showed top global banks – including HSBC and JP Morgan – allowing suspected criminals to launder massive amounts through their accounts.

Many banks responded that they have already bolstered their AML processes since the suspicious activity in the leaked files took place, between 2000 and 2017, and now have robust controls. But a collapse in banks’ share prices since the leaks showed investors are concerned. Meanwhile, a wave of reaction among governments and regulators is building momentum.

The leaks, published on 20 September, emanated from the US but are likely to have global repercussions. They showed banks transferred $2 trillion through their accounts when they knew it could be linked to criminal activity such as fraud and money laundering, and had filed suspicious activity reports (SARs).

The leaks published information from a small fraction of all the SARs filed in the 17-year period.

Jailing bankers

In the wake of the leaks, a top Democrat in the US Senate Banking Committee has called for bankers who allow money laundering to be jailed.

The UK government has started a fresh inquiry into AML systems, and Companies House will overhaul its AML programme.

Belgian banks have proposed a new system for sharing money laundering information.

On 15 September, FinCEN tried to pre-empt the leaks by expanding customer and beneficial owner identification programmes.

But more regulation looks likely. Any new laws will add to AML and KYC reforms in Europe’s fifth and sixth money laundering directives (5MLD and 6MLD). Meanwhile the UK is recommending improvements to its SARs regime.

Holistic reform

A journalist from the International Consortium of Investigative Journalists (ICIJ), which published the leaks, said he hoped this will be an ‘enough is enough moment’ for law enforcers, who have continually allowed banks to get off serious money laundering related crimes with a fine and no prosecutions.

The ICIJ said banks and their compliance staff need better tools and resources to investigate suspicious transactions. Many effective regulation technology (regtech) tools have become available in the last few years to assist with KYC, and a regulatory crackdown would likely see banks adopting more regtech.

Consultant Capgemini said the leaks highlight banks’ need to identify and fix control gaps immediately. This could include introducing machine learning to ensure consistency and automation for common use cases; and a technology and data-driven compliance infrastructure across the banking sector.

It said banks are investing more in regtech, but they immediately need to:

• optimise control and reporting automation to combat the increasing volumes and sophistication of financial crimes
• use transaction pattern recognition, machine learning, and artificial intelligence to improve detection and remediation
• embed analytics across AML processes as disaggregated controls are key causes of failures and regulatory fines
• centralise financial crime systems, teams, and data.

Fintech consultant 11:FS said banks are adopting some regtech but most still use outdated techniques. Banks have reacted to previous failings by adding people and processes, but not better processes or data, it said. Regulators also focus on whether processes exist, rather than their effectiveness.

This is despite the emergence of some exciting regtech that can perform KYC and AML better than humans in many areas. The technology for data-driven AML prevention and control is already available. The leaks create an opportunity to make a huge difference, 11:FS said.

HSBC failures highlight broken system

A SAR is not necessarily proof of wrongdoing. ICIJ said the US system was broken because banks can, but are not necessarily required to, block or close accounts suspected of money laundering. They can fulfil a legal obligation by simply reporting the transactions to FinCEN.

Consequently, many banks tend to submit SARs to FinCEN and wait for a reply. But 2 million SARs were sent to FinCEN in 2019 alone, far more than its 300 staff could process. Consequently, the reports often lead to no action, and suspicious accounts stays open.

These problems were exemplified at HSBC, which continued to transfer millions of dollars it knew were linked to suspected criminal activity, including Ponzi schemes and drug trafficking, ICIJ said.

HSBC’s US compliance staff filed reports on 16 shell companies that had processed nearly $1.5 billion through its Hong Kong operations. More than $900 million of that was linked to alleged criminal networks, ICIJ said. Some of this occurred even while the bank was on probation and under scrutiny after previous AML problems.

HSBC staff also filed at least three SARs about Ponzi scheme World Capital Market, while continuing to handle $80 million through WCM’s accounts. HSBC responded by saying: ‘From 2012, HSBC embarked on a multi-year journey to overhaul its ability to combat financial crime. HSBC is much safer than it was in 2012… we seek ways to improve continually.’

The bank said it increased compliance staff from a few hundred in 2012 to several thousand in 2017, and invested over $1 billion in compliance initiatives since 2015. However, more than a dozen former HSBC compliance officers expressed deep concerns about the bank’s AML programme, even during its probationary period. One said submitting SARs did little to stop suspicious activities. He would wonder: ‘Why are we filing SARs? The account is still open. Nothing is done.’

Another employee said the banking industry’s profit-focused incentive structure can undermine the fight against financial crime: ‘You can’t get a man to believe in something when a salary depends on him not believing it. That’s the biggest challenge.’

Ben Cowdock, investigations lead at Transparency International UK, told Arachnys ICIJ’s investigation may help KYC and AML workers convince senior managers that short-term gains from a questionable client are not worth the long-term risk. ‘For some banks, the FinCEN files should be a wake up call to the daily money laundering risks they are exposed to,’ he said. ‘For example, banks continue to face challenges understanding who owns the companies they serve. There are technological solutions to this, using open company registers to check the information. But these are limited by the ongoing presence of secrecy jurisdictions around the world that prevent checking of registered company owners.’

Arachnys Data Sources

ICIJ is expected to release more information and Arachnys will monitor and add this to its database helping customers with their KYC and AML processes.