Well-publicized bank transgressions are frequently labeled "compliance failures." To those of us who work in the industry, however, that label sometimes feels like an insult. Anyone who, like me, has worked in banking, anti-money laundering (AML), software development, audit readiness, compliance and process engineering knows how easy it is to blame "the system." That excuse is usually coupled with process lapses, and the official explanation becomes "we need new software and better training of our (low-level) back-office staff." This may be true. It is quite difficult to grasp the totality of compliance mandates and then implement effective software and process solutions, especially in huge financial institutions. Geographic spread and fuzzy organizational lines can also cause compliance problems.
But after reading the report on HSBC from the Permanent Subcommittee on Investigations and from my own experience working in the field, I see a pattern of denial and insider misconduct. In HSBC's case, it appears that the bank knew exactly what it was doing. It wasn't just skirting Bank Secrecy Act (BSA) and AML mandates; it actively helped criminal enterprises by hiding their egregious transactions from scrutiny. HSBC isn't alone here; it shares the following modus operandi (MO) with a long list of financial institutions:
Because one of the topics of the International Financial Crime Conference & Exhibition is "Guarding against the Enemy Within," I think it is only fair to point to the willful acts of insiders as the proximate cause of some of these egregious "lapses." Only the strongest process and IT controls, along with organizational clarity, can protect a financial institution from the enemy within. Let's look at how an insider can try to disable controls by using a high position and firing authority to intimidate or persuade a lower-level person into committing or enabling malfeasance. Overrides and walk-throughs, both of which mean "we're ignoring controls," are difficult for those tasked with oversight to find, yet they are not uncommon.
Here's an example of an override: a wires clerk is told not to enter certain data for certain international wires. Perhaps the stated reason is "we're swamped and understaffed," or perhaps the Wires department is organized along customer/country lines and "we don't need to enter details for Iran." This low-level person may be unaware of the intent behind the order (to hide these wires from the detection system) and may be the only one not following proper procedures. The override is not documented, so the written policies and procedures remain intact and no one is the wiser. If the wire issue is eventually uncovered by an audit, the take-away may simply be that this one back-office employee needs more training.
In a walk-through, a high-level manager has an important client (or need) that requires something to be done NOW, so policies and procedures are pushed aside. The walk-through demands immediate attention, and as such, there is no time to follow the written procedures. An example is a lower-level person being asked by a high-level executive to rush through a loan without sign-off from the Loan Committee or without mandatory key supporting documents, like an enhanced due diligence (EDD) report. Audit sampling may never find the dubious loan.
When individuals within an organization are determined to commit a financial crime, especially if they are in cahoots with others in the organization, the crime is difficult to prevent. There are, however, defenses against the enemy within, and the key word is CONTROLS. Controls can be put in place in every organizational unit (permanent and ad hoc), within every IT system, through an understanding of processes, and via regular, smart audits.
Here are some ways the data stripping, override, walk-through and dubious risk assignment could have been prevented, with an emphasis on making multiple groups responsible, in different ways, for enforcing policies:
In the walk-through case, training should make clear that this must never happen, and IT and documentation controls should automatically block processing of the loan if key supporting documents (KSDs) are missing or dubious. Every such block, and every documented exception to it, should be reported to audit, security and risk management rather than left to the discretion of the person being pressured.
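As an added illustration (this is example code, not part of the original article and not any bank's actual system), the following Python sketch models the fail-closed control just described, covering both the stripped-wire override and the rushed-loan walk-through: a transaction is processed only when every mandatory field or KSD is present; a refusal cannot be silently skipped by the clerk, and the only way around it is a documented override by a second person in an authorized role, which is itself written to the audit trail. The field names, roles and sample records are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Mandatory data per transaction type. Assumed for illustration; a real
# institution's wire schema and KSD list would differ.
REQUIRED_FIELDS = {
    "wire": ("originator", "beneficiary", "beneficiary_country", "amount", "purpose"),
    "loan": ("borrower", "amount", "loan_committee_signoff", "edd_report"),
}

# Roles that may document an override (assumed). The person who entered the
# transaction can never be their own approver: separation of duties.
OVERRIDE_APPROVER_ROLES = {"compliance_officer", "risk_manager"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    outcome: str            # "processed", "refused" or "override"
    txn_type: str
    txn_id: str
    actor: str
    missing: tuple          # mandatory fields/KSDs that were absent
    approver: Optional[str] = None
    reason: Optional[str] = None


@dataclass
class ControlGate:
    audit_log: list = field(default_factory=list)

    def missing_fields(self, txn_type: str, record: dict) -> tuple:
        """Mandatory fields that are absent or empty, in schema order."""
        return tuple(f for f in REQUIRED_FIELDS[txn_type]
                     if record.get(f) in (None, ""))

    def _log(self, **kw) -> AuditEvent:
        ev = AuditEvent(ts=datetime.now(timezone.utc).isoformat(), **kw)
        self.audit_log.append(ev)   # append-only: refusals are never discarded
        return ev

    def submit(self, txn_type: str, txn_id: str, record: dict, actor: str) -> AuditEvent:
        """Fail closed: process only when nothing mandatory is missing."""
        missing = self.missing_fields(txn_type, record)
        outcome = "refused" if missing else "processed"
        return self._log(outcome=outcome, txn_type=txn_type, txn_id=txn_id,
                         actor=actor, missing=missing)

    def override(self, txn_type: str, txn_id: str, record: dict, actor: str,
                 approver: str, approver_role: str, reason: str) -> AuditEvent:
        """Documented exception: a distinct, authorised approver and a reason
        are required, and the missing items stay on the record for audit."""
        if not reason or approver == actor or approver_role not in OVERRIDE_APPROVER_ROLES:
            raise PermissionError("override needs a distinct, authorised approver and a reason")
        missing = self.missing_fields(txn_type, record)
        return self._log(outcome="override", txn_type=txn_type, txn_id=txn_id,
                         actor=actor, missing=missing, approver=approver, reason=reason)

    def exceptions_for_review(self) -> list:
        """Everything audit, security and risk management should see."""
        return [e for e in self.audit_log if e.outcome != "processed"]


def demo() -> ControlGate:
    """Walk the two scenarios from the article with constructed sample records."""
    gate = ControlGate()
    stripped_wire = {"originator": "ACME Trading", "beneficiary": "Foo Ltd",
                     "beneficiary_country": "", "amount": 250000, "purpose": None}
    complete_wire = {**stripped_wire, "beneficiary_country": "DE", "purpose": "invoice 4471"}
    rushed_loan = {"borrower": "Bar Holdings", "amount": 5000000,
                   "loan_committee_signoff": None, "edd_report": None}

    gate.submit("wire", "W-1", stripped_wire, actor="clerk_a")   # refused, not silently skipped
    gate.submit("wire", "W-2", complete_wire, actor="clerk_a")   # processed
    gate.submit("loan", "L-1", rushed_loan, actor="officer_b")   # refused: no sign-off, no EDD
    try:  # the executive cannot approve their own bypass
        gate.override("loan", "L-1", rushed_loan, actor="exec_c",
                      approver="exec_c", approver_role="executive", reason="VIP client")
    except PermissionError:
        pass
    gate.override("loan", "L-1", rushed_loan, actor="officer_b",
                  approver="compliance_d", approver_role="compliance_officer",
                  reason="bridge loan pending EDD; second-line review scheduled")
    return gate


if __name__ == "__main__":
    for ev in demo().exceptions_for_review():
        print(ev)
```

The point of the design is that the person being pressured has no quiet way out: a record with stripped fields is refused and the refusal is logged, and the only bypass leaves the approver's name, role and reason in the same log that goes to audit. Whether a present-but-dubious KSD is acceptable is a judgment call, so it is routed through the same documented override rather than decided by the gate.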
Controls don't have to be onerous, just specific, with double or triple protections built in and a repeatable process that ensures control "lapses" are presented to the people committed to fraud detection and compliance. Insider fraud will always be with us, but with strong, multi-discipline controls these enemies can be stopped in their tracks.
Marie G. Kerr specializes in Financial Fraud. She is a Certified Financial Crime Specialist, Certified Anti-Money Laundering Specialist (CAMS), and Project Management Professional (PMP). Ms. Kerr is a financial industry veteran with a deep understanding of how financial institutions work. She has served as a Homeland Security Program Advisor and Fraud Detection Subject Matter Expert (SME) and an IT and AML Advisor for a three-bank merger.
©Copyright - All Rights Reserved
DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.