Marie Kerr - Financial Fraud Expert

Well-publicized bank transgressions are frequently labeled "compliance failures." However, to those of us who work in the industry, this sometimes feels like an insult. Anyone, like me, who has worked in banking, anti-money laundering (AML), software creation, audit readiness, compliance and process engineering, knows how easy it is to blame "the system." That excuse is often coupled with process lapses, and the official explanation of failure becomes "we need new software and better training of our (low-level) back-office staff." This may be true. It is quite difficult to grasp the totality of compliance mandates and then implement effective software and process solutions, especially in huge financial institutions. Geographic spread and fuzzy organizational lines can also cause compliance problems.

But after reading the report on HSBC from the Permanent Subcommittee on Investigations and from my own experience working in the field, I see a pattern of denial and insider misconduct. In HSBC's case, it appears that the bank knew exactly what it was doing. It wasn't just skirting Bank Secrecy Act (BSA) and AML mandates; it actively helped criminal enterprises by hiding their egregious transactions from scrutiny. HSBC isn't alone here; it shares the following modus operandi (MO) with a long list of financial institutions:

  1. Wire and other data stripping - data elements from wires and other transaction types were removed before being sent on to other banks and, most importantly, to screening and detection/transaction monitoring systems. The banks knowingly removed data that would identify banned countries or entities. This effectively disabled the detection systems, because what isn't captured isn't monitored. Organizations and people protected by the bank did not produce alerts from the detection system, although they would have, given their glaring red flags. This was willful flouting of US and international AML mandates and sanctions compliance, and it enabled financial fraud.
  2. Risk assessments - the bank assigned low-risk scores to countries and customers that did not pass the most rudimentary smell test. This also disabled the detection systems as risk scores are integral to analytic algorithms. Data stripping + low-risk scores = junk from the detection system. Money laundering, terrorist financing and tax evasion were happening under their noses, perpetrated by known criminals (money launderers, terrorist financers, tax evaders) but the bank did what it could to disable controls and system(s) logic.
  3. Organizational bullying - despite pleas from people within the company who knew these things were wrong, they were dismissed, ignored or reassigned.
  4. Revolving door - an adjunct to organizational bullying. A "Who's on First" scorecard is always needed in megabanks, but these banks made keeping up with the scorecard next to impossible. People came and went with regularity and some were dismissed for "cause" when trying to do the right thing. The brave ones anyway; faced with dismissal many people go along with the wrong to save their jobs.
  5. Temporary Organizational Units - ad-hoc groups such as committees, task forces and project teams can often serve unwittingly as push back against controls and oversight. While these groups may be tasked with "figuring this mess out," they have no real authority and may be the dupes of malefactors within. Ad-hoc groups can serve as a cover for those with intent to commit a financial crime, as they give the appearance that progress is being made. Comprised of inside staff and outside subject matter experts, these teams (sometimes one right after the other, doing the exact same thing) try to fix the systems and processes and enforce controls, but are stymied by insiders determined to evade the law.
  6. Consultants and more consultants - one of a consultant's mantras might be "you take the glory and I'll take the money," but when financial institutions are guilty of insider misconduct (criminal intent?), the bank's mantra becomes "you take the blame because you're the expert." Financial institutions whose failures match the MO of HSBC were filled with big-name consultancies, experts in their field, unjustly maligned. Consultants were also shown the revolving door.

Because one of the topics of the International Financial Crime Conference & Exhibition is "Guarding against the Enemy Within" I think it is only fair that we point to the willful acts of insiders as the proximate cause of some of these egregious "lapses." Only the strongest process and IT controls, along with organizational clarity, can protect a financial institution from the enemy within. Let's look at an example of how an insider can try to disable controls by using their high position and firing authority to intimidate/persuade a lower-level person to commit or enable malfeasance. Overrides and walk-throughs, both of which mean "we're ignoring controls," are occurrences that may be difficult to find by those tasked with oversight, yet are not uncommon.

Here's an example of an override: a wires clerk is asked to not enter certain data for certain international wires. Perhaps the reason is "they're swamped, understaffed" and perhaps the Wires department is organized along customer/country lines and "we don't need to enter details for Iran." This low-level person might be unaware of the intent behind the order (to hide these wires from the detection system) and might be the only one not following proper procedures. This override is not documented, so policies and procedures remain intact and no one is the wiser. If the wire issue is eventually uncovered by an audit, the take-away might be that this specific back-office employee needs more training.

In a walk-through, a high-level manager has an important client (or need) that requires something to be done NOW, so policies and procedures are pushed aside. The walk-through demands immediate attention, and as such, there is no time to follow the written procedures. An example is a lower-level person being asked by a high-level executive to rush through a loan without sign-off from the Loan Committee or without mandatory key supporting documents, like an enhanced due diligence (EDD) report. Audit sampling may never find the dubious loan.

When individuals within an organization are determined to commit a financial crime, especially if they are in cahoots with others in the organization, it is difficult to prevent crimes. However, there are some defenses against the enemy within, and the key word is CONTROLS. Controls can be put in place in every organizational unit (permanent and ad-hoc); within every IT system, through the understanding of processes, and via regular, smart audits.

Here are some ways the data stripping, override, walk-through and dubious risk assignment could have been prevented, with an emphasis on making multiple groups responsible, in different ways, for enforcing policies:

Data stripping

  • Allow only a special group, with regular oversight, to handle complicated and/or high-risk wires.
  • Enforce data entry rules in the Wires system so high-risk wires cannot be processed without all of their information.
  • Create an analytic query in the detection system to list all the countries (in any field in the records) across all the transactions, and their quantity. Missing countries or volumes that seem odd (given the financial institution's profile and known customer base) might be obvious. These systems are terrific at spotting anomalies and patterns.
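The two system controls above (a data-entry gate that refuses to process a wire with blank party or country fields, and a census query that counts country mentions in every field of every record) can be shown together in a small script. This is an added example, not code from the article or from any bank's wires system; the field names, the country table, the high-risk list and the sample wires are all constructed for illustration. The gate's key design choice is that a blank field is never treated as "low risk": a stripped country field blocks the wire rather than letting it slip past screening, which is exactly the path the override in the article relied on.

```python
"""Added example: two controls against wire data stripping.
1. validate_wire: completeness gate, blank fields block release; a high-risk
   jurisdiction found in ANY field routes the wire to the special screening group.
2. country_census / census_gaps: count country mentions across every field of every
   record, so a country that 'disappears' from the data shows up as a shortfall.
Field names, country table, high-risk list and sample wires are constructed."""
from collections import Counter
import re

# Fields that must be populated on every wire before it may be released.
REQUIRED_FIELDS = ("originator", "originator_country", "beneficiary",
                   "beneficiary_country", "amount")

# Constructed country table (name -> ISO alpha-2 code); deliberately incomplete.
COUNTRIES = {"IRAN": "IR", "CUBA": "CU", "MEXICO": "MX", "UNITED STATES": "US",
             "UNITED KINGDOM": "GB", "CAYMAN ISLANDS": "KY"}
CODES = set(COUNTRIES.values())

def find_countries(text):
    """Return the set of ISO codes mentioned anywhere in a coded or free-text field."""
    if not text:
        return set()
    upper = str(text).upper()
    found = {code for name, code in COUNTRIES.items() if name in upper}
    # Bare two-letter codes as whole tokens (e.g. "IR", "MX") also count.
    found |= {tok for tok in re.findall(r"\b[A-Z]{2}\b", upper) if tok in CODES}
    return found

def validate_wire(wire, high_risk):
    """Gate one wire. Returns (status, details):
    BLOCK_INCOMPLETE when any required field is blank (stripped data is never 'low risk'),
    ROUTE_SCREENING when a high-risk jurisdiction appears in any field,
    RELEASE otherwise."""
    missing = [f for f in REQUIRED_FIELDS if not wire.get(f)]
    if missing:
        return "BLOCK_INCOMPLETE", missing
    mentioned = set().union(*(find_countries(v) for v in wire.values()))
    hits = sorted(mentioned & high_risk)
    if hits:
        return "ROUTE_SCREENING", hits
    return "RELEASE", []

def country_census(wires):
    """Count how many records mention each country, looking at every field."""
    census = Counter()
    for wire in wires:
        census.update(set().union(*(find_countries(v) for v in wire.values())))
    return census

def census_gaps(census, expected_profile):
    """Countries whose observed volume is below half of what the institution's
    customer profile predicts: {code: (observed, expected)}."""
    return {c: (census.get(c, 0), exp) for c, exp in expected_profile.items()
            if census.get(c, 0) < exp / 2}

# Constructed sample wires. Record 3 has had its beneficiary country stripped.
SAMPLE_WIRES = [
    {"originator": "Acme Trading LLC", "originator_country": "US", "beneficiary": "Banco del Sur",
     "beneficiary_country": "MX", "amount": 12000, "free_text": "invoice 4471"},
    {"originator": "Ocean Freight GmbH", "originator_country": "GB", "beneficiary": "Port Authority",
     "beneficiary_country": "GB", "amount": 98000, "free_text": "payment ref Iran 2211"},
    {"originator": "Helios Oil", "originator_country": "KY", "beneficiary": "Tehran Petro",
     "beneficiary_country": "", "amount": 250000, "free_text": "invoice 88"},
    {"originator": "Maple Corp", "originator_country": "US", "beneficiary": "Smith Ltd",
     "beneficiary_country": "GB", "amount": 5400, "free_text": ""},
]
HIGH_RISK = {"IR", "CU"}                      # constructed sanctions/high-risk list
EXPECTED_PROFILE = {"MX": 2, "IR": 4, "US": 2}  # constructed expectation from the customer base

if __name__ == "__main__":
    for w in SAMPLE_WIRES:
        print(w["originator"], "->", validate_wire(w, HIGH_RISK))
    census = country_census(SAMPLE_WIRES)
    print("census:", dict(census))
    print("gaps vs profile:", census_gaps(census, EXPECTED_PROFILE))
```

Run stand-alone, the script blocks the stripped wire, routes the wire whose free-text field mentions Iran to screening, and reports Iran as a census shortfall against the expected profile. In a real detection system the census would be a scheduled query over the full transaction table and the expected profile would come from the institution's own customer risk model.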

Risk assessments

  • Add a layer of review. While a multi-discipline group should create the algorithms for assigning risk scores, their decisions need oversight by audit/security/external groups, anyone with no skin in the game.
  • Use sophisticated predictive analytics to update risk scores. They're initially calculated and assigned at onboarding, but they can change.

In the walk-through case, training should say never let this happen; and IT and documentation controls could automatically disable the processing of this loan if key supporting documents (KSDs) are missing or dubious. Such cases should be reported to audit/security/risk management.
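The IT control described for the walk-through case, a loan that cannot move forward while a key supporting document is missing or unaccepted, and an exception that is reported rather than quietly waved through, can be sketched as follows. This is an added example, not the article's or any bank's loan system; the document names, roles, queue format and sample loan are constructed. The design point it shows is that an "expedite" request from a senior person does not unlock anything: the gate is the same for everyone, and the request itself becomes a record routed to audit, security and risk management.

```python
"""Added example: a loan-release gate that cannot be walked through.
The loan is released only when every key supporting document (KSD) is present and
accepted by a named reviewer and the Loan Committee sign-off is recorded. Any attempt
to release an incomplete loan, expedited or not, is written to an exception queue
addressed to audit/security/risk management. All names here are constructed."""
from dataclasses import dataclass, field

# Constructed list of KSDs every loan must carry before release.
REQUIRED_KSDS = ("enhanced_due_diligence", "credit_memo", "kyc_file")

@dataclass
class Document:
    name: str
    accepted_by: str = ""     # named reviewer who accepted it; blank means nobody did
    status: str = "missing"   # missing | draft | accepted | rejected

@dataclass
class Loan:
    loan_id: str
    amount: int
    committee_signoff: str = ""          # reference to Loan Committee minutes, blank = none
    documents: dict = field(default_factory=dict)

def ksd_findings(loan):
    """Every reason the loan cannot be released; an empty list means release is allowed.
    A document that exists but is a draft, rejected, or accepted by nobody is treated
    as dubious and counts the same as a missing one."""
    findings = []
    for name in REQUIRED_KSDS:
        doc = loan.documents.get(name)
        if doc is None or doc.status == "missing":
            findings.append(f"{name}: missing")
        elif doc.status != "accepted" or not doc.accepted_by:
            findings.append(f"{name}: {doc.status}, not accepted by a reviewer")
    if not loan.committee_signoff:
        findings.append("loan committee: no sign-off")
    return findings

def release_loan(loan, requested_by, expedite=False, exception_queue=None):
    """Attempt to release the loan. Returns "RELEASED" or "BLOCKED".
    The expedite flag changes nothing about the decision; it is only recorded, so the
    people tasked with oversight can see who asked to skip the procedure and why it failed."""
    findings = ksd_findings(loan)
    if not findings:
        return "RELEASED"
    if exception_queue is not None:
        exception_queue.append({
            "loan_id": loan.loan_id,
            "requested_by": requested_by,
            "expedite": expedite,
            "findings": findings,
            "route_to": ["audit", "security", "risk_management"],
        })
    return "BLOCKED"

def walkthrough_attempt():
    """Constructed scenario: an executive asks to rush a loan whose EDD report is still a
    draft, whose KYC file is absent and which has no committee sign-off."""
    loan = Loan("L-0001", 2_500_000, documents={
        "enhanced_due_diligence": Document("enhanced_due_diligence", status="draft"),
        "credit_memo": Document("credit_memo", accepted_by="analyst.jones", status="accepted"),
    })
    queue = []
    status = release_loan(loan, requested_by="exec.smith", expedite=True, exception_queue=queue)
    return status, queue

def complete_loan():
    """Constructed loan with every KSD accepted and the committee sign-off recorded."""
    docs = {n: Document(n, accepted_by="reviewer.lee", status="accepted") for n in REQUIRED_KSDS}
    return Loan("L-0002", 400_000, committee_signoff="LC-2024-07-min-12", documents=docs)

if __name__ == "__main__":
    status, queue = walkthrough_attempt()
    print(status, queue)
    print(release_loan(complete_loan(), requested_by="officer.lee"))
```

The exception record is the part that defeats the walk-through: even if the executive later obtains the documents and the loan is released normally, the earlier attempt remains in the queue for audit to sample, which is the "repeatable process" for surfacing control lapses that the article calls for.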

Controls don't have to be onerous, just specific, with double/triple protections built in and a repeatable process that ensures that control "lapses" are presented to the people committed to fraud detection and compliance. Insider fraud will always be with us, but with strong, multi-discipline controls, these enemies can be stopped in their tracks.


Marie G. Kerr specializes in Financial Fraud. She is a Certified Financial Crime Specialist, Certified Anti-Money Laundering Specialist (CAMS), and Project Management Professional (PMP). Ms. Kerr is a financial industry veteran with a deep understanding of how financial institutions work. She has served as a Homeland Security Program Advisor and Fraud Detection Subject Matter Expert (SME) and an IT and AML Advisor for a three-bank merger.

©Copyright - All Rights Reserved