United Kingdom Prudential Regulation Authority Issues Second Warning to HSBC Over Non-Financial Risks

On November 7, Bloomberg reported that the United Kingdom Prudential Regulation Authority (PRA) warned HSBC Holdings, for the second year in a row, that HSBC has not done enough “to tackle concerns about how the bank handles risks including financial crime and staff conduct.”  In a conference call this week, Samir Assaf, CEO of HSBC Global Banking & Markets, reportedly told executives that the PRA, an arm of the Bank of England, “informed the firm that it was making insufficient progress on non-financial risks.”  As the article explained, non-financial risks “are unrelated to credit quality and include problems such as financial crime, staff misconduct, compliance breaches and issues related to a bank’s culture.”

Assaf also stated, according to Bloomberg, that the PRA has issued the warning last year and this year.  He considers it “an emergency requiring attention.”  Accordingly, HSBC Global Banking & Markets is scheduling “a summit of top executives this month to discuss the problems.”

One measure of the concerns facing HSBC is a confidential survey that the United Kingdom Banking Standards Board (BSBP) conducted in 2019.  The survey results showed — as Bloomberg reported based on nonpublic documents it reviewed — that “out of seven investment banks, HSBC’s ranked last when staff were asked about colleagues ‘acting honestly and ethically,’ ‘flexing ethical standards to make career progression’ and ‘turning a blind eye to inappropriate behavior, according to documents seen by Bloomberg.

N.B.:  Notwithstanding the other challenges that HSBC faces as it seeks to reshape its business, Assaf is right to consider the PRA’s more recent admonition an emergency.  For most of the past decade,  Bloomberg noted, “conduct issues have bedeviled HSBC,” as the following examples indicate:

  • 2012: HSBC paid nearly $2 billion in settlements with U.S. authorities in part for failing to maintain an effective anti-money laundering program and to conduct appropriate due diligence on its foreign correspondent account holders. Its settlement with the U.S. Department of Justice included a five-year obligation “to undertake enhanced AML and other compliance obligations and structural changes within its entire global operations to prevent a repeat of the conduct that led to [the U.S. investigation and] prosecution.”
  • 2017: HSBC entered into a civil settlement with the Justice Department, requiring it to pay $2.1 million, to resolve a complaint that it had submitted dozens of loans for payment on Small Business Administration (SBA) guarantees without disclosing to the SBA that those loans had been identified as fraudulent or potentially fraudulent.
  • 2018: HSBC Holdings entered into a deferred prosecution agreement with the Justice Department, requiring it to pay to pay a $63.1 million criminal penalty and $38.4 million in disgorgement and restitution, to resolve charges that HSBC had engaged in a “front-running” fraud scheme to defraud two bank clients.
  • 2018: HSBC agreed with the Justice Department to pay $765 million as a civil penalty, to settle claims related to its packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities between 2005 and 2007.
  • 2019: HSBC’s Swiss private banking unit reached an agreement with Belgian prosecutors, requiring it to pay almost $336 million, to resolve prosecutors’ allegations “that HSBC helped and encouraged the avoidance of the [European Union] savings tax by creating offshore companies in Panama and other tax havens in the Caribbean for wealthy Belgian clients ‘with no other purpose but to hide money’.” Prosecutors reportedly stated that HSBC “has now made and committed to a significant overhaul of its practices to counter financial crime risks.”
  • 2019: The Hong Kong Securities and Futures Commission (SFC) imposed on HSBC a $2.1 million fine (based in part on HSBC’s self-reporting to the SFC and taking remedial action), for non-compliance with telephone recording requirements under the Code of Conduct governing SFC-registered entities.
  • 2019: HSBC Bank N.A. reached a settlement with the U.S. Commodity Futures Trading Commission, requiring it to pay a $650,000 civil penalty (reduced to reflect HSBC’s cooperation and remediation), for “failing to establish appropriate risk management systems for its swap activities or to properly report swap data in certain categories, for certain swap transactions, to a swap data repository.”

There is no question that global financial institutions face considerable challenges and costs in maintaining and improving effective financial-crimes compliance programs, and that even the best of those institutions sometimes run afoul of various statutory or regulatory requirements.  The range of criminal and civil sanctions imposed on HSBC, however, are at variance with HSBC’s professed aspiration “to set the industry standard for knowing our customers and detecting, deterring and protecting against financial crime.”

Such a statement can come back to haunt the bank unless it takes prompt action to demonstrate that it has made meaningful progress across the board on non-financial risk areas, including anti-bribery and corruption, anti-money laundering, and sanctions.  When HSBC is already down two strikes to the PRA, it would do well to avoid a third.

Lloyd’s Announces University of Cambridge Centre for Risk Studies Report on Cyber Risks to Asia-Pacific Ports

On October 29, the global insurance market Lloyd’s announced that the University of Cambridge Centre for Risk Studies released a report showing that a single attack on major ports across the Asia-Pacific region “could cost $110 billion, which is roughly equivalent to half of all losses from natural catastrophes globally in 2018.”  The Centre produced the report – titled “Shen attack: Cyber risk in Asia Pacific ports”  — on behalf of the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks of which Lloyd’s is a founding member.

The report was based on a hypothetical scenario in which a computer virus infects 15 ports across Japan, Malaysia, Singapore, South Korea and China.”  Such a cyberattack, the report stated,

via a computer virus carried by ships could scramble the cargo database records at major ports and lead to severe disruption . . . . Although the virus only directly affects ports in Asia-Pacific, economic losses would be felt around the world due to the global interconnectivity of the maritime supply chain.

An attack of this scale targeted at ports would cause substantial economic damage to a wide range of businesses through reduced productivity and consumption, incident response costs, and supply chain disruption.

The report also estimated two categories of losses:

  • The transportation, aviation, and aerospace sectors would be the most affected (with total economic losses of $28.2 billion), followed by the manufacturing and retail sectors (with total losses of $23.6 billion and $18.5 billion, respectively).
  • “Productivity losses would affect each country that has bilateral trade with the attacked ports.” Asia would be the worst affected region (with total indirect losses of up to $27 billion), followed by Europe (indirect losses of $623 million) and North America ($266 million).

Other key findings in the report included the following:

  • “The transportation sector in Singapore would take the biggest economic hit, followed by the same sector in South Korea.
  • “‘Business interruption’ and ‘contingent business interruption’ insurance coverages would be the main drivers of the insured losses (60% of the loss in the most extreme version of the scenario).”
  • “Non-affirmative cyber, meaning cyber risk that is not explicitly mentioned in an insurance policy, would account for up to 57% of the total insured losses.”
  • “Insurance claims would arise from port operators (50% of insured losses), companies along the supply chain (21% of insured losses), and logistics and cargo handling companies (16% of insured losses).”
  • “There are opportunities for insurers and policyholders to expand their view of cyber risks ahead of the next event and the report helps to inform in a way to support new products, services and mitigation strategies that make businesses and communities more resilient.”

Finally, the report made clear that “the global economy is underprepared for such an attack, as 92 percent of the total economic costs would be uninsured, leaving an insurance gap of $101 billion.

N.B.:  While Lloyd’s termed the report’s scenario “an extreme scenario,” the number of instances over the last decade in which state actors or surrogates thereof have carried our devastating cyberattacks suggest that the scenario is, regrettably, entirely plausible.  Information-security, strategic-risk, and political-risk teams at companies doing business in the Asia-Pacific region should take the time to read the complete report, and to use its findings as a basis for reviewing the adequacy of their firms’ current cyber-risk insurance coverage.

CSSF Director General Warns About Money Laundering Risks for Private Banks in Luxembourg

On October 29, the Luxembourg Times reported that Claude Marx, the Director General of the Luxembourg Commission de Surveillance du Secteur Financier (CSSF), warned in a recent interview “that the risk of money laundering in Luxembourg’s private banks is increasing.”  Marx attributed the increased risk to two factors.

The first is the continuing increase in ultra-high net worth clients in Luxembourg private banks.   The Luxembourg Times stated that such clients “bring in more than half of the money managed in Luxembourg, and those clients’ deposits increased by 4 percent (€32 billion) last year, according to Association des Banques et Banquiers, Luxembourg (ABBL) (Luxembourg Bankers’ Association).  The second is the increasing number of non-European clients at private banks.  Although the year-on-year percentage of non-European clients has remained steady at 11 percent, that percentage translates to “real-term growth of €3.4 billion to €40 billion, given that the overall market expanded by 9%.”

One Luxembourg-based private bank, the Russian East-West United Bank, confirmed that Luxembourg is increasingly popular with its clients from Russia, Ukraine, Kazakhstan, and Belarus.  The Luxembourg Times article also speculated that “[t]he numbers for third-country clients could be even higher,” as ABBL data “include legal structures that are domiciled in Luxembourg, but whose beneficial owners are outside the [European Union].”

While the CSSF declined to name specific countries that prompt its concern, the Luxembourg Times reported that “industry participants speculated that China and Russia are in its crosshairs,” in part because “Luxembourg has especially close business ties to China,” with seven Chinese banks headquartered there.

N.B.: Bank regulators have long recognized that private banks are susceptible to money laundering.  As the European banking sector continues to reel from the effects of the Danske Bank scandal, financial institutions doing business in Europe need to recognize that criminal enterprises have an active interest in identifying and exploiting new channels for laundering.  Certainly those responsible for directing the $234 billion in potentially suspect transactions that flowed through Danske Bank’s Estonian branch did not wait to seek out those new channels, and the information in the Luxembourg Times provides sufficient cause for concern by European financial institutions and financial regulators like the CSSF.

Accordingly, anti-money laundering compliance officers at financial firms doing business in Europe should incorporate this information into their money laundering risk assessment processes.  They also need to be thinking now about how to refine their AML compliance programs to address private banking-related risks, and how best to respond when regulators over time expand their oversight of AML compliance to include private-banking concerns.

Spanish High Court Charges Spanish Construction Company FCC with €82 Million Bribery in Panama

On October 30, Spain’s National High Court, the Audiencia Nacional, formally charged Spanish construction company Fomento de Construcciones y Contratas, S.A. (FCC) with corruption and money laundering in connection with €82 million ($92 million) in payments that FCC allegedly made in Panama.  The charges, which are directed at three FCC entities, relate to allegations that FCC paid bribes to obtain metro and hospital contracts in Panama between 2010 and 2014.

An Audiencia Nacional release stated that its investigation began in 2017, after a complaint against a legal advisor of Brazilian construction company Odebrecht for possible violations of money laundering, bribery, and criminal organization committed between 2009 and 2015.  According to the release, Odebrecht used Spanish companies to launder amounts from bribes paid by various construction companies, in exchange for contract awards.  In particular, the Spanish Anti-Corruption Prosecutor’s Office asserted that the three FCC companies “constituted a consortium” with Odebrecht as its leader, to participate in public-contract awards in Panama.  That consortium succeeded in winning contracts for two Panamanian metro lines.

By “oversizing the supply of steel needed to build the Panama metro and billing it at double its price,” the release stated, the companies obtained funds “to pay gifts to employees and political leaders of Panama.” The diversion of these funds “was done through screen companies managed by FCC and Odebrecht executives.”

The release also stated that after analyzing the documentation in the case, Audencia Nacional Judge Ismael Moreno determined that there are indications that the three FCC companies were able to participate in events that may constituting crimes of corruption in international transactions (under article 286 ter of the Spanish Penal Code (CP) and money laundering (under PC articles 301 and 302.2).  Judge Moreno also noted that there are indications that several senior FCC executives (since dismissed) participated “in the alleged corruption agreements regarding 13 infrastructure works that tendered in Panama, Costa Rica, Salvador and Nicaragua.”

Judge Moreno also took note of the fact that in In May and June 2019, FCC filed two complaints with the Anti-Corruption Prosecutor about the commercial agreements relating to the facts under investigation.  In particular, FCC provided 38 invoices and transfers totaling €82,768,849 between 2010 and 2014 “for services not provided, according to the company, and to cover payments for alleged corruption.”  Nonetheless, Judge Moreno concluded that criminal responsibility should extend beyond the former FCC executives because FCC “did not activate or apply any protocol aimed at preventing the commission of criminal acts, nor effectively implemented appropriate control or reaction mechanisms to detect criminal actions committed within the company .”

In an October 31 statement, the Barcelona-based company reported that it was aware of the alleged corruption, which had occurred before the new controlling shareholders of FCC  took overt in 2015.  It stated that FCC has been cooperating with the authorities, and “ratifies its commitment and collaboration with the judicial authorities to clarify the facts.”  It also declared that “a total commitment to the principle of zero tolerance for corruption is established” throughout the enterprise.

N.B.:  This case provides yet another indication of how far the ripple effects of the Odebrecht scandal continue to be felt.  Under the Audencia Nacional’s procedures, FCC was given five days to appoint a representative and an attorney to represent the defendant companies.  It seems likely that FCC will now seek to reach some kind of criminal resolution with the Spanish prosecutors and the court, as the fact that current management reportedly had no hand in the alleged Panamanian bribery scheme will not be dispositive of the charges.

Tech Companies, Kuwaiti Authorities Respond to BBC Investigation of Modern Slavery in Kuwait Via Apps

On October 31, BBC News reported that an undercover investigation by BBC News Arabic found that domestic workers in Kuwait “are being illegally bought and sold online in a booming black market”  through readily available apps.  Some of the trafficking of domestic workers reportedly “has been carried out on Facebook-owned Instagram, where posts have been promoted via algorithm-boosted hashtags, and sales negotiated via private messages.”  Similar listings “have been promoted in apps approved and provided by Google Play and Apple’s App Store, as well as the e-commerce platforms’ own websites.”

Despite the fact that Kuwait has laws to help protect domestic workers in the country, BBC News reported that various apps, such as 4Sale and Instagram, “enable employers to sell the sponsorship of their domestic workers to other employers, for a profit.”  This practice bypasses the agencies that ordinarily bring domestic workers into the country, and “creates an unregulated black market which leaves women more vulnerable to abuse and exploitation.”

According to the BBC, nine out of 10 Kuwaiti homes have a domestic worker.  In the BBC Arabic investigation, two members of the investigative team posed as a couple who was newly arrived in Kuwait.  They reportedly “spoke to 57 app users and visited more than a dozen people who were trying to sell them their domestic worker via a popular commodity app called 4Sale.”  That app “allowed you to filter by race, with different price brackets clearly on offer, according to category.”  One “seller”, a policeman seeking to sell his domestic worker, told the couple that “You will find someone buying a maid for 600 KD ($2,000), and selling her on for 1,000 KD ($3,300).”

Various “sellers” “almost all advocated confiscating the women’s passports, confining them to the house, denying them any time off and giving them little or no access to a phone.”  The undercover team were told by app users, “who acted as if they were the ‘owners’ of these women, to deny them other basic human rights, such as giving them a ‘day or a minute or a second’ off.”

In addition to the apps being used in Kuwait, the investigation found hundreds of women being sold on Haraj, a popular commodity app In Saudi Arabia and “hundreds more” on Instagram.

After the BBC team “contacted the apps and tech companies about their findings,” multiple companies took various actions:

  • 4Sale “removed the domestic worker section of its platform.”
  • Facebook, which owns Instagram, said that it had banned the Arabic hashtag that translates as “#maidsfortransfer,” and pledged to “continue to work with law enforcement, expert organisations and industry to prevent this behaviour on our platforms.”
  • Google stated that it was “deeply troubled by the allegations,” and that it had asked the BBC “to share additional details so we can conduct a more in-depth investigation.”
  • Apple stated that it “’strictly prohibited’ the promotion of human trafficking and child exploitation in apps made available on its marketplace,” adding that app developers “are responsible for policing the user-generated content on their platforms.”
  • Haraj reportedly had no comment.

As of October 31, certain firms had continued to distribute the 4Sale and Haraj apps, “on the basis that their primary purpose is to sell legitimate goods and services.”  Consequently, hundreds of domestic workers were still being traded on Haraj, Instagram, and other apps.

The next day, however, the BBC reported that Kuwaiti authorities had “officially summoned the owners of several social media accounts used to sell domestic workers as slaves, ordered those responsible to take down their ads, and compelled them “to sign a legal commitment, promising no longer to participate in this activity.”  In addition, Instagram stated that “it had removed further content across Facebook and Instagram, and would prevent the creation of new accounts designed to be used for the online slave market.”  Google and Apple also stated that “they were working with app developers to prevent illegal activity on their platforms.”

N.B.: These BBC reports not only show another dimension of how modern slavery is conducted, but also provide evidence that tech companies need to incorporate into improving their Modern Slavery Act compliance programs.  App developers should also take note of these reports, and take action to see that their apps are not used for such repellent practices.