IOM FSA fined HSBC Bank PLC IOM Branch ("HSBC") £293,930.00 (after discount) for two payment errors
26/11/2024
- Introduction
- On November 26, 2024, the Isle of Man Financial Services Authority (the “Authority”/“FSA”) made a significant public statement regarding the HSBC Bank PLC IOM Branch (“HSBC”).
- The FSA announced in its statement that it had fined "HSBC" £419,900.00, discounted by 30% to £293,930.00 for two payment errors.
- Background of HSBC - Licensing and Regulatory Framework
- HSBC operates under a license granted by the Authority, allowing it to conduct Class 1 (Deposit Taking) regulated activities.
- This licensing is essential for ensuring banks adhere to strict regulatory standards to protect consumers and the financial system.
Details of the Regulatory Contraventions
- First Matter: Breach of Court Order
- In August 2023, HSBC discovered that it had inadvertently processed THREE RECURRING PAYMENTS for a client despite these payments being subject to a Restraint Order from the Isle of Man Courts.
- This Court Order was issued under the Proceeds of Crime Act 2008, restricting dealings with specific funds.
- HSBC promptly notified the Authority, demonstrating its commitment to compliance.
- Second Matter: Issuing Cheque Without Consent
- In a separate incident, the Authority learned that HSBC had issued a cheque WITHOUT THE NECESSARY CONSENT from the Financial Intelligence Unit (FIU).
- This oversight occurred during a client relationship review, leading to an unintentional breach of protocol.
- Analysis of the First Matter
- In the first matter, HSBC's preventative controls failed to reapply a necessary block after processing consented payments.
- However, the bank's detective controls were adequate, as it quickly identified the breach and notified the relevant authorities.
- Analysis of the Second Matter
- In the second matter, HSBC's Risk Committee had decided to exit a client relationship, but a cheque was issued inadvertently before obtaining the required consent from the FIU.
- This lapse highlighted the need for stricter adherence to internal controls.
- Key Learning Points for the Financial Industry
- Importance of Compliance
- This case serves as a reminder for all firms in the regulated sector to conduct their affairs responsibly.
- Compliance with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) legislation is paramount to maintaining the Isle of Man's reputation as a well-regulated financial centre.
- Risks of Weak Controls
- Weaknesses in internal controls can expose banks to exploitation by those seeking to launder money or finance terrorism.
- The Authority's National Risk Assessment highlights the medium-high risk rating for the banking sector, underscoring the need for robust control environments.
READ THE FULL STATEMENT HERE
Public statement concerning the imposition of a civil penalty under the Financial Services (Civil Penalties) Regulations 2015 in respect of HSBC Bank PLC IOM Branch ("HSBC")
Published on: 26 November 2024
- Action
1.1. The Isle of Man Financial Services Authority (the “Authority”) makes this public statement by powers conferred upon it under section 13 of the Financial Services Act 2008 (the “Act”).
1.2. The making of such a public statement supports the Authority’s statutory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.
1.3. Following regulatory contraventions being identified about two unconnected matters (one of which was proactively self-reported to the Authority by HSBC), the Authority has deemed it appropriate, necessary and proportionate, in all the circumstances, that HSBC be required to pay a discretionary civil penalty imposed under section 16 of the Act and in accordance with the Financial Services (Civil Penalties) Regulations 2015 in the sum of £419,900 discounted by 30% to £293,930 (the “Civil Penalty”).
1.4. HSBC has proactively brought about operational changes to address the issues identified. Further, the Authority acknowledges the constructive and pragmatic dialogue between HSBC and the Authority and gives credit for the engagement in this regard.
1.5. The level of the Civil Penalty reflects the isolated nature of the issues, HSBC’s proactive implementation of operational enhancements to address the issues identified and the fact that HSBC co-operated with the Authority and agreed settlement at an early stage. As with all discretionary civil penalties issued by the Authority, the level of the Civil Penalty is calculated as a percentage of HSBC’s relevant income at the time that the contraventions noted within this public statement were identified. The absolute amount of the Civil Penalty relative to other civil penalties that have been issued by the Authority previously is not necessarily indicative of the seriousness of the contraventions and is determined each time on the facts of a particular matter. In this case, the Authority is assured that the contraventions were isolated in nature rather than being systemic across the business and that there were significant mitigating factors at play.
- Background
2.1. HSBC is licensed by the Authority in accordance with section 7 of the Act. HSBC is licensed to undertake, among other things, Class 1 (Deposit Taking) regulated activity.
2.2. In the first matter, HSBC discovered in August 2023 that earlier the same month it had paid away funds in the form of three recurring payments for a client that were subject to a Restraint Order issued by the Isle of Man Courts pursuant to the Proceeds of Crime Act 2008 (the “Court Order”). The Court Order restrained, inter alia, dealing with funds in respect of specified bank accounts (the “Restrained Accounts”) in the name of a client of HSBC but permitted certain monthly payments to be made. HSBC notified the Authority of this matter pursuant to its obligations under Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) legislation, and the Financial Services Rule Book 2016.
2.3. In the second matter, on 4 September 2023 the Authority became aware that HSBC had issued a cheque without the required consent from the Financial Intelligence Unit (“FIU”). Following a request from the Authority, HSBC subsequently submitted the relevant notification.
- Investigation conclusions
3.1. In relation to the first matter involving the Court Order, HSBC operates procedures such that it can apply ‘Blocks’ against selected accounts. Such ‘Blocks’ and related controls are designed to prevent transactions from being processed. For this purpose, these ‘Blocks’ and related controls are referred to as ‘preventative controls’.
3.2. The preventative controls that were applied at the time the funds subject to the Court Order were paid away required the manual lifting and replacement of a Block each time a permitted batch of monthly payments needed to be made. The contravention arose because the preventative controls were not manually reapplied to the account after consented monthly payments had been made resulting in three recurring payment transactions leaving the account.
3.3. In addition to preventative controls, banks also operate what are commonly referred to as “detective controls”; these being designed to find issues quickly, including where preventative controls may have failed.
3.4. HSBC had good detective controls as evidenced by the fact that the breach of the Court Order was discovered quickly by HSBC and it made prompt notifications to the Attorney General’s Chambers and the Authority. The funds were recovered in full, within two months of the notification to the Restrained Accounts.
3.5. In relation to the second matter involving the paying away of funds without consent, HSBC submitted a disclosure to the FIU in relation to a client’s bank account. HSBC advised that following a review of the customer relationship, HSBC’s Risk Committee had decided to exit the relationship and notice had been given to the client regarding the account closure. The balance on the account had been issued inadvertently to the client by way of cheque prior to the necessary engagement with the FIU to request consent to process the transaction.
3.6. The contraventions in the above two cases resulted in breaches of the Financial Services Rule Book 2016 (the “Rule Book”) by HSBC, which included:-
3.6.1 Breaches of Rule 6.1 of the Rule Book in that HSBC did not act with due skill, care and diligence in carrying on regulated activity;
3.6.2 a breach of Rule 8.3(2) of the Rule Book. This Rule requires that “The responsible officers of a licenceholder must establish and maintain appropriate internal and operational controls, systems, policies and procedures relating to all aspects of its business to ensure appropriate safeguards to prevent and detect any abuse of the licenceholder’s services for money laundering, financial crime, the financing of terrorism, or the proliferation of weapons of mass destruction”.
3.7. Those same contraventions also resulted in HSBC contravening paragraph 4(1)(a)(iii) of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the “Code”) which requires HSBC not to enter into or carry on a business relationship unless HSBC establishes, records, operates and maintains procedures and control in relation to internal controls and communication matters that are appropriate for the purpose of forestalling and preventing Money Laundering and Terrorist Financing.
- Statement
The Authority is satisfied that the imposition of the Civil Penalty on HSBC appropriately reflects the nature of the contraventions by HSBC and the importance the Authority places on all parties in the regulated sector, in particular banks who are critical gatekeepers, complying with all elements of AML/CFT legislation.
HSBC entered settlement discussions with the Authority and, having accepted the conclusions of the Authority’s investigation, sought to finalise matters expeditiously.
- Cooperation and Remediation
5.1. The Authority is satisfied that HSBC cooperated fully and engaged positively.
5.2. The Responsible Officers of HSBC at the relevant time have taken full responsibility for the issues identified by the Authority.
5.3. At the date of the settlement agreement made between the Authority and HSBC, HSBC has confirmed to the Authority that the relevant operational controls have been enhanced to prevent any similar breach occurring.
- Key Learning Points for Industry
6.1. All firms undertaking business in the regulated sector have an obligation to conduct their affairs in a manner that adequately mitigates the risks faced by them in order to ensure that the Isle of Man retains its reputation as a responsible, and well-regulated, international financial centre.
6.2. Any weaknesses in the design, implementation and operation of controls may expose a licenceholder to being exploited by persons who may wish to launder money or finance terrorism. The AML/CFT risks faced by banks are recognised in the Isle of Man Government’s National Risk Assessment 2020 which applies an overall risk rating of Medium High to both the international retail, and corporate and trust parts of the banking sector. Persons in this sector, such as HSBC, will be required by the Authority to have and to maintain a very robust control environment at all times.
6.3. The design and operation of any effective suite of AML/CFT controls, particularly any systems-driven solution, needs to appropriately reflect the risk environment faced by the particular business in terms of preventing and detecting breaches of the Island’s regulatory framework.