Public statement concerning the imposition of a civil penalty under the Financial Services (Civil Penalties) Regulations 2015 in respect of HSBC Bank PLC IOM Branch ("HSBC")

1. Action

 

1.1.  The Isle of Man Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under section 13 of the Financial Services Act 2008 (the “Act”).

 

1.2.  The making of such public statement supports the Authority’s statutory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.

1.3.  Following regulatory contraventions being identified in relation to two unconnected matters (one of which was proactively self-reported to the Authority by HSBC), the Authority has deemed it appropriate, necessary and proportionate, in all the circumstances, that HSBC be required to pay a discretionary civil penalty imposed under section 16 of the Act and in accordance with the Financial Services (Civil Penalties) Regulations 2015 in the sum of £419,900 discounted by 30% to £293,930 (the “Civil Penalty”).

 

1.4.  HSBC has proactively brought about operational changes to address the issues identified. Further, the Authority acknowledges the constructive and pragmatic dialogue between HSBC and the Authority and gives credit for the engagement in this regard.

 

1.5.  The level of the Civil Penalty reflects the isolated nature of the issues, HSBC’s proactive implementation of operational enhancements to address the issues identified and the fact that HSBC co-operated with the Authority and agreed settlement at an early stage. As with all discretionary civil penalties issued by the Authority, the level of the Civil Penalty is calculated as a percentage of HSBC’s relevant income at the time that the contraventions noted within this public statement were identified. The absolute amount of the Civil Penalty relative to other civil penalties that have been issued by the Authority previously is not necessarily indicative of the seriousness of the contraventions and is determined each time on the facts of a particular matter. In this case, the Authority is assured that the contraventions were isolated in nature rather than being systemic across the business and that there were significant mitigating factors at play.

 

2. Background

2.1.  HSBC is licensed by the Authority in accordance with section 7 of the Act. HSBC is licensed to undertake, among other things, Class 1 (Deposit Taking) regulated activity.  

2.2.  In the first matter, HSBC discovered in August 2023 that earlier the same month it had paid away funds in the form of three recurring payments for a client that were subject to a Restraint Order issued by the Isle of Man Courts pursuant to the Proceeds of Crime Act 2008 (the “Court Order”). The Court Order restrained, inter alia, dealing with funds in respect of specified bank accounts (the “Restrained Accounts”) in the name of a client of HSBC but permitted certain monthly payments to be made. HSBC notified the Authority of this matter pursuant to its obligations under Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) legislation, and the Financial Services Rule Book 2016.

 

2.3.  In the second matter, on 4 September 2023 the Authority became aware that HSBC had issued a cheque without the required consent from the Financial Intelligence Unit (“FIU”). Following a request from the Authority, HSBC subsequently submitted the relevant notification.

 

 

3. Investigation conclusions

 

3.1.  In relation to the first matter involving the Court Order, HSBC operates procedures such that it can apply ‘Blocks’ against selected accounts. Such ‘Blocks’ and related controls are designed to prevent transactions from being processed.  For this purpose, these ‘Blocks’ and related controls are referred to as ‘preventative controls’.

 

3.2.  The preventative controls that were applied at the time the funds subject to the Court Order were paid away required the manual lifting and replacement of a Block each time a permitted batch of monthly payments needed to be made. The contravention arose because the preventative controls were not manually reapplied to the account after consented monthly payments had been made, resulting in three recurring payment transactions leaving the account.

 

3.3.  In addition to preventative controls, banks also operate what are commonly referred to as “detective controls”; these being designed to find issues quickly, including where preventative controls may have failed.

 

3.4.  HSBC had good detective controls, as evidenced by the fact that the breach of the Court Order was discovered quickly by HSBC and it made prompt notifications to the Attorney General’s Chambers and the Authority. The funds were recovered in full to the Restrained Accounts within two months of the notification.

 

3.5. In relation to the second matter involving the paying away of funds without consent, HSBC submitted a disclosure to the FIU in relation to a client’s bank account. HSBC advised that following a review of the customer relationship, HSBC’s Risk Committee had decided to exit the relationship and notice had been given to the client regarding the account closure. The balance on the account had been issued inadvertently to the client by way of cheque prior to the necessary engagement with the FIU to request consent to process the transaction.

 

3.6. The contraventions in the above two cases resulted in breaches of the Financial Services Rule Book 2016 (the “Rule Book”) by HSBC, which included:-

3.6.1 breaches of Rule 6.1 of the Rule Book in that HSBC did not act with due skill, care and diligence in carrying on regulated activity;


3.6.2 a breach of Rule 8.3(2) of the Rule Book. This Rule requires that “The responsible officers of a licenceholder must establish and maintain appropriate internal and operational controls, systems, policies and procedures relating to all aspects of its business to ensure appropriate safeguards to prevent and detect any abuse of the licenceholder’s services for money laundering, financial crime, the financing of terrorism, or the proliferation of weapons of mass destruction”.

3.7. Those same contraventions also resulted in HSBC contravening paragraph 4(1)(a)(iii) of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the “Code”) which requires HSBC not to enter into or carry on a business relationship unless HSBC establishes, records, operates and maintains procedures and controls in relation to internal controls and communication matters that are appropriate for the purpose of forestalling and preventing Money Laundering and Terrorist Financing.

 

4. Statement

The Authority is satisfied that the imposition of the Civil Penalty on HSBC appropriately reflects the nature of the contraventions by HSBC and the importance the Authority places on all parties in the regulated sector, in particular banks who are critical gatekeepers, complying with all elements of AML/CFT legislation.

 

HSBC entered settlement discussions with the Authority and, having accepted the conclusions of the Authority’s investigation, sought to finalise matters expeditiously.

 

5. Cooperation and Remediation

 

5.1.  The Authority is satisfied that HSBC cooperated fully and engaged positively.

 

5.2.  The Responsible Officers of HSBC at the relevant time have taken full responsibility for the issues identified by the Authority.

 

5.3.  At the date of the settlement agreement made between the Authority and HSBC, HSBC has confirmed to the Authority that the relevant operational controls have been enhanced to prevent any similar breach occurring.

 

6. Key Learning Points for Industry

 

6.1.  All firms undertaking business in the regulated sector have an obligation to conduct their affairs in a manner that adequately mitigates the risks faced by them in order to ensure that the Isle of Man retains its reputation as a responsible, and well-regulated, international financial centre.

 

6.2.  Any weaknesses in the design, implementation and operation of controls may expose a licenceholder to being exploited by persons who may wish to launder money or finance terrorism. The AML/CFT risks faced by banks are recognised in the Isle of Man Government’s National Risk Assessment 2020, which applies an overall risk rating of Medium High to both the international retail, and corporate and trust parts of the banking sector. Persons in this sector, such as HSBC, will be required by the Authority to have and to maintain a very robust control environment at all times.

 

6.3.  The design and operation of any effective suite of AML/CFT controls, particularly any systems-driven solution, needs to appropriately reflect the risk environment faced by the particular business in terms of preventing and detecting breaches of the Island’s regulatory framework.