The travails of HSBC in the US Senate
investigation into money laundering risk being
trivialized, when in reality the careless acts of
a few can compromise the lives of thousands. That
said, governments and banks are massively ill
equipped on both the people and systems fronts to
handle the complexities of today's technological,
privacy and transactional challenges.
Gather around, children and let me tell
you a little story. So it was in the 1990s that a
bank from Europe decided to rapidly expand its
business in Asia out of its base in one of the
financial centers. With strong growth and booming
economies, the bank met heavy competition for both
its direct lending and bond underwriting efforts.
Deals were difficult to come by until one day a
respectable businessman with impeccable
credentials hailing from an Islamic
country in the region
popped into their radar. Apparently the
businessman was having some relationship problems
with his existing bank that was of American
vintage because his key contacts had resigned
recently to pursue other careers.
This
gave a golden opportunity for the bank from Europe
to get into the relationship. After some minimal
due diligence, the thrilled bankers agreed to
underwrite a US$250 million (equivalent) bond
issue for the construction materials plant of the
businessman. Hardly had the ink dried on their
transaction than the 1997 Asian financial crisis
struck, and left the bank with bonds that it
simply couldn't sell as investors fled the region.
After holding the bonds for a while, the
bank decided to reclassify the position as a
"loan" and transferred it to its internal unit
specializing in loans. When that unit sent its
folks to the Islamic country where the businessman
was located, they uncovered the rather shocking
news that there was no actual factory or indeed
any structure of any value in the area against
which the loan had been given.
So the bank
wrote off the position internally but engaged some
folks to try and get the money back. As these
hired agents started chasing the businessman
around his country, the businessman got religion -
quite literally, coming under the wings of some
local fundamentalists who promised to protect him
from their government as long as some money could
be "re-circulated in the community". Rather than
risk losing all $250 million of his ill-gotten
gains, the businessman quietly spent over $50
million on religious schools and "social"
organizations aligned with the fundamentalists.
Then it starts getting all murky, but the
end result could well be that one of the
fundamentalist organization in turn ended up
donating money to a group of fighters hailing from
Saudi Arabia. This donation in late 1998 or so
could well have been the first major step in the
expansion of that little outfit into a global
terrorist organization that killed thousands of
people, which in turn resulted in bloody wars
springing up in a lot of places including in the
country where the businessman had been based
originally.
Right - so here's the quiz:
how much of that story is real, and how much is
complete fabrication?
You see, that is the
wrong question at this stage. The point here is to
examine the thread of events, and focus one's
energies on understanding the nexus between
multiple factors: a. Ambitious banks; b.
Over competition for certain key market positions;
c. Underinvestment in infrastructure; d.
Underinvestment in due diligence; e. Lack of
follow through; f. Game theory - or how
cornered people are likely to react; g. Links
between organized crime and terrorism.
In
the above case, the bank clearly failed on all
counts from "a" through "e". In particular, its
lack of physical presence in the country "c" where
the loan was directed meant that it wasn't able to
fulfill its others duties under "d" and "e",
essentially being unable to do anything till it
was all way too late. The management of the bank
failed to spot the risks highlighted in "a"
through "e"; specifically the board of directors
and the regulator of the bank failed in their
duties.
Given the above context though,
let us examine the situation that banking giant
HSBC stands accused of in front of the US Senate.
For starters, the bank does not come across as
particularly aggressive; indeed it has a
well-documented history of giving up market share
if controls aren't fully in place. Neither does
the bank compete above its weight: for example, it
famously walked away from investment banking
before the madness really took hold of the likes
of Bank of America and Citibank in the early parts
of the last decade.
HSBC has a strong
physical presence around the world - hence the
motto "the world's local bank", and its origins in
Scottish banking ethos have served it well during
turbulent times. As such, on pretty much all
accounts, HSBC doesn't present itself in the same
category of the bank in my story above.
Yet, as with strong governments, the
banking sector also has a weakness that it has
thus far failed to spot or take operational action
in; that is in the area of integrating data logic
across information systems in order to perform the
kind of cross-checks that today's breed of
criminals use. Put more simply, banks and
governments lag hopelessly behind in the world of
technology.
Let me give you two examples -
one each from government and banking. The first
involves the use of sophisticated scanning
technology to read emails. Let us ignore the
presence of certain technology like the 15-year
old PGP system that renders most government
scanners useless; but look at some simpler
workarounds.
When terrorist organizations
and drug cartels started noticing that their
calls, text messages and emails were being
scanned, they resorted to some interesting
workarounds - for example, the use of "draft"
emails wherein a person in Location A logs into a
shared web-based mail system, and composes a
detailed message but instead of sending the
message just saves it as a draft message. Then he
logs out, for a user in another country to log
into the same account and read the "draft"
message. Since no email was ever actually
transmitted, the government agencies responsible
for monitoring traffic have no idea of what just
happened.
In a parallel example in the
world of banking, say that a particular person has
the kind of profile that would guarantee he
wouldn't be able to open a bank account (you all
know what type of people I mean). So he opens his
mailbox and there is a little ATM card from his
contact in another country. So he pops over to the
local ATM, enters the pin communicated to him and
hey presto, full banking services. The bank has no
clue that such an event occurred - as far as it is
aware, the original cardholder travelled to the
other country and used his card there. There are
many variations of this theme that organizations
may use to provide a complete alibi to the
original account holder.
The point from
all of this is that governments and banks lag
behind in technology and specifically their
ability to integrate data across multiple systems
that would facilitate clear analysis. In the first
example, the bank would ideally have been looking
for the following information on the businessman:
; a. His land purchase records and building
permits; b. His orders and payments for
building the factory that was to manufacture the
construction materials; c. His bank account
history in his home country; d. Details of his
assets outside his home country; e. The
businessman's police record if any.
Go and
ask any bank based in an offshore location, and
they would tell you that they couldn't possibly
get the records mentioned in "a", "b" and "c" due
to the banking secrecy acts in his home country;
they wouldn't get "d" due to the banking secrecy
in the offshore location, and there is no way most
countries would hand over "e" because of risks
pertaining to national security and the potential
to compromise sovereignty.
None of that
though is the main reason why banks will continue
to be haunted by such risks for decades to come.
Instead, the problem is simply that 99.9% of all
banking transactions are genuine with no ulterior
motives for tax dodging or money laundering. To
catch the 0.1% (and some have suggested the figure
is far higher albeit almost never more than 5%) of
potential criminals, banks will have to risk the
wrath of 99.9% of their customer base.
An
IT manager of my acquaintance described a Game
Theory-based software codenamed "pebbles" that was
developed in the Cold War era to sort out dummy
warheads from the real ones as the US military
feared having its radar tracking facilities
compromised if the Russians simply fired 20 dummy
missiles for every real one that was aimed at a US
city. This person told me that some central banks
had adopted a modified version of the "pebbles"
software but generally to no avail and therefore
had started investing more money in direct due
diligence of suspicious transactions: the kind of
hardnosed human intel that helped to track the
money laundering mentioned by the US Senate.
As with intrusive airport security, the
time may well have come for banks and their
customers to embrace the new world of risks;
accepting greater intrusion into the affairs of
both customers and companies worldwide. The
reason: that story I relayed at the beginning of
this article is mostly true with a bit of
embellishment around the edges.
(Copyright
2012 Asia Times Online (Holdings) Ltd. All rights
reserved. Please contact us about sales,
syndication and
republishing.)
Head
Office: Unit B, 16/F, Li Dong Building, No. 9 Li Yuen Street East,
Central, Hong Kong Thailand Bureau:
11/13 Petchkasem Road, Hua Hin, Prachuab Kirikhan, Thailand 77110
