Issue #8 | June 17, 2026 | 7 min read

SECTION 1: The Brief

In December 2012, HSBC entered a deferred prosecution agreement and paid $1.9 billion to resolve findings that it had laundered $881 million for the Sinaloa and Norte del Valle cartels. The transaction monitoring system was operational throughout. CTRs were being filed. Alerts were being generated. None of it was enough to interrupt the business relationship.

This issue looks at how that happens and what it means for programs that can detect problems but can't act on them.

SECTION 2: Main Feature

ENFORCEMENT ACTION

When the Compliance Program Runs But Can't Win the Argument

HSBC's $1.9 billion settlement isn't a story about a missing program. It's about one that was structurally unable to affect outcomes.

In December 2012, HSBC Holdings and its U.S. subsidiary HSBC Bank USA entered a deferred prosecution agreement with the DOJ and settled simultaneously with FinCEN, the OCC, the Federal Reserve, and the New York Department of Financial Services. Total penalties: $1.9 billion. The core finding: between 2006 and 2010, HSBC Mexico laundered at least $881 million in drug trafficking proceeds for the Sinaloa cartel and Colombia's Norte del Valle cartel. During a related period, HSBC processed approximately $660 million in transactions for customers in OFAC-sanctioned countries (Iran, Sudan, Cuba, and Libya) through subsidiaries with no sanctions screening program.

The Senate Permanent Subcommittee on Investigations released a 340-page report in July 2012 that documented how it happened. Its findings weren't about an institution with no AML infrastructure. HSBC had compliance officers. It had transaction monitoring. It had a risk-rating framework. What the report documented was the systematic failure of each of those components to produce consequences.

$881 million — drug trafficking proceeds laundered through HSBC Mexico
$7 billion — physical currency moved from Mexico to the U.S., 2007–2010
4 consecutive years — OCC flagged AML deficiencies: 2005, 2006, 2007, 2008

DOJ Deferred Prosecution Agreement / Senate PSI Report, 2012

HSBC Mexico had been classified as the highest-risk affiliate in the bank's global network. The response was a management initiative called the "Simplification Project," which reduced compliance requirements for HSBC Mexico's customer base and lowered the thresholds at which enhanced due diligence applied. The rationale was operational efficiency. The effect was less oversight on the most dangerous book of business in the institution.

Cartels adapted to whatever compliance environment they were operating in. The Sinaloa cartel used cash deposit boxes engineered to fit through HSBC Mexico's teller windows. According to the Senate PSI report, approximately $7 billion in physical currency was moved from Mexico to the United States between 2007 and 2010. More than 373,000 transactions went through without adequate monitoring. CTRs were filed on some of those deposits, but SARs weren't.

The OCC had flagged AML deficiencies at HSBC for four consecutive examination cycles before the DOJ action. The compliance function was generating documentation. Regulators were issuing findings, but the business continued.

What distinguishes this case

TD Bank's leadership treated compliance as an operational obstacle and wrote that approach down. Binance built a platform with no compliance infrastructure and made deliberate decisions not to register with FinCEN. HSBC's failure was different in character. The program existed. The monitoring ran. The risk-rating framework was in place. None of it was empowered to produce different outcomes when compliance findings conflicted with revenue.

The compliance function at HSBC could file a CTR. It couldn't close a profitable account relationship. It could generate a monitoring alert. It couldn't override a business line decision about customer retention. When both of those things are true simultaneously, the AML program is capable of meeting technical regulatory requirements while failing at the purpose those requirements are meant to serve. The OCC caught this through examination four times and HSBC management didn't fix it.

Red Flags in This Case

  • HSBC Mexico carried the highest internal risk classification in the bank's global affiliate network, then had its compliance requirements reduced through a management efficiency initiative

  • Physical cash structured to stay under CTR thresholds, deposited through branches where bulk cash handling had become normalized over years

  • Four consecutive OCC examination cycles identified AML deficiencies without producing remediation that changed program outcomes

  • Correspondent banking relationships with high-risk institutions processed without adequate due diligence at the transaction level

  • OFAC sanctions exposure flowing through subsidiaries that had no sanctions screening in place

The practitioner question

The regulatory response to HSBC was structural: a five-year monitorship, enhanced compliance requirements, and a DPA that was eventually extended after reports that HSBC had violated its terms. The DOJ declined to reopen prosecution. No senior executives were charged. Three years before the Yates Memo, individual accountability wasn't yet a stated enforcement priority.

The more useful question isn't about the penalty. It's about the internal dynamic the case documented.

A compliance program that can identify risk but can't close relationships, file SARs against profitable customers, or escalate findings to someone with authority to act on them isn't a functioning AML program. It's a documentation program. The two look identical from the outside: both have policies, both generate reports, both satisfy the structural requirements of an examination. They diverge at the point where a finding would require the business to do something it doesn't want to do.

Most compliance programs can detect unusual activity. Fewer have tested whether the escalation path from detection to consequence actually functions when the consequence involves business disruption. The HSBC record suggests that gap can persist across four regulatory examination cycles without being resolved and that resolving it after a $1.9 billion settlement, under a federal monitor, still took years.

Your program's ability to act on what it finds matters more than its ability to find it.

Sources: DOJ Deferred Prosecution Agreement — HSBC Holdings plc and HSBC Bank USA, N.A., December 11, 2012 | FinCEN Assessment of Civil Money Penalty — HSBC Bank USA, N.A., December 11, 2012 | U.S. Senate Permanent Subcommittee on Investigations, "U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History," July 17, 2012 | OCC Consent Order — HSBC Bank USA, N.A., October 6, 2010

SECTION 3: Intelligence Briefing

FinCEN — On June 12, FinCEN issued updated guidance on fraud information sharing under Section 314(b) of the USA PATRIOT Act. The guidance clarifies that institutions may share information about suspected fraud — not just money laundering or terrorist financing — with other 314(b)-enrolled institutions, and explicitly includes video surveillance footage and cyber data such as IP addresses in the category of shareable information. The practical implication: 314(b) is more useful than many institutions treat it. If your fraud and AML teams aren't already coordinating on 314(b) outreach when investigating accounts with potential fraud-to-laundering typologies, this guidance gives you the framework to do it. Source: FinCEN, Section 314(b) Fact Sheet, June 12, 2026.

OFAC — On June 11, OFAC designated 10 individuals and entities across the Middle East, Asia, and Eastern Europe for enabling Iran's procurement of components for its Shahed-series unmanned aerial vehicles and ballistic missile program. The network includes front companies and brokers operating through jurisdictions that are not themselves subject to comprehensive Iran sanctions, which is the standard evasion architecture. For institutions with correspondent relationships or cross-border payment exposure in those regions, the designations mean SDN list updates are live and screening queues should be current. Source: Treasury, June 11, 2026.

FinCEN — FinCEN's NPRM to reform AML/CFT program requirements remains in the comment review period following the June 9 close of the public comment window. The proposed rule would shift the examination standard from structural compliance to demonstrated effectiveness — the HSBC case is a useful illustration of why that distinction matters — and would require AML officers to be U.S.-based and accessible to regulators. No final rule timeline has been published. Source: FinCEN NPRM, April 2026.

SECTION 4: From the Source

"HSBC's AML deficiencies were not unknown to HSBC management or to bank regulators. The OCC identified AML problems at HSBC Bank USA in 2005, 2006, 2007, and 2008, but HSBC management failed to correct them and the OCC failed to force the issue."

— U.S. Senate Permanent Subcommittee on Investigations, "U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History," July 17, 2012

Four examination cycles. Four sets of findings. Each one acknowledged and not resolved. The Senate PSI framed this as a failure by both the institution and the regulator — which is accurate, but it elides the more specific failure. HSBC's compliance program wasn't hiding the deficiencies. The OCC was finding them through normal examination. The gap was between finding and consequence, at both the institutional and regulatory level. That gap — between identifying a problem and having the authority or will to resolve it — is the structural issue this case put on the record.

Source: U.S. Senate Permanent Subcommittee on Investigations, July 17, 2012

The AML Brief | theamlbrief.com

Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.
