Revenge of the Money Launderers

The "FinCen files" story reveals: getting caught doesn't stop banks from taking dirty money. It may even encourage them

Sincere apologies to subscribers who received a fragmented article previously. This is the complete piece:

On December 11, 2012, U.S. Justice Department officials called a press conference in Brooklyn. The key players were once and future bank lawyer Lanny Breuer (disguised at the time as Barack Obama’s Assistant Attorney General in charge of the DOJ’s Criminal Division), and Loretta Lynch, the U.S. Attorney for the Eastern District of New York, and future Attorney General. The duo revealed that HSBC, the largest bank in Europe, had agreed to a $1.9 billion settlement for years of money-laundering offenses.

An alphabet soup of regulatory agencies was represented that day, from the Justice Department, to Immigration and Customs Enforcement (ICE), the U.S. Treasury, the New York County District Attorney, and the Office of the Comptroller of the Currency, among others.

The regulators outlined a slew of admissions, with HSBC’s headline offense being the laundering of $881 million for Central and South American drug outfits, including the infamous Sinaloa cartel.

The laundering was so brazen, regulators said, the bank’s Mexican subsidiary had developed “specially shaped boxes” for cartels to pack with cash and slide through teller windows. The seemingly massive fine reflected serious offenses, including violations of the Bank Secrecy Act (BSA), the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).

The next years would follow up with a flurry of similar settlements extracting sizable-sounding fees from other transnational banks for laundering money on behalf of terrorists, sanctioned businesses, mobsters, drug dealers, and other malefactors. Firms like JP Morgan Chase ($1.7 billion), Standard Chartered ($300 million), and Deutsche Bank ($258 million) were soon announcing settlements either for laundering, sanctions violations, or both.

Even seasoned financial reporters accustomed to seeing soft-touch settlements scratched their heads at some of the deals. In the case of HSBC, the stiffest penalty doled out to any individual for the biggest drug-money-laundering case in history — during which time HSBC had become the “preferred financial institution” of drug traffickers, according to the Justice Department — involved an agreement to “partially defer bonus compensation for its most senior executives.” If bankers can’t get time for washing money for people who put torture videos on the internet, what can they get time for?

When I did a story on the case in early 2013, I found the HSBC settlement was the latest step in a dizzying, decade-plus cycle of offenses and ignored reprimands, involving multiple regulatory bodies. The number of times HSBC had blown off compliance orders seemed too absurd to be real. In one stretch between 2005 and 2006, the bank received (and, apparently, ignored) 30 formal warnings just from the Office of the Comptroller of the Currency.

Prosecutors insisted the deferred prosecution settlements slapped on companies like HSBC, Standard Chartered, and JP Morgan Chase were tougher than jail terms. The deals would place banks in a permanent state of quasi-arrest, with regulators granted enormous supervisory power and serious charges pre-filed and hanging over the firms going forward.

As one federal investigator put it to me back then, “This way, we have them by the short ones.”

Fast-forward eight years. On September 20th, a combination of Buzzfeed and the International Consortium of Investigative Journalists (ICIJ) published the details of a major document leak highlighting a decade of money-laundering incidents, involving hundreds of billions of dollars and a number of the world’s biggest banks. The leak centered on a cache of over two thousand “suspicious activity reports,” or SARs, filed by those banks to the Financial Crimes Enforcement Network, a regulatory arm of the U.S. Treasury.

Though the ICIJ was also behind the release of the Panama Papers, investigative editor Michael Hudson told me he believes the FinCen leak is “the most important” project they’ve worked on. Instead of being about one group of actors, or one jurisdiction, these revelations span the banking sector as a whole.

“It shows the widest set of problems,” he says.

The story has been covered around the world, but some press accounts particularly here in the States seem to have missed the punchline, i.e. that the banks figuring most prominently in the FinCen leak are exactly the same institutions paraded before the public as subjects of “message-sending” punishments back in 2012-2014.

HSBC, for instance, continued to take in questionable money through 2012 and beyond, including $30 million from Hong Kong accounts related to a Ponzi scheme called World Capital Market. WCM was suspected of bilking “investors” — most of them ordinary people scraping together five or ten thousand dollars and throwing them at false promises of guaranteed returns — of nearly $80 million.

The leaked records show HSBC flagged the account as suspicious as early as 2013, but continued to take the money from this and a wide variety of other dicey accounts. Although regulators saw all of this information, the Department of Justice not only didn’t take action, it announced in 2017 that HSBC had “lived up to all of its commitments” and agreed to file a motion to lift the deferred prosecution deal.

A similar pattern held with JP Morgan Chase, which in 2013 was hit with a cease and desist order over “systemic deficiencies” in its money-laundering controls, yet continued to do business with rogue accounts, including some infamous and obvious ones. To give some sense of the sums involved, JPM made roughly a half-billion dollars just servicing the accounts for con artist Bernie Madoff.

As far back as 2006, JP Morgan Chase knew enough to pull its own money out of investments in hedge funds tied to Madoff, but never told investors, and continued to manage his accounts for years. The bank ultimately settled with the government over the Madoff episode in 2014, after the 2013 “cease and desist” order, while continuing to manage money for other malodorous accounts — including, according to the ICIJ, more than $1 billion for Jho Low, the fugitive financier behind Malaysia’s infamous 1MDB fund.

In a detail that should infuriate the #Resistance crowd, Jamie Dimon’s bank also continued to do business in huge sums for former Trump campaign manager Paul Manafort even after Manafort stepped down in scandal, and even after the bank flagged Manafort’s accounts. From the ICIJ report:

JPMorgan also processed more than $50 million in payments over a decade, the records show, for Paul Manafort, the former campaign manager for President Donald Trump. The bank shuttled at least $6.9 million in Manafort transactions in the 14 months after he resigned from the campaign amid a swirl of money laundering and corruption allegations spawning from his work with a pro-Russian political party in Ukraine.

“If you look at the cases where they tried to punish and deter the big banks, the headline-making efforts just haven’t worked,” says Hudson. “In the aftermath of these supposed crackdowns, the banks continued to move money in staggering amounts, for powerful and dangerous characters.”

“The big takeaway is, the system just doesn’t work,” adds former federal prosecutor Paul Pelletier. “I think these SARs represent about $2 trillion in suspicious transactions, and nearly all of it went through. And this is just a small fraction of the overall amount of money.”

According to Hudson, the FinCen files represent about two-tenths of one percent of the suspicious activity reports filed between 2011 and 2017.

In the aftermath of the HSBC deal in 2012, money laundering cases began to attract a fair amount of press attention. HSBC’s case even became one of the subjects for Oscar-winning documentarian Alex Gibney’s “Dirty Money” series:

At the time, there was an expectation that these stories could be told in the past tense, because firms like HSBC had been busted. The FinCen leaks show the opposite. The settlements may actually have been an accelerant, allowing for the appearance of regulation, while alerting banks to broader weaknesses that encouraged more brazen behavior going forward. We may have to change the way we think about “dirty money,” from being an outside contaminant, to endemic to the system at its core.


Public legend about movement of ill-gotten cash usually centers on crooks sitting under ceiling fans in tropical locales, receiving mysterious wire transfers in places outside the physical reach of American regulators, like VanuatuPanama, or the British Virgin Islands. The FinCen leaks make clear the real hub of money laundering is in what Hudson calls the “choke point” of New York, where the world’s largest financial institutions have streamlined the process of moving shady money.

SARs don’t always indicate a crime. They’re the regulatory equivalent of a call to police to check something out that doesn’t add up. Bank monitors who compile them might be spotting something in their account rolls like high numbers of cash transactions, large numbers of wire transfers to a country where the customer doesn’t do business, etc.

The requirement to produce these reports creates a cat-and-mouse game for banks. Every time compliance officers discover derogatory information that leads to an account being closed, it’s a direct hit to a bank’s revenues. On the other hand, to keep regulators off their backs, banks have to be seen to be doing all they can to sniff out illegalities. Therefore there’s an incentive for banks to cycle through creative ways of looking like they’re engaging in compliance, without actually doing so.

A bank might create sizable AML departments, but pad them with inexperienced, entry-level employees incapable of spotting problems (see here for the HSBC example I wrote about years ago). A firm may hire a top-of-the-line department head, but not give him or her real resources. Required hiring boxes may be checked, but the company may non-report or under-report problems. Companies may even generate huge numbers of suspicious activity reports while leaving key data like names or addresses missing.

In a different scenario, reports are filed too late for action to be taken. SARs are supposed to be filed within 30 days, for instance, but the FinCen documents were filed to the government an average of 166 days after the initial detection of a potential problem.

In another stalling method, banks informally agree not to close suspicious accounts until a certain number of SARs have accrued. When the Senate Permanent Subcommittee on Investigations looked at HSBC in 2012, for instance, they found internal emails from bank executives suggesting that HSBC’s Mexico operations had settled on a policy of not closing accounts until four SARs had been filed.

When the company’s chief compliance officer found out about its subsidiary HMEX’s standard, he wrote, in a bemused tone, “4 SARs seems awfully indulgent, even by local standards.” HMEX later cut the standard to two SARs, which seems to be the exception rather than the rule. In the FinCen leaks, companies are seen repeatedly filing reports about the same actor, each time implying they’ve dug just enough to write a report, but never quite enough to actually close the account.

Of course, in banking, size matters. “Maybe the bank looks at a wire transfer and says, ‘This smells.’ Do that in a $12,000 transaction, and they’ll kick you out of the bank,” says Pelletier. “Do it at $12 million, and they’ll let it go.”

What’s unique about this leak it shows bad behavior the banks actually reported. As one former investigator put it this week, “This is the stuff they actually have a suspicious activity report for!” That banks keep taking the money is bad, but the fact that regulators keep receiving the reports and letting shady transactions slide makes the dirty-money problem a bizarre symbiosis of private rapaciousness and (at best) governmental apathy.

While credit card companies are able to detect fraud and banks are able to detect suspicious activity thanks to technological advances, the government lacks the same capability, in part perhaps because the reporting system is not automated. Since it’s a crime to leak a “SAR” — you “literally have to steal one” to make one public, as one former investigator puts it — they’ve rarely been seen by the public. The ICIJ has now put them on display:

The government receives millions of these written reports, which often appear to reflect a fair amount of person-hours of research by the bank. However, the government lacks what one investigator described to me as an “AI-type test” for passive review of this material, and lacks the personnel to go through it all individually.

At best, a federal investigator may go through the SAR database to check an individual or company already targeted in another probe. This particular batch of SARs seems to have been gathered as part of a congressional investigation into Russian interference, for instance. The rest of the reports are fated to be memory-holed by overwhelmed regulators.

What do you get in this seeming worst-case scenario, when banks pretend to monitor, and regulators pretend to collect the monitoring? A short list of some of the messes found in the FinCen docs:

— In one ridiculous case, Deutsche Bank’s New York branch processed $2.6 billion and $700 million, respectively, for a pair of companies called Ergoinvest and Chadborg trade. Both companies declared annual incomes of $35,000, and the statements for both firms bear the signature of the same obscure dentist in Belgium, who claims he doesn’t even own a car. Yet the money kept rolling through! The companies earned British registrations through “formation agencies” located in the Baltics, where investigators have found a rat’s nest of problems in recent years. Deutsche Bank, the originator of 62% of the leaked SARs (perhaps reflecting the focus of the Russia investigation that produced the FinCen docs), moved at least $150 billion just from one small Tallinn-based bank, Danske Estonia, for instance.

— Ukrainian Ihor Kolomoisky was the subject of raids by federal investigators earlier this summer, and has been profiled in colorful news reports that read like movie scripts. In one piece, he allegedly dropped crayfish meat by remote control into a tank to be devoured by sharks in the middle of a meeting, as a Dr. Evil-style intimidation tactic.

The crux of accusations by prosecutors is that Kolomoisky employed gangland tactics at home (including using “armed goons” to take over an oil company), then funneled the money to places like the States, to be invested in legit vehicles like real estate. This is exactly the kind of person the SAR process is designed to identify and disqualify quickly. Nonetheless, the FinCen files show Deutsche Bank, which had entered into a settlement deal in 2015 for moving over $11 billion in suspicious transactions, moved at least $240 million for a Kolomoisky-connected account at exactly that time, between 2015 and 2016.

— Even as Russian aluminum baron Oleg Deripaska garnered enormous media attention in recent years, including during the Russiagate furor, he continued to move money freely through the American banking system. The FinCen files contain a total of 58 SARs related to Deripaska, issued between 1997 and 2017, covering an amazing $12.41 billion in transactions. The Bank of New York Mellon flagged 16 transactions involving a Deripaska subsidiary company called Mallow Capital, but apparently kept doing business. To quote the ICIJ, “Mellon said Mallow Capital appeared to be a shell company operating in a high-risk area with no known legitimate business purpose. In 2012 and 2013, Mallow sent itself nearly $420 million using different British Virgin Islands addresses and different banks…”

The FinCen leaks highlight two major weaknesses of the regulatory system. One is the longstanding absence of a requirement that anyone opening a U.S. account name a “beneficial owner,” i.e. who is really controlling the account. The other is correspondent banking. Banks in the U.S. are required to “know your customer” in addition to monitoring and reporting domestic accounts. Still, any foreign bank with a license may open “correspondent” accounts in those same regulated Western banks. A lot of the worst instances catalogued in the FinCen leaks involve these correspondent accounts, opened in Asia, Eastern Europe, the Middle East, etc.

In the long run, the regulatory system ends up serving as a de facto partner for banks that all but admit they’re taking in money from Ponzi schemers, mobsters, drug lords, and rogue states.

This is a “feature, not a bug” problem. Going back to the years after the crash, regulators spoke often about the need to carefully construct settlements, so that even repeat offenders might remain viable.

In late 2012, for instance, at a press conference announcing a market manipulation settlement for the Swiss Bank UBS, Breuer told reporters, "Our goal here is not to destroy a major financial institution."

"This is a bank that has broken the law before," a reporter said that day. "So why not be tougher?"

"I don't know what tougher means," Breuer answered.

Some time later, then-Attorney General Eric Holder gave a video message on the theme, “There is no such thing as Too Big to Jail.” While insisting “no one is above the law,” Holder pointed out that some criminal charges carried automatic regulatory penalties that “may even trigger the loss of that institution’s charter.” This, he implied, is not always a good thing.

This issue had come up at the HSBC press conference the previous year, when Breuer said, “had the US authorities decided to press criminal charges, HSBC would almost certainly have lost its banking license in the US.”

For that reason, Holder insisted, regulators often “must go the extra mile to coordinate closely with the regulators who oversee these institutions’ day-to-day operations.”

Translated, this meant the Justice Department was crafting punishments to make sure banks landed on their feet and remained functional as American businesses, even in the face of public reprimand.

A typical settlement involved a fine that sounded large but was really equal to months or weeks of profit, with penalties in some cases also being deductible, so taxpayers could share in the joys of paying a bank’s debt to society. In other words, settlements were designed not to hurt too much, but just the right amount.

Even a “record” harsh settlement doled out to the French bank BNP-Paribas in 2014 for sanctions violations, which included a rare plea to a real criminal charge in addition to a $9 billion penalty, only incurred a one-year exile from U.S. dollar transactions. Even when throwing the proverbial book at firms, regulators made sure to pave clear roads to redemption.

This was not necessarily a bad thing. There’s no reason why anyone should want systemically-important institutions (who are often major employers) to be wiped off the face of the earth, willy-nilly. The problem is that if you completely remove the threat of a lost charter, it signals to everyone that regulators will tolerate even open repeat violations. In this light, even a “tough” public punishment becomes a license to steal.

Hudson, for instance, notes that announcements of many of the biggest money laundering settlements involving the firms in the FinCen files were accompanied by jumps in the company’s share prices. HSBC’s shares rose in London and Hong Kong after the 2012 settlement, and even BNP’s criminal plea deal prompted a 3.6% jump in share price. Markets see the settlements as seals of approval going forward, and “send the signal that the regulators are looking to do a deal,” Hudson says.

The irony of all this is that the Trump era has seen much gnashing of teeth over America’s withdrawal from global bureaucracies like the Paris Agreement, the “Open Skies” arms control treaty, the Iran deal, and other conventions. Meanwhile, in the one place we want an isolationist-style wall, around the Federal Reserve-connected American banking system, barriers are wearing away. Only in crime, it seems, is America becoming more global in outlook.


Note: the International Consortium of Investigative Journalists is a model that should appeal to Substack subscribers interested in alternative media concepts. It operates according to a interesting collaborative arrangement, whereby reporters in countries around the world can join in any investigative project as long as they adhere to two major rules: everyone publishes on the same day, and all discoveries must be shared with the collective as investigations progress, so reporters can augment each other’s work.

For this story, for instance, the ICIJ organized a team of more than 400 journalists from 110 news organizations in 88 countries. With a team this big, the ICIJ was able to manually check 60,000 addresses. The fact-checking alone “took seven months.” It’s an approach that offers some hope that the press will be able to tackle complex issues in an increasingly global news environment. To check out the ICIJ’s reporting on the FinCen files — they’ve published multiple features, bolstered by interactive graphics — click here.