Nobody from HSBC (HBC) is going to prison because of its money laundering (AML) settlement with the government, but the penalties will cause at least some pain, particularly in the IT and risk departments.

The bank will have to pay $1.92 billion in fines and must submit to an external monitor of corrective measures, which may cost hundreds of millions of dollars in technology and other expenses over the next few years. No indictments were included in the settlement with the U.S. Department of Justice, which covers money laundering by Mexican drug cartels, as well as the bank's doing business with clients in Iran, Cuba and other countries on the bad side of the U.S. government. HSBC has settled separately with U.K. banking regulators.

HSBC did not provide details on the corrective IT projects, but in its public statement it put a $700 million price tag on its Know Your Customer (the anti-money laundering law) review over the next five years, and noted it was only the first stage. The bank is also conducting an overhaul of structures, controls and procedures, and has already spent more than $290 million on what it calls "remedial expenses." It also said it had increased spending on AML tech and processes 900% over the past three years, hired ten times as many AML staff, and had "clawed back bonuses" for some senior officers.

Technology analysts say that for a bank of HSBC's size, a review of Know Your Customer files and a subsequent upgrade of tech and policies to correct oversight can be an extensive and costly enterprise-wide undertaking.

"The key for such a project is to use strong analytics that work across potentially hundreds of millions of daily transactions and keep false positive rates to a manageable level while spotting the bad and suspect activity," says Avivah Litan, a vice president and security expert for Gartner.

Neil Katkov, senior vice president, Asia, for Celent, says AML reviews and audits can take many forms. They can look at the financial institution's formal written program and procedures, at the technology and at the bank's controls. "The most exhaustive and expensive type of review is a transaction 'look-back,' which regulators may order a financial institution to carry out if it deems the financial institution's AML processes are lacking," Katkov says.

He says a typical look-back audits past transactions at the financial institution for a period of time — about two years or so — in order to assess the risk of the transactions and use the information to develop a risk-based AML program appropriate to that institution's business, products, customer base and regions of operation. "A number of the major accounting and consulting firms offer look-back services. For a large financial institution, a look-back will cost $1 million for starters," Katkov says. Litan also says the "people, process and organization must be aligned and be able to effectively utilize the technology, which is always the hardest part."

That was indeed the hard part for HSBC, according to the government.

The HSBC money laundering saga has already produced embarrassing details for the bank over the past year, but more spilled out this week from new government documents.

The government says the bank placed Mexico in the lowest risk category and ignored internal warnings of inadequate monitoring. What kinds of warnings? The head of HSBC's Mexican bank was reportedly told that a Mexican drug lord had been recorded saying HSBC Mexico "was the place" to launder money, and that drug traffickers had built special boxes that fit the specifications of the bank's teller windows. Also, the bank's compliance officers were each responsible for hundreds of different customers in the region.

HSBC did not provide an executive for an interview. In its public statement, Stuart Gulliver, HSBC Group Chief Executive, said that "over the last two years, under new senior leadership, we have been taking concrete steps to put right what went wrong and to participate actively with government authorities in bringing to light and addressing these matters."

HSBC can take some solace in that it's not alone in the government's AML doghouse. Standard Chartered (STAN) has also agreed in the past few days to pay $327 million to the U.S. government, following an earlier $340 million settlement with New York state regulators over AML claims.

Across the industry, spending on AML tech is on the rise. Celent says investments in technology and operations will hit $5.8 billion globally in 2013, up from about $5 billion in 2011. Analysts say it's not a good time for banks to look at AML tech or staff as a place to cut costs.

"The regulators are getting much more heavy-handed, and it's affecting all banks. There is a lot of money being spent on AML right now. So what it means for all banks is they have to pay attention," Litan says.