As Compliance Risks Keep Rising, Banks Keep Rethinking

Sure, the biggest albatross around the banking world’s neck right now is the Federal Reserve and its continued efforts to keep interest rates low. That policy has been punishing to banks’ bottom line.

But make no mistake, banks have plenty of other albatrosses around their necks too—and most have to do with regulatory compliance risks.

Think of stress tests and visits from regulatory examiners; think of heightened capital requirements and nine-figure monetary penalties for legal violations. Banks have shuttered branches in risky geographies, are retreating from market making activities, cut formerly profitable correspondent banking relationships, and closed their doors to what some consider unsavory businesses (from strip clubs to marijuana dispensaries).

All of it to stay on the right side of regulatory compliance.

Some banks now even want to avoid taking large cash deposits. State Street recently started charging many of its customers for large dollar deposits. Likewise, JPMorgan Chase reportedly cut its own unwanted deposits by more than $150 billion by tacking on fees. Why give up the money? Near-zero interest rates are one reason, but there is also regulatory concern that this so-called “hot money” might cause systemic damage if too many customers try to take it back too quickly during a financial crisis.

These specific actions illustrate a broader picture: Banks are increasingly shifting their focus to non-financial risks.

According to EY researchers in a recently released survey of 52 financial firms across 27 countries, 89 percent of respondents reported a heightened focus on non-financial risks, including conduct, compliance, reputation, money laundering, and systems.

Many of the responding banks shared a similar opinion: the events that led to the large operational losses sustained during the past five years (fines, payments to purchasers of products, and fraud losses among them) were the result of weak oversight and control processes.

“You can have adequate capital, adequate liquidity; but if you have the wrong kind of culture, that is where the problems are going to come from.”
Andrés Portilla, Managing Director of Regulatory Affairs, Institute of International Finance

“This has triggered risk and control reviews in a number of banks and spurred changes to accountability to ensure the front office focuses on the quality of the controls in the end-to-end activity,” the EY report says. “Banks have also increased evaluation of near-miss events and have sought mechanisms to improve information channels up through the organization, including whistleblower arrangements.”

Banks have “to take a knife to any part of the business that is dragging down return,” says Patricia Jackson, lead author of the EY report. Nearly a quarter of the surveyed firms are retreating from geographic areas, double the number who said they were last year. More than 40 percent are exiting business lines, and 90 percent are reevaluating them.

“We are sending whole reams of activity no longer in banking over to shadow finance,” she says. “Project financing, infrastructure lending, energy finance are not in traditional banking now.”

“The initial focus was on capital and liquidity,” says Peter Davis, a principal in EY’s financial services office. “This year, we saw the focus on non-financial risk and techniques for testing those.” Those efforts include a sharper focus on culture and conduct. A considerable challenge is the ongoing struggle to embed risk appetite across the enterprise.

“Internally banks have understood that to embed significant changes to management practices, controls, they need to have a solid culture that provides the foundation for those changes to take place,” Andrés Portilla, managing director of regulatory affairs for the Institute of International Finance, said during a webcast to discuss the EY study. “You can have adequate capital, adequate liquidity; but if you have the wrong kind of culture within the financial institution that is where the problems are going to come from.”

Getting to Non-Financial

To bring greater focus to non-financial risk, many banks are creating new functions, often mandated by their boards, which review conduct risk as stringently as the firms historically looked at financial risk. “This conduct risk requires the education and training of internal personnel as well as current and potential third parties,” says Greg Dickinson, CEO of Hiperos, a provider of risk-related technology to global banks. “Codes of Conduct, if not in existence already, are being created and personnel and external parties need to attest to them. All of this, of course, is based upon the bank’s risk appetite and that too is being reexamined in light of the additional conduct issues that need to be incorporated into an overall risk score.”  

BANKS RANK RISK

The following are top risk concerns for financial institutions as detailed in Wolters Kluwer’s recent Financial Services’ Regulatory & Risk Management Indicator.

Source: Wolters Kluwer.

The focus on improving “culture,” as demanded by banking regulators presents a considerable challenge: How to develop a comprehensive framework, rather than simply add another layer of checks and metrics of questionable value. Banks also report that implementing risk-sensitive compensation policies effectively is difficult.

“It’s difficult to assess,” Portilla says. “There are no numbers or metrics that show what kind of a culture you have within a financial institution.” Supervisory assessments rely on interviews with the board and with senior and middle management as they “try to grasp what culture and environment they live with day to day.”

A supervisory look at culture and risk appetite is nothing new, Jackson says, “but pressure on the industry in this area has intensified and intensified” and “there is still a large majority of firms who are struggling to link it to business decisions.”

“That’s got to be the next task,” she says. “If you want to get accountability with your business lines, you need to tell them how much risk you are willing to run.”

In response, expect banks to continue ongoing investments in technology that can assist with granular risk analysis and provide both qualitative and quantitative metrics. “It has to mesh together,” Jackson says. “You can’t just go on chucking another thousand people at the problem. It is too costly.”

The attention paid to bank culture and other non-financial risks will continue as institutions are prodded by regulators. Dickinson refers to recent guidance by the Office of the Comptroller of the Currency that delineates new responsibilities banks must assume as they assess risk and compliance before entering into a third-party relationship.

“These risks can range from information security to bribery, corruption, and beyond,” he says. “We all have read about breaches that occurred to financial organizations caused not by their own data security, but by a third party whose cyber-security was not secure enough.”

Banks are “taking serious and comprehensive steps to expand their risk programs to incorporate conduct and compliance into third-party risk assessments,” Dickinson says. “They are instituting internal codes of conduct as well as ensuring third parties attest to them.”

He recalls a recent conversation with one bank executive who detailed a litany of recent institutional changes: “We’ve completely overhauled our enterprise risk management framework, including all of the supporting key risk frameworks and policies; re-evaluated and articulated the firm’s culture and values; created a single code of conduct across the firm; and clarified roles and responsibilities, as well as the performance appraisal and compensation process.”