Compliance officers in the banking sector face a difficult choice these days while helping their firms with de-risking exercises: whether to use a scalpel or an axe.
The axe has its appeal. Financial firms are suffering under rising compliance costs and regulatory pressures, so slicing away broad swaths of people, places, or product lines that no longer fit the risk-reward analysis makes lots of sense.
Regulators, on the other hand, want to see changes a bit more precise and surgical. Enter the scalpel approach—and just like scalpels in the operating room, you need lots of time and practice to use it well.
“Regulators are talking from both sides of their mouth, and banks face a de-risking dilemma,” says David Gibbons, a managing director at professional services firm Alvarez & Marsal and a former chief risk officer at HSBC. “Banks are caught between conflicting mandates. Regulators are instructing them to be alert for customers who could be engaged in illegal activities, but at the same time urging them to continue providing banking services to legal, but potentially high-risk businesses.”
Examples? Take your pick. The notorious Operation Choke Point, a Justice Department effort to restrict industries deemed “high risk” from banking access, effectively closed banking doors to legally operating gun merchants, strippers, coin collectors, and payday lenders. Legally operating marijuana-based enterprises and bitcoin startups have drawn both scrutiny and wholesale rejection from mainstream banks.
Most notable is the example of money services businesses (MSBs)—operations that, for example, let immigrant workers send cash to relatives back home, or exchange currency, or cash checks without asking too many questions. Over the years, regulatory guidance has urged banks both to accommodate and to avoid MSBs, which are indeed high-risk lines of business for more prim and proper financial institutions.
The Federal Deposit Insurance Corp. in January published an open letter to banks demanding that they “take a risk-based approach in assessing individual customer relationships, rather than declining to provide banking services to entire categories of customers without regard to the risks presented by an individual customer or the financial institution's ability to manage the risk.”
Other banking regulators have echoed that message: They want to see case-by-case customer due diligence, not wholesale de-risking. Just to underline that point, as recently as late July legislation was making its way through Congress to prohibit regulators from restricting bank services to legal marijuana businesses.
The challenge, however, is that if some rogue business partner does slip through your net of due diligence procedures, enforcement actions will surely follow.
“Even though regulators say you should absolutely be looking at things on a case-by-case basis, we are still dealing with a situation where they are taking a more hardline approach,” says Amber Scott, founder of the AML consultancy Outlier Solutions.
In fairness to regulators, broad-based de-risking programs do have their side effects. The threat to international money remittances is a growing concern of the G-20, the Financial Action Task Force, and the World Bank. “There are certain countries that are very reliant on remittance payments, such as Somalia, and they are having a whole lot of trouble getting those payments,” Scott says.
Also, stripped of access to traditional banking services, affected businesses may need to exist as cash-based operations, using the services of check-cashing storefronts or turning to the seedier alleys of shadow banking. The distinction between legitimate businesses performing transactions that look like money laundering, versus actual money laundering, becomes blurry. That complicates due diligence and undermines AML regimes, Scott says.
Gauging the Best Path Forward
As for resolving the de-risking dilemma, Scott hopes that regulators will become more aware of the problem. “What would be helpful for bankers is very clear guidance in terms of when you should be banking these types of businesses and what standards they are expected to comply with,” she says. “What types of evidentiary pieces will a regulator want to see from a bank? When is it good enough?”
FDIC ON RISK
The following is an excerpt from a January 2015 Financial Institution Letter, issued by the Federal Deposit Insurance Corporation, on its views of banks taking a risk-based approach to customers.
The FDIC encourages insured depository institutions to serve their communities and recognizes the importance of the services they provide. Individual customers within broader customer categories present varying degrees of risk.
Accordingly, the FDIC encourages institutions to take a risk-based approach in assessing individual customer relationships rather than declining to provide banking services to entire categories of customers, without regard to the risks presented by an individual customer or the financial institution’s ability to manage the risk. Financial institutions that can properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing services to any category of customer accounts or individual customer operating in compliance with applicable state and federal law.
The FDIC is aware that some institutions may be hesitant to provide certain types of banking services due to concerns that they will be unable to comply with the associated requirements of the Bank Secrecy Act (BSA). The FDIC and the other federal banking agencies recognize that as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through an institution.
Isolated or technical violations, which are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes, generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance. When an institution follows existing guidance and establishes and maintains an appropriate risk-based program, the institution will be well-positioned to appropriately manage customer accounts, while generally detecting and deterring illicit financial transactions.
Source: Federal Deposit Insurance Corporation.
Banks may also want to refrain from over-thinking the situation. “The interesting thing about all this is that I don’t think the regulators find their efforts conflicting,” says Rick Aragon, solutions consultant for LexisNexis Risk Solutions. Parsing speeches and statements by leadership at these agencies reveals a mindset that “this is what we have always said” and “regardless of what the business is you need to understand it, understand the risks, and mitigate those risks appropriately,” he says. “From their point of view it is a consistent message even if, from the view of the financial institutions, it is frustrating.”
Banks may even find the regulatory pushback to broad de-risking beneficial to their bottom line. The success stories may not be as well-known as failures, but there are banks that, for example, successfully maintain abundant relationships with money services businesses. The key to success, Aragon says: price the business appropriately and have adequate resources to deal with the enhanced risk.
Also, de-risking isn’t always the simplest or cheapest option. “It is going to be very hard and expensive in many cases to de-risk completely,” Aragon says. Today’s complicated web of business relationships will require added due diligence to ensure that you actually did distance your institution from a concerning party and all its relationships and subsidiaries. Technology and automation can help better understand customer relationships, link data together, and analyze transactions for suspicious patterns, he adds.
Gibbons says banks need to ask themselves some difficult questions: How much does your bank really want to do business with a customer? What is that relationship worth, and what do you have to do to control it? If the answer is “lots,” then enhanced customer due diligence and transaction monitoring will need to be tailored to the relationship.
That, in turn, means some long and possibly pointed conversations between compliance officers and business-unit executives who want the relationship to exist.
“That’s all pretty labor-intensive, so the question then becomes whether it is worth it from a business standpoint,” Gibbons says. “What controls can I put around the inherent risk, what’s the residual risk once I do that, and is the relationship still profitable or not?” Another factor to consider when developing an institutional risk appetite is reputation. How would customers and shareholders react if they knew your bank was financing a certain type of business?
The bad news: compliance and risk management will likely continue to be a confusing and expensive endeavor. “Banks are caught between a rock and a hard place,” says Ivan Garces, a risk advisory and AML expert with the firm Kaufman Rossin. “They are trying to grow their business, but constantly under regulatory pressure to beef up and intensify internal controls and monitoring related to AML.” The cost of compliance has driven the de-risking movement and will continue to do so, he says.
Consistent, more specific guidance and exam procedures would help banks get a better grip on whether or not to de-risk, Garces says, adding that regulators do need to resolve different interpretations that may exist between their leadership and front-line examiners.
“The question really is where do they draw their line in the sand for what is enough to mitigate risk,” he adds. “Unfortunately, for now, that line seems to continually move.”