On 4 May 2015, the FCA published the report it had commissioned from an external third party on de-risking in the UK banking sector called, “Drivers and Impacts of De-Risking: A study of representative views and data in the UK” (“Report”). The Report follows on from the FCA’s publication of its statement on de-risking in 24 February 2016. (See: https://www.the-fca.org.uk/money-laundering-and-terrorist-financing/derisking-managing-money-laundering-risk)
The objective behind the commissioning of the Report was to a short study undertaken that would provide reliable evidence of the reasons underpinning de-risking, the nature, scale and impact of those activities and the extent to which anti-money laundering (“AML”) and the countering the financing of terrorism (“CFT”) considerations were part of those reasons.
This post takes a look at the points raised in the Report and makes some observations from an anti-financial crime (“AFC”) perspective.
Reaffirmation of the Already Known – De-Risking has and does Happen
The Report’s findings reaffirm what has been discussed extensively for some by the AFC community – banks have been and continue to engage in de-risking by refusing to open new or closing existing customer accounts.
The Report also reaffirms the sectors most adversely affected by de-risking – money service businesses (“MSBs”), pawnbrokers, charities and financial technology (“fintech”) companies. It also reiterates the well-known face that there has been a contraction of correspondent banking and other interbank relationships.
What the Report fails to clarify is the extent to which de-risking has taken place due to AML/ CFT considerations. The Report notes that this is because these statistics are not maintained by the banks. The Report makes no comment about whether such statistics would be a good thing for banks to maintain or how those statistics might assist the banks in having a clearer view around possible AML/CFT de-risking activities.
The Report identifies “drivers” behind the de-risking. These include the higher costs of compliance, stricter regulatory requirements and the deterrent effect created because of criminal, civil and regulatory prosecutions and penalties. Again, in the absence of statistical information, the Report does not provide greater clarity about the extent of the drivers’ impacts or whether some of them contribute to de-risking more than others.
Regulation and Regulator Conduct & Unintended Consequences
One of the “drivers” the Report examines more closely is the application of risk-based approach and the risk assessment of banking customers. Throughout the Report, reference is made to weaknesses in the application of the risk-based approach methodology and the actual impact which regulatory conduct has had in influencing de-risking activities.
The Report notes that there is, as yet, no broadly agreed quantitative method for assessing AML/CFT risk factors, whether individually or collectively. UK-based banks are expected to develop their own measures and weightings. The Report suggests that banks are responding to “signalling” undertaken by authorities who oversee and set AML/CFT standards. The sectors most affected by de-risking have all been identified those such authorities as being of higher risk and therefore requiring additional scrutiny. Signals are also be given during routine regulatory reviews or on-site visits. The unintended consequence of these signals has been the refusal or exiting of business relationships. The Report notes that some banks’ feel there is a ‘zero tolerance’ to all AFC risks by its regulators. There is also scepticism towards relying upon assurances contrary this perception by those regulators, especially given the global jurisdictional reach by regulators such as OFAC.
These observations are again not new as has been seen most recently with resumption of business activities involving Iran.
One area not explored in the Report is the methodology that regulators apply to assess the appropriateness and effectiveness of a bank’s risk-based approach. The pressure placed on regulators by various stakeholders, especially following the 2008 financial crisis, has meant that regulators are reluctant to tell banks whether their approach is appropriate, for fear that if this is wrong, the regulator along with the bank will be held responsible for any subsequent failings.
The Report also does do not explore the tension on the one hand between the concept of risk management and the prescriptive requirements of several AML regulatory requirements. Where specific requirements must be applied, the ability to flexibly mitigate risks is drastically reduced. This compromises the efficiencies that could be gained from using a risk-based approach – allowing resources to be more effectively allocated to where risk has been assessed to the greatest. This cannot happen where, regardless of the results of a risk assessment, enhanced due diligence measures must still be applied to all customers with particular high risk characteristics according to prescriptive regulatory requirements and expectations.
It therefore seems, from both a cost and risk-based approach, that the most efficient option to mitigate AFC risks would be to avoid them altogether or end those relationships where the cost of applying controls outweighs the financial benefit gained over the long-term business relationship.
Cost of Compliance Part I – Should High Risk Customers Pay for AML/CFT Controls?
The Report notes that there are some situations where banks believe the underlying AFC risks are too great and cannot be mitigated. In risk management “speak”, the residual risk of these relationships cannot be reduced to a level where a bank feels it could manage those risks. The Report records that, “In these cases, no amount of extra spend by the bank, however funded, would offset either the risk of criminal activity or the banks perceived regulatory responsibility for preventing it”.
In other cases where higher risks could be mitigated, the Report suggests that the banks have not yet embraced an opportunity to retain high risk customers by transferring the cost associated with enhanced AFC controls to the customer.
However, charging customers to finance the costs associated with additional due diligence measures or controls only works if the risks involved can actually be mitigated. This may also be misunderstood by customers to be a sort of “insurance policy” to be accessed if the business is subsequently penalised by a regulator for having taken on the customer or failing to apply sufficient AFC controls.
Such a charge is seen as unethical, as the Report notes, “Some [banks] thought this might be seen as a “bribe” to keep undesirable business; concerns were also expressed that this would reveal risk ratings to customers, which would be bad practice and lead them to ‘game’ the system. Some feared the FCA would frown on such differential pricing as an example of not treating customers equitably”.
These concerns are very real but are not addressed in a substantive way in the Report. What is also not acknowledged is how this could further limit certain customer’s access to the banking system. This could certainly happen – with only those wealthy high risk customers capable of paying the fee needed to fund necessary controls able access to the UK banking system. This could result over the long-term in a distinction between those high risk customers who can afford the “risk premium” and those who cannot.
Costs of Compliance Part II – Two Steps Backwards for One Step Forward
What the Report fails to delve into further is the “driver” associated with the cost of remedial measures which can arise when it is discovered that the KYC held for existing customers are deficient. It can also lead to regulatory scrutiny and the imposition of an accelerated remediation program requiring periodic progress reports to the regulator. This has often been of some banks without assessment of whether the required work will enhance the bank’s understanding about the nature and purpose of the business relationship. It is open question whether an updated utility bill will assist in identifying transaction activity that is inconsistent with the expected activity of the customer.
Given this, the decision to simply close accounts with deficient KYC is one way in which to avoid the potential financial crime risks while at the same time reallocate resources more effectively to existing KYC compliant customers.
While the Report briefly acknowledges the staffing costs associated with such “catch up” activities, further review would have been of benefit.
Risk Appetite – Who is Ordering off of the Menu?
Regulators across the globe have not yet clearly defined what is considered to be an acceptable statement of risk appetite. The Report quotes some examples provided by the banks. It also acknowledges the BBA’s to call for discussions to promote a closer common understanding with the FCA on the practical application of the risk-based approach, which includes a statement of risk appetite.(See: BBA response to the Cutting Red Tape Review – Effectiveness of the UK’s AML Regime, November 2015: https://www.bba.org.uk/policy/bba-consultation-responses/bba-response-to-cutting-red-tapereview-effectiveness-of-the-uks-aml-regime/ ). It is here that the Report again could have benefited from further examination.
The Report notes that banks also need to consider how the regulator will assess their approach. It was concluded that banks were more likely to de-risk in order to minimize difficulties with their regulators. The risk appetite of the business is therefore influenced by the level of perceived regulatory risk (or uncertainty) a bank is prepared tolerate.
In my personal experience, I have noticed a move by banks away from focusing on mitigating financial crime risks and more towards mitigating AFC regulatory risks. There has been a growing shift towards trying to keep regulators “happy” and evidence compliance with the regulations, and less on understanding and mitigating the financial crime risk profile of the business itself. An unease has developed, where greater focus has been placed upon avoiding regulator scrutiny and less on working collaboratively to address financial crime. While initiatives such as the Joint Money Laundering Intelligence Taskforce (“JMLIT”), are helping to change this, greater consistency of approach as between local, national and supranational regulators in their interpretation and understanding of the risk-based approach would be welcomed.
While the Report’s authors conclude there is no “silver bullet” to end de-risking, I would suggest that the problem would not be solved by transferring compliance costs to customers. The solution to de-risking may actually lie in redirecting the focus of towards the use of a risk-based approach and examining whether the panoply of regulatory requirements is helping or hindering banks to mitigate of financial crime risks. Either banks can be trusted to risk assess and implement controls to mitigate these risks and resource them accordingly, or the AFC regulatory framework will continue to move towards a costly, prescriptive, rules-based system where even more de-risking could possibly occur.
Final Word on ACAMS
The Report makes reference to report co-sponsored by ACAMS in the context of rising compliance costs. The authors of the Report disagreed with the findings made, stating that it was not “wholly borne out in our research in the UK and may reflect a bias in the LexisNexis/ACAMS survey towards North American based institutions”.
The authors’ assumption is incorrect. The Lexis/Nexis report, “2015 Compensation Guide for AML/ CFT/ FCP Professionals”, reported on a study undertaken of anti-financial crime specialists across the globe. Approximately 44% of respondents in the study were located outside the U.S., including with Europe, Canada and Asia as the largest regions represented with participation also received from India, Pakistan, and China, South America, the Middle East, Central America And the Caribbean.