The increasing sophistication of money laundering and electronic banking fraud has led regulatory authorities worldwide to heighten their focus on Bank Secrecy Act/anti-money laundering (BSA/AML) risk. High on the regulators’ examination priority is evidence that an institution’s AML and compliance program is driven from the top down and includes stronger risk management controls particularly for high-risk customers.
In this environment of unprecedented regulatory scrutiny, huge penalties and the recent threat of individual prosecutions, institutions face another conundrum. They must determine how to maintain high-risk accounts and satisfy due diligence expectations for ongoing monitoring while contending with rising costs and a limited pool of resources and expertise. De-risking has emerged as an extreme response to this challenge.
An Emerging Trend
While not a new concept, de-risking is becoming more common as a consequence of the growing threat of reputational risk and criminal prosecution. De-risking is the purposeful rejection or termination of financial relationships with groups of customers or lines of business considered high risk under BSA/AML standards. Money services businesses (MSBs), including check cashing and third-party payment processors, embassies, correspondent banks and the more recent spate of medical marijuana and virtual currency enterprises are just some of the types of high-risk accounts and relationships that institutions are avoiding. Rather than engage in the comprehensive know your customer (KYC) and enhanced due diligence (EDD) requirements that make these customers very costly to maintain, larger banks in particular are reacting to heightened regulatory scrutiny and record-breaking fines by de-risking.
However, de-risking is not confined to banks; rather, it is a standard business practice for any enterprise. For example, American Express and Discover will not do business with certain industry categories they deem to be high risk. PayPal and other transaction processing firms refuse to offer services to cannabis shops as a result of pressure from the federal government.
Reputation and compliance risk are driving factors in the decision to accept or avoid risk. Other factors that may influence an institution’s decision to de-risk include:
- Change in policy and/or risk appetite
- Perceived risk is greater than the expected value of the business
- Inadequate budget to support increased due diligence and monitoring activities
- Unfavorable remarks from regulatory examination
Determining which accounts and whether or not entire groups of customers will be rejected or terminated often results in conflicting strategies between compliance and the line of business impacted. Although accounts targeted for de-risking may generate substantial revenue and be highly profitable, an institution may be influenced by regulatory guidance when determining which accounts to close. For example, the Federal Deposit Insurance Corporation (FDIC) lists 30 business categories they consider to be elevated risk, including gambling (casinos and online), virtual currencies, gun retailers, adult entertainment and marijuana. Institutions are more likely to employ a strategy of across-the-board de-risking on those high-risk categories designated by regulatory and government agencies.
In May 2014, one of the four largest financial institutions in Australia closed accounts held by customers trading in Bitcoin, citing reputational risk. Likewise, the largest U.S. bank in assets is scaling back lending to pawn shops, payday lenders, check cashers and car dealerships. Approved at the highest levels within the institution, this commercial bank initiative is designed to improve oversight, risk and compliance as a result of regulatory pressure to address several problems. If the regulators wanted to elicit an immediate compliance response, they certainly have done so—but not without cost.
The Impact of De-Risking
Barring complete industries from banking services based on perceived risk has numerous downsides
Excluding entire industry sectors based solely on perceived risk simplifies onboarding policies and review processes for new accounts as well as provides a clear strategy for closing existing accounts. De-risking specific accounts may be necessary to protect the financial and reputational assets of an institution. However, barring complete industries from banking services based on perceived risk has numerous downsides:
- Lost revenue and profit: Cutting out lines of business and specific customer groups will impact revenues both short term and going forward where potentially profitable business will be passed over.
- Reputation and public relations compromised: De-risking is not a policy well understood by the average banking customer and not one that banks wish to broadcast. The fallout from a de-risking strategy can be great as demonstrated by the negative press, public criticism and even the threat of lawsuits when a major U.S. bank opted to preemptively close porn stars’ bank accounts.
- Collateral damage: When de-risking entire categories, respectable individuals and legitimate businesses within the group may be prevented from accessing banking services, penalizing them unnecessarily. Hardship can result, forcing individuals to seek more expensive check cashing services or payday lenders for basic banking needs while merchants might turn to unscrupulous lenders or enter into black market transactions to keep their businesses operating.
- Transfer of risk, not decreased risk: When large banks de-risk their higher risk customers, those customers will often migrate to smaller banks that may be pressed for new sources of income but lack adequate resources and expertise to manage that level of risk. The question then becomes: At what point will the flow of financial crime start to hit these institutions?
- Broader financial concerns: Limiting access to correspondent banking and trade finance for emerging markets will impact global trade.
A Lesson in Contradiction
Although regulatory authorities recognize that it is each bank’s decision to determine with whom it wishes to do business, regulators have nevertheless been quite vocal on the subject of de-risking. Senior officials of the Office of the Comptroller of the Currency (OCC), Financial Crimes Enforcement Network (FinCEN) and Financial Conduct Authority (FCA) have weighed in, criticizing the practice of de-risking and urging banks to stop treating entire groups as pariahs. In his speech at the March 2014 ACAMS AML & Financial Crime Conference in Hollywood, Florida, Thomas Curry, Comptroller of the Currency, noted that, “higher risk categories of customers call for stronger risk management and controls, not a strategy of total avoidance.” He went on to qualify that if the risk posed by a particular business or customer is too great to manage successfully, the decision to de-risk should only be made after careful due diligence.
Yet, contrary to regulators’ admonitions to the financial community is Operation Choke Point, an ongoing initiative of the U.S. Department of Justice (DOJ) to cut off financial services to businesses it deems risky or objectionable. Operation Choke Point involves investigating banks and the business they do with payment processors, payday lenders and other companies believed to be at higher risk for fraud. Adding further contradiction and confusion is the FDIC’s July 28, 2014 notification withdrawing its list of high-risk merchant categories. Especially ironic is that while the DOJ and bank regulators are pressuring institutions to de-risk legal industries, they are also encouraging banks to provide banking services to state-sanctioned marijuana businesses. The U.S. Treasury and Justice Department guidance issued to persuade banks to serve these businesses has had little, if any effect, since federal law still bars marijuana sales and there is no provision for safe harbor from prosecution.
Earlier in July, it was announced that the U.S. House of Representatives passed legislation prohibiting the use of federal funds to penalize banks and credit unions for providing financial services to state-licensed pot businesses. While this marks another step in the direction of bringing marijuana enterprises into the financial mainstream, the current conflict with federal law continues to put banks in a difficult position.
A More Balanced Approach to Risk
The trend continues globally for institutions to exit relationships with entire categories or groups of customers because they believe that is the easiest and least expensive way to manage risk within a high-risk category. However, across-the-board de-risking is not the only viable solution.
A more balanced approach to risk that avoids mass de-risking is achievable
A more balanced approach to risk that avoids mass de-risking is achievable but requires the acceptance of a new paradigm for customer due diligence (CDD) and EDD. Institutions must recognize that the traditional risk assessment categorization of low-, medium- and high-risk customers does not accurately reflect enterprise-wide risk on an ongoing basis. It merely provides a static, point-in-time view of customer risk rather than capturing hidden risk in a dynamic environment where customer, web and other information sources change daily. For example, a customer initially categorized as low risk might be deemed to present greater exposure once their links and newsworthiness are factored in. Analyzing an individual profile in conjunction with its social network (who they are linked to) and any negative media (direct or through links) provides a more accurate view and ranking of risk.
The volume and velocity of news makes it highly probable that hidden risk will be missed when manual news searches are conducted on a limited population of customers. In the new paradigm, technology drives dynamic risk management with a daily surveillance model capable of screening entire customer databases for sanctions, politically exposed persons (PEPs) and reputationally exposed persons (REPs) found in negative media. Daily monitoring and surveillance presents a true picture of risk, addresses the temporal nature of adverse media and ensures an effective process for identifying REPs. The ability to efficiently identify REPs obviates the need for wholesale de-risking and enables institutions to keep accounts that otherwise might have gone on the chopping block.
Concern over heightened regulatory scrutiny, hefty fines and reputational damage has fueled across-the-board de-risking. As long as institutions continue to believe that the easiest and least expensive way to manage exposure is by preemptively closing broad categories of accounts and businesses deemed high risk, the de-risking trend with its negative fallout will continue. Only institutions willing to embrace the new paradigm will discover an optimal balance of risk mitigation and efficiency that enables them to maintain and monitor profitable accounts in high-risk businesses while technology does the heavy lifting to keep compliance costs within reason.