AML De-Risking: Regulators Warn No Big Brooms

Regulators on both sides of the Atlantic are putting banks in a Catch-22 of established regulatory penalties for serving financial criminals while simultaneously warning them that cleaning house by category will attract their attention.

Recent announcements by the UK’s Financial Conduct Authority (FCA) and the US Office of the Comptroller of the Currency (OCC) suggest that banks better have good reason to reject a potential new customer or shut down an existing customer’s account. Both regulatory agencies are turning a close eye on “de-risking,” recently defined by the US Treasury’s anti-money laundering arm Financial Crimes Enforcement Network (FinCEN) as a financial institution’s efforts to avoid a perceived regulatory risk by terminating, restricting or denying services to broad classes of clients without an analysis on a case-by-case basis.

“Regulators might be complaining about de-risking, but they were the ones who prompted the trend in the first place by emphasizing the need for rigorous onboarding, including customer due diligence and enhanced due diligence procedures,” says Ross Delston, a Washington DC attorney and anti-money laundering (AML) specialist. “Banks are concerned about either being criticized or fined by regulators for any mistakes.”

Customer due diligence refers to the process of identifying and verifying the identity of a client, its beneficial owners, as well as subsequent monitoring of account activity. Enhanced due diligence goes even further, including scanning for negative news items and verifying the sources of funds.

Regulatory concerns over de-risking are nothing new. Banking watchdogs have always been worried that they won’t be able to monitor and prevent money laundering and terrorist financing if de-banked customers migrate to underground financial systems. What is different is that banks are now getting the impression they not only could be penalized for failing to adequately assess the risk posed by customers, but also for going beyond some unclarified standard of dumping the highest-risk customers.

The MBS Problem

The OCC and other banking regulators have consistently acknowledged that certain types of clients pose higher risk than others. These include foreign embassies, international charities, defense and financal technology companies, correspondent banks and money services businesses (MSBs),  which provide services such as money orders and wire transfers to customers who have no formal banking relationships.

Nevertheless in March 2016, the OCC announced that it will be reviewing the procedures banks use to de-risk, particularly across broad customer categories. Two months later the deputy director of the US Treasury’s FinCEN unit, Jamal El-Hindi called for federal and state cooperation to combat the wholesale de-risking of money services businesses. Reportedly MBS’s are being rejected or ejected from banking relationships en masse in the US, UK and Australia leaving poor, migrant and rural communities without the regulated financial services the MBS firms provide.

In May 2016, the UK’s Financial Conduct Authority (FCA) also warned that by avoiding certain classes of customers, banks could be fined for violating anti-competition rules. “We are aware that some banks are no longer offering financial services to entire categories of clients that they associate with higher money laundering risks. Banks have told us that this helps them comply with their legal and regulatory obligations in the UK and abroad,” wrote the FCA in its report of its findings of UK banks. The FCA didn’t buy that explanation and called banks to the carpet for using AML concerns as an excuse for their actions, when it was more likely to be about how profitable those clients were.

Despite the sword-rattling, it may not be easy for regulators to penalize banks for being arguably too risk adverse. Banks have their own criteria for risk-profiling a client, which includes the decision of who they do or don’t want as a new customer, and how deeply they investigate and how intensively they monitor existing clients.  “Considering how subjective the decision-making process is. banks will have tough time balancing their needs to reduce risk and increase profitability with regulatory demands.” says Kathleen Nandan, co-chair of AML and trade sanctions team at law firm Reed Smith in Pittsburgh.

In March, the OCC said it would come up with guidance on how banks can avoid unnecessary de-risking, but as the US’ AML regime already calls for an individual risk-based approach, the OCC is unlikely to create specific rules that would apply across the board even though banks crave the certainty the rules would provide. “The most they can hope for are examples of what might constitute inappropriate de-risking,” says Nandan.

The FCA suggested that, in the absence of easy quantitative metrics for deciding whether or not to onboard potential clients, banks identify risk factors based on geography, sector, type of business, political risk and distribution channels among others. They should then consider enhanced due diligence and ongoing monitoring correlated to the institution’s risk profile and the heightened risk posed by the customer. All of this is standard operating procedure in know-your-customer operations, but the new emphasis is the focus on the customer, not the category.

“The message is for each client to be judged on its individual merits and not part of a collective group,” says Micah Willbrand, director of global AML product marketing for NICE Actimize, a New York and London-based financial crimes and compliance technology firm. “The bank cannot cast a broad brushstroke over an entire group of clients because of a few bad apples.”

Precautionary Steps

Although banks may have established policies for which clients they will accept and when they will end the relationship, Delston suggests they go the extra mile. “If it isn’t documented, it doesn’t exist is the regulatory mantra,” he explains. Staffers need to spend more time documenting the reasons for either refusing to accept a client or shutting down a client account. Those reasons must include an explanation of all the factors taken under consideration. It won’t be enough for the bank to say it was because of “AML concerns” when there could have been legitimate business reasons.

Starting off with an integrated analysis of the client will also go a long way in justifying any decision a bank makes. KYC and AML officials will need to not only come up with an accurate risk profile but, when conducting ongoing analysis of the client’s transactions, match those up to expectations — or what the client had indicated would be the “normal” course of its business activity. Monitoring transactions alone won’t be sufficient, says Willbrand.

Even the best risk profiling and transaction monitoring technology and procedures can’t prevent all false positives — or the alerts generated for suspicious transactions which are really legit. Banks may need to hire additional staff to investigate each alert before taking steps to increase the frequency of account monitoring, report a customer to regulators or drop the customer altogether. Naturally, given just how difficult it is to find qualified KYC and AML executives or train existing staff, banks should be prepared to incur exponentially higher compliance costs, according to Delston. That’s simply the cost of doing business.

Rejecting or eliminating a single customer from a bank’s rosters is hard enough. Dumping an entire category may seem like a time-saver, but not if it leads to regulatory enforcement. Banks need to more carefully connect the dots between the AML, compliance and business line units when it comes to defending their de-risking decisions. While the AML or compliance departments might make recommendations, the buck ultimately stops with the business line and C-level executives.

When it comes to identifying legitimate business reasons for rejecting a customer, profitability does count. The bank should be able to weigh the costs of keeping the client — including financial and legal risk — against the benefits, namely the revenues generated. Although banks may publicly deny that lucrative clients are given preferential treatment, the reality is that business lines may tolerate more risk for the sake of making more money.

“The bank will need to carefully explain how the decision was related to its revenue requirements or the methodology it has established for the fees it needs to earn to offset the costs involved,” says Willbrand. “The compliance department can’t simply say let’s drop this entire client base just to make its job easier.”