By: Dan Frechtling, SVP of Marketing and Chief Product Officer
The concept of de-risking continues to hold sway when compliance and AML leaders get together. This was true at the ABA Money Laundering Enforcement Conference in Washington, DC November 14 – 17. It was a double-ABA, co-hosted by the American Banking Association and the American Bar Association.
In one of the main sessions, there were four types of de-risking categories discussed:
1. Customer or client types, such as MSBs
2. Products and services, such as exotic dancing performed in a bar
3. Lines of business, aka LOBs, such as funds transfers
4. Geographies, such as Southern US border states like Arizona, Texas and New Mexico
Indeed there was a fifth — combinations of the above — such as a prepaid cell phone vendor in Texas doing business in Mexico.
I came away with four primary observations from the conference:
Observation #1: De-risking has a cousin named “de-costing”
Banks sometimes exit relationships based not on too much risk but rather too much expense. With certain customer types, the buyer-seller relationship expands to buyer-seller-rulemaker. The rulemaker imposes costs of compliance that are material to the P&L. The question changes from “am I taking on too much risk by doing business with this client?” to “am I spending too much money by doing business with this client?” The costs of KYC can exceed acceptable levels in relation to the fees earned.
This imbalance is more pronounced in transaction products, like funds transfer or remittance businesses. The fees are lower, but the compliance costs can be the same.
Observation #2: De-risking is the ultimate risk-based approach
This seems like a paradox. The two are supposed to be opposite policies, according to regulators. It’s like the paradox that a number just slightly less than 10 really is 10. Take the number “3,” followed by a decimal and an infinite number of 3s. Multiplying that by 3 equals 9.999999…, or slightly less than 10. But 3.3333…. is also 3 and one-third. Multiplying that by 3 = 10. So a number just less than 10 IS NOT 10 and IS 10.
In this case, de-risking both is and is not the ultimate risk-based approach. On one hand, the risk-based approach is different because it instructs bankers to look at individual business risk, not group business risk like de-risking. On the other hand, said an EVP of a top 10 US bank, business categories like MSBs carry greater regulatory risk than others because examiners scrutinize them. So choosing to bank these groups (NOT de-risking) accommodates one side of the regulations but exacerbates another.
Said another panelist, when recent enforcement actions are about failure in controls, not actual money laundering, we are clearly in the realm of regulator risk, not actual risk.
Observation #3: Prohibited customers should be set by the board, and interpreted by the LOB
De-risking is driven by a list of prohibited customers. There was universal agreement at one session that this should be set at the board level. Boards of banks should analyze risks and determine classes of business they want to avoid. Otherwise, asking LOBs and compliance departments to sort this out causes unnecessary arguments to break out.
But the board isn’t the full story. While a firm may have classes of customers its board declares it won’t do business with, individual lines of business may restrict further. If the RDC line of business doesn’t have experience managing casinos, it shouldn’t take on that uncertainty.
Observation #4: The decision to onboard a customer is owned by the LOB, but Compliance weighs in
At one very large US bank, the firm sets the industry standards around how to onboard and monitor customers. The LOB follows those standards and Compliance verifies that standards are followed.
When a particular customer outside normal risk tolerance seeks to do business with that bank, Compliance will advise the LOB, but not decide. In exceptional cases, Compliance can veto, and the LOB rarely overrides. This can vary bank to bank. At smaller banks, the BSA officer may be asked by regulators to sign off on high risk accounts. And if an enforcement Action were to occur, Compliance carries greater authority.
A meta-theme coming out of the conference was that there were no clear-cut rules. Said an OCC representative with tongue-in-cheek, “don’t ask for a compliance blueprint because you may get a consent order.” Banks need to set their own policies based on best judgment. Once you’ve chosen your policies on acceptable and prohibited businesses, whether defined by industry, product, service, geography or combinations of factors, you need current, accurate information on the customers in your portfolio.
Use KYC Protect to stay up to date and in command of your business banking relationships.