Friday, 23 September 2016

Bank De-Risking Likely to Trump Calls for Financial Inclusion

For Some Activities Risk Avoidance Makes More Sense Than Risk Management

On September 8th, the Hong Kong Monetary Authority (HKMA) issued a circular to the CEOs of all Authorized (financial) Institutions (AIs) in the HKSAR (Hong Kong Special Administrative Region) entitled “De-risking and Financial Inclusion”.
The circular sets forth the HKMA’s expectations (read “instructions”) that AIs adopt a risk based approach (RBA) to implementing anti-money laundering AML) and countering the financing of terrorism (CFT) regulations and cease the practice of de-risking, that is refusing to open or maintain accounts for certain customers.

As outlined below, the HKMA is rowing against some very powerful tides.  The circular is unlikely to have the stated desired effect.

Some quotes from the circular to set the stage for this post.  I’ve added boldface to highlight certain points. 

Noting the progressive tightening of AML regulations over recent years the HKMA states “While it is important to ensure that AML/CFT controls are sufficiently robust and comply with all the relevant regulatory requirements, the HKMA expects AIs to adopt a risk-based approach (RBA) and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses to have access to basic banking services.”  

In a similar vein, the HKMA defines “de-risking” as “The phenomenon of banks declining or discontinuing business relationships with customers or categories of customers to avoid, rather than manage, the risk involved.

On the subject of an RBA, the HKMA makes the following points: 

"RBA does not require or expect a “zero failure” outcome. While AIs should take all reasonable measures to identify ML/TF risks at the account opening stage and, for existing customers, on an ongoing basis, it is unrealistic to expect that no ML/TF activities would ever occur through the banking system. AIs are not required to implement overly stringent CDD processes with a view to eliminating, ex-ante, all risks. Otherwise, such an approach would result in a large number of bona fide businesses and individuals not being able to open or maintain accounts. CDD is only one part of an effective AML/CFT regime. AIs are also required to implement a system that can monitor and detect suspicious transactions in order to report them to the relevant authorities and take the necessary mitigating measures, such as enhanced CDD."
News reports suggest that the HKMA's action was occasioned by several banks “tossing” existing customers.   Bloomberg refers to the alleged abrupt closure by HSBC of accounts of a long standing client that is an offshore fund. 
That’s borne out in the circular itself which also notes the refusal of some unnamed FIs in the HKSAR refused to accept new clients or set “onerous” requirements.  See the annex to the circular.
The HKMA’s circular follows one issued in late August by five US regulators of financial institutions in the country.  Yes, you read that right “five”.   Apparently one regulator is insufficient for the USA's financial sector.  It's that big!  That circular also contained an appeal for banks to adopt a RBA, but did not include the HKMA’s statement that it didn’t expect RBA AML/CFT to prevent all illegal transactions.  Instead the five US regulators offered the comforting thought that “the Treasury and the FBAs do not utilize a zero tolerance philosophy that mandates the strict imposition of formal enforcement action regardless of the facts and circumstances of the situation”.  

I trust like AA you find those words comforting in a particularly baffling way.  Are these regulators saying that existing regulations allow them to take formal enforcement action regardless of facts and circumstances but that they will kindly forbear from exercising these powers?  Instead might they apply strict non formal enforcement actions? On that score, what is a “strict” imposition and how does it differ from a “strict” enforcement action?  Or are they saying that existing US laws and regulations are so written that they could impose draconian penalties for a “slip or two” in compliance?  Finally, if the posture of the regulators is based on a “philosophy” and not the law, could that “philosophy” change with the next administration? If that’s the case, should banks be advised to prepare for the worst?       

The widespread use of the US dollar in both commercial and financial transactions and the propensity of the US to use that position to levy fines and impose extraterritorial requirements make US regulations and the “philosophy” of the US regulator of paramount concern to internationally active banks. 

The HKMA may have “expectations” but Hong Kong and other foreign banks are likely to be more sensitive to what the US “expects” as evidenced by its past behavior.   Thus, the HKMA’s appeal is almost certain to collide with banks’ self-interest and certain “objective conditions”.

First, banks are profit oriented not public service institutions despite some manifestly absurd industry positioning / brand development advertising campaigns that are currently running. 
In other words, profit is job #1.  Financial “inclusion” like charity work is well down the list of priorities.  And is a miniscule part of activities.  Thus, despite its ad campaign running on the Bloomberg TV, Bank of America Merrill Lynch doesn’t devote a major portion of its efforts to bring clean water to folks in Africa.
Profit on an account is a function of revenues less costs.
Providing bank accounts and related services is a low margin high volume business. Contrast that with investment banking transactions where the volumes are significantly lower but the margins are immense.  
Considering only operating costs, many SME accounts at best offer marginal profitability. We’re talking about maybe tens of thousands of dollars profit per account for many accounts. 
When the costs of customer due diligence, monitoring, preparing and filing of suspicious transaction reports are included, profit is even less.  Customer due diligence (CDD) at the inception of a relationship is particularly labor intensive.  Much of the subsequent monitoring can be done via computer programs, but at the end of the day someone has to review the reports generated, decide whether to investigate further, and ultimately whether to approach the customer for more information and/or file a suspicious transaction report STR).  
On that score, banks file a good portion of their STRs for defensive (CYA) reasons.  It demonstrates they have a working compliance system.  If something untoward about a customer turns up in the future, the bank can say to the regulators “But I reported to you.  By the way you never got back to me.”  Thus, monitoring “risky” customers taken on to promote financial inclusion may trigger the need for a CYA STR even if the bank thinks the customer is "clean".  One can't be too careful because regulatory hindsight is often more than 20/20.
Fines take a potential bite out of profit.  But by increasing expenses they can also affect the capital a bank is required to maintain for operational risk under the Basel framework.  Lower Basel capital adequacy ratios can affect credit and stock ratings.  Increasing capital can lead to declines in ROE if the profits do not cover the cost of capital.  If capital cannot be increased, then the bank may have to reduce certain other activities (e.g. credit or market risk related) thus reducing income/profit.  
Second, it’s important to remember that banks are free to select or reject customers according to their own criteria.  Even in countries that have laws to prevent discrimination, banks may reject customers as long as the as criteria used are business principles-based, e.g., risk not race and are consistently applied.  Not every applicant for a new loan or new account will get one.  Not every customer with an existing loan will be granted a renewal or extension.  Similarly, not every customer with an account is guaranteed the right to retain it. So the appeal is a request not a command.
Third, there are a variety of objective conditions and not simply bloody-mindedness that are pushing banks to “de-risk”.
Chief among these are regulatory and legal risks, but there are others.
Regulatory Risks.
Billion dollar fines concentrate the minds or bankers quite sharply.  Settlements with regulators include more than fines.  Often settlements are (legally) structured as deferred prosecution agreements or DPAs.  As the name suggests, the DPA holds a sword over the head of the financial institution and compel compliance on an extraterritorial basis.
But don’t take AA’s word for it. 
Here are two 2016 quotes attributed to Assistant Attorney General Leslie Caldwell. “[w]e can require that the banks cooperate with our ongoing investigations, particularly in our investigations of individuals. We can require that such compliance programs and cooperation be implemented worldwide, rather than just in the United States. We can require periodic reporting to a court that oversees the agreements for its terms.”
Under the right circumstances, the government “will not hesitate to tear up a DPA or NPA and file criminal charges, where such action is appropriate and proportional to the breach.”
Here are some illustrative examples of DPAs.  Standard Chartered 2014 with DFS New York State The consent order triggered significant de-risking by SCB in the UAE as you may recall.  Here’s  HSBC 2012. 
So if you were a financial institution considering opening or maintaining an account relationship, would one of your key risk mitigation concerns be avoiding the risk that a regulator could suddenly be dictating how you run your business worldwide?  See the requirements in the HSBC DPA Paragraph #5.  Note not only the number of requirements but also the short leash in later points Paras 8 and 14-16. 
But as they say on late night TV.  “Wait there’s more”.
­Civil Lawsuits
Lawsuits such as that against the Arab Bank or the one in progress against HSBC, Barclays, Standard Chartered, the Royal Bank of Scotland and Credit Suisse are no doubt worrisome.  The latter suit is predicated on these banks’ admission of transferring money for Iran which the plaintiffs assert helped finance terrorist attacks against US military personnel in Iraq. There is to my knowledge no assertion that these banks actually transferred money for those attacks.  More here.  
Banks might be forgiven--particularly in light of the Arab Bank case—for questioning whether fair trials or impartial juries are available in certain jurisdictions.
Both the regulatory and legal actions highlight what is perhaps the key factor here.  Banks are subject not only to their own regulators and laws but to those of other countries.  The primary role of the US dollar in international financial transactions exposes not only major international banks but also smaller banks to US enforcement or legal actions.
Staff Risks
International banks operate in many countries.  Staff attitudes toward government regulations vary greatly.  In many countries the population treats their own government's laws and regulations as suggestions rather than binding constraints.  In some countries as a direct challenge to find a creative workaround.  An even more casual attitude often applies to laws of foreign countries.   Bank managements have to deal with the staff they have not the staff they wish they had.  In which case exposure can be neatly mitigated by not doing certain types of business or dealing with certain customers.  Eliminate discretion and one eliminates potential problems.
Recidivism Risk
If a bank is unfortunate enough to have encountered enforcement action, a further “slip” could trigger a severe response from at least one particular country, e.g., “tearing up DPAs” “filing criminal charges” as AAG Caldwell is quoted above.  Or additional fines or additional business conditions imposed.  Or even the threat of such action could cloud an institution’s stock price, customer confidence, etc.  Here’s an example.
When the risk reward ratio is highly skewed, the most effective risk management is risk avoidance.  
I suppose I could construct an RBA for running with scissors. But I will forgo running with scissors rather than “managing the risk” of doing so.  Simply because the potential return is dwarfed by the risk.
Banks are likely to do the same with respect to financial inclusion.   The lesson of Nogales Arizona and other similar stories of US banks closing branches on the US-side of the border with Mexico and “tossing” customers may be illustrative on this point.  Banks are likely to be much less solicitous of foreign than domestic customers. And the solicitude for domestic customers seems minimal in these cases. 
As outlined in the above press report, the US banks apparently claimed that their domestic de-risking was related to revised regulations requiring additional regulatory reporting and closure of “risky” accounts.  If you close your branch, you neatly “solve” both problems. 

No comments: