For Some Activities Risk Avoidance Makes More Sense Than Risk Management
On September 8th, the Hong Kong Monetary
Authority (HKMA) issued a circular to the CEOs of all Authorized (financial)
Institutions (AIs) in the HKSAR (Hong Kong Special Administrative Region)
entitled “De-risking
and Financial Inclusion”.
The circular sets forth the HKMA’s expectations (read
“instructions”) that AIs adopt a risk-based approach (RBA) to implementing
anti-money laundering (AML) and countering the financing of terrorism (CFT)
regulations and cease the practice of de-risking, that is, refusing to open or
maintain accounts for certain customers.
As outlined below, the HKMA is rowing against some very
powerful tides. The circular is unlikely
to have the stated desired effect.
Some quotes from the circular to set the stage for this
post. I’ve added boldface to highlight
certain points.
Noting the
progressive tightening of AML regulations over recent years the HKMA states “While it is important to ensure that
AML/CFT controls are sufficiently robust and comply with all the relevant
regulatory requirements, the HKMA expects AIs to adopt a risk-based approach
(RBA) and refrain from adopting practices that would result in financial
exclusion, particularly in respect of the need for bona fide businesses to have
access to basic banking services.”
In a similar vein, the HKMA defines “de-risking” as “The phenomenon of banks declining or
discontinuing business relationships with customers or categories of customers to
avoid, rather than manage, the risk involved.”
On the subject of an RBA, the HKMA makes the following
points:
"RBA does not require or expect a “zero failure” outcome. While AIs should take all reasonable measures to identify ML/TF risks at the account opening stage and, for existing customers, on an ongoing basis, it is unrealistic to expect that no ML/TF activities would ever occur through the banking system. AIs are not required to implement overly stringent CDD processes with a view to eliminating, ex-ante, all risks. Otherwise, such an approach would result in a large number of bona fide businesses and individuals not being able to open or maintain accounts. CDD is only one part of an effective AML/CFT regime. AIs are also required to implement a system that can monitor and detect suspicious transactions in order to report them to the relevant authorities and take the necessary mitigating measures, such as enhanced CDD."
News reports suggest that the HKMA's action was occasioned
by several banks “tossing” existing customers. Bloomberg refers to the alleged abrupt
closure by HSBC of accounts of a long standing client that is an offshore
fund.
That’s borne out in the circular itself, which also notes that
some unnamed FIs in the HKSAR refused to accept new clients or set
“onerous” requirements. See the annex to
the circular.
The
HKMA’s circular follows one issued
in late August by five US regulators
of financial institutions in the country.
Yes, you read that right “five”. Apparently one regulator is insufficient for the USA's financial sector. It's that big! That circular also contained an
appeal for banks to adopt an RBA, but did not include the HKMA’s statement that
it didn’t expect RBA AML/CFT to prevent all illegal transactions. Instead the five US regulators offered the
comforting thought that “the
Treasury and the FBAs do not utilize a zero tolerance philosophy that
mandates the strict imposition of formal enforcement action regardless of
the facts and circumstances of the situation”.
I trust, like AA, you find those words comforting in a particularly baffling way. Are these regulators saying that existing
regulations allow them to take formal enforcement action regardless of facts
and circumstances but that they will kindly forbear from exercising these powers?
Instead might they apply strict non formal
enforcement actions? On that score, what is a “strict” imposition and
how does it differ from a “strict” enforcement action? Or are they saying that existing US laws and
regulations are so written that they could impose draconian penalties for a “slip
or two” in compliance? Finally, if the
posture of the regulators is based on a “philosophy” and not the law, could
that “philosophy” change with the next administration? If that’s the case,
should banks be advised to prepare for the worst?
The
widespread use of the US dollar in both commercial and financial transactions
and the propensity of the US to use that position to levy fines and impose
extraterritorial requirements make US regulations and the “philosophy” of the
US regulator of paramount concern to internationally active banks.
The HKMA may have “expectations” but Hong
Kong and other foreign banks are likely to be more sensitive to what the US “expects” as
evidenced by its past behavior. Thus, the HKMA’s appeal is almost certain to collide with
banks’ self-interest and certain “objective conditions”.
First, banks are profit oriented not public service
institutions despite some manifestly absurd industry positioning / brand
development advertising campaigns that are currently running.
In other words, profit is job #1. Financial “inclusion”, like charity work, is well down the list of priorities. And is a minuscule part of
activities. Thus, despite its ad
campaign running on Bloomberg TV, Bank of America Merrill Lynch doesn’t
devote a major portion of its efforts to bring clean water to folks in
Africa.
Profit on an account is a function of revenues less costs.
Providing bank accounts and related services is a low margin
high volume business. Contrast that with investment banking transactions where
the volumes are significantly lower but the margins are immense.
Considering only operating costs, many SME accounts at
best offer marginal profitability. We’re talking about maybe tens of
thousands of dollars profit per account for many accounts.
When the costs of customer due diligence, monitoring,
preparing and filing of suspicious transaction reports are included, profit is
even less. Customer due diligence (CDD)
at the inception of a relationship is particularly labor intensive. Much of the subsequent monitoring can be done
via computer programs, but at the end of the day someone has to review the
reports generated, decide whether to investigate further, and ultimately
whether to approach the customer for more information and/or file a suspicious
transaction report (STR).
On that score, banks file a good portion of their STRs for
defensive (CYA) reasons. It demonstrates
they have a working compliance system.
If something untoward about a customer turns up in the future, the
bank can say to the regulators “But I reported to you. By the way you never got back to me.” Thus, monitoring “risky” customers taken on
to promote financial inclusion may trigger the need for a CYA STR even if the bank thinks the customer is "clean". One can't be too careful because regulatory hindsight is often more than 20/20.
Fines take a potential bite out of profit. But by increasing expenses they can also affect the capital a bank
is required to maintain for operational risk under the Basel
framework. Lower Basel capital adequacy
ratios can affect credit and stock ratings.
Increasing capital can lead to declines in ROE if the profits do not
cover the cost of capital. If capital
cannot be increased, then the bank may have to reduce certain other activities
(e.g. credit or market risk related) thus reducing income/profit.
Second, it’s important to remember that banks are free to
select or reject customers according to their own criteria. Even in countries that have laws to prevent
discrimination, banks may reject customers as long as the criteria used are
business principles-based, e.g., risk not race, and are consistently applied. Not every applicant for a new loan or new
account will get one. Not every customer
with an existing loan will be granted a renewal or extension. Similarly, not every customer with an account
is guaranteed the right to retain it. So
the appeal is a request not a command.
Third, there are a variety of objective conditions and not
simply bloody-mindedness that are pushing banks to “de-risk”.
Chief among these are regulatory and legal risks, but there
are others.
Regulatory Risks.
Billion dollar fines concentrate the minds of bankers quite
sharply. Settlements with regulators
include more than fines. Often settlements are
(legally) structured as deferred prosecution agreements or DPAs. As the name suggests, the DPA holds a sword
over the head of the financial institution and compels compliance on an
extraterritorial basis.
But don’t take AA’s word for it.
Here are two 2016 quotes attributed to Assistant Attorney General Leslie Caldwell. “[w]e can require
that the banks cooperate with our ongoing investigations, particularly
in our investigations of individuals. We can require that such compliance
programs and cooperation be implemented worldwide, rather than just in
the United States. We can require periodic reporting to a court that
oversees the agreements for its terms.”
Under the right
circumstances, the government “will not hesitate to tear up a DPA or NPA and
file criminal charges, where such action is appropriate and proportional to
the breach.”
Here are some illustrative examples of DPAs. Standard Chartered 2014 with DFS New
York State. The consent order triggered significant de-risking
by SCB in the UAE as you may
recall. Here’s HSBC 2012.
So if you were a financial institution considering opening
or maintaining an account relationship, would one of your key risk mitigation
concerns be avoiding the risk that a regulator could suddenly be dictating how
you run your business worldwide? See
the requirements in the HSBC DPA Paragraph #5. Note
not only the number of requirements but also the short leash in later points Paras 8 and 14-16.
But as they say on late night TV, “Wait, there’s more”.
Civil Lawsuits
Lawsuits such as that against the Arab Bank or the one in
progress against HSBC,
Barclays, Standard Chartered, the Royal Bank of Scotland and Credit
Suisse are no doubt worrisome. The latter suit is predicated on these banks’
admission of transferring money for Iran which the plaintiffs assert helped
finance terrorist attacks against US military personnel in Iraq. There is to my
knowledge no assertion that these banks actually transferred money for those
attacks. More here.
Banks might be
forgiven--particularly in light of the Arab Bank case--for questioning whether fair
trials or impartial juries are available in certain jurisdictions.
Both the regulatory
and legal actions highlight what is perhaps the key factor here. Banks are subject not only to their own
regulators and laws but to those of other countries. The primary role of the US dollar in
international financial transactions exposes not only major international banks
but also smaller banks to US enforcement or legal actions.
Staff Risks
International banks operate in many countries. Staff attitudes toward government regulations
vary greatly. In many countries the
population treats their own government's laws and regulations as suggestions rather
than binding constraints. In some countries
as a direct challenge to find a creative workaround.
An even more casual attitude often applies to laws of foreign countries. Bank managements have to deal with the staff
they have not the staff they wish they had.
In which case exposure can be neatly mitigated by not doing certain
types of business or dealing with certain customers. Eliminate discretion and one eliminates potential problems.
Recidivism Risk
If a bank is unfortunate enough to have encountered
enforcement action, a further “slip” could trigger a severe response from at
least one particular country, e.g., “tearing up DPAs”, “filing criminal charges”
as AAG Caldwell is quoted above. Or
additional fines or additional business conditions imposed. Or even the threat of such action could cloud
an institution’s stock price, customer confidence, etc. Here’s an
example.
Conclusion
When the risk reward ratio is highly skewed, the most
effective risk management is risk avoidance.
I suppose I could construct an RBA for running with
scissors. But I will forgo running with scissors rather than “managing the risk”
of doing so. Simply because the
potential return is dwarfed by the risk.
Banks are likely to do the same with respect to financial
inclusion. The lesson of Nogales,
Arizona and other similar stories of US
banks closing branches on the US-side of the border with Mexico and “tossing” customers may be
illustrative on this point. Banks are
likely to be much less solicitous of foreign than domestic customers. And the solicitude for domestic customers seems minimal in these cases.
As outlined in the above press report, the US banks
apparently claimed that their domestic de-risking was related to revised
regulations requiring additional regulatory reporting and closure of “risky”
accounts. If you close your branch, you
neatly “solve” both problems.