Regulators Foster De-Risking More than They Admit
We regularly hear calls from prominent observers who wish to turn back the clock on the banking industry. They propose a return to a prelapsarian state that they believe existed before the enactment of the Gramm-Leach-Bliley Act in 1999 and the perceived excesses of the new millennium. The proposed 21st Century Glass-Steagall Act of 2015 is the latest example in this vein, promising a return to “boring banking.”
Nostalgia may be soothing to the psyche, but it cannot be allowed to substitute for analysis. The problem with encouraging banks to be boring is that banks are risk-takers by design. Boring banking can be risky too. But more to the point, the push by some lawmakers and regulators for banks to become less risky backfires when banks respond by curtailing services that are vital in a functioning financial system. Indeed, the message from some policymakers and regulators fosters the very de-risking that other policymakers and regulators are trying to combat.
Several traditional banking functions, which would be allowed under a modern Glass-Steagall framework, still present much higher legal, compliance and reputational risk today than in the past. Besides any legislative reforms, those risks cannot easily be mitigated by regulator-mandated requirements. In fact, increasing regulatory expectations, if not outright mandates, now facing banks are actually exposing them to much higher risk in their traditional banking activities.
Take correspondent banking, for example. Correspondent banking was once the epitome of boring banking, but not anymore. Correspondent banking is perhaps the most prominent example of a traditional banking function that now presents much higher legal and compliance risks. Treasury officialsacknowledge the critical role that U.S. correspondent banks play in the global finance system based on the indispensability of the U.S. dollar to the global system.
That acknowledgment, however, must be accompanied by the recognition that financial crime has become a growth business on a global scale. Much of that crime is conducted – or the proceeds ultimately transferred – in U.S. dollars. Banks are expected to monitor for, detect and report signs of money laundering, terrorist finance activity, tax evasion, official corruption, sanction violations, and, indeed, any other criminal or suspicious activity passing through them. Severe consequences, including criminal charges and billion dollar fines, can result from the failure to meet the rising regulatory expectations for such monitoring, detection and reporting.
How are banks responding to the heightened regulatory requirements and expectations for their traditional banking functions? The initial answer is by implementing enhanced controls, such as more robust financial crimes compliance programs than those historically required. Judging by the increased level of recent enforcement activity and supervisory criticism, however, the regulatory authorities continue to find the programs of many institutions inadequate, often based on new supervisory expectations or the benefit of 20/20 hindsight. Examiners regularly criticize and regulators regularly sanction firms, publicly or privately, for programmatic failures. Regulatory action is often taken based on program weakness alone, irrespective of whether the weakness resulted in an actual pattern of criminal activity conducted through the bank. This may be the case even when the same program was found to be satisfactory by the examiners in the last examination.
Faced with these regulatory criticisms and sanctions, banks have two choices. The more complex and resource-intensive response of the two options is to further enhance controls – particularly as they pertain to high risk businesses. This requires collecting, maintaining and regularly updating customer due diligence, not only to ensure that inherent risks are understood, but also to ensure that all transactional activity is normal for that customer. It may entail enhancing transaction monitoring to include not only the detection of red flags, but also predictive analytics and other more sophisticated monitoring techniques. But the implementation of such processes requires significant time and resources with no assurance that the resulting processes will pass muster with the regulators.
Which brings us to the second option. Increasingly, banks have been inclined to “just say no” – that is, they have engaged in de-risking by exiting certain product lines, customer types or geographies. Firms can mitigate the prospect of regulatory sanctions if they limit their services to those customers or areas more easily controlled. This approach is likely to be adopted where the cost of controlling the risk exceeds what an institution can reasonably charge for its services or where reputational concerns for the business are simply perceived as too high.
The government is sending conflicting signals to the banking sector. Some regulatory officials and transnational bodies have roundly criticized banks for de-risking. Senior officials from the U.S. Treasury Department and the Financial Action Task Force have expressed concerns that higher-risk clients, if not banked by larger, more sophisticated banks, will seek out banking relationships with smaller, less-well-governed financial services firms or go underground altogether. Such nested or hidden activity will be less transparent to law enforcement, increasing risk to the financial system. Public-sector officials have also expressed concerns that de-risking will result in denying developing countries or categories of customers’ access to needed financial services. However, even as some regulatory authorities have criticized banks for de-risking, other regulatory authorities have made it clear that they will seek to hold not only banks, but also individuals civilly, and perhaps criminally, liable for program failures, adding to the impetus to de-risk.
The U.S. authorities have taken the global lead in enforcement and standard setting for financial crime prevention. They must now take the lead in crafting a balanced and coordinated approach to the issues that prompt de-risking. A recent World Bank report observed that de-risking is a “complex and manifold” phenomenon and that addressing the issues underlying de-risking is a “joint public-private responsibility that needs to be dealt with in partnership.”
Neither the authorities nor the banks can turn back the clock on the increased legal and compliance risks in traditional banking activities. Instead they have to work together to manage the risks more effectively and equitably.
Paul L. Lee is of counsel and a member of the Financial Institutions Group at Debevoise & Plimpton LLP. Teresa A. Pesce is a principal in KPMG’s Forensic Advisory Services practice and global head of anti-money-laundering services.