As tightened regulatory controls continue to squeeze the banking industry, institutions must juggle providing continued service while identifying potentially high-risk customers. Although a heavy-handed approach to eliminating riskier programs and customers may help financial firms to ensure compliance, regulators are also applying pressure on banks to continue providing services to legal, albeit higher risk, businesses on a case-by-case basis.
A former bank regulator and practicing Chief Risk Officer, Alvarez & Marsal Managing Director David Gibbons spoke with Global Marketing to discuss these risks and potential value-loss in the current heavily-regulated environment.
Q. Can you describe the challenging directives that the financial industry is receiving from regulators regarding their de-risking strategies?
The current challenge to the financial industry is that on one hand, regulators are warning banks about the perils of doing business with high-risk customers, such as third-party payment processors. Certain guidance issued a few years back actually listed a number of these types of businesses, and bankers’ natural reaction was to shy away from servicing them, either by not opening accounts or by closing existing accounts, aka de-risking.
This issue becomes more complex because not all of these types of customers actually engage in high-risk activities and not all of their customers are engaged in high-risk transactions. Even high-risk customers can carry out lower risk transactions, so restricting their access to banking services could be inappropriate and potentially unhealthy for the payment systems and economy overall.
Regulators have recently recanted a bit on their earlier directives and issued further guidance that categorical de-risking was not their intent. Rather, they want a risk-based approach in which banks perform due diligence on their customers and their customers’ customers, and make decisions based on that analysis and their ability to control the risks.
The big issue for the bankers is whether the risk versus reward relationship warrants accepting the business. Another key question is whether regulators will, after an event, deem that an institution did all it could to know its customer and customer’s customers, and to control and actively monitor their activities accordingly.
Q. How successful have firms been to date in taking a case-by-case approach to customer due diligence, and avoiding more severe tactics for curtailing their inherently riskier activities?
To me, success in a case-by-case scenario is performing thorough up-front due diligence, limiting customers' activities and transactions to what you are comfortable with and then monitoring and managing the risks day-to-day to ensure that transactions and patterns thereof do not deviate from expectations. The riskier the activities, the more costly and intensive the monitoring and controls will need to be. At some point, there is a risk versus reward decision that needs to be balanced and made. In some cases, the risk after applying all of the controls may not be something worth taking at any price.
I have also seen success turn to abject failure when companies allow business drivers to justify risks that the risk and compliance teams cannot manage, or where inappropriate exceptions are made. Some exceptions simply cannot be made when it is clear that the activity is illegal or even in a gray area.
Q. As a former Chief Risk Officer, how do you think banks can successfully perform this balancing act while keeping their own business interests in mind?
The banks that do this well have clear risk tolerances, good risk cultures and competent compliance and risk officers, both within their businesses and in risk and audit. They also employ sound policies and procedures, as well as compensation systems that help communicate and enforce their business and risk cultures and expectations. These banks do their initial homework and apply appropriate risk management throughout the lifecycle with the customer. They also account for the costs of implementing all of these processes versus the reward. Sometimes it is worth the residual risk, and sometimes the residual risk is just too high relative to the return.
Q. What factors should firms take into consideration as they contemplate how to manage customer relationships while ensuring regulatory compliance?
Firms need to take into account their customers’ risk, as well as their customers’ customer risk – how do they conduct business and who do they do business with, and their reputational risks. Banks should also consider the type and patterns of transactions, and the volumes and velocity of activity. They must have the capability of people, systems, programs and processes to identify errant behavior, and the will to deal with it head on.
Q. For the higher risk client relationships that firms consider worth maintaining, how can these institutions properly put in place controls to mitigate their risks?
These firms should know what types of customers and activities they are comfortable with, limit their activities to that comfort zone, and monitor, monitor, monitor to ensure activity does not deviate from the comfort zone. If activities, or patterns thereof, deviate from expectations and comfort zones, they must be investigated and firmly dealt with. Repeat deviations cannot be tolerated as they are telling you something about the character of the customer. Once trust is violated, it’s a different game.
Q. What types of consequences do banks face if they fail to properly de-risk their customer activities? What consequences do they face if they employ an overly heavy-handed approach to restricting services to certain risky clients?
Banks that fail to appropriately manage and mitigate these risks face significant financial, reputational and legal consequences, including fines/penalties, credit risk, adverse publicity and loss of business. Remember, bank customers and other constituencies (investors, lawmakers, regulators, etc.) will have their own opinions about the bank’s behavior and may choose to de-risk from the bank, or attack it if the offense is significant enough.
Overdoing the de-risking, or doing it inappropriately, will have the adverse effects of inappropriately restricting credit and other banking services, which is not necessarily good for banks or the overall economy in which they play such an important role. We don’t have to be talking terrorism financing or illegal drug financing here. We can be talking about just plain higher risk forms of lending such as subprime lending, leveraged finance and/or commercial real estate.
Some may shy from, or severely restrict, these higher risk forms of lending while others will take on the business and do their best to balance the risk versus reward relationship. Let’s also be clear that there is nothing wrong with prudential prohibitions; in fact, I expect to see them incorporated into well-done risk appetites and tolerances. These are the qualitative aspects of risk management that shape what banks will and won’t do.
Q. Do you expect the financial industry to receive additional guidance and standards from regulators on how to appropriately de-risk their businesses moving forward?
Regulators have clarified their expectations to some degree since their initial guidance, so the issue will not necessarily be with further guidance, but how banks and regulators behave. If a bank were to really do all the things they need to per industry sound practice and regulatory expectations and an adverse event still occurs, the question is whether the regulator will still severely punish the bank. If they do, either the bank was not really walking the walk, or the regulatory guidance does in fact need further clarification.