The amount of anti-financial crime regulation continues to grow. How do you think this is impacting both the front office and the wider market?
They are very different questions. I’ll start with the front office, and I would say at board level, for those banks that have been subject to regulatory intervention, we have seen quite a lot of blood spilt at very senior levels, some very large fines and some massive remediation spending. In some cases, we’ve also seen some quite consequential changes in risk appetite.
As a result, there has been change in general understanding of fin crime risk and how it affects banking and particular roles. I don’t necessarily think though this has led to universal changes in behaviours. Culture change. That’s a challenging issue.
But those largely big Western banks that have been through one if not two phases of regulatory remediation, now understand the risks and have spent a lot of money in trying to implement a system of controls to manage it. And now perhaps they are in a phase 3 and realising that all that money hasn’t necessarily well spent. A lot of the systems don’t actually provide good intel or controls, they might still be getting into trouble with their regulators and they are wondering if there is a better way of doing things?
Whether it’s finding more cost efficient processes, changing the organisation governance structure, evolving their overall risk appetite or changing behaviours and culture. They know they need to do something.
In terms of risk appetite, I’ve seen banks pull out of significant tranches of business that with hindsight they may not have done. They did this because at the time they didn’t really understand the risks, or they realised it was easier to pull out than try to manage the risks properly.
Currently we’re seeing banks pull out of certain markets, sectors, products. Deliberately. And often this is a really good thing. But in some cases, there has been an unintentional consequence that many bankers have become scared of doing business. A culture of fear has been created, people are afraid of saying yes – it’s perhaps easier to say no.
Both of these influences have an impact on a macro level. For example, some bigger banks in some countries have found it difficult to access the global payments market. In some cases this has resulted in firms going to secondary or tertiary providers with weaker risk controls which actually impacts on the efficiency and the safety of the financial payment system.
So there’s a balance to be found. I think in some banks that went too far, not that it was the wrong thing to do at the time as undoubtedly some banks had not been as focussed on this as they should have been. We really need to consider how much risk is being found – what is the cost benefit?
In your experience, have you seen a risk-based framework applied well in institutions?
Good question. I’ve seen frameworks evolve towards better risk management but I think this has been constrained by rules based regulation. So the answer’s probably, no, I haven’t seen any true risk based frameworks – I think it will come but it is some way off yet. I’ve seen one that’s probably as good as it can get in terms of the balance of what is reasonable in the markets that bank is operating in.
I think what we are after is an intelligence based financial crime risk management framework where there is much better relevant information sharing across banks, crime prevention agencies and enforcement.
There are three core axes of anti-financial crime, Anti Money Laundering (AML), Sanctions, and Anti Bribery and Corruption (ABC). Should banks be focusing on one more than the other depending on their particular business?
Well, that comes back to my point about understanding the risks of your business. Undoubtedly in parts of the business that I was responsible for (large corporates), a key aspect of financial crime risk was sanctions based. Conversely, the most risk by value and volume was AML (through correspondent banking), despite it being only one element of the business.
So within the boundaries of regulation, we aim to develop and weight the control framework to take account of the significant AML risk in correspondent banking and a different sanctions based risk weighting in other parts the business.
We faced very different types of AML risk concentration across different countries and markets and these took some time to model and to mitigate. We tried to apply fundamentally the same framework (with localised adjustments for specific scenarios) otherwise you end up either missing some important stuff or over engineering the approach entirely.
It’s very easy to disappear down a series of rabbit holes and /or over engineer but I would advise you to focus on understanding your real risks and manage towards mitigating them.
There are new anti-financial crime technologies, particularly around automation, coming out all the time. Are you seeing organisations use these tools well in practice?
It’s a very mixed bag. Some banks are making big investment in these technologies, and certainly machine learning, robotics, AI and intelligence based financial crime risk management are buzz words. But it is still quite early days and we are still largely working within the confines of old rules based regulatory frameworks and in many cases, woefully inadequate data sources and intelligence sharing capabilities.
I’ve seen cloud-based CDD procedures enabling significant efficiencies and encouraging and effective forensically targeted use of AI data mining, I’m confident it will come.
There has also been encouraging signs from regulatory agencies that more effective risk based methodologies that harness tech will be encouraged. I think all acknowledge that an ability to share risk information dynamically cross border, cross institution, intra institution between FI’s and Agencies must be a good thing. But there are years of mistrust and prejudices to overcome.