De- Centralised Due Diligence
Most nations’ financial regulations copy those drafted in the US and the EU. These regulations have been promulgated by the Bank for International Settlements (bis.org) through a publication by the Basel Committee on Banking Supervision – October 2001 on Customer Due Diligence for Banks.
There is a theme in the October 2001 document that has percolated and grown stronger through repetition and reiteration. That theme has been the idea of centralisation. In several places, you can see the desire for the idea of people behind the regulations drafting them to fit their idea of the regulation of the management of risks. It does not take into account real management of risks evidenced by the persistent idea of “…a senior officer should be designated to be directly responsible…” Look at the laws across the EU, the United States, and now the developing nations – all laws look to have a single point of contact for the regulators for the entire bank. They are looking for a single responsible party within any given organisation to be the contact person.
From a regulatory point of view, I get it. The regulators do not want to have to work harder than they have to (no one does) and since they are penning the regulations, the regulations are bent to fit their management wants – not the diffuse operational landscape of modern banking. The regulators are also concerned about regulatory arbitrage. I understand that too. Heck, the entire international financial community’s industry is built on regulatory and legal arbitrage. However, as – Know Your Customer (KYC) and Anti Money Laundering (AML) is in pursuit of a noble cause, our (the regulator’s) prognostications and rules must be followed. Be warned if you challenge the rules – you confront and question the noble cause.
Well – one size and one model does not fit all. And while again and again I have seen in writing that each bank can customise their approach based upon their risk assessments, and I have heard similar statements out of regulator’s mouths in many countries – it is not the approach that actual regulators have been taking. The approach has been to find compliance errors – note that those errors are inconsistent with other banks they have seen who have approaches that cover the error found, and the regulators fine the bank. The banks are giving up.
I have concluded from my conversations with financial institutions across the globe that the banks are factoring in the cost of compliance fines. Fines are expected and are now just considered a cost of doing business. One banker described it as the “spanking tax”. The compliance team’s cost and economic drag is weighed against the cost of fines – stop.
Why has this come about? Why has the noble cause been sacrificed? Why is it now just a business cost decision? The answer is simple – the senior management of the financial institutions – when they honestly believe they are doing everything logically possible – make mistakes and get fined. There is no forgiveness and no quarter taken. The banks in return have surrendered to the fact that they will be hit with an irregular ‘spanking tax’.
What many have pointed out to me is that the potential for mistakes is built into the very design and fabric of the laws and regulations. That “… a senior officer should be designated to be directly responsible…” implies that the AML and KYC should all be centralised. It does not say it has to be centralised – but implies that it must be centralised – that is what the regulators want to see, and that is how many of the large financial institutions now deal with AML and KYC and similar compliance matters.
Why does this centralised model have built into it the fabric of failure? It is simple risk management or due diligence 101. The centralised office is too remote from the risks to either know or care. The larger the bank, the less they know and the less they care. If the centralised office does not either know or care, and fines are now but a cost of doing business – it is ‘game over’ for the spirit of compliance. It is now managing the cost of overhead and potential ‘spank tax’ events. It is a vicious circle if not confronted.
One financial service firm with offices in 16 countries, including the US, EU and Middle East has taken a different approach to compliance – KYC, AML and sanctions. All responsibility has been shifted to the local manager for all accounts at that location. The local manager is not only responsible for the gathering and sorting of the required documents – they are also required to have the database record pulls done and reconciled with the application. The local managers are also required to monitor and report on any suspicious activities or even activities that are anomalous for an applicant or a current account holder. If there are local office failures – there are local office penalties that come out of the bonus structure. If there are fines – the fines come out of their bonuses and the responsible parties could be subject to immediate dismissal.
Actions are taken locally, client processing and analysis are done locally, and responsibility is retained locally. This local retention of analysis, reporting and responsibility has also become a key point to the defense of their brand. It is not just compliance but defense of the brand. All employees, not just location managers, are deputised to ask and raise questions either openly or via a blind internal hot line.
This does not mean banks have avoided the regulations of a central contact person for the regulators to visit. That is still a requirement and has been met. The central responsible party and staff do monitor all offices and the company as a single unit – but actions and accountability are delegated to local managers who are nearest to the risk and nearest to the information to make more fully informed choices.
It would be nice to say conversion was accomplished with few problems. It was not easy – but difficult. Not one local manager wanted the responsibility or accountability. It was their belief that as long as they made the office profitable – they should get their bonuses and if the company had a compliance problem – well too bad, it was not going to affect their wallet.
Offices were converted one by one over a year. As each office was set up for responsibility and accountability, something new was learned that could be applied to the next office. There was a great deal of training for people in the local offices on how to search and read some of the database information as well as how to develop their own information from visiting the customer and by speaking to people in their community. As most of their clients were very high net worth individuals, this transition and the ensuing requirements had to be done with grace and tact.
Link to article – https://www.ifcreview.com/articles/2013/september/de-centralised-due-diligence/
PDF Version – IFC-Review-De-Centralised-Due-Diligence