Nov. 3, 2016
Without any formal consultation process or industry input, the federal Office of the Comptroller of the Currency (OCC), the supervisor of some of the most internationally active banks providing U.S. dollar-based foreign correspondent banking activity, published “Risk Management Guidance on Periodic Risk Re-evaluation of Foreign Correspondent Banking” on October 5, 2016. The guidance advises financial institutions to routinely re-evaluate foreign correspondent banking portfolios and provides best practices for updating customer risk assessments.
The risk management guidance was seemingly prompted by industry claims that the large fines handed out by the regulators, including the OCC, have encouraged, if not forced, de-risking of correspondent banking activities in an effort to reduce anti-money laundering (AML) risk. De-risking is a phenomenon where financial institutions are increasingly electing to terminate or restrict business relationships to avoid, rather than manage, risk. Thomas Curry, U.S. comptroller of the currency, spoke out against this increasingly common practice in September and indicated that new guidance was forthcoming to encourage firms to re-evaluate their risk profiles rather than de-risk. It remains to be seen whether the guidance will have any meaningful impact on de-risking.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), drafted in response to the September 11, 2001, terrorist attacks, was developed based on many findings, one of which was that correspondent banking facilities, specifically U.S. dollar clearing provided by U.S. banks, were found to be susceptible to money laundering and terrorist financing. As a result, the USA PATRIOT Act prohibits U.S. banks from maintaining account relationships with certain types of entities (i.e., shell banks) and requires enhanced due diligence (EDD) to open and maintain certain other foreign correspondent banking accounts.
The OCC’s guidance arrived on the heels of a progress report published by the Financial Stability Board (FSB) summarizing its plan to assess the decline in correspondent banking, a source of significant concern for the international banking community. Further, just prior to the issuance of the OCC’s guidance, the U.S. Department of the Treasury and the Federal Banking Agencies issued a joint fact sheet summarizing key aspects of examination and enforcement processes, highlighting concerns that regulatory risk avoidance by skittish financial institutions is playing a significant role in the decline of foreign correspondent banking relationships.
The ongoing tension between financial institutions and regulatory agencies may be further aggravated by the latest guidance. Although regulators can discourage de-risking and encourage banks to develop enhanced programs to effectively manage risks posed by foreign correspondent banking relationships, banks are still empowered to operate their businesses according to their own best economic interests. If building the compliance infrastructure necessary to effectively manage risks associated with these relationships yields little reward, meaning the bank may face shrinking profits and an increased risk of prosecution and penalties, the current risk-reward equation for participants considering maintaining such relationships could compel some financial institutions to forgo them altogether.
The OCC guidance does not address how to alleviate the risk-versus-reward conundrum. However, to the distaste of many financial institutions, it may provide regulators with yet another ground to discipline banks offloading risk without performing objective analyses as part of their decision-making processes to terminate or retain such risky relationships.
The OCC claims that it “does not direct banks to open, close or maintain individual accounts”; the guidance, in some aspects, may undermine this intent because it establishes a range of expectations and best practices relating to terminating and retaining accounts. Even more important, some institutions may believe that the guidance and its assertion that the decision to retain or terminate a correspondent relationship rests with the offering bank contradicts the messages they have been receiving from their examination teams.
The OCC’s guidance on foreign correspondent banking risks has similar tones to its “Statement on Risk Management Associated with Money Services Businesses” (MSBs), issued in November 2014, as both statements indicate that the OCC does not direct banks on whether they should retain or terminate accounts. That guidance stemmed from concerns that banks were exiting relationships with check cashers and MSBs out of fear of enforcement actions and, as a consequence, there was growing concern that lesser-developed economies would be subject to financial exclusion. When the 2014 guidance was released, some industry observers noted that it was too little, too late, and that the damage to the MSB market was already done. It is likely that some will react similarly to the OCC’s guidance on foreign correspondent banking risks.
Providing correspondent services to a foreign financial institution (FFI) and its customers may be deemed detrimental to the risk profiles of U.S. financial institutions because of the perceived compliance hurdles required to convince examiners that these relationships are appropriately managed when the offering institution must rely, at least in part, on the effectiveness and strength of the FFI’s AML compliance program. This principle of reliance poses a significant money laundering concern to U.S. financial institutions because FFIs are responsible for, among other things, identifying and knowing their customers, performing adequate customer due diligence (CDD) and EDD, determining beneficial ownership, and performing ongoing risk monitoring.
AML compliance requirements vary by jurisdiction, many of which operate with significantly more lenient standards than those imposed by U.S. regulators. This dichotomy of AML compliance program standards between the United States and other regions adds to the complexity of managing foreign correspondent banking relationships. U.S. financial institutions are struggling to find the delicate balance of maintaining the integrity of the U.S. and international financial system while also supporting business and investment in lesser-developed regions and economies.
Summary of the Guidance
The OCC’s risk management guidance is applicable to all OCC-supervised institutions (i.e., national banks, federal savings associations, and federal branches and agencies of foreign banking organizations) that maintain foreign correspondent banking relationships. The guidance focuses on best practices for periodic risk re-evaluation and account retention and termination.
Supervisory Expectations to Perform Periodic Risk Re-evaluations
The OCC guidance emphasizes the importance of ongoing monitoring and taking a proactive approach to address inherent risks in maintaining foreign correspondent banking relationships. The guidance presents three primary practices for banks to consider:
- Defining processes to help ensure that risk re-evaluations are conducted on a periodic basis and informing foreign correspondent banking risk management practices: Each bank should define risk criteria to use when performing re-evaluations; establish and implement processes that align with its own articulated risk appetites, including determining ongoing due diligence and EDD protocols; and define the period of time that accounts can remain dormant and processes to assess the implications of account closures.
- Implementing procedures to perform re-evaluations on an ongoing basis and making account closure decisions: Using a risk-based approach, each bank should perform re-evaluations on all of its foreign correspondent banking relationships, ensure alignment with the bank’s own risk appetite, and escalate accounts subject to closure to appropriate levels of management prior to executing the closure process.
- Ensuring decisions to terminate or retain accounts are well-informed and derived from risk re-evaluations: A bank’s decision to exit a relationship should be based on the level of risk the bank is willing to accept, the strength of the bank’s control environment, and the scope and effectiveness of the AML regulatory and supervisory regime of the jurisdiction associated with the FFI.
Best Practices for Account Retention and Termination
The OCC highlights best practices for retention and termination of both active and dormant foreign correspondent banking accounts. These practices include:
- Establish and maintain a governance function to review the method of performing risk re-evaluations and the appropriateness of account closure or retention recommendations: The governance function, which may be the bank’s oversight committee, should review the policies and procedures relating to risk re-evaluations, evaluate the method the bank employs when determining whether to terminate accounts, monitor CDD and EDD performed on these accounts, and review and opine on account closure recommendations.
- Communicate foreign correspondent account termination decisions to senior management: Banks should establish risk rating changes and escalation protocols, communicate potential adverse effects resulting from account closures, and, when possible, identify mitigating controls (e.g., temporary account restrictions) in lieu of account closures.
- Communicate with FFIs to better understand and assess their control environments: Banks should provide FFIs with the opportunity to provide information about their mitigating control environments, including providing customer-specific information as needed, and in cases where a bank chooses to terminate the relationship, provide sufficient time for the FFI to establish an alternative banking relationship, as appropriate.
- Document account closure decisions and maintain supporting rationale: Banks should ensure they preserve a clear audit trail of rationale and methods used to arrive at account closure decisions.
Know Your Customer’s Customer
Although the OCC’s guidance suggests that banks establish procedures to address ongoing due diligence “which may include periodic site visits based on risk” and also to “provide for follow-up by bank personnel” on activity that deviates from an established customer risk profile, banks are still struggling to understand to what extent they are expected to perform comprehensive CDD on their correspondents’ customers. Knowing your customers’ customer (KYCC) is a term used to describe due diligence of account holders of a respondent bank in a correspondent banking relationship. Many banks have implemented KYCC to evidence their understanding of potential risks stemming from their correspondents’ customers. Many banks would argue that they developed KYCC programs at the insistence, or at least strong encouragement, of their field examiners.
The OCC’s recent guidance on foreign correspondent banking risks is silent on whether, and to what extent, KYCC is required, leaving the onus with the offering bank to implement KYCC standards according to its own risk assessments and risk appetite. Rightfully so, it is not always easy for banks to know what level of due diligence is expected, which practices are too intrusive and which practices are not intrusive enough. The lack of mention of KYCC in the OCC’s recent guidance may seem to be in contradiction to what banks have heard from their examiners and may diminish banks’ confidence in relying on the guidance to decide to stay in the foreign correspondent banking business.
Challenges in Maintaining Foreign Correspondent Banking Relationships
Notwithstanding the realized benefits of foreign correspondent banking relationships, including providing access to the U.S. dollar, arguably the most important currency in global business, banks face significant regulatory hurdles and risks in maintaining these relationships. Beyond the common foreign correspondent banking challenges of detecting and avoiding shell and nested accounts and performing effective ongoing monitoring of their correspondents’ activity, banks also face additional challenges when defining their sanctions screening criteria. Specifically, banks seek to ensure comprehensive domestic and international coverage to address the often vast and far-reaching geographical exposure associated with correspondents’ activity. Banks struggle to find the appropriate balance between establishing a risk-based approach that is both realistic and comprehensive, yet does not hamper the operational efficiency of resources reviewing alerts.
Gaining access to reliable documentation and data to perform effective transaction monitoring, conduct informed risk assessments and develop comprehensive profiles is another ongoing challenge for banks. The myriad international data privacy laws have become of paramount concern as banks’ know your customer (KYC) and KYCC visibility is stymied by jurisdiction-specific regulations mandating how certain customer information can be collected and stored and where it can be transmitted. As banks become more effective in these practices, one method to overcome data reliance and completeness challenges is to make better use of formalized information sharing channels and KYC utilities, which are centralized noncompetitive units designed to improve quality, reduce costs and share information.
As noted above, the risk management guidance is applicable to all OCC-supervised banks that maintain foreign correspondent banking relationships. However, each bank’s approach to consider and apply this guidance to its own programs will vary based on the size, nature and risk profile of the bank. Institutions are encouraged to begin taking the following steps:
- Re-evaluations: Establish and/or review the methodology and frequency by which re-evaluations are performed on all foreign correspondent banking relationships. Frequency should be determined, for example, by current risk rating, status of documentation collected, actual activity, geographical exposure, nature and scope of correspondent activities, changes in ownership structure, and alignment with the bank’s risk appetite. Prioritization of re-evaluations should be based on both the amount of time since last review and the correspondent’s risk status.
- Policies and procedures: Ensure policies and procedures are comprehensive and risk-based to adequately assess the inherent risk of foreign correspondent banking relationships. Procedures should include escalation protocols to and approvals from senior management to onboard, retain and terminate foreign correspondent banking accounts, minimum documentation requirements, KYCC practices, and protocols for ongoing reviews and risk-scoring changes. Policies and procedures should be reviewed and approved annually or more frequently, as needed, to address emerging risks and regulatory developments.
- Creating a single view of your customers: Develop robust oversight practices in the customer profile creation and maintenance of foreign correspondent banking accounts to allow for more informed termination and retention decision-making. Having a holistic and accurate view of the customer’s profile, including timely feedback from ongoing transaction monitoring, risk assessment results and KYC information changes, enables financial institutions to better detect when relationships exceed risk thresholds and require escalation to senior management for review. Where possible, consolidate customer profiles into a single centralized system to provide a consistent view of the customer and ensure that profile information is accessible to relevant parties throughout the organization.
- Risk assessment: Perform risk assessments annually to review the adequacy of the bank’s existing AML program, its ability to manage inherent risk of existing foreign correspondent banking relationships, and the effectiveness of its mitigating control environment. Risk assessments should take into consideration, for example, the bank’s customer onboarding controls with regard to foreign correspondent banking relationships, the review-and-approval process to onboard and terminate such relationships, geographical reach of its correspondents’ activity, and training of its personnel.
- Enhance internal audit’s scope: Internal audit’s scope should be reviewed to ensure it includes assessing adequacy of re-evaluations for foreign correspondent banking relationships, proper treatment of dormant accounts, escalation and approval of account terminations, and maintaining adequate documentation evidencing key decisions throughout the lifecycle of the relationship.
- Risk appetite: Banks should articulate an AML-specific risk appetite statement and include quantitative and qualitative statements around the level of foreign correspondent banking risk that the institution is willing to manage. Consider including specific statements around how increased risk levels will be addressed prior to account termination.