On the 5th of January 2022 the European Banking Authority (EBA) published their opinion on de-risking (EBA/Op/2022/01). The EBA is taking a critical stance towards the de-risking strategies used by many institutions today. The authority sees the broad application of de-risking as an indication that some institutions lack relevant knowledge of their risks and/or lack effective measures against their risks.
De-risking significantly impacts financial inclusion
There is a wide spectrum of parties effected by de-risking and the following groups are mentioned by the EBA:
- Respondent Banks in certain jurisdictions
- Non-Governmental Organizations
- FinTechs, Money Service Business, Third Party Payments, and other PSD2 licensed institutions
- Remittance to non-European countries
- Natural persons with citizenship, place of birth, or tax residency in certain jurisdictions
De-risking leads to the de-coupling of the European financial system and the financial systems of jurisdictions that are perceived to have issues related to financial crime or their tax systems. De-coupling can harm the financial systems of the targeted countries, and as well drive the financial activities linked to those countries towards channels that are neither transparent nor properly regulated, thus being detrimental to Europe’s ambition to combat financial crime.
The financial and social inclusion of guest workers, asylum seekers and other migrants are at risk due to de-risking. De-risking strategies where whole countries are banned as payment destinations or where a citizenship, place of birth or tax residency in certain jurisdictions prevents you from access to basic financial services are hindering the free movements of individuals and makes it considerably more difficult for individuals to integrate and participate in society.
The European ambition to increase competition within financial services is also hurting by de-risking of smaller institutes and newer payment technologies by bigger institutions.
Poor quality financial crime risk assessments can result in de-risking
EBA has identified three main drivers for the de-risking:
- ML/TF risks or reputational risks exceed institutions’ risk appetite,
- the institutions lack the relevant knowledge or expertise to assess the risks associated with specific business models or
- the real or expected cost of compliance exceeds profits.
All drivers can be tied back to the Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment:
- A relevant and actionable risk appetite should be based on the actual risks the institution faces. That means that the risk appetite should be based on the insights gained through the Business Wide Risk Assessment. The stakeholders deciding on the institutions risk appetite also needs to make an informed decision and this needs to be based on knowledge of the threats and risks in the market as well as the threats and risks relevant to their institution.
- There is plenty of information readily available in open sources today on what threats and risks European financial institutions faces. However, many institutions lack the relevant knowledge to identify the relevant information. If they manage to identify the relevant information, many institutions lack the capacity and skill to collate and analyze the intelligence. If the relevant information/intelligence is in place, then it is not always communicated to the right parties (risk owners) within the organization, and/or the institution struggles to go from the abstract/aggregated intelligence to actionable insights.
- Even if the institution has intelligence and it has been able to turn it into actionable insights, it does not guarantee that the institution is able to accurately assess the risk on the books. The insights that the intelligence brings must be put into perspective of the products, customers, geographies, channels, transactions, and controls at hand. The absence of a proper assessment can lead to excessive de-risking while it can also lead to that other risk are ignored.
- Before an institution has a well thought out risk appetite statement and the relevant knowledge of it the risks and threats facing it, it cannot accurately assess the cost of compliance and even if the two first points are handled well within the institution, that does not mean that the understanding of the controls and their cost is good. The controls need to be well documented and as well as the associated costs. If you do not understand the risk, you cannot understand the control and if you do not understand the control, you cannot understand the costs associated with said controls.
Nuance is key and context is king
This EBA guidance suggests that it’s not good enough to blanket de-risk customers based on an arbitrary indicator, such as their country of operation. We need to go many steps further to understand who we are dealing with, how they operate, what the real risks are and whether those are within risk appetite. We need to understand the context within which our customers operate, to ensure fair treatment and stop un-necessary de-risking of underserved communities.