De-Centralised Due Diligence

By L Burke Files, CDDP, President, Financial Examinations & Evaluations, Inc (01/09/2013)

Most nations’ financial regulations copy those drafted in the US and the EU. These regulations have been promulgated by the Bank for International Settlements through a publication by the Basel Committee on Banking Supervision (October 2001) on Customer Due Diligence for Banks.


There is a theme in the October 2001 document that has percolated and grown stronger through repetition and reiteration. That theme has been the idea of centralisation. In several places, you can see the people behind the regulations drafting them to fit their own idea of how the management of risks should be regulated. That idea does not take into account the real management of risks, as evidenced by the persistent phrase “...a senior officer should be designated to be directly responsible...” Look at the laws across the EU, the United States, and now the developing nations - all laws look to have a single point of contact for the regulators for the entire bank. They are looking for a single responsible party within any given organisation to be the contact person.


From a regulatory point of view, I get it. The regulators do not want to have to work harder than they have to (no one does) and since they are penning the regulations, the regulations are bent to fit their management wants - not the diffuse operational landscape of modern banking. The regulators are also concerned about regulatory arbitrage. I understand that too. Heck, the entire international financial community’s industry is built on regulatory and legal arbitrage. However, as Know Your Customer (KYC) and Anti Money Laundering (AML) are in pursuit of a noble cause, our (the regulators’) prognostications and rules must be followed. Be warned if you challenge the rules - you confront and question the noble cause.


Well - one size and one model does not fit all. And while again and again I have seen in writing that each bank can customise its approach based upon its risk assessments, and I have heard similar statements out of regulators’ mouths in many countries - it is not the approach that actual regulators have been taking. The approach has been to find compliance errors, note that those errors are inconsistent with other banks they have seen whose approaches cover the error found, and fine the bank. The banks are giving up.


I have concluded from my conversations with financial institutions across the globe that the banks are factoring in the cost of compliance fines. Fines are expected and are now just considered a cost of doing business. One banker described it as the “spanking tax”. The compliance team’s cost and economic drag are weighed against the cost of fines - stop.


Why has this come about? Why has the noble cause been sacrificed? Why is it now just a business cost decision? The answer is simple - the senior management of the financial institutions - when they honestly believe they are doing everything logically possible - make mistakes and get fined. There is no forgiveness and no quarter given. The banks in return have surrendered to the fact that they will be hit with an irregular ‘spanking tax’.


What many have pointed out to me is that the potential for mistakes is built into the very design and fabric of the laws and regulations. That “... a senior officer should be designated to be directly responsible...” implies that the AML and KYC should all be centralised.  It does not say it has to be centralised - but implies that it must be centralised - that is what the regulators want to see, and that is how many of the large financial institutions now deal with AML and KYC and similar compliance matters. 


Why does this centralised model have built into it the fabric of failure? It is simple risk management or due diligence 101. The centralised office is too remote from the risks to either know or care. The larger the bank, the less they know and the less they care. If the centralised office neither knows nor cares, and fines are now but a cost of doing business - it is ‘game over’ for the spirit of compliance. It is now managing the cost of overhead and potential ‘spanking tax’ events. It is a vicious circle if not confronted.


One financial services firm with offices in 16 countries, including the US, EU and Middle East, has taken a different approach to compliance - KYC, AML and sanctions. All responsibility has been shifted to the local manager for all accounts at that location. The local manager is not only responsible for the gathering and sorting of the required documents - they are also required to have the database record pulls done and reconciled with the application. The local managers are also required to monitor and report on any suspicious activities or even activities that are anomalous for an applicant or a current account holder. If there are local office failures - there are local office penalties that come out of the bonus structure. If there are fines - the fines come out of their bonuses and the responsible parties could be subject to immediate dismissal.


Actions are taken locally, client processing and analysis are done locally, and responsibility is retained locally. This local retention of analysis, reporting and responsibility has also become a key point in the defense of their brand. It is not just compliance but defense of the brand. All employees, not just location managers, are deputised to ask and raise questions either openly or via a blind internal hotline.


This does not mean banks have avoided the regulatory requirement of a central contact person for the regulators to visit. That is still a requirement and has been met. The central responsible party and staff do monitor all offices and the company as a single unit - but actions and accountability are delegated to local managers who are nearest to the risk and nearest to the information to make more fully informed choices.


It would be nice to say conversion was accomplished with few problems. It was not easy; it was difficult. Not one local manager wanted the responsibility or accountability. It was their belief that as long as they made the office profitable - they should get their bonuses and if the company had a compliance problem - well too bad, it was not going to affect their wallet.


Offices were converted one by one over a year.  As each office was set up for responsibility and accountability, something new was learned that could be applied to the next office.  There was a great deal of training for people in the local offices on how to search and read some of the database information as well as how to develop their own information from visiting the customer and by speaking to people in their community.  As most of their clients were very high net worth individuals, this transition and the ensuing requirements had to be done with grace and tact.  


The manager of the second or third office had a novel idea - tell the client exactly what was going to happen. Tell the current clients and the prospective customers that all compliance, KYC and AML is going to be shifted to the local offices as part of a strategy to increase the strength of the brand. Further, tell them that this is to ensure that they - either the client or the financial institution - would not be associated with the likes of financial companies who do bad things for bad people. With this simple idea of the truth - current customers came forward and asked if there was anything they could do and the prospective customers felt like they were applying to an exclusive club.


It is still a work in progress. It has saved a great deal in duplicative effort between local managers and the head office, saving time and non-revenue generating labour. It increased expense in the upgrades required for the computer systems so that the central office had all of the information - per regulatory requirement - as well as current account notes not just for each account but also for each customer who may possess or be a signatory on multiple accounts.



In the short term:


  •   There was a flash of Suspicious Activity Reports (SARs) from each office as the changes took place. Some were as a result of bad people newly discovered, and some were the result of an unfamiliar staff overreacting. This occurred for each office as the office was shifted from a centralised model to one of responsibility and accountability. Three months post transition, fewer SARs were filed for each office than before the transition.
  •   No one was ever turned down for a new account, but many applicants when asked for more documentation never returned.
  •   Current clients have referred more clients, and/or the increase that appeared could be concurrent with an upturn in the economy.
  •   Questions from local managers on transactions are not met with hostility. Most often, the questions are answered within minutes - only a few have taken more time.
  •   Some accounts were closed by the beneficial owners and went to other institutions. In total, half of the accounts closed were accounts marked for special monitoring due to suspicious activity.
  •   Local managers have taken a sense of ownership for their office. The sense of ownership is considered by senior management as good for performance, but has led to conflict with the central office on strategic directions and marketing. Most conflicts have been resolved in favour of the local manager, with the understanding of their responsibility and accountability for their choices.


The change - in which I participated - makes logical operational sense and correctly aligns pay and incentives. The cost of the changes was offset by lower costs - mostly labour. Following the change, it looks to break even on costs within 12 months or less. The Chief Financial Officer’s office is following the fines of institutions in their market space and is comfortable that any fines if assessed will be small. All fines are also going to be contested as a matter of policy. The fear in the back of the heads of those in favour of centralised control is that if a manager goes bad - they will go really bad. Consequently, the selection process and oversight of managers have increased - wisely so if you ask me. Also, more of the managers’ time is being spent with other managers than at the home office. Forced vacations or ‘relocations’ are part of the new process. When one manager is away for a period of time - another from a different office is brought in to run the operations for a period of time. The idea is that any fraud or mischief should be detected and some valuable cross training occurs.


De-centralised due diligence makes all the sense in the world. Those closest to the risks of operation are making informed choices. But it cannot just be done and walked away from. The information must still be gathered and centralised, and responsible management must be sought, trained and properly incentivised. Oversight must be as keen as the selection and training, remembering all the time that these managers must be left free to choose, but also be held accountable.