How to manage financial crime compliance risks without de-risking

The NBB reminds to financial institutions the importance of having a solid and effective AML/CFT Framework in order to avoid de-risking.

Where does de-risking come from?

Early January, the European Banking Authority (‘EBA’) published an opinion on the detrimental impact of unwarranted de-risking practices and ineffective management of money laundering and terrorist financing (‘ML/FT’) risks (see EBA_Op_2022_01 Opinion and annexed report on de-risking). In this document, the EBA described what steps competent authorities should take to cope with the problem of de-risking. This prompted the National Bank of Belgium (NBB) to issue a new circular on the subject on the 1^st of February (see Circular NBB_2022_03 on Prudential expectations in relation to the "de-risking” phenomenon).

What is de-risking?

The NBB Circular defines de-risking as “the decision in principle, taken a priori by a financial institution, to refuse to enter into business relations with potential customers or to terminate existing business relations with current customers on the grounds that these potential or existing customers belong to a category of persons which the financial institution alleges is linked to excessive risks of money laundering or terrorist financing (“ML/FT”), inter alia in view of its risk appetite or the AML/CFT system it has put in place.”

Who is in scope of the NBB Circular on de-risking?

The NBB Circular applies to the following institutions regulated under Belgian law (or branches in Belgium of equivalent foreign institutions):

• Credit institutions;
• Stockbroking firms;
• Insurance undertakings authorized to exercise life assurance activities;
• Payment institutions and electronic money institutions;
• Central securities depositories.

The NBB currently recognizes that de-risking is more relevant to banking than it is to  insurance. However, the NBB stresses that the principles underlying its circular apply to all sectors under its supervision, because it cannot be ruled out that the phenomenon of de-risking may extend to the entire financial industry.

Furthermore, it points out that the scope of application of its circular is specifically limited to de-risking resulting from insufficient implementation by the financial institutions of their legal and regulatory obligations applicable in the field of AML/CFT.

How does de-risking articulate with other applicable legal provisions?

In its circular, the NBB states that since the entry into force of the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash (the “AML/CFT Law”), it has noticed a sharp increase in the number of de-risking actions from financial institutions.

It emphasizes that the business relationships between a financial institution and its clients are primarily governed by the principle of contractual freedom. However, regardless of their effective compliance with AML/CFT-legislation, financial institutions must still comply with other binding legal provisions that also apply to them. One of those legal provisions is the anti-discrimination legislation. Another example is the article VII.55/12 of the Belgian Code of Economic Law, which requires credit institutions to ensure that their customer acceptance policies and internal procedures guarantee objective, non-discriminatory and proportionate access to credit institutions’ payment account services.

Therefore the use of de-risking can be problematic, as it can undermine basic legal banking services, to which every individual is in principle entitled. The EBA has  already confirmed this  in its opinion, which reported that de-risking occurs across the EU and that it affects a great variety of customers: financial institutions such as correspondent banks and payment institutions, as well as certain categories of individuals associated with higher ML/TF risks such as asylum seekers. De-risking may therefore lead to adverse economic outcomes and financial exclusion which, in turn, can have a detrimental impact on the achievement of the EU’s objectives (e.g. effectively fighting financial crime, promoting financial inclusion and competition in the single market, etc.).

What are the potential impacts on financial institutions?

1. Overall risk assessment and customer acceptance policy

In application of the risk-based approach, financial institutions are required to take measures that are appropriate and proportionate with their nature and their size to identify and assess the ML/FT risks to which they are exposed (articles 7 and 16 of the AML/CTF Law). Such assessment should be performed taking into account the characteristics of the institutions’ customers, the products, services or transactions offered, the countries or geographical areas concerned and the distribution channels used, and should provide a risk-based classification of an institution’s customer base. Financial institutions are also required to adopt a customer acceptance policy which takes into account the overall risk assessment.

In its circular, the NBB clarifies what financial institutions can and cannot mention in their acceptance policy with regard to preventing unlawful de-risking:

Allowed:

• Making acceptance of certain high-risk categories subject to specific due diligence measures, such as guarantees on the fairness and transparency of a customer’s transactions (e.g. copy of invoice to be paid).

Not allowed:

• Exclude/offboard entire categories of business relationships based on general criteria such as their economic sector or link with a high-risk country, instead of on the basis of an individual risk assessment.
• Prohibiting a priori the provisions of a service offered because the potential customer belongs to a specific (high-risk) industry, such as the diamond sector. 

As a consequence thereof, financial institutions may be required to review their overall risk assessment and customer acceptance policy.

2. Individual risk assessment and refusal to enter into a business relationship on grounds related to AML/CFT

Article 19 of the Anti-Money Laundering Law contains the obligation for financial institutions to carry out an individual risk assessment on each of their customers. On this basis, financial institutions can determine which due diligence measures are appropriate for each customer using a risk-based approach.

• Financial institutions cannot justify their refusal to enter into business relationships with customers claiming that the AML/CFT Law prohibits them to do so where there is a high risk of ML/FT.
• The refusal to enter into a business relationship is only possible in the situations provided in the AML/CFT Law and where financial institutions can prove that it cannot meet the due diligence obligations imposed by law.
• In such cases, they have to comply with two other requirements: (i) keeping record of the individual risk assessment and the justification for the impossibility of fulfilling the legal due diligence obligations on which the refusal to enter into a business relationship is based; (ii)  analyzing the reasons why it could not meet these obligations, on the basis of which it was determined whether a notification to the CTIF had to be carried out.
• Example: a financial institution cannot refuse an individual a priori  just because (s)he has crypto-assets, which brings a high risk of ML/FT.

This may, once again, lead to financial institutions being obliged to review their individual risk assessment and acceptance criteria.

3. Due diligence and its cost

Financial institutions try to justify their refusal to enter into a business relationship or the termination of an existing business relationship by invoking the high costs of performing the due diligence as required by the AML/CFT Law. Furthermore, they indicate that their pricing does not necessarily differ for customers with or without high ML/FT risks.

On this topic, the NBB notes the following:

• Financial institutions can, within what is permissible, take into account in their pricing the costs that comes with the due diligence measures as required by the AML/CFT Law. As a result, it may be legitimate to apply different price levels according to the nature and level of due diligence required. However, such price differentiations must remain legitimate and not qualify as discriminatory or prohibitive.
• Consequently, the higher cost of AML/CFT due diligence is not a valid ground for de-risking entire customer categories.

This may have several consequences for financial institutions. Those currently relying on the above argument, will probably need to adjust their pricing by, for example, integrating due diligence costs.

Conclusion: The risk of administrative sanctions/civil or criminal convictions

Financial institutions fear remedial measures and sanctions in case their customers  abuse the business relationship to carry out ML/FT-related transactions, which is why they tend to engage in de-risking practices.

The NBB states that measures and sanctions can best be avoided by effective implementation of appropriate and effective AML/CFT prevention measures, and this especially in situations where the identified ML/FT risks are high.

It is therefore of the utmost importance that financial institutions have a solid and effective AML/CFT framework with adequate policies, procedures, internal control measures and an adequate record-keeping procedure.