FINMA Issues New Risk Monitor Identifying Key Risks for Financial Institutions

On December 10, the Swiss Financial Market Supervisory Authority (FINMA) announced that it is publishing a Risk Monitor report for the first time.  FINMA stated that previously the Risk Monitor has been solely an internal instrument that it used as part of a risk-assessment tool, but that it would issue the Risk Monitor annually in the future.

This Risk Monitor, in FINMA’s words, “provides an overview of what FINMA believes are the most important risks currently facing supervised institutions and describes the resulting focus of its supervisory activity.”  The new Risk Monitor identifies six principal risks for its supervised institutions and the Swiss financial center:

  1. The persistent low interest-rate environment.  The Risk Monitor stated that

[p]ersistently low interest rates in both Switzerland and the European Union (EU) over both short-term and long-term horizons are having a detrimental impact on the profitability of supervised institutions. This situation increases the risk of asset price bubbles and sudden reversals and may potentially undermine the viability of certain business models.

The Risk Monitor also commented that “if interest rates were to stagnate at their current low levels for a very long time, this would pose a risk to certain business models. This is particularly true of banks focused on the interest margin business and life insurers.”

2. “[A] possible correction on the real estate and mortgage market, especially in the investment property segment.” The Risk Monitor observed that “[t]he sharp rise in vacancy rates for investment properties, combined with the ongoing boom in construction activity, is exacerbating the risks in the Swiss real estate and mortgage market.”  It added that “[p]revious crises have shown that financial institutions which expand their activity in the late phase of an economic cycle are particularly exposed to the risks of an ensuing economic downturn.”

3. Cyberattacks. The Risk Monitor highlighted the fact that “[t]he high and ever-growing dependency on and interconnectivity of information and communication technologies give rise to pronounced vulnerabilities among Swiss financial institutions.” It cited, as one example, that

outages of and disruptions to IT systems, particularly those resulting from cyberattacks, can jeopardise the availability of critical services and functions.  Depending on the nature of the cyberattack in question, this can have repercussions for individual financial institutions and threaten the functioning of the Swiss financial centre as a whole.

Recognizing that “[t]he number and intensity of cyberattacks are growing strongly,” the Risk Monitor also stated that “[a] successful cyberattack can have serious consequences for the functioning of the Swiss financial centre,” particularly if an institution that provides integrated or interlinked services (e.g., a systemically important financial institution) were successfully attacked.  Such an attack, the Risk Monitor warned, “could prove damaging both to other financial institutions and the Swiss economy as a whole. The reputational damage would be significant, and confidence in the Swiss financial centre would be affected.”

4. What FINMA termed “a disorderly abolition of LIBOR benchmark interest rates.” Because LIBOR benchmark interest rates continue to be widely used in financial instruments, the Risk Monitor identified “[i]nadequate preparation for the replacement of LIBOR interest rates (envisaged by the end of 2021), including Swiss franc LIBOR,” as a key risk.

5. Money laundering. The report commented that the fact that the Swiss financial center “is a leading global cross-border wealth management hub for private clients . . . makes it particularly exposed to money-laundering risks.”  It took note of two specific concerns.  First, in light of the spate of recent corruption scandals involving entities such as 1MDB and Petrobras, it stated that “the risks for financial institutions involved in the cross-border wealth management business remain high.” It also warned that the complexity of the structures involved in bribery and corruption, “particularly when domiciliary companies are used, can increase the risk of money laundering.”  Second, it specifically stated that

the financial industry also faces new risks in the area of blockchain technology and the cryptoassets that are attracting growing interest from clients. Although these new technologies promise efficiency improvements in the financial industry, they also accentuate the threats posed by money laundering and the financing of terrorism due to the greater potential anonymity they involve, as well as the speed and cross-border nature of the transactions. Malpractice by the financial institutions active in FinTech could significantly damage the reputation of the Swiss financial centre and slow down the development of digitalisation.

6. Increased impediments to cross-border market access, particularly in the EU. Given the “trend towards tougher market access rules for foreign providers in a number of jurisdictions,” which “is occurring against a backdrop of increasing friction in international trade and uncertainties relating to Brexit,” the report stated that “[f]or Swiss financial institutions, this gives rise to legal uncertainties and risks, as well as the possibility of additional costs.”

In addition to these six principal risks, the Risk Monitor report identified other long-term risks.  It described “the financial risks arising from climate change as one of the most important long-term risks,”  but included comments about other long-term risks such as “an ageing society, the increasing individualisation of insurance based on big data, and risks for wealth management in a market with falling values of financial instruments.”

N.B.:  Risk and compliance teams at financial institutions with international operations should value the public issuance of the Risk Monitor for three reasons.  First, it provides them with an unprecedented level of insight into the thinking of FINMA about key risks in the financial sector, even if the report understandably focuses on risks affecting Swiss institutions and the Swiss financial  center.  Second, it also gives them a new source of analysis and perspectives that should be incorporated into their risk assessment processes.  Third, they should welcome FINMA’s willingness to make its own risk-assessment process more transparent and to commit to doing so in future versions of the Risk Monitor.

Some in the fintech sector may be surprised by the Risk Monitor’s admonitions concerning blockchain technology.  In separate remarks on December 10, however, FINMA Chief Executive Officer Mark Branson took pains to explain to reporters that FINMA wants to give blockchain developers “a chance and we have done a lot to remove unnecessary barriers to enable projects based on digital currencies.”  At the same time, Branson said, “we are also not starry-eyed as these new business models come with new risks, or old risks in new shapes.”

Institutions under FINMA’s authority should therefore be prepared, if they intend to push for greater adoption of blockchain technology, to present specific factual information and analysis to FINMA demonstrating how those institutions intend to modify their risk assessments and compliance programs to mitigate those “new risks” or “old risks in new shapes.”

Frankfurt Prosecutors End Money Laundering and Tax-Evasion Investigation of Deutsche Bank Employees, But Require €15 Million Payment for AML Controls Defects

On December 6, according to the Financial Times, Frankfurt prosecutors announced that they were ending a criminal investigation of two Deutsche Bank employees for suspected money laundering and tax evasion via a former Deutsche Bank subsidiary, but were requiring the bank to pay €15 million “for shortcomings in money-laundering controls.”

This action ends, at least for Deutsche Bank, a lengthy investigation by the prosecutors that focused on potential misconduct at the former Deutsche subsidiary, Regula, in the British Virgin Islands.  By far the most visible facet of that investigation was a two-day raid on Deutsche Bank headquarters and other premises in November 2018 “by 170 armed police looking for evidence of suspected wrongdoing.”  Worldwide media reporting on that raid had what a Deutsche Bank spokesperson recently described as a “heavy impact” on the bank, including plummeting share prices and mounting funding costs.

At the time, according to the Financial Times,

German law enforcement authorities suspected that Deutsche Bank clients transferred money linked to illegal activities to offshore accounts and that the bank failed in its legal duty to flag those transactions as suspicious between 2013 and 2018.

The criminal investigation focused on two managing directors in the bank’s compliance and wealth management units.

A Deutsche Bank statement reported that the investigation was ended “due to lack of sufficient suspicion.” Prosecutors nonetheless required Deutsche Bank to pay €5 million for shortcomings in its control environment, and confiscated €10 million in financial gains that they asserted the Regula-related transactions had generated for the bank.  The Frankfurt prosecutors reportedly plan to continue to investigate German customers of Regula that they suspect of tax evasion.

N.B.:  The Frankfurt prosecutors’ announcement brings to an abrupt and puzzling end a highly visible criminal investigation, in which the prosecutors, only six months ago, reportedly had considered about 80 current and former Deutsche Bank employees, including senior executives, to be suspects.  How long the prosecutors will sustain their interest in other German lenders’ and individuals’ possible involvement in tax evasion remains to be seen.

Football Association of Ireland Discloses €84 Million in Liabilities and Debts After Departure of Former CEO John Delaney

In the latest reporting on the financially troubled Football Association of Ireland (FAI), on December 7 The Times reported a series of new developments, since former FAI Chief Executive John Delaney’s resignation in September, that indicated how dire the FAI’s situation has become:

  • On December 6, the FAI publicly presented its accounts for 2018 and reconstituted accounts for 2017 and 2016. Those accounts show that–
    • The FAI has total liabilities of more than €55 million and bank debts of more than €29 million. Moreover, those bank debts “are in ‘technical default’ due to errors in the 2017 accounts. The FAI said that it was attempting to refinance its debts, and the loans have been categorised under liabilities.”
    • The FAI had “seriously overstated its financial position in previous years.” In 2016, the FAI reported a profit of €2.3 million, but its actual profit was only €66,000.  In 2017, the FAI reported a profit of €2.8 million, but it actually had a loss of €2.9 million.  In 2018, the FAI had a loss of €8.9 million, “including a voluntary disclosure of underpaid employment taxes and VAT,” plus interest and penalties of €2.7 million for the period between 2015 and 2018.
    • At the time of his departure from the FAI, Delaney received a settlement of €462,000, including a €372,000 contribution to his pension fund and €90,000 in lieu of notice. Donal Conway, who also announced on December 6 that he is to step down as FAI President in January 2020, said “that he was not aware of the details of the payout to Mr Delaney as it did not come before the entire board.”
  • Conway, who had been on the FAI board for more than ten years, also stated “that he had no idea the association’s finances were in such bad shape.” He admitted that “[t]he board I was a member of as a collective did not do its job well,” and stated, “I was part of a board that should have scrutinised more seriously than it did.  I feel responsible for not having discharged that responsibility to a higher standard.”
  • Paul Cooke, who recently took over as the FAI’s executive lead and had been a longtime critic of Delaney’s conduct as CEO, said that “[w]hat we found in [the accounts] in addition to pension payments, loyalty bonuses, there were other payments that would have been paid on behalf of the former CEO, and items that should have been recognised as benefit in kind.”

In addition, Deloitte, the FAI’s auditors, stated that since the end of 2018, the FAI “has had negative operating cashing. The Association is reliant upon continued financial support from UEFA and the Association’s bankers.”  It also stated that since the end of 2018, the FAI has received “continuous financial support” from UEFA to help meet its “ongoing operations.”  It reported that the FAI “was in ‘advanced discussions’ with its bankers to try to agree long-term funding to help it meet its liabilities and provide ‘financial stability to the balance sheet in the short and medium term’.”  Deloitte noted that the FAI’s current directors “are optimistic that an agreement can be reached, however note that this presents a material uncertainty as regards the ability of the association to meet its liabilities as they fall due.”

N.B.:  In light of these latest reports concerning the FAI’s financial woes, it is not surprising that the FAI’s plight has become a matter of national concern.   The ripple effect of the FAI’s situation has caused great distress among local football clubs, even prompting Taoiseach Leo Varadkar to “pledg[e] to save grassroots football.”

These reports also indicate that the FAI has now become a case study in how the failure to conduct appropriate board oversight of senior leadership and finances,  and to maintain effective internal controls, can have devastating consequences for an organization.  Even with new executive leadership and new independent directors, the FAI faces a long and hard road in restoring its financial affairs and public confidence in its stewardship.

Chinese Court Sentences Former National Official and Xinjiang Governor to Life Imprisonment for Accepting $11 Million in Bribes

On December 3, the South China Morning Post reported that on December 2, the Shenyang Intermediate People’s Court in Liaoning Province sentenced the former Governor of Xinjiang Province and former director of the Chinese National Energy Administration (NEA), Nur Bekri, to life imprisonment after Bekri admitted to accepting more than ¥79 million (equivalent to $11.2 million) in bribes between 1998 and 2018.

Bekri, reportedly one of China’s most senior Uighur officials, said that he would not appeal the sentence.  The Xinhua News Agency characterized Bekri’s sentence as “lenient,” because Bekri “had confessed to crimes that prosecutors had not known about and volunteered to return some of his ill-gotten gains.”

The Morning Post also reported that soon after Bekri left his post as Xinjiang Governor to accept a higher-level position in Beijing in 2014, “a widespread anti-corruption campaign” ensued that led to the firing of dozens of senior officials, including Bekri’s chief of staff Alimjan Mehmet Emin and Bekri’s deputy land chief Li Jianxin.

After Bekri rose to head the NEA in 2018, that same year the National Supervisory Commission (NSC) announced that Bekri himself had been placed under investigation.  At that time, the NSC declared that Bekri was suspected of a “serious violation of discipline and law.”  Subsequently, in 2019 the Central Commission for Discipline Inspection (CCDI) announced that Bekri had been expelled from the Communist Party and accused him of abusing his position to live a “lavish life.”  The CCDI stated that Bekri had engaged in “family-style corruption,” involving illegal acceptance of property directly or through his relatives and demands of luxury cars for his relatives, as well as participating in lavish banquets and accepting expensive gifts from those seeking favors.

N.B.:  Bekri’s case in one sense is typical of the severe sentences that former Chinese officials and Communist Party leaders have been receiving for their participation in longstanding corruption.  The timing of the sentence, however, may be significant, because it occurs in the midst of what numerous media have reported as the Chinese government’s continuing harsh repression of the Uighur population in Xinjiang.  While most of that repression is directed at the mass of Uighurs in Xinjiang, Bekri’s sentence may serve an additional purpose of implying that even Uighur leaders are untrustworthy and unfaithful to the Party and the Chinese people.

UK Competition and Markets Authority Directs HSBC and Santander to Refund Money to Clients for Violating Retail Banking Market Investigation Order

On November 29, the United Kingdom Competition and Markets Authority (CMA) announced that it was directing global banks HSBC and Santander to refund money to customers for multiple breaches of Part 6 of the CMA’s Retail Banking Market Investigation Order (Order).

In 2018, after the CMA’s retail banking market investigation “identified a number of competition problems in both the personal current account (PCA) and small and medium-sized enterprise (SME) banking markets,” the CMA Order came into force.  Part 6 of that Order, as the CMA stated, “ensures customers receive text alerts before banks charge them for going into an unarranged overdraft, giving them time to take action to avoid any charges.”

Starting in February 2018, however, both HSBC and Santander “failed to send alerts in all of the circumstances required by the CMA.”  HSBC reportedly breached the Part 6 requirements twice:

  • Breach One: The CMA’s Directions to HSBC explained that its first breach stemmed from HSBC’s commitment “to implementing its ‘unsociable hours’ policy to minimize disturbance to customers.” That meant, according to the CMA, that HSBC “did not contact customers between 10:45pm and 7:30am on weekdays and 10:45pm and 10am on weekends and bank holidays.”  As a result, HSBC did not send alerts to customers during those specified hours

even though HSBC continued to charge customers for using an unarranged overdraft. This meant that customers who triggered an Alert between 10:45pm and 11:45pm (when balances were calculated) did not get an Alert that complied with the Order and continued to be charged by HSBC. Most customers received an Alert the next day after incurring the charge, which is in breach of the Order.

  • Breach Two: The CMA’s Directions stated that

HSBC’s systems for storing the mobile phone numbers of customers that applied for PCAs through certain application methods (including its digital current account, digital credit card and digital loans applications) stored numbers in a format that was incompatible with the text alert system used to comply with Part 6 of the Order. As a result, HSBC did not process these Alerts and some customers were not notified before incurring charges related to unarranged overdrafts.

Santander reportedly breached the Part 6 requirements six times:

  • Breach One: Santander failed to enroll some customers’ mobile phone numbers into its system of Alerts in two specific situations: (1) “where a customer previously registered for email Alerts has added a mobile phone number for Alerts to be sent to, their mobile phone number has not been registered”; and (2) “when a customer updates the mobile phone number registered for Alerts, Santander has de-registered the old number, but has not been registering the new number.”
  • Breach Two: “Santander failed to issue an Alert to each customer who at the start of the day (10.00) was in an arranged overdraft position at the end of the previous day (22.00) and a direct debit (but no other payment) is processed overnight (between 22:00 and 05:00) that puts them into an unarranged position.”
  • Breach Three: Santander “failed to provide an Alert where the amount authorised and withheld on an account exactly matches the value of a single direct debit amount being processed and no other payments are made.”
  • Breach Four: “On 72 occasions, Santander failed to send Alerts to customers until later in the day (after 10.00) due to high volumes of overnight batch payment processing.”
  • Breach Five: “Certain of Santander’s retail platforms that capture new customer data allow a customer’s mobile telephone number to be stored in data fields that are not specific to mobile telephones. This means that such numbers are not enrolled for mobile alerts, because Santander’s alerts system only uses numbers stored in the mobile field. As a consequence of Santander not enrolling some of their customers into its system, these customers have not received Alerts when required by the Order.”
  • Breach Six: The CMA noted that there were “limited instances where three categories of error message were generated within Santander’s alerts system resulting in alerts not being sent.”

In both HSBC’s and Santander’s case, the CMA deemed their failure to issue the alerts a serious matter.  With regard to HSBC, it stated that to date (November 29), approximately 115,754 of HSBC’s  customers have been affected.  HSBC committed to refunding all affected customers and has already started to refund those customers, with an estimated total of £8 million in refunds.  With regard to Santander, it stated that Santander “has been unable to provide figures for the numbers of customers affected or the value of refunds to be made for each of the six breaches.”

N.B.:  These cases generally indicate the importance of companies’ making timely preparations for full implementation of compliance requirements and measures by the time that those requirements come into force.  They also indicate the importance of banks’ paying attention to even small details that, whether or not inadvertently overlooked, cause needless hardship for customers and needless cost and reputational damage to the banks.