White paper
Financial Institutions and Reputational Risk: Consistent Closure
Formalizing the reputational risk review and exit process in the customer banking relationship
Scope of the problem
One of the broadest and least codified areas of financial crime compliance (FCC) is the idea of reputational risk. Broadly, reputational risk has been interpreted to mean anything from “Do we want to be the bank that maintains relationships for this client?” to “What would it look like if this illicit client or the client’s activity were divulged in the media?”
The reputational risk spectrum is meant to encompass the idea that a financial institution could suffer a legal, operational, or perceived loss of reputation/credibility or even “likeability” as a result of maintaining such a relationship. This concept is compounded by the likelihood that, where there is a reputationally linked incident, there is also a potential—if not a certainty—that regulatory enforcement action is looming.
Understanding the scope
The concept of reputational risk is aligned to other intangibles, such as continuous monitoring and negative media screening. While not sharply defined by regulatory guidance, the expectation is that financial institutions will engage in perpetual scanning of reliable data sources (i.e., media reports, public notices, etc.) for stories that are not only financial crime-related but also correlate to their clients.
The expectation is that, once a match from media event to the client is established, it will cause a so-called trigger event that will merit an investigation of the named client. Through subsequent enforcement actions and practical experience, the expectation has further been fleshed out to require a review process and audit trail for the decision making around why a client was or was not retained, and the strength and depth of their exit.
While this expectation is relatively clear as it pertains to money laundering, fraud, corruption, or other patently financial crime-related incidents, it is much less certain as it relates to reputational risk. The regulatory expectation and practice around external environment monitoring then becomes even more ambiguous the further an incident gets from clearly criminal activity.
The old maxim, “where there’s smoke there’s fire,” holds particularly true in the case of the opioid crisis and the pharmaceutical company executives purportedly behind it. To explore this further, there is no more pertinent example than the nexus between the Sackler family and the opioid crisis. This demonstrates a significant case for the establishment and use of a reputational risk matrix for customer acceptance, retention, and exit.
Corruption-enabled dependence: Understanding the broader scope
According to the National Institute on Drug Abuse, there are well over 100 deaths linked to opioid misuse every single day. This estimate includes both opiates and pharmaceutical opioids like fentanyl. At the root of this issue was pharmaceutical companies providing specious reassurances that despite opioids being profoundly effective at pain management, they weren’t addictive by nature.
According to a report issued by two bipartisan members of Congress, one pharmaceutical company routinely pushed the narrative that “[opioid] dependence occurs in less than 1% of patients, despite no scientific evidence supporting this claim.”
As a result of these reassurances, medical practitioners began prescribing opioids (both legitimately and oftentimes illicitly) in astonishing quantities. According to the Centers for Disease Control and Prevention (CDC), beginning in 2006 through its peak in 2012, the rate of prescriptions for opioids hit about 255 million in the United States.
To put that number in perspective, it would mean one prescription for 81 out of every 100 people in the country. Still, according to the CDC’s own data, the prescription rates did not abate dramatically. Through 2017, there were more than 191 million prescriptions which, when mapped out across affected geographies, represents enough opioid referrals so that in 16% of the counties in the United States, there was one prescription for every resident of that county.
The statistics are not necessarily misrepresentative. Studies have shown that specific geographies were more affected than others. This is due in part to physician and medical practitioner abuses in those geographies, as well as employment linked to use and abuse. According to one report, construction workers and miners tend to be the most linked to opioid use.
Indeed, the opioid epidemic has historically been linked to areas where those occupations are central to residents’ livelihoods. Still, these dependencies are correlated with, if not largely exacerbated by, practitioners who illicitly over-prescribed fentanyl, oxycodone, or their counterparts.
One doctor in rural Virginia wrote more than 500,000 prescriptions for these pharmaceuticals as part of a drug-trafficking ring. The doctor would run his cash-only practice on an almost 24-hour basis, prescribing painkillers to every single patient in the Martinsville, Virginia area—one of the geographies hardest hit by the crisis. There was another doctor in Long Island, New York who literally prescribed opioids out of abandoned storefronts and from his car. Prosecutors alleged that the doctor had issued more than 1.8 million prescriptions and, as with the Virginia doctor, at least one fatal overdose had been linked to his activity.
These doctors were detected through a complex patchwork of investigations, including tracking the number of prescriptions requested or issued by their practices. Still, the medical practitioners at issue would not have been as enabled in their alleged crimes had there not been a support network of pharmaceutical companies to generate a supply for the demand.
From a compliance perspective, there are parallels to be drawn between media reports describing not only the typologies but geographies of illegal and unethical pharmaceutical distribution, and geographic targeting orders issued by the Financial Crimes Enforcement Network (FinCEN). Both events would carry an implication that the affected regions or identified activity merit some form of heightened monitoring or escalation for anti-financial crime purposes.
As it pertains to continuous monitoring requirements, media reports suggesting which cities or regions had been hardest hit by the opioid crisis give an inkling as to where enhanced monitoring may be required. However, when looking at the opioid crisis, in particular by examining the legal but potentially exploitative sale of pharmaceuticals, the concept of reputational risk becomes clearer.
Never discuss the family business — A Purdue Pharma case study
As of the third quarter of 2019, there were about 2,000 lawsuits pending against OxyContin manufacturer Purdue Pharma and its owners, the Sackler family. While the company and its owners have routinely denied any responsibility for creating or sustaining the nation’s opioid crisis, the company did issue marketing material for physicians in which it coined the term “opiophobia” in an effort to dissuade doctors from being afraid of potential dependence or death linked to opioid use.
Coincidentally, as the use of opioids like OxyContin increased, Purdue saw revenue of more than $35 billion starting with the drug’s introduction in 1995 as the Sacklers moved up the list of the wealthiest families in America.
In recent years, the dam finally broke and attention shifted from prosecuting the individual users and prescribers of opioids to the pharmaceutical companies manufacturing and distributing the drugs. The total estimated cost of the crisis is somewhere in the neighborhood of $700 billion, or 3.4 percent of US GDP for 2018.
In the face of the thousands of state, individual, and class-action suits, Purdue and the Sacklers declared bankruptcy. This announcement came just about one month after the Financial Crimes Enforcement Network (FinCEN) issued an advisory on the red flags associated with the illicit trafficking of fentanyl.
Embedded in that advisory was caution about the misuse of shell companies to launder the proceeds of the illicit sales of opioids. Shortly thereafter, the office of the New York State Attorney General announced it had uncovered another pattern of shell company abuse. The Sackler family had allegedly used secret Swiss bank accounts to transfer $1 billion from Purdue Pharma to a number of shell companies, trusts, advisors’ services, and business entities under their control.
To be very clear, the Sacklers have not been charged with any crime to date. Nor has any financial institution been identified as having facilitated or failed to identify and flag any potentially suspicious financial transactions. Still, in an age where more and more stories surface about financial institutions hosting reputationally and legally challenging clients, there are action points that come out of incidents like this.
From a reputational risk perspective, for example, client risk must tie back to a financial institution’s risk appetite. More frequently, but nonetheless anecdotally, a risk statement must contain both qualitative risk limits as to customer typologies (e.g., marijuana, crypto, bearer shares, etc.) and quantitative limits for high-risk products or services (e.g., dollar limits on international wire transfers, X-number of third-party payment processor clients, etc.).
Within that analysis, one clear best practice would be to entwine the bank’s policies in the risk appetite—that means taking the spirit behind the initiative, formalizing that appetite into an agreed-upon statement, and then testing against those requirements as with any other control.
This encompasses both continuous monitoring of those higher-risk entities for potential breaches of risk tolerance limits and an escalation process for those breaches. Using a clear example, such as an unlicensed online casino, a risk appetite statement might say that the financial institution will have no appetite for such businesses maintaining accounts or relationships.
The exploration of that declarative should include a documented process to consider if “no appetite” means no new clients, or also means that, as a result of this policy shift, all existing clients like that will be exited.
Furthermore, there could be an escalation path for clients that are in related or adjacent businesses to the high-risk entity, so that in the face of a potential question, those clients are given further due diligence and not swept under the rug. As with the Sackler family, financial institutions could do an even deeper dive and include a sub-component in that analysis of whether or not the beneficial owners or proprietors of such a business could or should be retained, even if they are not in the same product space.
The process would then require the codification of risk tolerance for having, for example, personal accounts for those individuals whose reputationally challenged businesses may not be at the same bank.
De-risking, re-risking, and the risk of inaction
Back in 2009, an international bank was fined for having used a number of mechanisms to facilitate international tax evasion. As a result of that fine, the bank exited droves of clients in an effort to de-risk its portfolio. As that bank exited those clients, another international bank developed a documented growth initiative to expand its business by picking up those very same clients.
The subsequent bank actually pursued those exited clients and then offered them similar—if not the same—legally questionable practices to aid them in tax evasion. That bank was then fined by the US Department of Justice specifically for the way that they had “re-risked” those clients.
While this is a broad example, one with more specifics that emerged over a longer period of time is that of Jeffrey Epstein. Epstein was charged with two crimes which, at the time, did not reflect any more ominous connections than would be later revealed. In the early 2000s, he was charged with two counts of what were effectively prostitution-related crimes. The charges carried a 13-month sentence, which Epstein served and ostensibly did not receive much attention for afterwards. Subsequent civil settlements with accusers similar to those of the 2005 complaints surfaced, but Epstein was able to maintain a degree of secrecy around those settlements.
It wasn’t until early 2019 that both new and renewed allegations of sexual abuse surfaced, along with a broader implication that Epstein had engaged in domestic and international trafficking of victims. Along with those allegations came reports from media outlets about how Epstein had financed his alleged activity and where he had kept and moved his money.
As the media reported it, a foreign bank operating in the US had maintained accounts (personal and more complex structured accounts) and relationships for Epstein since at least 2013. To that end, the bank had flagged unusual activity in those accounts for escalation as possibly being linked to sex trafficking. However, it wasn’t until 2019 that, according to those same reports, the bank closed its relationships with Epstein.
These allegations surfaced at the same time the bank was already under scrutiny for its handling of and retention of Donald Trump and Jared Kushner’s accounts, retaining Trump’s despite numerous reported red flags, defaults, and operational losses.
Returning to Epstein, subsequent stories reflected that after the hosting bank had jettisoned the accounts, another financial institution had taken on the relationship. Interestingly, the article referencing the presumably newly formed relationship also referenced previous blemishes for that bank, including its involvement in—and accused facilitation of—a Ponzi scheme. In short, all of the bank’s previous dealings were conflated into a broader inference of poor judgment or a lack of risk foresight. Moreover, the article carries an embedded tone, portrayed as the bank’s desperate hyper-capitalism driving the decision to take on a client of such profound risk while ignoring the likelihood that at least some of their assets were used in or generated from a predicate offense.
From a compliance perspective, the heart of the issue is the lack of a matrix to clearly prioritize compliance concerns when it comes to client onboarding, retention, and subsequent exit. The recent US Department of Justice Guidance on effective compliance programs clearly outlines that compliance should not only have a voice in commercial conversations, but a prominent seat at the table for those considerations. Still, absent a clear process and procedure for reputational risk, the institution hosting the client at issue—whether politically divisive, ethically questionable, or in the gray area of potential illicit activity—will suffer the consequences after the fact.
The process of exit management has to be tailored to the size, complexity, and risk exposure of a financial institution. While this facet of FCC risk hasn’t been fully vetted in enforcement actions, there are a few industry best practices to be gleaned from exit/risk assessment-based penalties.
Arguably, the expectation is that an exit management procedure exists which includes strict governance over how clients are exited from the bank, and stronger oversight into whether or not those clients are allowed to retain or reenter the bank at a given point in time. Concurrently, the institution’s risk tolerance and appetite should be reviewed to gauge whether or not this client exit merits an update to the existing parameters. Below is a suggested template for exit risk management and auditability.
Exit auditability
Gone but not forgotten
If the risk assessment and appetite-to-tolerance testing is the initiation and maintenance of reputational risk, escalation and exit management are the terminus. As noted previously, the continuous monitoring process should include an analysis of both direct and indirect exposure to an issue that the bank considers a material reputational issue. That materiality, like any other good policy, should be documented and periodically reviewed.
If, for example, a bank no longer wanted to maintain accounts for a gun manufacturer, pharmaceutical manufacturers, or for-profit prisons, then the policy documents would need to be updated. Subsequent self-testing should serve to identify existing clients that fit those profiles and, to the extent codified by the bank, adjacent businesses and account holders should be marked for escalation as well. That escalation should relate back to the risk tolerance parameters of the bank to determine if the exit/closure requirements pertain to all accounts, or only new relationships going forward.
To ensure reputational risks are mitigated, this should extend to the beneficial owners or directors of those entities to determine whether or not even their personal accounts should be exited based on their nexus to the now-disfavored business/client type. Next comes the exit.
As with a purely financial crime exit, the bank may consider the complexity of an account’s closure before determining whether or not to close it at all. The available regulatory guidance gives a “reasonable” timeframe to close accounts, and allows for a financial institution to maintain a loan/line of credit for a client with the implication that the account is subject to enhanced monitoring.
Still, for accounts which are relatively simple to close, such as checking and savings products, a bank that decides on an exit for reputational risk purposes would need to not only ensure the accounts are closed but that there is some form of reentry prevention depending on the severity of the issue. As a best practice, a risk-based approach is recommended to determine whether the client is exited but allowed to return (and if so, after how long and across what products/services), not allowed to return subject to consideration, or never allowed to use that financial institution again (i.e., blacklisted).
This same analysis could be applied to related businesses and parties of that client to ensure there is no potential for proximate reputational risk, for example, exiting Epstein’s personal accounts but retaining a trust in his name, or the account of a long-time friend/associate.
Testing the theory
Like more traditional financial crime compliance controls, the only way to gauge if these processes (once formalized) are working as intended is through quality assurance/control, testing, and audit. Key gaps to be aware of include the lack of escalation mechanisms for reputationally questionable incidents, the absence of a leadership forum—or a forum which does not include financial crime compliance in its consideration of reputational risk—and, most importantly, the correlative weight that compliance and reputational risks are given during decision making.
While testing or audit should reflect that there is a clearly documented rationale for any compliance-oriented decision, this takes on additional gravitas in the face of an issue that might give rise to a combined reputational, compliance, legal, or operational risk. While it might be worthwhile to develop a tool that helps gauge those exposures to assist in making a client exit versus retention decision, testing should reflect that the tool is a floor for decision making, with the previously mentioned leadership forum as the ceiling.
To that end, if this were a financial institution’s first time testing the tools and processes for exit, the first step in the sampling would need to be focusing on those reputationally questionable clients that were in the gray zone between “immediately exit” and “unquestionably retain.” The focus would then need to be on whether the right (or wrong) amount of emphasis was given to commercial concerns, as opposed to a policy-aligned decision.
As with traditional financial crime compliance controls, the anomalies are the biggest concern. Particular concentration should be placed on those client types which are referenced in the reputational risk policy and haven’t been exited, as well as those clients which could be aligned to the “high” risk typologies but aren’t succinctly defined.
At the end of the process, there is no one-size-fits-all approach to risk, but the bedrock tenet of a risk-based approach would serve its user well. How that pertains to reputational risk is also up to the individual institutions. However, with the continued increase in regulatory expectation, the idea that a financial institution didn’t know, didn’t ask, or didn’t want to know about the reputational risk of its client base is clearly unacceptable.
Just as with financial crime compliance concerns, regulators will likely infer that the bank was demonstrating a pattern of reputational willful blindness, and they had reason to know and act better.