The New York branch of an international bank was recently assessed a fine by the Office of Foreign Assets Control (OFAC) in connection with 7 wire transfers it facilitated totaling $58K. The wires were sent to an entity that turned out to be on OFAC's Specially Designated Nationals and Blocked List. It seems that the bank's screening software failed to identify the match between the name of the listed entity and the name of the organization receiving the funds. OFAC gave the bank a bit of a break, fining it "only" $28K because the issue was not due to internal staff error but rather to a software provider error (the normal base amount for this fine is $64K). That is still a lot of money considering the amount transferred. Either way, the software provider will likely lose a contract, and the bank is out a chunk of change.
Some would say it was just another day in any bank risk management officer's life. For this bank, though, we expect there will be some modifications to the vendor screening process and extra consideration on how vendors can create risk for an institution.
Every bank we know has some sort of Enterprise Risk Management (ERM) plan in place, but whether the plan goes beyond being a document in the policies and procedures and is actually a strategy for managing the bank depends upon the institution. The Risk Management Association (RMA) describes ERM by asking a set of questions that begins with "What are all the risks to our business strategy and operations?" It then fills in the detail by asking: (1) How much risk are we willing to take? (2) How good are we at overseeing risk? (3) How do we ensure we have the right information to manage risk? (4) How do we determine the size and scope of those risks? (5) How well do we manage those risks? (6) What are we doing about those risks? (7) What else can go wrong, and how are risks interconnected?
An effective ERM process should be a discipline. It should support the institution's objectives by addressing the full spectrum of risks and the management of those risks. Risks should be managed both individually and in terms of their combined impact. ERM is also not just about risk mitigation; it should be a process built into the bank's strategic plan.
When dealing with ERM, the goal is to promote proactive action within the bank. Bankers should also understand the areas of primary difficulty in creating a working ERM. These include: 1) Buy-in from the top - if not enough authority is delegated to those tasked with carrying it out, there will never be full integration. 2) Different areas of the bank must work together - expertise in one department may help in understanding the elements of risk in that particular business line, but a silo mentality will not help in understanding how risks in different departments can interact and combine to create a bigger problem. 3) Risk management strategies must be linked.
There can also be conflict between business development areas and those tasked with managing risk, so honest questions must be asked on both sides. Business developers should question whether the reward is great enough for the amount of risk the bank is taking on. Risk managers should challenge whether a recommendation will reduce the effectiveness of business development efforts to the point that the bank can no longer achieve its goals. Senior management must be involved to settle the differences and define the direction of the institution.
Having an integrated, strategic and proactive ERM process is expected by regulators, and beyond that, it's just good business. Whether a better ERM process would have protected the NY bank from its OFAC violation is unknown, but chances are that the weakness in the software provider's screening might have surfaced earlier with a more integrated approach to risk management.