Top 10 op risks 2019: regulatory risk

Money laundering and threats to personal data have regulators spooked

For the specialists who nail down regulatory requirements at banks, the first thing they need to know is what they’re supposed to do. This year, that will be a little more complicated.

Take the sizzling topic of money laundering. Amid a spate of incidents, the European Union in February produced its latest blacklist of 23 places at high risk of money laundering and terror financing, naming Saudi Arabia and US territories like Puerto Rico. About two weeks later, the EU’s member states – voting nearly as one – struck it down in the wake of a diplomatic furore. The EU’s next move is anyone’s guess, but regulators are starting to push hard.

“On AML [anti-money laundering], there are huge regulatory expectations there,” says one operational risk executive at an international bank.

Another question mark hangs over Europe’s General Data Protection Regulation (GDPR), which took effect last May and governs personal data relating to anyone in the EU, whether or not the organisation processing it is based there. In the event of a breach, a business has 72 hours from becoming aware of it to report it to the relevant supervisory authority. Breaking the rules can draw anything from a warning to fines peaking at €20 million ($22.5 million) or 4% of worldwide annual turnover, whichever is larger. Banks with so much as a toehold in Europe may be subject to it.

The budding field of regulation technology, or regtech, will continue to make inroads, with all the growing pains of new systems. Blockchain, and how distributed ledgers might be put to use in regulation, will also keep gathering momentum.

This year, the usual complement of regulation plus roiling new issues placed regulatory risk in sixth position in this survey of the top 10 op risks.

Anti-money laundering compliance has taken centre stage since the Danske Bank Estonian episode came to light in 2017. As much as €200 billion in ‘non-resident’ money coursed through Danske’s modest Tallinn branch from 2007 to 2015.

Danske’s chief and chairman were ousted. The Danish financial regulator has imposed higher capital requirements, and the US Department of Justice has begun a criminal investigation. The European Banking Authority is looking into whether regulators in Denmark and Estonia were remiss. Estonia has ordered Danske to shut the branch.

More recently, the Troika Dialog ‘laundromat’ is alleged to have filtered $8.8 billion for Russian oligarchs and politicians into banks from Oslo to Istanbul. How far the network seeped into European banks is emerging day by day; how the EU will safeguard the integrity of banks across its large, porous territory is unclear.

In the meantime, local regulators are scrambling to toughen standards and penalties. Without regional co-ordination, though, banks may wrestle with compliance.

The operational risk executive at the international bank says regulators worldwide are amping up on a number of fronts, like cyber and risk reporting. But money laundering is a priority.

“We have a huge programme in the group to try and comply with their requirements,” he says.

Fines for money laundering are way up. According to ORX News, between 2014 and 2017, fines in Europe and the UK totalled $214 million, and $1.96 billion in the US. By 2018, fines in Europe and the UK had jumped to $979 million and $1.3 billion in the US.

As with money laundering, data protection presents its own cross-hatch of requirements for banks spanning continents, beginning with the EU’s GDPR and its implications for privacy law.

Under GDPR, no consumer should be subject to a solely automated decision that “produces legal effects concerning him or her, or similarly significantly affects him or her”. The regulation itself (Article 22) carves out three exceptions: where the decision is necessary for a contract between the customer and the bank, where it is authorised by EU or member-state law, or where the customer has given explicit consent. In the contract and consent cases the customer still retains the right to obtain human intervention and to contest the decision. One reading therefore holds that banks need a customer’s explicit permission before making automated decisions that affect them; another is that such decisions can proceed without consent when they are part of a contract or required by local law. Where the line falls for credit scoring, fraud screening and similar models is what banks are still working out.

“There are so many privacy regulations that raise issues from a regulatory risk standpoint. It’s a patchwork of regulations at the state and federal levels,” says an operational risk executive at a second North American bank.

GDPR’s fines may be bringing more breaches to light. At the Financial Conduct Authority in the UK, reported breaches were up nearly fivefold last year, according to research by the UK law firm RPC.

Another evolving area is regtech. Besides automating reporting and compliance, it might be used to identify changes to rules and regulations across multiple jurisdictions – it might even proactively check for compliance before a transaction is executed.

Even regulators are looking at its uses. The FCA and the Bank of England launched a pilot programme in 2018 with several large UK banks to evaluate machine-readable and -executable regulatory reporting. The goal is to improve accuracy in reporting, get regulatory changes moving faster and cut compliance costs.

The US Commodity Futures Trading Commission is on board. Chairman Christopher Giancarlo waxed digital in a speech last November, veering into a related topic: blockchain, or distributed ledger.

“We envision the day where rule books are digitised, compliance is increasingly automated or built into business operations through smart contracts, and regulatory reporting is satisfied through real-time DLT [distributed ledger technology] networks.” He added: “The machines here at the CFTC would have the ability to communicate regulatory requirements and consume and analyse the data that comes in through such systems.”

Regulators have also warned however that blockchain raises a host of legal and regulatory issues. The CFTC has a tech advisory committee studying distributed ledger and cryptocurrencies.

But regulatory risk continues to involve the usual complement of acronyms and shorthand: FRTB (Fundamental Review of the Trading Book), Mifid II (revised Markets in Financial Instruments Directive), CECL (Current Expected Credit Loss) and the big tent of Basel III.

CECL, and how it will be included in stress tests, may be the most debated new regulation. The rule, which goes into effect from the beginning of 2020 for large SEC filers, will require expected losses over the lifetime of loans to be recognised at the time loans are booked. Under the current incurred-loss model, losses are recognised only after a loan has begun to deteriorate. The US Federal Reserve has said it will not require CECL in its stress tests until 2022.
