The United States has a long history of welcoming foreign financial institutions (FFIs) to operate from within its borders. Their presence is seen as providing both competitive and countercyclical benefits. The decades-long evolution of their business models from traditional lending to encompass capital-markets activities underscores the important contributions of FFIs in the US financial system.
But deficiencies in compliance with US laws and regulations are a serious matter for any financial institution, and FFIs are no exception. Last year, several Asian and European FFIs with US operations entered into consent agreements with both the New York State Department of Financial Services (NYSDFS) and the Federal Reserve. Tripped up by lapses in their Bank Secrecy Act/anti-money-laundering programs or foreign-exchange controls, they ended up paying more than $600 million in aggregate fines.
Even more than their US counterparts, FFIs in the US may operate under a wide range of business models and structures, depending on the needs of their parent organizations. They may be banks, branches or agencies; they may hold state or federal licenses or charters. All are overseen by their licensing regulator—typically either the NYSDFS, reflecting New York’s status as a global financial center, or the federal Office of the Comptroller of the Currency. And they are all subject to regulation by the Federal Reserve, which has statutory authority over domestic operations of all FFIs in the US.
Regulators expect FFIs to navigate this regulatory maze, comply with US laws, and maintain robust programs for enterprise-wide risk management (ERM). But in our era of rising regulatory expectations, it sometimes seems that the last word on what is enough may never be written. Scrutiny of FFIs has been greatly increased since the financial crisis. In 2017, the Federal Reserve raised the bar again for all large financial institutions—not just FFIs—with proposals and guidance on supervisory expectations for boards of directors and senior management, the management of business lines and independent risk management. FFIs that have not yet immersed themselves in the Fed’s latest directions are well-advised to do so.
No FFI wants to find itself in the US regulators’ line of fire. In our practice, we see four broad areas that FFIs can focus on to stay in regulators’ good graces:
Insist on effective governance of the FFI’s US operations. There is no substitute for oversight by and close coordination with the parent company. Operating in silos or letting the US operation fend for itself is a recipe for failure. Most FFIs that have faced enforcement actions had deficiencies in governance that led to control breakdowns, yielding a supervisory response. Regular reporting, including metrics such as key risk indicators, and communication with managers at the parent company are required. Simply put, the parent must oversee and support the US operation.
Recognize the US operation as a business in its own right. The US operation requires the robust infrastructure of a separate legal vehicle. A simple test is to ask whether a bank of the same size and risk profile would have the same budget and staffing as the US operation. FFIs need to understand their US operational needs and risks in order to be able to provide the support necessary to operate the branch in a safe, sound and compliant manner. The “three lines of defense” model must be deployed in order to maintain an effective ERM program. While smaller operations may have room for some cross-functionality of the first two lines of defense, a clear delineation and control by and between each line needs to be established and maintained. The independence of the risk, compliance and audit functions is paramount to an effective ERM program.
Follow US regulatory guidance for overseeing third parties. You can outsource a function, but you can’t outsource your risk. Too many FFIs, with large or small US operations, forget this. Many smaller US operations outsource their data. This is fine, provided the FFI ensures that the third party has the requisite controls and processes to protect and manage the data. If data is corrupted, the FFI’s risk-management systems may be rendered ineffective. For example, Office of Foreign Assets Control sanctions screening is only as good as the data being fed into the screening tool. If the US operation relies on the FFI for data management, that data must be made available to the US operation. Another area that smaller FFIs often outsource is internal audit, the last line of defense between the US operation and its regulators. To ensure that audits are effectively executed, FFIs require robust planning and testing, along with highly qualified staff who understand the business and the regulatory requirements and can spot emerging issues. A completely clean internal audit report should give pause to management, because no financial institution is perfect.
Provide a sufficient budget. A branch simply cannot be run on a shoestring. Don’t under-fund US operations that don’t make money but provide an important service for the FFI’s clients, such as US-dollar clearing. Enforcement actions often show a fundamental failure to give FFIs the budget required to ensure safety, soundness and compliance. If the FFI wants to operate in the US, but can’t make money doing so, it needs to accept the US operation as a loss while providing clients with valuable services.
In the end, operating a business within the US is no different than operating a business outside the US. You must understand and comply with the laws, and implement and maintain an enterprise risk-management program that is commensurate with the risks. Oversight of and communication with the US operation is critical to ensuring this.