Legal and reputational risks in cross-border financial services

(19 June 2012) 


1. Is it also necessary to analyse and address legal risks for cross-border business that arise out of regulations other than supervisory rules (such as tax law)?

Yes. In principle, all the legal areas set out in the position paper must be considered in order to identify, measure, assess and manage the risks arising out of the cross-border business. They include, in particular, tax laws and the associated criminal law. It is particularly important to establish whether and under what circumstances the foreign legal frameworks and the authorities charged with enforcing them view acts or omissions by financial institutions as aiding and abetting tax crimes. This is also relevant even if the activities concerned are solely carried out in Switzerland. No effective risk mitigation can take place without analysing this issue and the related risks to which the institution and its staff are exposed.

2. When analysing the cross-border legal and reputational risks and taking steps to reduce them, is it sufficient to only consider investment advice and asset management services? 

No. In the retail clients business, legal and reputational risks can also arise in areas of cross-border activity other than asset management services. The same applies in principle to the wholesale business, although here the legal situation appears in general to be less clear, which makes it all the more necessary to assess each business interaction individually, taking account of the various potential risks. Furthermore, the misuse of certain products can have a major influence on an institution’s legal and reputational risks, for example the misuse of debit and credit cards, accounts with internally restricted access to the client’s identity ("numbered accounts"), and hold mail services. For this reason, it is especially important to take account of bank-specific services and products offered when relying on standardised legal opinions.


3. Who is responsible for implementing appropriate cross-border risk management within the institution?

Responsibility for fundamental strategic decisions concerning risks lies with the body responsible for ultimate management, supervision and controlling (in a public limited company, for example, the board of directors). As part of its systematic risk analysis and the internal control system based on it, this body is charged with supervising and controlling, capturing, limiting and monitoring all substantial risks (see FINMA Circular 08/24 "Supervision and internal control – banks"). This also includes the legal and reputational risks associated with the cross-border business. Executive management, for its part, must develop appropriate processes that enable cross-border business risks to be identified, measured, evaluated, assessed and controlled. In the context of the cross-border business, high importance should be attached to establishing risk tolerance, defining target countries (e.g. countries from which a large proportion of existing clients come, or in which clients are to be actively solicited in future) and the associated marketing strategies, because these factors have a substantial impact on an institution’s strategic orientation. 

4. Is it sufficient to provide client advisors with "dos and don’ts", traffic-light systems or guidelines indicating which activities are permitted in a given country?

No. Brief and concise country manuals, checklists, "dos and don’ts", traffic-light systems or guidelines that provide client advisors with a set of answers to certain standard questions are undoubtedly useful. On their own, however, they are not sufficient to indicate which activities are permitted or prohibited in a target market. They inevitably involve a substantial degree of simplification, since many of the questions that arise in practice cannot be answered with standardised responses. For this reason, such documents are not a substitute for organisational measures such as restricting operations in selected target markets, forming specialised country teams, or using consultants. Qualified experts must be available to train, advise and answer questions from client advisors, to ensure they acquire the country-specific expertise and other specialised knowledge they need.

5. Is it mandatory for foreign clients to be managed by specialised country desks?

No. However, sensible measures must be adopted to take account of the risks arising out of the requirements of foreign law. Client advisors for different countries and markets must be sufficiently familiar with the laws that apply there. This is especially important when a bank intends to commence active operations in a new target market. Where organisationally practicable and sensible, foreign clients should be managed by country desks. Alternatively, they should be managed by appropriately specialised teams or with the assistance of experts. The requirements concerning the organisation of client management in target markets are significantly more exacting than for other markets. In general, it is highly unlikely that a client advisor could specialise in more than a small number of countries and actively work all these markets without running increased legal risks.

6. Is it also necessary to put in place rules for accepting and managing clients from abroad who themselves approach an institution in Switzerland with a view to entering into a client relationship?

Yes. Even if the initiative for entering into a relationship with the institution in Switzerland comes from the client, this relationship could give rise to risks for the institution – during day-to-day management, for example, or when providing investment advice. This is true even if the activities concerned are carried on exclusively in Switzerland. For this reason, the institution must set out in writing how existing and future clients from markets that are not categorised as target markets – and hence are not covered by a detailed country-specific analysis – are to be dealt with. There must also be requirements concerning the acceptance of such clients. It is therefore necessary for all institutions to draw up and implement basic rules covering the treatment of all foreign clients that are not actively managed. The latter rules are in addition to the cross-border rules for specific markets and for clients who are actively acquired and managed and who, as a rule, entail a proportionally higher degree of risk.


7. Is it permissible for the criteria determining the variable remuneration of employees in front-office units to be based on purely financial objectives?

No. Systems in which remuneration criteria are based disproportionately on the achievement of financial objectives or have an excessive leverage effect on the level of remuneration may also prove problematic. Given that the activities of front-office units may constitute a significant source of risks in the area of cross-border financial activities, it is vital that the remuneration policy for staff in those units attaches major importance to criteria that, in general, promote good compliance and, more particularly, adherence to internal directives covering the cross-border financial activities that are permitted or prohibited. In particular, this means that breaches of internal rules or of legal provisions governing cross-border financial activities should, depending on their severity, be sanctioned by a reduction in, or forfeiting of, the variable remuneration component (see also question 8).

8. Should internal control and sanction processes also cover breaches of the regulatory framework applicable to cross-border financial activities?

Yes. Implementing internal control systems (within the meaning of FINMA Circular 08/24) and systematic, transparent and deterrent sanction processes is the only way to ensure that the internal directives are sufficiently applied in practice and that the risk management concept is effective. These processes must also cover the issue of cross-border financial activities and, in particular, include effective information and escalation processes. The sanction process should include elements other than just a reduction in, or forfeiting of, the variable remuneration component. The control and sanction systems must both be formalised and documented.


9. Is it reasonable to assume that, in general, cross-border business relationships that are referred and/or managed by external asset managers (EAMs) involve fewer legal and reputational risks?

No. The involvement of an external asset manager (EAM) may actually involve specific risks that also need to be identified and minimised. For instance, the institution must determine the risk to which it is exposed if the collaboration with an EAM results in the application of foreign supervisory and regulatory law (see FINMA Bulletin 1/2010, 102 ff., 114 and 115). It should also consider the risk that foreign authorities may hold the institution liable for violations committed by the EAM if – unlike Swiss law – the foreign legal system concerned does not distinguish in principle between the area of responsibility of the institution and that of the EAM. The mere act of outsourcing client management to an EAM does not relieve the institution of its duty to carry out an analysis and take appropriate steps to minimise risks. Consequently, interposing an EAM between the supervised institution and the clients is not of itself an adequate measure to limit the risks in cross-border business. Similar considerations also apply in respect of other external financial intermediaries (such as lawyers, introducing brokers, and so on).

10. What criteria should EAMs meet in terms of cross-border financial activities before a supervised institution can collaborate with them?

From a regulatory perspective, collaboration with an EAM must not lead to a situation in which the supervised institution’s business and risk policy concerning cross-border financial activities is circumvented. This means that a supervised institution must require the EAM to pay the same attention to the risks associated with such activities as the institution does itself. Accordingly, EAMs must also comply with the institution’s general business and risk policy in this area (for the consequences for a supervised institution of failure to comply with these rules, see questions 11 and 12).

11. Is the supervised institution obliged to take special measures to minimise and manage risks in the context of its relationships with EAMs?

Yes. In order to minimise the risks arising out of the business activities of third parties (see question 9) and prevent the internal business and risk policy in connection with cross-border financial activities being circumvented (see question 10), supervised institutions are, in particular, required to select their business partners with care and to give them appropriate instructions (see Position Paper on Legal Risks, pp. 3 and 16).

  • As regards selection, the institution must obtain information about EAMs with whom it wishes to collaborate, and apply appropriate selection criteria (key concepts: due diligence and "know your intermediary"). These criteria must also capture the risks the EAMs take in conducting their cross-border financial activities as well as potential risks that may already have materialised (such as the EAM’s risk policy and organisational structure, any outstanding legal issues in Switzerland and abroad, etc.). The supervisory or regulatory regime applying to the EAMs in their country of domicile must also be clarified (this would include issues such as possession of the necessary licences). Compliance with the selection criteria should be reviewed both when the business relationship is commenced and at periodic intervals throughout it, especially if there are indications that the criteria are no longer being adhered to (see question 12). The institution should also establish whether it is in a position to make organisational adjustments of its own, e.g. by setting up special organisational units that manage business relationships with EAMs centrally. 
  • The term "instruction" used in the Position Paper on Legal Risks is not to be understood in the narrow contract-law sense. Rather, it is a supervisory requirement imposed on the supervised institution to explain its business and risk policy in connection with certain target markets to the EAMs in unambiguous terms and to ensure that the cooperation agreement with the EAMs is in line with this policy. The institution must notify the EAMs of possible restrictions arising out of its own business and risk policy, and it must be comfortable that the EAMs are prepared to comply with the rules communicated to them.

Pursuant to Article 9 paragraphs 2 and 3 BO, a supervised institution must document processes in connection with collaboration with EAMs and other external financial intermediaries in the form of guidelines or other internal regulations.

12. Does current supervisory law require the supervised institution actively to check that EAMs are complying with their obligations under the cooperation agreement?

In principle, no. However, the assurance of proper business conduct requires the supervised institution to comply with a certain duty of due diligence. From a supervisory perspective, this imposes a minimum requirement to take active measures if the supervised institution becomes aware of events suggesting that its business partner is breaching commitments entered into in connection with cross-border financial activities. This means that any signs of such breaches having occurred must be further investigated. In particular, supervisory law does not permit the supervised institution to tacitly tolerate infringements it has become aware of, thereby accepting substantial legal and reputational risks. Consequently, the institution may be compelled to reject clients proposed by the EAM or even terminate its business relationship with the EAM concerned.


13. Whom can I contact if I have additional questions?

The institutions are requested to contact the FINMA team responsible for their supervision.