The Power of Perspectives

The Canadian Bar Association

Stuart Hoegner

Clarifying ‘de-risking’ and what it means for Bitcoin

November 12 2014 12 November 2014

It’s a sign of the times: major financial institutions have ended relationships with clients because of perceived money laundering risks and worries about regulatory scrutiny.

But this practice, known as de-risking, has raised concerns, including from the Financial Action Task Force (FATF), that it is too blunt an instrument in following a risk-based approach.

On October 23rd, the FATF, the inter-governmental body set up to fight money laundering, issued a short bulletin clarifying its risk-based approach and locating it in the move to ‘de-risk.’ (Thanks to FATF Watch and Marc Hochstein of American Banker for bringing this to my attention.) The bulletin is instructive and shows that the FATF, at least, understands the risks associated with excluding whole categories of persons from the financial system. It should give ammunition to those in the cryptocurrency space—including those in bitcoin—that have been trying to work with banks for some time. Unfortunately, whether the bulletin will have much effect on the behaviour of global banks is open to some question.


The FATF is an inter-governmental body established in 1989 in response to growing concerns about global money laundering. The FATF also now addresses terrorist financing. It sets standards and promotes measures to combat threats to the global financial system. As part of its mandate, it also works with international stakeholders to identify national-level anti-money laundering (AML) and counter-terrorist financing (CFT) vulnerabilities. The FATF’s 40 Recommendations on money laundering and terrorist financing have been called the accepted international standard for AML principles and procedures.

Front and centre is the first of 40 recommendations, the so-called risk-based approach. Countries should identify and assess money laundering and terrorist financing risks and take action designed to mitigate those risks. They should also require financial institutions and what are called “designated non-financial businesses and professions” to identify and assess those risks and to take action to mitigate them. The risk-based approach is then given specific voice through other recommendations, for example, the different ways of gathering customer due diligence in recommendation ten.


Enter the concept of de-risking. According to the FATF, “de-risking refers to the phenomenon of financial institutions terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, risk in line with the FATF’s risk-based approach.” The FATF says that the 40 recommendations require financial institutions to end relationships with customers on a case-by-case basis only: “What is not in line with the FATF standards is the wholesale cutting loose of entire classes of customer, without taking into account, seriously and comprehensively, their level of risk or risk mitigation measures for individual customers within a particular sector.”

In other words, financial institutions (and others) are not supposed to blacklist entire industries, which are legal, and categories of customers. They are supposed to assess each customer on its merits and the risk associated with that customer. The FATF commented on the dangers of de-risking entire groups in the bulletin. Conceptually, the FATF says that this misstates the AML–CFT standard. Wholesale de-risking can introduce opacity and risk into the global financial system—the opposite of what the 40 Recommendations are designed to achieve. On a practical level, it can force customers into “unregulated channels” where AML and CFT protocols are weak and can undercut financial inclusion.

What does the bulletin mean?

According to P. Faisal Islam, an AML expert at DC Fintech Co., this bulletin was meant to address money services businesses (MSBs). In certain de-risking undertaken by financial institutions, MSBs “took the biggest hit,” said Islam. “Certain banks just outright closed all their Latin and African remittance companies. The Somali remittance companies, for example, were quite vocal about these events. Several banks in a few jurisdictions closed all their accounts, again, either voluntarily or by threat from regulators, simply because the country beneficiary, Somalia, is considered a high risk country.” (Islam suggested that the reference in the bulletin—confirmed by the FATF—to recent “supervisory and enforcement actions” concern the money laundering scandals at BNP Paribas and HSBC. The bulletin also noted that these cases need to be contextualized: “these were extremely egregious cases involving banks who deliberately broke the law, in some cases for more than a decade, and had significant fundamental AML/CFT failings.”)

Islam says that the bulletin is consistent with the 40 Recommendations and the FATF’s risk-based approach, and says that financial institutions can draw some salutary lessons from this guidance: “For starters, financial institutions shouldn’t group risk a customer segment based on one parameter. Next, risk rate a customer case-by-case.” This will be more expensive, but long-term customer retention is more likely, he added.

Cryptocurrencies like bitcoin are not mentioned in the bulletin, but the FATF’s pronouncement applies directly to the bitcoin space. Actors in this sector have been struggling to get banking—certain business models in the cryptocurrency space still do require some banking services—often without success. Many banks in Canada have essentially tried to embargo the bitcoin industry without regard to individual customer circumstances, which is what the FATF is expressly telling private actors to avoid. This is in spite of a relatively welcoming and engaging legal and regulatory environment (at least so far) in Canada.

Amber D. Scott, an AML expert and founder at Outlier Solutions Inc. in Toronto, thinks that banks may just need more education about cryptocurrency. She calls the FATF’s clarification “positive as it essentially states that banks should manage such risk where they have the sophistication to do so (rather than de-risking).” She says that banks in Canada are responsible for demonstrating that they are managing risk but without a step-by-step, “prescriptive” guide describing how regulators want to see it managed. “This isn’t necessarily a bad thing, as we don’t advocate for more regulation, but guidance in the form of best practices could be tremendously helpful in allowing financial institutions to understand the steps that they could take to effectively manage the risk related to MSBs and cryptocurrency businesses.”

In my view, this bulletin shows that the FATF understands AML–CFT better than most banks and also gets the law of unintended consequences. If you turn away from financial inclusion and innovation that you do not monopolize, then you are effectively forcing people into value transfer systems that are less transparent and riskier. Some banks in Canada have raised consumer protection as an objection to dealing with bitcoin businesses, ignoring the built-in consumer protections in transparent, decentralized ledger technology. But the problem only gets worse if you try to choke off bitcoin—which is likely impossible, anyway—and force people further underground.

While this statement may resonate in the cryptocurrency sector and other industries, its effect will be limited unless the financial intelligence units in the FATF member countries  get on board and actually encourage this approach. (The US Financial Crimes Enforcement Network (FinCEN) issued guidance on November 10th in direct response to the FATF bulletin. In that guidance, they agree that MSBs should be assessed for risk by financial institutions on a case-by-case basis. Note that FinCEN’s 2005 advisory suggests the same individualized approach. Thanks to Juan Llanos for pointing this out.) Financial institutions and other regulated non-financial actors can’t be expected to change their ways unless the FATF membership starts to back up the organization’s good policy.

No comments

Leave message

 Security code

Stuart Hoegner is an international gaming and cryptocurrency attorney and accountant. He's the managing director at Gaming Counsel P.C. in Toronto.

Current Issue

Editor's Picks

SCC backs law societies in denying accreditation to TWU

Editor's Picks

Global cybersecurity: Do we need more law?

Editor's Picks

Canada’s trade fight: The legal options are slim