AML and framework change at Nordea

“Because we are a G-sifi, the bar is higher for us compared to probably some of our local competitors,” Jørgensen explains. “Again that drives us to strive towards becoming increasingly compliant with international standards. So you could expect that both now and in the future we would start to comply to a higher level than our main regulator tells us to, simply because we feel that we have to comply with international standards.”

On top of this, there is also the continuing uncertainty in the regulatory environment to deal with. “We see so many regulations coming or that we know that the regulators are working on so that we actually don’t know precisely what we need to comply with in one year’s time or a year and a half ahead.” He adds that overshooting in terms of regulatory demands is also a concern for him because the ultimate consequence of this is the potential for even greater impacts on customers than they may already be subjected to.

An area where overshooting might occur is banks’ capital requirements, Jørgensen says. And this, of course, adds to the bank’s running costs. However, he also points out that with new regulation, the processes the bank would need to run within operational risk and compliance also become demanding. “Process-wise the costs of running the bank become very high and that again affects the pricing for the customers because in the end we would want to deliver the same return on equity. So we have to consider how much impact it will have on our business model.”

He adds to this the concern that regulators will start to regulate at a much more detailed level, removing flexibility for financial institutions to design a framework that is most fitted for them. He acknowledges, however, that the last few years have shown that financial institutions don’t always get it right when it comes to designing their own frameworks.

“I fully understand the drive for regulation becoming more detailed, but it is a very brave thing for the regulator to do because what if the approach is wrong?” he asks. “If you start to regulate down into what kind of key risk indicators we need to have or how exactly a small part of the framework should look, you have to be pretty sure that you are right. And I think when you look at the differences in the operational risk setups in banks, you can see that banks do not agree on what the best way is.”

Sound structures

Jørgensen describes 2012 as a “very hectic year” for Nordea in terms of changes to its operational risk management framework. The bank overhauled its risk and controls self-assessment processes, and implemented a scenario analysis process. The bank now has a framework consisting of internal data, external data, risk and control self-assessment and scenario analysis – the four categories recommended by the Basel capital regulations. Developing the framework in this way was not simple, he points out.

“Implementing such big processes or improving such big processes in a bank of our size is extremely time consuming both for us – the central teams – but also for the business units, so 2012 was very challenging that way.”

This year he expects the focus to be on improving these four building blocks, specifically looking more at internal data to fine-tune and secure all the sources and to ensure it is all categorised and described correctly, analysing internal incident data, and using external help to sense-check that data. With the risk control self-assessment, Jørgensen intends to work more on controls and ensure that in the future the bank will be able to have these inherent risk controls and as such residual risk overview. And the bank is also seeking external help to improve its scenario analysis procedures.

Jørgensen says: “The external support helps us to find best practice and then based on that input we work on our processes. On the internal incident data, we go into our business areas and check the incident reporting process and find any gaps we have there, find any sources we are missing and get that up and running to ensure the quality and the number of incidents that we capture.”

He adds that the pace of development for the framework has gone up over the last year and a half. And he puts this down to regulatory pressure. “We recognise that we simply need to change faster because the expectation from the regulator is that we have to change faster, so that’s driving it.”

To deal with this increased pace of framework development, the bank has had to make some operational changes. Jørgensen says the bank has increased headcount within both AML and operational risk departments. He points out, though, that it is not just about increasing headcount. Competence is also key, so it is important to find people who have worked in these areas before in a bank not only the size of Nordea but also with the same level of operational complexity, he says.

He also says that prioritising is very important in the ‘new normal’ phase that banks now find themselves in. “It is difficult to get extra resources because we have to be able to deliver a good return-on-equity to our investors. And not only that, there are simply things we need to stop doing, which is a healthy exercise I think.”

He cites dividing roles and responsibilities between group functions and the business units as one of these areas. “I think we probably had a tendency to service business a little bit too much in some areas where we have now stopped servicing them. For example, we had a helpdesk where business could call in on AML matters, but we have now pushed that out to business in order to relieve some resources.”