Just when you felt you had heard the names of most risk categories, up pops another one – tail risks! In an acquiring transaction, when one company buys another, the acquisition includes not just all the assets but also all the liabilities – past and present. There could be a claim lurking in the shadows or an act of negligence that has not yet revealed itself. These items of potential future liability from past events are tail risks.
In the normal course, an acquirer will carry out due diligence on the operations of the target company. Traditionally, this has focused on financials and little else. The examination is concerned with proving that the bank balances are truly accurate; that turnover can be verified; that the recorded transactions are legitimate; that there are no surprises. Auditors often applaud themselves for discovering numerical discrepancies, which in the greater scheme of things, are not material. Acquirers often miss much more significant operational issues.
This is not a new phenomenon and the risk is well understood in the insurance world. Companies sometimes agree to recognise the unknowns by insisting that the target company continues to hold distinct “run-off” insurance that does not interfere with day-to-day operations. This provides assurances to the acquirer that there will be no unexpected claims in the future from activities that occurred before the date of the acquisition. But many acquirers, eager to conclude a deal, either waive or ignore this risk. They do so at their peril!
But what a “run-off” insurance policy cannot cover is a regulatory sanction, which will always attach to the regulated company regardless of past, current or future subsidiary ownership. A European Central Bank recently fined one of its authorised banks for incidents that apparently happened several years ago in a subsidiary company that it formerly owned. A cyber-security breach involving fraudsters impersonating a client seemingly was at the centre of the regulatory sanctions.
Fraudsters apparently hacked the client’s email account mischievously impersonating the client’s instructions to withdraw funds. Once successful, the fraudsters deceived the bank into transferring funds from other clients’ accounts. It beggars belief that this wasn’t captured within the bank’s procedural controls; but the real contraventions may have been the withholding of information from the bank’s group functions; from the Fraud Unit at law enforcement; from the country’s tax authorities; from the bank’s supervising regulator.
The fine ran to several millions (reduced by agreement) for negligence that occurred years previously in a company that the bank no longer owns. It is a salutary lesson that should have worrying repercussions for all those who seek to behave arrogantly. On discovery of a fraud, one course of action is to attempt to cover it up; refund the clients in full and secure copious non-disclosure agreements. But this is absolutely the wrong approach. Positive outcomes for all clients must be the number one priority. This means full disclosures to all and sundry to prevent a recurrence elsewhere. Arrogance and hubris result in tail risks!