On June 17, 2020, despite having found no instances of “financial crime,” Britain’s Financial Conduct Authority (FCA) fined Commerzbank AG, London Branch £37,805,400 (~$46,684,640) for inadequate controls and procedures related to the bank’s financial crime control framework. The fine is to be paid no later than July 1, 2020.
From the FCA’s 50-page Final Notice, “Commerzbank London was unable to adequately identify, assess, monitor or manage its money laundering risk. The Authority notes that there is no evidence of financial crime having been occasioned or facilitated by Commerzbank London’s failings.” The time period under consideration for determination of the breaches and resulting fine was between October 23, 2012 and September 29, 2017.
More to the story
The issues raised by the FCA in its Final Notice are both complex and unfortunately familiar. The Notice is an interesting read for a compliance professional because it lays out a roadmap for remediation of internal deficiencies associated with Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). The actions taken by the FCA also connect directly back to US federal and New York state authorities’ actions in 2015 relating to violations of economic sanctions and Anti-Money Laundering (AML) deficiencies by the bank.
Germany’s second-largest bank was found to have violated US sanctions laws in 2015 targeting Iran, Cuba, Burma, and specially designated persons. Separately, US action was taken against the bank for violations of the Bank Secrecy Act and deficiencies in its AML programs. Commerzbank dealt with a litany of federal agencies, both criminal and civil, to resolve the matters. That episode ended with a $1.45 billion fine and the imposition of a corporate monitor for three years, according to the 116-page deferred prosecution agreement.
The FCA action
The two key principles employed by the FCA for undertaking the action cited were:
- “The Authority has the operational objective of protecting and enhancing the integrity of the UK financial system.”
- “UK firms must take reasonable care to organise and control their affairs responsibly and effectively and to establish and maintain an effective risk-based anti-money laundering (“AML”) control framework, and also must comply with the applicable Money Laundering Regulations.”
In the meticulously documented Notice, the FCA cited numerous failings in Commerzbank’s compliance program that undermined the bank’s financial crime control framework. As is typical in these cases, the true cost of these compliance failures was far more than the fines imposed. Additionally, there were familiar themes, all previously highlighted by regulatory guidance cited in this Notice. A few of the notable highlights:
- There were 3 full-time employees devoted to customer vetting; in mid-2018, following an acknowledgement by Commerzbank London of the need to dramatically increase staff in this area, this was increased to 42 full-time employees.
- By the end of the Relevant Period, total headcount in Regional Compliance had increased from 23 to 43 and, by May 2019, total Compliance resource had increased to 52.
- A “lack of clarity around responsibilities”, which impacted the Front Office, CLM (Customer Lifecycle Management) and Compliance.
- Both senior branch management and Compliance lacked understanding and adequate awareness of the process.
- The automated tool for monitoring money laundering risk on transactions for clients was not fit for purpose.
“Throughout the Relevant Period, Commerzbank London’s procedures stated that no transaction or other business activity was permitted until the due diligence process had been completed and all necessary approvals obtained.” Senior management within Compliance decided to disable the automated function that changed the status of a client from ‘green’ to ‘red’ in circumstances where the client’s KYC refresh was overdue.
Ignoring repeated warnings
Another familiar theme was the ignoring of repeated warnings of control framework deficiencies. It is my opinion that the ignoring of those warnings, coming from both internal and external stakeholders, prompted the FCA action. The FCA notes the seriousness of the deficiencies in the control framework by stating:
“Commerzbank London’s failings are particularly serious because they occurred following visits by the Authority to Commerzbank London in 2012, 2015 and 2017 to discuss issues relating to its AML control framework, during which the Authority identified weaknesses that Commerzbank London was to address. They also occurred against a background of heightened awareness within Commerzbank of weaknesses in its global financial crime controls following action taken by US regulators in 2015, although the AML failings identified by US regulators did not involve Commerzbank London.”
One of the more significant external stakeholders was the US Monitor. In November 2016, the US Monitor recommended that Group Compliance carry out reviews on a global basis of transactions carried out by the Trade Finance business area, which took place between October 2015 and October 2016.
“The US Monitor reviewed and reported on weaknesses in the AML control framework at Commerzbank London in March 2018, July 2018 and October 2018. The US Monitor’s engagement ended on 24 June 2019.”
Internal stakeholders including Compliance and Internal Audit also cited concerns with the firm’s CDD and EDD process. Internal audit stated, “policy documentation used by CLM and Compliance was not consistent, and this had led to discrepancies in the due diligence undertaken.” The Compliance function then undertook a complete review of the due diligence held on approximately 350 business partners (third party intermediaries), identifying material concerns, including a lack of adequate due diligence being performed.
“Consequently, Commerzbank London was aware, or ought to have been aware, of the importance of putting in place and maintaining effective procedures to detect and prevent money laundering.”
High level intervention
In early 2017, the Commerzbank Board commissioned a special investigation to be conducted by internal audit. On May 22, 2017, the FCA required the appointment of a “Skilled Person” (the UK version of a corporate monitor) to review and analyze the firm’s processes and procedures.
“The Skilled Person identified weaknesses with the way in which risk ratings were calculated, and how this impacted the extent of due diligence undertaken for customers.” and “The Skilled Person found that the lack of resource in Compliance impeded the effectiveness of the Compliance function.”
The Skilled Person reported on these matters on September 28, 2017, highlighting a range of weaknesses in respect of Commerzbank London’s financial crime controls, including in relation to CDD, EDD, ongoing monitoring and transaction monitoring, and the related governance arrangements.
All these actions resulted in Commerzbank undertaking what was referred to as the London Remediation Programme. As a result, and in addition to the focus on attending to the control infrastructure problems, the FCA imposed business restrictions. Per a September 2017 order, the London branch ceased the following revenue-generating activities:
- trade finance new business activities were suspended,
- no new demand deposit accounts,
- no new custody accounts,
- no onboarding of new high-risk customers,
- no new business with existing high-risk customers.
These restrictions could only be modified with approval from the Authority. Irrespective of the fact that the London Remediation is now closed, “the business restrictions remain in place, albeit with modifications approved by the Authority” as of the issuance date of the Final Notice.
The fine determination
While a fine of £37,805,400 for infractions from which the firm did not derive a “financial benefit” is significant, it could have been worse. The FCA follows a five-step process in the determination of fines. The first step is disgorgement. As there was no financial benefit derived, there was no disgorgement. Given the seriousness of the breach, the FCA next determined the amount of revenue produced during the relevant period, £1,091,067,000, which was the base amount for determining the fine. After applying a relevant percentage (20%) based on the seriousness of the breach, the starting point for fine determination was £163,660,050.
Other factors such as mitigating or aggravating factors and adjustments for deterrence brought the potential fine amount down to £54,007,816. The firm was given a “30% discount” resulting in a final fine amount of £37,805,400. A significant number.
It is more than just the fine amount.
What this story shows is that once in the crosshairs of the regulators after a serious breach of regulatory obligations, the cost is more than the fine. In addition to the $1.45 billion paid to US authorities, other costs include at least seven years’ worth of legal fees, the costs associated with a Corporate Monitor and a Skilled Person, a significant increase in the cost of staffing, as well as a regulatorily imposed reduction in revenue-generating activity.
According to a February 2018 Reuters article, Commerzbank has spent over 600 million Euros on compliance based on the work of the US Corporate Monitor. The bank also increased its compliance headcount to more than 700 people.
That said, the Skilled Person’s final report from April 2020 stated the following: “although Commerzbank London was “not at the end of its journey as certain issues still require attention”, Commerzbank London’s financial crime framework has “continued to mature” and Commerzbank London is now “a completely different institution” to the one it reviewed in September 2017.”
That is a lot of money, time, and effort to transform an institution.