UK FCA Imposes £37 Million Penalty on Commerzbank for AML Failures

On June 17, 2020, the Financial Conduct Authority (“FCA”) announced[1] that it had imposed a financial penalty of £37,805,400 against the London Branch of Frankfurt-based Commerzbank AG (“Commerzbank London” or the “firm”) for failures in anti-money laundering (“AML”) systems and controls between October 2012 and September 2017. The FCA’s Final Notice^[2] notes that the firm received a 30% discount under the FCA’s executive settlement procedures for agreeing to resolve the matter at an early stage. Without the discount, the financial penalty would have been £54,007,800.

Key Takeaways

• This action reinforces the importance for financial institutions of ensuring that the expectations of their regulators are met, and that any issues that are identified are promptly addressed. In particular, regulators remain focused on ensuring that banks: (i) devote sufficient resources to AML compliance; (ii) formally document and clearly define roles and responsibilities for AML compliance programs; and (iii) appropriately calibrate transaction monitoring systems to monitor potentially suspicious transactions.
• This action also underscores the need for firms to move quickly to fix issues identified by regulators. Although Commerzbank undertook significant remedial measures in 2017, the FCA faulted the firm for failing to move fast enough to update its automated transaction monitoring systems, clarify essential roles and responsibilities between the Front Office, Client Lifecycle Management and Compliance teams with respect to its AML compliance program, and eliminate a backlog of customers requiring Know Your Customer (“KYC”) checks at Commerzbank London. Both the FCA and the independent monitor appointed by the New York Department of Financial Services (“DFS”) in the United States[3] had raised specific concerns about Commerzbank London’s financial crime controls in 2012, 2015, 2017 and 2018. This action makes it clear that the FCA expects firms to apply regulatory findings and lessons learned across jurisdictions and business lines.
• The significant fine levied on Commerzbank London demonstrates that in this instance, the FCA appeared to consider the risk of financial crime as seriously as the crime itself. The Final Notice does not identify any evidence that financial crime was committed as a result of Commerzbank London’s compliance weaknesses. Nevertheless, the FCA stressed that Commerzbank London’s conduct created a significant risk that the firm might be used to further financial crime.

The FCA’s Final Notice to Commerzbank London

The Final Notice describes Commerzbank London’s compliance failings as “particularly serious” because they occurred (i) after the FCA and the DFS independent monitor^[4] identified weaknesses in Commerzbank London’s AML control framework that required correction, and (ii) at a time when there was a “heightened awareness” within Commerzbank AG regarding weaknesses in its global financial crimes controls as a result of a billion dollar resolution with U.S. regulators in 2015,^[5] although the resolution did not directly involve Commerzbank London. The FCA press release further notes that the control weaknesses persisted despite “clear warnings” from the FCA in the form of published guidance and enforcement actions against a number of other firms for inadequate AML controls.

The Final Notice states that failures in Commerzbank London’s AML control framework between October 2012 and September 2017 breached Principle 3 of the FCA’s Principles for Businesses[6] (“Principles”), which requires firms to take “reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems,” as well as the firm’s obligations under the U.K. Money Laundering Regulations 2007^[7] and left the firm unable to identify, assess, monitor or manage its money laundering risk. Specifically, the FCA identified:

• Shortcomings in financial crime controls applicable to intermediaries, politically exposed persons (“PEPs”) and verification of beneficial ownership of clients.
• Failure to timely refresh KYC information, in part because Commerzbank London’s first and second lines of defense were understaffed. In 2016, Commerzbank had a backlog of 2,350 clients awaiting onboarding or KYC refresh and instituted an exceptions process that allowed existing clients to continue to transact without timely KYC checks.
• A lack of clarity regarding responsibilities for AML risks. The FCA identified “uncertainty” among senior staff at Commerzbank London regarding which employees were responsible for financial crime controls, which contributed to a lack of clarity around AML responsibilities.
• Failure to maintain adequate policies and procedures sufficient to ensure adequate mitigation of the risk that the firm might be used to further financial crime.
• Use of ineffective transaction monitoring tools the firm itself identified as “not fit for purpose” as early as 2013. The FCA stated that Commerzbank London’s automated tool for transaction monitoring was “not fit for purpose” and did not have access to key information from other transaction systems at Commerzbank AG.

The FCA’s Final Notice discusses, in detail, specific weaknesses in Commerzbank London’s compliance program with respect to financial crime, as well as its efforts to remediate these issues, from 2012 to 2017.

Remediation

The FCA required Commerzbank London in May 2017 to appoint a Skilled Person under section 166 of the U.K. Financial Services and Markets Act 2000 to independently assess the adequacy of the firm’s financial crime controls. In response to the FCA’s concerns with respect to its financial crime control framework, Commerzbank London initiated “a large-scale remediation project” in March 2017 to address underlying weaknesses and implement certain enhancements identified from business as usual processes, observations from the U.S. monitor, Skilled Person and the FCA. Notably, the remediation project included two extensive lookback exercises to identify potentially suspicious activity that was missed by the firm’s automated transaction monitoring tool as a result of poor upstream data quality, a lack of calibration, and the firm’s failure to apply updates to high-risk client and country lists within the tool. These lookbacks, which examined more than 5 million transactions, did not identify any financial crime.  

Additionally, on September 28, 2017, the firm, working with the Skilled Person, voluntarily implemented a wide range of business restrictions that included (i) a temporary halt to onboarding new high-risk customers, (ii) cessation of new business with existing high-risk customers with overdue periodic or material change reviews and (iii) suspension of all new trade finance business activities. Although the FCA has determined that Commerzbank London’s remediation program is now complete, these business restrictions remain in place and will be lifted gradually with FCA consent. According to the Final Notice, the Skilled Person has continued to evaluate the firm’s financial crime controls and issued reports on the effectiveness of the remediation work performed by Commerzbank London in 2018, 2019 and 2020, which noted that although certain issues still require attention, Commerzbank London was “a completely different institution” than the one it reviewed in September 2017.

Manual Override Process for Client Risk Ratings

The Final Notice outlines several issues the FCA identified with respect to Commerzbank London’s due diligence on new clients. Specifically, the FCA identified instances where a client’s risk rating was inaccurate and/or did not impact the level of due diligence applied. Additionally, the FCA observed that until October 2015 Commerzbank London lacked a documented policy that prohibited staff from performing a manual override in the firm’s system to downgrade a customer’s risk rating. The FCA identified 159 instances from 2012–2017 where a client’s risk rating was manually lowered by staff at Commerzbank London (although not all instances would have been in violation of the applicable policy).

Intermediaries

In 2012, Commerzbank London identified deficiencies in its due diligence on all intermediaries in its Private Banking Sales business, which provides “bespoke investment products” to private banks and wealth managers acting as intermediaries for third parties, such as high net worth individuals. Despite taking steps to reduce the number of intermediaries, the firm’s Internal Audit (in 2016) and the Skilled Person identified deficiencies in the firm’s financial crime controls that led to inadequate and inconsistent due diligence performed on intermediaries, including failure to identify red flags and the lack of a “risk-based” approach to due diligence.

PEPs

The Skilled Person’s review identified inadequacies in the identification and screening of PEPs at Commerzbank London. The Final Notice described several instances where (i) files contained no evidence that PEP and sanctions screening was performed on the customer or related parties, (ii) PEP alerts were discounted for little or no clear reason, (iii) PEPs were identified, but the file contained no evidence that the AML risks posed by the PEP were considered, (iv) PEP information was not uploaded to shared systems to alert others across Commerzbank AG that were transacting with the client of the potential risks and (v) Commerzbank London could not demonstrate that it conducted ongoing screening for PEPs on its customers in Commerzbank AG’s Corporates & Markets Division.

Beneficial Owners

The FCA found that certain business areas did not always follow Commerzbank London’s policy of verifying the beneficial ownership of clients from an independent and reliable source, and were “too willing” to accept assurances from the clients themselves regarding the veracity of beneficial ownership information. In particular, the FCA notes that Commerzbank London relied on email confirmation from clients to verify beneficial ownership information.

Offboarding Clients

The Final Notice observed that in instances where Commerzbank London did not receive sufficient KYC information to onboard a new client or complete a KYC refresh for an existing client, it generally did not offboard clients, even when an account was dormant. Additionally, the FCA found that there was no uniform process in place to ensure that accounts were closed after they went dormant. As a result, the FCA identified several instances in which the firm continued to transact with clients that should have been offboarded, such as in instances where the firm could not complete periodic KYC reviews.

Although Commerzbank London subsequently began a process in January 2015 that identified more than 1,500 accounts to be closed, the Skilled Person found that the lack of a comprehensive, documented process to terminate relationships with existing clients constituted a “material risk” to the firm. The FCA also observed that Commerzbank London placed “too much emphasis” on a single employee to identify clients that posed an unacceptably high financial crime risk to the firm.  

KYC Backlog and Exceptions Processes

Commerzbank London had a continuous backlog of clients overdue for a KYC refresh from 2012–2016. Pursuant to firm policy, its systems utilized a functionality that automatically prevented customers without current KYC information from transacting with the firm. In 2012, senior management in Compliance disabled this functionality in response to a large backlog of KYC files that needed to be refreshed. The Final Notice attributed the backlog to a variety of factors, including understaffing, and cited a 2015 Internal Audit report that described the backlog as a result of, among other things, (i) a lack of coordination between the Front office and the Client Lifecycle Management Team, (ii) Commerzbank London’s decision not to rely on group introduction certificates for certain clients and (iii) a lack of “clarity, transparency and pace” of communications between Commerzbank London and other Commerzbank AG branches regarding KYC.

Although the automatic function that disabled the accounts of customers with overdue KYC reviews was restored in 2016 pursuant to an Internal Audit finding, senior Compliance management subsequently implemented a similar exceptions process called the “Expiry Exceptions List” that continued to permit customers without current KYC information on file to transact with Commerzbank London.

Commerzbank London undertook several measures from 2012–2017 to reduce the KYC backlog which included (i) increasing headcount from three full-time employees in 2016 to 43 full time employees by 2017, (ii) engaging a third-party vendor in 2016 and (iii) commissioning a special investigation through Internal Audit into the Expiry Exceptions List in 2017. Additionally, Commerzbank London began a comprehensive KYC refresh for all 2,226 clients on the Expiry Exceptions List in 2017, but as of 2019, 33 clients still had not been subject to a KYC refresh. The FCA ultimately concluded that these measures were “taken too late and effected too slowly.” Notably, the FCA observed that senior management lacked oversight of key issues related to the backlog because reporting to senior management did not clearly identify the number of clients on the Expiry Exceptions List or the fact that these clients were still able to transact with the firm.

Transaction Monitoring

The FCA identified several weaknesses associated with Commerzbank London’s automated transaction monitoring tool. The Final Notice cited a 2013 Commerzbank London Compliance report that described the automated monitoring tool as “not fit for purpose,” a finding that was reiterated in the Final Notice. The FCA identified the following weaknesses with respect to the automated monitoring tool:

• The setup of the automated monitoring tool had “been fundamentally unchanged since its original implementation.” As a result, the automated monitoring tool generated high volumes of false positives that had strained the already limited resources of the Compliance group.
• The poor quality of upstream information consumed by the automated monitoring tool prevented it from functioning effectively. Compliance highlighted this issue on more than one occasion, flagging that it lacked sufficient resources to enhance or maintain the automated monitoring tool, which required more accurate information regarding source of wealth and the nature of Commerzbank London’s clients to function accurately.
• The automated monitoring tool was missing critical updates to its high-risk countries list and its list of high-risk clients. Further, Compliance did not always record that it had checked clients that alerted against the sanctions lists and failed to perform or document regular reviews of the applicable rules or thresholds used by the automated monitoring tool.

In addition to identifying weaknesses in Commerzbank London’s other transaction monitoring systems with regards to cash services and trade finance transactions, the FCA also referenced an October 2016 Internal Audit report noting that certain automated pre-trade controls relating to sanctions screening had not been put into place as expected by senior management in 2015, and that a global “blacklist” had not been implemented across all jurisdictions, creating the risk that business that was offboarded in one jurisdiction could continue in another.

Commerzbank AG began to implement a new transaction monitoring system globally in 2017, which was implemented in Commerzbank London in 2018.

We will continue to monitor and report on further developments in this area.

                                                                                          *       *       *

[1]        Fin. Conduct Auth., Press Release, FCA Fines Commerzbank London £37,805,400 Over Anti-money Laundering Failures (June 17, 2020), available here.

[2]       Fin. Conduct Auth., Final Notice to Commerzbank AG, June 17, 2020 (124920), available here.

[3]       On March 12, 2015, Commerzbank AG reached a multi-agency settlement to resolve Bank Secrecy Act/AML and sanctions allegations. See supra note 6. Commerzbank AG’s settlement with the New York Department of Finance (“DFS”) required Commerzbank to engage an independent monitor selected by DFS to conduct a comprehensive review of the Bank Secrecy Act/AML and the Treasury Department’s Office of Foreign Assets Control (“OFAC”) compliance programs, policies and procedures that pertain or affect activities conducted by or through Commerzbank’s New York Branch. N.Y. Dep’t of Fin. Servs., Consent Order Under New York Banking Law §§ 39 and 44 at 16 (Mar. 12, 2015), available here.

[4]       The Final Notice states that the U.S. monitor selected by DFS in response to actions taken by DFS against Commerzbank and Commerzbank’s New York branch reviewed and reported on weaknesses in Commerzbank London’s AML control framework in March 2018, July 2018 and October 2018.

[5]       On March 12, 2015, Commerzbank AG reached a multi-agency settlement to resolve allegations that Commerzbank remitted cross-border payments involving sanctioned clients through its New York branch as well as failures in its Bank Secrecy Act/AML compliance programs. Commerzbank AG entered into deferred prosecution with the DOJ and the Manhattan District Attorney’s Office, and also entered into Consent Orders with OFAC, DFS and the Federal Reserve Board of Governors. Commerzbank paid $1.45 billion in civil and criminal penalties to the agencies and agreed to undertake remedial measures, take certain disciplinary actions regarding employees engaged in the misconduct and engage an independent compliance monitor. See U.S. Dep’t of Justice, Press Release, Commerzbank AG Admits to Sanctions and Bank Secrecy Violations, Agrees to Forfeit $563 Million and Pay $79 Million Fine (Mar. 12, 2015), available here.

[6]       Fin. Conduct Auth., Principles for Business, Financial Conduct Authority Handbook 2.1, 2.1.1 (2018) (published April 21, 2016), available here, requiring firms to take “reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”

[7]       The Money Laundering Regulations, 2007, S.I. 2007/2157.