Ensuring Your Compliance: Lessons From Commerzbank London

On 17 June 2020, the London branch of Commerzbank AG (“Commerzbank London”) was fined £37,405,400 by the Financial Conduct Authority (“FCA”).¹ The FCA’s fine against Commerzbank emphasises a continued focus on Anti-Money Laundering (“AML”) controls and follows the FCA’s record fine of £102,163,200 imposed on Standard Chartered Bank in 2019 for its AML failings.

In relation to Commerzbank London, Executive Director of Enforcement and Market Oversight at the FCA, Mark Steward, said, “Firms should recognise that AML controls are vitally important to the integrity of the UK financial system”. Whilst no evidence of criminality was found, the failures by Commerzbank London in not having adequate policies and procedures in place was sufficient to warrant this significant penalty.

Key Takeaways

• As evidenced by the size of the fine, the FCA views the risks of exposure to financial crime as seriously as the crime itself.
  
• Firms need to adopt a global approach to AML. Dislocation of information and poor communication across business lines and international offices exposes firms to unnecessary risk and creates gaps in compliance.
  
• Firms should act expeditiously to implement regulatory recommendations and industry guidance.
  
• Firms should implement AML policies and procedures in response to lessons learned across their business lines, and not limit remediation to office jurisdictions.

The FCA Findings

Between 23 October 2012 and 29 September 2017, Commerzbank London failed to meet its money laundering obligations pursuant to Principle 3 of the FCA’s Principles for Businesses. Key failings highlighted by the FCA included:

1. Shortcomings in the financial controls applicable to intermediaries.
   
   
2. The ability of Commerzbank London to identify and consider risk in relation to politically exposed persons (“PEPs”) was inadequate.
   
   
3. Certain business areas occasionally failed to adhere to internal policies for independently verifying the beneficial ownership for clients, including high-risk clients.
   
   
4. Due to understaffing, a backlog of existing clients subject to refreshed ‘know-your-client’ (“KYC”) checks developed. By February 2017, 2,226 existing clients were overdue refreshed KYC checks. The steps taken to reduce the backlog were taken too late and effected too slowly.
   
   
5. An exceptions process to allow existing clients to continue to do business with the bank, despite not having been subject to timely periodic KYC checks, became “out of control”, with senior management and Compliance lacking understanding of the process.
   
   
6. The automated tool for monitoring money laundering risks on transactions did not have access to key information and was not fit for purpose, having been designed by a third-party software licensor who developed and set the rules.

The Penalty

The penalty of £37,405,400 was aggravated by Commerzbank London’s slow response to remediate earlier AML concerns which had been previously raised by the FCA, and the failure to fully address AML failings at group level previously identified by the U.S. regulators.

In this instance, the starting point for the fine was the amount of revenue derived from Commerzbank London’s clients during the relevant period, which was £1.1 billion. However, that figure was subsequently reduced to reflect, amongst other things, their co-operation and undertaking of a significant remediation exercise, as well as a 30 percent discount for their early agreement for resolution.

Ensuring Compliance

AML compliance remains the focus of regulators around the world and whilst the U.S. penalties over the past five years have remained steady, it is the European and UK regulators who have imposed total penalties of approximately £4.6 billion in 2019.

Learning from the failings at Commerzbank London, firms should take the following steps to ensure the robustness of their financial crime controls:

1. Risk Assessment

It is vitally important to conduct an assessment of both local and global AML risks specific to your business “to identify, assess, monitor and manage money laundering risk”. To avoid the pitfalls of senior management and employees failing to understand their risk responsibilities, AML policies should clearly identify which business or function is responsible for implementation, monitoring and oversight of AML risks. A gap analysis of existing policies and desk-level practices will help to ensure AML controls are fit for purpose.

2. Intermediaries

Commerzbank London was found to have had serious shortcomings in respect of the due diligence conducted on intermediaries such as business introducers or agents. In particular, AML controls were inadequate and applied in an inconsistent manner resulting in red flags failing to be investigated. When intermediaries are being engaged, it is important for firms to conduct a specific risk analysis, adopt a risk-based approach to due diligence and apply the rules in a consistent manner.

3. Proportionate Procedures for PEPs

Where PEPs, or family members or close associates of a PEP are identified, additional steps must be taken which include: approval from senior management; identification of their source of wealth or funds; and where a relationship is entered into, enhanced ongoing monitoring of the business relationship.

Firms should ensure that they can evidence screening for PEPs on the customer, beneficial owner and/or connected parties. Where PEPs are closely linked to customers, firms must be able to show that they have considered the potential AML risks posed by the individual and can demonstrate ongoing monitoring.

4. Tone From the Top

Commerzbank London failed to provide sufficient resources to the compliance function which led to a backlog of KYC checks. It is, therefore, crucial that the Money Laundering Reporting Officer has access to adequate resourcing to enable them to carry out their function properly and in a timely manner. This will be indicative of how serious senior management view AML, and compliance in general. If an exceptions process is adopted, as it was in Commerzbank London, it must be unambiguous and consistently applied once all risks are understood.

5. Transaction Monitoring

Ongoing monitoring is a key function to avoiding the risk of money laundering and ensuring compliance with best practice. It was also a key failing by Commerzbank London where the automated transaction monitoring tool was fundamentally flawed and was, as early as 2013, reported by a member of the Compliance team as “not fit for purpose”, relying on inaccurate information, failing to create alerts and failing to properly monitor the bank’s highest risk scenarios. Specifically, 40 high-risk countries were missing from the tool and the list of high-risk clients had not been updated, meaning that 1,100 high-risk clients had not been added.

Firms must ensure that monitoring systems are fit for purpose from the outset and tested and updated regularly.

Looking Ahead

Where firms can evidence that they have a risk-based approach across their business to AML which is reflected in proportionate AML policies and procedures that are routinely tested and monitored, they will be in a good position to prevent money laundering and demonstrate to the FCA that their controls are effective and adequate.

With 2020 being catapulted into the realms of uncertainty by COVID-19, it would be remiss to think that combatting financial crime would be a lower priority at governmental levels. If recent penalties are any indication, the European regulators, including the FCA, are focusing very clearly on tackling money laundering. There has never been a more important time to ensure that your compliance function is fully operational.