FCA Fines Commerzbank over AML failures – what is the lesson?

Introduction

On 17 June 2020, the Financial Conduct Authority (“FCA”) published a final notice (“Notice”) imposing a fine of £37,805,400 upon the London branch of Commerzbank AG (“Commerzbank”)^[1] for failing to put adequate anti-money laundering (“AML”) systems and controls in place between October 2012 and September 2017.^[2]

Background

The FCA reported that between 23 October 2012 and 29 September 2017 (“Relevant Period”), Commerzbank failed to meet FCA requirements and a series of breaches were identified in the way due diligence was conducted and in relation to ongoing monitoring due diligence and transactions.

Following the FCA visits, in March 2017, Commerzbank initiated a large-scale remediation project (“Remediation Programme”) to improve its financial crime control framework. As part of this programme, Commerzbank appointed a Skilled Person (pursuant to section 166 of the Financial Services & Markets Act 2000 (“FSMA”)) and implemented wide-ranging temporary business restrictions (“Business Restrictions”), ceasing onboarding new high-risk customers, ceasing new business with some existing high-risk customers and suspending all new trade finance business activities.

Although the Remediation Programme has been completed, the temporary Business Restrictions remain in place and will be eventually lifted.

What were the failings?

1. Issues in the way Commerzbank London carried out due diligence on new clients

1.1 Financial crime controls on intermediaries

There were shortcomings in Commerzbank’s financial crime controls applicable to intermediaries (e.g. insufficient due diligence in introducers and distributors).

It appeared that representatives of the Private Banking Sales (“PBS”) circumvented restrictions in place to prevent PBS from dealing with the introducer by allowing payments to be made to the introducer through other corporate entities.

The Skilled Person noted that due diligence on introducers was inadequate and inconsistent with “unidentified red flags, red flags which had been identified but not investigated appropriately and a lack of a risk based approach to due diligence.”

1.2. Inadequate controls on PEPs

The procedure to identify and consider the risks associated with politically exposed persons (“PEPs”) was inadequate on the basis of a lack of evidence that PEP and sanctions screening had been undertaken on the customer, its beneficial owners and / or connected parties.

There were occasions where although the PEPs were identified as being closely linked to the customer, there was no evidence that the AML risks had been considered and instances where no alert was uploaded to the system to avoid the risk in other transactions.

1.3. Need for verification of beneficial ownership through a reliable and independent source

The FCA also reported that certain business areas did not always adhere to Commerzbank’s policy of verifying the beneficial ownership of customers, from a reliable and independent source.

There was an excessive reliance on email confirmation as to the veracity of the information provided on the beneficial ownership of the customer without independent verification, meaning that financial crime risks arising through ownership and control structures may not have been identified.

1.4. Offboarding clients

Commerzbank’s global policy indicated that an account would not be open where adequate information to onboard a new client or adequate KYC information to complete the due diligence for an existing customer was not received, or, in some instances, it would mean the termination of an existing relationship. However, it was identified that Commerzbank had no comprehensive documented process or criteria for terminating a relationship with an existing client for financial crime risk.

1.5. Lack of clarity around responsibilities for AML risks

The FCA reported that “risk and issue owners were not clearly articulated or understood by Commerzbank London’s committees leading to a lack of clarity around responsibilities” with impact in the Front Office, Client Lifecycle Management (“CLM”) and Compliance.

2. Issues on ongoing monitoring due diligence on existing clients

2.1. Weaknesses in KYC refresh and exceptions process

Commerzbank’s policy was to undertake a review of the due diligence held for existing customers (“KYC refresh”) on a periodic basis, in accordance with the risk rating assigned to a customer.

Whilst steps were taken to reduce a significant backlog of KYC refresh, the measures were taken too late, and effected too slowly. The FCA noted that this was in part due to the fact that Commerzbank’s first and second lines of defence tasked with carrying out key AML controls were understaffed and highlighted that communication and coordination between internal departments.

The FCA also noted a lack of control, understanding and adequate awareness by senior branch management and compliance on the exceptions process put in place from May 2016 to permit existing clients to continue to transact with Commerzbank, despite not having been subject to timely periodic KYC checks.

3. Issues on ongoing monitoring transactions for existing clients

Commerzbank’s automated tool for monitoring money laundering risk on transactions for clients was identified as not fit for purpose based on the lack of access to key information from certain transaction systems.

In addition to this, the Skilled Person noted that due to a lack of automated and continuous updates on High Risk Customers, the highest risk scenarios were not being properly monitored.

The financial penalty

Following various visits in 2012, 2015 and 2017 relating to Commerzbank’s AML control framework, the FCA required Commerzbank to address a number of identified weaknesses, particularly:

to comply with the FCA Principles for Businesses (“Principles”) by taking reasonable care to organise its affairs responsibly and effectively, with adequate risk management systems (Principle 3); and
to have policies and procedures in place, comprehensive and proportionate to its business activities, to enable it to identify, assess, monitor and manage money laundering risk to comply with the Money Laundering Regulations 2007 (“MLR”).

In assessing the seriousness of the breaches, the FCA also considered what it called “a background of heightened awareness within the Commerzbank” in relation to the weaknesses of their global financial crime controls, following a previous action from the US Department of Justice in 2015^[3] which did not involve the London branch.

In imposing the fine, the FCA applied a 30% (stage 1) discount under the FCA’s executive settlement procedures which reduced the financial penalty from £54,007,800 to £37,805,400.

Notably, however, the fine imposed upon Commerzbank remains the second-largest fine imposed by the FCA, second to Standard Chartered Bank, where a financial penalty of £102m was imposed over breaches of AML regulations. ^[4]

How to maintain appropriate AML controls: What have we learnt from the FCA decision?

The FCA decision and the resultant fine imposed upon Commerzbank has reinforced the importance of firms maintaining appropriate risk-sensitive policies and procedures to minimise risk, including systems and controls to identify, assess and monitor money laundering and terrorist financing risks.

In order to establish and maintain an effective risk-based AML control framework in compliance with the AML Regulations, firms must take into consideration the following:

1. Compliance with new Customer Due Diligence (“CDD”) Requirements

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (“MLR 2017”)^[5] require firms to identify customers and verify their identity on the basis of a reliable independent source. This obligation to identify and verify is extended to beneficial owners.

As part of due diligence, firms must also assess and obtain information on the purpose and intended nature of the business relationship or transaction. The MLR 2017 also set out stringent requirements in respect of Enhanced Due Diligence (“EDD”).

The FCA decision in Commerzbank reinforces that if a firm is not able to conclude the CDD or EDD on a prospective customer, it must not onboard that customer or transact for or with it. If the same happens in respect of an existing customer, the firm must terminate its relationship with its customer.

2. Ongoing monitoring due diligence on existing clients

Part of Commerzbank’s failures were related to the deficient monitoring of business relationships. The FCA reminded firms that this obligation requires firms to monitor business relationships tailored in accordance with the firm’s risk assessment of that customer. Where the business relationship is considered to be higher risk, the ongoing monitoring must be enhanced, and therefore more frequent or intensive.

3. Ongoing monitoring transactions for existing clients

Under the MLR, firms have an obligation to monitor all business relationships with existing clients. Where the business relationship is considered to be higher risk, the firms must put in practice and enhanced monitoring (e.g. PEPs).

The FCA reminded firms of their obligations to scrutinise customer transactions to ensure that they are consistent with the firm’s knowledge of the customer, its business and its risk profile.

Conclusion

The Commerzbank fine, the second-largest fine imposed by the regulator for breaches of AML provisions, is illustrative of the FCA’s tough stance on compliance measures and failure to heed to warnings by taking the necessary measures in a context where Commerzbank was also being criticised by US Regulators. The FCA decision highlights the importance of implementing and maintaining adequate compliance and due diligence procedures and undertaking remedial actions promptly and efficiently.

^[1] Commerzbank AG is a large international commercial bank, headquartered in Frankfurt, which operates in the UK through its branch Commerzbank London.

^[2] https://www.fca.org.uk/publication/final-notices/commerzbank-ag-2020.pdf

^[3] https://www.justice.gov/opa/pr/commerzbank-ag-admits-sanctions-and-bank-secrecy-violations-agrees-forfeit-563-million-and https://fcpablog.com/2015/03/12/compliance-fiasco-commerzbank-pays-145-billion-for-aml-sanct/

^[4] https://www.fca.org.uk/publication/decision-notices/standard-chartered-bank-2019.pdf

^[5] https://www.legislation.gov.uk/uksi/2017/692/contents/made

Cookie	Type	Duration	Description
_ga	third party	2 years	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
_gat	third party	1 minute	Google Analytics cookies to track users as they navigate the website and help improve the website's usability.
_gid	third party	24 hours	This cookie is installed by Google Analytics and collects information on how users interact with the website. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. It is used to distinguish users.
cookielawinfo-checkbox-necessary	session	1 year	Records the default button state of the corresponding category. It works only in coordination with the primary cookie.
cookielawinfo-checkbox-non-necessary	session	1 year
viewed_cookie_policy	session	1 year	Is the primary cookie that records the user consent for the usage of the cookies upon accept and reject. It doesn't track any personal data and is set only upon user action (accept/reject).

FCA Fines Commerzbank over AML failures – what is the lesson?