Anti-Money Laundering Lessons to be Learnt from the Commerzbank Fine
By Arun Srivastava & Gesa Bukowski
With the hefty £37.8 million fine imposed on Commerzbank AG’s London branch last month (and an accompanying strong deterrent message for the market more generally), the UK Financial Conduct Authority (FCA) have signalled their intention to continue to come down hard on firms’ breaches of anti-money laundering obligations.
Increased AML enforcement risk
The June 2020 announcement of the Commerzbank penalty comes following a series of signs indicating an increased risk of enforcement by the FCA in UK AML cases. The FCA’s 2020/21 Business Plan notes that it will continue to take enforcement action in financial crime matters where the FCA uncovers serious misconduct, “particularly where there is a high risk of money laundering.”
In a speech given in April 2019, the FCA’s Director of Enforcement, Mark Steward, said that “I think it is time that we gave effect to the full intention of the Money Laundering Regulations which provides for criminal prosecutions”. The speech was foreshadowed by the FCA signalling that it intended to pursue more dual-track money laundering investigations, meaning that the Authority would pursue running both civil and criminal investigations side-by-side. This shift raised prospects of an increased likelihood of criminal prosecution for breaches of procedural AML obligations, whether or not those breakdowns actually facilitated any substantive money laundering.
Taken together, these developments confirmed the risk of enforcement action where the regulator identifies breaches either of a company’s systems and controls (“SYSC”) requirements or breaches of the Money Laundering Regulations 2007 (“ML Regulations”). In particular, regulated firms are under increased risk of criminal prosecution and fine for procedural breaches which would otherwise be subject to a civil or administrative sanction.
The fact that the FCA have imposed a significant fine on Commerzbank for breaches of anti-money laundering (“AML”) compliance obligations is, therefore, not a complete surprise. While the fine is significant, it should not be forgotten that the FCA have fined two other major banks over £100 million each for AML contraventions.
Why do firms get it wrong?
One surprising aspect of money laundering enforcement is that Final Notices issued by the FCA invariably cover the same well-trodden ground of breaches of obligations relating to customer due diligence (“CDD”), high risk jurisdictions, treatment of politically exposed persons (“PEPs”) and monitoring. In the Commerzbank case, the FCA’s investigation covered nearly five years during which breaches were occurring. In this period the bank’s own internal audit team had identified problems yet, in the FCA’s eyes at least, the Bank failed to take appropriate remediation measures with sufficient speed.
The ML Regulations set out seemingly clear obligations around the performance of CDD checks, the assessment of risk, and the monitoring of transactions. In practice, meeting these obligations presents tremendous operational difficulties, particularly for large firms with a large number of clients and transactions and exposure to multiple jurisdictions. Beyond keeping policies and procedures current, ensuring the rigorous application of controls in real-time requires considerable human and technological resources.
A further dynamic is the impact of AML controls on a firm’s business. The Money Laundering Reporting Officer (MLRO) might potentially have to veto the onboarding of new clients or the execution of particular transactions. MLRO might also have to decide to report clients to the NCA or other FIU. This can, of course, create tension with the business.
FCA action against Commerzbank
In June 2020, the FCA imposed a fine of £37.8 million on Commerzbank AG’s London Branch for breaches of the ML Regulations. The 2007 ML Regulations have, of course, been superseded by the more recent Money Laundering, Terrorist Financing & Transfer of Funds (Information on the Payer) Regulations 2017 (the “2017 Regulations”), which came in force after the period of conduct for which Commerzbank is being penalised. However, since the 2017 Regulations contain the same fundamental obligations as the ML Regulations, albeit with a greater focus on a risk based approach, the Commerzbank case remains relevant for firms learning to comply with the updated regime.
Dealing with issues promptly
The FCA’s action against Commerzbank covered a broad period of time from 23 October 2012 to 29 September 2017.
An important feature of the case was that concerns about different AML compliance issues had existed for a lengthy period of time and had been raised by the bank’s own Internal Audit team. A Skilled Person under section 166 of the Financial Services and Markets Act 2000 had also been appointed in 2017. A Skilled Person is appointed to report to the FCA on matters of concern. Regulatory enforcement action is more likely to be taken against a regulated firm where the firm has failed to identify and remediate matters itself. A Skilled Person is an external appointment.
In addition to these internal red flags, the FCA was not the first regulator to state concerns about Commerzbank’s AML compliance. The New York Department of Financial Services (“NYDFS”) had taken action against Commerzbank’s New York branch and an independent monitor had been appointed to review and report on, amongst other things, weaknesses in the bank’s AML control framework at Commerzbank’s London branch.
These matters all pointed to the bank needing to take appropriate remedial action.
The manner in which a firm responds to issues once identified, including notifying regulators, remediating processes and controls, and addressing any substantive consequences of errors or breaches, are all important issues which impact on the regulatory response to failings.
We consider below some of the issues raised in the FCA’s Final Notice.
Introducers and Intermediaries
The bank was criticised by the FCA for failings in relation to the conduct of due diligence on introducers and distributors. The FCA’s Final Notices explained that the Private Banking Sales area of the bank dealt directly with customers, but some of these customers were introduced by intermediaries.
A firm needs to consider the nature and extent of its AML controls in circumstances where it does not have direct access to a customer and is instead dealing with the customer through intermediaries such as business introducers.
In addition to the above, intermediaries are a source of anti-bribery and corruption (“ABC”) risk and risks in relation to intermediaries also need to be assesses for these reasons.
Among the issues that arose in relation to intermediaries was the failure by some staff members to comply with instructions to refrain from dealing with certain intermediaries after an attempt was made by the bank to reduce its exposure in this respect. More generally, both the bank and the Skilled Person found that insufficient due diligence was being conducted on intermediaries. In 2016, the bank’s Internal Audit identified inconsistencies in policy documentation used by different parts of the bank that led to these discrepancies. There was also a lack of awareness by some parts of the bank of the intermediaries’ policy.
The Skilled Person found that due diligence on introducers was inadequate and inconsistent. The Skilled Person found that files revealed unidentified red flags, red flags that had been identified and not investigated and a lack of a risk based approach to due diligence.
These matters all created risks for the bank. Firms should have processes to identify relationships with intermediaries and assess the risks arising from those relationships both in an AML and an ABC context. Appropriate due diligence should be carried out on intermediaries and this should be reviewed periodically with risks being reassessed.
Politically exposed persons (“PEPs”)
PEPs are a key area of risk that have featured prominently in other AML enforcement actions taken by the FCA. When reviewed by the Skilled Person, a number of inadequacies in Commerzbank’s identification and screening of PEPs were found, including:
No evidence for certain files that PEP and sanctions screening had been undertaken on the customer, its ultimate beneficial owners (“UBOs”), and/or connected parties.
PEPs were identified as being closely linked to a customer yet there was no evidence that the AML risks posed by these associated individuals were considered.
Commerzbank was not able to demonstrate that it was conducting ongoing screening for PEPs or customers, meaning that events that ought to trigger a review after onboarding might not be identified.
The above failings in relation to PEPs were all failings to carry out basic procedures around PEPs appropriately. As PEPs are an area of high risk and close regulatory attention, firms should review processes around PEPs. One important aspect of controls around PEPs is to obtain senior management approval to onboarding clients who are PEPs, or whose UBOs are PEPs. However, it is also important to apply controls on an ongoing basis and not just at the time of onboarding.
Verifying the beneficial ownership of clients, including high-risk clients, from a reliable and independent source
AML obligations require that firms must take a risk-based approach to confirming the identity of beneficial owners. While it may be reasonable for a firm to confirm the beneficial owner’s identity based on information supplied by lower-risk customers, in other cases the firm may need to obtain confirming information from reliable and independent sources.
The Skilled Person found that in 46% of CDD files reviewed, the bank had failed to identify and verify the identity of beneficial owners. The Skilled Person attributed this to the fact that Commerzbank was too willing to accept responses and information from the customer without independently verifying or challenging them.
In performing CDD and associated measures, the starting point is that the firm should seek verification from sources independent of the client. It is usually difficult for firms to achieve compliance when relying solely on information that the client itself has provided. Where it is difficult to obtain sufficient information from public registers alone, the firm must take a holistic approach and the information a client is able to provide might be one component of this.
While AML controls focus closely on the client onboarding processes, the Commerzbank case highlights the fact that offboarding processes are also important.
In the Commerzbank case, the bank was criticized for not offboarding clients even where their accounts were dormant. This resulted in the risk of transactions taking place on accounts of clients who should have been offboarded. The FCA found that no comprehensive documented process or criteria existed for terminating a relationship with an existing client for financial crime risks. The FCA said that the firm should have had documented criteria for identifying clients that posed too high a financial crime risk so as to better enable the firm to adopt a uniform approach to offboarding clients in line with this risk appetite.
The Refresh Backlog
Money laundering regulations require firms to refresh CDD obtained on clients. Firms must assess the risks of customers and determine appropriate periods for performing CDD refresh, with higher risk customers undertaken more frequently and less frequent updates acceptable for lower risk customers.
Determining the appropriate refresh period can be challenging but, equally, firms must ensure that resources are available to perform refreshes at the relevant times. As stated above, a lot of focus is naturally placed on the onboarding stage given imperatives to get clients into a firm. However, from a compliance standpoint, the refresh is equally important given that ownership and risks related to a particular client can have changed.
In Commerzbank’s case, a significant backlog built up in refresh files, leading to the risk of the firm continuing to deal with clients where the risks associated with the client had not been appropriately checked and reassessed. While the bank tried to address the CDD/KYC refresh backlog, the FCA’s view was that the measures taken were too late and effected too slowly.
Transaction monitoring is a key part of an AML control framework, but it is notoriously difficult to implement an effective monitoring tool where a firm is seeking to monitor large volumes of transactions.
Regulation 28(11) of the 2017 Regulations provides that ongoing monitoring of a business relationship must include scrutiny of transactions to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and the customer’s risk profile.
Where the business relationship is considered to be high risk, monitoring must be more frequent or more intensive.
The FCA’s Final Notice stated that Commerzbank London’s automated tool for monitoring money laundering risk on transactions for clients “was not fit for purpose”, and did not have access to key information from certain of Commerzbank’s transaction systems. The appropriate information was not being fed into the tool, including for example the fact that the tool did not incorporate risks relating to 40 high risk jurisdictions. Given the deficiencies in the monitoring tool, the firm was not in a position to demonstrate that it was appropriately monitoring AML risk on an ongoing basis.
Finally, and importantly, from a governance perspective, the FCA found that risk and issue owners were not clearly articulated or understood by Commerzbank London’s committees. This led to a “lack of clarity around responsibilities”, which impacted the Front Office and Compliance.
In the Senior Managers and Certification Regime (SMCR) world, all firms must ensure appropriate allocation of roles and responsibility for them. Individuals are under greater scrutiny to ensure that they understand their roles, the risks for which they are responsible, and that they discharge their duties responsibly.