The UK's Financial Conduct Authority has fined the London branch of Commerzbank for inadequate financial crime controls covering intermediaries (i.e. introducers and distributors), politically exposed persons (PEPs) and other matters during 2012-17, when it had a wealth management unit.
The International Wealth Management business unit offered wealth management services to private clients between March 2013 and the second quarter of 2016. Commerzbank agreed to the sale of its wealth management business in 2015 but the unit lingered on at the London branch for another few months after year's end until the actual closing of the sale.
The FCA holds Commerzbank guilty of disobeying "principle for businesses" 3, which exhorts firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. In particular, the bank's financial-crime controls that applied to intermediaries (i.e. introducers and distributors) were found wanting; a "skilled person's report" (done by an external contractor at the regulator's behest) found that it spotted and considered risks associated with PEPs inadequately; and certain business areas did not always stick to internal bank rules that governed the verification, from reliable sources of information, of the beneficial ownership of highly risky client-entities. There was apparently no written-down process for ending a relationship with an existing client who (or which) posed a risk related to financial crime, and there was a backlog of know-your-client (KYC) checks, in part because the "first and second lines of defence" were understaffed. No actual financial crime took place as a result of these problems.
The FCA makes a point of saying that in mid-2016 the financial crime team in the compliance department consisted of just three full-time employees, while by mid-2018, once the bank had admitted its shortcomings, this stood at 42. This is not, however, an indication of how many people the team ought to have had in the first place, as a 'remediation' exercise always brings in huge crowds of contractors who dissipate when most of the work is done, with perhaps one or two staying on as permanent staff.
The bank failed to have clear lists of "risk and issue owners," a vague reference to a hazy allocation of responsibilities. For a while in 2016, an 'exceptions' process existed to permit existing clients to continue to transact with the bank even though they had not been subject to timely periodic KYC checks. This spiralled out of control very quickly, with compliance people not knowing how it worked. This probably did not involve private clients, because it came so late in the period.
Intermediaries on the 'sell side' of private banking
Towards the end of 2012, Commerzbank London found out that it was not always being "duly diligent" with all intermediaries (such as business introducers or agents) in its private banking sales (PBS) business area. PBS provided bespoke investment products to private banks and independent wealth managers who acted as intermediaries for others, such as professional investors or high-net-worth individuals. The next year the compliance function found that 350 business partners had not been checked properly, leading to a reduction in the number of business partners that PBS engaged. In September 2014, compliance staff found that representatives of PBS had ignored an instruction, given in October 2012, not to deal with a particular introducer and had subsequently circumvented restrictions in place to prevent PBS from dealing with it by allowing payments to be made to it through other companies. The compliance department also remonstrated with people at PBS for not speaking to it 'transparently.' As late as 2016, auditors were finding further shortcomings in the financial crime controls.
In 2017 a "skilled person's review" (which the FCA often orders a firm to pay for by invoking s166 Financial Services and Markets Act 2000) looked at 61 files and found no evidence that PEP and sanctions screening had been undertaken on corporate customers, their beneficial owners and/or connected parties in ten of them. Commerzbank London was also not able to show the "skilled person" that it was looking continually for PEPs or customers in its Corporates and Markets Division.
Likewise, Commerzbank London’s automated 'tool' (software that generated alerts for the compliance department to look at) for spotting money-laundering-related risks regarding clients' transactions was not fit for use. This was true more or less throughout the period. It could not interpret data from certain transaction systems effectively and generated far too many alerts. The compliance department complained that it did not have enough money to keep this software going, let alone to improve it. The tool did not take account of 40 highly risky countries, and it did not stay up to date with its list of highly risky clients. The compliance department did not review the tool's rules and thresholds enough or on time.
Rules are like piecrusts - made to be broken
The FCA also says that Commerzbank broke rules SYSC 6.1.1R (taking care to control its affairs), SYSC 6.1.1R (having good policies and procedures), and SYSC 6.3.1R (taking care of money-laundering risk and exercising controls that are tailored to the complexity of its activities). Commerzbank received the usual 30% discount on the fine that it had to pay in return for its instant capitulation to all the FCA's demands.