The final notice recently issued by the UK’s Financial Conduct Authority against the London branch of Frankfurt-based Commerzbank AG (Commerzbank London) offers some insights into the anti-money laundering (AML) systems of a major financial institution, the flaws in those systems and the FCA’s approach to dealing with those flaws.

Familiar flaws

The flaws themselves occurred over a five-year period. Other reporting entities that have to conform to AML laws, including many small ones with sparser resources than Commerzbank, might find them (either to their comfort or consternation) strikingly familiar. The FCA found, for example, that customer due diligence (CDD) processes were particularly lacking in connection with intermediaries (such as business introducers or agents), politically exposed persons (PEPs), and the verification of beneficial owners - three of the key themes that come up repeatedly in AML conferences and training – and their findings in connection with these issues are instructive.

The extent of the problem

Many such businesses will also be familiar with the identified flaws in terminating existing relationships on AML grounds and in refreshing Know Your Customer (KYC) checks, as well as with understaffing in their compliance function and lack of clarity about risk owners and responsibilities. But it is surely fair to say that the sheer extent of the problem at Commerzbank London, with an ‘exceptions process’ for business relationships that were overdue for a "KYC refresh," but nevertheless continued, was enormous. The phrasing in the FCA’s notice – which described that process as ‘out of control’, and a system for monitoring ongoing transactions as ‘not fit for purpose’ – is an indication of why the regulator singled out Commerzbank London for particular censure.

The FCA’s approach

The FCA believed that because of its previous visits and warnings (which ultimately resulted in a requirement to appoint a "skilled person" under section 166 Financial Services and Markets Act 2000 and because of actions by US regulators against Commerzbank (though not its London branch), the bank should have struggled to improve its AML regime. Instead, the regulator says that it added to an already serious set of flaws.

By way of mitigation, the bank’s co-operation with the process, which proceeded by agreement, was such that the final penalty that the FCA imposed under s206 FSMA was reduced by 30%. That means that the FCA’s process for arriving at the final penalty of £37,805,400 from an initial figure of £54,007,800 is clear, although its method for arriving at that initial figure is rather less so.

Flaws in the system

The problem with intermediaries

In late 2012, the start of the period relevant to the notice, the bank itself spotted flaws in the CDD that it was performing on intermediaries with whom it had "business relationships" as defined by the Money Laundering Regulations 2007. It introduced a new policy in April 2013 and, in September 2014, its compliance function found that representatives of its private banking sales department had ignored an instruction not to deal with a particular introducer, had circumvented restrictions by allowing payments to be made to it through other corporate entities, and had then not co-operated with the compliance department’s internal investigation. It ought to come as a surprise to many that the bank chose to deal with these infractions by way of a verbal warning.

With that background in mind, it may come as less of a surprise that the "skilled person" appointed in 2017 found that CDD on introducers remained "inadequate and inconsistent," with a set of reviewed files revealing "unidentified red flags, red flags which had been identified but not investigated appropriately and a lack of a risk-based approach to due diligence."

The problem with PEPs

The skilled person also found inadequacies in the identification and screening of PEPs, including a set of files in which there was no evidence that PEP and sanctions screenings had been undertaken on the customer, its beneficial owners and/or connected parties. It found deficiencies in other files where alerts were discounted for little or no clear reason. There were instances in which staff had written that PEPs were closely linked to the customer, yet there was no evidence that they had considered any AML risks. Of course, without evidence it is hard to say whether the risks were considered or not, so this also serves as an example of the importance of recordkeeping.

The problem with beneficial owners

The bank’s problem with identifying beneficial owners seems largely to have stemmed from an overly heavy reliance on the things that its customers told it - and these included higher-risk customers as well as lower-risk ones. (In the case of some low-risk customers, its policies might have permitted a more relaxed approach of this kind.) When its staff spotted this-or-that problem, they told the compliance function that it would be difficult to start asking for independent verification, particularly if the client was itself a financial institution, as they did not currently seek such documents in their KYC review. In 2017 the skilled person found that, in many of the files that it reviewed, the bank was too willing to accept responses and information from the customers without verifying or challenging them.

Lack of clarity about responsibilities for AML risks

The skilled person also discovered that Commerzbank London’s committees had not been clear about "risk and issue owners," which led to a "lack of clarity around responsibilities." This is no doubt a familiar problem for many wealth management firms, particularly when AML policy overlaps with anti-bribery policy, fraud prevention, sanctions and tax evasion. It is often troublesome to have only one identifiable person or department responsible for all issues associated with financial crime.

Ending relationships

The skilled person found that the bank had no comprehensive written process or set of criteria for ending relationships with, or ‘offboarding,’ clients on grounds involving financial crime. It also spotted instances where Commerzbank London said that clients had been ‘offboarded’ but had failed to adhere to the rules that pertained to the offboarding process, resulting in the clients continuing to transact with it.

It is fascinating to note that the FCA's notice referred to, but did not criticise, a provision in the bank’s compliance manual that called for the end of a relationship with a client if he happened to be highly risky and "the relevant due diligence requirements cannot be met" unless "the reason for non-performance of CDD was outside the customers’ influence" or where "the economic interest of Commerzbank outweighed the risk of money laundering posed by the client such that it would be inappropriate to terminate the relationship."

The 'KYC refresh' backlog

Two particular contexts in which a client would (in theory) be ‘offboarded’ were when the bank had not obtained KYC documents at the outset of the relationship, or when, having done so, it had not obtained updated or ‘refreshed’ documents after a pre-set period of time. The final notice tells a salutary tale with respect to this process, in which Commerzbank London appears to have made a rod for its own back by setting (no doubt with the best of intentions) a strict process for refreshing KYC and a rule to ‘offboard’ in default, but then failing to police and resource that process properly. As a result, a huge backlog built up over a period of years and the system then fell apart at the seams.

The 'expiry exceptions' list

The numbers in the notice that illustrate this problem are particularly stark. A backlog of around 1,900 legal entities that were due a 'KYC refresh' developed in 2013. By 2016 - by which time an internal review had noted concerns about the backlog, which it said was operating ‘without clear rules’ – no less than 2,350 customers were awaiting either onboarding or a periodic review.

It was at this point that an ‘exceptions list’ of clients for whom KYC requirements were not met but with whom the bank nevertheless did business, was created and grew to such an extent that the FCA described it as ‘out of control.’ In one example cited in the notice, a highly risky client, five years overdue for a 'KYC refresh,' took part in 16 transactions from which the bank generated net revenue of £273,799.

The bank’s board instituted various reforms in 2017, but the FCA thought that they were ‘taken too late and effected too slowly.’ By mid-2018, the problem was big enough to prompt a drastic increase in the size of the bank’s financial crime team - from just three up to 42 people.

Troubles with 'ongoing monitoring'

Finally, the notice criticised the bank’s automated tool for monitoring the money-laundering risk that pertained to clients' transactions, saying that it was not fit for purpose and did not have access to key information from certain of the bank’s transaction systems. Alarmingly, an internal report in 2018 identified 999 transactions involving highly risky clients and/or highly risky jurisdictions that might have generated alerts but did not. Although the precise nature of the problem is not clear from the notice, the problem that it illustrates is the need to ensure that AML software is both properly used and in receipt of relevant information.

The FCA’s process

The seriousness of the problem

With all of this in mind, it is perhaps not surprising that the FCA considered the bank to have been "in serious breach" of both the Money Laundering Regulations and its Principles for Business (specifically Principle 3, which says that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems). The fine is the second largest one that the regulator has imposed on any firm for AML deficiencies.

In the context of the FCA’s five-step regime for setting an appropriate penalty (to be found in its Decision Procedure and Penalties Manual at DEPP 6.5A), this assessment of seriousness affected step two (step one being the 'disgorgement' of the direct benefit of misconduct, which the FCA deemed to be irrelevant in this case).

With reference to the lists of relevant factors in DEPP 6.5A.2G, the notice said that the breach "revealed serious or systemic weaknesses in the firm’s procedures or in the management systems or internal controls relating to all or part of the firm’s business" and "created a significant risk that financial crime would be facilitated, occasioned or otherwise occur," although "there was no or little risk of loss to consumers, investors or other market users individually and in general."

A reduction for disproportionality

This resulted in a figure of £163,660,050, equivalent to 15% of the bank’s total turnover from clients in the relevant period. A little cryptically, however, the notice then refers to DEPP 6.5.3(3)G, which says that the FCA may decrease the level of penalty "if it considers that [it] is disproportionately high for the breaches concerned." It added that, "notwithstanding the serious and long-running nature of the breaches...the level of penalty would nonetheless be disproportionate if it were not reduced" and so it substituted a figure ("having taken into account previous cases") of £45,006,513.

An increase for aggravating factors

The notice then considered aggravating and mitigating factors (step three of the regime), with reference to DEPP 6.5A.3G. Significantly for the rest of us, the fact that the FCA had issued guidelines and taken action against other banks in the same period should have taught the bank to take these matters seriously. A plan of remediation and a set of restrictions, following the recommendations of the skilled person, were cited as mitigating factors, before the headline figure was raised by 20% to £54,007,816.

A reduction for co-operation

After dismissing the need for any increase for the purposes of deterrence (step four), and applying DEPP 6.5A.5G, the notice then decreased the figure by 30% to take account of the bank’s co-operation (step five), resulting in the final penalty figure of £37,805,400.

More judgment than science?

The casual reader might be forgiven for detecting some sleight of hand here. Notwithstanding the superficial air of scientific rigour in the FCA’s system of calculation, the application of a 15% figure to turnover at the beginning and the tweaks of 20% up and then 30% down at the end seem utterly irrelevant in view of the substitution, closely following the reference to ‘previous cases’, of the otherwise unexplained figure of £45,006,513 in the middle.

It might perhaps be preferable for the FCA to drop the pretence of science and be a little more open about how it compared the relevant factors of this case against those of other, presumably comparable, cases. The fact that this was an agreed settlement also raises the question of whether the penalty was in any way negotiated with the bank - a vital question that deserves a clear answer one way or the other.

* John Binns can be reached on +44 (0)20 7430 2277