The regulator of Dubai's international financial centre has taken Deutsche Bank to court over access to the details of customers registered in Switzerland – and is showing no signs of backing down.

The regulator of Dubai's international financial centre has taken Deutsche Bank to court over access to the details of customers registered in Switzerland – and is showing no signs of backing down.

Commentators are finding it difficult to interpret this unprecedented step. Some believe that it is part of the assault on Swiss banking secrecy that only truly began with the recent US tax offensive against Swiss banks and the court cases that formed part of it. The Dubai Financial Services Authority made its request for the information in a local court on the last day of October and only publicised its action a few days ago. It is after the names and details of all clients for whom the Dubai branch's private wealth management department has acted in the last 2½ years.

Branch networks: the new enemy?

The regulator's choice of target – and it is certainly a deliberate choice – is interesting. Regulators tend to prefer international banks to open affiliates rather than branches in their jurisdictions because these can then be counted as domestic companies and are easier to regulate. International banking empires tend to want to open branches in foreign jurisdictions because they are easier to control than stand-alone companies with their own boards, much to the discomfort of some regulators. Deutsche Bank AG Dubai (DIFC) Branch is one of the latter.

When investigators use half the rulebook as a pretext

The occasion of this forthcoming legal tussle was supplied by a regulatory investigation of the kind that Lawrence Lieberman and Paul Glass of Taylor Wessing described here. At the start, in line with their descriptions of the way these events unfold, the DFSA already had specific rule-breaches in mind when it notified the bank in December that an investigation was about to begin.

These state that an authorised firm must, in conducting its business activities, act with due skill, care and diligence (GEN 4.2.2); ensure that its affairs are managed effectively and responsibly by its senior management, with adequate systems and controls to ensure, as far as is reasonably practical, that it obeys the law (GEN 4.2.3); deal with regulators openly and co-operatively (GEN 4.2.10). They state that an authorised individual should act with due skill, care and diligence in carrying out licensed functions (GEN4.4.2); disclose any information of which the DFSA would reasonably be expected to be notified (GEN 4.4.4); and do all he can to make his firm's business manageable and controllable.

The authority also alleges that the firm has broken AML 3.1.1, which obliges it to evolve effective anti-money-laundering policies, procedures, systems and controls. It is also investigating the firm for breaking AML 3.4.1(1), which obliges it to establish and verify the identity of any customer; AML 3.4.2(2), by which it must establish and verify the identity of anyone on whose behalf the customer is acting, including that of the beneficial owner of the relevant funds; AML 3.4.11(1)(c), regarding introductions and 'reliance', which states that the introducing member of the authorised firm's group has to state in writing that the customer's identity has been verified in line with Financial Action Task Force standards with no omissions and that the authorised firm – and presumably any visiting regulator – is always able to look at the identifying documents 'without delay'; and AML 3.7.1(2), which states that the firm must have regard to the relevant provisions of Appendices 1 and 2 when assessing the money-laundering risks before it.

These elephantine appendices run to nearly 5,000 words and contain a great deal of information about keeping customers' identification up-to-date, what documents to use and what information they should bear; special issues such as drug-trafficking and politically-exposed persons; and a description of what constitutes a suspicious transaction. They call for information about both the origin of funds being deposited and the customer's source of wealth/income. One phrase stands out: “The highest risk products or services in respect of money laundering are those where unlimited third party funds can be freely received, or where funds can regularly be paid to third parties, without evidence of identity of the third parties being taken.” The record-keeping period for identifying documents in the UAE is six years.

This does not exhaust the list of things for which the DFSA is scrutinising Deutsche Bank. Its claim-sheet says that it suspects breaches of COB 2.3.1, a complicated multi-rule which ranges from obliging the firm to determine whether someone is a professional client (see last issue) and listing the circumstances under which it need not designate him/it as such to warning it that it must treat a client at 'one stage removed' as its own customer unless the firm through which it is benefiting that client is another authorised firm.

The DFSA also voices its suspicions that Deutsche Bank broached COB 3.3.2, another complicated rule which calls for an agreement in which the client testifies to the bank that it has given it all the necessary information in Appendix 2 of the money-laundering rules, having actually done so. As in the UK's Money Laundering Regulations, there is a convoluted exemption for the client if it is 'impractical' for him/it to comply. Deutsche Bank may wish to make some use of this exemption in the long run.

Rule COB 3.4.2 states that an authorised firm should recommend suitable products to its clients. It must assess their needs, means, objectives, risk appetites and other things that the regulator might consider 'reasonable' at a later date. It can use its discretion to relax its rigid pursuance of 'suitability' in the case of professional clients. If it manages a discretionary portfolio management account for a professional client, however, it must be as strict about 'suitability' as in all other cases.

Each rule that the DFSA suspects Deutsche Bank of breaking appears to be lengthier and wider in range than the last. Most international centres with Anglo-Saxon legal roots have their versions of these rules, often in exactly the same phraseology.

The Grand Strategy

As far as it is possible to ascertain, the DFSA has never 'thrown the book at' a firm to this extent before. This can be taken in two ways: the length of the list might betoken the vehemence behind it, but it might also be a sign of the DFSA's desire to cover every eventuality.

It is also no accident that the subject of this epic battle of the jurisdictions is private banking and the subtext, without doubt, is the onshore assault on the proceeds of tax-evasion with the help of non-compliant jurisdictions. Switzerland, in the eyes of the DFSA and many others, is at the top of that list of countries. Dubai itself, however, tops the list in the eyes of many investigators who note its use again and again in money-laundering investigations. This could become a make-or-break test case on Dubai's role as a money-laundering haven; perhaps its authorities always intended it to be so.

The first lunge

The investigation officially began in December 2012. Seven months later – there must have been a visit in between as the document refers later to a 'skilled person's report' issued in April – the DFSA asked Deutsche to provide it with an Excel spreadsheet containing all the names of the clients of its private wealth management department. It also wanted to know the date on which every account was opened or (if applicable) closed; whether there was a 'client agreement'; the extent to which 'customer due diligence' (a clumsy term coined originally by the Basle banking group and eventually taken up by the FATF) had occurred; the standard to which this had happened; every client's risk-rating (the DFSA expected at least enough granularity for three levels – high, medium and low); whether the 'onboarding' process happened under Deutsche Bank's original rules or under a new set of rules that it hurriedly imposed in April, probably at the prompting of the 'skilled persons' who visited; and the name of the relationship manager.

Another, even more interesting, request for information came at the same time and in the same notice: a request for information about the accounts of a Mr Munir Kaloti, an influential jeweller whose business has been expanding in South America of late. The DFSA asked Deutsche Bank to pay special attention to “any AML risk assessment performed with respect to Munir Kaloti”. It also wanted all 'customer duly diligent' documents including the verificaiton of Kaloti's identity.

Kaloti Group, one of the world's largest gold and precious metal refiners and trading houses, is setting up a massive precious metal refinery in the Jumeirah Lakes Towers Free Zone of Dubai, with the opening date timed for late 2014. Why, some are asking, would the government of Dubai want to interrupt that project?

The first parry

Deutsche Bank complied in large part, but refused to surrender certain information that came, in the wonky grammar of its legal team, from “relationships booked to Deutsche Bank Geneva.” The registrations of the rest of its Dubai-based private banking clientèle (or at least those with relationship managers based in Dubai) appear to have been made in Singapore. Whether or not they were, Deutsche Bank admitted that it was not complying in 120 Swiss-related cases.

Its stated reason was the Swiss penal code. Under Swiss law, certain information can only be disclosed under a mutual legal assistance treaty or MLAT. Article 271 states that whoever, without being authorised, carries out activities on behalf of a foreign state or a foreign party or organization on Swiss territory, where such activities are the responsibility of a public authority or public official, and whoever aids or abets such activities can go to prison for three years and be made to pay a fine. This provision applies irrespective of the consent of private persons such as the account-holder.

It has long been held that the attempt of an American court to serve a summons on a Swissman might pass as a "prohibited act for the benefit of a foreign state" under article 271. If such a procedural act involves at least an implicit threat of coercive sanction for non-compliance, it will fall under article 271 and in principle only Swiss authorities may carry out such acts on Swiss soil under the applicable MLAT unless the Swiss government grant special permission for the act in question. No US subpoena is issued without a threat of at least a fine (which qualifies as coercive) for non-compliance. Whether this provision is of any use against the disclosure in Dubai of information about local relationships “booked to Switzerland” is unknown. (See the Swiss-American Chamber of Commerce website.)

What didn't happen next

The problem with an administrative hold-up in the provision of information to a waiting regulator is that the regulator often takes the failing to be deliberate. This was evidently the case when Deutsche Bank argued for and received a three-week extension for compliance with the notice. At the end of that period, complete with more wonky grammar, it presented some material but with the proviso that it was “only in so far as the Global South Asia team with DIFC-based, where the booking location is Singapore.”

Other material regarding Geneva (95% of it fell into this category), London, Frankfurt and Luxembourg clients, was missing. The bank wrote of its angst in the face of Article 271 and said that it would take a little time to investigate the ramifications of that law, although this did not explain its reticence about those European clients who lived outside Switzerland. It also wanted another week to look for “any potentially relevant information already on our premises.” It dwelt, moreover, on the fact that there was more than one regional team in the private wealth management department – a detail of no obvious moment whatever.

Then it wanted another couple of days. Then it issued a barefaced declaration that the only information it could hand over in relation to each remaining customer was (i) the name of each 'referrer' or 'coverage person' who operated in Dubai and had dealings with the client; (ii) the name of the client (a very un-Swiss thing to offer); and (iii) whether there was a 'client agreement'. It was prepared to divulge nothing about Munir Kaloti, not even saying that his details – obviously obtained locally – were not on the premises. Instead, it said that they were “not capable of production.” Nervous, wonky grammar had struck again. This was – and certainly ought to have been – like a red rag to a bull.

More apparent insolence followed. The bank stated in an email that “redacting the Swiss portion of documents will not cure a potential violation of SCC Article 271.” Anyone who reads this and thinks that it does not suggest that the information in question was there on the premises is unusual.

Another incriminating email followed. This time, the bank said that it had learnt of “some information requested in the 25 July notice that is available in the DIFC branch pertaining to private wealth management clients” and that it was “unlikely to be subject to Swiss information-sharing restrictions.” The email was incriminating because no such information has emerged from that day to this.

Obviously, the bank cannot blame Swiss law for failing to present this last piece of information. Nor can it do so for failing to present the information about Munir Kaloti; it claimed eventually that his records were “maintained in Geneva” but that could mean anything – its statement did not even go so far as to say that they were 'booked' in Geneva, whatever that in turn might mean. The DFSA, judging from one of its throwaway statements, seems to have 'bought' the idea that the Kaloti dossier could be somehow wrapped up in some kind of Swiss legal issue but this minor victory must be cold comfort to Detusche Bank.

The second lunge

Pressing its grievance, the Dubai FSA issued another notice at the end of August. It sent some 'delegates' – presumably accountants from KPMG or some other large and expensive firm – to pay it a visit and photocopy some documents. At the end it asked for more, although we are not told whether it received them.

At length, on 1 October, it issued another notice, this time asking for the following things that always presage a very serious and potentially criminal investigation, whichever jurisdiction wants them.

• 'GMIS' (which might stand for global management information systems, but then again might not) reports for each year since the dawn of the private banking service in Dubai, enumerating the revenue it generated, the total number of clients and the names of all the advisers assigned to them.
• Copies of all the minutes of the Dubai branch's executive committee meetings. All 'records of communications' (i.e. emails, which are crucial to every fraud trial) regarding all discussions to implement and approve the new PWM procedures are to be included.
• Copies of the minutes of all monthly team meetings attended by relationship managers.
• Confirmations – presumably signed attestations – of the numbers of all clients administered under the old (pre-investigation) system and the new (after April when the DFSA forced the system to change).
• A copy of the 'update document' which explains the transfer of clients from the old system to the new and whose existence the bank has already admitted.
• All records of instructions from the branch executive to private wealth relationship managers under the old model – a staggering total.
• Copies of the 'know your customer' check-list documents used by the old model.
• Copies of the KYC assessment templates used by the old model.
• A 'brochure' document – also missing – whose existence has piqued the regulator's interest.
• Copies of the email and call report samples for the private wealth management division that the DFSA asked for or saw once during the inspection.

The second parry

Now came the most unexpected rejoinder of all. The mysterious 'GMIS' reports, whose provenance was never explained in the DFSA claim-sheet, are held in Geneva. On 9 October Deutsche Bank used that fact to claim that article 271 “may therefore be relevant.” The reply was full of the usual holes. The bank did not even state baldly that it had checked the legal situation and could not present the information, merely that its ability to present it “in the requested format” could be inhibited, with no hint as to whether it might try to present it in another format – on paper or microfiche, for example. At no stage did Deutsche Bank ever produce a shred of legal argument that Article 271 did, in fact, apply to anything of consequence in the whole case – not even to a single file or email.

The 'clincher' for sceptics about Deutsche Bank's stance, however, is the recrudescence of its famous wonky grammar. One of its people wrote to the DFSA, not to state categorically that the information that it wanted was not on the premises (something that it might have been expected to know after months of searching) but merely to aver that “to the best of my knowledge and belief...the data requested (in the specific format...) does not exist within Deutsche Bank DIFC and is therefore not capable of production.” Any person who writes that something is “not capable of production” has literally been scared witless.

More fun followed. There was another plea to the effect that administrative delays were to blame, this time in relation to information about the DIFC's favourite jeweller. This, funnily enough, seems to have caused the DIFC a great deal of embarrassment. Not only did it shy away from the issue with a half-admission, totally in the face of the evidence, that Munir Kaloti's information might just be subject to the Swiss law of secrecy; it also felt constrained to issue a mysterious message on its website a few days ago.

This read: “DFSA Clarifies DIFC Courts Action. The announcement [of the court claim] stated that the DFSA had brought the proceedings for the purpose of enforcing compliance with two investigative notices. The DFSA confirms that neither Mr Munir Kaloti nor the Kaloti Group of companies are or were the subjects of the DFSA’s investigation.” Not a jot of further explanation follows. One wonders why a respectable regulator might want to behave like that.