On 17 June 2020, the UK Financial Conduct Authority ("FCA") issued a final notice with a penalty of £37,805,400 against Commerzbank AG ("Commerzbank London") for failings in its Anti-Money Laundering ("AML") program from 23 October 2012 to 29 September 2017.
Hit at the core - Commerzbank London is the door to the firm’s client facing business as it acts as a hub for sales and trading for a number of Commerzbank’s global customers and is responsible for their Know Your Customer ("KYC") and onboarding review.
Inadequate AML program
Whilst the full 50-page final notice can be read by clicking here, we have pulled together a high-level summary of the inadequacies of Commerzbank London's AML program and detailed them below.
The main issues were a lack of (a) clarity or no visibility of various internal function’s roles and responsibilities; (b) resources within the first and second-line teams responsible for fulfilling the KYC reviews was understaffed (meaning not enough time to complete reviews prior to starting business trading activities) and; (c) internal communication and engagement on dialogue with regulators. Despite the fact that issues were identified by the FCA and the New York Department of Financial Services for the first time 8 years ago, in 2012 and then in 2015, 2017 and 2018, Commerzbank London did not address them quickly or across its entities and jurisdictions.
2. Policies and Procedures The key problems were inadequate or non-existent policies and procedures (and when they were in place, they were not fully implemented such as on beneficial ownership) and the process for approving, recording or monitoring extensions for clients’ overdue KYC refresh. Whilst there is no evidence that shows that Commerzbank London facilitated financial crime, there was still a high-risk that it could have occurred because the organisation did not even have documented processes for what it would do in this instance and how it would terminate relationships with such clients.
3. KYC and Customer Due Diligence ("CDD") There were serious concerns that KYC was not adequately completed and that there was a significant backlog of existing clients for whom KYC had either not been completed at all or refreshed. There were specifically discrepancies in the due diligence undertaken on intermediaries (i.e. introducers and distributors) and the way in which Commerzbank London identified and considered the risks with Politically Exposed Persons ("PEPs") was also inadequate.
It was identified that in 46% of the CDD files reviewed, Commerzbank London had failed to identify and verify the beneficial owners. The FCA outlined one specific example in which it stated that Commerzbank London failed to apply enhanced CDD to an introducer despite the fact that the majority shareholder of the introducer was identified as a PEP and the minority shareholder was the subject to an adverse media search.
4. Monitoring The Primary Transaction Monitoring Tool (“Tool”) that Commerzbank London used was deemed not fit for purpose as it relied on inaccurate information and therefore created a high volume of false alerts (meaning that staff couldn’t identify scenarios in which they needed to investigate further). There were 40 high risk countries that were not even included in the Tool. Whilst it was identified by the Compliance function that the Tool needed more accurate information, it did not have the sufficient resource to enhance or maintain the Tool.
What can be learned from the Commerzbank London final notice?
There are several material lessons that can be learned from the Commerzbank London final notice:
Governance frameworks must be documented and put in place with roles and responsibilities clearly articulated and understood across an organisation. Any resourcing issues must be addressed at the earliest opportunity (and not when issues have been identified by auditors or regulators). Incurring costs on additional personnel for first, second- and third-line defence is far better than paying a financial penalty and having to deal with the reputational damage that can arise.
Policies and procedures, especially those on KYC and CDD, should be kept up to date and implemented across the entire business. There should be regular training for all staff as well as targeted training for client-facing personnel. Communications on the topic of AML should be common so that staff across the business are aware of their roles, responsibilities and the risks for non-compliance.
Effective systems for the onboarding and monitoring of clients need to be in place. Clients should not be able to continue to transact if they have not provided the required KYC information (unless an exception within a clear exception policy applies).
If internal or external audit identify any shortcomings, these must be addressed as quickly as possible. If regulators identify issue during thematic reviews or consultations, these should be rectified as a matter of urgency.
Organisations should consider their entire operations globally and not certain entities in silo. Regulatory action against one entity, for example, should trigger off a review of all entities. All relevant regulatory guidance and enforcement action should be reviewed and considered.
Aria Grace Law
Our team of banking and financial crime lawyers including Puja Modha have a wealth of experience in advising in the financial services and organisations in the fintech space. Prior to joining Aria Grace Law, they have both worked within American, Asian and European financial institutions and have covered multiple jurisdictions and interfaced with regulators. Today, they support organisations of all sizes in respect of their commercial, banking and compliance matters. If you would like to get in touch with them or find out more about how Aria Grace Law can help you, please contact us on firstname.lastname@example.org.
Regulatory Update by Puja Modha - Partner at Aria Grace Law 26.06.2020