On September 17, the Swiss Financial Market Supervisory Authority (FINMA) announced that it had concluded two enforcement procedures against Credit Suisse AG for deficiencies in its anti-money laundering (AML) procedures. The first enforcement procedure stemmed from FINMA’s investigations since 2015 into several banks with regard to suspected corruption involving the Fédération Internationale de Football Association (FIFA), the Brazilian energy company Petrobras, and the Venezuelan state-owned oil and natural gas company Petróleos de Venezuela, S.A. (PDVSA). FINMA then commissioned an investigation “to establish the relevant facts at Credit Suisse” for the 2006-2016 period, and launched an integrated enforcement procedure due to the commonalities between the three cases.
Through this enforcement procedure, FINMA determined that Credit Suisse “had infringed its anti-money laundering supervisory obligations in all three instances.” It found five types of “shortcomings” that occurred repeatedly over a number of years (mostly before 2014): (1) Identifying the client; (2) determining the beneficial owner; (3) categorizing a business relationship as posing an increased risk; (4) performing the necessary clarifications upon increased risk plus associated plausibility checks; and (5) documentation.
Each of these shortcomings ties back to the importance of comprehensive access to and review of client data. FINMA stated that “[t]o combat money laundering effectively, every relevant department within the bank must be able to see all the client’s relationships with the bank instantly and automatically.” While it credited Credit Suisse with making progress in implementing such a “single client view,” it found that “this overview is still to be extended outside the Compliance unit. This results in organisational weaknesses in addition to the contraventions of anti-money laundering provisions.”
The second enforcement procedure focused on the management of a what FINMA described as “a significant business relationship for the bank with a politically exposed person (PEP)” who was a client relationship manager. This investigation led to FINMA’s identification of shortcomings in compliance with AML due diligence obligations.
FINMA was specifically critical of Credit Suisse on this point:
The bank was too slow to identify and treat the PEP client as posing increased risks. Moreover, the due diligence and corresponding documentation relating to the business relationship were incomplete. The bank failed to meet its heightened due diligence obligations regarding investigation, plausibility checks and documentation regarding the client and certain related high-risk transactions.
FINMA also stated that this case also revealed weaknesses in Credit Suisse’s organization and risk management. Notwithstanding the fact that the manager in question “was very successful in terms of assets under management,” it said that he “breached the bank’s compliance regulations repeatedly and on record over a number of years. However, instead of disciplining the client manager promptly and proportionately, the bank rewarded him with high payments and positive employee assessments. The supervision of the relationship manager was inadequate due to this special status.” FINMA established that Credit Suisse “had failed to adequately record, contain and monitor the risks arising over a number of years from the PEP business relationship and the responsible (and since criminally convicted) client relationship manager.” As a result, it “identified both organisational deficiencies (in terms of allocation of responsibilities, supervision and control) and a lack of effective corrective intervention,” and concluded that the bank’s risk management “was not appropriate in this instance.”
FINMA next addressed the issue of measures that it would require to strengthen Credit Suisse’s AML compliance. It gave credit to the bank for taking certain measures since 2015 and for cooperating with FINMA. Even so, it required the bank to take two sets of additional measures “designed to further improve the bank’s governance, organisation and risk management in the wealth management business.” First, with regard to the shortcomings identified in the second procedure, it directed Credit Suisse to “remediate the relevant control systems and processes, and so prove that higher-risk business relationships and transactions are adequately detected, categorised, monitored and documented.” Second, with regard to the shortcomings in the first procedure, it stipulated that the bank “must have implemented the ‘single client view’ for all relationships and for all relevant functions by the end of 2019.” Finally, it stated that it would appoint an independent third party to review the implementation of the specified measures, including the measures initiated since 2015, [and] their adequacy and effectiveness.”
Note: These actions by FINMA represent the second significant enforcement reproof of Credit Suisse’s financial-crimes compliance program this year. Just over two months ago, a Hong Kong-based subsidiary of the bank entered into a resolution with the U.S. Department of Justice and the Securities and Exchange Commission for its role in a corrupt scheme between 2007 and 2013 to win banking business by providing employment to friends and family of Chinese officials. That resolution included a criminal penalty and disgorgement and prejudgment interest totaling more than $77 million. In addition, in January 2017, Credit Suisse reached a separate civil resolution with the Justice Department requiring it to pay a total of $5.28 billion related to its conduct in the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities between 2005 and 2007. The combination of these enforcement resolutions over a 19-month span is likely to heighten the scope and intensity of regulatory scrutiny of Credit Suisse’s compliance program in multiple jurisdictions.
The breadth of the FINMA findings and compliance improvements also provides compliance officers at other global financial institutions with a template against which they can compare their own AML programs and test for potential deficiencies. Given the level of maturity of AML regulation at the national and international levels, no leading financial institution can afford to operate a compliance program with significant flaws in customer identification, beneficial-ownership due diligence, AML risk assessment, or customer and transaction documentation, let alone in all of those areas. Nor can they afford to turn a blind eye to criminal or civil violations by any executive or manager just because he is a “top producer.” Law enforcement and regulatory agencies will continue to regard consistent enforcement of a corporate AML program, as with other financial-crimes enforcement programs, as essential to demonstrating the program’s success and effectiveness.