On June 17, the United Kingdom Financial Conduct Authority (FCA) announced that it fined Commerzbank AG (London Branch) £37,805,400 for failing to put adequate anti-money laundering (AML) systems and controls in place over a five-year period between October 2012 and September 2017.
The FCA stated that its investigation identified “failings in a number of areas.” Those areas included three categories of failures by Commerzbank London:
- Failure to conduct “timely periodic due diligence on its clients.” This failure, according to the FCA, “resulted in a significant number of existing clients not being subject to timely know-your-client checks.” For example, by March 1, 2017, “1,772 clients were overdue updated due diligence checks. A material number of these clients were able to continue to transact with the bank’s London branch due to the implementation of an exceptions process.” That process “was not adequately controlled or overseen and which became ‘out of control’ by the end of 2016.
- The FCA’s Final Notice in the case made clear that the backlog occurred, in part, because the bank’s first and second lines of defense tasked with carrying out key AML controls were understaffed throughout the period under review. For example, in mid-2016, the bank’s Financial Crime Team in Compliance consisted of just 3 full-time employees; in mid-2018, after the bank acknowledged the need for a dramatic increase in the team’s staff, it increased the staffing to 42 full-time employees.
- Failure to address “long-standing weaknesses in its automated tool for monitoring money laundering risk on transactions for clients.” For example, in 2015 the bank found that 40 high-risk countries were missing, and 1,110 high-risk clients had not been added, to its transaction monitoring tool. The Final Notice further stated that that tool “was not fit for purpose, and did not have access to key information from certain of Commerzbank’s transaction systems.”
- Failure to have “adequate policies and procedures in place when undertaking customer due diligence on clients.”
As a result of these failures, the FCA determined that Commerzbank “breached Principle 3 of the FCA’s Principles for Businesses, which requires firms to have adequate risk management systems in place.”
The FCA made specific reference to the fact that Commerzbank London “was aware of these weaknesses and failed to take reasonable and effective steps to fix them despite the FCA raising specific concerns about them in 2012, 2015 and 2017.” It also observed that these weaknesses
persisted during a period when the FCA was publishing guidance on steps firms could take to reduce financial crime risk as well as taking enforcement action against a number of firms in relation to AML controls. Despite these clear warnings, the failures continued.
At the same time, the FCA credited the bank with three actions responsive to those failures:
- Undertaking “a significant remediation exercise to bring its AML controls into compliance.” The FCA noted that a “Skilled Person” — i.e., a third party whom the FCA may engage, under the Financial Services and Markets Act (as amended), to provide views on aspects of a regulated firm’s activities if the FCA is concerned or wants further analysis — had completed work on testing the effectiveness of those enhancements.
- Conducting “an extensive look-back exercise to identify suspicious transactions during the period in question.
- Voluntarily implementing “a wide-ranging business restriction, which included temporarily stopping taking on new high-risk customers and suspending all new trade finance business activities.”
The FCA stated that because the bank agreed to resolve the matter at an early stage of the investigation, it qualified for the standard 30 percent discount; without that discount, the financial penalty would have been £54,007,800.
Note: AML compliance officers should read not only the FCA release, but the detailed 50-page Final Notice, to get a full sense of the reasons for and dimensions of the bank’s AML failures. They also should brief senior management in their firms about the highlights of the FCA’s action, and use the case as an opportunity for benchmarking their firm’s AML programs against the AML failures and determining where their internal training might usefully be revised.
In this case, Commerzbank London was fortunate in that the FCA acknowledged that there was no evidence that the bank’s failings had occasioned or facilitated financial crime. Any financial firm that allows similar long-term AML program failures to occur, however, cannot assume that it will be so lucky.