The FCA last week fined Commerzbank AG (London Branch) £37,805,400 for its failure to put adequate anti-money laundering (AML) systems and controls in place for the period dating October 2012 to September 2017.
This is one of several substantial fines recently issued by the FCA which, along with a recent move by the FCA towards criminal prosecutions in this space, is illustrative of a hardening in the regulator’s approach to AML-control related breaches.
Commerzbank London was found to have breached Principle 3 of the FCA’s Principles for Business, by failing to have adequate risk management systems in place. The weaknesses identified were deemed to present an unacceptable risk that Commerzbank London would be used to further financial crime.
The FCA raised specific concerns with Commerzbank London about weaknesses in their systems on 3 separate occasions in 2012, 2015 and 2017, yet Commerzbank London was found to have failed to take reasonable and effective steps to address the issues.
In its Final Notice, published 17 June, the FCA set out the reasons for its findings, which can be summarised as follows:
- Discrepancies in due diligence undertaken on intermediaries (i.e. introducers and distributors) arose as a result of shortcomings in the applicable financial crime controls. This was despite identifying in 2012 that due diligence was not being conducted on all intermediaries;
- Inadequacies in the way Commerzbank London sometimes identified and considered risks associated with PEPs were identified;
- Whilst Commerzbank London had a policy of verifying clients’ beneficial ownership from a reliable and independent source, it was found that this was not always adhered to by all areas of the business;
- The business lacked a clear documented process for terminating a relationship with an existing client deemed to be a financial crime risk. Consequently, some clients’ accounts remained open for many months after a decision was made to off-board them;
- There was a lack of clarity concerning responsibilities impacting on various client-facing and compliance functions, as risk and issue owners were not articulated clearly;
- Understaffing throughout the relevant period of the first and second-line teams responsible for carrying out AML controls meant KYC reviews were not completed in a timely manner, leaving a significant backlog;
- Compliance had no set procedures for approving, recording or monitoring extensions for clients’ overdue KYC refresh and lacked an adequate understanding of the exceptions process. This meant clients with potentially out of date CDD were still able to transact with the bank; and
- Commerzbank London’s Primary Transaction Monitoring Tool was deemed not fit for purpose as it could not access necessary information from some key systems, meaning identification of suspicious transactions could be missed.
In addition, the FCA criticized Commerzbank London for failing to heed guidance that was published during the relevant period advising on steps to be taken to reduce financial crime risks and contemporary enforcement action against other firms for similar control failures.
The FCA explained that Commerzbank London had undertaken significant remediation measures and conducted a past review to identify suspicious transactions in the relevant period. It therefore qualified for a 30% discount - without this discount its fine would have been over £54 million.
Other recent FCA enforcement
Commerzbank London is one of several banks subject to recent high-level fines by the FCA for AML failings. Others include:
- Standard Chartered Bank was fined £102.2 million in 2019 for poor AML controls;
- Deutsche Bank was fined £163 million in 2017 for AML controls failings, the largest ever fine imposed by the FCA for AML failings;
Lessons to be learned
The FCA expects financial institutions to maintain an effective risk-based AML control framework to minimise the risk of being used by criminals for money-laundering or financing terrorism.
Lessons to be learned from the Commerzbank London case include:
- Ensuring your policies and procedures for due diligence are not only kept up to date, but are understood and adhered to. Where possible, these should be built in to on-boarding processes;
- Where internal or external audits reveal shortcomings, these must be addressed as a matter of priority;
- Systems and controls should be put in place to ensure policies and processes are being adhered to uniformly across all areas of your business;
- Adequate processes should be in place for dealing with existing clients identified as a financial crime risks, so relationships can be terminated effectively and swiftly;
- Clearly articulated responsibilities for AML control processes should be in place and these should be understood by your relevant teams;
- KYC reviews must be completed in a timely manner, with any resourcing issues being addressed promptly if they could cause delays;
- Effective systems should be put in place to prevent clients with inadequate CDD from continuing to transact with your firm;
- IT systems must be fit for purpose; and
- FCA guidance and enforcement action must be considered when assessing your own systems and controls.
With a marked increase in enforcement action taken by the FCA, it is more important than ever that you are confident that you can defensibly evidence that you are meeting your AML control obligations.
TLT provides an end to end financial crime solution which ensures your financial crime systems and controls meet the relevant regulatory requirements.
Should you wish to discuss this further please do not hesitate to contact Michael Ruck or Noline Matemera.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions