The Financial Conduct Authority (FCA) has fined Deutsche Bank (DB) £163 million, the largest fine it has imposed for AML failings. It found the bank failed to maintain an adequate AML framework from the beginning of 2012 to the end of 2015, the result of which was that unidentified customers used the bank to transfer around $10 million of funds of unknown origin from Russia to offshore bank accounts.
DB had an AML model which meant that new customers could be onboarded with DB in the UK by other offices of the bank without the involvement of London front office personnel. Thereafter, the relationship was managed by (in this case) Moscow, with no meaningful ongoing monitoring of the customer relationship by the bank generally.
DB had started an investigation into mirror trades involving its Moscow subsidiary, and notified FCA in early 2015 of concerns it had identified in its AML control network. The bank's London operation was responsible for oversight of the Moscow AML compliance function. The investigation found that Russian customers had been buying highly liquid Russian securities in roubles from Deutsche Bank. At the same time, a non-Russian customer, onboarded by the Moscow operation, had sold the same securities to the bank in exchange for US dollars. The Moscow front office had been able to execute the London side of the trades through a remote booking process the bank used. Deutsche Bank's poor control framework, and the fact it missed several warning signs, meant this practice was not detected for 2.5 years.
FCA found the failings, within DB's corporate banking and securities division, meant the bank did not get sufficient information about its customers to inform the risk assessment process and provide a basis for transaction monitoring. It allowed certain overseas entities in the group to initiate and facilitate the establishment of new customer relationships in the UK without overseeing the process or properly monitoring remotely booked trades. In all, the bank:
- did not ensure its front office took responsibility for the division's KYC obligations: it did ask some questions of the Moscow office but did not follow up when the answers were unclear. A review in 2013 had recognised this, but the London front office was not engaged in the global review programme that followed. As a result of its disengagement, many files had missing information, not least because the UK office had relied on its Indian KYC processing team to carry out the CDD without appreciating that there was insufficient review of information
- used flawed customer and country risk rating methodologies: FCA found the methodology used was informal and opaque, and did not designate Russia as a high-risk country. On customer ratings, the methodology used failed to take account of key factors, including lack of face-to-face contact. As a result, none of the mirror trading customers were considered to be high-risk. FCA noted that, even if they had been properly categorised, the AML team was unlikely to have had the resource to review the numbers of high-risk customers properly
- had deficient AML policies and procedures: another bank had raised queries with DB about a mirror trading customer. The queries had gone unanswered and after a couple of reminders were raised with a different group regional office. Eventually, the query was responded to by the Moscow office, which said proper AML procedures had been followed and there was no reason for suspicion. On a separate occasion, the Moscow office itself raised concerns, which were not properly escalated or addressed within the AML team. Finally, the bank started a proper investigation after a further report from the Moscow office. FCA noted the policies were not prescriptive enough at the more detailed level and, in particular, provided no guidance on how to evidence or establish the legitimacy of a customer's source of wealth or funds. Neither did they require gathering of information on expected account activity. FCA further found the policies around identifying all ultimate beneficial owners were inadequate and that DB did not ensure CDD was carried out on underlying clients when customers were intermediaries
- had an inadequate AML IT infrastructure: in particular there was no single repository for KYC information and there was no reconciliation between the trading and customer onboarding systems. This meant the bank could not monitor customer trading activity and made it hard to retrieve information. It also had no detailed policies and procedures for transaction and payment monitoring and oversight
- did not have automated AML systems for detecting suspicious trades
- did not adequately oversee trades booked in the UK by traders in overseas jurisdictions.
FCA found the bank's Moscow based subsidiary had executed more than 2,400 mirror trades over a 2.5 year period, which transferred more than $6 billion from Russia to various overseas bank accounts through Deutsche Bank in the UK. The purpose of the mirror trades was to convert roubles to dollars and transfer them out of Russia. FCA also found evidence of a large amount of suspicious one-sided trades.
Deutsche Bank management had often been made aware of staff shortages in the UK AML team, and the ongoing problems in resourcing which led to relevant staff having less time to oversee and supervise, and less time for training and professional development. The Moscow branch had also raised concerns about its staffing and processes.
FCA stressed the fine could have been significantly more, were it not for early settlement and DB's co-operation. However, this may not be the end of the matter - FCA has noted the nature of the findings may mean that other regulators or enforcement agencies undertake an investigation.
Lessons from the fine
DB's failings reinforce how multi-national businesses must ensure their policies and procedures are properly joined up. On a more granular level, it shows that:
- units that are responsible for AML compliance must clearly understand their responsibilities
- a model that allows one office in one jurisdiction to onboard customers for another is, of necessity, high-risk
- institutions must ensure their detailed policies properly address all elements of KYC, not only to apply the right level of due diligence but to understand the greater picture, especially around beneficial owners, source of funds and expected business patterns
- there must be clear and allocated responsibilities for monitoring and flagging of issues. In particular, where concerns or queries are raised, they must be properly followed through
- IT systems must ensure that the whole picture on customers and transactions is available
- resource is key, and internal cries for help must not be ignored
- systemic AML failings are not necessarily due to one person or one small group. But it is critical to impose appropriate responsibility so it is clear who should be ensuring compliance.