Key Lessons Learned as UK’s AML Regulator Shows its Teeth

Only four months after the the United Kingdom’s Office of Financial Sanctions Implementation (OFSI) issued a £20.47 million penalty against Standard Chartered Bank (SCB) for alleged violations of the U.K.’s Ukraine- and Russia-related sanctions (see our alert here), another bank is in the news for regulatory breaches. This time it is the London arm of Commerzbank AG (Commerzbank), which was hit by the United Kingdom’s Financial Conduct Authority (FCA) on 17 June with a fine of £37.8 million ($47.4 million) for failures in its anti-money laundering controls.

The FCA is the UK’s conduct regulator for financial services firms. Financial institutions operating in the UK are required to take steps to minimise their risk of being used to facilitate money laundering or terrorist financing. These include taking reasonable care to establish and maintain an effective, risk-based anti-money laundering (AML) control framework, and to comply with applicable Money Laundering regulations. 

Commerzbank is a large international, commercial bank headquartered in Frankfurt, Germany, which operates in the UK through its branch, Commerzbank London. Commerzbank London acted as a hub for sales, trading and the due diligence process for a significant number of the bank’s global customers, and was required to have in place AML policies and procedures, comprehensive and proportionate to these activities, to enable it to identify, assess, monitor and manage money laundering risk. During the period from October 2012 to September 2017, the FCA identified a number of alleged shortcomings in Commerzbank London’s financial crime controls. These included alleged failures to:

• Conduct timely periodic due diligence on its clients, which resulted in a significant number of existing clients not being subject to timely know-your-client (KYC) checks. By 1 March 2017, 1,772 clients were overdue for updated due diligence checks. A material number of these clients were able to continue to transact with the bank’s London branch due to the implementation of an exceptions process, which was not adequately controlled or overseen and which became “out of control” by the end of 2016;
• Address long-standing weaknesses in its automated tool for monitoring money laundering risk on transactions for clients. For example, in 2015 Commerzbank London identified that 40 high-risk countries were missing from, and 1,110 high-risk clients had not been added to, the bank’s transaction monitoring tool; and,
• Have adequate policies and procedures in place when undertaking customer due diligence (CDD) on clients.

The FCA therefore found Commerzbank London to have breached Principle 3 of its Principles for Businesses, which requires firms to have adequate risk management systems in place. The FCA stated that these failings created “a significant risk that financial and other crime might be undetected.”

The FCA found that the failings were particularly serious because they persisted following visits by the FCA to Commerzbank London in 2012, 2015 and 2017, in which the agency specifically pointed out these weaknesses. Further, they occurred against a backdrop of heightened awareness within Commerzbank of weaknesses in its global financial crime controls following action taken against the bank by US regulators in 2015.

Commerzbank London benefited from a 30% discount on the original penalty of £54,007,800 because it agreed to resolve the matter at an early stage. It also undertook a significant remediation exercise to address the shortcomings in its AML control framework and increased the number of employees in the Financial Crime Team in Compliance from what had been just three full-time employees in London to 42.

This penalty is the second-largest to be imposed by the FCA following the penalty it imposed on Standard Chartered Bank last year of £102 million over breaches of AML regulations.

Practical Considerations

The FCA notice provides useful reminders for financial institutions about what they are required to do in order to manage their AML risks. These include:

1. Ensuring that they have appropriate, risk-based procedures for applying CDD measures when establishing a business relationship or carrying out a transaction for a customer;
2. Applying CDD at other appropriate times to existing customers on a risk basis;
3. Applying scrutiny to transactions undertaken throughout the course of their relationship with a customer;
4. Keeping documents, data or information obtained for the purposes of applying CDD measures up-to-date;
5. Applying, on a risk basis, enhanced customer due diligence measures (EDD) and enhanced ongoing monitoring in any situation which by its nature presents a higher risk of money laundering or terrorist financing; and
6. Establishing and maintaining appropriate and risk-based policies and procedures relating to the above.

It will also be important for financial institutions to ensure that, if they are given warnings by the regulator about weaknesses in their AML control frameworks, they take immediate remediative action. This may include pausing new customer onboarding until such time as appropriate CDD checks can be completed; ensuring that customers’ CDD information is updated on a periodic basis according to each customer’s risk profile, and increasing the headcount of financial crime control staff and/or engaging third-party vendors to ensure that KYC and other customer diligence can be carried out timely.

Based on recent enforcement actions, regulators in the UK are beginning to police and enforce financial crime regulations more stringently and successfully. This is in line with the recent, more aggressive approach to AML enforcement taken by other EU regulators in recent years such as those in Denmark and Sweden. With the departure of the UK from the EU and following the end of the transition period on 31 December 2020, how the UK proceeds in relation to implementation of any further EU AML legislation will depend on what, if any, withdrawal agreement applies. If there is “no deal”, the UK will have to decide whether to remain aligned with the EU or not. Whatever the position on new legislation, it seems doubtful that the UK will weaken its enforcement approach.