Final Notice
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby imposes on
Commerzbank AG, London Branch (“Commerzbank London”) a financial penalty
of £37,805,400 pursuant to section 206 of the Act.
1.2.
Commerzbank London agreed to resolve this matter and qualified for a 30%
(stage 1) discount under the Authority’s executive settlement procedures. Were
it not for this discount, the Authority would have imposed a financial penalty of
£54,007,800 on Commerzbank London.
2.
SUMMARY OF REASONS
2.1.
The Authority has the operational objective of protecting and enhancing the
integrity of the UK financial system. The laundering of money through UK financial
institutions undermines the integrity of the UK financial system. Financial
institutions operating in the UK are therefore responsible for minimising their risk
of being used for criminal purposes, including the risk of being used to facilitate
money laundering or terrorist financing.
2.2.
To mitigate this risk, UK firms must take reasonable care to organise and control
their affairs responsibly and effectively and to establish and maintain an effective
risk-based anti-money laundering (“AML”) control framework, and also must
comply with the applicable Money Laundering Regulations. The obligations on a
firm under the Money Laundering Regulations 2007 (the “ML Regulations”)
2.2.1.
ensuring that it has appropriate risk-based procedures for applying
customer due diligence measures (“CDD”) when establishing a business
relationship or carrying out a transaction for a customer;
2.2.2.
applying CDD at other appropriate times to existing customers on a risk-
sensitive basis;
2.2.3.
applying scrutiny to transactions undertaken throughout the course of
their relationship with a customer;
2.2.4.
keeping documents, data or information obtained for the purposes of
applying CDD measures up-to-date;
2.2.5.
applying, on a risk-sensitive basis, enhanced customer due diligence
measures (“EDD”) and enhanced ongoing monitoring in any situation
which by its nature may have presented a higher risk of money laundering
or terrorist financing; and
2.2.6.
establishing and maintaining appropriate and risk-sensitive policies and
procedures relating to the above.
2.3.
Commerzbank AG (“Commerzbank”) is a large international commercial bank,
headquartered in Frankfurt, which operates in the UK through its branch,
Commerzbank London. Many of Commerzbank’s global customers use products
and transaction platforms managed through Commerzbank London, which also
acted as a hub for sales, trading and the due diligence process for a significant
number of global customers.
2.4.
Commerzbank London was required, pursuant to the Authority’s Principles for
Businesses (the “Principles”), to take reasonable care to organise its affairs
responsibly and effectively, with adequate risk management systems.
Commerzbank London was also required to have policies and procedures in place,
comprehensive and proportionate to its business activities, to enable it to identify,
assess, monitor and manage money laundering risk.
2.5.
Between 23 October 2012 and 29 September 2017 (“the Relevant Period”), it
failed to meet these requirements and, in doing so, breached Principle 3. In
particular:
2.5.1.
There were shortcomings in Commerzbank London’s financial crime
controls applicable to intermediaries (i.e. introducers and distributors);
2.5.2.
The Skilled Person identified instances where the way that Commerzbank
London identified and considered the risks associated with politically
exposed persons (“PEPs”) was inadequate;
2.5.3.
Certain business areas did not always adhere to Commerzbank London’s
policy of verifying the beneficial ownership of clients, including high-risk
clients, from a reliable and independent source;
2.5.4.
There was no comprehensive documented process or criteria for
terminating a relationship with an existing client for financial crime risk;
2.5.5.
A significant backlog of existing clients being subject to timely refreshed
know-your-client (“KYC”) checks developed during the Relevant Period,
in part because Commerzbank London’s first and second lines of defence
tasked with carrying out key AML controls were, throughout the Relevant
Period, understaffed. For example, in mid-2016, the Financial Crime
Team in Compliance consisted of just 3 full-time employees, when in mid-
2018, following an acknowledgement by Commerzbank London of the
need to dramatically increase staff in this area, this was increased to 42
full-time employees. In October 2016, 1,720 new clients were in a “huge
backlog” waiting to be onboarded and, by February 2017, 2,226 existing
clients were overdue refreshed KYC checks. Whilst steps were taken to
reduce the backlog during the Relevant Period, these measures were
taken too late, and effected too slowly;
2.5.6.
Risk and issue owners were not clearly articulated or understood by
Commerzbank London’s committees. This led to a “lack of clarity around
responsibilities”, which impacted the Front Office, CLM and Compliance;
2.5.7.
An exceptions process put in place from May 2016 to permit existing
clients to continue to transact with Commerzbank London despite not
having been subject to timely periodic KYC checks, became, as at the end
of 2016, out of control, with both senior branch management and
Compliance lacking understanding and adequate awareness of the
process. In one example, a high-risk client, who was nearly 5 years
overdue KYC refresh, entered into 16 transactions with Commerzbank
London whilst overdue KYC refresh, with Commerzbank London
generating net revenue of £273,799 from these transactions; and
2.5.8.
Commerzbank London’s automated tool for monitoring money laundering
risk on transactions for clients was not fit for purpose, and did not have
access to key information from certain of Commerzbank’s transaction
systems.
2.6.
As a consequence of these inadequacies in its AML control framework,
Commerzbank London was unable to adequately identify, assess, monitor or
manage its money laundering risk. It therefore had not established, implemented
or maintained adequate policies and procedures to ensure its compliance with its
obligation to counter the risk that the firm might be used to further financial crime.
2.7.
Commerzbank London’s failings are particularly serious because they occurred
following visits by the Authority to Commerzbank London in 2012, 2015 and 2017
to discuss issues relating to its AML control framework, during which the Authority
identified weaknesses that Commerzbank London was to address. They also
occurred against a background of heightened awareness within Commerzbank of
weaknesses in its global financial crime controls following action taken by US
regulators in 2015, although the AML failings identified by US regulators did not
involve Commerzbank London. The Authority notes that there is no evidence of
financial crime having been occasioned or facilitated by Commerzbank London’s
failings.
2.8.
In March 2017, due to the concerns raised by the Authority in respect of its
financial crime control framework, Commerzbank London initiated a large-scale
remediation project relating to its financial crime controls (the “London
Remediation Programme”), and on 22 May 2017 Commerzbank London was
issued a requirement by the Authority to appoint a Skilled Person under section
166 of the Act.
2.9.
Commerzbank London has worked with the Skilled Person to improve its financial
crime controls and, from 28 September 2017, implemented wide-ranging business
restrictions (the “Business Restrictions”), which included temporarily ceasing
onboarding new high-risk customers, ceasing new business with existing high-risk
customers in respect of which a material change review or periodic review was
overdue and suspending all new trade finance business activities. A voluntary
undertaking to maintain the Business Restrictions was entered into with the
Authority on 20 December 2017 (the “Undertaking”).
2.10.
The London Remediation Programme is now complete. The Business Restrictions
remain in place, albeit that Commerzbank London has requested that these be
gradually lifted.
2.11.
The Authority hereby imposes on Commerzbank a financial penalty of
£37,805,400 pursuant to section 206 of the Act.
3.
DEFINITIONS
3.1.
The definitions below are used in this Notice:
The “Act” means the Financial Services and Markets Act 2000;
“AML” means anti-money laundering;
“AOP” has the meaning ascribed to it in paragraph 4.8;
The “Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct
Authority;
The “Business Restrictions” means the business restrictions itemised in
paragraphs 4.128.1 to 4.128.6;
“C&M” means the Corporates & Markets Division of Commerzbank;
“CDD” means customer due diligence measures as defined in Regulation 5 of the
ML Regulations;
“CLM” means the Client Lifecycle Management team at Commerzbank London,
introduced in March 2015, as part of a rebranding of its predecessor team, the
Client Onboarding Services team (“COS”). COS replaced the Client Verification
Team (“CVT”) in November 2012. Each of CLM, COS and CVT performed
substantively the same functions for the purposes of this Notice. References to
CLM in this Notice, other than when expressly stated, are to CLM, COS or CVT
(depending on the date);
“Corporate GIC” means a GIC issued by an MSB-I branch to other business units,
for example C&M, in respect of a corporate client;
“DEPP” means the Authority’s Decision Procedures and Penalties Manual;
“DFS” means the New York State Department of Financial Services;
“EDD” means enhanced customer due diligence measures, applied in
circumstances as set out in Regulation 14 of the ML Regulations;
“EMC” means the Equity Markets & Commodities business division of
Commerzbank;
The “Expiry Exceptions List” has the meaning ascribed to it in paragraph 4.78;
The “FCT” means the Financial Crime Team;
“FI-GIC” means a GIC issued by MSB-FI to financial institution clients;
“GIC” means Group Introduction Certificate. Commerzbank could use a GIC when
introducing a customer of 1 Commerzbank office to another overseas office;
“Handbook” means the Authority’s Handbook of rules and guidance;
“ISIS” has the meaning ascribed to it in paragraph 4.8;
“JMLSG” means the Joint Money Laundering Steering Group. The JMLSG is a body
comprised of the leading UK trade associations in the financial services sector;
“JMLSG Guidance” means the guidance that was applicable during the Relevant
Period issued by the JMLSG, and approved by the Treasury, on compliance with
the legal requirements in the ML Regulations, the regulatory requirements in the
Handbook and evolving practice within the financial services industry. The JMLSG
Guidance sets out good practice for the UK financial services sector on the
prevention of money laundering and combatting of terrorist financing;
“KYC” means know-your-client;
“KYC refresh” has the meaning ascribed to it in paragraph 4.69;
“London Remediation Programme” has the meaning ascribed to it in paragraph
2.8;
“ML Regulations” means the Money Laundering Regulations 2007, which were in
force in respect of conduct from 15 December 2007 to 25 June 2017 inclusive;
“MLRO” means Money Laundering Reporting Officer;
“MSB” means Mittelstandsbank, a business division of Commerzbank;
“MSB-I” means MSB International, a business division of Commerzbank;
“MSB-FI” means MSB Financial Institutions;
“PEP” means a Politically Exposed Person as defined in Regulation 14(5) of the ML
Regulations;
“PBS” means the Private Banking Sales business area of Commerzbank London;
The “Primary Transaction Monitoring Tool” has the meaning ascribed to it in
paragraph 4.98.1;
The “Refresh Backlog” has the meaning ascribed to it in paragraph 4.75;
“Relevant Period” means 23 October 2012 to 29 September 2017;
“SAR” means suspicious activity report;
The “Skilled Person” means the skilled person appointed by Commerzbank London
pursuant to a requirement dated 22 May 2017, imposed by the Authority under
section 166 of the Act;
The “Treasury” means Her Majesty’s Treasury;
The “Tribunal” means the Upper Tribunal (Tax and Chancery Chamber);
The “Undertaking” has the meaning ascribed to it in paragraph 2.9;
The “US Monitor” has the meaning ascribed to it in paragraph 4.124; and
The “2015 CLM KYC Procedure” means the document titled “Corporates & Markets
Client Lifecycle Management: Know your Customer (‘KYC’) procedures” (version
4.
FACTS AND MATTERS
4.1.
Commerzbank AG is a large international commercial bank, headquartered in
Frankfurt, offering a range of financial services for clients. Commerzbank operates
in the UK through a branch, and has done so since 1973. Commerzbank London
offers services to commercial clients, rather than retail customers. Each of
Commerzbank’s business divisions is managed by a member of the Board of
Managing Directors, and all management functions sit within a Group
management structure.
4.2.
Commerzbank London is an international corporate banking branch and many of
the customers of both Frankfurt and other international branches use products
and transaction platforms managed centrally in London. Throughout the Relevant
Period, Commerzbank London acted as a hub for sales and trading for a number
of global customers, and generated an average annual total revenue of
approximately £750 million between 2013 and 2017, out of Commerzbank’s
average annual total revenue between 2013 and 2017 of approximately €12.6
billion. Throughout much of the Relevant Period, Commerzbank London acted as
a hub for the business by providing KYC onboarding and review services for a
number of jurisdictions other than the UK.
4.3.
Firms are required by the ML Regulations and by the Authority’s Rules to establish
and maintain appropriate risk-sensitive policies and procedures to minimise the
risk of them being used by those seeking to launder the proceeds of crime, evade
financial sanctions, or finance terrorism. This includes establishing and
maintaining systems and controls to identify, assess and monitor money
laundering risks as well as conducting CDD, EDD and ongoing monitoring of both
existing business relationships and transactions to manage the risks identified.
4.4.
From the start of the Relevant Period to 31 December 2016, 2 of Commerzbank’s
primary client-facing global units were operational in Commerzbank London: C&M
and MSB. There were several business areas within C&M, including Corporate
Finance, EMC, and Fixed Income & Currencies. MSB included MSB-I and MSB-FI,
offering a range of banking services to Commerzbank’s financial institution clients.
In addition, between March 2013 and the second quarter of 2016, Commerzbank
London also had an International Wealth Management business unit, which
offered wealth management services to private clients. From 1 January 2017,
C&M and MSB were joined to form a single global business unit, known as
“Corporate Clients”. Commerzbank sold its wealth management business in 2015
and agreed to sell the EMC business (which included PBS) in 2018.
4.5.
Within Commerzbank London, the Front Office retained operational responsibility
for the identification and management of compliance risks relating to AML. At the
start of the Relevant Period, the CVT undertook KYC checks on new and existing
clients. In November 2012, the CVT was replaced by the COS team, which
performed substantively the same role, and which formed, along with the Front
Office, the ‘first line of defence’. COS was introduced, in part, to address
governance and control weaknesses deriving from the need to ensure that the
client onboarding process was better aligned to the Compliance function and to
enable head office in Frankfurt “to adapt to regulatory developments”.
4.6.
The COS team was subsequently replaced by the CLM team in March 2015. CLM
undertook largely the same function as the COS team. Unless expressly stated
elsewhere, references in this Notice to “CLM” are to CLM and its predecessor
teams, COS and CVT.
4.7.
CLM was a global function within Commerzbank, and CLM in Commerzbank
London reported into the Chief Administration Office in C&M from the start of the
Relevant Period to March 2016, and then into the office of the Executive for C&M
Client Governance and Performance, which was based in Frankfurt.
4.8.
Commerzbank London stored information on existing and prospective clients on
internal systems, including a workflow tool which was designed to record whether
Commerzbank may do business with a client and manage account creation
requests (known as “AOP”). This information would come from an integrated sales
and information system used by the Front Office (known as “ISIS”). CLM had
access to AOP and would use client information from this system when conducting
due diligence. All new clients subject to due diligence were expected to have
details uploaded to at least one of these systems. Once a client had an “AML-
approved” status on AOP, a request would then be issued to set-up a trading
system account for the client.
4.9.
Throughout the Relevant Period, Commerzbank London’s procedures stated that
no transaction or other business activity was permitted until the due diligence
process had been completed and all necessary approvals obtained.
The Compliance function
4.10.
The Compliance function, which included the FCT, was a key part of Commerzbank
London’s second line of defence, assessing and deciding on customer relationships
considered high-risk from an AML perspective and providing advice to CLM relating
to client files and KYC reviews. Compliance also performed reviews and
investigated transaction alerts arising from Commerzbank’s computer-based
transaction monitoring systems, which monitored transactions carried out on
behalf of existing clients.
4.11.
Throughout the Relevant Period, there were reporting lines from Compliance at
Commerzbank London to Commerzbank London management and the Compliance
function in Frankfurt.
4.12.
Commerzbank’s head office, located in Frankfurt, performed an important role in
relation to Commerzbank London’s approach to financial crime controls. For
example, where Compliance did not support the onboarding of a client for financial
crime reasons it could escalate the matter to head office in Frankfurt to determine,
and senior managers in Frankfurt were centrally involved in decisions relating to
resourcing of the CLM and Compliance function in Commerzbank London.
Due diligence on new clients
4.13.
A firm must carry out CDD on its customers. This requires the firm to:
4.13.1. Identify the customer and verify the customer’s identity on the basis of
documents or other data obtained from a reliable and independent
source;
4.13.2. Identify any beneficial owners of the customer, and take adequate
measures on a risk-sensitive basis to verify their identity; and
4.13.3. Understand the purpose and intended nature of the customer’s
relationship with the firm.
4.14.
If a firm has assessed that the business relationship with the customer presents
a higher risk of money laundering or terrorist financing, it must conduct EDD. If
a firm is unable to conclude CDD or, in relation to high-risk customers, EDD on a
prospective customer, it must not onboard that customer or perform transactions
with or for that person. If a firm is unable to conclude CDD or, in relation to high-
risk customers, EDD on an existing customer, a firm must terminate its
relationship with its customer.
Commerzbank London’s due diligence process
4.15.
The level of due diligence performed would depend on the risk associated with the
customer, and Commerzbank London would determine this by reference to a
systems-generated score assigned to that customer. From October 2015 to the
end of the Relevant Period, Commerzbank London’s policy also required CLM to
consider whether any other information represented risk factors that ought to be
taken into consideration for assessing the appropriate risk category for the
customer.
4.16.
Commerzbank London dealt directly with customers; however, some of these
would be introduced via intermediaries, such as business introducers. A firm
needs to consider the nature and extent of its AML controls in circumstances
where it does not have direct access to a customer, and is instead dealing with
the customer through intermediaries, such as business introducers. Where dealing
with customers introduced via intermediaries, Commerzbank London’s procedure
required the customer to be onboarded and subjected to a KYC review by
Commerzbank London. Commerzbank London’s procedures required introducers
and distributors to be reviewed every year, regardless of risk rating and, given
the money laundering risk associated with intermediaries, the onboarding of a
business introducer required Compliance approval.
4.17.
The risk category assigned to a customer could be adjusted upwards pursuant to
review and approval by Compliance. Commerzbank’s policy at the start of the
Relevant Period noted that the risk scoring in AOP was not always correct and
should be checked before conducting a “4-eye review”, and amendments to it
could be made by changes made to ISIS. There were otherwise very limited
circumstances in which a downwards risk adjustment could be made, albeit there
was no documented policy confirming this until October 2015. From this date,
Commerzbank London’s policy envisaged that a risk rating could only be manually
decreased by a member of staff in circumstances where a local compliance rule,
which when introduced had deemed the client higher risk than the system
generated risk score, had subsequently been removed or, prior to October 2015,
potentially where the risk rating recorded on Commerzbank London’s internal
system was incorrect.
4.18.
The risk category assigned to the customer at the conclusion of this risk-scoring
process would be an important factor in determining the nature of the due
diligence undertaken and at subsequent periodic due diligence reviews. The
application of certain ‘pre-defined rules’ may have meant that a risk score for a
particular client might be changed, as might other exceptional adjustments during
the course of a KYC review. Certain customer types, such as customers with
beneficial owners who were PEPs, were more likely to be considered by
Commerzbank London to present a higher AML risk during the Relevant Period.
These customers would be assigned a high-risk rating and therefore be subject to
EDD, other than where the client was a regulated financial institution in an EU or
equivalent country.
4.19.
Customers assigned a high-risk rating would be subject to EDD. Files subject to
EDD by CLM would then be reviewed by a member of the Compliance function.
4.20.
CLM was required to carry out due diligence when onboarding a new customer to
verify the identity of the counterparty, collect and assess information on the
customer and its business, and perform screening on the customer and all related
parties, to ensure that the information provided by the customer corroborated
information available from independent data sources. From at least July 2013, the
Bank made available prescriptive lists of the types and form of acceptable
documentation for staff.
4.21.
If a new customer was unable or unwilling to provide the necessary information,
Commerzbank London would, ordinarily, not be able to enter into a transaction
with the customer.
4.22.
Prior to the introduction of the 2015 CLM KYC Procedure in October 2015, the
specific policy guidance on when a client relationship ought to be terminated was
set out in Commerzbank London’s Local Compliance Manual.
4.23.
From the start of the Relevant Period to 30 June 2013, this explained that a
relationship with a client must be terminated where the client is high-risk and the
relevant due diligence requirements cannot be met, or if the counterparty
“continuously and permanently” failed to provide the information required. This
was, however, subject to 3 exceptions:
4.23.1. Where the continuation would not give rise to significantly increased risks
with regard to the prevention of money laundering;
4.23.2. The reason for non-performance of the customer due diligence was
outside the customers’ influence; or
4.23.3. The economic interest of Commerzbank outweighed the risk of money
laundering posed by the client such that it would be inappropriate to
terminate the relationship.
4.24.
If an exception applied, the relevant Front Office manager who owned the client
relationship was required to confirm that there was no suspicion of money
laundering.
4.25.
From 1 July 2013 to June 2015, the requirements changed such that, in principle,
a client relationship must be terminated, irrespective of the risk rating of the
client, where due diligence requirements could not be met, albeit subject to the
same exceptions. If an exception applied, Commerzbank London’s updated policy
required prior written approval to be obtained and the client to be subjected to
enhanced monitoring to continue with the relationship. A further version of the
Local Compliance Manual, updated in June 2015, removed reference to the need
for a “consistent and permanent” failure by a counterparty to provide due
diligence. It also amended the exceptions to state that the termination obligation
applied without restriction.
4.26.
In addition, from December 2016, the Bank implemented a process for
terminating a relationship with an existing client, including in circumstances where
the client had not provided necessary KYC documentation, where the deadline by
which information due to be provided by a client had expired, or where the risk
associated with the customer was too high. Prior to this date, Commerzbank
London might also block the account of a client that presented an unacceptable
risk of financial crime, and might consider offboarding clients that had not been
subject to a business or trading relationship for a prolonged period, no longer
fitted with Commerzbank’s strategy, or were unlikely to be counterparties in the
future.
4.27.
Throughout the Relevant Period, some accounts were introduced to Commerzbank
London via GICs. The 2 key types used by Commerzbank London at certain points
in the Relevant Period were:
4.27.1. GICs issued by MSB/MSB-I to corporate clients (“Corporate GICs”); and
4.27.2. GICs issued by MSB-FI to financial institution clients (“FI-GICs”).
4.28.
Reliance on GICs, or equivalent documents, is permissible under the MLR 2007.
Commerzbank London’s approach to relying on GICs changed during the Relevant
Period and the onboarding processes underlying Corporate GICs and FI-GICs
differed. Deficiencies were identified with the use of GICs during the Relevant
Period, although Commerzbank London took steps to address the impact of these
deficiencies.
Corporate GICs
4.29.
The due diligence underlying Corporate GICs was undertaken by various
Commerzbank branches. In 2013, Compliance identified issues with Corporate
GICs including a perceived reluctance and/or refusal from some branches to
comply with requests to remediate the due diligence on client files in a timely
manner.
4.30.
Following a decision made by Compliance and senior management in Frankfurt in
February 2014, however, from May 2014, Commerzbank London ceased relying
on Corporate GICs. From this point until the end of the Relevant Period all
documentation accompanying the account opening request for the client was to
be reviewed in London.
4.31.
Throughout the Relevant Period, MSB-FI held global customer responsibility for
all financial institution clients of Commerzbank. It would carry out due diligence
on a new financial institution client and would issue an FI-GIC to other branches,
including Commerzbank London, where it had completed these checks.
4.32.
From the start of the Relevant Period to in or around February 2014, CLM could
rely solely on the information in an FI-GIC, other than where the client was
medium or high-risk, where it would need to identify and screen the directors and
ultimate beneficial owners of the client.
4.33.
On 29 April 2014, a “sanity check” of FI-GICs was conducted by Compliance in
conjunction with Frankfurt head office. One consequence of this was that
Commerzbank London could continue to rely on FI-GICs with additional due
diligence and screening conducted by CLM in London.
4.34.
In May 2015, the FCT conducted a quality assurance review of the FI-GIC
acceptance process. The review identified issues with the CDD process and MSB-
FI, including the “need to seek consistency in screening of associated persons”,
and “risk score discrepancies” between the system used by MSB-FI and the risk
score in ISIS on 5 out of 9 clients reviewed where the client had a risk score both
on ISIS and on the system used by MSB-FI. Following this review, Compliance in
London was requested by colleagues in Commerzbank London and Frankfurt to
“review the onboarding procedures for financial institutions from a UK
perspective”, and MSB-FI agreed to update its policies to reflect UK AML
requirements by the beginning of the second quarter of 2016.
4.35.
The 2015 CLM KYC Procedure was introduced from 21 October 2015 and stated
that, as an interim process, CLM would need to perform “top up checks on the
GIC as provided by MSB-FI”. These included undertaking screening and checks of
information available from public sources on the ultimate beneficial owners,
shareholders and directors of the client. Around this time, a high-risk customer
acceptance form was introduced to “strengthen Commerzbank London’s risk
management process for the Front Office” and “ensure that the onboarding of our
clients is aligned with the overall risk appetite of Commerzbank”. This created a
new step in the onboarding process for high-risk clients whereby “the requesting
Desk Head (L3/L4) will be asked to provide additional sign-off on the acceptance
of a client for onboarding once the initial Know Your Client (KYC)/Anti-Money
Laundering (AML) review has been completed and before the final Compliance
Quality Assurance (QA) is undertaken.”
4.36.
During 2016, concerns were raised in relation to the challenge that CLM faced in
dealings with colleagues in MSB-FI whilst MSB-FI’s onboarding processes were
being enhanced. For instance, in January, when discussing MSB-FI’s reluctance
to “reach out to their clients twice for the same information in the space of a few
months” to ensure that KYC information for certain financial institution clients was
up to date, CLM management noted that there was a risk that MSB-FI would not
be “prepared to help us complete the KYC.”
4.37.
In March 2016, an enhanced onboarding process for financial institution clients
was rolled out in Germany by MSB-FI and Commerzbank commenced a
remediation of the KYC of financial institution clients, which ran until the third
quarter of 2017.
4.38.
In June 2016, Internal Audit identified data quality issues in relation to FI-GICs.
A subsequent review by Commerzbank London found that Commerzbank’s
records did not evidence that 158 clients of Commerzbank London, which were
required to have a GIC, had one at the time they were onboarded. 18 of these
158 clients were identified by Commerzbank London as being “high-risk” and, at
the time that Internal Audit performed its review, 81 of the 158 clients were
assigned a “red” status on Commerzbank’s internal system: clients assigned a
“red” status were prevented from transacting with Commerzbank. A further 36 of
the 158 clients were subsequently assigned a “red” status, of which at least 1 was
due to financial crime risk.
4.39.
In June 2017, as part of the wider London Remediation Programme, Compliance
in London and Frankfurt agreed to put in place an interim solution to the
acceptance of GICs by Commerzbank London for FI clients within the KYC backlog.
FCT conducted a review of the FI-GIC acceptance framework, and it was
concluded that the CDD conducted by MSB-FI was sufficient such that CLM was
permitted to rely on GICs for low and medium-risk financial institution clients
without the need for further due diligence. The high-risk acceptance form would
still be required for high-risk clients, with additional checks by Compliance.
4.40.
An additional recommendation arising from this review was for Compliance to
review 10 client files to assess the quality and completeness of the CDD carried
out by MSB-FI. Compliance’s review found that they were “generally satisfied that
the GIC usage will be possible for London Branch”, and that on all files screening
had been performed on entities related to the client, but that on some of the client
files reviewed:
4.40.1. although the files evidenced the relevant approvals having been provided,
they did not include a detailed acknowledgment of the risks associated
with the client being from a high-risk jurisdiction; and
4.40.2. the files did not explain the risks associated with the clients that had an
“element of state ownership (in high risk jurisdictions), and a number of
politically-exposed individuals on their board”, albeit that these facts
were recorded on the GIC and the files evidenced approvals as having
been provided.
4.41.
Following the exercise, Compliance concluded in September 2017 that they were
satisfied that Commerzbank London could rely on FI-GICs but, where multiple
high-risk financial crime factors existed which indicated that a client posed a very
high financial crime risk, additional top-up checks would continue to be required.
The conclusions of the review were discussed and approved by the London
Remediation Programme Oversight Board.
4.42.
London High Risk FI Review and Approval process meetings were commenced in
October 2017, comprising attendees from the front office, CLM and Compliance in
Frankfurt and London, to oversee the financial institution remediation exercise
and discuss each high-risk financial institution client which required remediation.
Where required, certain financial institution clients could be escalated to the
Regional Client Governance Committee, established in May 2017, for further
review.
Issues with due diligence process
4.43.
As identified in paragraphs 4.44 to 4.66, throughout the Relevant Period, there
were a number of issues with the way that Commerzbank London carried out due
diligence on new clients.
Customer risk ratings
4.44.
The Skilled Person identified weaknesses with the way in which risk ratings were
calculated, and how this impacted the extent of due diligence undertaken for
customers. Specifically, the Skilled Person identified examples where the
calculated risk rating recorded for a customer did not impact on the level of due
diligence applied.
4.45.
A reduction to a client’s system-generated risk rating was permissible only in the
event that a “technical override” was necessary to downgrade the risk rating for
a client, where the client’s risk was deemed lower as a consequence of a change
to a local compliance rule. From October 2015, Commerzbank London’s policy
explained that this “is the sole instance where CLM is ever authorised to adjust a
risk category downwards.” Prior to October 2015, there was no documented policy
that prohibited manual downwards adjustments to a client’s system-generated
risk rating, but during this period such adjustments would have only been
permissible in similar limited circumstances. Despite this, there were 159
instances during the Relevant Period where a client’s risk rating was manually
lowered by staff at Commerzbank London, although not all 159 instances would
have been in contravention of the applicable policy.
4.46.
From April 2017, Commerzbank London introduced an enhanced customer risk
rating methodology.
4.47.
Towards the end of 2012, Commerzbank London identified that it was not always
conducting sufficient due diligence on all intermediaries, such as business
introducers or agents, in its PBS business area. PBS provided bespoke investment
products to private banks and independent wealth managers who acted as
intermediaries for others, such as professional investors or high-net worth
individuals. Commerzbank London introduced, from April 2013, a policy for C&M
on how to interact with business partners. The Compliance function then
undertook a complete review of the due diligence held on approximately 350
business partners, identifying material concerns, including a lack of adequate due
diligence being performed. The result of this review was to significantly reduce
the number of business partners engaged by PBS.
4.48.
Following this review, in September 2014, Compliance found that representatives
of PBS had ignored an instruction, given in October 2012, not to deal with a
particular introducer, and had subsequently circumvented restrictions in place to
prevent PBS from dealing with the introducer by allowing payments to be made
to the introducer through other corporate entities. Compliance also found that
certain senior individuals in PBS had not been transparent with Compliance during
discussions on the issue. As a result of these findings a review of PBS was
initiated: the individuals were issued with a verbal warning by Compliance.
4.49.
Despite the review mentioned above, in 2016 Internal Audit identified further
shortcomings in the financial crime controls applying to intermediaries, namely
that whilst it was intended that Compliance would check the due diligence reviews
on all intermediaries conducted by the first line, policy documentation used by
CLM and Compliance was not consistent, and this had led to discrepancies in the
due diligence undertaken. Further, in March 2017, Internal Audit found that one
trading desk within Commerzbank London was not aware of the policy relating to
business partners introduced in August 2015.
4.50.
The Skilled Person also found that due diligence on introducers was inadequate
and inconsistent. The Skilled Person reviewed 5 introducer due diligence files and
found all not to be meeting the required standard, with the files revealing
“unidentified red flags, red flags which had been identified but not investigated
appropriately and a lack of a risk based approach to due diligence.”
4.51.
In 1 example, Commerzbank London failed to apply EDD to an introducer despite
the fact that the majority shareholder of the introducer was identified as a PEP
and despite the fact that the minority shareholder, who Commerzbank London
would be dealing with, had been the subject of an adverse media search that
required further investigation to determine materiality. The reason for this
appeared to be that management within that business area assessed that the risk
associated with the introducer was low due to his understanding of its trading
patterns and the length of the trading relationship with the introducer. This
contravened the terms of Commerzbank London’s policy on business partners,
introduced in August 2015.
4.52.
In 2018, Commerzbank agreed to sell the EMC business (including PBS), and this
led to the number of business introducers Commerzbank London dealt with
reducing from 160 to 9.
4.53.
In 2017, the Skilled Person found through its file review that there were
inadequacies in the identification and screening of PEPs.
4.54.
The Skilled Person’s review of files found that:
4.54.1. In 10 out of 61 of the files there was no evidence that PEP and sanctions
screening had been undertaken on the customer, its beneficial owners
and / or connected parties, and in some files alerts were discounted for
little or no clear reason;
4.54.2. There were instances where PEPs were identified as being closely linked
to the customer, yet there was no evidence that the AML risks posed by
the associated individual appear to have been considered. There were
also instances where no alert was uploaded to Commerzbank London’s
systems to ensure that others across Commerzbank transacting with the
client could identify the potential risk; and
4.54.3. Commerzbank London was also not able to demonstrate that it was
conducting ongoing screening for PEPs or customers in C&M, meaning
that events that ought to trigger a review might not be identified and
appropriate due diligence might not be applied in high-risk cases.
Identifying beneficial owners
4.55.
Prior to entering into a transaction with a client, Commerzbank London should
have, subject to certain minimum ownership thresholds, identified beneficial
owners, directors and/or third parties exercising a degree of control over the
client, and verified their identity. A firm must take a risk-based approach to
determine whether the identity of a beneficial owner can be verified by the
customer or by information obtained from a reliable and independent source. For
low-risk customers, it may be reasonable for a firm to confirm the beneficial
owner’s identity based on information supplied by the customer.
4.56.
Reliance on email confirmation from clients as to the veracity of the information
provided on the beneficial ownership of the client occurred in certain areas of
Commerzbank London. Relying on email confirmation from a client in these
circumstances was permitted under Commerzbank London’s Local Compliance
Manual at the time only where the client was low-risk.
4.57.
This issue was identified by Compliance in April 2015, at a time when CLM’s desk
procedures were being updated. In September 2015, CLM management explained
to Compliance that it would be very difficult to start to ask financial institution
clients to provide independent verification of their ultimate beneficial ownership,
on the basis that MSB-FI did not currently seek this documentation from these
clients in their KYC review.
4.58.
Although the 2015 CLM KYC Procedure was introduced in October 2015, a
subsequent review of CDD files by the Skilled Person, reported on in September
2017, found that:
4.58.1. in 46% of the CDD files reviewed, Commerzbank London failed to identify
and verify the beneficial owners;
4.58.2. in 70% of the CDD files reviewed, Commerzbank London failed to verify
connected parties to the client; and
4.58.3. further, where beneficial ownership and/or connected party details were
obtained, this information was not then always recorded on
Commerzbank London’s internal systems.
4.59.
The Skilled Person found that one reason for the failure by Commerzbank London
to identify and verify beneficial owners and connected parties in these instances
was that, in 31% of the CDD files reviewed, it was too willing to accept responses
and information from the customer without independently verifying or challenging
them, meaning that financial crime risks arising through ownership and control
structures may not have been identified or mitigated.
Offboarding clients
4.60.
Where Commerzbank London did not receive adequate information to onboard a
new client, or did not receive adequate KYC information to complete the due
diligence for an existing client, its policy was that an account would not be opened
for that client or that, in a number of instances, an existing relationship ought to
be terminated. At the start of the Relevant Period, however, Commerzbank
London did not generally offboard clients, even where the client account was
dormant. At this time, Commerzbank London had more than a thousand dormant
accounts. This led to a process, which commenced in January 2015, where more
than 1,500 client accounts were to be closed.
4.61.
Issues relating to dormant accounts, and the offboarding of clients, remained.
4.62.
In October 2015, Compliance commenced a review of the Commerzbank
Transaction Services business area, which provided trade finance services to
corporate clients. This review identified that there was no uniform process in place
to ensure that accounts were closed in MSB-I and C&M systems where the account
was dormant. The review found an example where this had led to transactions
being processed through a sub-account for a client that ought to have been
offboarded.
4.63.
In September 2017, despite a number of local and global policies and procedures
that specified the circumstances, requirements and processes for offboarding
clients, including those offboarded for financial crime reasons, the Skilled Person
found a material risk to Commerzbank London due to there being no
comprehensive documented process or criteria for terminating a relationship with
an existing client for financial crime risk. The Skilled Person found that the process
followed by Commerzbank London placed too much emphasis on a single
individual to oversee and identify clients that posed too high a financial crime risk.
A documented process and criteria for identifying a client that poses too high a
financial crime risk better enables a firm to adopt a uniform approach to
offboarding clients in line with its financial crime risk appetite.
4.64.
There were also instances where clients were identified by Commerzbank London
as having been “offboarded”, but where the requirements for the offboarding
process were not adhered to, resulting in the clients continuing to transact with
Commerzbank London. In 1 case, an existing client was due to have its KYC
reviewed in 2013, but this review did not take place until June 2016. In this time,
the client continued to transact with Commerzbank London. In June 2016,
Commerzbank London initiated a KYC review for the client, but this was not
completed, and the decision was instead taken to offboard the client. However,
the client continued to use its account with Commerzbank London until the second
quarter of 2017. Commerzbank London still did not block the client’s account until
27 November 2017, having sent a closure notice to the client on 7 November
2017.
Lack of clarity around responsibilities for AML risks
4.65.
In October 2016, Internal Audit found that CLM’s mandate had not been clearly
determined and defined in its written framework. There was also uncertainty
amongst certain senior staff at Commerzbank London, particularly between 2015
and 2016, as to the identity of the individual responsible for the establishment
and maintenance of financial crime controls.
4.66.
The Skilled Person also identified that risk and issue owners were not clearly
articulated or understood by Commerzbank London’s committees, which led to a
“lack of clarity around responsibilities”. This impacted the Front Office, CLM and
Compliance.
Ongoing monitoring – due diligence on existing clients
4.67.
A firm must conduct ongoing monitoring of all business relationships, tailored in
accordance with the firm’s risk assessment of that customer. Ongoing monitoring
includes keeping CDD up to date through periodic review of the customer’s file,
or conducting reviews of the due diligence held in response to certain trigger
events.
4.68.
Where the business relationship is considered to be higher risk, the ongoing
monitoring must be enhanced, and therefore more frequent or intensive.
Commerzbank London’s process for reviewing due diligence for existing customers
4.69.
Throughout the Relevant Period, Commerzbank London had a policy that required
it to undertake a review of the due diligence held for an existing client (also known
as a “KYC refresh”). A KYC refresh for a client was to be carried out on a periodic
basis, depending on the risk rating assigned to the client. High-risk clients would
be subject to KYC refresh annually and subject to EDD, with low-risk clients
subjected to KYC refresh every 3 years.
4.70.
A KYC refresh was also to be carried out in circumstances where there was a
“material change” to the information known about a particular client. Such reviews
could be initiated by either the Front Office, Compliance or CLM as a result of an
event or new information emerging about a client. This information would then be
assessed to review the financial crime risk associated with the client.
4.71.
CLM was required to conduct KYC refresh for existing clients in line with the same
requirements as applied to the onboarding of new clients. Front Office would
collate and, if necessary, obtain due diligence information from the client.
Compliance would provide advice to CLM on specific client files and conduct
reviews of high-risk client files. CLM generally was to commence the review of the
client file within 90 days of the client becoming due for KYC refresh, and was to
complete it prior to the client becoming overdue KYC refresh, unless an exception
had been given by a member of the first or second tier of management within
Commerzbank.
4.72.
Commerzbank London used AOP, where information about clients of
Commerzbank was to be held, when performing KYC refresh. A client would be
assigned a “red” or “green” status on AOP: a “red” status would mean that
Commerzbank London could not transact with the client.
Development of KYC refresh backlog
4.73.
In October 2012, when KYC refresh was overdue for a client, the AOP system
would automatically change the client’s status from ‘green’ to ‘red’. At this time,
there were a large number of clients becoming overdue KYC refresh, which
created significant challenges for those at Commerzbank London tasked with
performing the KYC refresh.
4.74.
In response, at or around the start of the Relevant Period, to reduce the impact
that the process was having, senior management within Compliance decided to
disable the automated function that changed the status of a client from ‘green’ to
‘red’ in circumstances where the client’s KYC refresh was overdue. Instead, a
static review would be carried out manually, with low-risk customers being subject
to a sampled review every third year. This was followed by a remediation exercise
instigated by Compliance in 2013, which involved refreshing approximately 8,000
existing legal entities’ data and adding further documentation to their files to
address changes in regulatory requirements. As a result of the resources diverted
to that remediation, a backlog of approximately 1,900 legal entities due to be
subject to KYC refresh developed, 193 of which were high-risk and 1,371 of which
were low-risk.
4.75.
A backlog of clients overdue KYC refresh (the “Refresh Backlog”) remained
throughout the Relevant Period. In June 2015, Internal Audit reported that the
factors contributing to the development of the Refresh Backlog included:
4.75.1. a lack of coordination between the Front Office and CLM;
4.75.2. the fact that Commerzbank London was not relying on Corporate GICs,
and had to perform “top-up checks” on FI-GICs; and
4.75.3. the fact that the interaction between CLM, Frankfurt and other
Commerzbank branches relating to KYC documentation lacked clarity,
transparency and pace, mainly due to a different interpretation of due
diligence requirements across different jurisdictions.
4.76.
Internal Audit also found that the function on AOP that had automatically changed
the client’s status to “red” where the client was overdue KYC refresh, and which
had been disabled in October 2012, ought to be reinstated. This would have the
effect of preventing Commerzbank London from transacting with those clients,
subject to possible exceptions approved on an agreed and documented risk-based
assessment of the client by the Front Office and Compliance. The automatic
function was switched on in February 2016.
4.77.
At the end of September 2015, the Refresh Backlog comprised 71 clients. From
January 2016 to February 2017, senior members of CLM and Compliance met
regularly to discuss the Refresh Backlog and the backlog of new clients to be
onboarded. Despite this, the number of clients in the Refresh Backlog increased
quickly.
4.78.
In May 2016, senior management in CLM identified that there would be a large
increase of volume of KYC refresh cases over the next 12 months, due in part to
client files previously subject to remediation coming up for periodic review
simultaneously. As a result, and due to the automatic expiry function on AOP
having been switched back on, CLM management developed an exceptions
functionality to enable clients on a list, including those overdue KYC refresh, to
continue to transact with Commerzbank London: an “Expiry Exceptions List” was
implemented in May 2016.
4.79.
Between March 2016 and June 2016, Internal Audit conducted work to follow up
on its findings from June 2015. In October 2016, Internal Audit reported that
there was a “huge backlog” of 2,350 customers waiting to be onboarded or
awaiting periodic review. This backlog comprised 1,720 new clients awaiting due
diligence to be completed, and 630 existing clients awaiting due diligence refresh.
Commerzbank London could not transact with the 1,720 new clients forming part
of the backlog until their KYC was approved. Commerzbank London’s policy at the
time was that failure to complete the due diligence checks required at onboarding
or periodic refresh would, ordinarily, prevent Commerzbank from entering into a
transaction with the customer. Internal Audit found instances in relation to
existing clients, however, where transactions took place despite the KYC checks
remaining outstanding.
4.80.
Of the 630 existing clients in the Refresh Backlog at the end of March 2016, 296
were clients of Commerzbank London. Of these 296 clients, 118 transacted with
Commerzbank London in circumstances where the KYC for the client was
outstanding, across 2,835 transactions, with Commerzbank London generating
net revenue in excess of £3,500,000 for these transactions. Of these clients, 11
were subsequently identified as having entered into transactions that raised a red
flag, AML concern or other suspicious characteristic during the period when KYC
was overdue. These 11 clients carried out 114 transactions in respect of which
Commerzbank London generated net revenue of approximately £1,000,000 whilst
these clients were overdue a KYC refresh. Although alerts for some of these clients
were, following investigation by Commerzbank, “closed with no issues”,
Commerzbank filed SARs in Germany in relation to 1 client in respect of
correspondent banking transactions on the basis that the client had “links with
organisations which were previously associated with terrorist financing” and was
subsequently offboarded.
4.81.
At a meeting on 15 June 2016 management in CLM and Compliance noted their
“continuing and growing concern on the mounting [Refresh Backlog]” and their
concern that the process was operating “without clear rules”. By 12 October 2016,
365 clients were overdue KYC refresh, of which 173 were categorised as high-
risk. This had increased to 759 clients by January 2017, in addition to 829 clients
scheduled to come up for KYC refresh within 3 months of that date. By 1 March
2017, there were 1,772 clients overdue KYC refresh.
The Expiry Exceptions List
4.82.
The Expiry Exceptions List, introduced by senior management in CLM from May
2016, was a spreadsheet containing the details of:
4.82.1. clients overdue KYC refresh;
4.82.2. clients scheduled to come up for KYC refresh within a month of the date
that the Expiry Exceptions List was compiled, but which were not at that
date overdue KYC refresh; and
4.82.3. other groups of clients that required KYC checks completed, such as those
financial institution clients that required ‘top-up checks’ to be carried out
by CLM due to the existence of a GIC.
4.83.
CLM management introduced the Expiry Exceptions List to enable clients,
including those overdue KYC refresh, to continue to transact with Commerzbank
London, where Commerzbank’s systems would have otherwise prevented this.
4.84.
Between May 2016 and 9 February 2017, 3,623 clients were added to the Expiry
Exceptions List. On 9 February 2017, being the date when the Expiry Exceptions
List was at its largest, 2,226 clients were on the Expiry Exceptions List. Not all of
these clients had overdue KYC refresh and, of the 2,226 clients on the Expiry
Exceptions List as at 9 February 2017, 792 were high-risk and the remaining
1,434 clients were low or medium-risk. Not all of these clients were clients of
Commerzbank London, but CLM and Commerzbank London performed important
due diligence for these clients, typically in addition to the due diligence that was
to be performed by the relevant lead branch. By 1 March 2017, there were 1,772
clients overdue KYC refresh.
4.85.
There were no set procedures in Compliance for approving extensions for clients
overdue KYC refresh, nor for how decisions were recorded or for how those clients
granted extensions could be monitored. Clients were therefore able to continue to
transact with Commerzbank London, despite Commerzbank London potentially
holding out-of-date CDD for those clients, and without Compliance having an
understanding of the way in which the exceptions process was being used by CLM.
By the end of 2016, the use of the Expiry Exceptions List was out of control.
4.86.
Of the 2,226 clients referenced above, 236 were high-risk clients of Commerzbank
London that were overdue KYC refresh for more than a year, yet still able to
transact with Commerzbank London. For example, 1 high-risk client, who was
more than 5 years overdue KYC refresh, entered into 10 transactions with
Commerzbank London whilst overdue KYC refresh: Commerzbank London
generated net revenue of £122,568 from these transactions. Another high-risk
client was able to enter into 16 transactions, with Commerzbank London
generating net revenue of £273,799 from those transactions, despite being
overdue KYC refresh for nearly 5 years. Of the 236 high-risk clients, 4 were
subsequently offboarded due to AML or compliance-related concerns.
4.87.
When Commerzbank London undertook the KYC refresh on the 2,226 clients on
the Expiry Exceptions List on 9 February 2017:
4.87.1. Commerzbank found that it either did not wish to trade with, or was
otherwise unable to approve the KYC for, 837 clients when it carried out
the first KYC review post-February 2017. As at 26 February 2019, this
remained Commerzbank’s position for 660 out of these 837 clients. Of
these 837 clients, 286 were high-risk. 9 clients were
offboarded due to AML or compliance-related concerns, 6 of which were
clients of Commerzbank London.
4.87.2. Commerzbank subsequently filed SARs in Germany in respect of
correspondent banking transactions entered through 2 of Commerzbank
London’s clients on the Expiry Exceptions List in February 2017; and
4.87.3. By 26 February 2019, 33 clients had still not been subject to KYC refresh.
Of these 33 clients, 6 were clients of Commerzbank London, all of which
were low-risk. Commerzbank subsequently found that it did not wish to
trade with 13 of these 33 clients when it came to carry out the first KYC
review post-February 2017. No SARs were filed in respect of these clients.
Causes of the weaknesses in KYC refresh and exceptions process
4.88.
From May 2016 to the end of the Relevant Period, Commerzbank London
undertook steps to try to address the Refresh Backlog, including:
4.88.1. increasing the headcount in CLM and, from March 2017, restructuring the
CLM function and introducing new management;
4.88.2. engaging a third-party vendor to assist with KYC checks for low and
medium-risk cases and, from September 2016, replacing external
contractors used in Commerzbank London by CLM with a wholly owned
outsourcing provider;
4.88.3. streamlining certain of CLM’s processes;
4.88.4. improving management information; and
4.88.5. in early 2017, the Board commissioned a special investigation by Internal
Audit into the Expiry Exceptions List, which was completed in June 2017.
4.89.
However, these measures were taken too late, and effected too slowly, and the
Refresh Backlog continued to grow until February 2017. This was in part because
communication and coordination between CLM, the Front Office and Compliance
was poor.
4.90.
There were several other contributory causes to the development of the Refresh
Backlog and the lack of oversight and controls surrounding the use of the Expiry
Exceptions List.
4.91.
There were weaknesses in the written framework for CLM, with certain key
procedures, including relating to the exceptions process, undocumented. In
particular, the procedure for Compliance to grant periodic extension approvals
lacked clarity or certainty, there was no clear position regarding the extent of the
use of the Expiry Exceptions List and there were inconsistencies between the
requirements to approve a client’s KYC status across global Compliance teams,
particularly around the use of GICs and the compliance requirements in Germany
versus London.
4.92.
The reporting to senior management on the Refresh Backlog and the Expiry
Exceptions List, including the number of clients on it and the fact that these clients
were still transacting, was inadequate and unclear, because, for example, the
precise number of clients overdue KYC refresh was unclear. Senior management
at Commerzbank London therefore lacked oversight of some of the key issues
identified. This also meant that, despite attending regular meetings to discuss the
extent of the Refresh Backlog, senior management in Compliance failed to grasp
the extent of the Refresh Backlog or the way that the Expiry Exceptions List was
being used.
4.93.
Neither Compliance nor CLM had adequate numbers of staff to perform the tasks
assigned to them, despite external contractors being engaged to assist with file
reviews of clients on the Refresh Backlog. This issue persisted throughout the
Relevant Period. The Skilled Person found that the lack of resource in Compliance
impeded the effectiveness of the Compliance function. This hindered both CLM
and Compliance’s ability effectively to address the Refresh Backlog. In mid-2016,
the FCT in Compliance consisted of 3 full-time employees, which was increased to
42 full-time employees by mid-2018 as part of the London Remediation
Programme. By the end of the Relevant Period, total headcount in Regional
Compliance had increased from 23 to 43 and, by May 2019, total Compliance
resource had increased to 52.
4.94.
CLM was not, until at least 2017, able to perform the role of carrying out due
diligence for the Bank effectively, with the quality of file reviews being poor for
much of 2016. In addition, there appeared to be, from at least January 2015 to
June 2016, a lack of understanding about how to apply certain ‘pre-defined rules’,
designed to identify ‘red flags’ on a client’s file. These issues contributed to a
significant proportion of client files reviewed by CLM and submitted to Compliance
in or around September 2016 being referred back to CLM due to quality issues.
At this time, an increasing number of clients were also coming up for KYC refresh.
In addition, CLM senior management in London considered that decisions taken
by Compliance and senior CLM management based in Frankfurt, including relating
to staffing and aspects of the file review process at or around this time, had the
effect of exacerbating the identified weaknesses in the quality of file reviews
undertaken.
4.95.
In March 2018, despite the remedial activity undertaken during the Relevant
Period and the implementation of the London Remediation Programme in March
2017, Group Audit found shortcomings in all areas of the KYC review process. The
US Monitor, whilst acknowledging prior remedial efforts (though ultimately not
successful) and the improvements to Commerzbank’s compliance and governance
framework, noted that the quality of reviews completed remained unsatisfactory,
with CLM, at that time, still in “firefighting-mode”.
4.96.
As at the date of this Notice:
4.96.1. the Refresh Backlog is tracked on a permanent basis;
4.96.2. the CLM pipeline for new cases is managed and tracked centrally by the
Commerzbank London Management Office; and
4.96.3. governance underpinning the Expiry Exceptions List has been enhanced.
Ongoing monitoring – transactions for existing clients
4.97.
As part of its obligation to monitor all business relationships with existing clients,
a firm must also scrutinise customer transactions to ensure that they are
consistent with the firm’s knowledge of the customer, its business and its risk
profile. Where the business relationship is considered to be higher risk, this
monitoring must be more frequent or more intensive.
Commerzbank London’s process for monitoring transactions
4.98.
Commerzbank used a number of systems to monitor transactions for AML, and
other financial crime risks, including:
4.98.1. a transaction monitoring tool, which conducted automated transaction
monitoring, and which would generate alerts that would be subject to
review and investigation by Compliance. This was the primary transaction
monitoring tool used by Commerzbank London during the Relevant Period
(the “Primary Transaction Monitoring Tool”);
4.98.2. certain payments review systems, which would be used by Compliance
to access client files when checking alerts generated by the Primary
Transaction Monitoring Tool; and
4.98.3. a system to monitor cross-border payments and trade finance
transactions, including checking them against ‘blacklists’ (being a list of
customers offboarded due to financial crime concerns).
4.99.
From the start of the Relevant Period, Compliance was responsible for monitoring
transactions on behalf of existing clients. Its role included:
4.99.1. reviewing and adjusting the parameters in place for the relevant
monitoring systems, so that they could be optimised to identify only those
cases of potentially suspicious activity;
4.99.2. maintaining a global ‘blacklist’, setting out the details of any
counterparties, jurisdictions, or products which Commerzbank would be
prohibited from transacting with, or in; and
4.99.3. reviewing and assessing cases of suspicious activity, followed by
appropriate investigation and SAR escalation as necessary.
4.100. The Trade Finance department was also responsible for transaction monitoring in
relation to trade finance transactions.
4.101. The Primary Transaction Monitoring Tool was used during the Relevant Period to
conduct automated transaction monitoring against a set of rules developed and
designed by a third-party software licensor. Commerzbank would feed transaction
data through the Primary Transaction Monitoring Tool, which would then generate
alerts based on the scoring prescribed by the rules applied. Any alerts would then
be reviewed by Compliance, who would assess whether the particular transaction
and associated client accounts required further investigation.
4.102. There were two committees responsible for transaction monitoring of trade
finance transactions during the Relevant Period: the London CTS Oversight
Committee and the London Trade and Cash Management Transactions
Committee. Among other things, these committees would make decisions on
trade finance transactions referred to them to assess the financial crime or
sanctions risk associated with the transaction. From the start of the Relevant
Period, the London Management Meeting, a meeting of senior managers in
Commerzbank London, would also receive a report containing data on AML
transaction monitoring alerts and cases. At a global level, the Global Transaction
Monitoring Working Group was responsible for steering, developing, and
managing the post-transaction monitoring and investigation processes and
considering the adoption of transaction monitoring standards globally as well as
across Commerzbank business lines.
4.103. Commerzbank London had a number of policies and procedures in place
throughout the Relevant Period relating to the use of transaction monitoring tools
and systems, including the Primary Transaction Monitoring Tool.
Issues with Commerzbank’s transaction monitoring
4.104. From the start of the Relevant Period, the Primary Transaction Monitoring Tool
had weaknesses.
4.105. In December 2013, a report by a member of the Compliance function in respect
of the Primary Transaction Monitoring Tool found that it was “not fit for purpose”.
Specifically, this report stated that the Primary Transaction Monitoring Tool:
4.105.1.
relied on “inaccurate information creating [a] high volume of false
alerts”;
4.105.2.
relied on “inaccurate information, failing to create required alerts
based on a lack of quality data on which to assess individual clients”; and
4.105.3.
had a “lack of automated and continually updating High Risk
Customers [meaning] that our highest risk scenarios are not being
properly monitored”.
4.106. The report also found that the Primary Transaction Monitoring Tool was not able
to interpret data from certain transaction systems effectively.
4.107. Compliance subsequently reported, in May 2014, that the Primary Transaction
Monitoring Tool needed more accurate information in relation to source of wealth,
the nature of a client’s business and the purpose of accounts to function
effectively, and more IT support from Frankfurt. Compliance reported that it did
not have sufficient resource to enhance or maintain the Primary Transaction
Monitoring Tool.
4.108. Compliance reported in April 2015 that “the 2014 set-up of the [Primary
Transaction Monitoring Tool] system shows room for improvement, both with
regards to the quality of data going into the system, as well as with regards to
the rules that are applied, based on the latest typologies.” Compliance had already
reported for the year ending 31 December 2013 that there was a need for “a
review of the feeds of information already going in to [the Primary Transaction
Monitoring Tool] to address the quality and accuracy of the information it was
receiving.”
4.109. Compliance’s report from April 2015 recorded that this issue would be addressed
through a Group-wide Compliance remediation project, known as “Project ARC”,
and the introduction of an improved externally hosted workflow tool, which would
need better information on customer activity and the purpose of accounts. The
report identified that adding IT support and enhancements to the Primary
Transaction Monitoring Tool from 2015 to 2017 would have a high resource impact
on Commerzbank London.
4.110. Deficiencies with the Primary Transaction Monitoring Tool persisted during 2015
and 2016.
4.111. In December 2015, Internal Audit conducted a review and reported on AML
controls at Commerzbank. This found that:
4.111.1.
40 high-risk countries were missing from the Primary Transaction
Monitoring Tool, as an update to the country list on the Primary
Transaction Monitoring Tool had not taken place in a timely manner;
4.111.2.
The list of high-risk clients used by the Primary Transaction
Monitoring Tool had not been updated, meaning that 1,110 high-risk
clients of Commerzbank had not been added;
4.111.3.
Compliance was not always recording that it was checking the
relevant transacting client against the sanctions list; and
4.111.4.
Regular reviews of applicable rules or thresholds used by the Primary
Transaction Monitoring Tool were either not documented or were not
undertaken in a timely manner.
4.112. In February 2016, a document produced in respect of a proposed enhancement
to the interface between the Primary Transaction Monitoring Tool and the client
systems used by Commerzbank, such as AOP, found that the setup of the Primary
Transaction Monitoring Tool had “been fundamentally unchanged since its original
implementation”. This interface was not built prior to the end of the Relevant
Period, in part because of the time and cost required to complete the task, and in
part due to the development of a new and enhanced transaction monitoring
system, which Commerzbank took the decision in December 2015 to implement
globally.
4.113. In April 2016, Compliance reported that certain changes to the Primary
Transaction Monitoring Tool were being delayed because they required additional
data feeds from transactional systems.
4.114. When undertaking reviews of transaction alerts, Compliance found that the
system would identify a very high proportion of transactions that did not, in fact,
have characteristics that presented financial crime risk (known as “false
positives”). This made the process of reviewing transaction alerts unnecessarily
time-consuming, and increased pressure on the limited resource available to
Compliance.
4.115. In addition to the Primary Transaction Monitoring Tool, other aspects of
Commerzbank London’s transaction monitoring systems displayed weaknesses.
4.116. For example, in March 2016 Compliance found that there was no clear process for
cash services through which potentially suspicious activity could be first detected,
and then assessed/reported as necessary. However, at this point, Compliance also
rated the risk associated with Commerzbank London’s transaction monitoring
systems as “fair”, due to some of the proposed steps to remedy the issues
identified, including conducting a local review to improve the Primary
Transaction Monitoring Tool while the global project to implement the new and
enhanced transaction monitoring system was being conducted by Group
Compliance.
4.117. In November 2016, the US Monitor recommended that Group Compliance carry
out reviews on a global basis of transactions carried out by the Trade Finance
business area, which took place between October 2015 and October 2016. 5
precautionary SARs were submitted in Germany in respect of transactions that
had been carried out from Commerzbank London. Compliance subsequently
assessed that, in all but one transaction, no action was necessary to be taken in
the UK in relation to these transactions. Compliance decided that, whilst no
financial crime was identified, two precautionary SARs should be filed due to a
number of high-risk factors being present.
4.118. In October 2016, Internal Audit reported that a particular automated pre-trade
control relating to certain sanctions screening had not been put in place as
expected by senior management in 2015, and that a global “blacklist” had also
not been implemented across all jurisdictions, creating the risk that business was
being conducted in 1 jurisdiction even where the customer had been offboarded
in another.
4.119. Further, in September 2017, the Skilled Person reported that the Primary
Transaction Monitoring Tool was not fit for purpose and would be replaced. As
noted above, Commerzbank took a decision in December 2015 to implement a
new transaction monitoring system globally. The implementation of the new
system in certain Commerzbank branches began in early 2017. The new
transaction monitoring system was implemented in Commerzbank London in June
2018.
4.120. Due to the concerns raised, Commerzbank London undertook a number of reviews
of transactions to identify any potentially suspicious activity that may have been
missed.
4.121. In March 2018, Compliance produced a report summarising a lookback exercise
performed on the Primary Transaction Monitoring Tool to identify potentially
suspicious activity missed as a result of the failure to update the list of high-risk
clients and countries between 2011 and 2015. The report identified 999
transactions for high-risk clients and / or high-risk jurisdictions that might
have triggered alerts but did not. Other than 3
transactions, all transactions were found to be in line with the relevant client’s
KYC and there was nothing unusual to report. Of those 3 transactions, 1 required
further investigation to assess whether a SAR ought to be filed, and 2 were
identified as there was insufficient documentary evidence available for an
assessment to be made. Following further investigation by Compliance, 2
precautionary SARs were filed in 2 of the 3 transactions, although no financial
crime was identified. In respect of the third transaction, no further action was
required.
4.122. In 2016, Commerzbank undertook a series of reviews of transactions entered into
by more than 1,000 correspondent banking clients domiciled across 29 high-risk
countries, with the aim of identifying suspicious transactional behaviour. During
these reviews, Commerzbank analysed approximately 5 million transactions and
conducted a deep-dive review of approximately 67,000 transactions. As a result
of these reviews, Commerzbank subsequently filed 2 SARs in relation to
transactions that referenced clients of Commerzbank London, although these
transactions did not relate to transactions carried out by Commerzbank London
and no financial crime was identified. Both clients had their relationship with
Commerzbank terminated as a result.
4.123. In July 2018, following observations made by the Skilled Person, Commerzbank
conducted a SAR internal referral review. Out of the 12 sampled cases:
4.123.1.
3 cases resulted in an external precautionary SAR being submitted;
4.123.2.
8 cases resulted in no external SAR being submitted; and
4.123.3.
1 case was closed, but it is not clear from the file whether an external
SAR was submitted.
Response to identified shortcomings in AML control framework
4.124. In March 2015, following action taken by the DFS against Commerzbank and
Commerzbank’s New York branch, Commerzbank was required to engage an
independent monitor (the “US Monitor”) as selected by the DFS. The US Monitor
reviewed and reported on weaknesses in the AML control framework at
Commerzbank London in March 2018, July 2018 and October 2018. The US
Monitor’s engagement ended on 24 June 2019.
4.125. In January 2017, the Authority conducted a visit to Commerzbank London. Due
to the concerns raised by the Authority in respect of Commerzbank London’s
financial crime control framework, in March 2017 Commerzbank London initiated
a large-scale remediation project relating to its financial crime controls (the
“London Remediation Programme”), and on 22 May 2017 was issued a
requirement by the Authority to appoint a Skilled Person under section 166 of the
Act.
4.126. The Skilled Person independently assessed the adequacy of Commerzbank
London’s financial crime controls, including its approach to CDD, EDD, ongoing
monitoring and transaction monitoring, and related governance arrangements.
The Skilled Person reported on these matters on 28 September 2017, highlighting
a range of weaknesses in respect of Commerzbank London’s financial crime
controls, including in relation to CDD, EDD, ongoing monitoring and transaction
monitoring, and the related governance arrangements.
4.127. Following the receipt of the Skilled Person’s report in September 2017,
Commerzbank London enhanced and re-scoped the London Remediation
Programme (which had been underway since March 2017). The London
Remediation Programme sought to address both underlying weaknesses and to
introduce enhancements identified from business-as-usual processes and
observations from the US Monitor, Skilled Person and the Authority.
4.128. In addition, following receipt of the Skilled Person’s report in September 2017,
Commerzbank London took steps to implement voluntary business restrictions to
allow it sufficient time to implement the changes identified by the Skilled Person.
On 20 December 2017, Commerzbank London entered into a voluntary
undertaking to the Authority that it would maintain the Business Restrictions,
4.128.1.
Effective 28 September 2017, all Commerzbank London trade
finance new business activities were suspended;
4.128.2.
Effective 28 September 2017, Commerzbank London would open no
new demand deposit accounts;
4.128.3.
Effective 28 September 2017, Commerzbank London would open no
new custody accounts;
4.128.4.
Effective 29 September 2017, Commerzbank London would not
onboard new high-risk customers;
4.128.5.
New low and medium-risk customers could be onboarded, but only
subject to formal approval from the Regional Client Governance
Committee; and
4.128.6.
Effective 5 December 2017, Commerzbank London would conduct no
new business with existing high-risk customers in respect of which a
periodic or material change review is overdue.
4.129. A limited number of transactions, including transactions to be entered into to fulfil
pre-existing contractual commitments, were permitted under the terms of the
Business Restrictions.
4.130. The Business Restrictions were agreed to remain in place until such time as the
Authority agreed in writing that certain, or all, of the restrictions may be modified
or lifted, having regard to the progress of the London Remediation Programme.
The London Remediation Programme is now closed, and the Business Restrictions
remain in place, albeit with modifications approved by the Authority.
4.131. The Skilled Person subsequently tested and evaluated the effectiveness of the
remediation work undertaken by Commerzbank London, and issued further
reports on these matters in August 2018, May 2019 and April 2020. Since the
Skilled Person’s report in September 2017, Commerzbank London has amongst
other things enhanced its policies and procedures with respect to PEPs and
implemented a comprehensive framework for offboarding clients, and the Skilled
Person has observed “significant enhancements” to the “clarity of responsibilities
and clear ownership of financial risk” at Commerzbank London. In the report
issued in April 2020, the Skilled Person found that, although Commerzbank
London was “not at the end of its journey as certain issues still require attention”,
Commerzbank London’s financial crime framework has “continued to mature” and
Commerzbank London is now “a completely different institution” to the one it
reviewed in September 2017.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Notice are referred to in Annex A.
5.2.
Principle 3 required Commerzbank London to take reasonable care to organise its
affairs responsibly and effectively, with adequate risk management systems.
5.3.
Commerzbank London was also required to have policies and procedures in place,
comprehensive and proportionate to its business activities, to enable it to identify,
assess, monitor and manage money laundering risk.
5.4.
Commerzbank London breached Principle 3 in that, during the Relevant Period:
5.4.1.
Despite having identified late in 2012 that it was not conducting due
diligence on all intermediaries (i.e. introducers and distributors) and then
taking steps to significantly reduce the number of business partners
engaged, both Internal Audit (in 2016) and the Skilled Person (in 2017)
subsequently identified shortcomings in the applicable financial crime
controls, leading to discrepancies in the due diligence undertaken on
intermediaries (see paragraphs 4.47 to 4.52);
5.4.2.
The Skilled Person identified instances where the way that Commerzbank
London identified and considered the risks associated with PEPs was
inadequate (see paragraphs 4.53 to 4.54);
5.4.3.
Certain business areas did not always adhere to Commerzbank London’s
policy of verifying the beneficial ownership of clients, including high-risk
clients, from a reliable and independent source, and there were instances
where Commerzbank London’s staff were too willing to accept assurances
from clients on the veracity of information of beneficial ownership (see
paragraphs 4.55 to 4.59);
5.4.4.
There was no comprehensive documented process or criteria for
terminating a relationship with an existing client for financial crime risk.
In 1 example, after Commerzbank London had decided in June 2016 to
offboard a client, the lack of documented process meant that the client’s
account was not, in fact, closed until November 2017 (see paragraphs
4.60 to 4.64);
5.4.5.
Risk and issue owners were not clearly articulated or understood by
Commerzbank London’s committees. This led to a “lack of clarity around
responsibilities”, which impacted the Front Office, CLM and Compliance
(see paragraphs 4.65 to 4.66);
5.4.6.
Commerzbank London’s first and second lines of defence tasked with
carrying out key AML controls were, throughout the Relevant Period,
understaffed and unable to complete KYC reviews for new and existing
clients in a timely manner. This led to the development of a significant
backlog of existing clients being subject to KYC refresh (see paragraphs
4.69 to 4.81);
5.4.7.
There were no set procedures in Compliance for approving extensions for
clients overdue KYC refresh, nor for how decisions were to be recorded
or how those clients granted extensions could be monitored. Clients were
therefore able to continue to transact with Commerzbank London, despite
Commerzbank London potentially holding out-of-date CDD for those
clients, and without Compliance having an adequate understanding of the
exceptions process. An internal review by Commerzbank London found
that, by the end of 2016, the use of the Expiry Exceptions List was out of
control (see paragraphs 4.82 to 4.96); and
5.4.8.
Commerzbank London’s Primary Transaction Monitoring Tool was not fit
for purpose, and did not have access to key information from certain of
Commerzbank’s transaction systems, creating the risk that potentially
suspicious transactions were not identified. Following retrospective
reviews in 2016 and 2018, Commerzbank London filed SARs in respect of
transactions not properly scrutinised due to these failings (see
paragraphs 4.104 to 4.120).
5.5.
As a consequence of these inadequacies in Commerzbank London’s AML control
framework, it was unable to adequately identify, assess, monitor or manage its
money laundering risk. It therefore had not established, implemented or
maintained adequate policies and procedures to ensure its compliance with its
obligation to counter the risk that the firm might be used to further financial crime.
5.6.
The weaknesses in Commerzbank London’s AML systems and controls resulted in
an unacceptable risk that it would be used by those seeking to launder money,
evade financial sanctions or finance terrorism.
6.
SANCTION
Financial penalty
6.1.
The Authority’s policy for imposing a financial penalty is set out in Chapter 6 of
DEPP. In respect of conduct occurring on or after 6 March 2010, the Authority
applies a 5-step framework to determine the appropriate level of financial penalty.
DEPP 6.5A sets out the details of the 5-step framework that applies in respect of
financial penalties imposed on firms.
Step 1: disgorgement
6.2.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach where it is practicable to quantify
this.
6.3.
The Authority has not identified any financial benefit that Commerzbank London
derived directly from its breach.
6.4.
Step 1 is therefore £0.
Step 2: the seriousness of the breach
6.5.
Pursuant to DEPP 6.5A.2G, at Step 2 the Authority determines a figure that
reflects the seriousness of the breach. Where the amount of revenue generated
by a firm from a particular product line or business area is indicative of the harm
or potential harm that its breach may cause, that figure will be based on a
percentage of the firm’s revenue from the relevant products or business area.
6.6.
The Authority considers that the revenue generated by Commerzbank London is
indicative of the harm or potential harm caused by its breach. The Authority has
therefore determined a figure based on a percentage of Commerzbank London’s
relevant revenue. Commerzbank London’s relevant revenue is the revenue
derived by Commerzbank London from its clients during the Relevant Period. The
Authority considers Commerzbank London’s relevant revenue for this period to be
£1,091,067,000.
6.7.
In deciding on the percentage of the relevant revenue that forms the basis of the
Step 2 figure, the Authority considers the seriousness of the breach and chooses
a percentage between 0% and 20%. This range is divided into 5 fixed levels
which represent, on a sliding scale, the seriousness of the breach; the more
serious the breach, the higher the level. For penalties imposed on firms there are
the following 5 levels:
6.7.1.
Level 1 – 0%
6.7.2.
Level 2 – 5%
6.7.3.
Level 3 – 10%
6.7.4.
Level 4 – 15%
6.7.5.
Level 5 – 20%
6.8.
In assessing the seriousness level, the Authority takes into account various factors
which reflect the impact and nature of the breach, and whether it was committed
deliberately or recklessly. DEPP 6.5A.2G(11) lists factors likely to be considered
‘level 4 or 5 factors’. Of these, the Authority considers the following factors to be
relevant:
6.8.1.
“the breach revealed serious or systemic weaknesses in the firm’s
procedures or in the management systems or internal controls relating to
all or part of the firm’s business”; and
6.8.2.
“the breach created a significant risk that financial crime would be
facilitated, occasioned or otherwise occur.”
6.9.
DEPP 6.5A.2G(12) lists factors likely to be considered ‘level 1, 2 or 3 factors’. Of
these, the Authority considers the following factors to be relevant:
6.9.1.
“there was no or little risk of loss to consumers, investors or other market
users individually and in general”.
6.10.
Taking these factors into account, the Authority considers the seriousness of the
breach to be level 4 and so the Step 2 figure is 15% of £1,091,067,000.
6.11.
Step 2 is therefore £163,660,050.
6.12.
Pursuant to DEPP 6.5.3(3)G, the Authority may decrease the level of penalty
arrived at after applying Step 2 of the framework if it considers that the penalty
is disproportionately high for the breaches concerned. Notwithstanding the serious
and long-running nature of the breaches, the Authority considers that the level of
penalty would nonetheless be disproportionate if it were not reduced, meaning it
should be adjusted.
6.13.
To achieve a penalty that (at Step 2) is proportionate to the breach, and having
taken into account previous cases, the Step 2 figure is reduced to £45,006,513.
Step 3: mitigating and aggravating factors
6.14.
Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
6.15.
The Authority considers that the following factors aggravate the breach:
6.15.1. The Authority visited Commerzbank London in October 2012 as part of a
thematic review of the firm’s trade finance and sanctions controls. A
feedback letter sent to Commerzbank London on 20 December 2012
highlighted weaknesses relating to risk rating, due diligence and
transaction monitoring in Commerzbank London’s trade finance business.
The Authority also visited Commerzbank London in April 2015 and
subsequently in January 2017, and following each visit informed
Commerzbank London of its concerns about aspects of its AML control
framework and financial crime governance;
6.15.2. Action taken by the US authorities against Commerzbank during the
Relevant Period highlighted, among other things, that Commerzbank had
failed to maintain sufficient controls, policies and procedures to ensure
compliance with AML laws and requirements; and
6.15.3. The Authority has published guidance on the steps firms can take to
reduce financial crime risk and provided examples of good and bad
practice since 2011. Since 1990, the JMLSG has published detailed
written guidance on AML controls. During the Relevant Period, the JMLSG
provided guidance on compliance with the legal requirements of the ML
Regulations, regulatory requirements in the Handbook and evolving
practice in the financial services industry. Before, or during the Relevant
Period, the Authority published the following guidance relating to AML
controls, which set out examples to assist firms:
6.15.3.1.
In March 2008, the Authority published a report titled “Review
of firms’ implementation of a risk-based approach to anti-money
laundering”. The report notes, among other things, that a firm must
take steps to ensure that its knowledge about a business relationship
with a customer remains current, and keep documents, data and
information obtained in the CDD context up to date;
6.15.3.2.
In June 2011, the Authority published a report titled “Banks’
management of high money-laundering risk situations: How banks
deal with high-risk customers (including politically exposed persons),
correspondent banking relationships and wire transfers”. The report
highlighted the importance of banks applying meaningful EDD
measures in higher risk situations and noted the importance of
carrying out enhanced monitoring with high-risk customers throughout
a relationship; and
6.15.3.3.
In December 2011, the Authority published “Financial Crime:
A Guide for Firms”. The guide highlights the need to conduct adequate
CDD checks, perform ongoing monitoring and carry out EDD measures
and enhanced ongoing monitoring when handling higher risk
situations.
6.15.4. The Authority has published a number of Notices against firms for AML
weaknesses both before and during the Relevant Period, including in
respect of Alpari Limited on 5 May 2010, Coutts & Company on 23 March
2012, Habib Bank AG Zurich on 4 May 2012, Turkish Bank (UK) Limited
PLC on 22 January 2014, Barclays Bank PLC on 25 November 2015 and
Deutsche Bank AG on 30 January 2017. These actions stressed to the
industry the Authority’s view of firms with AML deficiencies, and
Commerzbank London was accordingly aware of the importance of
implementing and maintaining robust AML systems and controls.
6.16.
Consequently, Commerzbank London was aware, or ought to have been aware,
of the importance of putting in place and maintaining effective procedures to
detect and prevent money laundering.
6.17.
The Authority considers that the following factors mitigate the breach:
6.17.1. Commerzbank London initiated the London Remediation Programme in
March 2017, which consolidated existing remediation work and
remediation work identified by the Authority into 1 change programme
relating to Commerzbank London’s financial crime controls; and
6.17.2. Commerzbank London voluntarily undertook to the Authority to put in
place the Business Restriction, implementing significant business
restrictions in respect of high-risk customers and trade finance. This was
agreed to remain in place until such time as the Authority agreed in
writing that certain, or all, of the restrictions may be modified or lifted,
having regard to the progress of the London Remediation Programme.
The London Remediation Programme is ongoing, and the Business
Restriction remains in place.
6.18.
Having taken into account these aggravating and mitigating factors, the Authority
considers that the Step 2 figure should be increased by 20%.
6.19.
Step 3 is therefore £54,007,816.
Step 4: adjustment for deterrence
6.20.
Pursuant to DEPP 6.5A.4G, if the Authority considers the figure arrived at after
Step 3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.21.
The Authority considers that the Step 3 figure of £54,007,816 represents a
sufficient deterrent to Commerzbank London and others, and so has not increased
the penalty at Step 4.
6.22.
Step 4 is therefore £54,007,816.
Step 5: settlement discount
6.23.
Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to
be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have
been payable will be reduced to reflect the stage at which the Authority and the
firm reached agreement.
6.24.
The Authority and Commerzbank London reached agreement at Stage 1 and so a
30% discount applies to the Step 4 figure.
6.25.
Step 5 is therefore £37,805,400.
6.26.
The Authority therefore hereby imposes a total financial penalty of the Step 5
figure on Commerzbank London for breaching Principle 3.
7.
PROCEDURAL MATTERS
7.1.
This Notice is given to Commerzbank London under section 390 of the Act.
Decision maker
7.2.
The decision which gave rise to the obligation to give this Notice was made by the
Settlement Decision Makers.
Manner and time for payment
7.3.
The financial penalty must be paid in full by Commerzbank London to the Authority
no later than 1 July 2020.
If the financial penalty is not paid
7.4.
If all or any of the financial penalty is outstanding on 1 July 2020, the Authority
may recover the outstanding amount as a debt owed by Commerzbank London
and due to the Authority.
Publicity
7.5.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this Notice relates. Under those provisions,
the Authority must publish such information about the matter to which this Notice
relates as the Authority considers appropriate. The information may be published
in such manner as the Authority considers appropriate. However, the Authority
may not publish information if such publication would, in the opinion of the
Authority, be unfair to Commerzbank London or prejudicial to the interests of
consumers or detrimental to the stability of the UK financial system.
Authority contacts
7.6.
For more information concerning this matter generally, contact Nick Larkman at
the Authority (direct line: 020 7066 6964 / email: nick.larkman@fca.org.uk).
Financial Conduct Authority, Enforcement and Market Oversight Division
ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
RELEVANT STATUTORY PROVISIONS
1.1.
Pursuant to sections 1B and 1D of the Act, one of the Authority’s operational
objectives is protecting and enhancing the integrity of the UK financial system.
1.2.
Section 206(1) of the Act provides:
“If the Authority considers that an authorised person has contravened a
requirement imposed on him by or under this Act… it may impose on him a penalty,
in respect of the contravention, of such amount as it considers appropriate.”
2.
RELEVANT REGULATORY PROVISIONS
Principles for Businesses
2.1.
The Principles are a general statement of the fundamental obligations of firms
under the regulatory system and are set out in the Authority’s Handbook. They
derive their authority from the Authority’s rule-making powers set out in the Act.
The relevant Principles are as follows.
2.2.
Principle 3 provides:
“A firm must take reasonable care to organise and control its affairs responsibly
and effectively, with adequate risk management systems.”
Senior Management Arrangements, Systems and Controls (“SYSC”)
2.3.
SYSC 6.1.1R provides:
“A firm must establish, implement and maintain adequate policies and procedures
sufficient to ensure compliance of the firm including its managers, employees and
appointed representatives (or where applicable, tied agents) with its obligations
under the regulatory system and for countering the risk that the firm might be used
to further financial crime.”
2.4.
SYSC 6.3.1R provides:
“A firm must ensure the policies and procedures established under SYSC 6.1.1R
include systems and controls that:
(1)
enable it to identify, assess, monitor and manage money laundering risk;
and
(2)
are comprehensive and proportionate to the nature, scale and complexity of
its activities.”
2.5.
SYSC 6.3.3R provides:
“A firm must carry out a regular assessment of the adequacy of these systems and
controls to ensure that they comply with SYSC 6.3.1R.”
DEPP
2.6.
Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition and amount of
financial penalties under the Act.
The Enforcement Guide
2.7.
The Enforcement Guide sets out the Authority’s approach to exercising its main
enforcement powers under the Act.
2.8.
Chapter 7 of the Enforcement Guide sets out the Authority’s approach to exercising
its power to impose a financial penalty.