You may have missed this while watching the coup attempt, but Deutsche Bank settled FCPA charges last week with $130 million in penalties and disgorgement, a three-year deferred-prosecution deal, and lessons a-plenty about the perils of leaving internal control duties with operations executives in the First Line of Defense.
The settlement was announced Friday afternoon. Deutsche Bank agreed to pay $87 million to the Justice Department in criminal penalties, disgorgement, and other costs; plus another $43.3 million in disgorgement and interest to the Securities & Exchange Commission. (The Justice Department settlement included resolution of a second, unrelated case of commodities trading fraud, which we won’t address here.)
Deutsche Bank’s misconduct is broadly similar to so many other FCPA cases we’ve reviewed before. As described in the criminal information from the Justice Department and the cease-and-desist order from the SEC, executives ignored anti-corruption policies and controls while conducting business in China, Saudi Arabia, and Italy from 2009 into 2016.
Overseas agents were, as usual, the star of the show. Deutsche Bank called its agents “business development consultants” (BDCs), and employed hundreds of them during the seven years in question. Those BDCs routinely had close ties to foreign government officials, and lax internal accounting controls allowed the BDCs to be conduits for bribes.
For example, in 2010 Deutsche Bank was bidding to win an investment deal with Abu Dhabi’s sovereign wealth fund. A local agent in Abu Dhabi, identified as “Consultant B” in the SEC order, approached Deutsche Bank and said he wanted to help facilitate that investment deal. Key detail: Consultant B was related to the Abu Dhabi government official deciding whether Deutsche Bank would win said investment deal.
The SEC order also says that Consultant B made clear that his brother would be involved in the consulting work; the Justice Department settlement identifies the brother as a business partner of the Abu Dhabi government official. So clearly, using Consultant B was a sky-high corruption risk.
Still, a risk review committee of senior Deutsche Bank executives allowed the engagement with Consultant B to proceed — even though they knew Consultant B was related to the Abu Dhabi official, and that Consultant B had no known qualifications to facilitate an investment deal.
Deutsche Bank won the investment deal shortly after hiring Consultant B. The bank subsequently paid Consultant B roughly $3.5 million, without any invoices or documentation outlining exactly what Consultant B did. Then again, Consultant B’s contract only called for him to provide “generic advice and introductions.” So how detailed can those invoices be, really?
Anti-Corruption Policy Gone Wrong
What’s striking about this case was that on paper, Deutsche had strong policies for anti-corruption and its use of BDCs. As far back as 2008 (that is, before the relevant misconduct occurred), the bank had an anti-bribery policy that defined bribery expansively (“anything of value”) and included a clause against using BDCs to obtain confidential business information improperly. The anti-bribery policy also required pre-contract due diligence on all BDCs, clear documentation of services to be rendered, and payments in proportion to value of services rendered.
Moreover, the policy on using BDCs specifically said due diligence should determine whether the BDC was related to any foreign government official. Any such agent was then flagged as a politically exposed person, and Deutsche Bank could only engage with that BDC after approval by senior management and assurances from the compliance team that all conflicts of interest were identified and addressed.
Again — on paper, the policies all looked great. So what went wrong?
The damning paragraph seems to be this one from the SEC settlement order:
While the BDC Policy required that regional and divisional management approve and oversee the use of BDCs, in practice, the implementation and oversight of the policy fell to the BDC’s “business sponsor.” Business sponsors were responsible for generating business for Deutsche Bank and were compensated, in part, based on the revenue earned by Deutsche Bank. The business sponsors recommended the engagement of the identified BDC, determined whether payments to the BDCs complied with both the terms of the BDC contract and the bank’s policies, and maintained records concerning the services provided by the BDC, including invoices.
In other words, Deutsche Bank drafted an anti-corruption program that looked great — and then left responsibility for that program with executives in the First Line of Defense, who had financial incentives to ignore it.
Effective Internal Control = Empowered Compliance
Evidence for that statement comes in the form of two internal audits of the anti-corruption program. The first audit came in 2009, and flagged insufficient oversight of BDCs. That report recommended “centralized and thoroughly documented due diligence,” and that all contracts with BDCs include a right-to-audit clause. The audit went all the way to senior executives and the management board of Deutsche Bank, but “only limited steps were taken in response,” according to the SEC complaint.
The 2011 audit was even more precise in its findings: “failure by business sponsors to appropriately assess, document, and mitigate corruption risks and conflicts of interests; and failure to document the proportionality and justification for certain BDC payments.” Those were exactly the issues that tripped up Deutsche Bank in its dealings with Abu Dhabi. This audit also went to Deutsche Bank senior management, “and again, only limited steps were taken in response.”
My point is that when we talk about internal controls “reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts” — we should consider how much independent execution of controls figures into that concept.
The design flaw in Deutsche Bank’s anti-bribery program wasn’t that its policies were poorly drafted; they seemed fine. The flaw was that senior executives allowed business managers in the First Line of Defense to execute due diligence and oversight, which meant those managers had the ability to ignore those duties. Which they did, with gusto.
The wiser approach is to keep oversight of third-party agents — the due diligence, the contracting, the invoice collection, and so forth — away from those managers in the First Line who would work with the agents on a daily basis.
Internal control enthusiasts often talk about segregation of duties, but usually we associate that phrase with tasks done at the small scale: an accounting employee who approves new vendors cannot also be one who authorizes payments to vendors, for example.
Segregation of duties must also exist at a larger enterprise scale, too: one team works with third-party agents, the other oversees them.
Indeed, one compliance program improvement Deutsche Bank eventually made was to give the anti-bribery compliance function approval power over any new BDC arrangements. (Plus reducing the number of BDCs overall, plus an annual review of BDCs from here forward, plus enhanced due diligence and training.) So Deutsche Bank did, in the end, build a more robust compliance program by giving the compliance function the independence and authority it needed in the first place.
If only more companies would do that from the start.