The Federal Reserve has slapped Deutsche Bank with a $186 million penalty for failing to fix problems in its anti-money laundering compliance program that were originally flagged in the mid-2010s and related to Deutsche Bank’s sketchy relationship with Danske Bank, a former haven for Russian oligarchs.
The Fed announced the enforcement action on Wednesday. In addition to the financial penalty, Deutsche Bank will also need to implement a bevy of improvements to its compliance program in coming months. For compliance officers specifically in banking, the case offers a glimpse into what regulators want to see for effective AML compliance programs. For everyone else, the case is a reminder that regulators will indeed give your company another kick in the rear if you don’t fulfill promises made in previous enforcement actions.
To understand what happened here, we first need to review the original enforcement actions against Deutsche Bank. The first came in 2015, when the Fed and New York state regulators hit Deutsche with $258 million in penalties for a weak sanctions compliance program that allowed Deutsche’s overseas branches not to fulfill reporting obligations to U.S. regulators. The second arrived in 2017, when the Fed fined Deutsche Bank another $41 million for AML deficiencies relating to its relationship with Danske Bank’s Estonia branch. That Estonia branch was responsible for laundering more than $200 billion for Russian oligarchs and corrupt government officials, which eventually led Danske Bank to pay $2.4 billion in a criminal settlement announced last year.
Deutsche Bank did end its relationship with Danske Estonia in 2018 — but the bank had also agreed to implement numerous reforms to its AML compliance program; and subsequent regulatory examinations by the Fed found that Deutsche Bank wasn’t making them.
“Although some progress has been made recently,” the Fed said in its settlement order, “the U.S. operations, contrary to the requirements of [previous settlement] orders, have remained exposed to heightened levels of compliance risk without sufficient internal controls, including the risk of failing to detect money laundering activity or U.S. sanctions violations.”
So here we are.
What Comes Next for Deutsche
The Fed did give Deutsche some faint praise for recent remediation work — “Deutsche Bank has, recently, been prioritizing several critical elements” of the previous settlement orders, it said — but then warned that if Deutsche doesn’t accelerate the pace of remediation, the Fed might impose even more penalties and corrective actions again.
In other words, across a range of compliance program elements, from data analysis to customer due diligence to transaction monitoring, Deutsche Bank needs to make those improvements a priority, or beatings will continue.
Specifically, Deutsche Bank needs to work on:
- Data quality. The Fed wants to see improvements in the systems and data that Deutsche Bank uses for AML compliance and suspicious activity reporting, and wants effective interim controls in place until Deutsche implements permanent improvements.
- Customer due diligence program. The bank needs to finish implementing a customer due diligence program as originally outlined in the 2017 enforcement action, especially for medium- and high-risk clients in Deutsche Bank’s higher-risk business lines.
- Transaction monitoring. Deutsche Bank needs to implement a framework for transaction monitoring (also required in the 2017 order), which needs to address AML risk identification, alerting thresholds tailored to the risks of various lines of business, and investigation protocols to identify and report suspicious activity effectively.
Deutsche Bank will also need to complete a review of its sanctions compliance program, performed by an independent consultant, and then incorporate those findings into the bank’s compliance program. (Originally required in the 2015 settlement order.)
And just for good measure, today’s settlement with the Fed directs the boards of Deutsche Bank and its various subsidiaries to “take steps to ensure the allocation of adequate financial, staffing, and managerial resources to fully comply with this order.” Or else what? The Fed doesn’t expressly say, but my guess would be even more penalties and corrective actions.
The Fierce Urgency of Now
Obviously the larger lesson here is that boards and management teams cannot let known compliance issues linger. If you do, eventually regulators will catch up with you again and impose even more cost. That’s especially true in banking and other financial services firms, where regulatory examiners show up annually to see how your compliance program is performing. They’re going to notice when you drag your feet on previously flagged issues.
Let’s also remember that more cost is literally the only outcome here. The Fed imposed $186 million in penalties and then basically told Deutsche Bank to finish up all the corrective actions it was supposed to have already completed in the first place. However much money those corrective actions were going to cost Deutsche Bank, they weren’t going to cost $186 million.
Maybe Deutsche Bank leaders figured that slow-rolling compliance program improvements would let them earn more money, enough to make this week’s $186 million penalty worth the gamble? Then again, Deutsche Bank’s financial performance has done relatively well, from €1 billion in pretax profit in 2020 to €5.45 billion in 2022. Total assets and return on equity are up too.
I’d be more willing to bet that the real issue here is simply poor execution. Implementing change at large corporations is neither easy nor swift, and we did have a global pandemic screw up business plans for a few years. Unless you have a board and management team that places a high priority on getting compliance right, at best you end up with compliance that’s so-so. And then you end up with a compliance no-no.
So here we are.