Lessons on Policies & Procedures

A subsidiary of Deutsche Bank is serving up a double feature of compliance gone wrong this week, paying $25 million to settle charges with the Securities and Exchange Commission that the firm both made misleading disclosures about ESG investments and allowed an ineffective anti-money laundering program to linger for years. 

The SEC announced the settlement with DWS Investment Management Americas on Tuesday, and both parts of the settlement are worth a compliance officer’s time. First, we’ve rarely seen an SEC enforcement action over misleading statements about ESG efforts, although this DWS action probably won’t be the last. Second, everyone knows that financial firms are supposed to have an effective AML program, but this case gives an unusually detailed look at what constituted an ineffective program at DWS. 

Let’s start with the ineffective AML program since that’s the more common problem for financial firms. 

Since DWS operates as a mutual fund, it must comply with the rather plainly named FinCEN AML Mutual Fund Program Rule. The rule requires mutual fund businesses to establish an AML program (you probably figured that out already), but it does not mandate a uniform structure for those programs. Each firm can fashion its own AML policies and procedures based on its own risk factors. The FinCEN rule only requires that (1) the program be in writing; (2) the program is approved by the mutual fund’s board of directors; and (3) meet certain specific minimum requirements

Simply put, DWS had a lot of discretion to design its AML program as management deemed best. So what went wrong? 

Inconsistency in Policies

As described in the SEC settlement order about the AML failures, one issue was that from 2017 to 2021, the board of the DWS mutual funds did annually review and approve the AML program — but that program was one designed for all Deutsche Bank U.S. operations; it did not address specific compliance requirements for the mutual fund business.

Another failure was DWS’ transaction monitoring system. That system generated automated transaction monitoring alerts based on scenario-based rules, and the system was supposed to be tested (“tuned,” as the settlement order described it) from time to time. Except, the AML program’s policies and procedures were unclear on how often that tuning should happen. Some documents said tuning must happen annually; others said every one to three years. In any event, DWS management only tuned the system every five years or so.

This inconsistency had consequences. After the system was tuned in 2015, roughly 90 percent of all suspicious activity alerts were closed automatically. While samples of those automatically closed alerts were subject to periodic review, no review occurred from March 2017 through September 2018, and the remaining alerts were never reviewed by AML personnel. 

By December 2020, the monitoring system had been tuned again (several years late) and reprogrammed so that alerts were no longer automatically closed without review. After the tuning update, the number of alerts that needed a review each month by AML personnel tripled (even while the total number of alerts held constant). 

Why am I going into so much detail here? To show how the SEC thinks about “reasonably designed” policies and procedures. The DWS case gives us a sense of how that idea might go wrong at an actual company. We have generic policies not tailored to a company’s specific risks; inconsistent policies from one document to the next; procedures not executed in a timely manner; and those erratic procedures leading to a significant change of compliance risk once the error is corrected (that jump in alerts needing personnel review once the monitoring system was tuned). 

The question compliance officers should ponder is what measures would prevent the policy and procedure issues flagged above. For example, how do you build a policy management system to assure consistent language in all instances? What management review process could you implement to confirm that systems are tuned at proper times? Does the board verify that, yes, the policies and procedures it’s being asked to approve are specifically designed for your company? 

The ESG Disclosure Enforcement

The ESG violation is a different sort of policy failure. Namely, when you have a pretty policy that demonstrates to external parties how socially conscious your company is, how do you assure that employees on the inside actually follow it? 

In DWS’s case, the firm published an “ESG Integration Policy” in 2018 which declared that the firm’s investment managers applied ESG screening “to all of our actively managed holdings… ESG factors into [our investment professionals’] investment process, analysis and decisions.” DWS paid for an industry trade magazine to publish a flattering interview with a senior DWS executive, who said ESG “is top of mind throughout our organization” and “has become part of everything that we do.” 

DWS even wrote up handbooks for its investment analysts, which required the analysts to document their ESG considerations. The firm gave all analysts access to a proprietary tool called the ESG Engine, which graded various companies (from A to F) on their ESG worthiness. 

 

Clearly that’s a lot of promises made and attention paid to ESG. But according to the SEC settlement order for this violation, DWS never followed through with policies and procedures to assure that all those promises were kept. 

For example, despite all the hoopla about the ESG Engine and the ESG Integration Policy and the marketing of ESG-conscious mutual funds, DWS didn’t have any formal, documented process to confirm whether investment managers actually used the ESG Engine’s ratings when they made investment decisions for those ESG mutual funds. DWS also lacked standards that supervisors could follow to monitor investment managers’ compliance with the ESG Integration Policy.

By 2020 senior DWS managers realized this was a problem, and by 2021 they had started introducing corrective measures. For example, the template research report investment analysts used was amended to include a mandatory ESG section, where analysts had to document their ESG analysis. DWS also updated its ESG Integration Policy to clarify which supervisors were responsible for implementing the policy and what they were supposed to evaluate.

Obviously the SEC’s point with this enforcement action is to send a message to investment funds, that when those funds promise to consider ESG criteria, they need to follow through on that. I suspect we’ll see more enforcement actions over “greenwashing” offenses in the future. 

That’s fine. Compliance professionals as a whole, however, can still learn some valuable lessons here about how to build accountability measures to enforce the policies and procedures you have. That’s the universal issue arising from this case. DWS made promises to customers and lacked the means to follow through on those promises internally. 

For example, DWS clarified its policies to put more emphasis on roles and responsibilities. It amended its template documents to make ESG analysis and documentation mandatory. Well, we talk about roles and responsibilities and “embedding compliance controls into the business process” all the time around here. That’s what those remediation actions were. 

So as niche as these DWS enforcement actions might look, they do have some universal lessons, because policy and procedure issues drive us all crazy.