Failings in AML controls
The headlines regarding the action against Deutsche Bank for AML failings focused on a failure to properly monitor account activity of Jeffrey Epstein. However, the bulk of the New York State Department of Financial Services (DFS) case related to AML compliance failures in correspondent banking relationships with Danske Bank Estonia (Danske Estonia) and FBME Bank (FBME).
A correspondent banking relationship is the provision of banking-related services by one bank (correspondent), usually as agent, to another bank (respondent) to enable the respondent to provide its own customers with cross-border products and services that it cannot provide them with itself, e.g. executing/processing payments, cash management and providing customers of the respondent with direct access to accounts with the correspondent (and vice versa).
As the correspondent often has no direct relationship with the underlying parties to a transaction and is therefore not in a position to verify their identities, nor the nature or purpose of the underlying transactions, these relationships have always been recognised as giving rise to increased AML risk for the correspondent. However, it was not until the Fourth Money Laundering Directive that the correspondent was required by express regulation to take particular due diligence measures where the respondent is outside the EEA.
Deutsche Bank had correspondent banking relationships with various foreign banks, including in high-risk jurisdictions or where customers operated in high-risk industries. DFS concluded that Deutsche Bank failed to adequately monitor and manage those relationships, including, in particular, with FBME and Danske.
Deutsche Bank was aware of potential issues with FBME’s compliance regime from as early as May 2005 when an internal memo indicated concerns with its AML compliance.
In November 2005, Deutsche Bank assigned FBME a Risk Assessment Customer (RAC) score of eight (out of 10), thereby designating it as a high-risk client. From 2008, the Bank identified a total of 826 suspicious transactions that referenced FBME. In communications with Deutsche Bank, FBME sometimes refused to disclose in writing the ultimate beneficial owners of its own corporate clients, explaining that such information could not be shared without violating local law.
Despite this lack of transparency, Deutsche Bank continued its banking relationship with FBME. After Deutsche Bank decided to close the FBME relationship in July 2014, the U.S. Government determined that the ultimate beneficial owner was, in one case, a Russian businessman who was affiliated with a Syrian research facility responsible for developing and producing non-conventional weapons. This was apparently not an isolated incident.
DFS concluded that the high-risk nature of the FBME relationship, the red flags, numerous suspicious transactions, and overt lack of transparency exhibited by FBME should have prompted Deutsche Bank to exit the relationship.
The relationship between Deutsche Bank and Danske Estonia began on October 1, 2007 when Danske Estonia was assigned a RAC Score of eight due to Danske Estonia’s high-risk jurisdiction, the volume of AML alerts and cases involving Danske Estonia’s customers, and the high-risk market segments serviced by Danske Estonia.
Throughout the relationship, Deutsche Bank was aware of issues at Danske Estonia concerning its non-resident customer accounts, specifically those “with a Russian or Latvian (indirectly Russia[n]) connection.” In September 2010, Deutsche Bank increased Danske Estonia’s RAC score to 10, the maximum on the Bank’s risk scale, after it continued to see insufficient improvements from Danske Estonia regarding its non-resident customer portfolio. In November 2013 and September 2014, compliance memos indicated that the account should be closed. However, the Bank maintained its relationship with Danske Estonia until October 2015.
During the eight-year period between 2007 and 2015, Deutsche Bank cleared more than $267 billion in 1,638,844 transactions for Danske Estonia. Out of this total, Danske transferred at least $150 billion in payments from Russia and other former Soviet states through Deutsche Bank. During that period, Deutsche Bank identified a total of 340 suspicious transactions that referenced Danske Estonia’s U.S. dollar correspondent accounts.
DFS considered that the high number of suspicious transactions, the history of high RAC scores, and various dialogues that the Bank had with its client concerning AML policies and controls, put Deutsche Bank on notice that there were issues that required timely further action.
The DFS found, inter alia, that:
- the Bank failed to maintain policies that set out sufficiently specific criteria, such as patterns of high RAC scores or high suspicious activity volumes, which would trigger termination of a correspondent banking relationship or where lesser risk-mitigation measures would be appropriate; and
- the Bank failed to consistently maintain policies that provided practical guidance to facilitate compliance, such as procedures for determining whether other foreign banks use the respondent’s correspondent account, or explanations of how employees could verify the identities of respondents’ beneficial owners.
This case confirms factors which are already recognised in the industry as high risk in correspondent banking, such as where respondents:
- deal or trade on behalf of undisclosed customers;
- are offshore banks that are conducting business with non-residents or in non-local currency, and are not subject to robust supervision of their AML/CTF controls; or
- are domiciled in jurisdictions with weak regulatory/AML/CTF controls or other significant reputational risk factors, e.g. corruption.
DFS’ key finding was that Deutsche Bank ignored some obvious red flags in continuing these correspondent relationships. Further, while a correspondent will continue to place primary reliance on the respondent’s AML/CTF controls, the case more specifically serves as a reminder of the need for firms:
- to review their risk-based approach for making their own enquiries of the identities of respondents’ customers where appropriate; and
- to determine how, in practice, they would reach a threshold for terminating a correspondent banking relationship.
Risk-based due diligence and monitoring – a reminder
Risk-based due diligence on a respondent must be undertaken (and periodically reviewed and updated), and will be a function of a range of risk factors set out, in particular, in the ML Regulations and Part 2 of the JMLSG, e.g. the respondent’s domicile, regulatory status, ownership and management structures, and the type of business and customer base.
While enhanced due diligence must be applied to non-EEA respondents, other factors may indicate lower risk including, inter alia, that the relationship is principal to principal, or limited to a SWIFT RMA plus capability which does not constitute a payment account relationship.
Likewise, the level of ongoing monitoring activity undertaken by a correspondent on its respondent’s activity will be commensurate with the risks determined to be posed by the respondent.
A correspondent must train staff on how correspondent banking transactions may be used for money laundering and terrorist financing, and in the firm’s procedures for managing this risk. Governance should also be adapted: in particular, firms should provide “senior management” approving correspondent relationships with appropriate training to provide them with sufficient knowledge of the firm’s money laundering and terrorist financing risk exposure.
First published on Thomson Reuters Regulatory Intelligence on 4 August 2