FCA Applies Penalty Formulas, Including Thirty Percent Reduction for Early Agreement by Bank
U.K. Enforcement System Provides Contrast to More Open-Ended U.S. System
On June 17, 2020, the Financial Conduct Authority (“FCA”), the non-governmental financial regulator in the United Kingdom, issued a Final Notice to Commerzbank London (the “Bank”), a branch of the large German business bank, assessing it £37.8 million for systemic failures to establish and effectively maintain an anti-money laundering (“AML”) program.
This was not the first large assessment for Commerzbank relating to AML. In 2015, Commerzbank AG and its U.S. affiliate entered into a deferred prosecution agreement with the U.S. Department of Justice to forfeit $563 million and pay a $79 million fine for violations of the International Emergency Economic Powers Act and the Bank Secrecy Act (“BSA”). The FCA noted this fact as an aggravating factor in determining the financial penalty for the Bank.
Despite the egregious nature of the alleged violations, the FCA still provided a 30% discount pursuant to its executive settlement procedures in light of the Bank’s agreement to resolve the matter at an early stage. Without the discount, the financial penalty would have been £54,007,800.
The Final Notice underscores the relatively formulaic penalty regime of the FCA, which presumably provides the value of (some) predictability for industry. It also provides an interesting foil to U.S. enforcement regarding AML violations and the resulting penalties. The Financial Crimes Enforcement Network, or FinCEN, has no formal and mechanistic system for adjusting financial penalties for AML violations. The closest U.S. counterpart appears to be general U.S. Department of Justice (“DOJ”) guidance regarding the prosecution of corporations, and the factors set forth by the Federal Sentencing Guidelines regarding the sentencing of convicted corporate defendants.
The Alleged Deficiencies and the FCA’s Calculation of the Penalty
The 50-page Final Notice details ongoing deficiencies at the Bank from October 2013 to September 2017. Key allegations by the FCA include:
- The Bank failed to adequately staff compliance teams, leading to a “significant backlog of existing clients being subject to timely refreshed know-your-client (‘KYC’) checks.” In 2016, the relevant staff consisted of “just 3 full-time employees.” In October 2016, 1,730 new clients joined a “huge backlog” that reached 2,226 existing clients who were overdue for refreshed checks by February 2017. In 2018, staffing was increased to 42 employees.
- The Bank instituted an “exceptions process” allowing existing clients to transact with the Bank despite the lack of an updated KYC process, which “became, as of the end of 2016, out of control, with both senior branch management and Compliance lacking understanding and adequate awareness of the process.” As an example, one “high-risk client” was nearly five years overdue for a KYC check, during which time the client engaged in 16 transactions generating the Bank £273,799 in revenue.
- The Bank failed to address longstanding deficiencies with an automated tool for monitoring money laundering risks.
The Final Notice states the failings were particularly serious because the issues continued even after visits from the FCA to the Bank in 2012, 2015, and 2017, “during which the [FCA] identified weaknesses [the Bank] was to address. They also occurred against a backdrop of heightened awareness within [the Bank] of weaknesses in its global financial crime controls following action taken by US regulators in 2015[.]”
The Final Notice details the “5-step framework to determine the appropriate level of financial penalty.”
First, the FCA determines whether there was a “financial benefit derived directly from the breach where it is practicable to identify this.” Where applicable, the benefit would be disgorged. In this case, despite detailing revenues generated by transactions for clients without timely KYC, the FCA did not “identify any financial benefit . . . derived directly” from the Bank’s breach.
Second, the FCA considers the seriousness of the breach. The FCA advises the “amount of revenue generated by a firm from a particular product line or business area is indicative of the harm or potential harm that its breach may cause” based on “a percentage of the firm’s revenue from the relevant products or business area.” Applying a risk level assessment, the FCA determined the seriousness of the Bank’s violation equaled the second highest category, or 15%. The amount therefore equaled £163,660,050. However, the FCA found the penalty at this level would be “disproportionately high” and reduced the figure to £45,006,513.
Third, and critically, the FCA analyzes aggravating and mitigating factors to either increase or decrease the financial penalty. The FCA noted as aggravating factors the fact that the FCA visited and discussed the weaknesses of the AML program with the Bank. Further, the FCA recognized that the U.S. authorities had taken action against Commerzbank during the relevant time and highlighted that Commerzbank “had failed to maintain sufficient controls, policies, and procedures to ensure compliance with AML laws and requirements.” The FCA also noted several publications it had produced during the relevant time period that would have made the Bank aware of the importance of having “effective procedures to detect and prevent money laundering.”
However, the FCA also recognized that the Bank had initiated a “London Remediation Programme” in March 2017 and “voluntarily undertook . . . to put in place . . . significant business restrictions with respect to high-risk customers and trade finance.” The restrictions will remain in place until the FCA agrees they can be modified. The aggravating factors outweighed the mitigating factors and resulted in a 20% increase. The FCA increased the penalty to £54,007,816.
Fourth, the FCA determines whether the figure should be increased again to ensure deterrence. Here, the penalty was deemed sufficient.
Fifth, the FCA reduced the penalty to reflect the stage at which the firm and agency reach an agreement. Because the Bank settled the issues at Stage 1, it received a substantial 30% discount, reducing the penalty to £37,805,400.
The FCA Penalty Regime Compared to U.S. Corporate Enforcement
By illustrating the formulaic approach which the FCA applies to its enforcement actions, the Final Notice provides an interesting contrast to the U.S. system.
Neither FinCEN nor any other U.S. regulator of financial institutions has a similar system in place for assessing the penalties for AML violations. The DOJ does have an established set of general principles for corporate enforcement regarding any and all potential violations, but the policy is still very flexible and open-ended, and is not mechanistic, for better or for worse. Specifically, in April 2019 the DOJ released updated guidance to DOJ prosecutors for “making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense,” as well as at the time of the charging decision, “for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).” This detailed 20-page DOJ guidance, entitled “Evaluation of Corporate Compliance Programs,” focuses on three “fundamental questions”:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
- “Does the corporation’s compliance program work” in practice?
The DOJ guidance then breaks down the analysis of these three questions into numerous, more granular issues to be assessed, an approach which mirrors aspects of the FCA’s formula. Perhaps an even better analogy to the FCA’s system is the approach by the Federal Sentencing Guidelines to corporate defendants, which sets forth formulas for determining the recommended monetary penalty, depending upon numerical values assigned to various aggravating and mitigating factors.
A full discussion of the complex DOJ guidance and the Federal Sentencing Guidelines is beyond the scope of this blog post. The point here is that in the U.S. system, publicly-available formulas exist for calculating the penalties for convicted criminal corporate defendants, but not for calculating penalties in the civil or administrative sphere – and certainly not for AML violations. Of course, any seemingly “objective” system for calculating penalties always will be beholden to the subjective views of the individual enforcement staff implementing the system.