Within the past year, federal law enforcement and regulatory agencies have repeatedly signaled that recidivist violations of law by corporate entities are likely to result in substantial penalties. Those signals include recidivism-specific policy statements, such as the Justice Department’s revision of its Corporate Enforcement Policy[1] to reflect its “more holistic approach to corporate recidivism”[2] and the Office of the Comptroller of the Currency’s (OCC’s) recent revisions of its Policies and Procedures Manual to address banks’ failure to correct persistent weaknesses.[3]
But those signals also include specific enforcement actions that carried substantial financial penalties, such as the Justice Department’s $315 million criminal penalty against ABB[4] and $206.7 million criminal penalty against Ericsson[5], and the Consumer Financial Protection Bureau/OCC $250 million enforcement actions against Bank of America for illegal activity in its consumer business.[6]
On July 13, in the most recent federal enforcement response to corporate recidivism, the Federal Reserve Board (Board) announced two enforcement actions directed at Deutsche Bank AG, its New York branch, and other Deutsche Bank U.S. affiliates.[7] One involved a consent order and a $186 million fine, based on unsafe and unsound practices and violations of the Board’s 2015 and 2017 consent orders with Deutsche Bank relating to sanctions compliance and anti-money laundering (AML) controls, including deficient AML internal controls and governance processes relating to Deutsche Bank’s prior relationship with the Estonian branch of Danske Bank.[8] The other involved a Written Agreement to address other general deficiencies relating to Deutsche Bank’s governance, risk management, and controls. This post will discuss both of these actions.
The Sanctions/AML Action
The Board’s Order to Cease and Desist and Order of Assessment of a Civil Money Penalty focused on three principal issues:
(1) Deutsche Bank’s consent to a 2015 Board order that (a) imposed a $58 million civil money penalty and (b) required Deutsche Bank, among other things, to adopt a global U.S. law compliance Program implementing enhanced procedures for compliance with U.S. sanctions requirements and engage an independent third party to conduct annual OFAC compliance reviews and risk-based sampling of U.S. dollar payments (Office of Foreign Assets Control (OFAC) Order);
(2) Deutsche Bank’s and Deutsche Bank-related entities’ consent to a 2017 Board order that (a) imposed a $41 million civil money penalty and (b) required Deutsche Bank and Deutsche Bank-related entities to address significant deficiencies in Deutsche Bank’s U.S. operations’ transaction monitoring capabilities and compliance with applicable AML laws, rules, and regulations, including the Bank Secrecy Act (AML Order); and
(3) The Board’s investigation of Deutsche Bank and Deutsche Bank Trust Company Americas (DBTCA) concerning their historical correspondent banking relationship with the Estonia branch of Danske Bank. According to the Board, “From 2007 until the end of the relationship in 2015, DBTCA cleared more than $267 billion in transactions for Danske Estonia, a significant portion of which involved high-risk non-resident customers of Danske Estonia.”[9]
The Board found that Deutsche Bank and its entities “had made insufficient progress in its remediation efforts pursuant to the OFAC and AML Orders, including with respect to compliance oversight, customer due diligence, transaction data, transaction monitoring and filtering, suspicious activity reporting, and facilitating independent third-party reviews.” In particular, it found that Deutsche Bank U.S. operations, “contrary to the requirements of the OFAC and AML Orders, have remained exposed to heightened levels of compliance risk without sufficient internal controls, including the risk of failing to detect money laundering activity or U.S. sanctions violations, particularly with respect to certain business lines within DB USA and the Branch that present higher than normal risk.”[10]
The Board also found that:
Deutsche Bank and DBTCA lacked adequate BSA/AML internal controls during their relationship with Danske Estonia. Due to these failures, Deutsche Bank and DBTCA failed to mitigate sufficiently the significant risk associated with the customer, despite consistently high customer risk ratings for Danske Estonia, high levels of suspicious activity reporting associated with Danske Estonia’s clients, and serious risk concerns about Danske Estonia expressed by senior Firm compliance personnel in 2013 and 2014 as a result of their continuing customer due diligence efforts.[11]
Based on the deficiencies and failures described above, the Board determined that Deutsche Bank and related entities “engaged in unsafe and unsound banking practices, and violations of the OFAC and AML Orders.” It acknowledged that “to address the deficiencies and manage the risks described above, Deutsche Bank has, recently, been prioritizing several critical elements of the OFAC and AML Orders as they affect certain business lines in the Firm posing higher sanctions and money laundering compliance risk, and must continue to prioritize and complete remediation for these business lines on a priority basis.”
At the same time, the Board warned that “the material failure to remediate the unsafe and unsound practices or violations described herein may require additional and escalated formal actions by the Board of Governors against the Firm, including additional penalties or additional affirmative corrective actions pursuant to section 8(b)(6) of the [Federal Deposit Insurance] Act (12 U.S.C. § 1818(b)(6)) or other applicable authorities.”[12]
In addition to the civil money penalty, the Board also directed that Deutsche Bank (1) prioritize the completion of certain provisions in the Board’s OFAC and AML Orders, with specific reference to improving systems and data supporting Deutsche Bank’s AML transaction monitoring and OFAC transaction filtering, (2) “complete implementation of a satisfactory customer due diligence program”; and (3) complete the implementation of an effective framework for transaction monitoring, with specific reference to certain higher-risk business lines. Finally, it required the boards of directors of Deutsche Bank and certain Deutsche Bank-related entities to “take steps to ensure the allocation of adequate financial, staffing, and managerial resources to fully comply with this Order, the OFAC Order, and the AML Order and in particular, to facilitate the Firm’s substantial completion by year end 2023 of key milestones included in the OFAC and AML action plans.”[13]
The Written Agreement
The written agreement between Deutsche Bank, various Deutsche Bank-related entities, and the Federal Reserve Bank of New York (New York Fed) addressed four key issues:
- At different points at least since 2012, New York Fed supervisors identified various deficiencies in governance, risk management, and internal controls across U.S. operations of Deutsche Bank and specified Deutsche Bank entities (“the Firm”). Although more recently the Firm had made some progress in remediating these deficiencies, particularly with respect to liquidity risk management, it “must continue to implement additional improvements”;
- Certain, but not all, of the deficiencies that the New York Fed identified relate to DWS USA, a Deutsche Bank intermediate holding company, and its subsidiaries, including certain services provided by Deutsche Bank USA and other Deutsche Bank entities to DWS USA and its subsidiaries;
- Additional financial and managerial support from Deutsche Bank is needed to remediate the weaknesses described above and ensure effective risk management and internal controls for its U.S. Operations, and Deutsche Bank has stated its commitment to provide this support; and
- The material failure to remediate the deficiencies described herein “may require additional and escalated formal actions by the Board of Governors against the Firm, including a cease-and-desist order, monetary penalties or additional affirmative corrective actions.”[14]
The agreement further required that within 60 days of the effective date of the agreement, the Firm (1) submit a written plan acceptable to the New York Fed to improve the Firm’s model risk management (“MRM”) governance and control practices across its U.S. operations; (2) submit an acceptable written plan for completion of the enhancement of its liquidity risk management function of its U.S. operations; (3) submit a written plan acceptable to the New York Fed to ensure compliance with the Board’s regulatory reporting requirements; and (4) submit to the New York Fed quarterly written progress reports, in a form and manner acceptable to the New York Fed, “detailing the form and manner of all actions taken to secure compliance with the provisions of this Agreement and the results thereof.”[15]
Observations
These enforcement actions by the Board provide further confirmation that “recidivism” has become the new shibboleth for civil and criminal enforcement agencies, including with regard to the financial sector. But they also contain two key lessons for senior bank leadership, including Chief Compliance Officers, Chief Executive Officers, and boards.
First, whenever financial institutions, however large or small, agree to compliance orders with bank regulators, they must promptly craft and execute on action plans to remediate the relevant compliance failures and inadequacies identified in those compliance orders. As a general matter, federal bank regulatory agencies appear to have lost patience with global systemically important banks that have the financial resources, but fail to demonstrate the resolve among their senior leadership, to remediate their compliance failures in a timely manner.
Second, banks’ boards of directors must provide management with the necessary financial, human, and technological resources and authority necessary for timely completion of those action plans. As the Board first demonstrated with regard to Wells Fargo in 2018, and hinted at in the Deutsche Bank order, it is prepared not only to impose substantial financial penalties for extensive and clearly identified compliance failures that persist, but to hold bank boards directly accountable through measures such as restrictions on future growth and even removal of board members who fail to meet supervisory expectations.[16]
Footnotes
[1] See U.S. Department of Justice, 9-47.120 – Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (updated January 2023), https://www.justice.gov/criminal-fraud/file/1562831/download.
[2] See U.S. Department of Justice, Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement, September 15, 2022, https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement; U.S. Department of Justice, Assistant Attorney General Kenneth A. Polite, Jr. Delivers Remarks on Revisions to the Criminal Division’s Corporate Enforcement Policy, January 17, 2023, https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-georgetown-university-law.
[3] See Office of the Comptroller of the Currency, Policies and Procedures Manual PPM 5310-3 at 25-26 (May 25, 2023), https://www.occ.gov/news-issuances/bulletins/2023/ppm-5310-3.pdf.
[4] See U.S. Department of Justice, ABB Agrees to Pay Over $315 Million to Resolve Coordinated Global Foreign Bribery Case, December 2, 2022, https://www.justice.gov/opa/pr/abb-agrees-pay-over-315-million-resolve-coordinated-global-foreign-bribery-case.
[5] See Fraud Section, Criminal Division, U.S. Department of Justice, United States v. Telefonaktiebolaget LM Ericsson, https://www.justice.gov/criminal-fraud/fcpa/cases/united-states-v-telefonaktiebolaget-lm-ericsson.
[6] See Consumer Financial Protection Bureau, CFPB Takes Action Against Bank of America for Illegally Charging Junk Fees, Withholding Credit Card Rewards, and Opening Fake Accounts, July 11, 2023, https://www.consumerfinance.gov/about-us/newsroom/bank-of-america-for-illegally-charging-junk-fees-withholding-credit-card-rewards-opening-fake-accounts/.
[7] See Federal Reserve Board, Federal Reserve Board announces two enforcement actions against Deutsche Bank AG, its New York branch, and other U.S. affiliates, July 19, 2023, https://www.federalreserve.gov/newsevents/pressreleases/enforcement20230719a.htm.
[8] See, e.g., U.S. Department of Justice, Danske Bank Pleads Guilty to Fraud on U.S. Banks in Multi-Billion Dollar Scheme to Access the U.S. Financial System, December 13, 2022, https://www.justice.gov/opa/pr/danske-bank-pleads-guilty-fraud-us-banks-multi-billion-dollar-scheme-access-us-financial.
[9] Federal Reserve Board, Order to Cease and Desist and Order of Assessment of a Civil Money Penalty Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as Amended 3-4, In the Matter of Deutsche Bank AG, Nos. 23-012-B-FB et al. (July 13, 2023), https://www.federalreserve.gov/newsevents/pressreleases/files/enf20230719a1.pdf.
[10] Id. 3.
[11] Id. 4.
[12] Id. 5.
[13] Id. 6-8.
[14] Federal Reserve Board, Written Agreement by and among Deutsche Bank AG et al. 2-3, Nos. 23-013-WA/RB-FB (July 17, 2023), https://www.federalreserve.gov/newsevents/pressreleases/files/enf20230719a2.pdf.
[15] Id. 7-11.
[16] See Federal Reserve Board, Responding to widespread consumer abuses and compliance breakdowns by Wells Fargo, Federal Reserve restricts Wells’ growth until firm improves governance and controls. Concurrent with Fed action, Wells to replace three directors by April, one by year end, February 2, 2018, https://www.federalreserve.gov/newsevents/pressreleases/enforcement20180202a.htm.
Jonathan J. Rusch is Director of the U.S. and International Anti-Corruption Law Program and Adjunct Professor at American University Washington College of Law, Adjunct Professor at Georgetown University Law Center, a Senior Fellow at New York University School of Law’s Program on Corporate Compliance and Enforcement; and Principal of DTG Risk & Compliance LLC. He is a former Deputy Chief in the U.S. Department of Justice’s Fraud Section, and former Senior Vice President and Head of Anti-Bribery & Corruption Governance at Wells Fargo.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).