The New York Department of Financial Services (“NYDFS”) recently sanctioned Deutsche Bank (“DB”) $150 million for BSA/AML deficiencies. According to the regulator’s factual findings, the compliance failures arose in connection with the bank’s private wealth relationship with Jeffrey Epstein, and correspondent banking relationships with Danske Bank Estonia (“Danske Estonia”) and FBME Bank (“FBME”), both located in Eastern Europe.
This latest enforcement action against DB follows several others issued against the bank by NYDFS since 2015, including for improper conduct arising from LIBOR manipulation, sanctions violations, improper foreign exchange trading practices, and BSA/AML deficiencies in connection with money laundering arising out of equity trades at its London and Moscow branches.
Here are a few takeaways from the regulator’s factual findings:
- DB did a number of things right. It designated its relationships with Jeffrey Epstein, and with Danske Estonia and FBME as high risk, and issues relating to Epstein were properly elevated to senior management at times. But the good was undone by several key deficiencies.
- One noted failure: relying too much on the customer’s word. NYDFS findings indicate DB managers did little to verify the information provided by Epstein and his lawyer offered to explain the business uses of the accounts or justify suspicious transactions. For example, although bank managers met with Epstein personally to question the veracity of allegations against him concerning relationships with underage girls, there was no contemporaneous record of that meeting or any effort to verify the statements he provided to the bank.
- Another key failure was poor execution. Following the in person meeting with Epstein, the bank’s “Americas Reputational Risk Committee,” put in place several conditions to police suspicious transactions by Epstein and his lawyer, including barring “any unusual and/or suspicious activity or [transactions that] are in a size that is unusually significant or novel in structure.” These conditions, however, were never transmitted to the day-to-day relationship managers for the Epstein accounts. Additionally, an AML compliance officer misinterpreted the conditions, believing it to mean that as long as future transactions in the Epstein accounts were consistent with past transactions, they were acceptable. Instead, the condition set an absolute standard of suspicion — not a relative one — and as a result the limitation was not properly communicated to the transaction monitoring team responsible for the Epstein accounts. Nor were any of these dnexecution failures detected by a compliance review or internal audit.
- A third shortcoming was a deficiency seen frequently in major enforcement actions. Here, senior managers declined to follow the very solid advice of experienced compliance personnel – in this case advice to restrict or end high-risk correspondent banking relationships with Danske Estonia and FBME. NYDFS found regarding the Danske Estonia relationship, “[d]espite this recommendation [that the account be closed] from a high-ranking and seasoned compliance professional, Deutsche Bank continued its relationship with Danske Estonia yet again.”
- Cooperation still counts. NYDFS recognized DB for its exemplary cooperation and indicated that it did not presently intend to extend the monitorship currently in place at DB. Bank Hapoalim did not get as much credit for cooperation in a recent NYDFS enforcement action. In fact, the Consent Order in the Bank Hapoalim matter specifically criticized the bank’s initial lack of cooperation, and indicated that the penalty in that case, $220 million, would have been less if full cooperation had been provided.
- Finally, NYDFS remains solidly in the business of BSA/AML enforcement. This is the second major BSA/AML enforcement action from the regulator in the last several months. It thus remains important that financial institutions of all sizes and stripes regulated by NYDFS be vigilant about maintaining adequate systems and controls, including through revised risk assessments, strong internal auditing, and, as appropriate, periodic checkups from outside consultants.