Commerzbank AG Settles Criminal and Civil BSA/AML and Sanctions Charges with U.S. Government
SUMMARY On March 12, 2015, Commerzbank AG (“Commerzbank”), Germany’s second largest bank, reached a multi-agency criminal and civil resolution of allegations that Commerzbank engaged in a practice of remitting “non-transparent” cross-border payments involving sanctioned clients through its New York branch (“Commerzbank New York”) and Bank Secrecy Act (“BSA”)/anti-money laundering (“AML”) compliance failures. Commerzbank entered into deferred prosecution agreements (“DPAs”) with the U.S. Department of Justice (“DOJ”) and the Manhattan District Attorney’s Office (“DANY”) in which Commerzbank admitted to criminal violations of the International Emergency Economic Powers Act (“IEEPA”), the Bank Secrecy Act (“BSA”) and recordkeeping provisions of the New York State Penal Law. Commerzbank also entered into Consent Orders with the Federal Reserve Board of Governors (“Federal Reserve”), the Treasury Department’s Office of Foreign Assets Control (“OFAC”) and the New York State Department of Financial Services (“DFS”). As a result of the settlements, Commerzbank has agreed to pay $1.45 billion in civil and criminal penalties to the agencies, undertake significant remedial measures, engage an independent compliance monitor and terminate or take other disciplinary action with respect to individuals deemed accountable for the misconduct. The bank, however, avoided a guilty plea or an indictment, suggesting prosecutors continue to view DPAs as a tool they are willing to employ “based on the individual facts and circumstances presented by [the] case and the [company].”1 SANCTIONS VIOLATIONS According to settlement documents, Commerzbank used “non-transparent” methods to conduct approximately 60,000 cross-border transactions through U.S. financial institutions, valued at over $253 -2- Recent Developments in BSA/AML and Sanctions March 26, 2015 billion, on behalf of Iranian and Sudanese entities.2 The transactions on behalf of Iranian entities spanned a six-year period, from 2002 to 2008—and were conducted with the awareness of senior management as early as 2003. During that six-year period, foreign branches and affiliates of Commerzbank assisted Iranian clients in evading U.S. sanctions by processing U.S. dollar payments through their correspondent accounts at U.S. financial institutions3 in a manner that concealed the sanctioned entities’ involvement in the transactions. The non-transparent methods cited by authorities include: Using cover payments (payments made through a chain of correspondent banks to settle—or “cover”—a credit transfer message that travels more directly to the ultimate beneficiary’s bank) to send cross-border payments involving sanctioned customers through U.S. financial institutions; A payment processing team established to manually remove information identifying sanctioned entities from payment messages in transactions processed through Commerzbank New York and other U.S. financial institutions; Encouraging sanctioned clients to omit sanctions-related information from their payment messages that were transmitted through the United States; Allowing an Iranian bank client to pay beneficiaries located in the United States using Commerzbank-issued checks—in lieu of sending direct wire payments to beneficiaries in the United States—which listed only the Iranian bank’s account number and address with no mention of the Iranian bank’s name; and Directing an Iranian client that was designated by OFAC as a specially designated national (“SDN”) to make payments using subsidiary companies, which bore no obvious connection to the Iranian client, to mask from Commerzbank New York the sanctioned client’s involvement in the payments.4 According to the settlement documents, the transactions on behalf of Sudanese entities spanned from 2002 to 2007. During that time, Commerzbank maintained U.S. dollar accounts for up to 17 Sudanese banks, including five SDNs, and processed cross-border payments for Sudanese customers through U.S. financial institutions in violation of U.S. sanctions using non-transparent methods similar to those described above. Although, as set out in the settlement documents, senior managers were aware that Sudanese cover payments were illegal by August 2005, the transactions continued until April 2006, when Commerzbank announced that U.S. dollar accounts for Sudanese banks should be closed. BSA-RELATED VIOLATIONS According to the settlement documents, there were also BSA/AML deficiencies related to foreign correspondent banking services at Commerzbank New York between 2008 and 2013. Correspondent banking is generally considered higher risk because it allows third-party banks to process transactions through their U.S. correspondent account for their own customers, with whom the U.S. financial institution generally does not have a relationship and has not conducted due diligence. “Significant” failures in the Commerzbank New York AML program cited in the settlement documents included the following: -3- Recent Developments in BSA/AML and Sanctions March 26, 2015 Failure to adequately monitor billions of dollars in correspondent banking transactions, including by failing to conduct due diligence on Commerzbank affiliates and branches; Failure to adequately investigate “alerts” of potential suspicious activity generated by the bank’s automated AML transaction monitoring software; and Failure to report suspicious activity, including more than $1.6 billion in wire transfers through U.S. dollar correspondent accounts of Commerzbank branches and affiliates in Singapore at Commerzbank New York that ultimately furthered a large accounting fraud at the Olympus Corporation. Monitoring and Due Diligence According to the settlement documents, Commerzbank New York did not conduct due diligence on or assign a risk rating to its foreign affiliates until 2007, nor to its foreign branches until 2013—failures that were inconsistent with Commerzbank New York’s legal duty to establish a due diligence program for its foreign correspondent banking customers (including foreign branches and affiliates) that included appropriate, specific, risk-based, and where necessary, enhanced due diligence policies, procedures and controls that were reasonably designed to detect and report suspicious activity conducted through or involving correspondent accounts at Commerzbank New York.5 According to settlement documents, because the AML automated software used by Commerzbank New York to identify potentially suspicious transactions relied on such risk ratings and other due diligence information, the branch’s failures to obtain this information from its foreign correspondent banking customers led to its inability to effectively monitor the correspondent accounts of its foreign branches and affiliates for suspicious activity. Interestingly, both the DOJ and DFS criticized Commerzbank New York for maintaining correspondent accounts for its foreign branches and affiliates without maintaining or having access to due diligence information about those branches’ and affiliates’ customers—i.e., the originators and beneficiaries of payments processed through those branches’ and affiliates’ correspondent accounts at Commerzbank New York. The DFS went as far as to state that this information “was necessary to conduct effective BSA/AML monitoring.”6 In 2009, U.S. federal banking supervisors, in consultation with the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) (which has overall authority for enforcement of and compliance with the BSA) and OFAC, issued interagency guidance which endorsed the position that U.S. financial institutions acting as intermediaries for cross-border funds transfers originated or received by third-party customers of foreign correspondent banking clients are “unlikely to be in a position to determine whether the transaction . . . is suspicious, based on an understanding of the activities of the originator and beneficiary” because such banks are usually not in a position to conduct customer due diligence on the originator and beneficiary of a payment as neither the originator nor beneficiary is the U.S. bank’s customer.7 Although the DOJ and DFS did not issue the guidance, their criticism of Commerzbank New York suggests that they may have an expectation for U.S. intermediary banks in the context of correspondent banking to understand, or at least have access to, information regarding the activities of the originator and beneficiary of cross-border funds transfers where the foreign correspondent banking customer is a branch or affiliate of the U.S. bank. -4- Recent Developments in BSA/AML and Sanctions March 26, 2015 Generation and Investigation of Alerts Based on the settlement documents, there were also additional failings by Commerzbank New York related to suspicious activity monitoring. The DOJ and DFS referenced a New York-based Vice-President in Compliance, responsible for setting the thresholds for Commerzbank New York’s computerized monitoring system that was used until 2010 to identify potentially suspicious activities. That Vice-President reported that “the threshold floors were set based on a desire not to generate too many alerts.”8 The DOJ and DFS also referenced another compliance officer who told federal investigators that the then-Head of Compliance for Commerzbank New York required a weekly update on the number of alerts and, in 2011, with the Head of AML Compliance, asked the officer to change the thresholds in the system to reduce the number of alerts generated. The compliance officer refused to do so.9 At the same time, there were lapses in processing the alerts that were generated. According to the settlement documents, until approximately 2013, “virtually all” AML-related customer information for Commerzbank’s foreign branches was maintained at Commerzbank’s head office in Frankfurt. When a transaction was alerted in a foreign branch’s correspondent account at Commerzbank New York, New York personnel were required to submit a request for information to their counterparts in Frankfurt. According to settlement documents, Frankfurt employees often failed to respond for many months, sent inadequate responses or did not reply at all to such requests. As a result, Commerzbank New York cleared numerous AML alerts based on searches of public databases and “perfunctory internet searches” without receiving responses to the requests for information.10 The DOJ noted that, as a result, Commerzbank New York “processed hundreds of millions of dollars in transactions that other parts of the Bank may have deemed to be suspicious without ever alerting U.S. regulators or filing a SAR.”11 Both the DFS and Federal Reserve levied similar criticisms. Suspicious Activity Reporting According to the settlement documents, Commerzbank’s BSA/AML compliance deficiencies led to its failure to report suspicious activity related to a large accounting fraud perpetrated by the Olympus Corporation (“Olympus”), a Japan-based optics and medical device manufacturer and former client of Commerzbank’s branch and affiliates in Singapore, including more than $1.6 billion in wire transfers through Commerzbank New York between 1999 and 2010. The settlement documents report that between 1999 and 2008, numerous Commerzbank executives in Singapore and elsewhere, including an executive who subsequently became Head of Compliance at Commerzbank New York, developed suspicions about the Olympus transactions. These suspicions were shared with, among others, Commerzbank’s Global Head of Compliance in Frankfurt. Notwithstanding these concerns, no negative information about Olympus was shared with Commerzbank New York, which continued to process hundreds of millions of dollars in wire transfers for Olympus in furtherance of its accounting fraud. Indeed, even when Commerzbank New York sought information from the Singapore branch about two payments from entities involved in the accounting fraud that generated alerts as potentially suspicious activity, no information regarding the suspicions about Olympus was shared with Commerzbank New York. The settlement documents that as a result of this “failure to communicate information and -5- Recent Developments in BSA/AML and Sanctions March 26, 2015 concerns”12 about Olympus to Commerzbank New York, transactions continued to flow through the correspondent accounts maintained by Commerzbank’s branches and affiliates at Commerzbank New York in furtherance of the Olympus accounting fraud while no suspicious activity reports were filed by Commerzbank New York with FinCEN concerning Olympus. Unlike some other recent high-profile criminal settlements, Commerzbank was not required to plead guilty to criminal violations. Despite recent criticisms, the DPA remains a tool that federal and New York state prosecutors are willing to use in the BSA/AML and sanctions context “based on the individual facts and circumstances presented by [the] case and the [company].”13 In addition, unlike recent actions involving BNP Paribas and Standard Chartered Bank, the DFS did not impose restrictions on the dollar clearing activities of Commerzbank New York. In other respects, however, Commerzbank’s settlement is consistent with other enforcement trends and the increased risk environment and heightened regulatory expectations with respect to BSA/AML and sanctions compliance. As evidenced by the Commerzbank settlement, which required the bank’s removal of certain employees deemed responsible for misconduct, regulators continue to focus on personal accountability. Both the Federal Reserve and DFS settlements contained provisions aimed at holding individuals accountable for their misconduct at Commerzbank. In addition, the DFS again imposed an independent compliance monitor to conduct a comprehensive review of the BSA/AML and OFAC compliance programs, policies and procedures at the bank concerning activities conducted by or through Commerzbank New York, as it did in other recent BSA/AML and sanctions settlements. The Commerzbank settlement is also consistent with increased regulatory scrutiny and expectations in the area of foreign correspondent banking and, in particular, with respect to branches and affiliates that clear U.S. dollar transactions on behalf of their customers through a U.S. branch or affiliate. The criticisms of Commerzbank may suggest a growing expectation that such international branches and affiliates make customer due diligence information available to U.S. branches or affiliates to the extent the customers’ payments are cleared through the U.S., particularly where suspicions have been identified. At the least, requests by the U.S. branch or affiliate for information regarding payments through U.S. correspondent accounts should be addressed in a complete, accurate and timely manner. In addition, the action also reinforces the importance of ensuring that BSA/AML compliance is afforded adequate staffing and resources to handle alerts generated by a properly tuned transaction surveillance system. Clients interested in further information concerning BSA/AML and sanctions developments are encouraged to contact the Sullivan & Cromwell lawyers identified at the end of this memorandum.