The US Federal Reserve Board fined Deutsche Bank $186 million for "insufficient remedial progress" under earlier 2015 and 2017 consent orders for AML and sanctions control deficiencies, as well as deficient AML internal controls and governance processes for its prior relationship with Danske Bank.
In total, the bank has faced over $285 million in fines by the FRB for AML and sanctions control deficiencies.
That is on top of:
- A previous $200 million fine by the NYDFS for sanctions compliance failures;
- $629 million in fines by the UK FCA and NYDFS to end investigations into mirror-trading schemes that violated AML laws; and
- The prospect of more fines by BaFin, the German financial regulator, for AML failures.
This latest action makes it crystal clear that throwing more money and people at compliance won't help you avoid regulatory issues. Instead, the top priority must be improving control effectiveness.
More people and spending is not the solution
Deutsche Bank has spent an incredible amount of resources trying to get out from under its regulatory issues. In 2021, the bank said it spent $2.4 billion to improve its AML controls and increased its AML personnel to over 1,600.
And in response to the latest action? The bank has hired even more people, to the tune of a 25% boost in anti-financial crime personnel, now totaling over 2,000 people.
This level of expenditure is simply not sustainable or scalable.
Worse, the spending hasn't resolved the bank's issues. While the bank says it "significantly invested in controls since 2019 to enhance our effectiveness," the spending and personnel increases clearly aren't satisfying regulators that the bank's compliance program is actually effective.
And if spending is cut back, the bank will end up right where it started.
Most compliance leaders' knee-jerk response to issues is to increase staffing and controls spending. But this latest action should cause you to pause and ask: what are we really trying to achieve? Will this spending actually improve our compliance program in the long-term?
Effectiveness is the key
The bank's initial AML and sanctions control failures have now metastasized into penalties for broader compliance program deficiencies for “compliance oversight, customer due diligence, transaction data, transaction monitoring and filtering, suspicious activity reporting, and facilitating independent third-party reviews.”
The first item that the regulator has ordered the bank to address isn't adding more controls, but rather improving its systems and data, by finding and remediating all data gaps.
In other words: just adding a lot of controls isn't enough; the regulator won't be satisfied without evidence that controls will actually work effectively and as expected.
This reflects the broader growing regulatory focus on effectiveness.
The importance on control effectiveness is even more apparent in the FRB's accompanying Written Agreement with the bank highlighting “general deficiencies relating to Deutsche Bank's governance, risk management, and controls.”
That requires the bank to create, as part of a Risk and Control Self-Assessment: "an effective methodology for assessing, substantiating, and documenting the effectiveness of controls throughout end-to-end business processes."
In short, the bank has to not only know all controls it has in place, but also show it can test and document its control effectiveness going forward.
Until it does so, the regulator is mandating that the bank prioritize remediation above all else, or it risks even more penalties.
Compliance leaders need to pay attention to this action -- when the regulators come knocking, will you already be equipped and prepared to thoroughly evidence your control effectiveness?
Cable is the all-in-one effectiveness testing platform that helps you comply with your financial crime requirements.