The Financial Conduct Authority’s (FCA) fine of £37.8 million (U.S. $47.5 million) on Commerzbank’s London branch for anti-money laundering (AML) failures is a reminder that the most fundamental risk-based AML controls are still not being implemented at some financial services firms.

Weaknesses at Commerzbank London were identified by the FCA in a “number of areas.” These included the failure of the bank to conduct periodic due diligence on its existing clients in a timely fashion, resulting in nearly 2,000 overdue due diligence checks on existing clients by March 2017.


In addition, the FCA highlighted “long-standing weaknesses” in Commerzbank London’s automation tool for monitoring money laundering risk on client transactions. Incredibly, some 40 high-risk countries were found to be absent from the automation tool in 2015 and over 1,000 individuals had not been added.

Further, appropriate policies and procedures were absent for customer due diligence checks on clients.

AML warnings unheeded

Commenting on the fine, FCA Executive Director of Enforcement and Market Oversight Mark Steward said Commerzbank’s oversights over an extended period had “created a significant risk that financial and other crime might be undetected.”

The size of the FCA penalty is substantial, demonstrating not only the depth of the failures but also, crucially, that the opportunities to address them were squandered—with FCA warnings going unheeded.

It’s also worth stressing that the agency specifically noted the failures had continued despite FCA enforcement against other firms for not being up to standard and despite the regular dissemination of FCA guidance, which clearly set out what was expected.

The measures Commerzbank London failed to implement or even put in place were not new-fangled measures but basic AML controls that have been a requirement for some time. Commerzbank had been warned by the FCA of its AML failures on three separate occasions over the last decade (2012, 2015, and 2017) and did not act on them. That the bank was given the opportunity to rectify its errors and did not do so suggests deeper problems of responsibility, leadership, organization, and training.

Culture at any firm is important, with the tone-from-the-top establishing expected behaviors from all members of staff. Such a culture at Commerzbank undoubtedly could have prevented the aforementioned AML lapses, and it’s something that will need addressing if the firm is to avoid a repeat of a regulatory penalty.

That Commerzbank agreed to resolve the matter with the FCA early is laudable and resulted in a 30 percent reduction in penalty. The FCA also recognized the bank had undergone a “significant” remediation exercise to overhaul its AML controls up to the required standard and, further, that these remediations had been tested by a skilled person.

Lessons to be learned

What can senior management and regulated firms learn from this case? There are a few crucial takeaways:

  • The first is that the FCA is willing to engage with organizations that are not following its regulations. No matter the gravity of the situation a firm may find itself in, it stands to benefit from communication and cooperation with any regulator.
  • Second, the FCA will provide opportunities for firms to make amends when it identifies weaknesses. It is in a firm’s interest to respond to these within an appropriate window of time.
  • Third, fines of this scale are wholly avoidable and less likely to occur when senior management acts quickly on regulator recommendations.
  • Finally, risk-based AML controls are not something to be implemented and then forgotten about. A continual cycle of evaluation and assessment should take place to ensure controls are effective and reflect the risk.

Had Commerzbank listened to FCA feedback or conducted internal checks to make sure its AML controls were up to scratch, it might have avoided a multimillion-pound fine and the reputational damage that follows.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.