Commerzbank London will pay a £37.8 million (U.S. $47.4 million) penalty in a settlement with the U.K. Financial Conduct Authority for anti-money laundering (AML) systems and controls failures, the FCA announced Wednesday.

According to the FCA’s investigation, between October 2012 and September 2017, Commerzbank London “failed to take reasonable and effective steps” related to the following compliance and internal control failings:

Timely periodic due diligence. Such failures resulted in a “significant backlog” of existing clients not being subject to timely Know Your Client (KYC) checks, in part because Commerzbank London’s first and second lines of defense tasked with carrying out key AML controls were understaffed. “For example, in mid-2016, the Financial Crime Team in Compliance consisted of just three full-time employees, when in mid-2018, following an acknowledgement by Commerzbank London of the need to dramatically increase staff in this area, this was increased to 42 full-time employees,” the FCA stated in its final notice. By February 2017, 2,226 existing clients were overdue for KYC checks.

Inadequate due diligence procedures. Commerzbank London had inadequate procedures in the way it considered the risks associated with politically exposed persons, the FCA’s final notice states. In addition, according to the FCA, “certain business areas did not always adhere to Commerzbank London’s policy of verifying the beneficial ownership of clients, including high-risk clients, from a reliable and independent source.”

An exceptions process put in place to allow existing clients to continue to transact with Commerzbank London—despite not being subject to timely periodic KYC checks—became “out of control, with both senior branch management and compliance lacking understanding and adequate awareness of the process,” the FCA said.

Responsibilities around AML risks were not clearly articulated. In October 2016, internal audit found the bank’s client lifecycle management team’s mandate “had not been clearly determined and defined in its written framework,” the FCA’s final notice stated. “There was also uncertainty amongst certain senior staff at Commerzbank London, particularly between 2015 and 2016, as to the identity of the individual responsible for the establishment and maintenance of financial crime controls.”

“Risk and issue owners were not clearly articulated or understood by Commerzbank London’s committees,” the FCA’s said. This led to a lack of clarity around responsibilities, which impacted the front office, the bank’s client lifecycle management team, and compliance.

Automated tool for monitoring money laundering risk on transactions for clients was not “fit for purpose.” In December 2015, internal audit conducted a review and reported on AML controls at Commerzbank and found, for example, that 40 high-risk countries were missing from the transaction monitoring tool. Nor was its list of high-risk clients updated, meaning that 1,110 high-risk clients of Commerzbank had not been added to the transaction monitoring tool.

Additionally, the FCA said “compliance was not always recording that it was checking the relevant transacting client against the sanctions list; and regular reviews of applicable rules or thresholds used by the transaction monitoring tool “were either not documented or were not undertaken in a timely manner.” Also, Commerzbank had “no comprehensive documented process or criteria for terminating a relationship with an existing client for financial crime risk,” according to the FCA.

AML violations

Because of its compliance and internal control failings, Commerzbank breached Principle 3 of the FCA’s Principles for Businesses, which requires firms to have adequate risk management systems in place. These weaknesses persisted even after the FCA published guidance on steps firms could take to reduce financial crime risk and at a time the FCA was bringing enforcement actions against numerous firms for AML control failures. “Despite these clear warnings, the failures continued,” the FCA said.

The FCA acknowledged, however, that Commerzbank London has undertaken a “significant remediation exercise to bring its AML controls into compliance” and “has conducted an extensive look-back exercise to identify suspicious transactions during the period in question. Commerzbank London also voluntarily implemented a wide-ranging business restriction, which included temporarily stopping taking on new high-risk customers and suspending all new trade finance business activities.”

Furthermore, because Commerzbank London resolved the matter at an early stage of the investigation, it qualified for a 30 percent discount in the penalty amount. Without the discount, the financial penalty would have been £54 million (U.S. $67.7 million).

Firms operating in the United Kingdom, including the branches of overseas firms, “must take reasonable care to organize and control their affairs responsibly and effectively and to establish and maintain an effective risk-based AML control framework,” the FCA said.

“Commerzbank London’s failings over several years created a significant risk that financial, and other crime, might be undetected,” said FCA Executive Director of Enforcement and Market Oversight Mark Steward. “Firms should recognize that AML controls are vitally important to the integrity of the U.K. financial system.”