Control Failures and the erosion of 1st and 2nd line defences cost Deutsche Bank $130M
Deutsche Bank settled FCPA charges last week [Jan 8 2021] with $130 million in penalties and disgorgement and a three-year deferred-prosecution deal. And there are lessons aplenty about the perils of leaving internal control duties with operations executives in the First Line of Defence.
DEUTSCHE BANK AGREED TO PAY
- $87 million to the Justice Department in criminal penalties, disgorgement, and other costs;
- $43.3 million in disgorgement and interest to the Securities & Exchange Commission.
(The Justice Department settlement included resolution of a second, unrelated case of commodities trading fraud, which we won't address here.)
According to the criminal information from the Justice Department and the cease-and-desist order from the SEC, executives ignored anti-corruption policies and controls while conducting business in China, Saudi Arabia, and Italy from 2009 into 2016.
"BUSINESS DEVELOPMENT CONSULTANTS" (BDCS)
- Overseas agents were, as usual, the star of the show.
- Deutsche Bank called its agents "business development consultants" (BDCs), and employed hundreds of them during the seven years in question.
- These BDCs routinely had close ties to foreign government officials, and lax internal accounting controls allowed the BDCs to be conduits for bribes.
- For example, in 2010, Deutsche Bank was bidding to win an investment deal with Abu Dhabi's sovereign wealth fund.
- A local agent in Abu Dhabi, identified as "Consultant B" in the SEC order, approached Deutsche Bank and said he wanted to help facilitate that investment deal.
- Key detail: Consultant B was related to the Abu Dhabi government official deciding whether Deutsche Bank would win said investment deal.
- Consultant B made clear that his brother would be involved in the consulting work; the Justice Department settlement identifies the brother as a business partner of the Abu Dhabi government official.
- Using Consultant B was a sky-high corruption risk.
- Still, a risk review committee of senior Deutsche Bank executives allowed the engagement with Consultant B to proceed, even though they knew Consultant B was related to the Abu Dhabi official, and that Consultant B had no known qualifications to facilitate an investment deal.
- Deutsche Bank won the investment deal shortly after hiring Consultant B.
- The bank subsequently paid Consultant B roughly $3.5 million, without any invoices or documentation outlining what Consultant B did.
- Then again, Consultant B's contract only called for him to provide "generic advice and introductions."
ANTI-CORRUPTION POLICY GONE WRONG
- What's striking about this case is that, on paper, Deutsche Bank had strong policies for anti-corruption and its use of BDCs.
- As far back as 2008 (that is, before the relevant misconduct occurred), the bank had an anti-bribery policy that defined bribery expansively ("anything of value") and included a clause against using BDCs to obtain confidential business information improperly.
- The anti-bribery policy also required pre-contract due diligence on all BDCs, clear documentation of services to be rendered, and payments in proportion to the value of services rendered.
- Moreover, the policy on using BDCs specifically said due diligence should determine whether the BDC was related to any foreign government official.
- For any such agent flagged as a politically exposed person, Deutsche Bank could only engage with that BDC after approval by senior management and assurances from the compliance team that all conflicts of interest were identified and addressed.
ON PAPER, THE POLICIES ALL LOOKED GREAT. SO WHAT WENT WRONG?
- The damning paragraph seems to be this one from the SEC settlement order:
- While the BDC Policy required that regional and divisional management approve and oversee the use of BDCs, in practice, the implementation and oversight of the policy fell to the BDC's "business sponsor."
- Business sponsors were responsible for generating business for Deutsche Bank and were compensated, in part, based on the revenue earned by Deutsche Bank.
- The business sponsors recommended the engagement of the identified BDC, determined whether payments to the BDCs complied with both the terms of the BDC contract and the bank's policies, and maintained records concerning the services provided by the BDC, including invoices.
- In other words, Deutsche Bank drafted an anti-corruption program that looked great, and then left responsibility for that program with executives in the First Line of Defence, who had financial incentives to ignore it.
AUDITS PROVE THE POINT
- Evidence for that statement comes in the form of two internal audits of the anti-corruption program.
- The first audit came in 2009, and flagged insufficient oversight of BDCs.
- That report recommended "centralized and thoroughly documented due diligence," and that all contracts with BDCs include a right-to-audit clause.
- The audit went all the way to senior executives and the management board of Deutsche Bank, but "only limited steps were taken in response," according to the SEC complaint.
- The 2011 audit was even more precise in its findings: "failure by business sponsors to assess appropriately, document, and mitigate corruption risks and conflicts of interests; and failure to document the proportionality and justification for certain BDC payments."
- Those were exactly the issues that tripped up Deutsche Bank in its dealings with Abu Dhabi.
- This audit also went to Deutsche Bank senior management, "and again, only limited steps were taken in response."
INDEPENDENT EXECUTION OF CONTROLS
- When we talk about internal controls "reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts," we should consider how much independent execution of controls figures into that concept.
- The design flaw in Deutsche Bank's anti-bribery program wasn't that its policies were poorly drafted; the flaw was that senior executives allowed business managers in the First Line of Defence to execute due diligence and oversight, which meant those managers could ignore those duties.
- Which they did, with gusto.
- The wiser approach is to keep oversight of third-party agents (the due diligence, the contracting, the invoice collection, and so forth) away from those managers in the First Line who would work with the agents daily.
SEGREGATION OF DUTIES
- Internal control enthusiasts often talk about segregation of duties, but usually we associate that phrase with tasks done at the small scale: for example, an accounting employee who approves new vendors cannot also be the one who authorizes payments to vendors.
- Segregation of duties must also exist at a larger, enterprise scale: one team works with third-party agents; the other oversees them.
- And indeed, one compliance program improvement Deutsche Bank eventually made was to give the anti-bribery compliance function approval power over any new BDC arrangements.
- Other improvements: reducing the number of BDCs overall, an annual review of BDCs from here forward, and enhanced due diligence and training.
So Deutsche Bank did, in the end, build a more robust compliance program by giving the compliance function the independence and authority it needed in the first place.
If only more companies would do that from the start.