IMG_3289Recidivist behavior is something that the US government is forced to face in Foreign Corrupt Practices Act (FCPA) enforcement from time-to-time. When a company agrees to a Deferred Prosecution Agreement (DPA) or Non-Prosecution Agreement (NPA), it always agrees not to engage in the same or similar conduct again. Recently Novartis reported that it is under scrutiny in South Korea for criminal conduct around alleged illegal payments to doctors in the form of excessive payments for scholarly articles or for articles for which payment was made but where the articles were never published in scholarly journals. This is after agreeing to a Cease and Desist Order with the Securities and Exchange Commission (SEC), in March 2016, which read in part, “Respondent Novartis cease and desist from committing or causing any violations and any future violations of Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act”.

Recently another entity demonstrated the difficulty with recidivism. That entity was Deutsche Bank and the regulator was not the SEC or even Department of Justice (DOJ) but the UK Financial Conduct Authority (FCA). As reported in the Financial Times (FT), in an article entitled “Deutsche Bank still plagued by legal uncertainty in wake of FCA warning, James Shotter and Caroline Binham wrote that the FCA issued a scathing report issued after its review of the Bank. They wrote that the FCA found “serious and systemic failings in relation to financial crimes.” This was all in light of Deutsche Bank’s $2.5bn fine paid last year to regulators in the US and UK.

The litany of failures does provide a Chief Compliance Officer (CCO) with a very good list to use as a benchmark to see if there are items your company is falling short upon. Recognizing that the issues involve a financial institution or that the compliance issues focused upon by the FCA does not lessen their relevance or impact for the anti-corruption compliance practitioner.

The first criticism was leveled at the Bank’s top management. While a new Chief Executive Officer (CEO) took over in July 2015, after the fine was levied, until recently “DB UK lacked a clear strategy and effective leadership in the tackling the systemic AML failures that had occurred.” The question for you is therefore two-fold: (1) What is your strategy for compliance?; and (2) Does your company have effective leadership in place to implement that strategy? Before you go off nodding your head that, of course we have both in place, my question to you is: How would you document both?

Some of the most basic questions you should put to yourself and your compliance program are as follows. What is your compliance strategy? Is it based upon a risk assessment? How recent was your last risk assessment upon which that strategy was based? What were the risks identified in the risk assessment and how did you rank them? Is your strategy managing those identified risks first? and What evidence do you have to demonstrate all of the above?

How would you demonstrate effective leadership? Once again would it be a simple metric of what compliance related activities senior management has engaged in over the past year? Would you try to incorporate some of the items laid out in the DOJ Pilot Program Guidance specifically about the quality of your compliance professionals, their compensation vis-à-vis other senior management in your company? How about compliance certification? What about promotion into and out of the compliance function? Has there been professional growth by your compliance team? Do they attend conferences and garner CPUs or CLE?

The next area of insufficiency touched upon by the FCA was in the Bank’s record keeping. The article reported, “37 of the 42 client files that it reviewed “did not meet legal and regulatory requirements.”” Think about that for a moment… you are under the equivalent of a DPA and when the regulators come over 90% of the files they review do not have sufficient documentation. Fortunately, this is something that you can check easily, quickly and at little to no cost. Go into your filing room, real or virtual and pull the files on your top 50 third party representatives and look to see if all the required documents are in the files. If not, look around to see if they are misfiled. If you still cannot find the required documentation, you can do the remedial work now to fix the situation before the SEC or DOJ show up. Finally, if the required documents are not in place, you may well need to hold on signing that SOX certification for compliance.

The FCA also skewered Deutsche Bank over its technology. In the most basic of Anti-Money Laundering (AML) systems, that being Know Your Customer (KYC), the FCA found the Bank had held required documents in 220 different and separate systems. It is no wonder the Bank could not find something and as the article noted, “this led to a number of problems, including leaving some clients with no underlying [KYC] documentation and incorrect risk assessments being applied.” If your systems cannot talk to each other, they certainly are not going to talk to you.

This lack of any technological solution led the regulators to conclude the Bank had no real interest in the actual doing of AML compliance. The article stated that the FCA report “referred to a ‘tick-box’ approach rather than any real judgment being applied and a lack of awareness about suspicious activity across the business.”

All of these failings were overlaid by two additional factors that were not a part of the FCA report. The first was that “veteran lawyer Georg Thoma resigned form Deutsche’s supervisory board after coming under fire from other board members for his investigations into how the bank’s senior figures dealt with past scandals.” Further, there is an open investigation, by the DOJ and New York state Department of Financial Services, in addition to the FCA, over the Bank’s “trades that involve Russian clients buying securities in rubles through the Bank’s Moscow office and then selling identical ones for foreign currency”. i.e. money laundering.

The FT piece ends by stating the Bank has set aside €4.5 bn to “deal with its mountain of legal risk” with some analysts saying the cost could well go much higher.

For the anti-bribery/anti-corruption compliance practitioner, the lessons from Deutsche Bank are manifold, yet items that you can check yourself. Review the evidence of your compliance strategy and its effectiveness; review your third party files to ascertain all required documents are in place; and make sure you can talk to your technology and it can talk among itself.

Finally, whatever you do Document, Document, and Document.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2016