Global Mindset. Local Instinct.

Deutsche Bank Settlement: Another Cautionary Tale of a ‘Paper’ Compliance Program

by | Jan 27, 2021 | Compliance & Investigations

By Shuying Lin

On January 8, 2021, Deutsche Bank agreed to pay the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) more than $120 million in penalties and disgorgement to resolve the investigation into the alleged violations of the books and records and internal accounting controls provisions of the Foreign Corrupt Practices Act (FCPA).

Deutsche Bank is a multinational financial services company incorporated and domiciled in Germany and operates in more than 70 countries worldwide.

According to DOJ and SEC, the Frankfurt-based bank was involved in a long-running bribery scheme outside the U.S., where it contracted with and paid third-party intermediaries who were connected with foreign governments to obtain or retain global business.

The bank was accused of failing to devise and maintain an adequate system of internal accounting controls to ensure that payments to third-party intermediaries are accounted for and properly made. As a consequence, bribery payments and other unauthorized payments were made to politically affiliated people, and these payments were falsely recorded as legitimate business expenses on the company’s books and records.

The FCPA and its Accounting Provisions

The FCPA generally prohibits paying bribes to foreign officials.

FCPA also requires publicly traded companies to maintain accurate books and records (the “books and records” provision) and to have an adequate system of internal control to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for (the “internal controls” provision).

The accounting provisions were enacted to prevent accounting practices that hide corrupt payments and apply to any company that has securities registered in the U.S. or is required to file periodic reports with the SEC.

Deutsche Bank must comply with the above accounting requirements because it is a public reporting company under U.S. securities laws and has stocks traded on the New York Stock Exchange (NYSE).

DOJ and SEC share enforcement authority for the accounting provisions and are respectively in charge of imposing criminal and civil liability. A knowing and willful violation of the accounting provisions could subject a company to criminal liability. (Proof of knowledge and intent are not required to impose civil liability.)

In this case, Deutsche Bank entered into a cease-and-desist order with the SEC and a three-year deferred prosecution agreement with the DOJ.

Deutsche Bank’s Alleged Bribery Scheme

Based on the information published by the DOJ and SEC, from at least 2009 through 2016, Deutsche Bank made bribery payments as well as payments made for unknown, undocumented or unauthorized services to so-called “business-development consultants” (BDCs), who were in fact foreign officials, their family members or associates, in order to obtain and retain business in countries including the United Arab Emirates, Saudi Arabia and Italy.

  • The “books and records” violation: In the alleged bribery scheme, Deutsche Bank was charged with violating the “books and records” provision because its employees and agents created false justifications and documentation for payments made to people connected with foreign governments, including mischaracterizing such payments as “referral fees” or “consultancy” payments to the BDCs.
  • The “internal control” violation: Deutsche Bank was accused of violating the “internal control provisions” as it failed to implement and maintain an adequate system of internal control related to the use of and payments to BDCs, including by
    • failing to conduct meaningful due diligence regarding BDCs, (either adequate due diligence was not performed, or due diligence was conducted more than a year after the BDC was retained and paid), resulting in the hiring of BDCs who had no demonstrated expertise or qualifications and who simultaneously work for the foreign governments from which the bank sought businesses; and
    • paying BDCs who were not under contract with the bank at the time payments were made and without invoices or adequate documentation of the services purportedly performed.

What Went Wrong Despite Having a Robust Written Compliance Program

In fact, as noted by the law enforcement, Deutsche Bank seems to have a robust written global anti-corruption/anti-bribery compliance program, which prohibited the offer of anything of value which may be deemed to influence any act or decision of a public official and prohibited any undocumented payments or bribes.

The compliance policy explicitly addresses the risks of bribery posed by third-party representatives, including detailed requirements in relation to the hiring of third-party representatives and requiring enhanced due diligence when BDCs (including their close relatives and associates) have any political or governmental affiliations or exposures.

While the compliance program looks good on the paper, its implementation is clearly flawed.

For example, contrary to its written policies which require the regional management to oversee the use of BDCs, in practice, the oversight of the use of BDCs fell to “business sponsors.”

  • Business sponsors were people responsible for generating business for the bank and whose compensation were in part based on the revenue earned by the bank.
  • It is these people who had initially proposed the BDCs who would later determine whether contracts and payments to the BDCs conform to the company’s compliance policies.
  • Moreover, business sponsors were responsible for maintaining records concerning the services provided by such BDCs.

While its internal audit group had alerted the senior management in 2009 about the clear deficiencies of the company’s internal control with respect to the use of and payments to BDCs, including inadequate due diligence conducted by its employees on the BDCs, the lack of oversight to ensure BDCs were not used for corrupt purposes and the lack of documentation supporting the actual services rendered, no major changes have taken place at the company until 2016, and until that time senior management and regional committees at various locations had continued to approve the engagement of and payments to the BDCs without any major efforts taken to improve its internal controls.

Lessons Learned & Concluding Thoughts

The enforcement action against Deutsche Bank serves as another reminder to multinational companies of the importance of the actual implementation of their compliance programs, as law enforcement will look beyond a company’s written compliance policies and assess whether the compliance program actually works in helping a company uncover compliance weaknesses and prevent future misconduct.

As discussed, Deutsche Bank’s compliance program failed because it was only strong on paper. The company failed to make sure its employees and agents were acting in accordance with its compliance policies, and its senior management turned a blind eye to the clear deficiencies of its internal control system and failed to take any meaningful steps to close the gaping holes in the face of clear risks of corruption.

It is also worth pointing out that these compliance failures themselves might violate the laws, as the FCPA accounting provisions do not apply only to bribery-related violations, although the provisions were originally enacted to prevent accounting practices that hide payments of bribes.

Specifically, falsifying books and records and failing to maintain effective internal controls are themselves illegal under the FCPA, even in the absence of any conduct associated with bribery or corruption.