Last week, according to a Department of Justice (DOJ) Press Release, Deutsche Bank Aktiengesellschaft, “agreed to pay more than $130 million to resolve the government’s investigation into violations of the Foreign Corrupt Practices Act (FCPA) and a separate investigation into a commodities fraud scheme. “The resolution includes criminal penalties of $85,186,206, criminal disgorgement of $681,480, victim compensation payments of $1,223,738 and $43,329,622 to be paid to the US Securities & Exchange Commission in a coordinated resolution.” Settlement documents include a Deferred Prosecution Agreement (DPA) and Information from the DOJ and a Cease and Desist Order (Order) entered to with the SEC. This settlement comes on the heels of another Foreign Corrupt Practices Act (FCPA) settlement in August 2019, where the Bank paid $16.2 million to settle a ‘Princeling’ charge that it corruptly hired sons and daughters of foreign officials and of employees of state-owned enterprises. Today, I want to conclude with some final thoughts and lessons learned.
The following examples demonstrate multiple internal control failures. In China, a third-party, who was a government official, was hired and worked for the entity whom the Bank was attempting to gain business from. This third-party was ““a close friend of” a foreign government official whose approval was needed for the establishment of the investment fund.” Moreover, and with a huge red flag, “that same government official required that Deutsche Bank work through Consultant A to establish the investment fund.” This corrupt agent was paid “at least $1.6 million. This included payments for services purportedly performed before he was engaged.” The Bank gave this third-party “a partnership interest in the investment fund that required little or no upfront capital and entitled him to a large potential profit share.” This agreement was executed without Legal and Compliance having full information about the circumstances of BDC’s relationship with the government entity.
What were the internal control failures? Hiring a third-party who himself was a foreign official and worked for the entity with whom Deutsche Bank was trying to obtain business. The third-party was also a well-known a “close friend of a foreign government official whose approval was needed for the establishment of the investment fund.” Finally, the Bank actually set up an investment fund for the third-party and the Bank’s customer.
Consider Italy, where the Bank hired an Italian Tax Court Judge, to refer high net worth clients to the Bank. There was little to no due diligence performed prior to retaining the third-party. Even with the pretense of a written contract, numerous payments were made to the third-party that exceeded the commission rate in his contract and included payments outside the terms of his contract. Even when no services were provided by the third-party, he was paid more frequently than permitted by contract. A written contract acts as an internal control because a third-party should not be paid outside the term and amount of the contract and should certainly not be paid when no work is performed.
Another key internal control is the segregation of duties. You simply cannot have a Business Development (BD) person, who recommends a third-party, be responsible for managing that third-party when the BD person is being compensated based in part of the sales of the third-party. The financial incentive to allow or encourage the third-party to engage in bribery and corruption in well-known high-risk jurisdictions is simply too great. When coupled with a corrupt culture such as the one in place at Deutsche Bank, it is a clear recipe for disaster in the form of a FCPA violation.
Ignoring Internal Audit
Based on the settlement documents, you might rightly question why the Bank even had an internal audit function as in both 2009 and 2011 it identified red flags around the third-parties used by the Bank. The 2009 Report noted identified concerns with the Bank’s use of one third-party around insufficient oversight over the engagement to ensure it was not being used for corrupt purposes. Internal audit also reported a lack of documentation detailing what actual services were rendered by the third-party.
The 2011 internal audit report found other areas of concern such as:
- Lack of due diligence around third-parties;
- Lack of training and awareness of the Bank’s third-party Policy by bank employees
- Lack of knowledge about due diligence requirements before hiring third-parties by Bank employees;
- Failure by business sponsors to appropriately assess, document, and mitigate corruption risks and conflicts of interests; and
- Failure to document the amount and justification for certain payments to third-parties.
Internal audit recommended that the Bank’s “global BDC Policy be revised and that the internal accounting controls around BDCs be enhanced to include centralized and thoroughly documented due diligence to demonstrate that a BDC was qualified to perform the services for which it was contracted, maintenance of detailed records of all work performed by the BDC, and a requirement that BDC engagements include books and recordkeeping provisions giving Deutsche Bank inspection rights.” Of course, none of this was ever done.
Reading and re-reading the settlement documents, one can only wonder at the culture at the Bank which basically boiled down to win at all costs: lie, cheat, steal, engage in bribery and corruption, manipulate the markets, we don’t care. Just Win Baby. The Bank was also comfortable in dealing with some very dodgy characters beyond even Donald Trump and his family. The Bank has now said it will no longer do business with Trump and his personal banker left the Bank at the end of 2020.
Does this mean the Bank will turn state’s evidence against Trump? It is hard to say at this point, but the Bank is committed in the DPA to “cooperate fully with the Offices in any and all matters relating to the conduct described in the Statement of Facts and other conduct under investigation by the Offices at any time during the Term, subject to applicable laws and regulations, until the later of the date upon which all investigations and prosecutions arising out of such conduct are concluded, or the end of the Term.” [emphasis supplied] While this is boilerplate language found in every DPA it certainly takes on greater significance now.