- FCPA Professor - https://fcpaprofessor.com -

Issues To Consider From The Deutsche Bank Enforcement Action

This previous post [1] detailed the recent $122.6 million Foreign Corrupt Practices Act enforcement action against Deutsche Bank based on the company’s “improper use … of third party-intermediaries, business development consultants, and findings (BDCs) to obtain and retain global business.”

This post continues the analysis by highlighting additional issues to consider.

How Much And Which Type Of Internal Controls Are Specifically Legally Required?

According to the SEC:

“Deutsche Bank’s Global Anti-Corruption Policy (“Anti-Corruption Policy”) prohibited the payment of bribes, both directly and indirectly, to obtain an improper personal or business advantage in both the public and private sectors. Deutsche Bank prohibited the offer of anything of value which may be deemed to influence any act or decision of a public official and also prohibited the use of BDCs to improperly obtain confidential information about business opportunities. Under Deutsche Bank’s relevant policies, third-party representatives could only be engaged in circumstances where: 1) there was documented pre-contractual due diligence; 2) a written contract which set out the representative’s role and/or services was provided in a form approved by the Bank’s Legal department (“Legal”); 3) the contract contained a documented description of services to be performed, amount to be paid, and other material terms of the engagement; 4) the payment was proportionate to the value of the services rendered; and 5) appropriate review and approval was obtained before the engagement began. Additionally, Deutsche Bank prohibited any undocumented payments or bribes.”

You can be sure that if Deutsche Bank did not have any of the above policies and procedures the SEC would have found that the company violated the FCPA’s internal control provisions.

According to the SEC:

“Deutsche Bank’s Use of Business Development Consultants Policy (“BDC Policy”), its global policy governing the use of consultants and finders, required that the Bank conduct thorough due diligence prior to retaining and paying a BDC to determine, among other things, whether the BDC, or their immediate family members and close associates, had any political or governmental affiliations or exposures. A BDC with a “political or governmental affiliation” was classified as a politically exposed person (“PEP”) and required enhanced due diligence; this person could not be engaged without additional vetting and approval by senior management, Legal, and the Bank’s compliance function (“Compliance”) to provide reasonable assurance that potential conflicts of interest were identified and addressed. The BDC Policy also required that prospective BDCs have “sufficient expertise and qualifications” to perform the contemplated services. Payments were required to be proportionate to the services rendered and made only in circumstances where the supporting invoice contained “sufficient detail regarding the services or matters to which such invoice relates.”

You can be sure that if Deutsche Bank did not have any of the above policies and procedures the SEC would have found that the company violated the FCPA’s internal control provisions.

According to the SEC, “as part of the Bank’s anti-corruption program, a group within Deutsche Bank’s internal audit function conducted a review of business arrangements in its Asia-Pacific region in order to assess the integrity and legitimacy of certain transactions.” According to the SEC, “the same group conducted another internal investigation into the Bank’s BDC relationships” a few years later.

You can be sure that if Deutsche Bank did not have an internal audit function that conducted such reviews, the SEC would have found that the company violated the FCPA’s internal control provisions.

[2]

However, Deutsche Bank did all of the above things, yet the SEC still found that the company violated the internal controls provisions.

Why?

According to the SEC:

Contrary to its internal policies and with known failures in its relevant internal accounting controls, between 2009 and 2016, Deutsche Bank engaged some BDCs: 1) with no demonstrated expertise or qualifications; 2) who simultaneously worked for a government entity from which Deutsche Bank sought business; 3) without a written agreement; 4) using form agreements with no substantive description of the services to be performed and/or provisions calling for “success fee” payments; 5) at rates that were unreasonably high as compared to the work allegedly being performed; and 6) in circumstances where either adequate due diligence was not performed or where due diligence was conducted more than a year after the BDC was retained and paid. [emphasis added]

As a result of its lack of sufficient internal accounting controls relating to BDCs, Deutsche Bank paid certain BDCs in circumstances where no invoices were submitted and where invoices contained insufficient documentation to detail what services were performed. In certain instances, when invoices were submitted, they were vague and inadequate, making it nearly impossible to determine what, if any, services were performed or to determine the purpose for the payment. In some instances, BDCs were paid in excess of what was provided for pursuant to their contract with Deutsche Bank and some BDCs were paid even though they had no contract at the time certain of the services were purportedly performed. Amongst the BDC payments made in these circumstances were those that were bribes.”

Are any of the specific deficiencies listed by the SEC specifically required by the FCPA’s internal controls provisions?

No.

The internal controls provisions state that issuers  shall “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” that certain financial objectives are met. The FCPA then defines  “reasonable assurances” to mean “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

Of note, the DOJ alleged that Deutshe Bank did not have “internal controls sufficient to provide reasonable assurances regarding the reliability of financial reporting and the execution of transactions in accordance with management’s authorization, and which would have helped detect and stop Deutsche Bank from continuing to make corrupt payments to and through BDCs.” (emphasis added).

However, “detect and stop” concepts are simply not found in the internal controls provisions.

Don’t Have Business Sponsors Responsible For Third Party Compliance

Notwithstanding the above salient legal points, those within a company with “skin in the game” as to the third party relationship, probably should not be put in charge of third party compliance.

Yet, this is what the SEC found:

“While the BDC Policy required that regional and divisional management approve and oversee the use of BDCs, in practice, the implementation and oversight of the Policy fell to the BDC’s “business sponsor.” Business sponsors were responsible for generating business for Deutsche Bank and were compensated, in part, based on the revenue earned by Deutsche Bank. The business sponsors recommended the engagement of the identified BDC, determined whether payments to the BDCs complied with both the terms of the BDC contract and the Bank’s policies, and maintained records concerning the services provided by the BDC, including invoices.”

Other Third Party Red Flags

Third party red flags are not inherently illegal, but the more red flags present in a third party relationship, the more the FCPA enforcement agencies will take notice.

According to the SEC, the following red flags were present in various BDC relationships:

Elevate Your FCPA Research

There are several subject matter tags in this post. However, only subscribers to FCPA Professor's premium search feature can see and use them in research. Efficient and cost-effective FCPA research is just a click away.

Elevate Your Research [3]