OneFinance Compliance in the Financial Services Sector

OneFinance Compliance in the Financial Services Sector

Compliance in the financial services sector has never been as important as it is today. The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) recently imposed a record fine of EUR 4,250,000.00 on N26 Bank GmbH for not filing a report on suspected money laundering in a timely, accurate and/or complete manner as required under the German Act on Money Laundering (Geldwäschegesetz, GwG). This record fine is the start of a new area in the compliance sector of the financial services industry, indicating the dedication of BaFin and its new President, Mark Branson, to enforce compliance with money laundering rules and regulations in Germany by, amongst others, issuing substantial fines.

Our financial services compliance team assists clients with (1) implementing any preventive measures and (2) navigating an investigation initiated by BaFin or a third-party auditor appointed by BaFin.

Compliance in the financial services sector entails 

• anti-money laundering measures,
• combating terrorism financing, 
• fraud prevention, 
• financial sanctions and 
• MiFiD compliance measures.

BaFin is the competent supervisory authority for the entire financial sector and as such, supervises credit institutions, payment institutions, securities trading, other financial service providers, and insurance companies (Financial Institutions). To meet compliance in practice, it is market standard that Financial Institutions produce (a) a risk analysis, (b) a compliance manual and (c) a compliance policy, all tailored to their respective business model. The risk-based approach allows an individual set of measures tailored to the respective level of risk. Most importantly, the documentation provides protection against reputational harm and external challenges by supervisory authorities.

The Hogan Lovells OneFinance compliance team advises on these preventive measures, which include, amongst others, the drafting of risk analyses, a compliance manuals and corporate governance rules. Regarding potential investigations and to prevent fines, we recommend compliance reviews, compliance & investigation trainings and assisting the implementation of any findings. For additional and more detailed information, please find our European Compliance Guide including our expertise in the anti-money laundering sector and our Global Investigation Guide.

Investigations led by BaFin and ECB

BaFin’s supervisory powers include, among other things, the power to:

• conduct its own investigation into the conduct of a Financial Institution’s business
• appoint the German Central Bank (Deutsche Bundesbank) to conduct such an investigation; or
• appoint third parties (in particular, audit firms) to conduct such an investigation on BaFin’s behalf.

In each case, these activities will be carried out at the cost of the Financial Institution. BaFin will communicate the final results of the investigation to the Financial Institution. BaFin-appointed investigators are only responsible to BaFin, i.e., the supervised Financial Institution cannot sue the investigator for damages resulting from professional malpractice.

In addition, BaFin can require the Financial Institution's external auditor to investigate certain circumstances or to place particular emphasis on certain topics during the regular annual audit.

BaFin can investigate the business conduct of the Financial Institution itself, as well as the conduct of all external service providers to the extent that they perform significant business functions for, or on behalf of, the Financial Institution. BaFin does not need justification or a minimum threshold in order to launch an investigation. The investigator may enter the business premises during normal business hours, ask questions, and request documents. Management and employees are obliged to answer questions and supply documents. However, they do not need to give self-incriminating answers.

Despite the statutory provisions, supervised Financial Institutions prefer to take a more active role and have become adept at carrying out their own internal investigations into questionable business conduct. The goal is to replace a BaFin investigation with the supervised Financial Institution's own investigation. Usually, investigations cases begin with an informal BaFin inquiry, in which BaFin asks the Financial Institution questions regarding specific facts. This can pertain to topics such as aiding and abetting tax evasion, anti-money laundering measures, U.S. and EU sanctions compliance, prevention of other unlawful behavior (internal or external fraud cases), sufficiency of own funds, or sufficiency of risk management. It is imperative for the supervised Financial Institution to tackle the questionable business conduct immediately and to give a timely response to the initial BaFin inquiry. The supervised Financial Institution can then inform BaFin that it is aware of the allegations and that it has already retained an impartial third party to do the fact-finding.

This proactive approach of a Financial Institution will generally be successful in convincing BaFin to wait for the outcome of the internal investigation if BaFin can reasonably expect an investigation report with quality standards comparable to its own. Therefore, it is our experience that the supervised Financial Institution appoints a reputable investigator and vests him with similar degrees of independence, impartiality, and freedom to carry out the investigation as appropriate.

In situations where a Financial Institution is credibly determined to clarify allegations and, if necessary, to improve its business conduct, BaFin has cooperated by not launching its own investigations. That means the Financial Institution should always be one step ahead of BaFin, with a pre-appointed investigator, a ready-to-use communication strategy, and a sincere commitment to implement the lessons from the investigation.

However, even if BaFin agrees not to launch its own investigation, it will still reserve the right to verify the facts found (in terms of taking control samples) and draw its own conclusions. 

In addition to the investigations initiated by BaFin, the European Central Bank ("ECB") may also launch its own investigations in compliance matters. As of 4 November 2014, CRR credit institutions are also subject to direct supervision by the ECB under the new system of supervision, which comprises the ECB and the national competent authorities of participating EU Member States such as Germany. This new system of supervision was created by the Single Supervisory Mechanism, which is one of the elements of the so-called Banking Union. Under its new role, the ECB also carries out comprehensive assessments comprising (i) supervisory risk assessments, (ii) asset quality reviews, and (iii) stress tests. Direct supervision as exercised by the ECB affects the supervision competences of BaFin and the German Central Bank in its role as bank supervisor. With regard to significant credit institutions, the ECB is now responsible for carrying out specific supervisory tasks previously performed solely by BaFin and by the German Central Bank, which also include investigations of compliance breaches. Every significant credit institution supervised by the ECB has its own Joint Supervisory Team consisting of officers of the ECB and the national competent authorities such as BaFin and the German Central Bank. The Joint Supervisory Teams are coordinated by the ECB. Whenever the ECB conducts any investigations, the Joint Supervisory Team acts. This new regime under the supervision of the ECB may increase complexity but does not change the basic way in which such cases are dealt with, as the principles in handling such investigations remain the same as described for the investigations initiated by BaFin. The ECB can also appoint third parties to conduct the investigations or it can conduct the investigations itself. However, involvement of the ECB certainly increases the challenges of the process itself, as well as the diligence required to cooperate with the different authorities involved.

Fines in connection with anti-money laundering measures

The most recent reports demonstrate that administrative fines have been levied against obliged entities of the financial services industry. The most common reasons have been: 

• The official identification document was not fully copied during the customer identification process.
• The Financial Institution cannot prove that it has obtained appropriate confirmation whether or not the contracting party is acting on behalf of a beneficial owner.
• The Financial Institution did not submit suspicious activity reports in a timely, accurate and complete manner to the financial intelligence unit. 

BaFin ensures that Financial Institutions can be held liable for breaches of AML laws. Furthermore, BaFin has the right to provide for and impose penalties as an administrative measure. Administrative penalties apply to breaches on the part of obliged Financial Institutions that are serious, repeated, systematic, or a combination thereof, of the requirements for 

• Customer due diligence; 
• Suspicious transaction reporting; 
• Record-keeping; and 
• Internal control measures.

BaFin’s administrative penalties may include the following measures:

• A public statement which identifies the natural or legal person and the nature of the breach;
• An order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;
• Withdrawal or suspension of the authorisation where an obliged entity is subject to an authorisation;
• A temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities; 
• Maximum administrative fines of at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least EUR 1 million.

Anti-money laundering measures

Compliance with the requirements of the AML laws mainly consists of satisfying two high-level obligations:

• Organisational requirements; and
• Customer due diligence requirements.

Risk analysis

Obliged entities are required to rate individual business relationships and transactions in light of their respective money-laundering risk (risk-based approach). The results of the risk assessment must be documented. It should describe the potential risks associated with the business of the obliged entity which can be divided into the following categories:

• Company risks;
• Customer risks;
• Product risks;
• Transactional risk;
• Geographic risks.

The relevant risk factors were specified in Appendices I and II to AMLD4. As soon as the potential risks have been determined and described, it is the task of the obliged entity to determine to what extent they may actually materialise. Depending on the risk levels (i.e. risk-based approach), preventive measures and safeguards may be implemented. The risk assessment must also be updated at least once a year in order to ensure the effectiveness of the preventive measures and safeguards.

Money laundering reporting officer

The essential element of compliance with AML laws lies in an appropriate internal organisation. Even if this is only required for certain entities (where appropriate with regard to the size and nature of the business), the appointment of a money laundering reporting officer ("MLRO") is recommendable, to bear responsibility for the development of internal policies, procedures and controls, including risk analysis and risk management measures, customer due diligence, reporting, record keeping, internal control and employee screening. The MLRO is also entitled to report suspicious events to the central office for financial transaction investigations (Financial Intelligence Unit – "FIU"). The position of the MLRO was generally strengthened by the latest amendments of AMLD4, as the fulfilment of his or her duties may not lead to any disadvantages in the employment relationship. The clear organisational responsibility for this task is the foundation for compliance with the AML laws. 

AML manual

With the confidential risk assessment in place, the next element of the compliance structure – the AML manual – can be drafted and implemented. The AML manual describes the internal processes and activities to be implemented by the company to ensure compliance with legal requirements. Amongst other matters, the manual includes regulations for client identification, the document, or software system to be used, the escalation process for on-boarding politically exposed persons, as well as record keeping and retention requirements and the internal procedure to report suspicious activities to the MLRO and other corporate governance provisions.

AML policy

Each obliged entity must implement appropriate processes and train employees on the types and current methods of money laundering and terrorist financing. This requirement can be met through an AML policy where each employee receives general information on money laundering and appropriate obligations. The training should be repeated at regular intervals depending on the respective AML risk of the obliged entity; market standard is every two years. It is also important to document all employees' attendance of the training sessions to ensure compliance with the AML provisions.

Internal controls

With the AML manual and the AML policy in place, the company and all employees must implement the internal requirements in practice. One of the central tasks is the performance of customer due diligence. More generally, it is important to monitor the business activities and effectiveness of the implemented preventive measures and safeguards.

Authored by Richard Reimer and Sarah Wrage.