Poor policy management leads to multi-million dollar fine for financial service firm

Lack of annual review and regular monitoring of the AML system, along with ESG policy inconsistency

A Deutsche Bank subsidiary, DWS Investment Management Americas, settled with the SEC to the tune of $25 million for making misleading ESG disclosures and running an ineffective anti-money laundering system.

Both failures stem from a lack of systems to review and maintain policies. DWS had implemented an ESG Integration Policy in 2018 which it trumpeted to third parties and investors, but did not do enough to embed or ‘integrate’ this policy internally.

Greenwashing: Public ESG commitments did not align with internal practices

DWS wrote that the firm’s investment managers applied ESG screenings “to all of our actively managed holdings… ESG factors into [our investment professionals’] investment process, analysis and decisions.” DWS paid for this claim to appear in industry magazines, including an interview with a DWS executive who said “ESG is top of mind throughout our organisation” and “has become part of everything that we do.”

The firm had guides directing analysts to document their ESG considerations through a tool called ESG Engine, which assessed companies on their ESG rating. Sounds great, right? But according to the SEC settlement, DWS had nothing in place to ensure these commitments were kept or acted upon.

Despite providing ESG Engine as a tool to use, DWS had no policy or formal, documented system in place to assess whether investment managers actually used the ESG Engine when making decisions. DWS did not implement any standards to assess compliance, and this went on for years. Only in 2021 did the company realise this was a problem and change tack, but not before the SEC decided to hold DWS accountable for grandiose claims that amounted to little more than a well-prepared press release.

Failure to understand or implement an adequate AML policy

More worryingly, DWS was also charged with serious AML compliance failings, also stemming from a lack of policy management. Over the same period as the ESG failures, 2007-2021, the board of DWS mutual funds rubber-stamped the AML programme designed for all Deutsche Bank US operations. It did not tailor the system to the specific compliance requirements of the mutual fund business, as required by the FinCEN AML Mutual Fund Program Rule. The rule does not mandate a specific AML programme, but it does require that each firm tailor its own AML policies and procedures according to its own risk assessment. DWS did not do this. Its AML programme did not address the specific compliance issues of its own operations.

According to the settlement, DWS’ transaction monitoring system was supposed to undergo periodic testing, or ‘tuning’. But the AML programme did not specify how often that tuning should happen. Some documents said annually, others every one to three years. In practice, DWS management tuned the system once in five years.

As a result, 90% of suspicious activity alerts were closed automatically. Samples were supposed to be subject to periodic review, but this didn’t happen for over a year and a half. In late 2020, more than five years after the last tuning, the alerts were reprogrammed so that they were no longer closed automatically without review. This tripled the number of alerts, even though the number of accounts stayed the same.

What was the failing?

  • Generic policies not tailored to the business and its specific risks
  • Inconsistent policies and language from one document to the next
  • Procedures not executed in a timely manner
  • Erratic procedures
  • Lack of consistent or frequent review
  • Discrepancy between public commitment and internal processes
  • Lack of management review of policies
  • Failure of the board to understand basic policy management
  • No follow through on public promises

What has DWS committed to changing?

  • Clarified policies to put more emphasis on roles and responsibilities
  • Amended template documents to make ESG analysis mandatory

Ultimately, policies must be worth the paper they are written on. They must align with public commitments and marketing materials, and must be reviewed to ensure consistency. Moreover, the board of a company should, at the most basic level, understand its regulatory expectations and ensure a consistent and compliant approach.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James, CEO, VinciWorks