Such was the basic lesson Deutsche Bank (DB) learned earlier this month, after the New York State Department of Financial Services (DFS) imposed a $150-million monetary penalty against the lender over its failure to properly mitigate the financial-crime risks of its client Jeffrey Epstein. The agency, which also cited compliance failings linked to Deutsche Bank’s relationships with Danske Bank Estonia and FMBE Bank, concluded that the German institution “inexcusably failed to detect or prevent millions of dollars of suspicious transactions” involving Epstein.

The DFS consent order recounts how the bank went wrong “despite knowing Mr. Epstein’s terrible criminal history”, and offers a number of important lessons for compliance teams reviewing high-risk customers of their own.

Relationship onboarding

DB initiated its relationship with Epstein and his related entities in August 2013 and maintained it until December 2018, when the relationship was terminated due to renewed negative media coverage over his past criminal conduct. Even before commencing the relationship, there had been widespread media reports of Epstein’s trafficking and abuse of underage women. In September 2007, Epstein was convicted in Florida of two prostitution charges, including the solicitation of a minor to engage in prostitution.

A related deferred prosecution agreement made public in 2009 revealed details that Epstein may have conspired to use interstate commerce to induce minors to engage in prostitution, to engage in illegal sexual conduct with minors and to traffic minors. The agreement also showed that prosecutors produced a list of alleged “victims” and that Epstein funded their legal costs. The media continued to publish articles, on a regular basis, about Epstein and his activities up to and beyond August 2013 when DB onboarded Epstein as a client.

In December 2012, a Relationship Manager (RM1) joined DB from another institution where he had previously overseen Epstein’s accounts. RM1 suggested to DB management that Epstein could be a lucrative client who could generate millions in revenue and who facilitate introductions to his wealthy associates.

As expected, DB conducted due diligence on Epstein prior to onboarding. A memo sent to senior DB management noted Epstein’s 2007 criminal conviction, his 18-month prison sentence and 17 out-of-court civil settlements linked to the conviction. RM1 opined that, over time, there could be investments of $100-300 million generating revenues of $2-4 million. Although DB had a Reputational Risk Committee (RRC) in the US, it did not discuss nor consider any reputation risk posed by an association with Epstein.

Onboarding occurred in August 2013 with brokerage accounts opened for Epstein-linked companies based in the British Virgin Islands in order to hold marketable securities and cash, and to invest with the bank over time. Eventually, there were over 40 Epstein linked accounts held at DB. A compliance officer approved the initial onboarding based on an email sent by a senior manager who, after consulting both DB’s US General Counsel and the US Head of Compliance, approved the onboarding in principle, subject to the due diligence exercise not revealing any concerns. The compliance officer failed to speak to any of his senior colleagues prior to granting his own onboarding approval.

Suspicious transactions

As the Epstein relationship was deemed to be “high-risk” and as he was assessed to be a “Honorary PEP” due to his known links to senior politicians, the Epstein accounts were subject to enhanced transaction monitoring. However, such monitoring did not address the individual risks posed by Epstein.

In January 2014, DB opened a bank account for the Epstein-linked “Butterfly Trust”. The account’s stated purpose was to pay taxes and trust fees. The Trust’s beneficiaries included some of Epstein’s co-conspirators and several women with eastern European names. When questioned by DB, Epstein said the beneficiaries were employees or friends. At the point of onboarding, DB learned that one beneficiary was a female co-conspirator of Epstein. However, the account was approved based on the original earlier email from a senior manager and because the female co-conspirator had not been tried or convicted in a criminal court.

The Butterfly Trust account was used to make 120 payments totalling $2.65 million to the beneficiaries for their rent, expenses and tuition. More suspiciously, the Trust account was used to pay $7 million in multiple legal settlements via many law firms and to pay $6 million in legal fees for Epstein and his co-conspirators.

Questions raised

By early 2015, Financial Crime staff escalated concerns following media reports that a 2008 plea bargain by Epstein would be made available to his alleged victims, highlighting his links to a former senior US politician as well as to a member of a European royal family. Despite the nature of the allegations, a senior manager accepted without question Epstein’s observations on these media reports.

The RRC considered the Epstein accounts in January 2015, but contrary to bank policy, no minutes of their deliberations were taken. Immediately following the meeting, a Committee member emailed a colleague that the Committee was “comfortable with things continuing” and that another Committee member “noted a number of recent sizable deals”.

Poor internal communications

A few days after the RRC meeting, a Committee member outlined, via an email to senior colleagues, the three conditions the RRC placed on continuing the business relationship. Firstly, transactions need not have Compliance pre-approval provided that the business assessed that the trades weren’t suspicious, unusual, used a novel structure or very large. Secondly, the business monitored the transactions to ensure compliance with the first condition. Finally, accounts could be opened where DB’s US Wealth Management Division had approved the activity.

Although these conditions were widely circulated through DB in New York, including to the bank’s US CEO, they were not communicated to Epstein’s relationship team, which continued to conduct business in the same manner as before. This failing was significantly compounded when a compliance officer interpreted the first RRC condition as being assessed against Epstein’s previous dealings rather than being assessed objectively. This interpretation was communicated to the transaction monitoring team. For example, a March 2017 transaction alert on payments to a Russian model and agency was closed as being “normal for this client” and hence not suspicious.

The compliance officer further instructed the transaction monitoring team to verify, using Internet searches, that any female linked to an Epstein payment was aged 18 or over, and to only flag those transfers for which there was no discernible rational transaction. This instruction had little effect on DB’s relationship with Epstein.

More red flags ignored

In January 2016, an accountant representing Epstein requested an account be opened for Gratitude America, Epstein’s private charity. The RRC Secretary ordered that an external due diligence report on Epstein be commissioned. When the relationship team requested additional information from the accountant to assist the exercise, they were advised that Epstein had resigned from the charity and hence the new account was no longer needed. As a result, no due diligence report was produced.

A new Relationship Manager (RM2) replaced RM1 in April 2016. Although RM2 had reviewed the Epstein KYC file and he was aware of the reference to the RRC, he was not aware of the three RRC conditions on continuing the Epstein relationship.

A May 2018 transaction alert was raised about payments to accounts in the names of eastern European women at a Russian bank. An Epstein accountant advised RM2 that the payments were for tuition fees. When a compliance officer queried why the account was being used for tuition fees, RM2 said that Epstein’s staff used any account that was in credit to make payments on his behalf.

Suspicious cash transactions

Between 2013 and 2017, Epstein’s personal lawyer withdrew $7,500 in cash two or three times per month from a New York DB branch. In total, there were 97 such withdrawals. The bank’s limit for withdrawals by a third party on an account was $7,500. When queried, the lawyer explained the payments were for travel, tipping and expenses.

In 2014, the lawyer inquired into how much he could withdraw on Epstein’s behalf without DB being required to submit a report to the US authorities. It is unclear whether DB responded to the query. In 2017, the same lawyer further inquired whether a withdrawal of $10,000 would generate a report to the authorities. Following an affirmative response, he split the withdrawal over two days.

DB compliance staff discussed the constant cash withdrawals and their reporting obligations with the lawyer. Nevertheless, Epstein’s lawyer reassured DB that all was well, so much so that DB continued to permit the cash withdrawals. In 2017, on one occasion, the lawyer withdrew $100,000 in cash explaining it was needed for tipping and household expenses.

Over a four-year period, the lawyer withdrew $800,000 in cash. Although DB met their legal obligations by submitting cash reports to the authorities, it readily accepted the explanation that the withdrawals were for tipping, travel and household expenses.

What lessons can be drawn?

DB terminated its relationship with Epstein in December 2018 following a media report the previous month setting out his 2008 plea bargain. This episode provides numerous lessons that compliance officers can learn from.

Firstly, where an institution decides to conduct business with a high-risk client, it must tailor its due diligence and transaction monitoring to mitigate the risks posed by that particular client rather than seeking to mitigate generic risks.

Secondly, DB failed to adequately monitor Epstein’s account activity for the type of activity that Epstein was notorious for, although the bank was aware of his criminal conviction, prison sentence and the allegations against various co-conspirators. Despite this knowledge, DB failed to block payments to the named co-conspirator and the young women, or to effectively probe why Epstein needed $200,000 in cash withdrawals per year.

Thirdly, the failure by DB to “join the dots” between their knowledge of Epstein’s past and his account activity, and thus consider whether there were any grounds for suspicion, represents a “major compliance breach” in the view of DFS.

Finally, these substantive breaches were compounded by a series of procedural failings. The initial onboarding was not reviewed by the RRC, itself a breach of DB policy. Instead, approval was granted by an email based on two offhand conversations. That initial email was later used as the basis to open further Epstein accounts. When the RRC subsequently considered the issue, they were satisfied upon the basis of an undocumented meeting between Epstein and two front office staff. Again, bank policy was breached as the RRC deliberations went undocumented. The three RRC conditions on the Epstein relationship were not communicated to relevant staff or were misinterpreted.

Across the world, many banks have been sanctioned for unknowingly failing to identify high-risk clients. In this case, Deutsche Bank staff were aware they were dealing with a high-risk client, but were perhaps driven by business considerations and failed to adopt a suitably sceptical mindset when dealing with him. Those banks with historic links to Epstein should consider consulting their lawyers while all banks should assess whether they have properly implemented controls to mitigate all the risks introduced by their risky clients.