Deutsche Bank DPA Reflects Government’s Focus on Third-Party Risk Management and Data-Driven Compliance Programs

On January 8, 2021, US authorities announced that they reached an agreement with Deutsche Bank Aktiengesellschaft (Deutsche Bank) to resolve the government’s investigation into violations of the Foreign Corrupt Practices Act (FCPA) as well as a separate investigation into a commodities fraud scheme.

According to the criminal information, between 2009 and 2016, Deutsche Bank employees, including managing directors and high-level regional executives, conspired to make payments to business development consultants (BDCs) who were acting as proxies for foreign officials, and then violated the books and records provision of the FCPA by falsely reporting these corrupt payments and bribes. According to the information, Deutsche Bank also participated in a separate scheme to engage in fraudulent and manipulative commodities trading practices involving publicly-traded precious metals futures contracts. As part of the resolution, Deutsche Bank agreed to enter into a three-year deferred prosecution agreement (DPA) and pay over $130 million in criminal penalties, criminal disgorgement, and victim compensation.

The DPA mirrors the DOJ’s June 2020 updated guidance titled “Evaluation of Corporate Compliance Programs” (the Guidance), as well as the DOJ’s and SEC’s July 2020 “A Resource Guide to the US Foreign Corrupt Practices Act” (the FCPA Guide). Both of these documents provide insight into how the DOJ and SEC evaluate the hallmarks of a corporate compliance program.

Several mandates related to third-party risk management are included in the DPA in light of Deutsche Bank’s use of BDCs and other agents and business partners. For example, the DPA requires Deutsche Bank to scrutinize its third parties to determine whether they have relationships with foreign officials, that third-party contracts specify what services are to be provided, and that third-party compensation is commensurate with the applicable industry and geographic location. In addition, the DPA incorporates updated language from the Guidance that focuses on continuous risk management of third parties rather than only during the onboarding process by requiring that Deutsche Bank engage in “ongoing monitoring of third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.”

The DOJ’s recent focus on using data to build an effective compliance program is also reflected in the DPA, which requires that Deutsche Bank compliance and control personnel have sufficient access to “relevant sources of data to allow for timely and effective monitoring and/or testing of transactions.” The DPA builds on the Guidance by stating that data should be used to “conduct a thoughtful root cause analysis” so that Deutsche Bank is well-positioned to mitigate the risk of future violations. This is not the first time the DOJ has emphasized the importance of using data to assess and mitigate risk, as a similar mandate was included in a DPA entered into between the DOJ and JP Morgan Chase in September 2020 to settle criminal charges stemming from market manipulation schemes. Arent Fox’s analysis of that DPA can be found here.

Finally, the DPA also follows the Guidance and FCPA Guide in other areas, including by requiring that Deutsche Bank ensure that middle management is involved in enforcing the Company’s corporate policy against anti-corruption violations. The focus on middle management can be found in the Guidance, which states that an effective compliance program requires a “high-level commitment by company leadership to implement a culture of compliance from the middle and the top.” Similarly, the FCPA Guide notes that, when reviewing a compliance program, the DOJ and SEC look at whether middle managers reinforce the Company’s commitment to compliance.

As companies build and refine their compliance programs, they should consider not only the Guidance and FCPA Guide, but also recent enforcement actions which provide additional information on how the government assesses corporate compliance programs. The DPA’s focus on third-party risk is particularly significant, especially for companies that have had to expand their use of third parties as a result of business disruptions caused by the COVID-19 pandemic. Companies should also be equipped to thoughtfully and strategically use data to test the effectiveness of their compliance programs and ensure that the programs work both on paper and, more importantly, in practice.


Continue Reading