The Commerzbank bank case provides a chilling story of a systemic breakdown in compliance, and the far-reaching consequences of such a breakdown.  Even in the context of a systemic breakdown, there are valuable lessons to be learned.

The first and most striking question is why did Commerzbank get a DPA at all?  BNP Paribas was forced to plead guilty and Commerzbank was given a DPA.  I would be interested in hearing the internal discussions leading to that different result.  If the conduct was so bad as to require the comprehensive and detailed DPA, why did it not merit a criminal plea?

Furthermore, if DOJ decides not to prosecute any individuals, there is a real question as to whether or not all of this enforcement really ends up deterring anything.  After all, if a fine is the only relevant penalty, then executives may decide to ignore or skirt the law when business justifies doing so.  Of course, there may be evident statute of limitations problems, or even other proof problems that we are not aware of.

The Commerzbank DPA is striking in its breadth and specific requirements, including mandatory processing requirements for US dollar transactions; certifications and government notification requirements of violations of law; and incorporation of specific regulatory orders issued against Commerzbank in the past.  All of this has raised the stakes for Commerzbank — violations of the DPA could lead to criminal prosecution for the four specific offenses included in the filed Information, as well as potential contempt violations.

The detailed requirements require Commerzbank to:

(i) apply the OFAC sanctions list to United States Dollar (“USD”) transactions, the acceptance of customers, and all USD cross-border Society for Worldwide Interbank Financial Telecommunications (“SWIFT’) incoming and outgoing messages involving payment instructions or electronic transfer of funds;

(ii) not knowingly undertake any USD cross-border electronic funds transfer or any other USD transaction that is prohibited by U.S. law or OFAC regulations;

(iii) continue Financial Economic Crime sanctions training of officers, managers and employees, as well as supervisors involved in processing of USD payments;

(iv) continue to apply its written policy requiring the use of SWIFT Message Type (“MT”) MT 202COV bank-to-bank payment message where appropriate under SWIFT Guidelines, and by May 30, 2015, certify continuing application of that policy;

(v) continue to apply and implement compliance procedures and training designed to ensure that the Company’s compliance officer in charge of sanctions is made aware in a timely manner of any known requests or attempts by any entity to withhold or alter its name or other identifying information where the request or attempt appears to be related to circumventing or evading U.S. sanctions laws. The Company’s Head of Compliance, or his or her designee, shall report to the government in a timely manner, the name and contact information of any entity that makes such a request;

(vi) maintain the electronic database of SWIFT Message Transfer payment messages and all documents and materials produced to the United States as part of this investigation.

In addition to these requirements, the DPA requires Commerzbank to abide by Federal Reserve Bank regulatory orders and requirements.

Most significantly, Commerzbank is required to submit 90-day reports for the entire three-year term on its progress concerning remediation and implementation of the compliance measures. The DPA requires Commerzbank to submit “specific and detailed” accounts of the BSA and sanctions compliance improvements; and to identify any violations of the BSA that have come to Commerzbank’s attention. Finally, at the conclusion of the three-year DPA, Commerzbank’s CEO must certify that Commerzbank’s compliance improvements have been completed.

In total, the DPA builds a new level of requirements and potential punishments against Commerzbank for failure to abide by regulatory orders, and to implement an effective sanctions and BSA compliance program. Additionally, the DPA includes a notification requirement, in addition to BSA SARs requirements, that could have catastrophic consequences for violating the law and the DPA for any failure to report.

In the end, the government has imposed an unprecedented regulatory-type DPA that is aimed at a global financial institution that engaged in systemic violations of the law. The government’s message is loud and clear – if you violate the law, lose control of your compliance function and fail to take meaningful steps to comply, the government will ensure compliance through tough and comprehensive punishment and supervision.

Whether this is the right public policy, and consistent with other prosecutions, is a question that has not been answered.  Time will tell on that issue.