Financial crime staff would be well advised to consider the findings of the review conducted by the Danish Financial Supervisory Authority (DFSA) into the country’s largest bank, Danske, its management and senior employees in relation to allegations of money laundering taking place at its branch in Estonia.
In the first part of this two-part article, I will discuss some of the key issues that arose pertaining to Danske’s compliance controls.
This Scandinavian saga commenced in March 2017 with media reports of the Russian Laundromat case involving Danske’s Estonian branch.
Media reports suggest €7.1 billion (£6.3 billion) may have been laundered through the branch. Some of its customers who were linked to the case had opened accounts with the branch between 2011 and 2013.
The branch had a significant number of Russian and non-Baltic customers, who generated significant profits for the bank. For example, although Russian customers represented only 8% of the branch’s customers by number, they generated 35% of its profit.
Historically, Danske had AML issues.
For example, in 2012, the DFSA concluded that Danske had not complied with Danish AML obligations.
Also, it wasn’t until 2018 that the DFSA learned that Danske did not have a person responsible for AML matters as required by Danish law between December 2012 and November 2013.
Three lines of defence model breaks down
Danske adopted the now standard three lines of defence model.
The first line was the business who had the responsibility to conduct its operations lawfully and efficiently.
The second line was a risk management function whose role was to identify and mitigate risk whilst the compliance function checked compliance with the rules.
The internal audit function represented the third line of defence in that they checked whether the other two lines picked up on problems.
The Board and the Executive Committee, based on the relatively small size of the Estonian branch, felt it sufficient to rely on regular reports from the three lines of defence that all was well and accordingly they did not pay the branch any special attention.
From a financial viewpoint, in 2013 Estonia generated 2% of the Danske’s total profit before impairments and its assets represented just 0.5% of Danske’s total balance sheet.
However, the three lines of defence model completely failed.
The first line, the business, did not focus on its high risk customers, whilst the Business Banking team in Copenhagen, to whom the branch reported, relied on regular assurances that all rules were being complied with.
The second line did not include any details of AML risk in the Baltic branches in their regular reports to senior management. Finally, the third line, the branch’s internal audit function was not fully integrated into Danske’s Group Internal Audit (GIA) department.
Whistleblower submits reports
Although the Estonian regulator conducted AML reviews of the branch in 2007 and 2009, senior management in Copenhagen were unaware of the conclusions of the review.
Also, whilst the termination of the relationship with the branch by a USD correspondent bank in July 2013 due to the branch’s extensive links to non-resident customers led to a review of the branch’s activities by senior management in Copenhagen, no action was taken until a whistleblower reported his concerns in December 2013.
He made a report to head office about a non resident customer established as a UK limited liability partnership (LLP) at the UK’s Companies House.
The LLP had filed public financial statements for the year to May 2012 as a “dormant” company. In reality, the LLP had a credit balance with the branch of $965,418 on 31 May 2012 and had an extensive history of transactions.
The whistleblower notified the customer’s relationship manager and the branch Compliance Officer, who both advised him the matter would be rectified. The LLP later resubmitted its financial statements to Companies House showing a bank balance of $25,000.
At this point, the whistleblower became increasingly concerned that the bank continued to be involved with a company which had committed a crime.
He suspected that a Danske employee had actively participated in the matter of the erroneous financial statements and that the branch had knowingly opened an account for a dormant company, which he noted, was “quite an achievement”.
He concluded that Danske had probably committed a crime, had actively assisted others commit a crime, had likely breached numerous banking regulations, had behaved unethically and that there had been a “near total process failure”.
It wasn’t until nine months later in September 2014 that the branch terminated the relationship with the customer and submitted a Suspicious Activity Report to the authorities.
Bank Commissions reviews
GIA – Danske’s Group Internal Audit – conducted an AML review of the branch following further reports by the whistleblower in January 2014 about three other branch customers.
In February 2014, GIA found issues such as that:
(i) some customers used newly formed companies in order to avoid filing financial statements
(ii) complicated corporate structures were employed using entities in the former Soviet Union and tax havens
(iii) the beneficial owners of corporate customers were not identified
(iv) such information was not requested as it may have caused problems in the event that Russian authorities requested information and
(v) nine unregulated Russian intermediaries were used to make payments out of Russia.
It appears that the GIA report galvanised senior management in Copenhagen into action. They decided that there would be no further cooperation with the unregulated Russian intermediaries and no new non resident customers would be taken on.
However, relationships with existing non resident customers continued. An external review was commissioned. It soon revealed 23 significant deviations from the applicable rules or best practice in the branch.
At this stage, Copenhagen senior management appeared to lose their resolve.
The Board member responsible for the Baltic region made a presentation to the Board on the results of both the GIA and external reviews. The presentation “toned down” the conclusions of those inspections.
The Board minutes omitted any significant comments on the presentation, although sometime later, some Directors stated there was a significant discussion about the presentation.
Further reviews of the branch’s customers were commissioned as well as reviews on the earlier reviews. By December 2014, 853 relationships with customers were terminated.
However, it took until September 2017 that a review was undertaken of the earlier transactions executed by customers, a proposal first made by GIA in May 2014.
Financial crime staff would be well advised to carefully review the DFSA letter to Danske and forward a copy to their Internal Audit department.
Consideration should also be given to making a presentation, based on this case, to the Audit Committee and the Board of Directors, emphasising the total failure of the three lines of defence model and the findings of the DFSA.
This case also highlights the importance of having constant checks on systems, rather than launching a strategy and assuming it is working well.
If constant checks had been made on its three lines of defence model, the bank could have spotted earlier on that something had broken down and addressed it.
This case also demonstrates that while foreign branches may represent only a very small part of a Group’s total operations they may bring considerable regulatory problems if internal reporting mechanisms and any local control functions are not properly integrated into the Group structures.
Senior compliance staff may want to consider issues such as to what extent branch reporting mechanisms are assessed and to what degree do they correspond with head office?
Those who work in Group control functions or who are senior managers within a Group may also like to consider whether any elements of this modern Scandinavian saga could happen at their firm, do you spot any similarities or are some of the processes familiar with your turf?
If yes, it may be worth discussing it with colleagues and examining whether it’s time to make some changes before the regulator comes knocking on your door.
Main photo: The Lithuanian offices of Danske Bank.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
About the author: Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016. He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.