The money laundering scandal that has rocked Danske Bank – Denmark’s largest bank – highlights some key points, not just for the bank, but also for financial crime professionals the world over.
To better understand this case, it is worth looking at the initial findings of the review conducted by the Danish Financial Supervisory Authority (DFSA) into Danske, in relation to allegations of money laundering at its branch in Estonia.
In continuation from the first part of this two-part article, it’s worth exploring the issues raised in the review and considering how they might apply to compliance departments or impact the work of AML professionals.
Goodbye to non-resident customers
An important development was that in January 2015, the Board decided to exit the non-resident portfolio within the Estonian branch, some eighteen months after the termination of a relationship by a correspondent bank and over a year after being alerted to the whistleblower’s concerns.
The exit process took another year to complete notwithstanding pressure from the Estonian regulator and another relationship being terminated by another correspondent over the branch’s British corporate customers who were controlled by Russians and its Moldovan customers.
By mid 2015, after pressure from the local regulator, the CEO of the Estonian branch was replaced, however the Board or the Executive Committee were not involved, as per standard procedure, in the selection of his replacement.
Although there had been indications of problems since mid 2013 and various reviews conducted throughout 2014, it was not until January 2015 that Danske notified the DFSA of the Estonian regulator’s concerns.
Previously, the Head of Compliance and AML had rejected the proposal of the Chief Risk Officer to notify the Estonian, the Danish and the UK regulators of the branch’s failings.
The saga now jumps forward to April 2017 when the Board commissioned an external consultant to ascertain why the internal controls has failed.
However, it was not until September 2017 that an external review was commissioned to evaluate the the extent of suspicious transactions and customers. December 2017, four years after the whistleblower’s first report, saw a law firm appointed to supervise the latest review.
The DFSA delivered, in May 2018, a withering critique to the Board of Directors:-
*the three lines of defence failed so that customers could launder vast amounts;
*Danske failed to properly integrate the Baltic Compliance and AML unit into the Group’s function;
*Danske failed to properly investigate the whistleblower’s reports, including the suspected collusion between some branch employees and non-resident customers who were involved in criminal activities;
*Danske took over four years after the termination of a relationship by a branch correspondent in mid 2013 to investigate the extent of suspicious transactions and customers in the branch;
*the Board failed to discuss the regulatory problems in Estonia in its meetings or failed to ensure there were proper Board minutes recording such discussions;
*it was not until January 2015 that the decision was made to exit the non-resident business and it took a further twelve months to finally close the unit;
*Danske’s internal reporting, decision making processes and culture failed to identify and then adequately handle the issues and their mitigation, including regulatory notifications, covering the period up to early 2016 and from January 2017;
*the GIA function had not properly integrated its Baltic team into the department prior to December 2013 and thereafter failed to ensure that the Executive Board and the Board of Directors were aware of the Estonian issues;
*the Group Compliance and AML function and their Legal counterparts failed to ensure compliance with Danish AML law prior to December 2013 and then they failed to adequately mitigate the identified failings;
*Danske failed to inform the DFSA of AML concerns although it was clear in early 2014 to some Executive Board members and some senior employees that information supplied to the DFSA and the Estonian regulator in 2012/3 was misleading;
*Danske failed to appoint a Head of AML between December 2012 and November 2013 and failed to notify the DFSA of this omission until February 2018;
*Danske failed to replace the Estonian branch management for eighteen months after the first report by the whistleblower;
*Danske failed to provide the DFSA with adequate information from January 2017 onwards.
As a result of these failings, the DFSA decided to impose an additional risk capital requirement of 0.7%.
In monetary terms, this amounted to 5 billion Danish Kroner (£600 million). The regulator gave the Board two months to respond to the criticism and to explain the changes that would be introduced to prevent a recurrence of these issues.
The Board takes action
In response to the considerable regulatory and media attention, Danske have announced that currently over 1,000 staff now work on AML issues and that over the past year they have sent over 9,300 Suspicious Activity Reports to the authorities .
New procedures have been rolled out and all Danske staff have been retrained. The Board further announced that Danske will not “financially benefit” from any revenues, estimated to be DKK1.5 billion (£178 million), generated from any suspicious transactions by non resident customers in Estonia by paying an equivalent amount of such revenues “for the benefit of society” including preventing financial crime.
The Board and the regulators now await the conclusions from Danske’s own internal investigation supervised by an external law firm which is due to report in September 2018.
An Executive Board member has resigned from Danske over his role in the saga. The Board may take disciplinary action against other senior members of staff once they receive the report, whilst regulators may apply their own sanctions.
In addition to the points raised in the first part of this article, financial crime staff would be well advised to consider some lessons and questions for compliance departments that arise from this case:
1. Review the financial statements of corporate clients to ensure they are not inconsistent with the transaction history and balances held with your firm. One should ask questions like, for example, does a company that publicly files “dormant” accounts frequently conduct transactions with your firm?
2. It is also important to know: does your firm ensure that significant findings arising from regulators’ reviews are notified to and considered by the Audit Committee and the Board of Directors?
3. In appropriate cases, consider appointing an external party rather than internal staff to conduct investigations in order to maintain a degree of objectivity and independence. Legal privilege may be obtained if a law firm is commissioned for such investigations.
4. How seriously does your firm take whistleblower’s reports, including of alleged collusion between some branch employees and non-resident customers who are possibly involved in criminal activities? How long does it take before it decides to act on information supplied?
5.Although there had been indications of problems since mid 2013 and various reviews conducted throughout 2014, it was not until January 2015 that Danske notified the DFSA of the Estonian regulator’s concerns. How would your department and manager have handled this scenario? Generally, how long would it take before your bank or firm notifies the regulator?
The old adage ‘prevention is better than cure’ may well apply here.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
About the author: Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016. He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.
Main photo: The offices of Danske Bank in Lithuania.