How Danske is cleaning up after a €200B money laundering scandal

The report, which will focus on the “non-resident” accounts in Estonia through which the money was laundered, will not be made public until regulators and investigators in Denmark (and perhaps elsewhere—Danske is not saying) have looked through the findings as part of their own investigations.

It is not clear what action the bank will take on the back of its own probe, but it is a safe bet to think further improving compliance will be on the list.

During a nine-year period from February 2007 up until the end of January 2016, Denmark’s biggest bank failed to spot billions of euros of illicit funds from countries including Azerbaijan, Moldova, and Russia were being laundered through one of its Baltic operations.

The bank initially thought about €4 billion (U.S. $4.65 billion) was laundered: latest estimates indicate it is 50 times higher.

What went wrong

Danske Bank’s money laundering scandal is widely believed to be the third biggest in the world after Wachovia Bank and Standard Chartered, whose own criminal activities coincidentally started around the same time as those at Danske.

To find out what went wrong—and how badly—Danske first commissioned law firm Bruun & Hjejle in autumn 2017 to investigate the allegations.

The firm’s resulting “Report on the Non-Resident Portfolio at Danske Bank’s Estonian branch” released in September 2018 made for uncomfortable reading.

It found that a series of major deficiencies in the bank’s governance and control systems made it possible for criminals to use its Estonian branch for suspicious transactions starting in 2007 (when it acquired Sampo Bank) and that it had around 15,000 customers that were either “non-resident” or had similar characteristics that should have created money laundering red flags.

Danske received a tip from a whistleblower in 2013 but, despite follow-ups by internal audit and compliance, management failed to take quick and decisive action.

The investigation also found only part of the suspicious customers and transactions were reported to authorities; that the Estonian branch had “insufficient focus” on the risk of money laundering; that the Estonian control functions did not have a satisfactory degree of independence from the Estonian organization; and that the branch operated with its own culture and systems and too independently from the rest of the group without adequate control or management focus.

The group has since exited its banking activities in Estonia, Russia, and Latvia and is in the process of doing the same in Lithuania.

The fallout for the bank was immediate. Danske’s then-CEO Thomas Borgen resigned in September 2018 amid an executive boardroom shuffle and was charged by Danish prosecutors last year for his involvement. The bank is also subject to ongoing criminal and regulatory investigations in Denmark, Estonia, France, and the United States and faces 276 separate legal actions in Denmark brought by individuals and groups of investors, worth around DKK 6.5 billion (U.S. $1 billion). A separate investor lawsuit is worth up to DKK 1.3 billion (U.S. $200 million). The bank intends to defend itself against all claims.

Another legal action—estimated to be worth around DKK 2.7 billion (U.S. $420 million)—was initiated in February against Borgen by 72 institutional investors.

Danske moving forward

Since the scandal, Danske has invested heavily in improving its compliance and risk management functions. According to the bank’s interim report for the first half of this year released in July, operational spend for 2020 is some 7 percent higher than in 2019 ($2.14 billion compared to $2 billion) due primarily to costs relating to the bank’s transformation in the wake of the Estonia scandal, financial crime prevention, and the strengthening of the bank’s compliance and regulatory setup.

As part of its compliance and risk management overhaul spearheaded by the group’s chief compliance officer and member of the executive leadership team Philippe Vollot—who joined from Deutsche Bank in November 2018—Danske has strengthened the bank’s risk culture and risk awareness by redesigning and simplifying risk frameworks, methodologies, and policies, as well as by improving the handling and learnings from risk events.

The bank has also recruited additional resources across the group to ensure sufficient skills and expertise are in place for further implementation of its non-financial risk framework. For example, in the immediate aftermath of the scandal, the bank quadrupled the number of full-time employees working on financial crime to 1,200.

Over the past year, Danske has again increased the number of employees engaged in preventing financial crime, improved KYC controls so they are more efficient and more effective, and delivered training to all employees to enable them to better identify and manage potential financial crime risks. The bank has also invested in more effective IT systems for automated transactions monitoring and has created a Conduct & Compliance Committee to improve the board’s oversight of compliance matters. It has also overhauled its sanctions screening techniques to better detect suspect accounts and suspect transactions.

Other measures to improve governance include making senior managers and executive board members more directly accountable by including risk management and compliance in their performance agreements and by strengthening the bank’s “three lines of defense” model and whistleblowing procedures.

Just how badly Danske will be hit by fines and criminal sanctions in the future over the Estonian money laundering debacle is sheer guesswork. However, given the steps the bank has taken under Vollot, in particular, and the board generally, it is fair to acknowledge the bank’s views toward risk management and compliance are not the same as they once were. And while it may take time for the bank to restore its reputation, the positive measures being taken will surely help.