Danske Bank case illustrates poor anti-money laundering practices

Compliance and legal troubles at Danske Bank continue to escalate.

On Aug. 6, Denmark’s State Prosecutor for Serious Economic and International Crime (SØIK) announced it has initiated a criminal investigation against Danske Bank for possible money laundering violations related to suspicious transactions connected to the bank’s Estonian branch.

“Due to the very serious nature and scope of the case, we have followed the case for a long time,” State Prosecutor Morten Niels Jakobsen of SØIK said in a statement. The investigation has now progressed enough where SØIK can finally confirm that it has launched an investigation and is currently determining whether to bring criminal proceedings against Danske Bank for violations of Denmark’s Money Laundering Act, he said. Jakobsen added that the case has been a high priority for a long time.

Since Danish prosecutors launched their investigation, “more police reports have been received against Danske Bank in the case,” Jakobsen said. Danish prosecutors have obtained a “very extensive” amount of information and material, including from Finanstilsynet (the Danish Financial Supervisory Authority) and are in discussions with several international collaborators, he said.

It’s too early to say whether criminal proceedings will result, but no stone will be left unturned, Jakobsen said. Under the Money Laundering Act and the underlying EU Directive, sanctions for money-laundering violations must be effective, proportionate, and dissuasive. “In practice, the determination of fines is based on the size of the total suspicious transactions that a financial institution has not handled correctly,” Jakobsen said. “This means that the fine significantly exceeds the profit.”

The Danish investigation began in the same week that Estonia’s public prosecutor launched an investigation of its own into the bank’s money laundering activities. The investigations relate to the now-defunct, non-resident portfolio at the bank’s Estonian branch from 2007 to 2015.

The bank has been aware of AML issues for years. In December 2013, senior employees at the bank received a whistleblower report about AML issues in relation to a customer in the Estonian branch’s non-resident portfolio (that is, Russian and other non-Baltic customers).

It was not until September 2017, however, that Danske Bank launched an investigation into the non-resident portfolio of the Estonian branch. The investigation covers nine years of data, including more than nine million e-mails, 7,000 documents, and millions of transactions.

Compliance shortcomings

Danske Bank said it received eight orders and eight reprimands from the Danish Financial Supervisory Authority (Danish FSA) on May 3, 2018, regarding management and governance in relation to the AML case at the Estonian branch. “Danske Bank has taken several steps and initiatives to comply with the orders and will continue the work going forward,” Danske Bank CEO Thomas Borgen said on a July 18 conference call with investors.

“[I]t is clear that Danske Bank has failed to live up to our own standards and expectations of our stakeholders in terms of preventing our Estonian branch from being used for potential illegitimate activities.”
Thomas Borgen, CEO, Danske Bank

These orders and reprimands follow the findings of a scathing report by the Danish FSA, describing multiple failures by the bank’s management team to prevent the money laundering. In its report, the Danish FSA said it “finds it particularly worthy of criticism” that:

Deficiencies in all three lines of defense at the Estonian branch were so significant that customers had the opportunity to use the branch for criminal activities involving vast amounts;

The bank did not initiate an investigation into the extent of suspicious transactions and customer relationships until September 2017—more than four years after the termination by one of the branch’s correspondent banks of its correspondent bank relations and almost four years after the whistleblower report;

The bank deferred the decision to close the part of the non-resident portfolio that related to customers who did not have personal or business-related links to the Baltic countries until January 2015 and that the closedown was not completed until January 2016;

The bank’s internal reporting, decision-making processes and corporate culture failed to ensure that the problems of the non-resident portfolio were sufficiently identified and handled in a satisfactory way, including by reporting suspicion of criminal activities to relevant authorities;

The bank did not inform the Danish FSA of the identified AML issues, even though in early 2014, it should have been clear to some executive board members and other senior employees that the information previously provided by the bank to the Danish FSA and the Estonian FSA in 2012 and 2013 was misleading and that it should have been clear to them that the supervisory authorities focused on the area; and

The bank’s information to the Danish FSA since the beginning of 2017 has been inadequate.

“Consequently, the case has uncovered serious weaknesses in the bank’s governance in a number of areas,” the report stated. “On this basis, the Danish FSA finds that the bank is exposed to significantly higher compliance and reputational risks than previously assessed.”

The Danish FSA acknowledged, however, that the bank has made improvements in its AML and compliance areas in recent years. For example, the bank has stated that it has increased the number of employees working with AML in the first and second lines of defense from less than 200 to 550 last year and nearly 900 today. Among other things, the bank has also expanded and updated internal AML training, worked to strengthen the compliance culture, and made considerable IT investments.

AML FAILURES

Below is an excerpt from the findings of the report by the Danish Financial Supervisory Authority regarding failures by Danske Bank’s management and senior employees to prevent money laundering.
From the end of 2012 to November 2013, Danske Bank did not have a person responsible for AML activities as required by the Danish Anti-Money Laundering Act. The Danish FSA was not notified of this until February 2018, and then as a result of the Danish FSA’s supplementary questions.
The board of directors and the executive board have stated that in practice, the head of group compliance and AML, who reported to the bank’s CFO, was the person responsible for AML activities.
The bank had, and has, organized its management using three so-called lines of defense. The first line of defense is the business itself, which must ensure correct, legal, and expedient operations. The second line of defense is a risk management function that is to identify and mitigate risks and a compliance function that is to check compliance with rules. Finally, the third line of defence is the internal audit department, which monitors whether the first and second lines of defence identify the problems. Management receive s reporting from the three lines of defence on an ongoing basis.
The board of directors and the executive board have stated that when assessing the board of directors’ and the executive board's work and the volume of written material that the members of the two boards receive, it should be taken into consideration that the branch in Estonia accounts for only a small part of the total business and total risks. They have argued that because of this, management must to a large degree rely on the defence systems in place to function. When information about the business and the fectiveness of defence systems of a worrying nature comes to light, management attention must , however, increase. At the end of 2013, the branch's assets made up about 0.5% of the group ’ s total assets, while profit before impairments made up about 2.0% of g roup profit before impairme nts for the year 2013. In respect of the Estonian branch, there were deficiencies in all three lines of defence. The first line of defence at the branch did not focus on efficiently combating money laundering despite the significant number of high - risk, non - resident customers. T his was not identified by the first line of defence at Business Banking in Copenhagen, which received a number of reports stating that the branch complied with the rules. The second - line integration of the Baltic units into the Group’s risk management, inc luding monitoring and reporting, was weak. AML at the branches in the Baltic countries was not mentioned as a compliance risk in the bank’s management reporting. The third line internal audit formed part of Group Internal Audit (GIA). The i ntegration of th e branch’s internal audit department with GIA was also inadequate . Several documents show how management in Copenhagen did not integrate the Estonian branch in the bank’s risk management and control systems, but instead allowed the branch to operate with significantly different risk exposure and to a large extent, the branch itself conducted controls.
Source: Danish Financial Supervisory Authority

Additionally, the bank in July appointed Philippe Vollot as chief compliance officer and as a new member of the executive board. Vollot will take up his position by Dec. 1, 2018. “With Philippe Vollot as new member of our executive board, we strengthen our competencies within compliance and anti-financial crime, which has been a focus area at Danske Bank in recent years,” Borgen said.

Regulatory action

Separately, the Legal Affairs Committee of the Riigikogu (Parliament of Estonia) on July 31 convened a meeting to find out why nobody took responsibility for the money laundering case concerning Danske Bank.  “We would like to get answers from the supervisory agency and the investigative bodies on how this criminal deception could be carried out through Estonia for such a long time, and if the authorities have done everything they can to investigate it,” Committee Chairman Jaanus Karilaid said in a press statement.

Parliamentary parties have until Sept. 12 to submit opinions on “whether to establish a Riigikogu committee of investigation to deal with the money laundering case, or to form a working group at the Legal Affairs Committee that would investigate this problem in depth,” Karilaid said.

She added that the Committee is also considering “whether to change the legal order so that in the future the owner of the money or the conductor of the transaction has to prove the legality of the money.” At present, it is up to the state to prove the illegal origin of the money.

Danske Bank’s response

In response to the Estonian AML investigation, Borgen acknowledged that the bank had insufficient controls in place. “While it is too early to conclude as to the extent of suspicious transactions, it is clear that Danske Bank has failed to live up to our own standards and expectations of our stakeholders in terms of preventing our Estonian branch from being used for potential illegitimate activities,” he said.

Moving forward, Borgen said, Danske Bank is “committed to transparency with respect to the findings of the investigations, including a clear account of the issues, causes, and accountabilities.”

Additionally, the Danske’s board of directors and executive board have determined that Danske Bank should forego any profits from the suspicious transactions in the Estonian non-resident portfolio. Any gross income generated from such transactions from 2007 to 2015 will go toward combating international financial crime and other efforts, Danske Bank said.

Findings from the investigations will be reported by September 2018. The final amount to be made available will be decided after the investigations conclude. As it stands now, “we have no insight into any potential fine,” Borgen said.  “When we have some more clarity, we will communicate that to the market.”