Danske Bank reveals Estonian branch may have laundered $230 billion as CEO steps down
Friday, September 21, 2018
Posted by: Brian Monroe
By Brian Monroe
September 21, 2018
Denmark’s largest bank admitted that a Baltic branch has potentially laundered hundreds of billions of dollars in a widening financial crime probe that has risen larger each month, with the latest twist being that the head of the entire bank has stepped down in disgrace.
Danske Bank has made headlines in recent months as the scope of potential money laundering through its Estonia branch tied to risky regions such as Russia, Azerbaijan and Ukraine has soared from an initial estimate of $80 billion, then to $150 billion and, now, in an 87-page report released Wednesday, to an estimated $234 billion – leading to the bank’s Chief Executive Officer, Thomas Borgen, to say he is stepping down.
As a point of context in this battle in the Baltics, the suspicious financial flows equate to nearly the size of the entire gross domestic product of Denmark, currently pegged at just more than $300 billion. Danske Bank has total assets of $472.5 billion and revenues of $7.6 billion.
Danske Bank did this by becoming the bank of choice for thousands of customers residing outside Estonia, which the audit firm refers to as the burgeoning “Non-Resident Portfolio.” To read the bank’s press release, click here. To read the bank’s announcement of the CEO’s resignation, click here.
The Estonian branch and the non-resident portfolio had become part of Danske Bank when it acquired Finnish-based Sampo Bank in 2007, where the bank also acquired branches in Latvia and Lithuania.
“It is clear that Danske Bank has failed to live up to its responsibility in the case of possible money laundering in Estonia,” Borgen said in a statement. “I deeply regret this. As the CEO, I have the management responsibility for the things that take place in the bank, and, of course, I take on this responsibility.”
So far, more than 40 employees and agents “have been deemed to have been involved in some suspicious activity,” and been reported to the Estonian financial intelligence unit, while eight former employees have been reported to the Estonian police by Danske Bank.
In the report by Danish law firm Bruun & Hjejle, done at the behest of the bank, reviewers found widespread financial crime compliance failings at every level of the bank and at every pillar of the anti-money laundering (AML) program from 2007 to 2015, roughly the time when the bank undertook aggressive investigations to uncover potential illicit activity while later shedding its non-resident accounts.
Required reading for compliance officers
The lengthy and detailed report – required reading for all AML compliance professionals, particularly those in the region – included failures to query and risk rank clients and regions, monitor and report suspicious activity, track and escalate aberrant alerts and purposeful omissions related to client details and actions to shield profitable patrons, just to name a few.
A simple word search in the document uncovers that issues related to term AML is referenced more than 200 times, compliance nearly 100 times and the term laundering nearly three dozen times.
The investigation into Danske Bank and recent penalties against other European institutions show the dynamic U.S. regulators having weaker laws and stronger penalties and foreign regulators having more stringent laws but lax enforcement could be changing, said Jim Richards, the principal and founder of RegTech Consulting and the former AML/BSA compliance officer for Wells Fargo.
“The EU has been very prescriptive with rules-based regulations, but along with that went lax supervision and little AML enforcement,” said Richards, who has more than 30 years of compliance experience in top posts. “The U.S. has taken a different approach, with principals-based regulation, mixed supervision and heavy AML enforcement.”
He called the revelations related to Danske Bank and recent penalties an “in-cycle game changer,” meaning the cycle of stronger supervision and penalties may just be ramping up, with the revelations in the report and expected penalties to be “precedent setting.”
It should, however, have come as no surprise to Danske compliance staff that Estonia is a “conduit for Russian money,” Richards said, adding that what is still unknown is if the Estonian branch’s AML team at least were filing some suspicious activity reports on the aberrant activities. “And we don’t know if Danske’s correspondent banks, including U.S. banks, were filing SARs and even exiting their relationships with Danske,” said Richards.
This is also not the first time the bank has had to admit publicly that the branch is replete with catastrophic compliance control failings.
Danske Bank informed the public about the findings by Washington, D.C.-based Promontory, with the global consulting firm concluding that “several major deficiencies led to the branch not being sufficiently effective in preventing it from potentially being used for money laundering in the period from 2007 to 2015,” the bank stated in a September 2017 press report.
The investigations presage potential penalties from other European regulators that have recently found their teeth when it comes to financial crime and corruption failings and more aggressive enforcement.
Earlier this month, ING Groep, the Netherlands’ largest financial institution, stated it would pay Dutch authorities 775 million euros, or $900 million, in a historic settlement for broad failures in its financial crime compliance controls that allowed illicit groups to launder an estimated hundreds of millions of dollars for years. To read ACFCS coverage of the action, click here.
In the same week, French banking behemoth Société Générale stated it is expecting to pay a 1.1-billion-euro penalty, or $1.27 billion, to a host of U.S. federal and state investigative and regulatory authorities for breaching U.S. sanctions rules – the second time in recent months the bank has had to negotiate a high-profile settlement for financial crime compliance failures. To read ACFCS coverage of the impending fine, click here.
Regulators try to intervene
The report also details attempts by regulators to highlight the AML failings at Danske Bank and set out a course of improvements.
During 2014, the Estonian Financial Supervision and Resolution Authority (FSA) conducted three inspections at the Estonian branch, with two reviews finding that branch management had not ensured employees had the required expertise or “professional suitability” to identify or mitigate the rising customer risks.
As well, the Estonian regulator performed a more detailed review of performance related specifically to AML requirements, eventually concluding that Danske Bank “systematically established business relationships with persons in whose activities it is possible to see the simplest and most common suspicious circumstances.”
Further, reviewers judged that the bank valued profits over compliance program requirements.
“[W]e have therefore systematically identified situations during our on-site inspection where Danske Bank’s system for monitoring transactions and persons is effectively not working,” the Estonia FSA examiners said, as captured in the audit report. “Economic interests prevail over the obligation to apply enhanced due diligence measures.”
Both the Danish and Estonian regulators have further harsh words for Danske Bank in public comments. To red them, click here and here.
There were “so many shortcomings in all three defen[s]e lines, that it was possible for customers to use the branch for crimes involving large amounts,” the Danish regulator stated on its site, adding that the bank’s lax governance and AML controls caused it to miss obviously suspicious activity and report those to authorities.
In tandem, Danske Bank “did not inform the FSA about the problems ascertained with the measures to present money laundering although, from the beginning of 2014, it should have been obvious for some managers and other senior employees that the information from the bank in 2012 and 2013 to the Danish and Estonian financial supervisory authorities had been misleading.”
The audit report is “clear evidence of the extent of the deficiencies that existed at the bank,” said Kilvar Kessler the chairman of Finantsinspektsioon, the Estonian regulatory agency. “The report describes serious shortcomings in the organi[z]ation of Danske Bank, where risk-appetite and risk control were not in balance.”
By the numbers: The Danske Bank investigation
The investigations have been “very thorough and extensive,” according to the bank. Here is a snapshot of the effort it can take to investigate, identify, remediate processes and ameliorate authorities when a single foreign branch in a risky locale falls afoul of AML best practices:
· Reviewed 15,000 customers.
· Reviewed 9.5 million payments.
· Reviewed 12,000 documents.
· Analyzed more than eight million emails.
· Conducted more than 70 interviews with current and former employees and managers, including members of the Executive Board and members of the Board of Directors.
· Overall, approximately 70 people have worked full time on the investigations.
· Scrutinized some 6,200 customers “starting with the customers hitting most risk indicators first. Almost all of these customers have been reported to the authorities.”
· 42 employees and agents have been deemed to have been involved in some suspicious activity, reported to Estonian financial intelligence unit.
· Eight former employees have been reported to the Estonian police by Danske Bank.
More investigations coming
The bank is also facing more investigations from regulators and authorities near and far, along with being shunned by many global banks in relation to its correspondent network connections – some of the factors that have led the bank’s stock price to plummet some 30 percent this year.
Regulators and investigators in its home country and Estonia along with the United States, and potentially other European agencies and watchdog groups, are looking at the evidence to determine if they should follow suit.
In parallel, many large U.S. banks have recently closed their correspondent relationships with Danske Bank, fearful that the institution could be allowing risky and secretive “nested” entities surreptitious entre into the U.S. financial system.
IT integration failures lead to blind spots
It was also nearly impossible for Danske Bank compliance officers in Denmark to have visibility into any potential customers or even sub-entities hidden behind correspondent portals due to a lack of AML systems integration between the Estonian branch and headquarters, according to the law firm report.
The issues started for the Estonian branch when the non-resident portfolio become part of Danske Bank in 2007 after it acquired Finnish-based Sampo Bank. At issue was that the foreign portfolio contained a wealth of risky individuals and entities from Russia, Ukraine and Azerbaijan, which needed extra due diligence at the front end and more rigorous transaction monitoring after the merger – ideally by the more experienced home country compliance staffers.
That didn’t happen.
“The Estonian branch had its own IT platform,” according to the report. “This meant that the branch was not covered by the same customer systems and transaction and risk monitoring as Danske Bank Group headquartered in Copenhagen.”
As a result, that meant that the Danske headquarters group “did not have the same insight into the branch as other parts of Group,” according to the report. Further complicating matters: “Many documents at the Estonian branch, including information about customers, were written in Estonian or Russian.”
Whistleblower, internal, external pressures converge
Ironically, many in the bank believed it could absorb the higher risks betwixt the nonresident portfolio because they would be “mitigated by appropriate anti-money laundering (AML) procedures.”
But in early 2014, following a report from a whistleblower and audit letters from Group Internal Audit, “it became clear that AML procedures at the Estonian branch had been manifestly insufficient and inadequate.”
As well, AML procedures “also became subject to harsh criticism from the FSA in Estonia, and Danske Bank was met with regulatory sanctions from both the Estonian FSA in July 2015 and the Danish FSA in March 2016. The Non-Resident Portfolio was terminated in 2015 with the last accounts being closed in early 2016.”
The report will also likely have aftershocks in other regional Baltic banks, said Richards, of RegTech consulting.
“Any reasonable BSA officer who has taken a look at the Danske case better be anticipating that his or her senior management, board of directors and other top executives are going to say ‘whoa, I just read about this case, is our bank impacted at all.”