This article appears as the "Discussion of the month" topic in AML News and Updates Newsletter - December 2022 edition which can be found here.
The Danske bank Estonian branch case shows how a lack of effective corporate governance, insufficient monitoring of the subsidiaries, and inadequate due diligence measures can expose a reputable bank to money laundering.
Penalties for Danske Bank
Danske Bank, a global financial institution headquartered in Denmark, pleaded guilty on December 13th, 2022 for facilitating money laundering through its Estonian branch between 2008-2016.
The amounts to be paid to authorities:
➡️ $2 billion from the U.S. Department of Justice (DoJ) minus $850 million for payments conducted by Danske Bank for parallel investigations by other domestic and foreign authorities. The allegation is that "Danske Bank defrauded U.S. banks regarding Danske Bank Estonia's customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia's high-risk customers, who resided outside of Estonia – including in Russia."
➡️ DKK 4.7 million from the National Special Crime Unit (Denmark): for failures to ensure compliance of the Estonian branch on a Group level, failures to follow up allegations made by the whistleblower, failures to investigate suspicious transactions, etc.
➡️ $413 million from the U.S. Securities and Exchange Commission for violating the antifraud provisions of the Securities Exchange Act of 1934.
Here's a timeline of the main events that show how things took the wrong way:
2007: Danske Bank took over the Finnish bank Sampo AS, including its Estonian subsidiary, which had a large base of "non-resident portfolio," including customers from the Russian Federation.
The Estonian FSA and the Russian Central Bank provided warnings about possible "tax and customer payments evasion" and "criminal activity in its pure form, including money laundering" estimated and "billions of rubles monthly." However, no action was taken by Danske bank.
2008: The internal audit report on AML procedures of the Estonian branch gave the branch a "satisfactory" rating, stating that "the non-resident customers department has improved considerably in applying KYC principles" and only found a few shortcomings.
The same year, Danske Bank abandoned the plans to migrate the Estonian branch IT platform to the Danske Bank Group because of the global financial crisis effects and the high costs involved.
2009: The Estonian regulator, the FSA, performed an AML inspection on the Danske Bank Estonian branch identifying that, although the internal procedures of the branch were in line with the legal framework, the customer documents and information collected did not comply with the requirements of the legislation and the internal procedures of the branch. That was the first opportunity missed by Danske Bank to improve its AML measures.
2010: An American newspaper published an article linking a specific suspicious company and a North Korean arm smuggling case in Thailand to the Danske Bank Estonian branch. Also, Estonian media linked the branch to an alleged money-laundering scheme involving a currency exchange company and a specific customer. Again, no actions taken.
2011: The Internal Audit report on AML compliance of the Danske Bank Estonian branch assigned a "satisfactory" rating on compliance and a "fair" rating for AML, highlighting "several deficiencies in mandatory documentation."
2012: The Danish FSA warned about "a number of serious AML/CFT issues in the Estonian branch." The Danske Bank Legal and Group Compliance & AML department reported that they were aware of the high-risk customer database of Sampo Pank Estonia and that they were confident that the controls in place correspond to the actual risk. The management relied on information provided by the Estonian branch.
2013: One of the correspondent banks for clearing USD payments terminated the business relationship with Danske Bank Estonia for AML purposes. This was another real opportunity to scrutinize the non-resident portfolio of Danske Bank Estonia, which was again missed.
2014: A whistleblower reported to the Danske Bank (parent company), disclosing details about specific customers involved in money laundering. Further allegations were made in the following months by the whistleblower, which was not appropriately investigated.
The 2014 Group Internal Audit Report had an "action needed" rating, indicating significant deficiencies in the Danske Bank Estonia AML program.
Until 2014, the Executive Board was given comfort that had no basis to worry, that the situation had come under control and that problems belonged to the past. However, following another allegation from the whistleblower and the Internal Audit report, Danske Bank in Denmark realized that there was a historical misconception.
2015: The non-resident portfolio was terminated.
2016: The last accounts were closed.
The case was resolved in 2022 after multiple investigations in various jurisdictions.
It is estimated that, between 2007-2015, more than €200bn was laundered through the Estonian branch by money launderers, including corrupt actors in post-Soviet states.
These actors used shell companies in Spain, Sweden, the United Kingdom, and other European countries to launder dirty money.
Some customers that maintained accounts with Danske Bank Estonia were participating in the "Russian Laundromat" and "Azerbaijani Laundromat."
Main failures of the Danske Bank:
❌ The branch IT platform was operated independently, making it extremely difficult for the parent company to monitor the branch's activities.
❌ The Board of Directors missed a lot of opportunities to remedy the weaknesses.
❌ During 2013, the Estonian branch had not appointed an anti-money laundering (AML) officer to oversee the AML program.
❌ Basic customer due diligence procedures: Insufficient controls to identify the beneficial owners and their source of funds and wealth.
❌ Insufficient training of employees
❌ Insufficient attention to customer activities
❌ No screening of customers against politically exposed persons (PEPs) lists and sanctions lists.
❌ No screening of incoming payments against sanctions or terror lists.
❌ Lack of response to suspicious customers and transactions.
Until today, Danske Bank's share is less than half what it was before the scandal was revealed.
Source: Yahoo Finance
This case provides valuable lessons for financial institutions that should take appropriate measures to protect themselves against financial crime and reputational damages.
Source of information for events: Brunn & Hjejle Report on the Non-Resident Portfolio at Danske Bank’s Estonian branch (September 2018)