On September 19, Danske Bank issued the report of its internal investigations into reported use of its Estonian branch between 2007 and 2015 by non-residents of Estonia for money laundering. The most dramatic finding in the report, prepared by a Danish law firm, was that during that period, approximately €200 billion ($234 billion) in potentially suspicious transactions flowed through that branch.
The report set forth ten principal findings:
- A series of major deficiencies in the bank´s governance and control systems made it possible to use Danske Bank’s branch in Estonia for suspicious transactions
- From Danske Bank’s acquisition of Sampo Bank (including Sampo’s Estonian branch) in 2007 until its termination of the customer portfolio in 2015, Danske Bank “had a large number of non-resident customers in Estonia that we should have never had, and [who] carried out large volumes of transactions that should have never happened.”
- “[O]nly part of the suspicious customers and transactions were historically reported to the authorities as they should have been
- “[I]n general, the Estonian branch had insufficient focus on the risk of money laundering, and branch management was more concerned with procedures than with identifying actual risk.”
- “[T]he Estonian control functions did not have a satisfactory degree of independence from the Estonian organization.”
- The Estonian branch “operated too independently from the rest of the [Danske Bank] Group with its own culture and systems without adequate control and management focus from the Group.”
- “[T]here is suspicion that there have been employees in Estonia who have assisted or colluded with customers.”
- “[T]here have been breaches at management level in several Group functions.”
- “[T]here were a number of more or less serious indications during the years, that were not identified or reacted on or escalated as could have been expected by the Group.”
- “[A]s a result, the Group was slow to realise the problems and rectify the shortcomings. Although a number of initiatives were taken at the time, it is now clear that it was too little and too late.”
The report also highlighted the composition of the Estonian branch’s customers:
- Approximately 10,000 customers belonged to the non-resident portfolio. To ensure that all relevant aspects were covered, the investigation covered “a total of around 15,000 customers with non-resident characteristics (that is, a further 5,000 customers).”
- Those 10,000 customers “carried out a total of around 7.5 million payments.”
- “The around 15,000 customers carried out a total of around 9.5 million payments.”
- “For all of the customers covered by the investigation, that is, around 15,000 customers, the total flow of payments amounted to around EUR 200 billion.”
The investigation analyzed “a total of some 6,200 customers found to have hit the most risk indicators. Of these, the vast majority have been found to be suspicious.” Overall, the bank “expect[s] a significant part of the payments to be suspicious.”
The bank also addressed disciplinary measures it had taken against current and former employees. It stated that “[m]anagement has taken all the steps necessary vis-à-vis the employees and managers involved in Estonia and Denmark in the form, among other things, of warnings, dismissals, loss of bonus payments and reporting to the authorities, but we do not comment on individuals[.] The majority of these employees and managers are no longer employed with Danske Bank.” The bank added that that the investigation “has established that the Board of Directors, the Chairman and the CEO did not breach their legal obligations towards Danske Bank.”
The bank announced at least 16 remedial measures it had taken or was taking in response to the findings:
- The bank “will serve only subsidiaries of our Nordic customers and international customers with a solid Nordic footprint.
- “Governance and oversight in relation to the Baltics have been strengthened with the introduction of a new pan-Baltic management.
- “The independence of control functions in the Baltics has been strengthened and processes and controls have been raised to Group level to ensure the same level of risk management and control as in other parts of the Group.
- “The Baltic units have been migrated to a single shared IT platform, which enables increased transparency and oversight.”
- A quadrupling of the staff dedicated to combat financial crime that “now totals 1,200 full-time employees.”
- Initiation of a comprehensive AML program, “which has led to major changes in the form of new organisational structures, new routines and procedures, as well as the implementation of new IT systems.”
- Strengthening of “the compliance knowledge and culture across the organisation, among other things through a strong management focus and extensive mandatory training.”
- Implementation of “risk management and compliance in performance agreements of all members of the Executive Board and senior managers.”
- Strengthening of the whistleblower function “by transferring the responsibility for investigating reports to Group Compliance and implementing a stronger governance setup to handle reports,” and introduction of mandatory training about the whistleblower system.
- Generally strengthening of the three lines of defense, “which also includes ensuring increased independence of control functions and making sure that whistleblower reports and correspondence with supervisory authorities form part of reporting to the Board of Directors.”
- Recruitment of a new Chief Compliance Officer “with broad international experience.”
- Implementation of the extra Basel Pillar II capital requirement of DKK 5 billion and increase of the target for the total capital ratio to more than 19 percent.
- A Group assessment of management and governance in the Estonian branch.
- “Integration of compliance as a fundamental part of our culture at all levels.”
- “New initiatives and procedures to ensure that indications of potentially problematic issues are sufficiently investigated escalated in a timely manner and handled effectively.”
- Plans to establish a central unit at Group level “to ensure transparency and completeness in Danske Bank’s interaction with the FSA and due, timely and qualified reporting.”
Notwithstanding the bank’s conclusion that its Chief Executive Officer (CEO), Thomas Borgen, had not breached his legal obligations to the bank, Borgen announced, in a coordinated release, that he intended to resign as CEO. Although the investigation “concludes that I have lived up to my legal obligations,” he said, “I deeply regret” that the bank “has failed to live up to its responsibility in the case of possible money laundering in Estonia.”
Note: The reported total of €200 billion vastly exceeds all prior estimates of suspected money laundering transactions that flowed through the Estonian branch. Not surprisingly, public officials were quick to react to the report with concern. Danish Prime Minister Lars Lokke Rasmussen said that he was “shocked” and that the numbers were “of an astronomical magnitude.” The European Commissioner for Justice, Věra Jourová, described the situation as “the biggest scandal, which we have now in Europe,” and said that she “she would summon ministers from Denmark and Estonia to explain how Danske Bank executives and regulators missed the scandal.” In addition, the head of Denmark’s Financial Supervisory Authority (FSA), Jesper Berg, stated that the FSA was reopening the investigation of Danske Bank that it had “initially” closed in May 2018.
Borgen’s resignation and the unknown number of terminated employees that the bank mentioned are only a portion of the departures from Danske Bank over the last six months. In April, the bank board member responsible for business banking as well as Estonia resigned, and the head of wealth management reportedly “decided to leave after being with the bank since 1999.” In July, the head of group compliance resigned, while specifying his resignation was unconnected to the Estonian branch investigation.
Speculation has already begun about the potential financial penalties that Danske Bank could receive if regulators find that it has engaged in wrongdoing. According to Business Insider, the estimates range from US$630 million (by the Danish government) to US$2.3 billion (Credit Suisse) to US8.3 billion (by a key competitor of Danske Bank). Those estimates, however, do not make clear whether they take into account the interests of other nations through whose financial systems some of the suspicious transactions may have flowed. According to the Wall Street Journal, the U.S. Department of Justice, Securities and Exchange Commission (SEC), and Office of Foreign Assets Control have been investigating Danske Bank since a whistleblower filed a complaint with the SEC more than two years ago. A Danish member of the European Parliament said that he had spoken with the U.S. Department of the Treasury in July 2018 and that “there is no doubt that they also follow the Danske Bank case closely.”
Aggressive pursuit by all three of those agencies – and perhaps involvement by United Kingdom or French authorities — could substantially expand the scope and scale of Danske Bank’s ultimate criminal or regulatory liability. Although the bank will likely emphasize its recent remedial measures, including compliance improvements, in any dealings with those agencies, its acknowledged compliance weaknesses over nearly a decade and its tardiness in responding effectively may weigh heavily in any resolution of potential criminal or civil charges.
In the meantime, the Danske Bank investigation report is a treasure trove for compliance officers, who can use it as a basis for comparison with their own compliance programs and incorporate information from the report into their compliance training. The very fact that Danske Bank felt compelled to announce at least 16 remedial measures indicates the vast extent of the compliance flaws and weaknesses that may continue to cost the bank dearly, but that may help other financial institutions to avoid repeating its mistakes.