Author: Jonathan J. Rusch

On September 19, Danske Bank issued the report of its internal investigations into reported use of its Estonian branch between 2007 and 2015 by non-residents of Estonia for money laundering.  The most dramatic finding in the report, prepared by a Danish law firm, was that during that period, approximately €200 billion ($234 billion) in potentially suspicious transactions flowed through that branch.

The report set forth ten principal findings:

1. A series of major deficiencies in the bank´s governance and control systems made it possible to use Danske Bank’s branch in Estonia for suspicious transactions
2. From Danske Bank’s acquisition of Sampo Bank (including Sampo’s Estonian branch) in 2007 until its termination of the customer portfolio in 2015, Danske Bank “had a large number of non-resident customers in Estonia that we should have never had, and [who] carried out large volumes of transactions that should have never happened.”
3. “[O]nly part of the suspicious customers and transactions were historically reported to the authorities as they should have been
4. “[I]n general, the Estonian branch had insufficient focus on the risk of money laundering, and branch management was more concerned with procedures than with identifying actual risk.”
5. “[T]he Estonian control functions did not have a satisfactory degree of independence from the Estonian organization.”
6. The Estonian branch “operated too independently from the rest of the [Danske Bank] Group with its own culture and systems without adequate control and management focus from the Group.”
7. “[T]here is suspicion that there have been employees in Estonia who have assisted or colluded with customers.”
8. “[T]here have been breaches at management level in several Group functions.”
9. “[T]here were a number of more or less serious indications during the years, that were not identified or reacted on or escalated as could have been expected by the Group.”
10. “[A]s a result, the Group was slow to realise the problems and rectify the shortcomings. Although a number of initiatives were taken at the time, it is now clear that it was too little and too late.”

The report also highlighted the composition of the Estonian branch’s customers:

1. Approximately 10,000 customers belonged to the non-resident portfolio. To ensure that all relevant aspects were covered, the investigation covered “a total of around 15,000 customers with non-resident characteristics (that is, a further 5,000 customers).”
2. Those 10,000 customers “carried out a total of around 7.5 million payments.”
3. “The around 15,000 customers carried out a total of around 9.5 million payments.”
4. “For all of the customers covered by the investigation, that is, around 15,000 customers, the total flow of payments amounted to around EUR 200 billion.”

The investigation analyzed “a total of some 6,200 customers found to have hit the most risk indicators. Of these, the vast majority have been found to be suspicious.” Overall, the bank “expect[s] a significant part of the payments to be suspicious.”

The bank also addressed disciplinary measures it had taken against current and former employees.  It stated that “[m]anagement has taken all the steps necessary vis-à-vis the employees and managers involved in Estonia and Denmark in the form, among other things, of warnings, dismissals, loss of bonus payments and reporting to the authorities, but we do not comment on individuals[.] The majority of these employees and managers are no longer employed with Danske Bank.”  The bank added that that the investigation “has established that the Board of Directors, the Chairman and the CEO did not breach their legal obligations towards Danske Bank.”

The bank announced at least 16 remedial measures it had taken or was taking in response to the findings:

1. The bank “will serve only subsidiaries of our Nordic customers and international customers with a solid Nordic footprint.
2. “Governance and oversight in relation to the Baltics have been strengthened with the introduction of a new pan-Baltic management.
3. “The independence of control functions in the Baltics has been strengthened and processes and controls have been raised to Group level to ensure the same level of risk management and control as in other parts of the Group.
4. “The Baltic units have been migrated to a single shared IT platform, which enables increased transparency and oversight.”
5. A quadrupling of the staff dedicated to combat financial crime that “now totals 1,200 full-time employees.”
6. Initiation of a comprehensive AML program, “which has led to major changes in the form of new organisational structures, new routines and procedures, as well as the implementation of new IT systems.”
7. Strengthening of “the compliance knowledge and culture across the organisation, among other things through a strong management focus and extensive mandatory training.”
8. Implementation of “risk management and compliance in performance agreements of all members of the Executive Board and senior managers.”
9. Strengthening of the whistleblower function “by transferring the responsibility for investigating reports to Group Compliance and implementing a stronger governance setup to handle reports,” and introduction of mandatory training about the whistleblower system.
10. Generally strengthening of the three lines of defense, “which also includes ensuring increased independence of control functions and making sure that whistleblower reports and correspondence with supervisory authorities form part of reporting to the Board of Directors.”
11. Recruitment of a new Chief Compliance Officer “with broad international experience.”
12. Implementation of the extra Basel Pillar II capital requirement of DKK 5 billion and increase of the target for the total capital ratio to more than 19 percent.
13. A Group assessment of management and governance in the Estonian branch.
14. “Integration of compliance as a fundamental part of our culture at all levels.”
15. “New initiatives and procedures to ensure that indications of potentially problematic issues are sufficiently investigated escalated in a timely manner and handled effectively.”
16. Plans to establish a central unit at Group level “to ensure transparency and completeness in Danske Bank’s interaction with the FSA and due, timely and qualified reporting.”

Notwithstanding the bank’s conclusion that its Chief Executive Officer (CEO), Thomas Borgen, had not breached his legal obligations to the bank, Borgen announced, in a coordinated release, that he intended to resign as CEO.  Although the investigation “concludes that I have lived up to my legal obligations,” he said, “I deeply regret” that the bank “has failed to live up to its responsibility in the case of possible money laundering in Estonia.”

Note: The reported total of €200 billion vastly exceeds all prior estimates of suspected money laundering transactions that flowed through the Estonian branch.  Not surprisingly, public officials were quick to react to the report with concern.  Danish Prime Minister Lars Lokke Rasmussen said that he was “shocked” and that the numbers were “of an astronomical magnitude.” The European Commissioner for Justice, Věra Jourová, described the situation as “the biggest scandal, which we have now in Europe,” and said that she “she would summon ministers from Denmark and Estonia to explain how Danske Bank executives and regulators missed the scandal.”  In addition, the head of Denmark’s Financial Supervisory Authority (FSA), Jesper Berg, stated that the FSA was reopening the investigation of Danske Bank that it had “initially” closed in May 2018.

Borgen’s resignation and the unknown number of terminated employees that the bank mentioned are only a portion of the departures from Danske Bank over the last six months.  In April, the bank board member responsible for business banking as well as Estonia resigned, and the head of wealth management reportedly “decided to leave after being with the bank since 1999.”  In July, the head of group compliance resigned, while specifying his resignation was unconnected to the Estonian branch investigation.

Speculation has already begun about the potential financial penalties that Danske Bank could receive if regulators find that it has engaged in wrongdoing.  According to Business Insider, the estimates range from US$630 million (by the Danish government) to US$2.3 billion (Credit Suisse) to US8.3 billion (by a key competitor of Danske Bank).  Those estimates, however, do not make clear whether they take into account the interests of other nations through whose financial systems some of the suspicious transactions may have flowed.  According to the Wall Street Journal, the U.S. Department of Justice, Securities and Exchange Commission (SEC), and Office of Foreign Assets Control have been investigating Danske Bank since a whistleblower filed a complaint with the SEC more than two years ago. A Danish member of the European Parliament said that he had spoken with the U.S. Department of the Treasury in July 2018 and that “there is no doubt that they also follow the Danske Bank case closely.”

Aggressive pursuit by all three of those agencies – and perhaps involvement by United Kingdom or French authorities — could substantially expand the scope and scale of Danske Bank’s ultimate criminal or regulatory liability.  Although the bank will likely emphasize its recent remedial measures, including compliance improvements, in any dealings with those agencies, its acknowledged compliance weaknesses over nearly a decade and its tardiness in responding effectively may weigh heavily in any resolution of potential criminal or civil charges.

In the meantime, the Danske Bank investigation report is a treasure trove for compliance officers, who can use it as a basis for comparison with their own compliance programs and incorporate information from the report into their compliance training.  The very fact that Danske Bank felt compelled to announce at least 16 remedial measures indicates the vast extent of the compliance flaws and weaknesses that may continue to cost the bank dearly, but that may help other financial institutions to avoid repeating its mistakes.

On September 17, the Swiss Financial Market Supervisory Authority (FINMA) announced that it had concluded two enforcement procedures against Credit Suisse AG for deficiencies in its anti-money laundering (AML) procedures.  The first enforcement procedure stemmed from FINMA’s investigations since 2015 into several banks with regard to suspected corruption involving the Fédération Internationale de Football Association (FIFA), the Brazilian energy company Petrobras, and the Venezuelan state-owned oil and natural gas company Petróleos de Venezuela, S.A. (PDVSA).  FINMA then commissioned an investigation “to establish the relevant facts at Credit Suisse” for the 2006-2016 period, and launched an integrated enforcement procedure due to the commonalities between the three cases.

Through this enforcement procedure, FINMA determined that Credit Suisse “had infringed its anti-money laundering supervisory obligations in all three instances.”  It found five types of “shortcomings” that occurred repeatedly over a number of years (mostly before 2014): (1) Identifying the client; (2) determining the beneficial owner; (3) categorizing a business relationship as posing an increased risk; (4) performing the necessary clarifications upon increased risk plus associated plausibility checks; and (5) documentation.

Each of these shortcomings ties back to the importance of comprehensive access to and review of client data.  FINMA stated that “[t]o combat money laundering effectively, every relevant department within the bank must be able to see all the client’s relationships with the bank instantly and automatically.”  While it credited Credit Suisse with making progress in implementing such a “single client view,” it found that “this overview is still to be extended outside the Compliance unit. This results in organisational weaknesses in addition to the contraventions of anti-money laundering provisions.”

The second enforcement procedure focused on the management of a what FINMA described as “a significant business relationship for the bank with a politically exposed person (PEP)” who was a client relationship manager.  This investigation led to FINMA’s identification of shortcomings in compliance with AML due diligence obligations.

FINMA was specifically critical of Credit Suisse on this point:

The bank was too slow to identify and treat the PEP client as posing increased risks. Moreover, the due diligence and corresponding documentation relating to the business relationship were incomplete. The bank failed to meet its heightened due diligence obligations regarding investigation, plausibility checks and documentation regarding the client and certain related high-risk transactions.

FINMA also stated that this case also revealed weaknesses in Credit Suisse’s organization and risk management.  Notwithstanding the fact that the manager in question “was very successful in terms of assets under management,” it said that he “breached the bank’s compliance regulations repeatedly and on record over a number of years. However, instead of disciplining the client manager promptly and proportionately, the bank rewarded him with high payments and positive employee assessments. The supervision of the relationship manager was inadequate due to this special status.”  FINMA established that Credit Suisse “had failed to adequately record, contain and monitor the risks arising over a number of years from the PEP business relationship and the responsible (and since criminally convicted) client relationship manager.”   As a result, it “identified both organisational deficiencies (in terms of allocation of responsibilities, supervision and control) and a lack of effective corrective intervention,” and concluded that the bank’s risk management “was not appropriate in this instance.”

FINMA next addressed the issue of measures that it would require to strengthen Credit Suisse’s AML compliance.  It gave credit to the bank for taking certain measures since 2015 and for cooperating with FINMA.  Even so, it required the bank to take two sets of additional measures “designed to further improve the bank’s governance, organisation and risk management in the wealth management business.”  First, with regard to the shortcomings identified in the second procedure, it directed Credit Suisse to “remediate the relevant control systems and processes, and so prove that higher-risk business relationships and transactions are adequately detected, categorised, monitored and documented.”  Second, with regard to the shortcomings in the first procedure, it stipulated that the bank “must have implemented the ‘single client view’ for all relationships and for all relevant functions by the end of 2019.”  Finally, it stated that it would appoint an independent third party to review the implementation of the specified measures, including the measures initiated since 2015, [and] their adequacy and effectiveness.”

Note: These actions by FINMA represent the second significant enforcement reproof of Credit Suisse’s financial-crimes compliance program this year.  Just over two months ago, a Hong Kong-based subsidiary of the bank entered into a resolution with the U.S. Department of Justice and the Securities and Exchange Commission for its role in a corrupt scheme between 2007 and 2013 to win banking business by providing employment to friends and family of Chinese officials.  That resolution included a criminal penalty and disgorgement and prejudgment interest totaling more than $77 million.  In addition, in January 2017, Credit Suisse reached a separate civil resolution with the Justice Department requiring it to pay a total of $5.28 billion related to its conduct in the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities between 2005 and 2007.  The combination of these enforcement resolutions over a 19-month span is likely to heighten the scope and intensity of regulatory scrutiny of Credit Suisse’s compliance program in multiple jurisdictions.

The breadth of the FINMA findings and compliance improvements also provides compliance officers at other global financial institutions with a template against which they can compare their own AML programs and test for potential deficiencies.  Given the level of maturity of AML regulation at the national and international levels, no leading financial institution can afford to operate a compliance program with significant flaws in customer identification, beneficial-ownership due diligence, AML risk assessment, or customer and transaction documentation, let alone in all of those areas.  Nor can they afford to turn a blind eye to criminal or civil violations by any executive or manager just because he is a “top producer.”   Law enforcement and regulatory agencies will continue to regard consistent enforcement of a corporate AML program, as with other financial-crimes enforcement programs, as essential to demonstrating the program’s success and effectiveness.

For some members of the ultra-wealthy, daily living has become exceptionally frustrating.  Take the case of Teodorin Obiang, First Vice President of Equatorial Guinea and son of the country’s President Teodoro Obiang.  As befitted the son of a man in permanent contact with God, and the heir-apparent in a country blessed with vast oil revenues, Obiang was once able – despite his modest salary of $6,500 a month while serving as the country’s Minister of Forestry and Agriculture — to indulge freely in the good things in life: a Malibu, California mansion costing more than $30 million, homes on at least three other continents, numerous luxury cars, the $20 million art collection of the late Yves St. Laurent, and a Gulfstream jet, to name a few.

In the last decade, however, Obiang has been increasingly beset with vexing demands by various  governments:

• In 2011, French authorities seized a brace of Obiang’s luxury cars, which were later auctioned off after a French appeals court found “sufficient indications to believe that all the vehicles were acquired through the misappropriation of funds.”
• In 2012, French authorities seized Obiang’s €107 million mansion near the Champs-Élysées, as well as many of its contents (e.g., a Rodin statue, 300 bottles of wine worth €1 million and art works from the St. Laurent collection), and obtained an international arrest warrant for Obiang.
• In 2014 — in the face of allegations that he used “relentless embezzlement and extortion [to] shamelessly loo[t] his government and [shake] down businesses in his country to support his lavish lifestyle” — Obiang agreed to relinquish assets totaling more than $30 million (including the Malibu mansion) to resolve civil forfeiture cases that the U.S. Department of Justice had brought in 2011.
• In 2016, Swiss authorities seized 11 of Obiang’s luxury cars, despite Obiang’s explanation that the cars were only in Switzerland for repairs, and Dutch authorities seized his $120 million luxury yacht at the request of Swiss authorities investigating Obiang for money laundering.
• 2017 proved even more disruptive to Obiang’s lifestyle. In October, he was convicted in absentia in a French court on corruption- and embezzlement-related charges and handed a three-year suspended sentence and confiscation of more than €100 million of his assets in France, including the Paris mansion.  The conviction and sentence occurred not long after a South African court approved the seizure of his multimillion-rand South African beach cottage.

The latest source of frustration for Obiang was the reception he and his party received when flying into Brazil last week.  Brazilian federal police reportedly found $1.5 million in cash in one bag and watches worth an estimated $15 million in another, and seized the cash and watches.   Even though an Equatorial Guinea diplomatic source later explained that “the money was to pay for medical treatment Obiang was to undergo in São Paulo,” and Obiang was accustomed to traveling with suitcases filled with cash, Brazilian law inconveniently forbids individuals from entering Brazil with more than 10,000 reais ($2,417) in cash.

In a subsequent meeting with the Brazilian Ambassador to Equatorial Guinea, Equatorial Guinea’s Foreign Minister Simeón Oyono expressed concern about Obiang’s treatment, referring obliquely to “behaviour which could disturb the good health enjoyed by the ties of friendship between the two States, peoples and governments.”  Oyono’s concern is understandable.  At this rate, if more countries are minded to follow the American, French, and Swiss examples, certain other governments may be concerned if their ultra-wealthy officials are unable to retain, transfer, or transport their assets merely because they have provably engaged in grand corruption, embezzlement, or money laundering.

On September 13, the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) announced three North Korea-related sanctions designations. OFAC stated that the designations against two entities and one individual — China-based Yanbian Silverstar Network Technology Co., Ltd. (“China Silver Star”), China Silver Star’s North Korean Chief Executive Officer Jong Song Hwa, and its Russia-based sister company, Volasys Silver Star – “targets the revenue North Korea earns from overseas information technology (IT) workers.”

The Treasury Department described China Silver Star as “nominally a Chinese IT company, but in reality  . . . managed and controlled by North Koreans[,]” that as of mid-2018, “had earned millions of dollars from collaborative projects with Chinese and other companies.”  It also explained that Volasys Silver Star was created in early 2017 “as a Russia-based front company” created by a North Korean IT worker and employee of China Silver Star.   As of early 2018, Volasys Silver Star employees, “many of whom had moved to Russia from China Silver Star, had earned hundreds of thousands of dollars in under a year.  Although nominally run by a Russian individual, Volasys Silver Star is also in fact managed by North Koreans.  As its CEO, Jong Song Hwa set company goals for China Silver Star, and he controls the flow of earnings for several teams of developers in China and Russia.”

Earlier this summer, on July 23, U.S. Department of State, with OFAC and the U.S. Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE), issued an advisory “to highlight sanctions evasions tactics used by North Korea that could expose businesses – including manufacturers, buyers, and service providers – to sanctions compliance risks under U.S. and/or United Nations sanctions authorities.”  The advisory warned that “[b]usinesses should be aware of deceptive practices employed by North Korea in order to implement effective due diligence policies, procedures, and internal controls to ensure compliance with applicable legal requirements across their entire supply chains.”

The advisory set out a list of five factors that are potential indicators of goods, services, and technology with a North Korean nexus, including the following statement regarding IT services:

North Korea sells a range of IT services and products abroad, including website and app development, security software, and biometric identification software that have military and law enforcement applications. North Korean firms disguise their footprint through a variety of tactics including the use of front companies, aliases, and third country nationals who act as facilitators. For example, there are cases where North Korean companies exploit the anonymity provided by freelancing websites to sell their IT services to unwitting buyers.

It also included a list of potential indicators of North Korean overseas labor, as the North Korean government “exports large numbers of laborers to fulfill a single contract in various industries,” including IT services.  It noted that in 2018-2018 North Korean laborers working on behalf of the North Korean government were present in 41 listed countries and jurisdictions.

The advisory also briefly discussed due diligence best practices.  It stressed that “[b]usinesses should closely examine their entire supply chain(s) for North Korean laborers and goods, services, or technology” and including crosslinks to DHS and OFAC recommendations for due diligence practices and potential mitigating factors.  It summarized the penalties for individuals and entities for sanctions violations and enforcement actions, as well as activities that could result in OFAC designation.

Probably because of the mention of IT companies in the State Department advisory, Treasury Secretary Steven Mnuchin stated in the OFAC announcement that “Treasury is once again warning the IT industry, businesses, and individuals across the globe to take precautions to ensure that they are not unwittingly employing North Korean workers for technology projects by doing business with companies like the ones designated today,”

Note:  Corporate compliance officers need to take note of these latest designations, and recognize that North Korea poses an even broader range of financial-crime risks to U.S. companies than money laundering or cyberattacks and network intrusions.  Two separate Executive Orders were applied in these designations: Executive Order 13722, which applies to individuals or entities that are engaged in, facilitated, or are responsible for the exportation of workers from North Korea, including exportation to generate revenue for the Government of North Korea or the Workers’ Party of Korea; and Executive Order 13810, which applies in pertinent part to individuals or entities operating in the IT industry in North Korea.

Compliance officers therefore need to take pains in ensuring that their sanctions compliance programs, especially their supply-chain due diligence processes, are demonstrably effective in addressing any potential engagements with IT companies.  Slipshod due diligence or inconsistently operating internal controls that fail to detect North Korean connections could well result in enforcement actions relating to either or both of those orders under Title III of the Countering America’s Adversaries Through Sanctions Act (CAATSA).  Moreover, lack of vigilance in North Korea sanctions compliance on all fronts could have long-term geopolitical consequences.  As Treasury pointed out in its announcement, the United Nations Security Council acknowledged in its Resolution 2397 (2017) “that the revenue generated from North Korean workers overseas contributes to North Korea’s nuclear weapons and ballistic missile programs.”

On September 11, Mexicans Against Corruption and Impunity (MCCI), a private-sector organization, issued a report on the results of its investigation into the collapse of dozens of buildings in Mexico City in the September 19, 2017 Central Mexico earthquake, which took 228 lives.   According to the Los Angeles Times, the report linked the collapses to corruption, finding “that dozens of buildings that collapsed in the quake had been shoddily constructed and wrongly deemed safe by building inspectors.”  Even though experts from the Universidad Nacional Autónoma de México (UNAM) characterized Mexico City’s Building Code as a “state-of-the-art code,” the Times reported that a principal reason that unsafe construction continues is “outsourcing of building inspections to private engineers who are hired and paid by developers, an arrangement that gives engineers an incentive to declare buildings safe, even when they aren’t.”   In addition, MCCI investigative journalism director Salvador Camarena reportedly “criticized the fact that it is not possible to easily access information about a building’s history including the construction method used.”  (A YouTube video relating to the report is available via the MCCI website.)

Mexico’s tragic experience is just the latest instance of countries with substantial bribery and corruption problems suffering the tragic consequences of corruption-influenced substandard construction.  Here are a few of the more prominent examples in recent years:

• Iran: In November 2017, a 7.3 magnitude earthquake that killed at least 530 people and injured thousands of others brought down many state-built homes, which Iranian President Hassan Rohani attributed to corruption in construction contracts.
• India: In August 2013, 150 people reportedly died in Mumbai “in building collapses resulting from substandard or illegal construction.” An Indian Supreme Court Justice, Madan B. Lokur, reportedly said that thousands of buildings in Mumbai are unsafe.
• Bangladesh: In April 2013, Rana Plaza, an industrial building used by several garment factories, collapsed, resulting in the deaths of more than 1,130 people.  The collapse, described as “one of the world’s worst industrial accidents,” led to the Bangladesh Anti-Corruption Commission charging 18 people, including the owner of Rana Plaza, Mohammad Sohel Rana.  Rana was eventually convicted and imprisoned on corruption-related charges.
• Haiti: The January 2010 earthquake that killed an estimated 200,000 to 250,000 people also caused the pervasive collapse or semi-collapse of buildings across the country.
• Egypt: In December 2007, more than three dozen people were reported killed in the collapse of a 12-story apartment building in Alexandria. At the time, illegal building was reportedly ubiquitous in Egypt; the governor of Alexandria said that there were approximately 31,000 known building violations in the city, and the head of the city council said that at least 6,500 buildings “are near collapse.”  By 2016, Daily News Egypt reported that Alexandria had become one of “the top cities with illegal buildings, with 14,521 buildings without licences.”

The linkage between widespread corruption and fatal building collapses is not random.  A 2011 academic study of global earthquake fatalities found that in the three preceding decades “83 percent of all deaths caused by the collapse of buildings during earthquakes occurred in countries considered to be unusually corrupt.”

The factors that influence substandard construction in countries with higher corruption risk are widely recognized.  Lack of a national building code, urban population density, increases in housing demands, proximity of buildings to earthquake zones, and property laws that developers can exploit to frustrate government efforts to demolish unsound buildings are just some of the factors that can influence and interact with corrupt building practices, including “use of substandard materials, poor assembly methods, the inappropriate placement of buildings and non-adherence to building codes.”

What appears to be lacking is a consensus among nations that building-related corruption warrants special attention and some form of coordinated and collective action on a global scale.  Admittedly (to paraphrase the late Tip O’Neill) all building is local, as are the laws and regulations that are supposed to ensure safe and sound construction.  But most types of corruption do not pose a risk of widespread deaths and devastation to neighborhoods and workplaces.  Some multinational organization with expertise in anti-corruption measures, such as the United Nations Office on Drugs and Crime, could be a suitable convenor of a long-term initiative, which could marshal resources to explore the problem on an international scale and develop frameworks that governments could use or adapt as necessary to combat the problem at a national level.  All types of corruption are unacceptable, but some ought to be more unacceptable than others when their cost includes human lives.