This week Danske Bank released a report detailing the results of its much anticipated internal investigation into allegations of money laundering perpetrated in its Estonian branch. The results of the investigation dwarfed even the boldest predictions.
The report found between 2007 and 2015 the Estonian branch processed a staggering 200 billion Euros, or $234 billion, in suspicious transactions by thousands of non-resident costumers. The report finds the AML procedures at the Estonian branch were “manifestly insufficient and inadequate,” resulting in numerous breaches of legal obligations by the Estonian branch. The report details a numerous red flags that allegedly should have alerted the parent Danske Bank Group (“Group”) to the issues.
However, the report also concludes that the Group’s Board of Directors, Chairman, Audit Committee, or Chief Executive Officer did not violate any legal obligations in failing to detect or stop the suspicious transactions. Despite this finding, the CEO, Thomas Borgan, resigned the same day the report was released. Borgan stated, “Even though I was personally cleared from a legal point of view, I hold the ultimate responsibility. There is no doubt that we as an organization have failed in this situation and did not live up to expectations.” The consequences of this colossal money laundering scandal are unlikely to stop with Brogan’s resignation.
This blog post will summarize the scope of the report, findings of suspicious activity, the causes and red flags of potential money laundering violations, and outline the known and anticipated consequences of this scandal for Danske Bank.
The Scope of the Report
The 87 page report details the year-long investigation by the Danish law firm Bruun & Hjejle into the allegations of potential money laundering out of the Estonian branch. The scope of the investigation was massive: collecting information on 87 million payments over a 10 year period for all customers at the Estonian branch. Importantly, the review looked at 10,000 non-resident customers that were known to the bank and included in a specially managed “Non-Resident Portfolio” in Estonia until 2015. The review also looked at an additional 5,000 customers of the Estonian branch that were not in the portfolio but qualify as non-resident customers. In addition, there was an investigation into the accountability for failure to detect the suspicious activity, which include interviews of 49 individuals.
Findings of Suspicious Activity in Estonia
The primary focus of the report is on the transactions of non-resident customers, including those in the Non-Resident Portfolio, “a pool of non-resident customers managed within the Estonian branch by a designated group of employees.” This Non-Resident Portfolio at the Estonian branch dated back to the 1990s, prior to Danske’s acquisition of the branch in 2007 as part of its purchase of the Finnish Sampo Bank. The Non-Resident Portfolio customers were both private persons and corporate entities, with a small number that were “non-regulated entities acting as intermediaries providing cross-border payment solutions to unknown end-clients in Russia and other CIS countries.” Per year the customers in the Non-Resident Portfolio accounted for 2-4% of the total customers of the Estonian branch. Yet, these customers in the Estonian branch accounted for a significant portion of the deposits made in the entire Danske Baltic bank branches (Estonia, Lithuania, and Latvia) including 9% of total deposits for the Baltic region in 2013.
Of the Estonian customers reviewed, 6,200 involved the most risk factors being investigated, including:
- Customers that have been identified as registered to or otherwise associated with addresses that are shared with numerous other customers and have been identified as suspicious in various jurisdictions (including British Virgin Islands, United Kingdom, Cyprus, and Denmark)
- Customers with significant differences between their revenue figures reported in publicly available documents and payment activity as demonstrated in their Estonian accounts
- Customers that have been identified in the public domain as being associated with money laundering schemes
- Customers with large amounts of funds passing through accounts regularly in short periods of time, with unusual payment chains, unexplained or unusual sources of funds or wealth, unusual payment descriptions, or adverse media coverage
- Customers with payments with suspicious counterparties in other banks
An appropriate AML compliance program would have included a customer due diligence program that would have identified these concerns. However, as the report finds:
It is clear that AML procedures at the Estonian branch had been manifestly insufficient and inadequate, including, inter alia, a lack of identification of “controlling interests” of customers, lack of screening of customers, and lack of independence and possible internal collusion in the Estonian bank.
From 2007 to 2015 the flow converted into EUR for the 6,200 customers reviewed equaled 200 billion Euros. Investigators say the majority of these transactions are believed to be suspicious. Further, thousands of more customers — those presenting the fewest risk factors — still remain to be investigated.
In addition, the reports notes several notorious money laundering schemes allegedly utilized the Estonian branch, including: 1) Russian shell companies processed funds for a member of Putin’s family and FSB; 2) former Italian member of the Parliamentary Assembly of the Council for Europe, Luca Volontè, processed a bribe from Azerbaijani officials in exchange for orchestrating a 2013 defeat of a resolution regarding political prisoners in Azerbaijan; and 3) allegations made by Hermitage Capital Management that high-ranking officials in the Russian Government laundered $230 million from the tax fraud uncovered by Sergei Magnitsky. The report does not provide conclusive discussions of these events.
Contributing Causes and Red Flags for AML Violations
Danske Bank acquired the Estonian branch, and its thousands of non-resident customers, in 2007 when it purchased Sampo Bank. Prior to this Danske Bank had not been operating in the Baltic.
There were warnings about the danger posed by the non-resident customers in Estonia, even before it was purchased. In June 2007, the Russian Central Bank wrote a letter to the Danish Financial Supervisory Authority (“FSA”) expressing concern over the non-resident customers at Sampo, stating that the “clients of Sampo Bank . . . participate in financial transactions of doubtful origins” and estimated the transactions to equal “billions of rubles monthly.” The Executive Board of the Group reviewed the letter and stated they would investigate internally. The Group responded to the Danish FSA stating their review found the Estonia branch complied with existing law, citing a conclusion by the Estonian FSA its made no “material observations.” The Group further gave assurances that its “AML concept” would be implemented and that reporting lines were established.
Importantly, after the acquisition the Estonian branch maintained a separate IT platform from the Group. The Group had considered integration of the Baltic subsidiary systems, but ultimately found it would be too expensive and take up too much capacity to migrate the Baltic systems to that of the Group. As a result of its independent IT platform “the branch was not governed by the same customer systems and transaction and risk monitoring” that the Group employed. The separate IT platform also prevented the Group from having the same insight into the Estonia Branch.
The Group was aware that the non-resident customers in the Estonian branch were a high risk, but believed the risk was mitigate by appropriate AML procedures. The report details numerous occasions where the Group was given assurances by the Estonian branch and even Estonian authorities that the AML procedures were largely compliant. However, in 2013 the Danish FSA inquired about the Estonian branch, its customers, and its AML procedures. The correspondence from the Group Legal at this time reveals an understanding of the “very special set up . . . made for Russian customers we have in Estonia” and that these “customers involve a high risk.” The Group Legal recognized that many of their customers were on a list of Russian blacklisted customers maintained by the Russian Central Bank. The Group Legal documents state the Danish FSA was “very worried because they [had] confirmed with US authorities” that Dankse complied with Danish FSA’s requirements on AML. The Danish FSA emphasized that customer due diligence needed to be observed in Estonia “not only in written procedures but also in everyday business activities.”
Another significant red flag came in June 2013, when a correspondent bank clearing USD payments terminated its relationship with the Estonian branch based on AML concerns. The internal documents indicate a discussion of this event and an examination of “Non-Resident Russian Profiles.” No action was taken and another correspondent bank agreed to expand its cooperation with Dankse Bank to include working with the Estonian branch.
In December 2013, Danske finally received a warning it could not ignore. A whistle-blower report from an employee with the Estonian branch detailed significant misconduct at the branch including:
- A lack of financial data on a specific customer who had filed false financial accounts with the UK Companies House
- That the “branch knowingly continued to deal with a company that committed a crime”
- Falsification of records by branch employees
The Non-Resident Portfolio and allegations of criminal activities and money laundering attracted significant media attention. In 2017, Danske Bank was also the subject of a formal investigation by the French government based on complaint brought by Hermitage Capital Management relating to suspicions of money laundering transactions carried by customers of the Estonian branch. The Dankse Bank also continued to face inquiries from the Danish FSA over allegations of money laundering conducted through the Estonian branch.
The Group conducted an internal investigation and found more customers “with similar irregularities.” The Group Audit internal investigation concluded the Estonian branch was not conducting proper customer due diligence and could not possibly monitor the accounts using the current system. The Group undertook a number of initiatives to address the issues in Estonia, but ultimately these inadequate AML procedures became the subject of harsh criticism by the FSA in Estonia. Both the Estonian FSA and Danish FSA imposed regulatory sanctions Danske Bank. Ultimately, the Non-Resident Portfolio was terminated in 2015, with the last accounts closing in 2016.
Known and Anticipated Consequences
The report notes that there were numerous breaches of legal obligations in the Estonian branches and some isolated breaches of legal obligations elsewhere in the Group. However, the report finds the Group’s Board of Directors, Chairman, Audit Committee, and Chief Executive Officer did not violate their legal obligations. The press release from Danske Bank states based on the conclusions of the investigation, it has taken measures against current and former employees in Estonia and Denmark including, among other things “warnings, dismissals, loss of bonus payments, and reporting to the authorities.”
It will be interesting to see if this finding — absolving the top individuals at the company of misconduct — will stir controversy in the EU; in the United States, there has been an increasing emphasis, or at least a stated desire by the government to increase the emphasis, on enforcement actions against individuals, including in the AML context. The general interest in individual accountability has expanded steadily since the U.S. Department of Justice issued its principles of prosecution regarding individual accountability through the so-called “Yates Memo” in September 2015, which in effect increased the pressure on all companies to cooperate against their own employees. The Yates Memo stated that “[o]ne of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”
The press release notes that Danske Bank is “not able to provide an accurate estimate of the amount of suspicious transactions made by non-resident customers in Estonia.” The Board of Directors has decided to donate the gross income from the customers during the 2007-2015, totaling DKK 1.5 Billion or roughly $236 million, to an independent foundation to fight financial crimes in Denmark and Estonia. The press release signals what may be to come for Danske Bank, noting its donation of gross earnings will be “to the extent not confiscated by the authorities.”
As recognized in the press release, Danske Bank can expect hefty fines from the Danish FSA. Analysts have estimated these fines may reach $800 million. It has been reported that the United States authorities may also be investigating Danske Bank. Aside from institutional punishment, Danske Bank is suffering reputational harm and has already lost 30% of its market value in the wake of this money laundering scandal.
This a tremendous reminder to all financial institutions of the importance of AML compliance, particularly adhering to customer due diligence obligations. The fall out of the Danske Bank case is sure to demonstrate the far-reaching consequences of a failure to address AML problems in a timely and meaningful manner.
Jessica Case Watt