Danske Bank, the Danish bank now infamous for allowing one of the largest money laundering schemes in history during the 2000s and 2010s, pleaded guilty to fraud charges in U.S. federal court today and agreed to pay more than $2 billion in criminal penalties and other monetary fines.
Danske will pay $2.06 billion in criminal forfeiture to the Justice Department, plus another $413 million to the Securities and Exchange Commission in civil disgorgement, penalties, and interest. The bank also agreed to keep making improvements to its compliance program, which it has already been making for five years now; and to the oversight of an “independent expert” appointed by its Danish regulators last year.
All of this stems from the huge money laundering scheme that unfolded at Danske from 2007 until 2016, when some $236 billion in suspicious transactions flowed through the bank’s branch in Estonia. Most of that money came from Russian nationals (read: cronies of Vladimir Putin, or cut-outs for Putin himself), and the bank repeatedly published reports to investors and the public that everything in Estonia was just peachy — while executives inside the bank lurched from one warning about rampant misconduct to another.
“Danske Bank lied to U.S. banks about its deficient anti-money laundering systems, inadequate transaction monitoring capabilities, and its high-risk, offshore customer base in order to gain unlawful access to the U.S. financial system,” assistant attorney general Kenneth Polite said in a statement.
Gurbir Grewal, head of the SEC Division of Enforcement, followed up with his own statement: “Corporations that raise money from the public must disclose information that is material to investors, who then get to decide what risks they want to take… Danske Bank repeatedly broke that bargain by misrepresenting to its shareholders, including U.S. investors, that it had strong anti-money laundering controls while hiding its significant control deficiencies and compliance failures.”
A Brief History of Danske Compliance Failures
Danske Bank purchased its Estonia branch in 2007, and was warned almost immediately that its new location had issues. As described in the SEC’s settlement order, Danish banking regulators contacted Danske that year with concerns that they had received from the Bank of Russia about customers supposedly engaged in illicit transactions through the Estonia location, including allegations of money laundering. Danske Bank’s board discussed those issues in 2007, and an internal audit commissioned that year found the Estonia branch’s anti-money laundering and customer due diligence practices were “thin.”
So as far back as 2007, senior bank executives and the board knew that trouble was afoot in Estonia. Still, Danske Bank allowed the Estonia branch to keep doing its thing, and those suspicious customers generated material amounts of profit: roughly 2.3 percent of all pre-tax profit from 2009 through 2015, up to a high-water mark of 4.6 percent in 2011.
The AML compliance risks were glaring. By 2013, senior Danske executives in Copenhagen knew that Danske Estonia was offering high-risk services and products that the bank didn’t allow in other branches. For example, Danske Estonia allowed its non-resident customers to use intermediaries to conceal the customers’ true identities, and offered foreign exchange “trading solutions” that let those unknown customers convert rubles to U.S. dollars and transfer the funds out of Russia.
Danske also turned a blind eye to Danske Estonia’s antiquated AML and customer due diligence controls — as in, Danske Estonia couldn’t conduct automated customer screening or automated transaction monitoring, while its suspicious customers funneled $236 billion through the branch. Danske had no access to the IT platform at Danske Estonia, and therefore no real visibility into what was going on there.
My favorite detail happened in 2014, after Estonian bank regulators examined the bank branch and provided Danske’s senior management with a laundry list of shortcomings. One Danske manager’s reply: “It is a total and fundamental failure in doing what we should do and doing what we claim to do.” Another described the regulators’ review as “brutal to say the least, and is as close to the worst I have ever read within the AML/CTF area.”
Needless to say, none of these lurid details were disclosed to investors. “These omissions rendered Danske’s repeated statements to investors that its AML procedures were robust and legally compliant materially misleading in light of the circumstances in which they were made,” as the SEC said with its typical bland understatement.
The media finally exposed Danske Estonia’s shenanigans in 2017. The predictable outcry ensued and the Danish regulatory establishment was especially jolted, since Denmark routinely ranks as one of the least corrupt and most transparent countries on earth. Danske Bank CEO Thomas Borgen resigned in 2018, and Danish law enforcement charged him with dereliction of duties in 2019.
The head of the Estonia branch from 2007 to 2015 Aviar Rehe, who had been a witness in Estonia’s criminal investigation, turned up dead in 2019. His death was ruled a suicide.
Observations on Compliance
The most lessons for compliance officers here are one part technical, one part leadership.
The technical: Danske Bank allowed its Estonia branch to operate in a siloed, antiquated way. Danske Estonia didn’t have automated systems for customer screening and transaction monitoring, and because of that executives at Danske headquarters in Denmark couldn’t see what was going on. Failure to invest in technology undermined transparency, and there compliance violations lie.
Senior executives in Denmark also tolerated a siloed management structure in Danske Estonia, too. For example, the Danske Estonia’s compliance and AML managers reported directly to bank managers there in Estonia, rather than to Danske Bank’s compliance chief in Copenhagen.
Still, the larger issue here really was about leadership: Danske Bank executives in Denmark allowed Danske Estonia’s shortcomings and isolation to continue. They did not push for improvement with the necessary urgency. That’s a poor control environment, and from there nobody should be surprised that poor control activities followed. (One specific warning sign of a poor control environment: the board or senior management tolerating lack of action on audit findings or regulatory examination issues.)
Danske Bank did receive full credit from the Justice Department for cooperation and remediation, because the bank took steps such as providing substantial information from its internal investigation, quickly and voluntarily producing a significant amount of documents located outside the United States, making foreign witnesses available for interviews, and providing detailed analysis of complex, cross-border transactions. That all helps to take a tiny bit of sting off that $2.4 billion in fines and penalties.
Still, just imagine how much less damage might have been done if Danske Bank had acted on its problems from the start. Sigh.