Today let’s continue to look at the settlement Danske Bank reached with the Justice Department earlier this week, for the huge money-laundering scheme that operated from the bank’s Estonia branch in the 2000s and 2010s. I’ve been reading the plea agreement in the case, and compliance officers have a lot to consider here.
First, to recap: Danske Bank pleaded guilty on Tuesday to one count of bank fraud, and agreed to pay $2.06 billion in criminal forfeiture to the Justice Department, plus another $413 million to the Securities and Exchange Commission in civil disgorgement, penalties, and interest. Danske Bank will also continue an overhaul of its compliance program that has now been ongoing for several years, under the watchful eye of an “independent expert” appointed by Danish financial regulators last year.
All of this stems from the money laundering scheme that unfolded at Danske from 2007 until 2016, where some $236 billion in suspicious transactions flowed through the bank’s branch in Estonia. Most of that money came from Russian nationals on U.S. watch lists, and the bank repeatedly published reports to investors and the public that its anti-money laundering compliance program was operating just fine. Internally, however, bank executives both in Estonia and in the Denmark headquarters knew their AML compliance efforts were a paper-thin mess.
If we need any specific observations of how Danske Bank stumbled into this morass of compliance failures, the plea agreement (posted on Thursday) provides two great ones.
First example: Danske Bank acquired its Estonia branch in 2007, and was warned immediately by Russian bank regulators that the Estonia branch was a haven for suspicious activity. Then, as the plea deal describes…
[Danske Bank] undertook a project to bring the Baltic branches onto the central technology system Danske Bank had established, recognizing that there were some risks, including AML risks, presented by allowing the Baltic branches to remain outside of the IT platform used by Danske Bank headquarters… In 2008, Danske Bank canceled the migration to the central technology system because the executive board, consisting of Danske Bank senior executives, concluded it would “simply be too expensive” and could cause irregularities.
That was the fatal mistake by bank leadership. Danske Bank allowed the Estonia branch to maintain its own antiquated IT systems, with no automated customer due diligence or transaction monitoring — simply because bringing the Estonia branch up to acceptable compliance standards would be too expensive. Danske leaders didn’t have the requisite commitment to effective compliance, and from there its AML troubles flowed.
Second example: By 2012, several Estonia branch employees, including the then-head of AML compliance for the branch, were drafting a memo for senior executives back in Denmark. The memo included a description of the supposedly robust onboarding procedures for Russian customers. Supposedly, those customers had to be approved by a special “client committee” headed by the branch’s top compliance officer, and were then subject to automated transaction monitoring.
Those promises, the plea agreement said, “were not true; though the client committee and other procedures existed on paper, in 2014 Danske Bank Estonia’s regulator found that there was ‘no evidence’ that Danske Bank Estonia followed its written procedures… or reviewed those procedures to ensure they were compliant with law and working as intended.”
So the bank had a paper compliance program, without any actual evidence of true compliance efforts going on at the ground level. Then again, with no support from senior management for a strong compliance program, why should we expect anything else?
The Compliance Program Reforms
Now let’s turn to the many compliance program reforms that Danske Bank needs to make, and the certifications that the bank’s chief compliance officer will need to make as part of the deal — because, yes, CCO certification is part of the settlement too.
As part of its settlement, Danske agreed to a three-year period of continuing cooperation and reporting to the Justice Department. The arrangement is just like a deferred-prosecution agreement, except there is no “deferred” part because Danske has already pleaded guilty. Let’s call it a post-prosecution agreement.
The deal also requires Danske Bank to meet at least quarterly with the Justice Department throughout the three-year term, and to submit annual progress reports to the prosecutors until the agreement expires at the end of 2025. The first report, due in December 2023, needs to focus on three topics:
- Complete description of the bank’s remediation efforts to date;
- Complete description of the testing conducted to evaluate the effectiveness of the compliance program, and the results of that testing; and
- Proposals to assure that the compliance program is reasonably designed, implemented, and enforced.
The next reports, due at the end of 2024 and 2025, respectively, are supposed to cover all the same ground, and incorporate any feedback the Justice Department provides from the prior reports.
The Justice Department did not assign a compliance monitor because Danish authorities imposed their own “independent expert” to oversee Danske Bank’s compliance reforms. But if that independent expert departs before the end of the three-year deal, the Justice Department does retain the right to impose a monitor of its own.
Lastly, we have two certification requirements. First, Danske Bank’s CEO and CFO will need to certify at the end of the agreement that the company has disclosed any and all evidence or allegations of money-laundering failures. Separately, the CEO and the chief compliance officer will need to certify that the bank’s compliance program is “reasonably and effectively designed to deter and prevent violations of money laundering, anti-money laundering, and bank fraud laws throughout the bank’s operations.”
Other Thoughts on the Deal
To get more insights from this Danske Bank settlement, compliance officers need to string the previous two sections of this post together. The question is this: If you want to prevent weak executive commitment to compliance, or a paper-only compliance program, what steps should you take to assure that your program is effective and working well?
We can glean a few clues from the Danske Bank settlement — specifically, “Schedule C,” which outlines all the compliance program elements that Danske Bank must put in place.
For example, one item in Schedule C talks about disciplinary procedures. Danske must implement “appropriate disciplinary procedures” for violations of the compliance program, and “such procedures should be applied consistently and fairly, regardless of the position held by, or perceived importance of, the director, officer, or employee.”
Disciplinary actions certainly send a clear signal to your workforce that management takes ethics and compliance seriously. At the practical level, then, compliance officers would need to keep meticulous records about who committed what infractions, who did or didn’t face disciplinary actions, and why offenders received the punishments they did. Companies should also use a disciplinary framework to guide those decisions, so auditors could match your actions and records to larger principles governing your compliance program.
We could also look at executive compensation and incentive-based pay. As part of its settlement, Danske Bank must examine its performance reviews and bonus structure “so that each Bank executive is evaluated on what the executive has done to ensure that the executive’s business or department is in compliance with the compliance programs,” Schedule C says. A failing score in compliance “will make the executive ineligible for any bonus for that year.”
That’s all good, but notice how the language there is all affirmative: executives will be rewarded for encouraging compliance behavior. That ignores the Justice Department’s other message lately about negative reinforcement — that companies should have and use clawback policies to rescind incentive-based pay for misbehavior.
Why no mention of clawbacks? I dunno. But if you want to keep management engaged in compliance, disciplinary action and compensation practices deserve steady attention.
To avoid paper-based programs, focus on collection of evidence, because evidence is ultimately the yardstick to measure whether your policies and procedures are working.
For example, if you want to prove that customer due diligence procedures are working you’ll need evidence of how many customers undergo due diligence (ideally all of them), and how many improper transactions still happen after customer due diligence (ideally none of them). Or if you want to prove that all “discounts” requested by overseas resellers were legitimate (discounts being a common tactic to funnel bribes), then you’ll need evidence to show that all requests were documented as legitimate.
That’s really what we’re talking about when we say a company needs “more policies and procedures” — we’re talking about generating more evidence, either to intercept potential misconduct or to defend the company against claims of misconduct.
At Danske Bank, for example, executives talked about “digging deeper into the compliance and control procedures.” That’s just another way of asking whether your procedures are adequate for the risk involved, and whether those procedures are actually happening as intended. So aren’t we just asking, in a roundabout way, for evidence?