Danske Bank CCO to Depart in 2024
The chief compliance officer at Danske Bank has announced that he will be leaving the bank in 2024, raising a delicate but important question. Who’s going to certify the effectiveness of Danske Bank’s compliance program to the Justice Department when the bank is scheduled to do that in 2025?
Satnam Lehal, Danske Bank’s chief compliance officer since 2021, posted a statement to LinkedIn on Monday that he will leave the bank early next year. We don’t know why, although giving the world 12 months’ notice certainly suggests that Lehal’s departure is a decision he made himself and for his own reasons. In his post, Lehal only said, “We have achieved a huge amount since I joined in summer 2019 and I look forward to leading our continued progress over the next 12 months.”
Fair enough, and we wish Lehal well; he seems to have done an impressive job building the bank’s compliance capabilities. But Danske Bank pleaded guilty in December to a huge and long-running money-laundering scheme operating out of the bank’s Estonia branch. As part of that settlement, the bank’s chief compliance officer and CEO will need to certify that Danske Bank has an effective compliance program when the plea agreement expires in December 2025.
So who’s supposed to sign that certification when it comes due, if the CCO who designed the program when the plea deal was struck is already gone? How can the subsequent CCO feel confident putting his or her name to that certification, theoretically under penalty of perjury?
These questions have been stuck in my brain since assistant attorney general Kenneth Polite first raised the specter of CCOs certifying their programs one year ago. Now they’re no longer hypothetical. This is going to happen, and the compliance professionals who might want to succeed Lehal at Danske Bank — or at any of the other companies that also have CCO certification requirements — deserve a clear answer.
So far the Justice Department hasn’t replied to my requests for comment. Danske Bank only said it has no comment.
[UPDATE: The Justice Department did give me a comment on Thursday afternoon, saying, “We expect whoever is the CCO at the time of certification to sign (that is, the new CCO). We also expect any CCO serving during the term of the agreement to be meaningfully engaged in building a strong compliance program that meets both legal requirements and requirements of the agreement with the department.” If you have any thoughts about this, I would love to hear them at [email protected].]
Danske Bank’s Commitments
Let’s review the actual plea agreement that Danske Bank signed with the Justice Department in December, since it’s representative of this new certification regime.
The first important document is Schedule C, which spells out all the compliance program components that Danske Bank is supposed to maintain. The components themselves are all the stuff one would expect to see in a case like this: high-level commitment to compliance, an empowered and independent leader of the compliance function, periodic audits of the program, training, policies and procedures, systems to monitor customer and third-party relationships.
Next is Schedule D. This outlines the series of progress reports that Danske Bank must make to the Justice Department over the next three years. The first report, due in December 2023, needs to focus on three topics:
- Complete description of the bank’s remediation efforts to date;
- Complete description of the testing conducted to evaluate the effectiveness of the compliance program, and the results of that testing; and
- Proposals to assure that the compliance program is reasonably designed, implemented, and enforced.
The subsequent reports, due at the end of 2024 and 2025, respectively, are supposed to cover all the same ground and incorporate any feedback the Justice Department provides on the prior reports. Danske Bank executives are also supposed to meet with the Justice Department within 30 days of submitting each report to review its contents, and to meet with the department at least quarterly “to discuss the status of the review and self-reporting obligations, and any suggestions, comments, or improvements the bank may wish to discuss with or propose.”
Before we even get to that final certification in 2025, let’s talk about those meetings and reports. If Lehal is leaving sometime in 2024, that means numerous quarterly meetings (any that happen in 2024 after Lehal goes, and all of them in 2025) will take place with someone else as Danske Bank’s chief compliance officer. What preparation will that person need? How will he or she feel confident representing the bank, and talking about its compliance issues?
Last is Schedule F. This is the actual certification form that Danske Bank’s CEO and CCO will need to sign and submit to the Justice Department when the plea agreement expires at the end of 2025. The key passage is this:
[B]ased on the undersigned’s review and understanding of the bank’s compliance programs, including its anti-money laundering compliance program, the bank has implemented compliance programs that meet the requirements set forth in Attachment C to the agreement. The undersigned certify that the bank’s compliance programs are reasonably and effectively designed to deter and prevent violations of money laundering, anti-money laundering, and bank fraud laws throughout the bank’s operations.
That’s what the chief compliance officer and the CEO will need to sign, with the threat of personal liability looming over their heads.
Gaming Out CCO Predicaments
So we still have those pesky questions about how a CCO who arrives mid-plea agreement is supposed to certify the design and effectiveness of a compliance program that he or she didn’t design.
For example, could the CCO candidate demand during the job interview that they get some sort of “right of review” when they start? And that they can restructure the compliance program as necessary, if they believe it’s deficient? That seems like a pretty far-fetched demand to me — and even if a company does agree to that, what about the Justice Department? Just imagine the mess that would happen if the new CCO says, essentially, “Nope, we’ve been doing this all wrong and it needs an overhaul.” Imagine the eyebrows that would be raised in the Fraud Section.
On the other hand, if the company doesn’t agree to let the CCO candidate revamp the program if necessary, what CCO in their right mind would want that sort of risk? You’re basically taking the new job on faith, and I think we all know how dicey that can be in modern Corporate America. So do you demand D&O insurance as part of the compensation package, in case the program secretly sucks and you’d be on the certification hook? Again, what if the company says no?
There’s also the possibility that we’re making a mountain out of a molehill. Perhaps the Justice Department will be very forgiving of successor CCOs, and not hold them liable for certifications that turn out, in hindsight, to be erroneous. But in that case, why are we even doing this at all? If certifications are supposed to matter, then they have to be enforced.
Some people might note that CEOs need to sign these compliance certifications too, and it’s also possible that a CEO might arrive mid-plea agreement and face the same predicament. That’s not quite right. First, an incoming CEO will have the power to review and revamp company operations; that’s what new CEOs do. Second, CEOs routinely rely on subordinates to give them advice. It wouldn’t be far-fetched at all for a newly arrived CEO to seek out assurances from the compliance officer before the CEO signs the certification.
That reliance wouldn’t work as well the other way around, where an incoming CCO is asking the CEO for assurance. The CEO might not know the compliance program well, or have overly optimistic beliefs in how the program works. You can’t rely on the CEO the way he or she can rely on you.
So all in all, there are plenty of ways this CCO certification requirement might spook compliance officer candidates, unless they get much more clarity and assurance from somebody, somewhere, about the personal risks they might be shouldering. And now Danske Bank gives us a clear, specific example of the conundrum.
Perhaps the Justice Department could give us some clear, specific answers?