What did Danske Bank do?
Danske Bank, the largest bank in Denmark, recently pleaded guilty to charges of money laundering and agreed to pay a $400 million fine. This plea, the result of an investigation into the bank's involvement in a massive money laundering scheme, has significant implications for financial crime risk management.
The money laundering scheme, which took place between 2007 and 2018, involved the flow of billions of dollars through the bank's Estonian branch.The funds, which were believed to be of illicit origin, were laundered through a network of shell companies and ultimately ended up in various accounts around the world. The scheme was discovered in 2013, but it wasn't until 2018 that the bank publicly disclosed the full extent of the wrongdoing.
Despite multiple warnings from regulators, internal auditors, and whistleblowers, both Danske Estonia and Danske headquarters in Denmark failed to effectively address multiple gaps in their risk management, client onboarding and transaction monitoring systems. This resulted in an estimated 200 billion USD in suspicious transactions flowing through the international financial system.
Thanks to recently published official documents, several critical aspects of the Danske case and its impact on correspondent banks have come to light.
How the Danske Bank scandal impacts the cross-border payments system
Correspondent banking is when one bank (the correspondent) provides services to another bank (the respondent); often this involves the facilitation of cross-border payments by one institution on behalf of another. For emerging markets, it is a crucial tool for accessing global networks, allowing for international finance and ensuring proper functioning of global financial systems.
Correspondent banking relationships can be particularly vulnerable to financial crime, because the respondent bank is, to a significant extent, reliant on the risk management systems of its correspondents.
Danske Estonia’s largest and most profitable business was the provision of accounts to non-resident customers - customers located outside of Estonia - acting as their gateway to the international financial system. To allow Danske Estonia’s non-resident customers to transact across borders in U.S. dollars, Danske set up correspondent banking relationships with at least three (unidentified) U.S. banks.
Three failures admitted by Danske Bank as part of the recent plea agreement
Here are just three of the failures admitted by Danske:
Multiple false assurances by Danske Estonia executives to respondent banks:
For example, when “U.S. BANK 1” had concerns as early as 2008, Danske Bank Estonia assured the bank’s representatives it had put in place automatic sanctions and AML monitoring. This was not the case, as Danske Bank Estonia continued to rely on manual systems.
In fact, contrary to best practice which requires robust compliance and AML programs, Danske Bank Estonia policy and practice enabled non-resident customers to do business with minimal due diligence and monitoring. Over just two years, Danske Bank Estonia processed 34 billion USD for non-resident customers through its account at the U.S. bank.
An executive at the U.S. bank later said that if he had known Danske’s assurances were false, he would have “run to his boss’s door to notify him” followed by asking colleagues to “pull the plug” on the relationship.
Dependence on forms containing false information to carry out due diligence:
U.S. respondent banks repeatedly found themselves relying on forms filled out by Danske Bank Estonia employees to conduct due diligence on the relationship. On multiple occasions, those forms turned out to contain false information.
For example, in October 2013 a compliance executive at Danske Bank Estonia falsely answered “yes” to core questions including whether their bank had the right levels of enhanced due diligence for higher risk customers. The questionnaire also falsely claimed that “real-time” monitoring was in place for all incoming transactions over €500,000, and that all outgoing transactions were screened against relevant sanctions lists.
Respondent banks not having a real-time overview of the risk involved in Danske Bank Estonia transactions:
Ignoring a specific request from U.S. Bank 3 not to do so, Danske Bank Estonia unilaterally routed non-resident transactions and suspicious shell company payments through its respondent. While the U.S bank noted an increase in suspicious activity from the Danske Bank Estonia account, more than 200 million USD had flowed through it by the time the payments were stopped.
As a result of these and other failings, a later internal investigation by Danske Bank found that Danske Bank Estonia “had processed through the U.S. Banks billions of dollars in transactions associated with money laundering and other criminal schemes, including Russian criminal schemes.”
A separate report by the Estonian authorities concluded that Danske Bank Estonia prioritised “the economic interest in profit” over due diligence requirements.
Implications for the global correspondent banking system
While the Danske Estonia case can be seen as unusual, the truth is that today correspondent banking as a sector often continues to rely on manual, questionnaire-based risk management procedures. Thus, not only is it easier for large cases of suspicious activity to slip through the net, but the system enables financial crime to be actively facilitated, with limited consequences for perpetrators of crime.
The greatest lesson from this major news scandal is that financial crime risk management must be steered by more robust, technology-driven processes. Whilst other areas of financial services, such as retail banking, are already propelled by digitised systems and point of service payments, why are AML and cross-border payment processes still playing catch up? Financial crime still remains a trillion dollar issue, and is draining institutions of money, time and resources. When notable banks like Danske continue to be embroiled in scandals, it’s increasingly apparent that current manual methods are undermining financial institutions.
By utilising reliable, technology-driven methods to evaluate institutional risk, banks can detect financial crime risk in real-time, and remediate based on quality-assured financial crime risk information.
Investment in data-driven financial crime risk management, including analysis of transactions in real-time, continues to be much needed to ensure a safer financial system for all and inject trust back into correspondent banking - something, along with the reputation of the financial system as a whole - which has been tarnished by continuous scandals.