The money-laundering scandal currently unfolding at Danske Bank may well be the largest AML compliance failure ever: at least $230 billion in suspicious transactions funneled through the bank’s Estonia branch from 2007 through 2015.
The bank’s CEO has been forced out. Danish banking regulators are investigating the bank. European Union regulators are investigating the Danish regulators, to determine how a money-laundering operation so vast could continue for so long. The U.S. Justice Department has opened a criminal investigation. The bank’s stock price plummeted and dozens of employees might be turned over to police.
The misconduct itself — oligarchs in Russia and Azerbaijan, funneling criminal proceeds through the bank into shell companies registered in London, Scotland, or elsewhere — isn’t anything new. Oligarchs have been cleansing their dirty money through slipshod banks and shell companies for decades.
What’s news here is the scope of Danske Bank’s failure to stop the misconduct. Quite simply, everything went wrong with Danske Bank’s ethics and compliance effort. It is a near-perfect example of how different types of failure can amplify each other, creating a scandal for the ages.
These failures are detailed in a report Danske Bank released on Sept. 19, based on an outside investigation executives commissioned last year. Let’s take a look.
Weak Lines of Defense
Typically corporate compliance programs are grouped into three lines of defense: operations employees in the first line; management functions (including compliance) in the second line; and internal audit in the third. None of them worked at Danske Bank.
- First Line. Investigators found 42 employees and agents, plus another eight former employees, who somehow had business connections with customers or helped them process suspicious transactions.
- Second Line. As far back as 2010, members of Danske Bank’s management committee were discussing the high volume of suspicious transactions in Estonia, and whether that might complicate the bank’s expansion in the Baltics. The suspicious activity kept happening into 2015.
- Third Line. The internal audit team first audited the Estonia branch in 2011 and gave it a “fair” rating (the third-best out of five) for AML procedures. By 2014 the audit team was back, investigating a whistleblower’s report of rampant compliance failures, which the audit team confirmed.
At the ideal organization, the three lines are supposed to hold each other accountable.
Management can fire rogue employees. Whistleblowers can call internal audit about rogue managers. Internal audit can tell management which policies aren’t working for employees.
Conversely at Danske Bank, none of these lines executed their ethics and compliance duties competently. Those failures created the environment for…
Three Types of Control Failures
Internal controls come in three forms: entity-level controls that apply to the whole organization; process-level controls that address a whole category of transactions; and transaction-level controls to prevent or detect specific suspicious transactions. Danske Bank had failures at all three levels.
- Entity level. Danske Bank’s board promoted executives who knew about, and failed to stop, the misconduct in the Estonia branch. That branch was overseen in the early 2010s by Thomas Borgen, then head of international banking. He was promoted to CEO in 2013, before Danske Bank sacked him last month.
- Process level. Danske Bank had poor due diligence processes, which didn’t catch suspicious customers. It had poor IT governance processes, including allowing the Estonia branch to maintain its own IT systems with documentation written in Estonian and Russian rather than Danish. It had poor disciplinary processes: of the 50 current or former employees suspected of flouting AML procedures, only one was fired.
- Transaction level. The Estonia branch had 6,200 non-residential customers, and “the vast majority have been deemed suspicious,” as investigators said in their report. So that is a long-term, widespread failure at the transaction level: living, breathing employees, not flagging suspicious customers.
Again, consider the interplay of ethics and compliance failure. When a company has poor entity-level controls, process controls wither, which means employees can override transaction controls with ease.
That’s not how it’s supposed to work. Strong messages from the board and CEO translate into attention to strong processes — everything from compliance training, to due diligence, to accounts payable. Strong processes prevent employees from misbehaving.
The Big Failure
Regardless of how we slice Danske Bank’s problems, the central issue is this: executives did not connect the risk to accountability. Why not?
That’s a point every compliance officer should consider for his or her own organization. Better yet, consider it this way: what actions should management be taking to show that executives want to connect compliance risk to accountability?
For example, if an executive is truly serious about enforcing accountability, he or she would not allow a high-risk operating unit to maintain separate IT systems. Insisting on integration would be an entity-level control (a message sent to the whole company), that would stimulate better process-level controls (a unified IT system manages data more effectively), which would improve transaction-level controls (better ability to intercept suspicious payments).
We could give other examples: better risk metrics, more aggressive targets to reduce high-risk activity, terminating employees for policy violations more often, higher completion rates for due diligence of third parties. The list is endless, but the question is always the same: What can management do to show that it wants to connect ethics and compliance risk to accountability?
It’s a question worth asking early and often — not one to ask in hindsight.