Earlier this month, Danske Bank was sentenced in the Southern District of New York to three years of probation and forfeiture of $2.059 billion.  The sentencing capped a tumultuous and global scandal that became public several years ago, as the enormous scope of the bank’s anti-money laundering (“AML”) compliance problems emerge:  several hundred billion in suspicious transactions allegedly were processed over time at the bank’s former Estonian branch.  As a result of the sentencing, Danske Bank was ordered to make an actual payment of $1,209,062,646; the bank received credit for the rest of the forfeiture amount on the basis of a $178.6 million payment to the Securities and Exchange Commission and a $672.3 million payment to Denmark authorities.

Danske Bank was charged not with violating the Bank Secrecy Act (“BSA”), but rather with bank fraud.  According to the press release issued in December 2022  by the Department of Justice (“DOJ”) at the time of the bank’s plea, the bank had “defrauded U.S. banks regarding Danske Bank Estonia’s customers and [AML] controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.”  The DOJ’s choice to charge bank fraud presumably was predicated upon issues relating to U.S. jurisdiction and the actual applicability of the BSA to Danske Bank and activities in Estonia – but the heart of the criminal case is that Danske Bank allegedly hid its own AML failures from three U.S. banks, thereby thwarting the U.S. banks’ own AML programs and compliance with the BSA.

The plea agreement contains a lengthy statement of facts full of eye-catching allegations.  As we describe, it sets forth a tale of intentional and sometimes brazen misconduct by Estonian branch employees, coupled with lax oversight and implicit approval, or at least tolerance, of such conduct by some people in upper management.  Further, it involves another example of a financial institution, in the eyes of law enforcement and regulators, over-valuing profit and under-valuing compliance systems.  The case also highlights, again, the potential risks associated with correspondent bank accounts held by non-U.S. banks, the importance of having fully integrated and coordinated monitoring systems, and the potential role of whistleblowers.

Finally, this saga is not necessarily over entirely.  Danske Bank is subject to three years of probation.  The plea agreement requires numerous compliance commitments by the bank, including signed certificates of compliance and self-reporting of potential AML failures.  Danske Bank’s troubles also have involved lawsuits brought by investors claiming to have been defrauded, although the bank has had success in fending off these actions (see here, here and here).

Danske’s Troubles Begin with Acquisition of Sampo Bank

We summarize here the factual statement accompanying the plea agreement and underlying the sentence.  All of the following are allegations.

In 2007, Danske Bank (“Danske”) acquired Finland-based Sampo Bank which included a large operation in Estonia that provided financial services to non-resident customers, including those residing in Russia. After acquiring Sampo Bank, Danske offered banking services through a subsidiary in Estonia until mid-2008. From 2008 to 2019, Danske operated a branch headquartered in Estonia through its International Banking Group (“IBG”). The Danske Estonia branch (“Danske Estonia”)’s “non-resident portfolio” (“NRP”) was very profitable – indeed, it generated over 50% of the profits. Danske Estonia was aware that the NRP customers resided in high-risk jurisdictions and frequently used shell companies. NRP customers conducted transactions in U.S. dollars, which required Danske to use several U.S. banks to process the transactions.

IBG employees conspired with their customers to shield the true nature of their transactions and even assisted in establishing shell companies in exchange for a “consulting fee.” NRP customers were allowed to open accounts without sending account opening documents to Danske Estonia and minimal know your customer (“KYC”) review. Danske Estonia was aware of NRP customers engaged in suspicious and potentially criminal transactions through internal audits. Moreover, regulators identified concerns with NRP customers.

Regulator Concerns

As we previously blogged about regulator investigations into Danske, shortly after acquiring Sampo Bank, the Central Bank of Russia (“CBR”) sent a letter to Danske regarding transactions of “doubtful origin” and noting that “the mentioned transactions . . . can be connected with the criminal activity in its pure form, including money laundering.” The Estonia Financial Supervisory Authority (“EFSA”) also issued a report criticizing the Estonia branch’s AML activities. EFSA found that Danske Estonia’s policies were “mostly in compliance” – but the branch only “formally” adhered to these policies when its actual oversight was inadequate. EFSA issued a series of corrective actions, but subsequent examinations found persistent deficiencies. The EFSA sent the Danish Financial Supervisory Authority (“DFSA”) a letter highlighting concerns with Danske Estonia’s AML controls. The DFSA shared the concerns with Danske. The EFSA ultimately issued a final report concluding that Danske Estonia allowed economic interests to outweigh due diligence. Danske Estonia did not reveal the report to any of the U.S. banks where they had an account.

Danske’s Response to Regulator Concerns

Danske compliance executives inquired about previous responses to the EFSA and how Danske Estonia monitored transactions of high-risk customers. Danske Estonia’s monitoring was inadequate because, unfortunately, Danske had scrapped an information technology (IT) program that would have allowed the bank to monitor and conduct additional oversight over Danske Estonia’s transactions and customers through a central technology system. The migration to a central technology system, which may have prevented or at least reduced some of the ensuing AML violations, was deemed to be “simply too expensive.” Meanwhile, the Danske Board of Directors noted the importance of displaying extra compliance efforts.

In response, Danske Estonia employees including the former branch manager and head of AML prepared a memo to Danske senior executives and identified the NRP as a “prudent and well organized” business. The memo highlighted a robust onboarding procedure, including approval by a client committee and automated monitoring procedures. The memo misrepresented Danske Estonia’s onboarding process. Danske executives repeated many of the statements contained in the memo to the DFSA but never confirmed the accuracy of any of the statements.

A Danske internal counsel shared with the former CFO of Danske that she had confirmed that the issues the DFSA raised were correct, that Danske Estonia had a deliberate policy to attract high-risk customer, that some of these customers were blacklisted in Russia, and there was no proof that compliance was addressing the issues.

In response, Danske initiated a business review of the entire Baltic region. The report from the review identified clear red flags including the size of the NRP and the existence of some unregulated financial intermediaries used to process transactions through Danske Estonia accounts for unknown third parties. Despite the identified red flags, the report concluded that the NRP had “excellent compliance processes in all aspects of the business.” The Danske report contained misstatements about Danske Estonia’s compliance controls, including the size of the NRP portfolio. Danske compliance executives suggested engaging an independent party to review the NRP and Danske Estonia’s compliance controls.

Danske Estonia’s U.S. Bank Accounts

Danske Estonia used accounts at three U.S. banks, all of which were federally-insured and located in the Southern District of New York (the U.S. Banks”). The U.S. Banks required account opening information and regular updates. Danske misrepresented their AML compliance program, transaction monitoring, and information regarding Danske Estonia’s customers and their risk profile. Due to Danske Estonia’s misrepresentations, one U.S. Bank facilitated $160 billion in transactions on behalf of its NRP customers.

As early as 2008, one U.S. Bank brought NRP concerns to the attention of Danske Estonia. The U.S. Bank warned against restricting clients’ activities to avoid detection by the U.S. Bank’s transaction monitoring system. The U.S. Bank made a compliance visit to Danske Estonia, where employees provided false and misleading information about the NRP. The only truthful statements Danske Estonia employees made were regarding how they counseled suspicious customers. The employees actually admitted that whenever the U.S. Bank would identify suspicious customers, Danske Estonia would “counsel a client to restructure to avoid catching the attention of [U.S. Bank 1’s] monitoring. They encourage the client to break out their activity into two or three entities, which as the effect of splintering the activity.” The U.S. Bank obviously had been unaware of this activity and had been under the impression that Danske Estonia off-boarded suspicious customers that they had identified.

The employees also admitted to not having the resources to deal with the U.S. Bank’s inquiries about suspicious transactions, and the fact that they did not have automated transaction monitoring. What’s worse, is Danske attempted to walk back Danske Estonia’s comments and told the U.S. Bank that they had misunderstood the discussion. Eventually, the first U.S. Bank closed the Danske Estonia account, processing $34 billion for the NRP customers during the relationship.

Meanwhile, Danske Estonia personnel also were misleading Danske executives.  The Danske Estonia brand manager discussed the need to design a strategy to “camouflage” the NPR business from Danske executives; a Danske Estonia executive reassured this branch manager that they had done this “exercise once before [in] 2006-2008 and we’ll do it again,” and emphasized that the “main thing is how we look in this case, not how it really is.”

A second U.S. Bank emerged but made the decision to stop processing payments through the Danske Estonia’s U.S. account. Danske executives were concerned about raising suspicion with U.S. regulators noting that “[w]e should make sure we don’t create a relationship where U.S. Bank 2 suddenly feels the need to share their concerns about [DANSKE BANK] with U.S. regulators.”

Subsequently, Danske Estonia entered into a new correspondent relationship with a third U.S. Bank, and made no mention of the concerns raised by the first U.S. Bank. The third U.S. Bank contacted Danske Estonia about suspicious payments and was told by Danske Estonia employees that the shell companies were owned by Russian individuals and corporations who set them up to ultimately hide the fact that they are owed by Russians, to given them “more favourable contract negotiations with global commercial trading firms.” The third U.S. Bank requested Danske Estonia stop routing payments of shell companies through the account. Danske ignored this request. Based on Danske Estonia’s misrepresentations, the third U.S. Bank processed $3.8 billion through the account on behalf of NRP customers  Danske decided to process the transactions through the third U.S. Bank account, regardless of their previous “no-shell” request.

Further, a Danske Estonia compliance executive completed a “Correspondent Banking Client Profile Form” which the third U.S. Bank required for new correspondent accounts.  The compliance executive made several knowing misrepresentations in the form, including asserting that Danske Estonia had no high-risk customers under Danske Estonia’s AML policies, and that Danske Estonia had no physical presence in Russia.

The Whistleblower

In response to this audit, Danske hired an auditing firm to conduct a review of gaps in NRP’s AML/KYC processes. The auditing firm found 17 shortcomings mirroring the concerns raised by the whistleblower. The auditing firm confirmed that there was no automated transaction monitoring system and no verification that the manual monitoring system was actually operating. In addition, the auditing firm concluded that all NRP customers were high risk and given the large amount of customers it was “impossible that the senior management of [IBG] could be aware of the personal circumstances of all of them.” When the auditing firm was pressed by Danske compliance staff for their “gut feeling” on how Danske compared to other Baltic banks they replied that Danske Estonia’s critical gaps were “greater than we’ve seen in other banks in the region.” Moreover, Danske did not disclose the whistleblower allegations to any government authority or the U.S. Banks where their accounts were located until the DFSA requested information pertaining to AML issues. Danske’s internal counsel suggested that Danske should share the whistleblower’s allegations with law enforcement, but Danske compliance executives ignored this suggestion.

Closure of Danske Estonia

In 2016, Danske closed the NRP and commissioned an internal investigation. Danske voluntarily made the results public in September 2018. The EFSA instructed Danske to close Danske Estonia, which ultimately closed in 2019.

Ongoing Compliance

As noted, the saga is not necessarily over.  Attachment C to the plea agreement is an eight-page document entitled “Compliance Commitments.”  In it, Danske Bank has agreed to maintain effective AML policies; perform periodic risk-based reviews; perform internal training; establish an effective system for internal reporting and investigation of potential violations of AML and money laundering laws; evaluate its executives and their bonuses according to their efforts to ensure that the bank is compliant; institute a risk-based approach to retaining and overseeing third party relationships; and periodically review and test its compliance programs.

Under the plea agreement, the bank must provide an initial work plan and then three annual reports to the DOJ over the course of the bank’s probationary period regarding the bank’s updating and testing of its compliance programs.  The DOJ will have access to all non-privileged third party reports regarding the bank’s compliance programs, including the reports of the independent expert appointed as a result of the bank’s separate agreement with Danish authorities.  The bank also must meet with the DOJ every three months regarding its remediation, implementation and testing of its compliance programs. Likewise, thirty days prior to the expiration of the bank’s probationary period, the bank, by its Chief Executive Officer and Chief Compliance Officer, will certify to the DOJ in writing that the bank has met its compliance obligations under the agreement. 

The bank also must continue to cooperate with the DOJ and potentially other domestic or foreign law enforcement and regulatory authorities, and provide relevant, non-privileged information upon request.  Finally, the bank has agreed that if it “learns of any evidence or allegation of conduct that may constitute a violation of federal money laundering law, the Bank Secrecy Act or other anti-money laundering laws, U.S. sanctions laws, or federal bank fraud laws had the conduct occurred within the jurisdiction of the United States, the [bank] shall promptly report such evidence or allegation” to the DOJ.

[View source.]