Regularly topping annual lists of the most transparent and least corrupt countries in the world, the Scandinavian nations of Norway, Sweden and Denmark have enjoyed a reputation for honesty, trust and fairness. When reports surfaced that some of its banks may have been used to funnel ill-gotten Russian funds into Western economies the initial response was for many one of disbelief. As investigations began to scratch the veneer off, a different picture emerged: one of poor anti-money laundering controls, sanctions violations and looking the other way while there was money to be made.
Thomson Reuters Regulatory Intelligence has published a special report considering not only what went so very wrong in the Scandinavian banks but also the lessons all financial services firms can learn from the myriad compliance failings.
The investigations have been wide-ranging, and the resulting implications have been economic, reputational and personal.
Aside from potential fines and the reputational and market capitalization fallout, the unwinding of the Baltic money laundering affairs involving these banks has led to a sizeable increase in costs, as they have been forced to revamp their compliance routines. Danske Bank has cut thousands of staff and closed its operations in Estonia and Latvia following the scandal. It has also embarked on a $300 million program to improve IT operations and hire more compliance staff. Swedbank expects to have spent SEK 1.55 billion on investigations in 2020 and SEK1.1 billion on improvements under a 217-point action plan aimed at fixing any gaps in its AML regime.
The regulators themselves have also come in for substantive criticism with the problems of inadequate supervision not limited to banks. In a close-knit region known for social order, it took a long time for regulators to become aware of the problems at the banks involved, which enjoyed a high level of trust. As allegations surfaced against several Swedish banks in 2019, Erik Thedeen, head of the Swedish regulator, admitted his agency had fallen short at detecting money laundering offences in the past. “I think we have to admit that we, in Sweden, and other regulators, have done too little,” he said, adding that he would redirect the agency’s resources and ask for additional funds to bolster its money laundering oversight.
What firms can and should do in response
The Scandinavian banks’ difficulties with sanctions breaches, a lack of control over the actions of branches and the possibility they may have laundered substantial sums all have a root cause in flawed risk and control infrastructures.
One ramification of an inadequate control framework is that the impact in terms of compliance breaches is unlikely to be confined to one area. Firms may therefore wish to carry out wider internal investigations or a series of them. Given banks are already under regulatory, political and shareholder scrutiny, initiating an internal investigation may be the best way to prevent further compliance breaches. Investigations are disruptive, and both the investigation process itself any follow-up remedial actions can take up significant management time. Further potential costs could include the need to reprioritize or reschedule other work, possible damage to staff morale and the need to employ external consultants or lawyers.
Once a firm has learnt all possible lessons from an internal investigation, senior managers need to consider whether, and if so how, the findings of an investigation should be communicated.
The conclusion of an internal investigation may also be an appropriate time for a firm to carry out a critical evaluation of its approach to risk identification and the balance of preventative and detective controls. In a potentially high-risk area, additional preventative controls may be needed. Senior managers must satisfy themselves all reasonable steps have been taken to assess compliant activities in the areas under their control. Where compliance problems or breaches have been found, every effort should be made to investigate and remediate them, compensate customers and inform regulators.