What is the Danske Bank money laundering scandal?

How one Danish bank spectacularly failed in AML procedures

What is Danske Bank?

The bank was the largest in Denmark and offered services across the Nordic area. Founded in 1871, the bank has around 5 million customers, with over 210,000 SME clients and at least 2,000 corporate and institutional clients.

In 2007, Danske Bank merged with the Finnish Sampo bank. As a result of the merger, Danske acquired branches in new countries such as Estonia.

What were the money laundering allegations against Danske Bank?

The case was one of the largest ever. An estimated $236 billion was laundered through the Estonian branches. The main culprit seemed to be the lack of communication between Danske Bank’s executive board in Copenhagen and the Estonian branch’s management. This was later exposed as being highly corrupt. 

The executive board was negligent in not enforcing proper communication routes, and not monitoring whether its branches were functioning in a legal way or not.

Like a burst dam, the issue started with one vulnerability: a corrupt branch manager in Estonia. Criminals then exploited that vulnerability over and over again to launder hundreds of billions of dollars of criminal proceeds. 

How did the money laundering take place?

Shortly after the merger in 2007 and Danske Bank acquiring its new branches in Tallinn, the Russian central bank notified Danske of its concerns that the branch was being used for tax evasion, and possibly military and terrorist financing. 

Estonian regulators also criticised Danske for failing to adequately account for compliance risks and not deploying KYC regulations in the branch. 

The Estonian unit of Danske continued to function mostly independently and without oversight. In fact, Danske’s attempt to move its Baltic branches onto a single IT system failed and were not followed up.

The majority of paperwork at the Estonian branch was written in Russian or Estonian, leaving the Danish headquarters unable to conduct proper oversight. 

A new head of International Banking Activities, Thomas Borgen, was appointed in 2009. One of his express objectives was to increase the number of non-resident clients in the Baltic branches, who came from Russia or former Soviet countries. 

The Danske Bank board was unconcerned about the unusually large Russian deposits playing a role in the Estonian branch’s earnings, and simply added the overseas accounts ledgers to their profits. 

The Estonian branch’s non-resident portfolio kept increasing steadily from 2010 to 2015, and the percentage of non-resident accounts’ earnings that were profitable before credit losses increased from 49% to 99% of the branch’s overall profits.

Corporate clients, mainly from Russia, the UK, and the British Virgin Islands, made up the bulk of the non-resident clientele. Despite accounting for just 0.5% of the bank’s assets, the Estonian branch still contributed 11% to Danske’s overall earnings before taxes, a fact that was starkly visible in its 2011 accounts.

Despite alerts and warnings from the Danish Financial Supervision Authority and internal auditors highlighting AML concerns at the Estonian Branch, Thomas Borgen became Danske Bank CEO in 2021.

For more than a year, Borgen failed to appoint an MLRO as required under Danish law. Other banks such as JPMorgan stopped serving as the Estonian branch’s correspondent bank for dollars given the mounting allegations. In a 2013 meeting between Borgen and JPMorgan, Bank of America and Deutsche Bank, Borgen refused to reduce nonresident accounts. 

A 2013 study on the Estonian Branch demonstrated a number of indicators of money laundering. Firstly, there were significantly more transactions among nonresident accounts than usual. Second, the branch produced an unnatural surplus of profit, with many of its customer’s activities showing indifference to major changes in inflation and deflation. Lastly, a large portion of the branch’s clients were denoted as intermediates in the form of unregulated organisations.

Thomas Borgen continued to dismiss these concerns. 

In 2014, Howard Wilkinson, an executive at the branch, published a report regarding suspicious nonresident accounts that were transferring substantial quantities of money through the bank, frequently from Russian roubles to dollars. Wilkinson originally emailed the letter to members of the Executive Board as well as the bank’s internal audit unit, the Baltic banking group, and the Compliance division at Danske. The report mentioned several high-profile clients, many of whom were routing millions of dollars through the branch per day.

The Internal Audit team at Danske used this evidence to produce a scathing assessment of the branch’s nonresident activities. But in 2014, Borgen said he was hesitate to take any decisive action since it may “seriously damage any sales price.”

The first fines by the Estonian FSA were levied in 2015. In 2016, the Danish FSA also levied a fine. Deutsche Bank and Bank of America discontinued their banking agreements with the Danske Bank in 2015. Danske finally shutdown its nonresident business at the Estonian branch in 2016. Fully two years after the 2014 Howard Wilkinson whistleblowing report. 

An external analysis was published in 2018, demonstrating that due to a lack of supervision and money laundering checks, an estimated $236 billion was laundered. Borgen and the chairman resigned, and ten employees at the Tallinn branch were held by Estonian authorities on suspicion of intentionally facilitating money laundering with Russian clients. 

A former executive of the Estonian branch of Danske Bank was found dead in 2019. Estonian police discovered the body of Aivar Rehe, who was in charge of the branch from 2007 until 2015, after he was reported missing. He was a key witness in the Estonian authorities’ ongoing criminal investigation. The cause of his death has been reported as suicide

A criminal investigation into Thomas Borgen and other senior Danske Bank executives was dropped in 2021. An unnamed woman who had ties to Russia was remanded in custody in December 2021 after being extradited from the UK. Three more suspects are also facing charges, while the bank is awaiting action from US, Danish, Estonian and French authorities. The bank was fined €1.8m by Irish authorities in 2022 for failings by its Irish operations.

What AML procedures were missing?

While it is hard to imagine that the Estonian branch was not, at least on some level, wilfully involved in money laundering, there were significant AML procedures which were not present and contributed to the situation.

  • Lack of identification of ultimate beneficial owners (UBOs)
  • Lack of screening of customers
  • Lack of response to negative media reports pertaining to customers
  • Limited reporting of suspicious customers and transactions to authorities
  • Possible collusion with customers on the part of employees of the Estonian branch
  • Lack of oversight of the Estonian branch by the parent company
  • Failure to properly investigate, conclude and report on whistleblower reports
How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.