Danske Bank Estonian scandal shows the maximum impact of operational risk failures

The following article is from our latest FIG in Focus newsletter.

In February 2019, Danske branch was ordered to close its Estonian operations by the end of the year as a result of the money-laundering crisis which has gripped the Danish bank.

The branch in question was acquired as a result of Danske’s merger with Finnish Sampobank in 2007. After the merger it continued to use a separate IT system from Danske’s main platform and many of its transactional documents were written only in Estonian and Russian. Due to cost considerations, Danske deferred operational changes which would have mitigated the differences in systems and language which made central oversight of the branch difficult.

The scandal ultimately revolves around Danske’s alleged role in the so-called “Laundromat” operations channeling funds from Russia and Azerbaijan from 2005-13. The transactions originated in Danske Estonia’s so-called “non-resident” portfolio and is believed to be concentrated in a relatively small number of clients, who were thought to be front operations for Russian criminal organizations and politically exposed persons. Many of the suspect transactions were so-called “mirror trades” where securities are bought in Russian roubles and sold in US Dollars. The annual volume of activity originating from this portfolio exceeded the GDP of Estonia for several years and is thought to exceed €200 billion in total. In 2013 the portfolio accounted for 99% of the Estonian branch’s profits and 11% of Danske’s overall profits. Thomas Borgen, who was at that time head of international banking and later went on to become Danske’s chief executive was keen on expansion of this lucrative business.

Given the profitability of the Estonian operation, management refused to act despite some US dollar counterparties refusing to handle mirror trades because of the perceived risk. Another warning sign was that although the non-resident customers utilized foreign exchange, bond and securities trading, the portfolio was described as having “little or no credit risk”.  Management was apparently unconcerned that a huge volume of business apparently had no need of credit products or facilities.

Action was only taken when an internal whistle-blower who alerted Danske’s internal audit team. The whistle-blower was a senior executive at Danske’s UK alleges that he was subsequently internally discredited, and attempts were made to silence his complaints. Eventually in early 2014 management made the startling admission that:

“It was now realized at Group level that AML [anti money laundering] procedures at the Estonian branch involving the Non-Resident Portfolio had been manifestly insufficient and inadequate. It was also realized that all control functions (or lines of defence) had failed, both within the branch and at Group level.”

A later report into the scandal by Danish lawyers Bruun & Hjejle was more scathing, describing Danske’s AML in the following terms:

“(i) insufficient knowledge of customers, their beneficial owners and controlling interests, and of sources of funds; (ii) screening of customers and payments had mainly been done manually and had been insufficient; and (iii) there had been lack of response to suspicious customers and transactions.”

At the time of writing the scandal has forced the resignation and criminal charges being filed against of Danske’s chief executive and finance director. Ten employees in Estonia have also been arrested and charged with money laundering offences. Danske’s market capitalization has halved, and it is expected to cost Danske several billion dollars in fines from regulators in Denmark, Estonia, USA and France.

Although the scale of the Danske disaster is unprecedented many of the underlying themes are unfortunately typical of many past operational risk scandals:

  1. The theme of a geographically remote branch, suddenly contributing large amounts of profit from a previously untapped business source is reminiscent of many past scandals, most notably the 1995 collapse of Barings bank following trading losses in its Singapore office. In Danske’s case the “remoteness” of the Estonian branch is compounded the fact that it was acquired by takeover and appears never properly integrated into the main business.
  2. A source of profits which is apparently free of risks is almost certainly too good to be true. Given the competitive nature of international banking, is it realistic that peers will continue to ignore an apparently rich source of revenues for five years? In Danske’s case the risks it was actually taking are obvious with hindsight, but the absence of credit risk on a large portfolio should have been a warning sign.
  3. The way that Danske’s management acted for much of the period is symptomatic of a corporate culture which consistently underestimated and failed to identify operational risks. At one point Danske had no appointed anti-money laundering officer (as required by Danish law), it failed to invest in proper systems and procedures in its Sampo acquisition, its money laundering procedures were not fit for purpose, and finally it sought to discredit and ignore an internal whistle-blower. This is typical of a so-called “oblivious” risk management culture, analogous to a military tank which blunders into a minefield with its hatches down, unaware of the risks ahead of it.

The Danske case is however unusual in that it demonstrates the full range of the effects of operational risk. Financial impact is likely to be significant in future fines imposed over several jurisdictions. Arguably, the halving of the share price has already imposed this loss on the owners of the business.  The reputational impact upon Danske is best put in their own assessment given to a branch executive committee meeting in 2013: “here is potential reputational risk in being seen to be assisting ’capital flight’ from Russia “. Franchise impacts are often limited to the loss of a group of customers, or the opportunity cost of damage repair. However, in this case the forced closure of the entire Estonian franchise demonstrates that operational risk can ultimately destroy a whole business if the risk management failures are serious enough.