By Donna Boehme
It’s pretty hard not to be sucked into the ever-expanding saga of Danske Bank’s horrific money laundering misadventure, even just for the sake of some painfully obvious takeaways that it offers to even the casual observer from the governance and compliance and ethics fields. The sheer numbers are astounding. One statistic that is particularly striking is the estimated $200Bn of questionable funds thought to have flowed through the Estonian branch of the tiny bank at the center of Europe’s largest money laundering scandal in history is actually more than the entire $29bn GDP of Estonia in 2017 and is approaching two-thirds of the $324Bn GDP of Denmark itself. In addition, another source estimates the potential illicit funds involved from illicit money laundering activities at 5% of the world’s GDP Yikes! Reports of multiple investigations by U.S. and EU regulators compound daily. So let’s start on those takeaways:
Takeaway #1 – Seat at the Table.
One clear reason for positioning Compliance with seniority and a seat at the table is the fateful transaction which predated all of the Danish bank’s money laundering troubles: its 2007 acquisition of small Finnish bank Sampo Bank which then became Danske’s Estonian branch. In acquiring Sampo, Danske inherited its portfolio of “nonresident funds” and an entity with a separate set of IT systems, preventing any meaningful integration into Danske’s AML controls.
Can there be any doubt that Danske could have benefitted from a strong (Compliance SME) voice at the strategy and senior exec meetings where this transaction was discussed, vetted, approved and implemented? The compliance profession has long advocated for representation in the M+A due diligence and integration processes where serious risks can be identified, evaluated and prevented. At a minimum an independent compliance function could have highlighted the flaws in the bank’s money laundering controls during the critical due diligence and integration stages, and led a stream of enquiries regarding the transaction’s money laundering risk, a risk which should be #1 on the high risk list for all international banking entities. A seat for an independent and empowered CCO in the C-suite and M+A due diligence strategy meetings (at a minimum) should be a ‘no-brainer’ in all financial institutions! Danske should be the last word on the Board’s oversight responsibilities for empowering a true, independent Compliance SME (not a mere JD) with a seat at the table and line of sight authority to address the organization’s most basic compliance, ethics, reputation and culture risks at the outset of any such transaction!
Takeaway #2 – Internal Compliance Investigations are the Achilles Heel of any Compliance program.
Danske is a timely reminder of the dark theme that runs through nearly every Compliance1.0 case study in the recent scandal headlines: a failure of internal investigations to discover misconduct and raise it to the senior levels of the organization for remediation before it explodes in the crisis zone and prosecutors’ crosshairs. GM ( delayed ignition switch recall), VW (wide-ranging emissions software fraud), and Wells Fargo (enormous cross-selling fake accounts customer fraud), Siemens, WalMart and even the current Goldman Sachs newsmaking money laundering scandal are all examples of companies that failed to follow up promptly and robustly to their internal reports of misconduct. After all, the early discovery and remediation of misconduct is at the very heart of the Compliance mandate, and the very rationale of the Federal Sentencing Guidelines themselves. This explains why any experienced CCO regards internal investigations as “where the rubber meets the road” of their compliance program, and its ultimate measurement of success. So the prescription for any failing internal investigation program that requires strengthening and resuscitation is twofold: (i) clear and consistently implemented investigation guidelines that address the most common areas of roadblocks in internal compliance investigations: confidentiality, objectivity, impartiality, timeliness, professionalism and nonretaliation and (ii) a nondiscretionary Board escalation clause that can escalate to the Board’s notice cases in identified areas of high ris It should be noted that these two features should be designed and managed by a true Compliance SME because they are a staple of experienced CCOs.
Takeaway #3 – How a company treats its whistleblowers is a measure of ethical leadership culture.
Companies serious about their compliance obligations should view the success of their internal investigation and nonretaliation policies as a powerful measure of their internal controls and compliance processes. As discussed above, employees that report concerns often bring to light misconduct that could not be discovered by other traditional methods. But without a Compliance SME to develop effective investigation processes, investigations can fail to deliver the desired results. A review of WalMart, Siemens, GM, Wells Fargo and CBS compliance and ethics scandals reveals that reports of misconduct were made, but failed to reach senior management for resolution. Unfortunately, too often those who raise concerns suffer retaliation. Strong investigations guidelines developed by a CCO (with true Compliance SME) can reduce the rate of investigation failures and raise the level of ethical leadership.
Takeaway #4 – “Tip of the Iceberg for AML?”
Steve Kohn, world renowned whistleblower protection expert and counsel to Howard Wilkinson in this matter, has noted recently that because the Danske case likely involved Western banking institutions as “correspondent banks”, the current investigations are merely the “tip of the iceberg” and could have implications for all AML programs if correspondent banks are drawn into the According to Mr. Kohn: “Greed knows no boundaries. Money laundering is an international big business. The Danske scandal will not be solved until every penny transferred from Estonia to the New York banks is tracked down, and those who engaged in illegal transactions are held accountable.” AML compliance experts will surely be analyzing the implications from Danske for their programs. Boards, regulators and all gatekeepers should take specific note of the implications for both Compliance and Audit functions. At a minimum, Boards should insist upon a strong, well-crafted Board escalation policy to ensure that certain high risk matters take an unfiltered path to their attention. A strong independent and empowered Compliance 2.0 program should always incorporate this kind of mechanism, tailored to the company’s risk profile.
There will no doubt be multiple investigations and prosecutions that need to play out, but the impact of Danske should have serious, long-term implications for international financial firms and their compliance programs.