Categories
Blog

Danske Bank: Part 3 – Compliance Failures

We are exploring the Danske Bank A/S (Danske Bank), AML enforcement action in which Danske Bank pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

How did it start to go wrong?

Interestingly, and most significantly for compliance professionals, the trouble for Danske Bank started with an acquisition. According to the Plea Agreement, “Danske Bank acquired Finland-based Sampo Bank in 2007, including Sampo Bank’s large operation in Estonia. A significant part of Sampo Bank’s Estonia business was providing banking services to non-resident customers, that is, companies and individuals residing outside Estonia, including in Russia. DANSKE BANK knew this was a large part of Sampo Bank’s Estonian business model and continued this business after acquiring Sampo Bank. The non-resident portfolio (“NRP”) was, by far, Danske Bank Estonia’s most lucrative business line, generating, over the life of the branch, over 50% of Danske Bank Estonia’s profits. DANSKE BANK knew that many NRP customers conducted transactions in U.S. dollars, which required Danske Bank Estonia to use U.S. banks and bank accounts to process those transactions. By December 2013, DANSKE BANK knew that the NRP was high-risk because, among other reasons, its customers resided in high-risk jurisdictions, frequently used shell companies to shield the identity of their ultimate beneficial owner or the sender or recipient of transactions, and engaged in suspicious transactions through U.S. banks.”

In addition to a failure of due diligence in the pre-acquisition phase, Danske Bank did nothing post acquisition to make sure the new Estonian branch complied with basic AML. Danske Bank Estonia had an inadequate and ineffective compliance program that applied to all customers. As noted in the Plea Agreement, “Danske Bank Estonia, through its International Banking Group (“IBG”), attracted NRP customers by ensuring that they could transfer large amounts of money through Danske Bank Estonia with very little, if any, oversight or scrutiny. IBG employees conspired with their customers to shield the true nature of their transactions, including by assisting customers to conceal beneficial owners by establishing accounts for known shell companies and sometimes creating shell companies for customers in exchange for a “consulting fee.””

Actual Knowledge of Compliance Failures

To read the settlement documents it is clear that Danske Bank was making so much money laundering its Russian clients that it did everything it could do so to avoid making any changes which would kill the golden goose. As early as 2007, Danske Bank was aware a substantial portion of Danske Estonian branch’s customers were non-residents of Estonia, the NRP accounts, and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering, for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Yet both Danske Bank Estonia and the parent Danske Bank maintained that “all is well” (yes cue the Animal House riot scene about now).

It was not as if Danske Bank was unaware of its Estonia branch shortcomings and failures. According to the SEC Complaint, “in 2007, the Danish Financial Supervisory Authority (“Danish FSA”) contacted Danske with concerns it had received from the Bank of Russia about NRP customers allegedly engaged in illicit transactions through Danske Estonia, including money laundering which was discussed by Danske’s Board of Directors in August 2007.” In light of the Danish FSA’s warnings, Danske conducted an internal audit of Danske Estonia’s transactions in 2007. That audit did not assess whether Danske Estonia complied with AML and Know-Your-Customer (KYC) procedures required under applicable laws and regulations, but the audit report provided to Danske management noted that Danske Estonia’s procedures in this area were “thin.” The 2007 audit recommended to Danske management that Danske undertake further investigation of Danske Estonia’s practices to ensure compliance with applicable law. Further, in March and April of the same year, the Estonian FSA had carried out an inspection at Danske Estonia and issued an inspection report on August 16, 2007, which found that the Estonian branch was not compliant with its legal obligations.

These compliance shortcomings were in four general areas. Danske Bank Estonia used foreign consultants and intermediaries to recruit customers and outsourced its legal obligations to conduct due diligence and obtain KYC information to third parties. Second, Danske Bank management knew that Danske Estonia was offering certain high-risk services and products associated with suspicious activity which Danske did not permit other branches to offer. Third, Danske Bank knew that its IT platform was incompatible with Danske’s IT platform. Danske knew or was reckless in not knowing that Danske Estonia could not conduct automated AML or KYC controls, such as automated customer screening and automated transaction monitoring. Fourth, Danske Bank Estonia’s AML and compliance control framework did not adequately mitigate the risks of the NRP portfolio and Danske failed to provide effective supervisory oversight. Danske Estonia’s compliance and AML departments were structured differently than at other Danske branch and reported directly to Danske Estonia’s branch manager with dotted line reporting to Danske’s compliance and AML departments. As a result, Danske Estonia’s compliance and AML functions were not effectively monitored or effectively supervised by Danske.

Tomorrow, the Danske Bank response.

Categories
Daily Compliance News

December 19, 2022 – The Qatar Threatens The EU Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

 

Stories we are following in today’s edition of Daily Compliance News:

  • Qatar threatens EU over bribery allegations. (WSJ)
  • The UK takes a stand against corruption. (Forbes)
  • Washington SCt blocks Albertson’s distribution. (Reuters)
  • SBF expected to agree to extradition. (NYT)
Categories
Corruption, Crime and Compliance

The Curious FCPA Case of Asante Berko

In 2020, Asante Berko settled a case with the SEC by agreeing to pay $329,000. A criminal indictment was filed in Brooklyn, New York shortly after the settlement. In November of 2022, Berko arrived in London at Heathrow Airport and was then arrested; charged with conspiring with two Ghanaian officials and four other individuals to benefit Goldman Sachs, himself, and a Turkish energy company. The scheme began to unravel when Goldman Sachs discovered the payments. Join Michael Volkov as he examines the recidivist case of Asante Berko’s FCPA violations.

  • Berko orchestrated the bribery scheme between 2014 and 2017 to secure an electrical power contract from the Ghanaian government for the Turkish energy company. They were attempting to secure a power purchase agreement (PPA) or an emergency power agreement (EPA) with Ghana, which required the approval of certain Ghanian officials and entities, including a senior Ghanaian official as well as the Executive Cabinet and Parliament.
  • In seeking reimbursement for the bribes paid out by Berko and his conspirators, he falsified invoices for consulting services allegedly provided by a Ghanian consulting company, which were then paid by the Turkish energy company. The payments were routed through correspondent banks in the US. 
  • Violators of FCPA often act with flagrant disregard of the laws and delusions that their obvious crimes will remain undiscovered and uninvestigated, Michael comments.
  • Goldman Sachs officials began questioning the Turkish energy company about the payments to the Ghana consulting Company that appeared in their financial analysis. Despite the reassurance of Co-conspirator Number 3, Goldman Sachs conducted a due diligence review of the transaction and various email accounts and communications, including personal accounts used by Berko and others for incriminating conversations.

 

Resources

Goldman Sachs Official Indicted Over Ghana Bribery Scheme

Email Michael: mvolkov@volkovlaw.com 

 

Categories
The ESG Report

Simplifying ESG with Mandi McReynolds

Tom Fox welcomes Mandi McReynolds to this episode of the ESG Report. Mandi is the Head of Global Environment, Social and Governance at Workiva, a company whose ESG program allows them to communicate with internal and external stakeholders. In this conversation, she and Tom talk about Workiva’s role in ESG compliance.

The Backbone of ESG

Internal controls are the backbone of ESG, so including them in your framework will make your ESG program run more efficiently. This takes the collaborative effort of your compliance, finance and sustainability teams. In order to meet the needs of investors and stakeholders, these teams must collaborate and agree on the systems and processes they should use.

 

The Business Process

Risks can be managed more effectively with an ESG program that is well-implemented. It is important to understand this when thinking about the business process of ESG. “[However], you can’t be so ESG-woke that you take your company broke,” Mandi cautions Tom. You need to strike a balance between making sure that your company is operating and behaving ethically, and also delivering on its promises to its stakeholders. Investors need to see how you’re keeping your promises and commitments through transparent reporting, so you can demonstrate your commitment. These are all part and parcel of the business process of ESG. 

 

Looking Ahead

Tom asks Mandi what technological components of ESG will be more prevalent in the future. “We’re going to see more advancements in scenario planning,” she says. Companies are going to be thinking about tools and simulations they can use with data to shape their future direction. In the coming years, these tools will only continue to advance, and they’re going to be crucial in making sure companies live up to the standards they have established for themselves. “In order for companies to deliver on their commitments, they have to start telling consumers and stakeholders about where they are, where they’ve been, and where they’re going. In order to do that, I think we’re going to see incredible advances in technology in a very short amount of time,” Mandi remarks. 

 

Resources

Mandi McReynolds | LinkedIn 

Workiva

 

Categories
Blog

Danske Bank: Part 2 – Jurisdiction

We finally have the big one in money laundering. That, of course, is Danske Bank A/S (Danske Bank), a global financial institution headquartered in Denmark, which pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

One might reasonably ask why the US government is bringing this action. I think there are two key reasons. First, only the US has the cache to bring such a massive enforcement action against any bank, wherever they are domiciled, which threatens the world’s financial integrity through multiple years of facilitating money laundering. The second is that as the world’s principal financial leader, the US government sees itself as the protector and enforcer of that system. While many outside the US may decry these realities, it is clear that only the US can lead such an action. There certainly were other countries which participated, as both the DOJ and SEC Press Releases noted the cooperation of Denmark and Estonia in this enforcement action but at the end of the day, it had to be led by the US.

Jurisdiction

Even if the US feels that it should lead an enforcement effort in this affront to international law, there still must be jurisdiction to bring these enforcement actions. According to the SEC Complaint, “Danske is a Danish multinational banking and financial services corporation headquartered in Copenhagen, Denmark. At all relevant times, Danske was the largest bank in Denmark and a major retail bank in Northern Europe, with offices in countries outside Denmark.” However, I was somewhat surprised to learn that “Danske’s shares traded in Denmark on the OMX Copenhagen and in the United States over-the- counter (“OTC”) as American Depositary Receipts (“ADRs”) listed in U.S. dollars, and U.S. investors constituted a significant portion of Danske’s shareholders. Between 2009 and 2018, U.S. shareholders held as much as 18% of Danske’s stock.”

This stock sold in the US warranted regulatory protection of US investors. The SEC Complaint went on to note that Danske Bank “engaged in deceptive acts, including misleading Danish regulators and U.S. correspondent banks, to conceal its AML and KYC deficiencies. Danske stopped providing services to its high risk customers by April 2016 but failed to timely disclose to investors known misconduct and widespread AML failures.” These failures to inform investors took the form of “a variety of reports, including annual, interim, corporate governance, and risk management reports, in English on its corporate website for the benefit of and made available to, inter alia, actual and prospective U.S. investors. Certain of these reports contained representations to investors about Danske’s risk management processes and disciplines related to the banks systems and controls. Such systems and controls would include Danske’s policies and procedures to detect, prevent and mitigate risks to the bank from financial crime, including money laundering.” Finally, the harm from the illegal conduct hit US investors as “between September 2017 and November 1, 2018, Danske’s share price dropped by approximately 49% as the full extent of Danske’s misconduct became apparent.”

The only reference to US jurisdiction from the DOJ came in the Plea Agreement which obliquely noted Danske Bank “engaged in suspicious transactions through U.S. banks.”

We rarely take a deep dive into the jurisdiction which allows a Foreign Corrupt Practices Act (FCPA) or other similar action to be brought in the US. However, the Danske Bank AML enforcement action makes clear that simply because a company is domiciled outside the US, if it does business internationally, there may be multiple US jurisdiction points which could allow US authorities to bring an enforcement action.

Tomorrow, where did it all start and what were the AML compliance program failures?

Categories
FCPA Compliance Report

Scott Garland and Zach Hafer – Practice After the DOJ

Welcome to the award-winning FCPA Compliance Report, the most senior podcast in compliance. I have double trouble in this episode as I welcome Scott Garland and Zach Hafer. They worked together for many years at the US Attorney’s Office for the District of Massachusetts. Both are now in private practice, Garland as a Managing Director at Affiliated Monitors, Inc. and Hafer as a Partner at Cooley LLP in Boston.

Some of the highlights include:

In this podcast, we consider DOJ corporate enforcement through the mechanisms of DPAs and NPAs based upon Hafer’s tenure as the Criminal Chief. They discussed the need to balance approving prosecutions for general impact vs. based on the case’s merits. We also consider how, if at all, the Monaco Memo changes DOJ focus. Garland leads us through a discussion of compliance issues within a prosecutor’s office, why your compliance philosophy is so critical, and some of the biggest issues and situations they both confronted while in the US Attorney’s Office for the District of Massachusetts. We conclude this section with a discussion of receiving compliance advice: what worked and what did not.

We conclude with a discussion of transitioning from DOJ to private practice, and both Zach and Scott summarize some of the key questions they are getting from clients. Garland opines on key issues he sees for monitors after Monaco Memo, and we conclude with why proactive monitoring can be such a powerful tool.

 Resources

Scott Garland at Affiliated Monitors

Zach Hafer at  Cooley LLP