Tag: DOJ

Categories
31 Days to More Effective Compliance Programs

Day 3 – Leadership’s Conduct at the Top

DAG Lisa Monaco’s speech in September 2022 announcing the Monaco Memo as articulated in the Monaco Doctrine laid out the very basics of compliance; that the key to every company is culture. She stated, “corporate culture matters. A corporate culture that fails to hold individuals accountable or invest in compliance — or worse that thumbs its nose at compliance — leads to bad results.”

From the enforcement perspective, the DOJ will assess companies for their ethical cultures. From the compliance perspective, the ethical tone of a company and accountability all start at the top and, most specifically, senior management. This requirement is more than simply the ubiquitous “tone-at-the-top,” as it focuses on the conduct of senior management. The DOJ wants to see a company’s senior leadership doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior on a company’s values, and how is such conduct monitored in an organization?

I once had a Chief Executive Officer (CEO) observe the following, “You want me to be the ambassador for compliance.” I immediately said yes, that is exactly what I need you to do. As an “Ambassador of Compliance,” a CEO can fully model the conduct that senior management engages in going forward. Another area a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President, and CEO. He used the VW scandal to address the culture and values at the company proactively and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled, Manager’s Toolkit—What does Integrity mean to you? that managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, the cost for the video was quite reasonable as it was produced internally.

 Three key takeaways:

1. Senior management must do compliance; not simply talk-the-talk of compliance but also walk-the-walk.

2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.

3. Your CEO as Compliance Ambassador.

Categories
The Corruption Files

Episode 15 – The ABB Settlement

Establishing trust can greatly affect the outcome of a case. Thomas Fox and Michael DeBernardis talk about ABB’s 2022 bribery case in South Africa, how self-disclosure benefits any situation, the DOJ’s approach on cracking down recidivists, choosing the right people for your team, and being wary of waivers.

▶️ The ABB Settlement with Tom Fox and Mike DeBernardis Background facts to the case. (00:00:29)

Tom lays out the facts of the ABB settlement. Michael points out the DOJ’s plans for penalizing recidivists and ABB’s biggest compliance misstep. (00:07:07)

Tom emphasizes the importance of compliance oversight, being vigilant of billing in high-risk jurisdictions, and the benefit of ABB’s “almost” self-disclosure. (00:12:08)

Mike discusses the impact of trust and incentivizing other recidivists to come forward and the risks of going off of real-time information. (00:18:27)

Tom mentions how having someone with experience concluding resolutions in the DOJ can make a difference. Even with a fairly low penalty, ABB is still required to report on its compliance program. (00:24:22)

Mike prefers having an independent monitor in place. However, he highlights ABB’s trust in their team to do a thorough job of reporting. (00:27:31)

Mike gives credit to ABB’s swift actions and extensive remediation, describing the DOJ’s outcome as “threading the needle”. Thomas believes the case is still a win for compliance. Michael drives home how doubling down on compliance pays off.

—————————————————————————-

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Categories
Blog

Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 2 – The King and Bribery Schemes

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities. Yesterday we laid out the broad outlines of the enforcement action. Today, I want to take a deep dive into the bribery schemes.

Bribery Schemes

 1. Brazil and Petrobras

Honeywell’s culture was so corrupt in 2010, when the facts around this matter began, that the business unit dealing with Petrobras could openly lie to the corporate compliance function. As stated in the Deferred Prosecution Agreement (DPA), “On or about May 27, 2010, two Honeywell UOP employees submitted a form requesting that Honeywell’s compliance department approve Brazil Sales Company to serve as Honeywell UOP’s sales agent. To increase the likelihood of receiving internal approvals, the Honeywell UOP employees lied on the request form, stating that Brazil Sales Company had been “known to” Honeywell UOP and a Honeywell UOP employee for two years, when, in fact, the companies had no common history and the Honeywell UOP employee had no prior knowledge of Brazil Sales Company.”

Let’s unpack this for a minute. This is a statement in the DPA, and it speaks to not only how poorly the compliance function was thought of internally but a sales function that openly used lying, cheating and fraud as part of their business practices. But not all blame lies with the business unit as where was the corporate compliance function in their trust but verify role? Apparently non-existent. When you wed a business strategy based on corruption and fraud both internally and externally, you can see where this was headed. By 2010, the corruption rot in Petrobras was well-known literally across the globe and there is no way that the Honeywell compliance function did not know doing business with Petrobras was not high risk.

It was at this early junction that the profit-sharing focus as the basis for the bribe payment was structured, “Honeywell Employee 1 and Intermediary 2 offered to pay Petrobras Official 1 one percent of the expected revenue from the Premium Refinery Contract, or approximately $4 million, in exchange for Petrobras Official 1 using his influence to help Honeywell UOP win the contract. They agreed to use a portion of Brazil Sales Company’s expected three-percent sales commission (approximately $12 million) from Honeywell UOP to pay the $4 million bribe. They also agreed that the remaining $8 million from the sales commission paid to Brazil Sales Company would be divided equally between the Intermediary 1 and Intermediary 2.”

Profit sharing with a cap was the basis for the bribe payment. Capitalism at its finest, only topped by the code name given to the corrupt Petrobras employee, the King. The King provided inside information to Honeywell on pricing and terms which the company used to bring in their bid so it would be the winning bid and Honeywell’s profit sharing with the King could commence.

Just how corrupt (or even more charitably inept) was Honeywell during this time frame? Consider the payment mechanisms outlined in the SEC Order. From 2011 to 2014, the Honeywell “employee responsible for processing the Brazil Agent’s commission payments calculated the Brazil Agent’s commission using numbers from UOP’s invoice and neither asked for nor included an invoice from the Brazil Agent before forwarding the payment request to Honeywell’s accounting group. The payment requests lacked relevant information and when the Brazil Agent changed his company’s name and wanted the commission payments routed to a Swiss bank account in the new company’s name, she forwarded the payment requests without question.” Honeywell was paying from US to Swiss bank accounts to parties with no reported due diligence or even contracts with Honeywell. This was not the compliance function making the payments but corporate accounts payable. Just how big an internal controls failure was this?

3. Algeria and Sonatrach

 This bribery scheme involved Honeywell Belgium and the well-known corrupt third-party agent Unaoil. In 2011, Honeywell Belgium hired Unaoil to help facilitate its relationship with Sonatrach. According to the SEC Order, right out of the box, Unaoil officials received “a panicked phone call from the HPS [Honeywell Belgium] Regional GM asking him to make a pass-through payment to a group of people in Europe who purportedly had helped Honeywell Belgium secure a contract with Sonatrach.” Things only got worse from there for Honeywell Belgium. Unaoil, “on behalf of Honeywell Belgium, paid the Sonatrach official $50,000 from a Swiss bank account and an additional $25,000 from the same Swiss bank account on December 28, 2011.”

Thereafter, Honeywell Belgium and Unaoil agreed to a commission structure of 4.5% for contracts landed by Unaoil with Sonatrach with an amount not to exceed $500,000. While no such work was delivered by Unaoil, it billed Honeywell Belgium a lump sum of $300,000 which was approved internally and paid by finance and “falsely recorded as a sales commission. Through a series of intermediary transfers, the Monaco Agent used a portion of the money from Honeywell Belgium to repay the Consultant who had paid the $75,000 in bribe payments to the Sonatrach official. The series of intermediary transfers involved multiple U.S. correspondent banks located in New York. The Monaco Agent admitted that it recorded the payments with internal codes the Monaco Agent sometimes used for bribe payments.”

Join me tomorrow where I conclude with some lessons learned from this final FCPA enforcement action from 2022.

Categories
Blog

Profit Sharing as Bribery: The Honeywell FCPA Enforcement Action: Part 1 – Introduction

To close out 2022 in Foreign Corrupt Practices Act (FCPA) enforcement actions, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) both announced settlements of FCPA enforcement actions with Honeywell UOP, a US-based subsidiary of Honeywell International Inc. For its actions, Honeywell agreed to a criminal penalty of about $79 million, with the DOJ crediting up to $39.6 million of the criminal penalty for Honeywell’s payments to authorities in Brazil in related proceedings. The company agreed to pay the SEC $81.5 million in disgorgement and prejudgment interest and the SEC provided for an offset of up to $38.7 million for payments to Brazilian authorities.

US Attorney Alamdar S. Hamdani for the Southern District of Texas said in the DOJ Press Release,  “This case exemplifies corporate misconduct on a global level. Prosecuting and investigating this type of crime is an important role our office takes seriously in order to ensure fair and equal playing fields for U.S. companies and consumers. We will continue our efforts to aggressively investigate and prosecute those who violate the FCPA and combat corrupt practices in order to preserve the integrity of our nation’s business dealings here and abroad.”

According to the DOJ Press Release, “between 2010 and 2014, Honeywell UOP conspired to offer an approximately $4 million bribe to a then-high-ranking executive of Petróleo Brasileiro S.A (Petrobras) in Brazil. Specifically, Honeywell UOP offered the bribe to secure improper advantages in order to obtain and retain business from Petrobras in connection with Honeywell UOP’s efforts to win an approximately $425 million contract from Petrobras to design and build an oil refinery called Premium.” The company also ran into trouble in Algeria, as was noted in the SEC Press Release which stated, “in 2011, employees and agents of Honeywell’s Belgian subsidiary paid more than $75,000 in bribes to an Algerian government official to obtain and retain business with the Algerian state-owned entity Sonatrach.”

In Brazil, Honeywell entered into an agency agreement with a sales agent for the purpose of funding and paying the $4 million bribe to the high-ranking Petrobras executive. Interestingly, the corrupt Petrobras executive was paid a percentage of the contract value, which was funded with the full knowledge of Honeywell’s US corporate office. In exchange for the bribe payments and after obtaining business advantages, including inside information and secret assistance from the Petrobras executive, Honeywell won the contract. Honeywell earned approximately $105.5 million in profits from the corruptly obtained business. The Algerian bribes were paid by Honeywell Belgium through the well-known corrupt entity Unaoil and were made via a pass-through payment to a group of people in Europe who purportedly had helped Honeywell Belgium secure a contract with Sonatrach.

Honeywell was able to secure a Deferred Prosecution Agreement (DPA) from the DOJ and although the company did not self-disclose its conduct and therefore did not receive any discount for doing so, the company did receive a 25% discount through for its cooperation with the Fraud Section’s and the Office’s investigation “by, among other things, (i) proactively disclosing certain evidence of which the Fraud Section and the Office were previously unaware; (ii) providing information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its own independent investigation; (iii) making detailed presentations to the Fraud Section and the Office; (iv) voluntarily facilitating interviews of employees; (v) collecting and producing voluminous relevant documents and translations to the Fraud Section and the Office, including documents located outside the United States.” The SEC Order stated, “Honeywell cooperated in the Commission’s investigation by identifying and timely producing key documents identified in the course of its own internal investigation, providing the facts developed in its internal investigation, and making current or former employees available to the Commission staff, including those who needed to travel to the United States.”

Interestingly, while the DPA does require Chief Compliance Officer (CCO) certification, it does not mandate a monitor. According to Attachment F in the DPA, the Chief Executive Officer (CEO) and CCO are both aware of the compliance obligations of Honeywell as laid out in the DPA, and “based on a review of the Companies’ reports submitted to the Department of Justice, Criminal Division, Fraud Section and the United States Attorney’s Office for the Southern District of Texas pursuant to Paragraph 12 of the Agreement, the reports are true, accurate, and complete.” Moreover, both the CEO and CCO must certify that, based on their “review and understanding of Companies’ anti-corruption compliance programs, the Companies have implemented anti-corruption compliance programs that meet the requirements set forth in Attachment C to the Agreement. The undersigned certifies that such compliance programs are reasonably designed to detect and prevent violations of the anti-corruption laws throughout the company’s operations.”

Finally, as noted herein, the case was truly international both in the scope of the bribes paid and in the use of the well-known corrupt energy industry agent Unaoil by Honeywell. The Unaoil connection was most probably how the DOJ was first notified about Honeywell’s bribery and corruption. Enforcement was also international in scope with a part of both the DOJ and SEC fines and penalties credited to payments made by Honeywell based upon the investigation in Brazil by the Controladoria-Geral da União (CGU), the Ministério Público Federal (MPF), and the Advocacia-Geral de União (Attorney General’s Office).

Join me tomorrow where I take a deep dive into the bribery schemes, or profit sharing with a King.

Categories
31 Days to More Effective Compliance Programs

Day 2 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and improvement are two of the most important phrases for any compliance program. These twin concepts were perhaps the biggest modifications in the 2020 Update to the Evaluation of Corporate Compliance Programs. In 2021 and 2022, all companies’ risks changed as we moved from Working From Home to Return To Office and now a hybrid work model. Of course the great resignation has also played a part.These changes in our basic work location drove home perhaps the most prescient comment I heard during the pandemic, which was by Jed Gardner, who said, “We have moved from disaster recovery to business continuity to business as usual.” This means that risks will change in ways you may not see at speeds you do not anticipate. Your compliance program must be ready to respond to whatever those risks might be going forward.

In the 2020 Update, the DOJ began to address this from the compliance program perspective with several questions. “Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”

The next area for continuous monitoring and improvement was an area of compliance that is not normally associated with those concepts, Policies, and Procedures. Here questions included “When was the last time your policies and procedures were updated? Perhaps more importantly, under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring, or continuous access to operational data and information across functions?”

The final area in the 2020 Update for consideration is called Continuous Improvement, Periodic Testing, and Review. The question included the following, “How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular risk areas are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based on lessons learned from its misconduct and/or other companies facing similar risks?”

Three key takeaways:

1. How has your company’s risks changed over the past year?
2. What is your process for continuous monitoring and improvement?
3. What sources of information do you use that come from outside your organization?

Categories
Daily Compliance News

December 28, 2022 – The Declination Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Stories we are following in today’s edition of Daily Compliance News:

  • Peru arrests generals for corruption. (DW)
  • Safran gets Declination. (WSJ)
  • Meta settles for Cambridge Analytica. (BBC)
  • Angola court orders dos Santos asset seizure. (Al Jazeera)
Categories
Blog

Danske Bank: Part 5 – Final Thoughts

Over the past several blog posts, we have been exploring the Danske Bank A/S (Danske Bank), AML enforcement action in which Danske Bank pled guilty and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. Danske Bank also settled with the Securities and Exchange Commission (SEC) for misleading US investors about the bank’s anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

Banks Still Behaving Badly

According to Violation Tracker, the top 10 banks for fines and penalties for this century are as follows:

TOP 10 CURRENT PARENT COMPANIES TOTAL PENALTY $ NUMBER OF RECORDS
Bank of America $83,354,221,356 271
JPMorgan Chase $36,129,286,132 223
Citigroup $25,740,655,365 159
Wells Fargo $22,081,458,643 229
Deutsche Bank $18,541,562,802 79
UBS $17,082,743,334 106
Goldman Sachs $16,603,475,848 90
NatWest Group PLC $13,515,546,857 31
Credit Suisse $11,427,400,126 52
Morgan Stanley $10,167,765,234 190

In 2022, the top fines involving banks are:

  • Danske Bank: $2.4 billion
  • Bank of America: $225 million
  • Citigroup: $200 million
  • Goldman Sachs: $200 million
  • Morgan Stanley: $200 million
  • Credit Suisse: $200 million
  • Barclays: $200 million
  • Deutsche Bank: $200 million
  • Nomura: $100 million

For whatever reason, banks cannot seem to get it anything near right. Willie Sutton is alleged to have said the reason he robbed banks was because “that’s where the money was.” Now it seems the banks are the bad guys, and the regulators continually have to lay out what seems massive fines and penalties to banks. Yet banks seem oblivious to playing within the bounds of the law. Perhaps, and to broaden out Consumer Financial Protection Bureau (CFPB) head Rohit Chopra’s statement announcing the latest fine against a bank, Wells Fargo at $3.7 billion “Wells Fargo’s rinse-repeat cycle of violating the law” needs to be updated to banks “rinse-repeat cycle of violating the law.”

M&A Double Trouble

Purchasing a corrupt entity is certainly one thing but allowing it to stay corrupt is quite another. As I often say, if an acquisition target engaged in bribery and corruption, or indeed money-laundering, before you acquired them and continue to do so after said purchase; it is not them but you who are now breaking the law. When Danske Bank purchased the branch that became Danske Estonia, it was aware that a substantial portion of the Estonian branch’s customers were “non-residents of Estonia, a group of accounts known as the Non-Resident Portfolio or “NRP” and that many of the NRP customers were from Russia and other former Soviet-bloc countries. These NRP customers’ practices included well-known red flags for potential money laundering: for example, frequent use of offshore LLPs and nominee directors to obscure or conceal beneficial ownership information, use of unregulated intermediaries to carry out transactions on behalf of unknown clients, and ties to jurisdictions with enhanced money laundering risks. Some of these practices were known to Danske in 2007.”

But here is where Danske Bank sealed its fate. As detailed by Matt Kelly in Radical Compliance, calling it the “fatal mistake by bank leadership”; and as laid out in the Plea Agreement, “Danske Bank canceled the migration to the central technology system because the executive board, consisting of Danske Bank senior executives, concluded it would “simply be too expensive” and could cause irregularities.” This allowed Danske Estonia to “maintain its own antiquated IT systems, with no automated customer due diligence or transaction monitoring — simply because bringing the Estonia branch up to acceptable compliance standards would be too expensive. Danske leaders didn’t have the requisite commitment to effective compliance, and from there its AML troubles flowed.”

Money, Money, Money

Perhaps the biggest problem for Danske Bank was the one in the mirror and its addiction to the filthy lucre generated by its Estonia Branch. Both Danske Bank itself and the regulatory authorities made clear the actual AML failures which were ongoing. According to the SEC Order, in “February 2014, Danske hired an external, independent third party to conduct a limited review of Danske Estonia’s AML practices” who concluded into only two months that there were “numerous AML deficiencies that left Danske Estonia highly susceptible to money laundering, including 17 identified as “critical or significant” control deficiencies. Danske’s legal department recommended and retained a third party to conduct a comprehensive internal investigation of Danske Estonia’s customers and transactions and to investigate allegations of employee misconduct. However, Danske senior management canceled the contract and decided to conduct the investigation internally. An internal Danske working group conducted only limited additional investigation of Danske Estonia at that time.”

The regulators identified the illegal issues as well. The Estonia FSA conducted a series of examinations at Danske Estonia and provided a draft report to Danske Estonia which detailed extensive facts concerning willful violations of Estonian AML law by Danske Estonia employees. The report stated, “Danske systematically establishes business relationships with persons in whose activities it is possible to see the simplest and most common suspicious circumstances” and concluded that Danske Estonia systematically ignored Estonian AML law. Danske acknowledged the severity of the Estonian FSA’s findings in communications, including one in which a Danske manager stated, “It is a total and fundamental failure in doing what we should do and doing what we claim to do. This just even more underline[s] the need of full clean up now.” [Emphasis added.] Another manager stated, “The executive summary of the . . . letter is brutal to say the least and is as close to the worst I have ever read within the AML/CTF area. . . . [I]f just half of the executive summary is correct, then this is much more about shutting all non-domestic business down than it is about KYC procedures . . . .” Nonetheless, instead of terminating the NRP business, Danske management opted to continue it because of the profits it generated.” [emphasis in original]

So, we leave this sordid saga of the US DOJ and SEC bringing an AML enforcement action against a Danish bank. At least the US is willing to bring such an enforcement action.

Categories
Compliance Into the Weeds

The Danske Bank AML Enforcement Action

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, we consider the Danske Bank AML enforcement action, and the bank recently pled guilty to money-laundering violations through its Estonia subsidiaries.

Some of the highlights included:

  • The background facts.
  • What did the home bank know and when?
  • Did a tech failure set this all in motion?
  • The Bank’s attempts to hide the violations from US authorities.
  • Why is the US and not Denmark bringing an enforcement action against a Danish bank?
  • What about CCO certification?
  • The role of the Danish monitor.

 Resources

Tom in the FCPA Compliance and Ethics Blog

Matt Kelly in Radical Compliance

Categories
Blog

Danske Bank: Part 4 – The Bank’s Response

We are exploring the Danske Bank A/S (Danske Bank), AML enforcement action in which Danske Bank pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

Most probably at this point you are thinking it is a very good thing Danske Bank is the premier financial institution in Denmark, or they might not still exist. But as we have seen right up until today, banks continue to engage in the most egregious behavior and simply are hit with another set of fines and penalties. (Wells Fargo Bank NA fined yet another $3.7 billion, this time by the Consumer Financial Protection Bureau, seeConsent Order.) I suppose it is no surprise that Danske Bank was given “too large and too important to put out of business” designation by Danish regulators. That is also probably one of the key reasons the US government brought this enforcement action. First, because the US had the teeth to do and second, the Danish regulators could simply ‘blame the Americans’.

Of course, Danske Bank itself demonstrated its colors when one of its executives said in an email, [Per the SEC Order] “[W]e should be mindful that we have a really bad case in Estonia, where I believe that all lines of defence failed. . . We should make sure that we don’t create a relationship where [Correspondent Bank 2] suddenly feels the need to share their concerns about Danske with US regulators.” The Order went on to note, “Between September 2015 and January 2016, the Danish FSA sent a draft AML inspection report to Danske which included a reprimand related to Danske’s Board of Directors’ failure to identify and address risks at Danske Estonia. In March 2016, the Danish FSA issued a final inspection report which was provided to Danske senior management in which it reprimanded Danske for its failure to identify critical risks at Danske Estonia and failure to limit these risks and concluded that Danske was not in compliance with the Danish AML Act and that “the conditions at the bank’s branch in Estonia posed a material reputation risk for the bank.””

Danske Bank did not receive credit for self-disclosure, but the bank did receive credit for its cooperation, which included full cooperation and admission of responsibility, providing documents and witnesses to be interviewed, all located outside the US and, perhaps most importantly, a “detailed analysis of cross border transactions.” As remedial steps the Bank closed its “non-residential portfolio”, terminated employees, including senior bank executives who were engaged in the conduct, improved its AML function, including a centralized money laundering financial compliance and financial crime program, hired competent and experienced AML compliance professionals and initiated direct reporting lines to the Board of Directors. The Bank agreed to a best-in-class compliance program and an independent expert appointed by the Danish FSA to oversee implementation of the remedial solution. Interestingly, if this independent expert quits for any reason the DOJ retains the right to appoint a monitor.

Danske Bank agreed to a three-year period of continuing cooperation and reporting to the DOJ. Although there is no Deferred Prosecution Agreement (DPA) since this was a criminal guilty plea it seems to act in the manner of ongoing obligations under a DPA. However, it will require Court approval and ongoing oversight because it is a plea deal and not a DPA. Danske Bank is to meet at least quarterly with the DOJ throughout the three-year term, and to submit annual progress reports to the prosecutors until the agreement expires at the end of 2025. According to Radical Compliance, the first report, due in December 2023, needs to focus on three topics:

  • Complete description of the bank’s remediation efforts to date;
  • Complete description of the testing conducted to evaluate the effectiveness of the compliance program, and the results of that testing; and
  • Proposals to assure that the compliance program is reasonably designed, implemented, and enforced.
  • The next reports, due at the end of 2024 and 2025, respectively, are supposed to cover all the same ground, and incorporate any feedback the Justice Department provides from the prior reports.

Of course, there is the Chief Compliance Officer (CCO) certification. Would you like to be the CCO who has to certify the Danske Bank AML compliance program is “reasonably and effectively designed to deter and prevent violations of money laundering, anti-money laundering, and bank fraud laws throughout the bank’s operations”?

Tomorrow, we conclude with final thoughts and lessons learned.

Categories
Blog

Danske Bank: Part 2 – Jurisdiction

We finally have the big one in money laundering. That, of course, is Danske Bank A/S (Danske Bank), a global financial institution headquartered in Denmark, which pled guilty this week and agreed to forfeit $2 billion to resolve the US investigation into its fraud on US banks. According to the Department of Justice (DOJ) Press Release, “Danske Bank defrauded U.S. banks regarding Danske Bank Estonia’s customers and anti-money laundering controls to facilitate access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia.” Danske Bank also settled with the Securities and Exchange Commission (SEC) who said, in their Press Release, the Bank misled investors about its anti-money laundering (AML) compliance program in its Estonian branch and failed to disclose the risks posed by the program’s significant deficiencies.

One might reasonably ask why the US government is bringing this action. I think there are two key reasons. First, only the US has the cache to bring such a massive enforcement action against any bank, wherever they are domiciled, which threatens the world’s financial integrity through multiple years of facilitating money laundering. The second is that as the world’s principal financial leader, the US government sees itself as the protector and enforcer of that system. While many outside the US may decry these realities, it is clear that only the US can lead such an action. There certainly were other countries which participated, as both the DOJ and SEC Press Releases noted the cooperation of Denmark and Estonia in this enforcement action but at the end of the day, it had to be led by the US.

Jurisdiction

Even if the US feels that it should lead an enforcement effort in this affront to international law, there still must be jurisdiction to bring these enforcement actions. According to the SEC Complaint, “Danske is a Danish multinational banking and financial services corporation headquartered in Copenhagen, Denmark. At all relevant times, Danske was the largest bank in Denmark and a major retail bank in Northern Europe, with offices in countries outside Denmark.” However, I was somewhat surprised to learn that “Danske’s shares traded in Denmark on the OMX Copenhagen and in the United States over-the- counter (“OTC”) as American Depositary Receipts (“ADRs”) listed in U.S. dollars, and U.S. investors constituted a significant portion of Danske’s shareholders. Between 2009 and 2018, U.S. shareholders held as much as 18% of Danske’s stock.”

This stock sold in the US warranted regulatory protection of US investors. The SEC Complaint went on to note that Danske Bank “engaged in deceptive acts, including misleading Danish regulators and U.S. correspondent banks, to conceal its AML and KYC deficiencies. Danske stopped providing services to its high risk customers by April 2016 but failed to timely disclose to investors known misconduct and widespread AML failures.” These failures to inform investors took the form of “a variety of reports, including annual, interim, corporate governance, and risk management reports, in English on its corporate website for the benefit of and made available to, inter alia, actual and prospective U.S. investors. Certain of these reports contained representations to investors about Danske’s risk management processes and disciplines related to the banks systems and controls. Such systems and controls would include Danske’s policies and procedures to detect, prevent and mitigate risks to the bank from financial crime, including money laundering.” Finally, the harm from the illegal conduct hit US investors as “between September 2017 and November 1, 2018, Danske’s share price dropped by approximately 49% as the full extent of Danske’s misconduct became apparent.”

The only reference to US jurisdiction from the DOJ came in the Plea Agreement which obliquely noted Danske Bank “engaged in suspicious transactions through U.S. banks.”

We rarely take a deep dive into the jurisdiction which allows a Foreign Corrupt Practices Act (FCPA) or other similar action to be brought in the US. However, the Danske Bank AML enforcement action makes clear that simply because a company is domiciled outside the US, if it does business internationally, there may be multiple US jurisdiction points which could allow US authorities to bring an enforcement action.

Tomorrow, where did it all start and what were the AML compliance program failures?