The Danske Bank Scandal Is the Tip of the Iceberg

Financial institutions and the governments that regulate them aren’t doing nearly enough to prevent money laundering.  

The Danske Bank building in Copenhagen, Denmark.
The Danske Bank building in Copenhagen, Denmark. (THOMAS LEKFELDT/AFP/Getty Images)

Last month, the CEO of Danske Bank, Thomas Borgen, stepped down, and both Denmark’s Financial Services Authority and the European Banking Authority opened investigations into the bank’s illegal activities at its Estonian branch. On Sept. 19, Bruun & Hjejle, general practice attorneys hired by Danske Bank, released a chilling report revealing how over 200 billion euros, about $230 billion, were illegally laundered through its branch in Estonia over a nine-year period. Despite this negligence, the report cleared Borgen and the board of directors of any kind of legal responsibility. While it is by no means the first money laundering exposé in recent years, it may be the largest one.

Money launderers seek to disguise criminal behavior and the money generated by it as legitimate. In 2017, the IMF and the United Nations Office on Drugs and Crime estimated that $2.1 trillion dollars is being laundered by criminals annually—with their techniques growing in sophistication. One of the most common strategies for money laundering is creating shell companies, fake companies that take cash in exchange for fake goods or services, in essence operating as money transfer operations.

With increasingly complex schemes to conceal money laundering, it can often be difficult for banks to detect and thwart these criminal activities. Banks have created transaction monitoring systems that target suspicious behavior, such as depositing large sums of cash,  rapid money transfers, or complex transactions designed to escape detection. But because anti-money laundering procedures are automated and rely on predictable patterns of behavior by criminals, money launderers who are experienced and sophisticated will manage to avoid detection by such software. When a customer engages in suspicious behavior that triggers the automated system, in theory, an internal investigator is then alerted and reviews the transaction. However, even in the banking industry, 95 percent of these alerts are considered false positives, and almost none of them result in a formal report of suspicious activity.

The current scandal began in 2007, when Danske Bank acquired the Finland-based Sampo Bank, which also had an Estonian branch. At this particular branch during the period 2007-2013, 44 percent of all deposits came from nonresidents of Estonia—approximately 10,000 of the branch’s customers. Between 2007 and 2015, these same customers conducted 7.5 million transactions (not including transfers between customers). In total, that flow of money added up to about 200 billion euros. Because the Estonian branch had its own IT platform and many documents were written in Estonian or Russian, Danske Bank did not have the same amount of insight into this branch’s activity and simply assumed it was taking appropriate anti-money laundering procedures.

The report published by Bruun & Hjejle explains that this was not the case. The bank knew neither enough about its customers nor enough about their controlling interests. What makes matters more interesting is that 42 employees and eight former employees may have been colluding with criminals to maintain this money laundering activity. According to the report, two of the main perpetrators were the Russian and Azerbaijani “Laundromat” operations.

The breadth of suspicious activity by customers was vast. Some of these customers had shared addresses or held other properties that were suspicious. Others had significant differences between their revenue and payment activities. Still others were publicly associated with money laundering and had made payments with suspicious counterparties in other banks. They were, of course, likely assisted by the 50 employees who are now suspected of collusion. These employees were involved with the suspicious payments, made significant cash deposits, had personal relationships with customers, or were involved in suspicious payments with other employees. One of the many whistleblower reports about the Estonian branch even mentioned that “the bank knowingly continued to deal with a company that had committed a crime.” Even more troubling, after said whistleblower shared concerns about false financial reports with a supervisor, the fake accounts were replaced with new accounts that were equally false.

The Russian and Azerbaijani Laundromats were central to the fraud taking place at Danske Bank’s Estonian branch. The Laundromats were criminal financial vehicles that helped to launder money worldwide through shell companies by using fraud, the rigging of state contracts, and customs and tax evasion. The Russian Laundromat worked between 2011 and 2014 by creating 21 “core” companies in the United Kingdom, Cyprus, and New Zealand.

These companies generated fake debt, then obtained a Moldovan court order that required 19 Russian companies pay these debts to Moldova-based Moldindconbank and Latvia-based Trasta Komercbanka. Once out of Russia, the money was transferred all around the world, accounting for 26,746 payments totaling $20.8 billion to 5,140 companies with accounts at 732 banks in 96 countries. At Danske Bank, 177 customers received payments from these core companies.

Similarly, the Azerbaijani Laundromat used a series of shell companies to disguise the origin of $2.9 billion that is suspected to come from the family of Azerbaijani President Ilham Aliyev. This Laundromat worked as a slush fund to pay off politicians, siphon off private funding, and launder money. While much of this scheme is still under investigation, 75 customers of Danske Bank are implicated, and the Estonian branch handled the accounts of all four major companies involved in the Azerbaijani Laundromat.

Despite all of this suspect activity and a chorus of whistleblowers, Danske Bank did nothing. As early as 2007, the Estonian Financial Supervision Authority came out with a critical report on the bank’s activities. Then, in 2013, the first whistleblower came forward to disclose that the Estonian branch was knowingly dealing with funds from the family of Russian President Vladimir Putin and the Russian security service, the FSB. However, these claims were not properly investigated and faded into the woodwork.

Updating the branch’s anti-money laundering system to Danske’s company standards was apparently too expensive to justify. This is despite the fact that at the time of the report’s publication, 6,200 of the customers hitting the most risk indicators had been screened, and almost all of them were deemed to have engaged in suspicious activity. Over-reliance on automated systems has meant that less time is spent actually analyzing suspicious transactions and is instead focused on increasing profit.

The scandal has made it clear that institutions like Danske Bank need to adopt more stringent procedures to make sure that their branches are not used illegally. Rather than focusing on the behavior of one customer, an anti-money laundering strategy could focus on fund flows, observing where different operational echelons of suspicious criminals intersect with one another.

All of this means nothing, however, if the bank’s staff are not trained to notice and report this criminal activity. Looking at Danske Bank’s failure to observe how criminals used their bank to transfer over 200 billion euros in illicit funds shows just how important it is for financial institutions to revamp their anti-money laundering procedures. If not, they risk reputational failure, years of investigations, and the possibility of billions of dollars in fines.

Banks cannot be trusted to regulate themselves. Ultimately, governments must act to combat money laundering. In the case of Danske Bank, there was a lack of institutional willpower to follow through on money laundering suspicions. State regulators, by contrast, have the ability to mandate greater transparency of company ownership and monetary penalties when banks’ procedures are not sufficient. Furthermore, by advocating a focus on individual liability, governments can make money laundering a personal matter that could result in prosecution.

By pushing for greater transparency, governments can implement legislation that requires action rather than relying on industry best practices. For example, the European Union passed the Fourth Anti-Money Laundering Directive in 2015 to focus on forming a more coherent policy and ensuring that all funds were fully traceable within the EU. However, the Danske Bank case makes clear that this particular measure failed.

It’s easy to see why. Under EU law, anti-money laundering legislation and prosecution is handled at the national level. The European Banking Authority has some ability to issue recommendations to national supervisors, which are then overseen by the European Commission. If these are not followed, it is possible for the agency to issue direct instructions to banks. However, this is rare. The European Commission proposed giving the Banking Authority more powers last month, but it does not enjoy all-encompassing supervision of all financial activity within the EU. The Commission has asked the agency to open an investigation into the Danske Bank case. As there is no genuine EU enforcement power right now, this case may act as a catalyst to increase the EU’s power to act as a deterrent against money laundering and conflicts of interest at the local level, as was the case in Denmark.

Government regulators must work more aggressively across borders and with foreign partners to take enforcement action against money laundering. One of the most effective strategies  is fines. There is no greater persuasive tactic than finding perpetrators and fining them millions of dollars or euros to decrease the likelihood of it happening again—Danske Bank could face several billion dollars in fines from the U.S. Justice Department, for example.

While the Danish Financial Services Authority is tasked with monitoring banks, stock exchanges, brokers, insurance companies, and pension funds, among other financial companies, it fell short in terms of its reaction to Danske Bank. The agency needs to be more adept at mandating greater standards of transparency, focusing on individual liability and handing out monetary penalties. Even actions by the Estonian Financial Supervision Authority, which in 2014 conducted an audit of the branch that voiced concern over anti-money laundering practices, did not result in better behavior from the bank. What was missing was monetary penalties and individual liability measures.

The immensity of Danske Bank’s failure to identify these suspicious transactions has put it in the spotlight. However, it simultaneously puts pressure on all banks to re-evaluate what procedures they have in place. Instead of relying on systems based on “detection rules,” banks should put into place hybrid response strategies that look beyond single instances. Part of what makes money laundering so complex to unravel is that it depends on the connections that banks have with one other. In other words, it uses a bank’s greatest strength against it. Adopting approaches that look into these connections—interactions between suspected criminal accounts—and training employees are critical steps in shaping the future of responding to money laundering.

The interconnectedness of banks has reached the point where money transfers and laundering happen in an instant. Even small banks in countries like Latvia, Moldova, and Estonia are vulnerable to being used as part of a worldwide Laundromat. This environment is precisely why there must be a closer examination into Danske Bank’s conduct and stronger government anti-money laundering regulation.

Governments should begin by requiring banks to comply with stronger transparency regulations. By doing so, they can close the gaps where money laundering can occur. In addition, they must enforce more stringent individual liability rules. By placing the burden directly on bank employees, governments and regulatory agencies can protect banks from criminal networks and employees tempted to collude with them. Finally, they need to threaten and enforce monetary penalties. By creating negative incentives, governments and regulators will not only punish bad actors but also cause others to think twice before engaging in criminal behavior.

For now, Danske Bank is facing the consequences of its actions. Investigations across Denmark, the United Kingdom, and the United States, as well as the resignation of its CEO, could serve as a deterrent and force banks to be more vigilant.

However, as anti-money laundering procedures become more fine-tuned and complex, criminals will become more sophisticated—and the policies of national governments and the EU will have to evolve quickly in order to stop them.


Gabriella Gricius is an assistant analyst at the Hague Centre for Strategic Studies and a senior research associate at the Netherlands Office of the The Public International Law and Policy Group.