It was quickly decided among the four recipients of the whistleblower report that Group Internal Audit should conduct an investigation into the allegations, using employees from outside the Estonian branch. On January 7, 2014, the Executive Board was informed of the allegations but was not given a copy of the whistleblower report. The Audit Committee was also given information about the investigation by Group Internal Audit at its meeting on January 27, 2014. However, according to minutes of the meeting, it was not specified that the investigation resulted from a whistleblower report.
On January 9, 2014, three more customers with “similar irregularities” were reported to Group Internal Audit by the whistleblower. In March and April 2014, there were additional reports from the whistleblower, including concerns about customers structured as Danish limited partnership companies (“K/S companies”). In its Corporate Responsibility report from 2013 (released in February 2014), Danske Bank wrote:
[Whistleblower] [R]eports are passed on to the Group Chief Auditor, the Group General Counsel and the Board of Directors’ Audit Committee for further action. In 2013, four cases were reported through the whistleblower system. They occurred both in and outside Denmark. Three cases that were concluded led to changes in procedures or increased management attention. One case is still under investigation.
In a January letter to the Executive Board, Group Internal Audit confirmed some of the allegations made by the whistleblower. Documents provided by some customers when opening accounts were found to be insufficient. Group Internal Audit also pointed to the potential risk of a customer having been “tipped off” (implying that the customers had been colluding with employees at the Estonian branch). More generally, it was noted that “ongoing monitoring” was performed manually by account managers, who were responsible for so many customers that it was “in fact impossible to perform the monitoring in an effective and efficient way.” It was added that “[b]ased on the work performed, we have not identified areas that need immediate reporting to the FSA.”
In early February 2014, Group Internal Audit conducted an on-site audit at the Estonian branch. Auditors were provided with the OFZ memo on intermediaries from October 2013. On February 5, 2014, Group Internal Audit presented its draft conclusions in an email forwarded to two members of the Executive Board and in turn shared with other members, including the CEO. It was stated that: “we cannot identify actual source of funds or beneficial owners” and that an employee with the branch had “confirmed verbally (in the presence of all 3 auditors …) that the reason underlying beneficial owners are not identified is that it could cause problems for clients if Russian authorities requests information.” Moreover, it was stated that “[t]he branch has entered into highly profitable agreements with a range of Russian intermediaries where underlying clients are unknown.” As part of the overall conclusions, Group Internal Audit recommended “a full independent review of all non-resident customers.”
When informed of Group Internal Audit’s findings via email, the CEO responded: “Noted. Here you should consider an immediate stop of all new business and a controlled winding-down of all existing business.”
A working group was established to address the findings of the February audit report. The working group consisted of two members of the Executive Board as well as members from Business Banking, Baltic Banking, Group Compliance & AML and Group Internal Audit. At its first meeting on 7 February 2014, the working group defined six action points:
“Close for all new off-shore customers, pending an independent review of the business area
Close all business with intermediaries immediately
Draft terms for an external second opinion on the adequacy of and compliance with the KYC procedures and systems in Estonia
Review identified files
Consider any HR actions to be taken
Clarify responsibility for escalation of whistle blower findings to relevant FSA – or other authority”
These action points were dealt with in subsequent meetings.
Following up on its audits letters from January and February, Group Internal Audit issued an audit report on March 10, 2014 that addressed the Estonian branch’s non-resident customers (this report was shared with the Estonian branch). The report assigned the worst possible rating of “Action needed” and noted that “[t]he Branch’s portfolio of nonresident customers has to be reviewed and information on the commercial rationale for the customers structuring their business within LLP layers as well as on the ultimate beneficial owners of the trading entities underlying the LLPs have to be sufficiently documented in the Bank systems”
The working group instructed Group Compliance & AML to engage an external consultancy to evaluate internal AML procedures and controls at the Estonian branch. The consultancy provided a draft report on March 31, 2014, and a final report on April 16, 2014, both of which were sent to Group Compliance & AML and shared with some members of the Executive Board. In connection with its draft report, the consultancy wrote that “[b]ased on our experience in conducting such engagements, you do not have as many low impact issues as some of your peers, but your critical gaps (e.g. regarding risk assignment, transaction monitoring, level of CDD [Customer Due Diligence] applied) are greater than we’ve seen in other banks in the region.” In response to a question on whether there had been breaches of AML regulation, the consultancy confined itself to general remarks and a statement to the effect that “[c]ertain specific local legislation gaps do however exist.”
In the final report, the external consultancy found that procedures for accepting new clients and opening new accounts for non-resident customers were overall followed. However, the report also noted shortcomings in relation to unclear instructions for account agreements and KYC questionnaires, as well as insufficient monitoring of transactions. The report identified 17 “control deficiencies” that all were assessed as critical or significant. The Estonian branch worked throughout 2014 to close these gaps.
In April 2014, the Estonian branch initiated a new review into corporate customers in the Non-Resident Portfolio. The review was overseen by Baltic Banking and the newly established Group business unit, International Banking. As part of this review, relationship managers with the branch completed separate memos for each of the nonresident business customers for whom they were responsible. The memos were reviewed by a committee at the branch in which members of branch management took part. It was for the committee to decide whether customer relationships were allowed to be carried on or should be terminated.
Information about the Estonian branch and the whistleblower case was presented to the Executive Board and the Board of Directors at their April meetings. The Executive Board was given a presentation by a fellow member titled “Status Danske Bank Estonia Branch.” The presentation, which had been prepared by employees within Business Banking, contained three slides titled: “Timeline for Whistleblower Case and Audit Reports.” The slides listed some of the whistleblower allegations as well as findings by Group Internal Audit and the external consultancy. According to minutes of the meeting, the Executive Board was told that “the appropriate steps were being taken to continue dealing with the matter in accordance with the Group’s whistle blowing policy, as well as all the applicable local regulations and supervisory rules.” The Executive Board was informed of the ongoing customer review, which would include an assessment of “how the business could be exited in an appropriate fashion.” During the meeting, the CEO instructed Group Compliance & AML to prepare a new plan for AML in the Baltics, which was eventually approved on August 1, 2014.
At the end of April, the Audit Committee reviewed the draft status report for Q1 2014 prepared by Group Internal Audit. During the meeting, Group Internal Audit informed the committee that “the local internal auditor was under surveillance” and that “[t]he Bank’s best practice [at Group level] was different from the local Estonian practice, and the local internal auditor had not followed the procedures as he should have.” The next day, the Board of Directors discussed the whistleblower case, the steps taken to investigate the matter, and the initiatives taken and planned to strengthen processes and controls with respect to AML and KYC in the Baltics. The Whistleblower’s actual reports were not shared with the board.
In the spring and early summer of 2014, different work streams were formed to address the whistleblower’s findings. Group Legal proposed hiring an external consultancy to conduct an “[i]n inquiry into allegations of misconduct” on the basis of the whistleblower and to review “critical information on a number of irregularities involving senior members of staff.” This proposal was rejected by two members of the Executive Board. As an alternative, Group Legal asked Group Compliance & AML to “take on the task of bringing this whistleblower matter to an end.” However, Group Legal provided Group Compliance & AML the whistleblower allegations in very broad terms and left out some allegations entirely, including allegations of internal collusion.
After reviewing the whistleblower allegations, Group Compliance & AML sent a list containing “facts and mitigation actions” and a “conclusion” for each allegation. Upon submitting this list to Group Legal, Group Internal Audit, and two members of the Executive Board, Group Compliance & AML indicated “no more action will be done due to the specific allegations” and they would be following “the progress of the suggested actions.” As for the five whistleblower allegations which had been verified to be true, reference was made to the AML Action Plan for the Baltics. Regarding the two whistleblower allegations in the process of being verified, reference was made to Group Legal. Finally, as for seven whistleblower allegations not verified or only partly verified, very little action was identified. After this, there was no additional investigation into the whistleblower allegations.
In early July, Group Internal Audit followed up on its Estonian branch audit from February.
Regarding non-resident customers onboarded since March 1, 2014, Group Internal Audit had “no major comments to the quality of the due diligence requirements applied and completeness of the documentation collected and filed by the area.” However, Group Internal Audit made critical comments on the ongoing customer review based on a sample of eight customers, which had all been reviewed and confirmed by the branch. Around the same time, in response to an inquiry from Group Internal Audit, Business Banking noted that “[t]he allegations made by the whistleblower have all been investigated.”
In May 2014, Business Banking reviewed the preliminary findings of a Baltic Banking strategy review with the Executive Board. The presentation noted that “[t]he current performance will be difficult to maintain and there are a number of challenges going forward,” including “limited future appetite for non-resident business.” In the presentation, AML requirements were overall seen as a threat. A separate slide titled “Significant change in appetite for non-resident business will reduce net profit for the Baltic operation” provided information on the Non-Resident Portfolio, noting that it contributed “90% of the profit before tax for Estonia.” The presentation also recommended a strategy which involved “a reposition towards a Corporate Baltic bank with focus on Nordic customers,” including “[g]radually run-off of Non-resident business.” A revised version of the presentation was delivered to the Board of Directors on June 26, where it was noted that there was “limited future appetite for non-resident business,” and repositioning remained the recommended strategy. According to the meeting minutes, the:
[CEO] emphasized that the Baltic countries are important for many of the Bank’s Nordic corporate clients and particularly the Finnish customers. Further, [CEO] found it unwise to speed up an exit strategy as this might significantly impact any sales price. Lastly, [CEO] and [name] explained the development of the Baltic countries. The preferred option would be to support Nordic corporate clients, but a closer review of the business case needed to be undertaken, concluded [CEO].
The Board Chairman concluded the meeting by noting that “the Board was supportive of the proposed repositioning towards a corporate bank,” but that “all exit options in respect of the non-resident and retail business, including a potential three-way merger, should be further explored prior to making a decision.”
At their meeting on October 28, the Board of Directors debated the repositioning strategy for the Estonian branch as well as a possible sale of the Non-Resident Portfolio. According to the meeting minutes, the Board resolved that “management should continue to consider all strategy options, including a sale, and revert to the Board with a recommendation at the Board meeting in January 2015 at the latest.”
In September, the EFSA delivered their summary findings from a branch AML exam conducted in June and July. Their summary, which was shared with several Executive Board members, found that “Danske Bank systematically established business relationships with persons in whose activities it is possible to see the simplest and most common suspicious circumstances.” A number of details were given, which led to the observation that “[w]e have therefore systematically identified situations during our on-site inspection where Danske Bank’s system for monitoring transactions and persons is effectively not working.” In the draft report, the EFSA voiced its suspicion that at the branch, “economic interests prevail over the obligation to apply enhanced due diligence measures.”
Group Legal shared the English summary of the draft inspection report with Group Compliance & AML. While the Executive Board was never supplied a copy of the EFSA’s draft inspection report, its findings were discussed at an Executive Board meeting on October 7. From the meeting minutes:
The Bank has recently received a drafted report from the Estonian FSA where they point out significant challenges regarding non-resident customers. According to [name] there was no cause for panic as the findings have been addressed in the ongoing process improvement. [Name] will travel to Estonia and assist the Estonian organisation.
At their October meeting, the Audit Committee was informed that the EFSA’s draft inspection report included “rather harsh language from the Estonian FSA” and that “[a]ll observations have been thoroughly reviewed by the local compliance and legal teams in Estonia as well as by Group Legal together with external Estonian legal counsel.”
In December, the EFSA released their final inspection report, which included more specific findings but otherwise echoed the draft report’s finding of significant weaknesses in the branch’s AML procedures. Group legal provided the DFSA with information from the report, but not the actual report.
Neither the Audit Committee nor the full Board of Directors received a copy of the EFSA’s draft, or final, inspection report.
In December, Baltic Banking approved a new policy for the Non-Resident Portfolio. The policy emphasized that “[w]hen establishing customer relationship and opening an account the bank must make sure that the customer has legitimate business reasons to operate in Baltic countries or neighboring region.” In relation to customer onboarding and understanding the business model of the customer, the source of funds would also have to be identified. As for existing customers, it was now stated that “[s]trategically the bank foresees winding down relationships by end of second quarter 2015.”