Danske Bank’s Risk Management at the time of the Sampo Bank Acquisition
The source of Danske’s current problem lies in the Estonian branch’s Non-Resident Portfolio. The Non-Resident Portfolio refers to the former pool of non-resident customers managed within the Estonian branch by a designated group of employees (relationship managers and others). Customers in the Non-Resident Portfolio were both private persons and corporate entities and the services offered to these customers include payments and other transactions in various currencies, foreign exchange lines (“FX lines”) and bond and securities trading (only very limited credit facilities were offered to customers in the Non-Resident Portfolio).
When Danske’s acquisition of Sampo Bank took effect on February 1, 2007, the International Banking department within the Estonian branch managed the Non-Resident Portfolio. In May 2007, this department was integrated into the Private Banking Department within the Personal and Retail Banking division, which handled both resident and non-resident customers. However, Danske Bank had no way of knowing how many customers constituted the Non-Resident Portfolio because no customer lists were kept until 2013.
At the time of the acquisition, it was clear that the Estonian financial system was growing increasingly reliant on non-resident customers. According to publicly available data from Estonia’s central bank, total non-resident deposits in Estonian banks was EUR 284.5 million at the start of 2000. By year-end 2007, this figure had grown to EUR 1.59 billion and would eventually peak at EUR 2.95 billion on June 30, 2015.
Sampo Pank continued to operate as a standalone subsidiary following the acquisition and in June 2008, became a branch of Danske Bank (its name was officially changed to Danske Bank in November 2012). The Estonian branch had its own Executive Committee and the Branch manager reported directly to the head of Baltic Banking. From 2007 to 2009, the head of Baltic Banking reported directly to Danske Bank’s CEO. In addition, there was a joint board of directors for the Baltic entities, the Baltic Advisory Board (earlier named the Baltic Supervisory Board) with members from Group, as well as a Baltic Executive Committee.
Danske Bank employs a standard “three-lines-of-defense” model for risk management. The first line of defense consists of risk management exercised by the business areas. They enter the necessary registrations about customers that are used in risk management tools and models, and they maintain and follow up on customer relationships. Each business area is responsible for preparing carefully drafted documentation before business transactions are undertaken and for properly recording the transaction. Each business area is also required to update information on customer relations and other issues as may be necessary. The business areas must make sure that all risk exposure complies with approved risk policies as well as the Group’s other guidelines. Historically, the business areas have exclusively focused on credit risk.
The second line of defense is performed by the risk, compliance, and AML functions, which oversee, monitor, and challenge the risk exposures of the Bank’s business units and are responsible for implementation of efficient risk management and compliance procedures. However, at the time of the Sampo Bank acquisition, these functions were scattered across various departments. For instance, Group Credits had overall responsibility for the credit process in all of the Group’s business areas. This included the responsibility for developing rating and scoring models and for applying them in day-to-day credit processing in the local units. Group Finance oversaw the Group’s financial reporting and strategic business analysis, including the performance and analytic tools used by the business units. The department was also in charge of the Group’s investor relations, corporate governance, capital structure, M&A, and relations with rating agencies. Risk Management was also part of Group Finance. As the Group’s risk monitoring unit, Risk Management had overall responsibility for the Group’s implementation of the rules of the Capital Requirements Directive (CRD), risk models, and risk analysis.
Finally, the third line of defense lies with functions that provide independent assurance and assessments (above all, Group Internal Audit).
 Eesti Pank, Statistical indicators,