Out of the several money laundering cases in recent years, two of the most disturbing were those of Danske Bank and Swedbank, mainly because they were headquartered in Nordic countries where such cases were rare. Moreover, these countries are known for high standards of living, and very low levels of crime and corruption.
There are similarities in both the cases in that they involved money laundering in their subsidiaries in the Baltic countries, especially, Estonia, Latvia, and Lithuania. The weaknesses in governance and controls were similar. And both likely involved being linked to what was called the Russian Laundromat, the Azerbaijani Laundromat, customers linked to the Panama Papers and Mossack Fonseca, customers that corresponded to entities subject to Magnitsky-related allegations by Hermitage Capital Management, apart from customers identifed as linked to proxy networks with reputational risk issues, or with connections to certain oligarchs or PEPs.
As soon as the first report on the scandal came on TV, the Swedbank appointed Clifford Chance to investigate the allegations and more broadly into Swedbank’s money laundering risks.
Clifford Chance’s report on its investigation was made public in March 2020. A few excerpts, with minor changes, are given below, followed by comments:
Approach/Methodology
Clifford Chance adopted a risk-based approach, focussing on business areas and time periods in which the most significant issues have been identified.
AML Controls
Clifford Chance did not conclude that Swedbank engaged in money laundering or processed customer transactions that constituted the proceeds of crime. Among other things, this would require defnitive knowledge of a customer’s source of funds, which was not available.
The investigation revealed that Swedbank ” had inadequate systems and controls to ensure proper management of the AML and economic sanctions risk of its customer base, which, therefore, historically exposed Swedbank and the Baltic Subsidiaries to signifcant AML and sanctions risk.”
Swedbank Estonia and Swedbank Latvia actively pursued these high risk customers as a business strategy.
In Swedbank Estonia, the Committee for onboarding new customers “approved high risk customers without having complete documentation regarding the ultimate benefcial owners (“UBOs”), proof of source of funds or explanation of the legitimate business purpose of the customers, and did not address red flags that arose from the information that was provided. Some of the companies
had complex and opaque ownership structures involving off-shore entities organized in low tax jurisdictions, as well as ownership through foreign trusts and similar vehicles for which the UBOs were diffcult to verify. Swedbank Estonia also accepted customers despite awareness amongst employees, including relationship managers (“RMs”), that the listed benefcial owners were not the actual UBOs, and in situations in which the prospective customer refused to provide verifable benefcial ownership information.”
In addition, at Swedbank Estonia, employees involved in the HRNR business kept certain information regarding the UBOs for some customers outside of Swedbank’s regular customer databases and retained the information in hard copy in a safe or locked drawer to assuage the customer’s concern that the true UBOs may become known to third parties. Swedbank Estonia employees also accepted customer corporate structures knowing that they were designed to conceal the true UBOs from home country tax authorities. Lastly, Swedbank Estonia employees also repeatedly overlooked or disregarded indications of potentially suspicious transactions. Some of these practices were also identifed in the other Baltic Subsidiaries. The AML defciencies were not limited to the Baltic Subsidiaries, as certain of the high risk customers that banked primarily in the Baltics also were permitted to open and to maintain accounts with Swedbank LC&I and Swedish Banking.
Governance
The report identified several governance failings. Swedbank senior management historically had failed to establish clear lines of AML-related responsibilities, particularly as between the business (the frst line of defense) and Compliance (the second line of defense), or to ensure methods of challenge by the second line over the AMLrelated functions appointed to the frst line of defense. In addition, throughout the Investigation Period, the Swedbank CEOs appeared to lack an adequate appreciation for the severe risk posed to the institution by the HRNR business in Baltic Banking, given the consistently ineffective AML controls. This lack of appreciation for the degree of risk was evidenced by the Bank’s failure to adopt a Group-level AML risk appetite statement until 2017, or to take steps to ensure consistency of approach to risk rating customers across business lines
The Investigation also found that because senior management failed to appreciate the degree of legal and reputational risk to Swedbank, it did not always engage with the Board in a manner consistent with the importance of these issues. For example, throughout the Investigation Period GIA repeatedly identifed and reported serious AML control defciencies which were raised to the Audit Committee of the Board and often summarized to the full Board, particularly during the period from 2016 through early 2019. The messaging on balance by the CEO and other senior executives to the Board during this period was that while there were problems, they were under control.
Similarly, during this period, the Group Compliance function internally and with the assistance of outside experts such as the law frm Erling Grimstad AS (“Grimstad AS”), had identifed serious AML control defciencies and potentially serious legal risk to Swedbank arising from those defciencies. In some cases, the more serious fndings were not escalated in a timely manner to the Board, shared with GIA, or shared with the management of the relevant Baltic subsidiary.
Swedbank did not always take an actively transparent posture with regulators regarding AML-related issues, de-emphasized negative information and occasionally employed a narrow or literal reading of certain requests.
Public disclosures
Clifford Chance examined public statements made by Swedbank executives and concluded that certain statements made during October 2018 and February 2019 by Swedbank and its executives concerning Swedbank’s historical AML compliance, then current AML compliance, and exposure to certain types of AML risk, were inaccurate or presented without suffcient context.
Accountability
The Investigation determined that the three former CEOs who served during the Investigation Period, the Board and certain employees all contributed to a greater or lesser degree to Swedbank’s failure to recognize and manage the signifcant legal and reputational risk to Swedbank posed by its HRNR portfolio in the Baltic Subsidiaries.
Investigation found that the CEO who served from 2009 through 2016 failed to focus on AML defciencies in the Baltic Subsidiaries during this time despite recurring GIA reports indicating such defciencies, and notwithstanding an SFSA inspection that found signifcant AML defciencies in LC&I and Swedish Banking.
With respect to the CEO who served from 2016 through 2019, the Investigation
concluded that the CEO’s tenure included signifcant steps to de-risk the HRNR
business in the Baltic Subsidiaries and to launch internal investigations of potential AML exposure in response to media reports of money laundering scandals, regulator requests and other indicators. However, the CEO did not direct suffcient resources, attention, or urgency to the remediation of the issues identifed, and did not ensure that information regarding these issues was shared between relevant Swedbank control functions or with the Management Boards of the relevant Baltic Subsidiaries. Nor did this CEO ensure that the Board was adequately educated or apprised of the signifcant legal and reputational risk that these AML defciencies, in light of the historical high risk
customer base in the Baltic Subsidiaries, presented to Swedbank.
Investigation determined that while the Board was not apprised of the full extent of the legal and reputational risk posed by the AML issues in the
Baltics, the Board was informed through regular GIA reports of recurring problems in AML controls, including in the Baltic Subsidiaries. Interviews of Board members indicated that the Board generally understood, based on statements from Swedbank’s management, that these matters were under control. Although the minutes of the Audit Committee do reflect relevant discussions of these issues, the full Board record does not reflect signifcant challenge by the Board to management on the AML issues that were presented to them.
Investigation also identifed a number of employees whose actions and/or
inaction caused or contributed to the perpetuation of the AML problems in the Baltic Subsidiaries. These employees ranged from senior managers at Swedbank and the Baltic Subsidiaries, to relationship managers who serviced some of the most problematic HRNR clients, and included members of the customer approval committee in Swedbank Estonia who approved account openings despite apparent red flags. Clifford Chance shared facts regarding these employees with Swedbank over the course of the Investigation, and Swedbank consequently ended the employment of a number of then-current employees.
Remediation
“Since the Investigation began in early 2019, Swedbank has appointed a new CEO and a mostly new management team, including a new Chief Compliance Offcer (“CCO”) and CEO of Swedbank Estonia, and has taken other employment actions dictated in large part by fndings in the Investigation. Moreover, Swedbank has a new Board Chair, and the Board now is comprised of mostly new members.
Under this new leadership team, Swedbank has focused on transforming its approach to AML and counter-terrorist fnancing (“CTF”) and sanctions policies and procedures, creating new roles, appointing new personnel, increasing resources, revising and strengthening policies and procedures and taking steps to continue the process of derisking its customer portfolio including in the Baltic Subsidiaries.
“As part of these ongoing de-risking and remediation efforts, and with input from Clifford Chance, Swedbank and its Baltic Subsidiaries have (a) embarked on a much more comprehensive approach and remediation plan to address and to strengthen the AML/CTF and sanctions frameworks; (b) undertaken a review of Swedbank’s corporate governance; (c) engaged external consultants to assist in remediation efforts; (d) increased AML/CTF resources; and (e) continued to off-board customers who do not meet Swedbank’s risk appetite.
“In addition, Swedbank is planning to engage a consultant to assess the current state of Swedbank’s AML/CTF policies, procedures, systems and controls, including their implementation. The consultant will identify any existing gaps against regulatory requirements and industry best practices, help Swedbank address those gaps and conduct assessments to ensure that gaps have been fxed.”
Comments
The report has not brought out actual money laundering as they will have to investigate for that the actual source of income. But, it has found all round weaknesses in governance and AML controls, which are similar to that of the Danske Bank experience in Estonia. There are also echoes of the HSBC case of 2012, where acquisition of subsidiaries without ensuring a cultural fit was mainly responsible for money laundering cases. There are similar weaknesses here also. Among others are giving controls the go by, not taking auditors seriously, and so on.
Sweden’s financial supervisory authority, known as Finansinspektionen, imposed a penalty of around 4 billion Swedish kronor, the equivalent of USD 397 million, in March 2020. The lesson from the case is that one does not have to wait for actual money laundering charges to be proved, as this is often difficult when cross-border transactions. Proof of deep and persisting AML control weaknesses that were allowed to fester despite warnings from auditors is enough for imposition of severe penalties, and should serve as an incentive to initiate corrective action.
© G Sreekumar 2021
For periodical updates on all my blog posts, subscribe for free at the link below:
https://gsreekumar.substack.com/