Danske Bank is the largest bank in Denmark and one of the largest in the Nordic region, with a presence in 15 countries, mostly in Northern Europe. In 2018, the bank serviced some three million customers, mostly personal, i.e., retail, but also business customers (Danske Annual, 2018). Danske Bank is regulated by the Danish Financial Supervisory Authority (DFSA) and considered to be one of six systemically important financial institutions in Denmark, and hence “deemed essential to the financial system”.

In 2017, Danske Bank posted gross income of some DKK 76 billion (Net Income DKK 48 billion (approx. Eur 6.3 billion)). Over 93% of gross income was generated in the Nordic countries (Denmark, Sweden, Finland and Norway). Another 4% of gross income was generated in the UK (Northern Ireland), where Danske had previously acquired the Northern Bank and the National Irish Bank (which has Danske-branded branches in Ireland). Of particular note here is that Baltic branches (i.e., Estonia, Latvia and Lithuania) contributed only 0.5% of gross income (Danske Bank, 2018a).

As with many large international banks, the Danske Board organised its risk functions in the so-called ‘Three Lines of Defence’ model (Danske Bank, 2018a):

“The first line of defence is the business itself, which must ensure correct, legal and expedient operations. The second line of defence is a risk management function that is to identify and mitigate risks and a compliance function that is to check compliance with rules. Finally, the third line of defence is the internal audit department, which monitors whether the first and second lines of defence identify the problems. Management [and the Board] receives reporting from the three lines of defence on an ongoing basis.”

Given the prevalence of this ‘lines of defence’ model in modern banking, it is disconcerting to find that “all lines of defence failed” (Danske Bank, 2018a).

In November 2006, Danske Bank announced its acquisition of Finnish-based Sampo Pank and completed the acquisition in February 2007 (Danske Bank, 2018a). Later, in 2008, Sampo Pank in Estonia was formally turned into a branch of Danske Bank.

During the 1990s, there had been “strong economic ties between the Baltic countries and Russia” (Danske Bank, 2018a), and as a result, the Estonian branch had built up a sizeable portfolio of customers who resided outside Estonia, the so-called ‘Non-Resident Portfolio’. This portfolio, which over time numbered roughly some 10,000 firms and individuals, was dominated by customers from “the Russian Federation and the larger Commonwealth of Independent States (“CIS”), including countries such as Azerbaijan and Ukraine” (Danske Bank, 2018a).

Organisationally, the Non-Resident Portfolio, consisting of some 3000 to 4000 customers at any one time, was managed by a separate unit, called the International Banking Division (IBD). Until the end of 2015, when it was closed and the Non-Resident Portfolio terminated, this division held a significant share of this overseas business in the local banking system (Danske Bank, 2018a):

“By the end of 2013, the Non-Resident Portfolio within Danske Bank’s Estonian branch held 44 per cent of the total deposits from non-resident customers in Estonian banks (up from 27 per cent in 2007) and nine per cent of the total deposits from non-resident customers in Baltic banks (up from five per cent in 2007)”

The International Banking Division was profitable (Danske Bank, 2018a):

“The [Estonian] branch had high earnings on Russian and other non-Baltic customers (non-resident customers), whose total volume of payments through the branch was very considerable. For example, 35% of the profit in the branch in 2012 was generated by Russian customers, who made up 8% of the customer base. …

Up until June 2013, employees at the bank had considered initiating similar businesses with non-resident customers in the branch in Lithuania, but the Executive Board rejected these plans.

At this point, it is important to note that payment income dominated IBD profitability (Danske Bank, 2018a):

“As regards the Non-Resident Portfolio, the branch took no credit risks of any significance. For the same reason, little capital was allocated to the Non-Resident Portfolio [Original Emphasis]”

This meant that, provided operational risks were being managed, the Non-Resident Portfolio was an almost perfect banking business, with little or no credit risk, and significant fee income, especially from Foreign Exchange (FX) and Payments transactions. As there is ‘no such thing as a free lunch’, such excessive profits should have raised red flags for business, risk and audit managers but appeared not to have done so.

The problem with this financial ‘golden goose’ (McConnell, 2013) was that operational risks, in particular money laundering risks, were not being managed properly, and there was a disaster waiting to happen.

Before considering the Danske case in detail, it is worth describing the business environment in which misconduct first emerged and then thrived. The term ‘Russian Laundromat’ has passed into popular folklore to describe various schemes used by rich people to launder money from Russia and other ex-Soviet republics (especially, in this context, Azerbaijan and Moldova) to the UK and other western countries, often via tax havens.

In 2014, the Organized Crime and Corruption Reporting Project (OCCRP), a non-profit media organisation providing an “investigative reporting platform”, produced a report titled the “Russian Laundromat” (OCCRP, 2014) which claimed:

“Between 2010 and early 2014, organized criminals and corrupt politicians in Russia moved US$ 20 billion in dirty funds through this laundromat’s complex cleanse-and-spin cycle made up of dozens of offshore companies, banks, fake loans, and proxy agents. The process was then certified as clean by judges in the tiny Republic of Moldova. The newly cleaned funds were then spread across Europe.”

In 2017, the OCCRP followed up on this initial report with another which gave details of how the ‘Laundromat’ worked and the people and businesses involved (OCCRP, 2017):

“Money entered the Laundromat via a set of shell companies in Russia that exist only on paper and whose ownership cannot be traced. Some of the funds may have been diverted from the Russian treasury through fraud, rigging of state contracts, or customs and tax evasion. … At the other end of the Laundromat, money flowed out for luxuries, for rock bands touring Russia, and on a small Polish non-governmental organization that pushed Russia’s agenda in the European Union.”

The Laundromat scheme was “ingenious” (OCCRP, 2017):

“Organizers created a core of 21 companies based in the United Kingdom (UK), Cyprus and New Zealand and run by hidden owners. A number of Russian companies then used these companies to move their money out of Russia. … All of the core-group companies appeared to be owned by proxies standing in for hidden owners. Even directors and shareholders of the companies were fake”.

And the criminals often used ‘fake debt’ to allow money to be moved from Russia (OCCRP, 2017):

“To get the money out, the scheme’s organizers devised a clever misdirection. They created a fake debt among some of these core shell companies and then got a Moldovan judge to order the Russian company seeking to launder funds to pay that [fake] debt to a court-controlled account”.

Having ‘cleaned’ the money through Moldova, it was a small step to release the money into the international financial system, through respected international banks, such as Danske Bank (OCCRP, 2017):

“Between 2011 and 2014, the 21 shell companies fired out 26,746 payments from their various [Moldovan bank] accounts. The payments went to 96 countries, passing almost without obstacle into some of the world’s biggest banks. … Finally, payments of laundered money slid easily into the world’s biggest international banks. [Emphasis added]”

The OCCRP (2017) report showed for the first time that Danske Bank was one of the leading conduits for the flow of illicit funds—but other banks were also involved, including other Nordic banks:

“The Laundromat illustrates that the world’s banking system has been impotent, unable to stanch massive flows of illicit money.”

After Danske Bank had been forced to launch its own investigation in 2017, the OCCRP (2018) reported on the flow of illicit funds through the Estonian branch.

Both Danish and Estonian banking industries are covered by European Union (EU) law, in this case (Danske Bank, 2018a):

“EU Directive 2005/60 (“Third AML Directive”) was implemented into Estonian law on 28 January 2008 in the form of the Money Laundering and Terrorist Financing Prevention Act (“MLTFPA”)”

Under this comprehensive directive, financial institutions in the EU are required to (Danske Bank, 2018a): (1)

Perform “customer due diligence” or ‘Know Your Customer; when establishing a business relationship with a customer, including “an obligation to establish the customer’s identity (and, where applicable, the beneficial owner) and to obtain information on the purpose and intended nature of the business relationship”;

Obviously, to fully comply with the EU AML Directive, a financial institution would have to create and properly staff the organisations needed to perform and monitor all transactions for potential AML activity and to train their staff in doing so. In addition, a financial institution would have to develop the IT systems necessary to identify (and track) potential Suspicious Activity Reports (SARs). This is a non-trivial undertaking for any financial institution, especially an international bank.

While the Estonian branch did make a large number of SARs to the FIU (Danske Bank, 2018a), the information was neither comprehensive nor complete, as described in the following sections.

Figure 1 (here called the Danske Laundromat) summarises the flow of money through Danske Bank that had given rise to the scandal (from top right to bottom left).

As noted above, after the acquisition of Sampo Pank, the Sampo branch in Tallinn, Estonia, serviced a large number of ‘Non-Resident’ customers residing in ex-Soviet Union countries including Russia, Azerbaijan and Moldova. Periodically, those customers would transmit money to their accounts in the Danske Estonian branch and then send instructions to make transfers to individuals and businesses overseas (Danske Bank, 2018a).

Typically, the transfer instructions from Non-Residents would be merged with instructions from Estonian customers and passed onto the Danske Bank headquarters in Copenhagen. Here, the transfers would be merged with additional instructions from Danish and other European customers and passed onto partner, so-called ‘correspondent’, banks (McAndrews, 2010) for delivery to the bank accounts of the final recipients, often businesses registered in London, Paris or New York.

However, what if the businesses were not real but in fact merely ‘front’ companies created to pay and/or receive money, i.e., to money launder?

In some cases, when the money was paid by a fake ‘front company’ in, say, London, that business would pass the payment (minus a significant fee) along to accounts in tax havens, such as Cyprus or the British Virgin Islands, where, suitably cleansed, the funds would disappear into the global financial system—and with automation through the SWIFT network, the full set of transfers through the different ‘hops’ could be executed ‘end-to-end’ in hours, even minutes.

It should be noted that almost all of the payments made through these different ‘hops’ would be totally automated, especially if a Non-Resident customer (even if located outside of the ex-Soviet Union) had used an Internet-banking connection to Danske Bank. This means that staff would have little or no opportunity to catch an invalid transmission as it flows through the system, unless there is an automated AML system for reviewing all transfers and diverting those that look ‘suspicious’ for further investigation. In addition, good AML practice would also investigate all transfers on a daily, weekly and monthly basis looking for suspicious transactions, patterns and trends. Of course, this can only be done using appropriate computer software that is developed, tested, operated and monitored for compliance according to company policies and regulatory rules.

At this point, it should be recognised that collecting information about the sources and uses of illicit funds is very difficult, as banks, such as Danske, only see part of the overall picture and hence are often unable to verify key information, such as the ultimate owner of a company in a different jurisdiction.

Many international transfers will originate from business customers on a regular basis. For example, an automobile dealer in Russia or Moldova will pay for shipments of vehicles on a regular basis, often using a third-party broker in the West. Thus, assuming that the automobile dealer and third-party broker are bona fide businesses, there would be little need to flag any transfer as suspicious. It would be extremely difficult, for example, to detect if one or more of such payments were suspicious.

However, detailed investigation is not what banks are required to do. Under AML legislation, they are required to file a Suspicious Activity Report (SAR) with the appropriate financial intelligence agency—in this case, the Estonian Financial Intelligence Unit (EFIU).

The failure to comprehensively identify suspicious behaviour was highlighted in the analysis of the Non-Resident Portfolio (Danske Bank, 2018a):

“The SARs filed on the approximately 10,000 customers in the Non-Resident Portfolio accounted for approximately 13 per cent of the total number of SARs filed in the period. [but …] the Non-Resident Portfolio accounted for approximately 30 per cent of the total number of FIU inquiries received by the branch in the period from 2007 through 2015. Only few of the customers examined have been deemed not suspicious, that is without suspicious characteristics and not having been involved in payments deemed suspicious. [Emphasis added]”

In short, almost all activity in the Non-Resident Portfolio, inherited from Sampo Pank and expanded by Danske Bank, should have been considered ‘suspicious’ but was not.

Turner (1976) identifies two distinct stages that bring a disaster to the public’s attention: the “precipitating event”, which grabs the attention of the public; and the “onset”, or immediate consequences of the event.

In September 2018, the Board of Danske released a report of an inquiry into the ‘Non-Resident Portfolio at Danske Bank’s Estonian branch’, undertaken by an independent legal firm, Bruun & Hjejle (Danske Bank, 2018a). The Board had initiated this inquiry after public and regulatory pressure following publication of details of the Russian Laundromat (OCCRP, 2017).

In a conference call to publish the report, Chairman of the Board of Directors Ole Andersen highlighted the severity of the inquiry’s findings (Danske Bank, 2018c):

“Finally, our investigation shows that the bank has failed to live up to its obligations and responsibility. We, of course, take this very seriously and we regret these events deeply. They do not reflect the kind of bank that we want to be and we’ll do everything we can to learn from these events going forward, so that something like this can never happen again”.

The remainder of this paper summarises the findings of this and other official reports concerning this scandal.

Turner (1976) identifies a short period after the Precipitating Event, the Onset, during which the “immediate consequences of the collapse of “cultural precautions” become apparent” and in many ways set the scene for what follows.

In the Danske case, the initial reaction was for the CEO, Thomas F. Borgen, to resign, and this was followed pretty quickly by a ‘spill’ of a number of Board positions, including the Chairman and Chair of the Audit Committee. An internal manager, Jacob Aarup-Andersen, who was not directly involved in the scandal, was proposed as the new interim CEO (Danske Bank, 2018d).

Turner (1976) identifies two final stages that are common in an organisational disaster. In the immediate aftermath, there is the “rescue and salvage” of anything of value left from the disaster, and finally, there is the “cultural adjustment”, which attempts to learn lessons from the unhappy events. Again, these stages were apparent in the Danske case.

Shortly after the new interim CEO was installed, Danske announced the bank’s financial results for the first nine months of 2018, which showed a slight fall in operating income compared to the same period in 2017, but in addition, the Board announced that income was down (Danske Bank, 2018b):

“as a result of our decision to donate DKK 1.5 billion, corresponding to the gross income from the Estonian non-resident portfolio, to initiatives aimed at combating financial crime.”

Interestingly, the Board had attempted to wipe the slate clean by taking a substantial hit to its profits, counteracting any charges that the bank had profited from its mistakes.

However, the bank announced that it had become the subject of criminal investigations by US authorities, which lays the ground for further possibly large regulatory fines in the future (McConnell, 2015).

In considering the case, the bank’s main regulator, the Danish Financial Services Authority, considered action under Danish law against staff and management but demurred (DFSA, 2018).

“The Danish FSA has assessed whether there are grounds for bringing actions under the fit and proper rules against the bank’s current members of management and staff. On the available basis, the Danish FSA does not consider that there are sufficient grounds for bringing such actions.”

However, the DFSA noted that (DFSA, 2019):

“In Danske Bank’s Estonian branch, there have been significant violations of the European and Estonian money laundering rules. In December 2018, ten former employees in the branch were arrested in Estonia. By all accounts, for a number of years employees in the Estonian branch actively carried out and covered up the violations both to the bank’s senior management in Copenhagen and to the Estonian Financial Supervisory Authority (EFSA).”

At the time of writing, in late 2019, there are several legal investigations taking place in a number of jurisdictions, and doubtless, further actions will be taken by regulators and other authorities in the future.

Turner (1976) points out that after the dust settles, it is possible to carry out a “more leisurely and less superficial assessment” of the events leading up to a disaster, with the goal of learning lessons from it and ultimately closing the circle by adjusting the erroneous beliefs and norms that lead to the failure.

In the Danske case, this included making significant improvements to its operational risk management (ORM) processes, in particular working on AML (Danske Bank, 2018a).

“The bank has stated that it has increased the number of employees working with AML in the first and second lines of defence from less than 200 to 550 last year and nearly 900 today. Among other things, the bank has also expanded and updated internal AML training, worked to strengthen the compliance culture and made considerable investments in IT in the area.”

Turner (1976) considered the “incubation period” to be of utmost importance when analysing corporate disasters, as it is actions prior to the “onset of the event” that ultimately determine the “scale” of the organisational disaster. During the incubation period, Turner (1976) points out that there is a steady accumulation of events that are at odds with the norms of the organisation but go unnoticed because their importance is not fully appreciated. Turner identifies the “incubation period” as the stage where the “failures of foresight” that lead to the eventual disaster occur and he describes a number of key features, summarised in Table 1 above, which are common to the disasters that he studied.

Describing Turner’s approach, Fitzsimmons and Atkins (2017) noted that:

“Analysing these long incubations, Turner found steady accumulations of tell-tale events that were not acted upon. Some were overlooked or misunderstood for reasons ranging from wrong assumptions to a failure to understand the complexity of the system. Others were ignored because people refused to accept just how bad the consequences could have been if the mishap had not been a ‘near miss’”.

The events that led to the Danske scandal coming to the public’s attention took place over 12 years during a period of enormous changes in the financial system, most notably the Global Financial Crisis (GFC) of 2007/2008, the impact of which has not completely worked its way out of the global financial system in 2019 (McConnell and Blacker, 2011).

During this prolonged period, there were very many events, actions and inactions by Danske Bank directors, management and staff and also external banking regulators and other financial institutions. Table A1 in Appendix A lists a timeline of some of these events and activities, organised by date, which is broken down in the table by seven distinct phases.

The remainder of this section considers some of the more important events that went unnoticed or were given insufficient attention by management. However, at this point, it should be noted that the events described here were selected, from a vast amount of information, by the author as being important. It is not infeasible that another researcher might select different, even contradictory, events when analysing the events from another perspective.

Turner (1976) argues that a disaster or “cultural collapse” takes place because of “some inaccuracy or inadequacy in the accepted norms and beliefs” of a firm or, here, a group of semi-independent branches. Organisational disasters build up gradually over time, and the signs should be apparent to management and regulators. Instead, the warning signs go unnoticed or ignored because of “cultural rigidity” which manifests itself in erroneous assumptions and reluctance to face unpalatable outcomes (Turner, 1976).

In 2006, as it was about to acquire Sampo and its Estonian subsidiary, Danske Bank was very clear in its vision and mission and its strategic positioning (Danske Bank, 2018a).

“Danske Bank Group focuses on conducting conventional banking business in the northern European markets based on state-of-the-art technology. The Group is a leading player in the Nordic markets.”

The Board had developed an overall vision of ‘One platform—exceptional brands’ based on shared technology (Danske Annual, 2006):

“We have developed a solid and scalable platform to support our core business. The platform consists of systems to manage IT, product development, communications, branding, credits, risk, HR development and finances. This platform allows all our units across borders to base their work on the same business model. We continually develop our business model through best practice activities and an active pursuit of new business opportunities. Our ambition is to build and maintain unique brands that respect our core values. [Emphasis added]”.

It was very much a vision of a global organisation directed from the centre in the bank’s headquarters in Copenhagen, Denmark with:

“Group standards for risk management, financial planning and control, credit approval, HR development, compliance and the shared IT platform ensure a well-structured management of all activities.”

While there is nothing intrinsically wrong with such a vision and aspirations, the difficulties of actually implementing common standards across diverse markets and cultures must be recognised. Such a vision is replete with strategic implementation risks (McConnell, 2016).

Turner (1976) points out that all organisations develop a culture that relates the tasks that individuals perform to the goals of the firm and that success stems from the effectiveness of that culture. The other side of this coin, however, is that in attempting to create an all-pervasive culture, managers may well become blind to potential problems outside of the perceived norms. Turner (1976) describes how, in the development of a disaster, important events go “unnoticed or misunderstood because of erroneous assumptions”.

In the case of Danske Bank, an erroneous assumption was that whenever a policy was agreed at board and headquarter level, it would be implemented throughout the bank organisation as ‘one platform’. While such an assumption may have been valid when Danske was based mainly in Denmark and was staffed primarily by Danes, it does not necessarily hold as the bank acquired new staff in countries with different cultures, and existing work practices.

This is not a judgement on non-Nordic countries, but merely that distinct differences in organisational cultures have been observed between countries (Hofstede, 1991). Even without delving too deeply into Hofstede’s six dimensions of national culture, it should be apparent that approaches to organisational compliance would almost certainly differ between a Western European democracy and a country and people still emerging from Soviet dominance. There is no evidence that Danske considered that different approaches to compliance might be needed, if only in communicating policies, in their recently acquired ex-Soviet subsidiaries.

In describing the ‘decoy phenomenon’, Turner (1976) noted that:

“A recurrent feature of the reports analyzed is that in many instances, when some hazard or problem was perceived, action taken to deal with that problem distracted attention from the problems which eventually caused trouble”.

In the case of Danske, there was a huge ‘decoy phenomenon’, that of the Global Financial crisis (GFC), which occurred just a few years into the acquisition of Sampo Pank and, in particular, it was not surprising, given the problems in the Irish economy at the time (Nyberg, 2011), that the bank’s board focussed on its Irish and UK investments. In the great scheme of things, the relatively ‘minor’ operational issues in the Estonian branch would not reach the top of the pile of important problems that needed to be resolved quickly.

Perhaps one of the most surprising findings in the disasters reported by Turner (1976), Gleick (1992) and Augustine (1995) was that often there were clear warnings of potential danger before a disaster occurs. However, warnings from outsiders were routinely dismissed by management with the assumption that the firm knows better than outsiders as to how to run its business.

The same “organizational exclusivity”¹ was apparent within Danske Bank, especially in respect of warnings from external parties: (1)

Warnings from financial regulators;

Banking is an information-intensive industry (McConnell, 2017). Every day, in any large financial institution, such as Danske Bank, millions of pieces of information are captured from banking transactions, such as payments, deposits, mortgage repayments, Foreign Exchange trades and so on. These captured data are stored, processed, aggregated and reported to customers (as statements), regulators (as regulatory repots) and to management as information of many different types (operating volumes, profitability, risks, future liabilities etc.) While the vast majority of this information will be ‘correct’, an unknown proportion will be incorrect—the result of genuine mistakes, delays and even fraud.

Finding these errors, however, is like finding the proverbial needle in a very large haystack, and even harder as the haystack is continually growing and shifting shape. Furthermore, after anomalies are found, selecting the errors in order of importance is also very difficult.

Of course, modern banks use Information Technology (IT) to perform the vast bulk of the job of searching for, and reporting, potential errors. Banking and most other businesses today are driven by ‘exception reporting’ or the highlighting of possible exceptions in a vast mass of data. If IT systems have not been programmed to pick up exceptions, then management and ultimately a board will be making decisions on the basis of incorrect, out-of-date or incomplete information.

As noted earlier, Danske Bank Management were very proud of their ‘One Platform’ strategy (Danske Annual, 2007):

“We have developed a solid and scalable platform to support our core business. The platform consists of systems to manage IT, product development, communications, branding, credits, risk, HR development and finances. This platform allows all our units across borders to base their work on the same business model [Emphasis added]”.

By having a single and shared IT platform across all (or almost all) business units, management information can be produced that is ‘consistent’, providing the basis for identifying exceptions that management needs to address.

In late 2006, announced the acquisition of Sampo Pank and noted (Danske Annual, 2006):

“Danske Bank expects to complete the integration of Sampo Pank’s Finnish activities on its IT platform at Easter 2008. It has not yet been decided when to integrate the still relatively small operations in Estonia, Latvia, Lithuania and Russia.”

It should be noted that the announcement stated “when” not “if” the Estonian branch would be integrated into the ‘One Platform’, and as a measure of whether this was achievable, and indeed what had been achieved, the report added:

“The Group vision of creating “one platform—exceptional brands” was clearly reflected in the successful migration of the systems of National Irish Bank and Northern Bank to the Group’s shared IT platform during Easter 2006.”

However, unlike the situation in the Irish banks, the integration of the Baltic branches of Sampo, especially Estonia, did not go well for reasons that were not expanded upon (Danske Annual, 2008):

“In the third quarter of 2008, on the basis of a cost analysis, the Group decided to discontinue the migration of Banking Activities Baltics to its shared IT platform. But this will not stop future investments in the Baltic banks and their IT departments and local IT systems. The Group will also continue the business integration of the banks and will market Danske Bank products where relevant. [Emphasis added]”.

In other words, the IT systems used to capture and, more importantly, to report to Group management and the Board were not consistent across the bank, giving rise to considerable “difficulties and noise” (Turner, 1976). In particular, in the context of this case, the identification of ‘suspicious’ money laundering transactions was not consistent and indeed may have been downplayed, or even removed, in the alternative Estonian systems.

With hindsight, the decision not to complete the integration of the Baltic branches, ostensibly for cost reasons, cost the bank very dearly.

Turner refers to “strangers” as members of the general public who may behave unpredictably in a disaster. In Turner’s framework, ‘strangers’ may not necessarily contribute directly to the causes of disasters but become part of the ‘noise’ that distracts the attention of the participants and hinders the detection of potential problems. In the Allied Irish Bank (AIB) and National Australia Bank (NAB) cases, McConnell (2003, 2005) identified examples of ‘strangers’ in the banking industry, in particular brokers, who had an impact on those events.

In the Danske case, the ‘strangers’ are obvious—they are the firms and individuals who were classified as the ‘Non-Resident Portfolio’. It was the failure of the bank’s employees and managers to get to ‘Know Your Customers’ (KYC) that led to the scandal and considerable cost to Danske Bank, not only in money but also in reputation.

The number of these strangers is significant, estimated at “approximately 10,000 in the period from 2007 through 2015”, including some customers that were “passive” (Danske Bank, 2018a). At any one time, Danske Bank (2018a) documents that there just under 3900 active customers with customers coming and going from different jurisdictions (even a small number from Estonia itself):

“Over time, the geographical distribution of the customers in the Non-Resident Portfolio changed. In total, customers came from 90 countries based on their registered or recorded residency status (for example, postal address for private persons and country of incorporation for corporate entities), the three main countries being Russia, the UK and the British Virgin Islands.”

It should be noted that changes in the numbers and origins of customers would be expected in a money laundering situation, as criminals attempt to stay ahead of their pursuers—here, the financial crime authorities. Danske Bank (2018a) provides copious statistics on the make-up of the Non-Resident Portfolio over time, and it should also be noted that there were approximately 5000 customers who resided outside of Estonia, such as in other Nordic countries, who were not considered to be part of the Portfolio.

These strangers/customers were very active in making significant payments (Danske Bank, 2018a):

“In the period from 2007 through 2015, the approximately 10,000 customers in the Non-Resident Portfolio had approximately 7.5 million incoming and outgoing payments. …. The flow as converted into EUR was approximately EUR 200 billion.”

It was the failure to comply with AML regulations for many of these payments that created the scandal and cost Danske dearly.

Turner (1976) documents how, prior to many organisational disasters, there was often a “failure to comply with existing regulations”, with those closest to an impending disaster unable to see the looming chaos because of so-called “cultural rigidity”. In this case, the “existing regulations” ignored were those of regulators who had developed rules as to how AML activities should be identified and reported to financial crime authorities.

It should be noted that the term ‘discredited or out-of-date regulations’ refers to the perceptions of management not regulators, as there is no evidence that the various regulators for Danske downplayed the importance of AML as illustrated above when discussing complaints from regulators. The independent report found that (Danske Bank, 2018a):

“AML procedures at the Estonian branch in relation to the Non-Resident Portfolio were manifestly insufficient and inadequate and in breach of international standards as well as Estonian law. This was so even though the non-resident customers were categorised as high risk. [Emphasis added]”

The report listed, in great detail, some very clear examples of non-compliance and failures of due diligence, including clear breaches of AML regulations (Danske Bank, 2018a):

“Lacking knowledge of customers;

There were also serious organizational failings:

“Other shortcomings have been identified, such as the lack of independence between the AML function at the Estonian branch and the business and insufficient training of the staff of the Estonian branch and lack of formal procedures. [Emphasis added]”

Furthermore, in addition to the manifest failures as regards AML compliance, the firm appeared to be in breach of its obligations with the Danish regulator (Danske Bank, 2018a):

“From the end of 2012 to November 2013, Danske Bank did not have a person responsible for AML activities as required by the Danish Anti-Money Laundering Act. The Danish FSA was not notified of this until February 2018 and then as a result of the Danish FSA’s supplementary questions. The Board of Directors and the Executive Board have stated that in practice, the head of Group Compliance & AML, who reported to the bank’s CFO, was the person responsible for AML activities.”

There were also obvious organisational failures that undermined the independence of risk management function particularly in the Estonian branch, making compliance with regulations “ineffective” (Danske Bank, 2018a):

“In addition, the branch’s second and third lines of defence were organised in such a way that in practice, they reported to the branch CEO and thus were not sufficiently independent.”

A common feature of organisational disasters is that those who are closest to the problem “fail to call for help”, which has been attributed to fears of causing unnecessary alarm, psychological denial of the danger or the assertion of the individual’s invulnerability (Turner, 1976). Turner points out that individuals consistently underestimate the scale of the problems that they face because of ambiguity or disagreement about the evidence regarding the danger. He also notes that when the danger becomes impossible to ignore, rather than addressing the causes of the problem, individuals often look to shift the blame to others.

This was apparent in the Danske case, where unpalatable truths were ignored or downplayed (Danske Bank, 2018a):

“For a long time, it was believed within Group that the high risk represented by non-resident customers in the Estonian branch was mitigated by appropriate anti-money laundering (“AML”) procedures.”

As an example, in 2012, in correspondence with the Danish FSA, the AML programme was referred to as “Best in Class” (Danske Bank, 2018a)—and indeed, it may well have been so in most areas of the Danske group, but clearly not in the Estonian branch, and the harsh criticism from regulators, over a significant time, showed:

“AML procedures also became subject to harsh criticism from the FSA in Estonia, and Danske Bank was met with regulatory sanctions from both the Estonian FSA in July 2015 and the Danish FSA in March 2016”.

Danger was routinely minimised in Board reports and minutes (Danske Bank, 2018a):

“The head of Business Banking, who was responsible for the Estonian branch on the Executive Board, informed the Executive Board and Board of Directors of the observations made by GIA and the consultancy firm. The slides he had had prepared for the Board of Directors meetings significantly toned down the AML issues, but the Board of Directors and the Executive Board have stated that it should be taken into account that the slides were neither shared nor used. [And …]

It appears that, despite the mounting evidence, the Board and management did not ‘join the dots’ and did not fully recognise the dangers they were facing (Danske Bank, 2018a):

“The bank’s Board of Directors and Executive Board argue in their reply to the Danish FSA that such a simultaneous breakdown of all three lines of defence is a risk that must be considered to have low probability from a management perspective. [Emphasis added]”

The Board appeared to have blamed this on their workload (Danske Bank, 2018a):

“The Board of Directors and the Executive Board have stated that when assessing the Board of Directors’ and the Executive Board’s work and the volume of written material that the members of the two boards receive, it should be taken into consideration that the branch in Estonia accounts for only a small part of the total business and total risks. [Emphasis added]”

This section looked at each of Turner’s ‘stages’ of a disaster and related the events that occurred over the decade that it took the scandal to emerge to these stages. The next section looks at the risks that emerged but were not managed properly.

A member of the US Federal Reserve Board, Randall Kroszner (2008) noted that financial firms do not always recognise and manage risks to their corporate strategy:

“An effective overall corporate strategy combines a set of activities a firm plans to undertake with an adequate assessment of the risks included in those activities. Unfortunately, many firms have forgotten the second part of that definition. In other words, there can be no real strategic management in financial services without risk management [Emphasis added].”

As with the term ‘strategy’, there is no generally agreed definition of ‘strategic risk’ nor of Strategic Risk Management (SRM). MacLennan (2010) points out:

“It is relatively recently that strategic risk management has emerged as a distinct concern. Recognition that isolated risk management in specific areas is inadequate and that many risks are “strategic” in their nature and impact has led to the emergence of the field.”

McConnell (2016) collected a number of definitions of strategy and strategic risk. For example, for the purposes of examining banks, the US Federal Reserve and the Office of the Comptroller of the Currency (OCC) define “strategic risk” as (OCC, 2010):

“The current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organisation’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation [Emphasis added].”

In the Danske case, the negative impact of earnings arises from the AML scandal, which involves both “adverse business decisions”, “improper implementation of decisions”, in particular, the acquisition of Sampo Pank.

In the early 2000s, Danske was following an aggressive strategy of “growth by acquisition”, acquiring smaller banks in Northern Europe, such as Sampo. McConnell (2016) notes that growth strategies are risky, and acquisition strategies are particularly risky because of the “difficulty/inability of performing sufficient ‘due diligence’ on the firm being acquired”.

In documenting many instances of commercial acquisitions that have failed, Rankine and Howson (2014) warn that “most acquisitions fail” to achieve their stated objectives and point out the importance of conducting good commercial due diligence. They note, however, that it is often very difficult to perform sufficient due diligence on the company being acquired not only in the cases where the board of the firm being pursued perceives the approach to be ‘hostile’ but, even when it is welcomed, in cases when secrecy, such as keeping the news of a potential takeover from employees, must be preserved.

In the case of Danske, it is apparent that the board and management did not do sufficient due diligence on Sampo Pank, since, as noted earlier, the Russian central bank had already warned that there was evidence of significant money laundering at the Estonian branch (Danske Bank, 2018a). Not that such a discovery should have stopped the acquisition, merely that additional work would be needed to resolve the problems that were later unearthed.

In short, while the overall growth through the acquisition strategy of acquiring smaller banks in Northern Europe may be considered somewhat successful, or at least not unsuccessful, the Danske Board did not identify nor did they manage the complete set of the risks in their strategy.

While an opportunity was missed to identify AML issues when Sampo Pank was first acquired, later decisions turned that initial problem into a much bigger one. When in 2006, Danske announced the acquisition of Sampo Pank (Danske Annual, 2006), it clearly stated that:

“Danske Bank expects to complete the integration of Sampo Bank’s Finnish activities on its IT platform at Easter 2008. It has not yet been decided when to integrate the still relatively small operations in Estonia, Latvia, Lithuania and Russia.”

However, in 2008, the Board stated that “on the basis of a cost analysis, the Group decided to discontinue the migration of Banking Activities Baltics to its shared IT platform.” (Danske Annual, 2008). This meant that as time went on (Danske Bank, 2018a):

“The Estonian branch had its own IT platform. This meant that the branch was not covered by the same customer systems and transaction and risk monitoring as Danske Bank Group headquartered in Copenhagen (also referred to as “Group”), and it also meant that Group did not have the same insight into the branch as other parts of Group. [Emphasis added]”.

This anomaly proved a serious shortcoming for the bank’s risk monitoring functions, compounded by the fact that many of the documents were written in Estonian or Russian and thus difficult for foreigners to read.

In the Danske case, the board and management had a clear strategy of ‘one platform’, based on shared state-of-the-art technology. However, the board chose not to follow that strategy for the Baltic branches for cost reasons. In this, they failed to fully understand and manage the risks in the overall technology strategy (McConnell, 2017)

In 2004, the Basel Committee of the Bank for International Settlements, the world’s senior banking regulator, finalised proposals to bring the management of Operational Risk in line with the standards already adopted for Market and Credit risks (Bank for International Settlements, 2004). These so-called Basel II proposals are designed to strengthen operational controls in international banks and to ensure that they have set aside sufficient capital to cover large losses, such as those at Danske Bank. The Basel Committee defines operational risk as (Bank for International Settlements, 2004):

“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but not strategic or reputational risk”.

In the 2004 Basel II regulations, ‘Money Laundering’ is identified as an Operational Risk Loss Event Type in the category of “Clients, Products & Business Practices”, in the Level 2 Category “Improper Business or Market Practices” (Bank for International Settlements, 2004, Annex 7). The Danske case would seem to fit this classification, and hence, the losses are clearly an Operational Risk Loss Event (ORLE).

It is also obvious that all of the factors identified by the Basel Committee as giving rise to operational risk were present in the Danske case, including:

Processes—failure of basic processes designed to identify money laundering;

It is apparent from the evidence provided in the independent report (Danske Bank, 2018a) and others that, at least for management of the operational risks of money laundering, the ‘Group operational risk management framework of policies’ and IT systems were woefully deficient.

In its 2008 Annual Report, as Sampo Pank was being acquired, the Danske Board reported that as regards operational risk management (ORM) (Danske Annual, 2008):

“Group operational risk management relies on a framework of policies. Each individual business unit is responsible for the day-to-day monitoring of operational risk and for mitigating losses. The relevant support functions place resources at the disposal of the business units. The measurement and control framework comprises four qualitative elements:

In its initial ‘Risk Management Report’ to its Danish regulator (Danske Bank, 2010), it was noted that the “Executive Board” had a dedicated “Operational Risk Committee” which “includes managers of all major support functions and resource areas, including IT, and the Group Business Development department” and which:

“[...] reviews trends in the Group’s key operational risks on an ongoing basis and follows up on the progress of concrete action plans regarding these risks. The committee also receives reports and recommendations on key risk indicators.” [And …]

Thus, Danske Bank appeared to have ‘ticked all the boxes’ as regards regulatory required policies, organisations and frameworks for operational risk management but, as noted by the independent inquiry, “all three lines of defence failed”, and the much-vaunted risk management framework did not work.

The independent investigation summarised the failures of operational risk management in the Estonian Branch (Danske Bank, 2018a):

“In respect of the Estonian branch, there were deficiencies in all three lines of defence. The first line of defence at the branch did not focus on efficiently combating money laundering despite the significant number of high-risk, non-resident customers. This was not identified by the first line of defence at Business Banking in Copenhagen, which received a number of reports stating that the branch complied with the rules. The second-line integration of the Baltic units into the Group’s risk management, including monitoring and reporting, was weak. AML at the branches in the Baltic countries was not mentioned as a compliance risk in the bank’s management reporting. The third line internal audit formed part of Group Internal Audit (GIA). The integration of the branch’s internal audit department with GIA was also inadequate. [Emphasis added]”

The core problem in this case is that, despite the many red flags raised by regulators, correspondent banks and a whistle-blower, the issue was not raised to a level that the Board and senior management would take the warnings seriously. Despite what management considered to be a world-class risk management framework, the right information did not flow to the right people (Danske Bank, 2018a):

“Several documents show how management in Copenhagen did not integrate the Estonian branch in the bank’s risk management and control systems, but instead allowed the branch to operate with significantly different risk exposure and to a large extent, the branch itself conducted controls.”

Such a situation is clearly a serious failure of ORM processes in the bank, which was long-lived (over a decade) and catastrophic, causing serious economic and reputational damage to the company.

How could such a failure happen, though?

Documenting a large number of ORM failures, Blacker and McConnell (2015) identified similar operational risk management failures including in Barings, Allied Irish Bank (AIB), National Australia Bank (NAB), Société Générale (SocGen), Union Bank of Switzerland (UBS) and JPMorgan. Several of these cases are often categorised as ‘rogue trading’, but in all these cases, breakdowns in operational risk management processes enabled the people responsible to precipitate serious losses.

A key point about many of these cases, and also obvious in the Danske case, is the ‘remote’ nature of the staff and business units involved in the risk management failures. Before these scandals erupted, the offices and business units involved were considered to be small and reasonably profitable, and the small size of the business was wrongly considered not to be risky.

This, however, is a flawed analysis. Whereas the level of credit risk may reasonably be tied to business unit size, this is not true of operational risk, as failures in ORM in even a small business unit can bring about very large regulatory fines. Operational risk is no respecter of size or profitability.

The key lesson of the Danske Bank scandal is that operational risk management (ORM) processes failed, not across the whole firm but, disastrously, in a small, remote business unit that was considered by HQ as hardly worth worrying about. Turner (1976) showed that once such an incorrect belief takes hold, it becomes accepted wisdom and very hard to dislodge.

In some respects, the solution is obvious and simple—apply the most rigorous risk management analysis and management to every business unit in the firm, even if, at first glance, the effort may not appear to be justified.

In terms of the Basel II regulations (Bank for International Settlements, 2004), this means that every business unit should, each year, conduct a formal and rigorous risk and control self-assessment (RCSA) exercise, in which all operational risk issues pertaining to the business unit would be documented, considered and improvements canvassed.

As a separate and independent exercise, this business line RCSA exercise should be reviewed and audited independently by the firm’s central risk management organisation and also the internal audit function. At this stage, any whistle-blowing reports related to the business unit would be considered and used to validate the business unit’s self-assessment.

The results of these reviews should then be presented to senior business line and executive risk committees for formal analysis, monitoring and sign-off. Any requests for additional information or for process changes should be formally made to business unit management and monitored during execution by the central risk management function. Additionally, in order to pick up systematic problems across business lines, formal assessments of RCSAs by independent experts should be commissioned on a regular basis.

To many business unit managers, such recommendations might appear to be bureaucratic overkill—ticking even more boxes—and to an extent, they are. However, as Turner (1976) observes and Danske Bank shows, barriers to the free flow of information down and up the organisation need to be minimised, regulations need to be respected, warnings, especially from well-positioned whistle-blowers, need to be heeded and risks must be treated seriously.

In short, boards and senior executives must endure that their risk management policies and frameworks are effective, everywhere in the organisation.