Considering Danish Bank’s money laundering case related to their Estonian branch, what are then the learnings that any company – big or small – should take notice of?
Let’s first look at what went wrong. The Danish Financial Supervisory Authority (“FSA”) have done their assessment in the decision of 3 May 2018.
FSA’s decision includes eight injunctions and eight appeals. The decision also reveals that the increase in compliance and reputations risks that have been detected, should be covered by an increased Pillar 2 capital of 5 billion DKK.
The decision is only considering the management and governance of the money laundering activities. The specific questions about lack of money laundering efforts in Estonia’s Estonian branch are addressed by the Estonian authorities.
These are the wrongdoing according to FSA;
Board of Directors, Executive Board and the Bank’s other decision-making processes have not been adequately documented in the form of sufficient written resolutions, minutes of led discussions and made decisions. Ratings of compliance risks have in addition, not been sufficiently considered or have been given sufficient significance in decision making.
The bank’s reporting procedures, decision-making processes and corporate culture have not been sufficient preventing risks from materializing.
The Bank’s management has not secured sufficient focus on the compliance area and transparency of the problems and ensuring timely and safe handling of possible problems with complying with the legislation. Management’s priorities and practices have damaged the credibility of the bank and reputation. Considering the bank’s systemic importance and international presence the reputation of the Danish banking sector may also be damaged. In summary, these are the three main questions and learnings that any company may take notice off;
1. Are our decision-making processes sufficiently linked to our risk management processes in order for you to answer, “what could go wrong (risks) in order to meet our objectives”, “how do we manage what could go wrong (our risks)” and “how do we know if we are effective in managing what could go wrong and thereby meet our objectives”.
The learning there off ought to be;
2. Do we know if we have a strong or weak risk culture? Most companies depend on people. People do drive earnings in many ways. However, sometimes people also act incorrectly – some intent to do wrong, some fail to act on feedback, some neglect policies and procedures. The erroneous acts can cause fraud, safety breaches, operational errors, and overleveraging. Regardless, companies cannot assume that a healthy risk culture is a natural thing in an organization. Rather, leadership teams must manage risk culture just as thoroughly as any business problem, demanding evidence about the underlying attitudes that pervade day-to-day risk decisions.
So, the learnings should be;
3. What is our risk appetite and is it operational? Can employees be guided by your risk appetite or is it to overarching? Is risk tolerance, limits, profiles defined on each level of the organization? And are roles & responsibilities defined according to the risk appetite?
So, the learnings should be;
Read more about the author: Heidi Gliese Hylleborg