March 24, 2021

Reading this summary (https://www.riskscreen.com/kyc360/news/newly-obtained-audit-report-details-how-shady-clients-from-around-the-world-moved-billions-through-estonia/) of what happened at Danske Bank in Estonia – with a dramatic conclusion for its former CEO – you can only ask yourself: what use is it to invest in artificial intelligence, expensive regtech solutions and back office systems if people know what’s happening and don’t take the right action?

In just a year and a half, 65.7 million euros and over $1 billion passed through the accounts of just one (1) client, an average of around $2.5 million for every working day — even though Danske never appeared to know who its customer was; proper customer due diligence was never done. In another example mentioned, 10,500 one-gallon paint cans at an average price of over $1,000 each (!) were featured in trade documents. A classic example of over-invoicing – and not a hard case to detect at that – and the report is full of these examples. All are classic stories of under- and over-pricing, indicating the importance of trade-based money laundering (TBML).

What makes it worse is that this was facilitated – actively or passively – by local staff. Local management was aware, and when asked about the awareness of head office, the local CEO literally replied “Of course they knew”. The reason given was simple: the Estonian office would not be able to turn a profit without accepting illicit money.

Now, this is not something that happened in the distant past when fines were not common yet, when compliance was hardly a topic of concern for senior management and when employees of financial institutions were not even trained. How is it possible that despite all FATF recommendations, investments in the compliance function and operational compliance in the first line of defence, this still happens? In other words: what can we learn from this? The sad truth is that there’s really nothing new we can learn; it’s all known but not put into practice. Let’s review some lessons anyway.

It starts at the top. Not only does the tone at the top need to be right; there needs to be actual and hands-on interest in financial economic crime prevention. Incidents need to be reported and reviewed, and dashboards on the level of operational compliance across the organization need to be produced and reviewed. Particularly that last element is unfortunately still missing in many financial institutions.

Secondly, broad awareness across the organization needs to be achieved. Awareness doesn’t just mean ‘having heard of it’ or ‘knowing that it is important’. Particularly for all client-facing staff, but also for staff involved in processing, authorizing, checking or auditing client activity, awareness needs to be translated into operational application and ready-to-use guidance. That implies, among other things, clear job descriptions, detailed and job-specific instructions, up‑to‑date operational procedures and clear management guidance.

Finally, it implies that all supporting systems are in place to ensure operational compliance is easy to achieve. The word ‘systems’ does not refer to technology alone. Of course, state-of-the-art transaction monitoring systems (where possible making use of artificial intelligence and publicly available data), smooth onboarding and customer relationship management systems are important. Equally important are non-technical systems like easily accessible escalation procedures, a system for support by the second line of defence and, not to forget, appraisal and reward systems that support adherence to internal AML/CFT policies.

A policy is just a document. An important document, but in the end nothing more than that. The first line of defence, with help from the compliance function, needs to make it work: it needs to ensure that policies are adhered to, that staff are trained, and that well-thinking analysts, customer service staff and relationship managers act with integrity. Culture is key and fintech is not a panacea; in the end, achieving operational compliance depends on the power to execute and the ability to operationalise compliance guidelines in the first line of defence.