30 Apr 2020
At times it can seem as if Swedbank’s recent history has been taken from the plot of a Nordic noir novel. There is a procedural bleakness to the Swedish bank’s money laundering scandal and a complexity to it all that does little to resolve the moral ambiguities of institutional malfeasance.
And, as if to check off the genre’s plot elements, there are also claims that the bank’s troubles can be traced back in part to a massive criminal scheme perpetrated by Russian officials, and to the alleged murder of a Muscovite attorney who uncovered the fraud.
Noir fans and other interested readers can find Swedbank’s tale described in great detail in a recently published report by global law firm Clifford Chance, which was tasked with investigating the lender’s compliance failings in the wake of allegations that it had processed billions of dollars in suspicious payments.
For anti-money laundering professionals, the Swedish bank’s compliance struggles also serve as a warning for how things can go wrong when systems and controls aren’t adequately implemented to address regulatory risks.
Media reports first linked Swedbank to suspected money laundering at Danske Bank’s Estonian branch in late 2018, but it wasn’t until a report by Sweden’s Sveriges Television (SVT) the following February that the public began to take notice.
The report, which aired in primetime, alleged that 50 Swedbank customers with ties to Danske Bank’s Estonian affiliate showed indicia of money laundering and had moved some $5.8 billion in funds through the financial institution between 2007 and 2015. Approximately $26 million of that total could be traced back to an alleged $230-million Russian tax fraud uncovered by Muscovite attorney Sergei Magnitsky in 2007, the public television network claimed.
Magnitsky died in Russian custody in 2009 after his detention on charges related to the massive fraud. His supporters—many of whom claim Magnitsky was intentionally killed—have repeatedly described the charges against him as false and retributive.
The SVT report, along with subsequent news coverage, found that individuals purportedly involved in the tax fraud funneled their illicit funds through shell companies into accounts maintained at Danske Bank, which has been accused of processing $230 billion in suspicious transactions through its unit in Estonia. Some of those funds found their way into Swedbank, SVT said.
The allegations have since prompted Sweden, Estonia and the United States to launch investigations into the bank.
Swedbank’s board responded by commissioning Clifford Chance to not only investigate the allegations directly, but also review the bank’s historical exposure to money laundering risk across all its operations. The firm reviewed some 30 billion transactions, half of which were executed in the Baltic units, and 20 million documents covering a period from January 2007 to March 2019, in addition to conducting more than 100 interviews of current and ex-staff.
Although Clifford Chance found no direct evidence of money laundering at Swedbank and did not determine that client accounts were linked to criminal activity—a conclusion potentially informed by the absence of key due diligence documents—investigators found that the institution had inadequate systems and controls to manage its money laundering and economic sanctions risk. Consequently, the bank had been exposed to significant risks of criminal exploitation, the firm said.
These risks were particularly acute in Swedbank’s Baltic units, and especially so in its Estonia-based arm, the firm found. Both the Latvian and Estonian outfits actively sought business from non-resident customers until 2016. Indeed, in 2015, Swedbank Estonia accepted a number of non-resident customers who had been off-boarded by another Estonian institution that had withdrawn from the non-resident market due to excessive money-laundering risks.
Although the Estonian unit had a New Customer Committee, it often approved new clients without complete documentation on ultimate beneficial owners, proof of sources of funds or an explanation of the legitimate business purposes of the accounts.
Frequently, Swedbank’s staff ignored “red flags” on inadequate documentation, the report found. The red flags included complex and opaque ownership structures, often based in secrecy jurisdictions with foreign trusts and similar vehicles being frequently employed. Swedbank onboarded the clients despite knowledge among staff that the non-resident customers had either misrepresented their beneficial owners or refused to disclose such details at all.
In certain cases, Estonian bankers did not maintain records on Swedbank’s standard customer database in order to prevent details of beneficial owners from being known to third parties. Staff in Estonia accepted new customers who employed complex structures in order to hide the details of beneficial owners from home country tax authorities, the report concluded. Furthermore, indications of potentially suspicious transactions in Estonia were often ignored or disregarded.
The law firm focussed its analysis on non-resident customers within Europe as well, including companies based in Malta, Cyprus, the UK and Luxembourg. Across these customers of the three Baltic units, Clifford Chance identified €17.8 billion of incoming funds and €18.9 million of outgoing funds in the five years to March 2019. However, the value of transfers linked to these customers in the region fell significantly in 2018 and 2019.
Clifford Chance also assessed compliance by the Baltic units with US sanctions legislation over the five years ending in March 2019. From a review of 26 million SWIFT interbank messages and 1.6 million USD payments, investigators identified 582 relevant transactions with a value of $4.76 million. Swedbank processed the transactions despite their links to persons in Iran, Libya, Cuba and Crimea, the law firm said.
How Suspected Criminality Escaped Detection
How did the bank allow itself to become exposed to such a large influx of suspicious funds? The answer, in part, comes down to managerial failings, according to the report.
For example, senior management failed to establish a clear division of responsibilities between the front-line business unit (the first line of defence) and the compliance team (the second line of defence). Also, clear methods of challenge by Compliance over the front-line business were absent.
The CEOs in the review period failed to understand the “severe” risk posed by non-resident customers in the Baltic region, given the “consistently ineffective AML controls”. This lack of understanding was further demonstrated by the failure until 2017 to adopt a Group AML risk statement and the failure to enforce a consistently assessment of risk-rating customers across the Group.
As senior management failed to appreciate the legal and reputational risk faced by the bank, they also failed to consistently engage with the board on these issues, the firm said. Although Group Internal Audit (GIA) identified key weaknesses and reported these to the board’s Audit Committee, senior management advised the board that the weaknesses were being addressed and were under control.
Similarly, although Group Compliance, with the assistance of a local law firm, identified serious concerns and significant legal risks, some of these risks were not effectively escalated in a timely manner to the board, GIA or senior management in the Baltic region.
Clifford Chance also considered Swedbank’s responses to various AML-related requests from regulators in order to assess the level of transparency in the bank’s engagement with its supervisors. The report concluded that, in some cases, the bank was not sufficiently transparent, de-emphasised negative information and occasionally adopted an overly narrow or literal interpretation of requests.
The law firm also reviewed AML-related public disclosures by the bank and its senior executives, including those made in various annual and interim reports, shareholder communications and analyst presentations in light of the discoveries made during the investigation. The report concluded that,between October 2018 and March 2019, some statements about both institution’s exposure to historical and current AML risks were inaccurate or presented without sufficient context.
Questions of Accountability
Clifford Chance also considered the actions of those individuals who were responsible for the existence and perpetuation of inadequate AML and sanctions controls and why those deficiencies persisted without a material improvement over many years. The three CEOs in post during the review period were scrutinised as were other employees who contributed to the failure to recognise and mitigate the significant risks posed by the non-resident customers of the Baltic units.
The CEO from 2009 to 2016 failed to focus on the AML weaknesses in the Baltic region despite numerous GIA reports highlighting such deficiencies and a report by the Swedish regulator identifying significant AML weaknesses in the domestic market.
Although the next CEO, who was in post until 2019, took significant steps to address these issues, including commissioning the report, she did not devote sufficient resources, attention or urgency to the remediation efforts, the law firm said. Nor did she ensure that relevant information was shared with the board or with local management boards of the Baltic branches. Furthermore, she failed to adequately educate or apprise the board of the reputational and legal risks associated with the AML failings linked to the non-resident customers.
It is clear from the report that board members did not sufficiently challenge senior management about the various AML issues, and that they generally accepted assurances that the matters were being addressed and were under control.
The bank terminated a number of senior managers both in Sweden and the Baltic region, some relationship managers of the non-resident customers and some members of the New Customer Committee on the basis of both their action and inaction in contributing to issues identified by the law firm.
Swedbank has since appointed a number of new officeholders, including a new CEO, a new Chief Compliance Officer, a new CEO in Estonia, a new Board Chair and a number of new board members. The bank has adopted more stringent AML procedures and controls, devoted more resources to financial crime topics, continued the process of de-risking its Baltic customer base and strengthened its corporate governance procedures. The top 170 managers in the bank did not receive a 2019 bonus in order to reinforce the message that regulatory compliance is a bank-wide responsibility and not just a matter for the Compliance team.
With the assistance of an external consultant, in September 2019, the bank launched 132 AML initiatives of which 67 were completed by the following December. It is expected that the remaining initiatives will be completed by the end of this year.
Once again, a bank has found itself at the heart of a money laundering scandal due to internal failures to adequately implement fundamental financial crime controls rather than as a result of the cunning plan by clever, sophisticated criminals. As with many a noir tale, we end with the mundane.
Compliance professionals, however, can draw some valuable lessons from Swedbank’s struggles: high-risk customers and their beneficial owners must be fully identified, AML controls must be consistently applied across the group, banks should be totally transparent with their regulators rather seeking to be “economical with the truth” and board members should be prepared to robustly challenge senior executives on the identification, mitigation and management of these risks.
Shortly after the report was published, Swedbank incurred a $386 million fine from its domestic regulator. When considered with the cost of the report’s investigation and new procedures totalling some £250 million, the bank and its shareholders have learned a very expensive lesson, even before considering potential fines arising from ongoing investigations by Estonian and US authorities. Compliance staff would be well advised to review the report to ensure their firms do not make the same, very expensive mistakes that Swedbank made.
Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016. He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
RiskScreen: Eliminating Financial Crime with Smart Technology
You can claim CPD minutes for this content, by signing up to our CPD WalletFREE CPD Wallet