Danske Bank was fined €1,820,000 by the Central Bank of Ireland on 13 September for three violations of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 (CJA). Danske has acknowledged the three violations.
For a period of nine years, between 2010 and 2019, Danske Bank failed to guarantee that its automated transaction monitoring system tracked the transactions of specific types of customers at its Irish branch.
The Root Cause of the Violations
According to the Enforcement Action, the fundamental reason for this failure was the usage of historic data filters inside Danske's automated transaction monitoring system, originally established in 2005 and pushed out to the Irish branch in 2006. Danske failed to examine the validity of these past data filters inside the system, nor did it make any system improvements to account for the specific needs of the CJA when it came into effect in Ireland in 2010. This resulted in the erroneous exclusion of certain groups of customers from transaction monitoring, including those clients designated as a high and medium risk by Danske, resulting in the three CJA violations in this case.
Danske identified the issue during an internal audit in 2015 but failed to fix it or even alert its Irish branch or the Irish regulator, as required.
Instead, the problem continued for nearly four more years, resulting in 348,321 unmonitored transactions in Ireland between August 31, 2015, and March 31, 2019 (2.43% of all transactions processed through the Irish branch). Danske eventually addressed the issue internally in October 2018 but did not bring the Central Bank up to speed until February 2019 - barely a month before it finished updating its systems.
In addition to its transaction monitoring failings, the three CJA violations were as follows:
- Transaction monitoring - For over nine years, Danske failed to guarantee that its automated transaction monitoring system tracked the transactions of specific types of customers for money laundering and terrorism funding risk at its Irish branch.
- Enhanced customer due diligence -Danske's Irish branch failed to conduct automated transaction monitoring in respect of certain categories of customers, ignoring an important part of due diligence, namely transaction monitoring data, which is required to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures may be required.
- Policies, methods, and controls for anti-money laundering and counter-terrorism financing - Danske's policies, procedures, and controls did not function to detect the erroneous exclusion of specific types of clients from automated transaction monitoring.
The Appropriate Fine was €2,600,000
The Central Bank stated that the appropriate fine was €2.6m; however, it was lowered by 30% to €1.82m in compliance with the regulator's early settlement discount scheme.
As stated by the Central Bank, the failure to alert supervisors was an "aggravating element" in the case that was taken into account when determining how much to fine Danske.
This is the first penalty issued by the Central Bank on a financial organization that is established and supervised outside of Ireland (e.g., in Denmark) yet operates as a passport branch in Ireland. The Central Bank is in charge of anti-money laundering/counter-terrorism financing (AML/CFT) and supervises Danske's branch activities in Ireland.
Firms operating branches in Ireland must still comply with its regulations
Seána Cunningham, the director of enforcement at the Central Bank, stated:
“The Central Bank recognizes that while firms may rely on automated solutions for transaction monitoring, they must ensure that systems employed for this purpose are appropriately monitored and calibrated correctly to take account of the actual money laundering or terrorist financing risk to which the firm is exposed.
In this case, the transaction monitoring system used by the Irish branch was a Danske group-wide automated system that had applied historic data filters which operated to erroneously exclude certain categories of customers from being monitored for a period of almost nine years. This led to serious breaches in this case.”
This case emphasizes the need for corporations, including those operating a branch in Ireland, to verify that their group systems, controls, policies, and procedures are compliant with Irish regulatory requirements, as well as that their governance structure and risk management measures are effective. These should be risk-based and reasonable, based on business risk assessments of businesses' money laundering and terrorism financing risk exposure.
Compliance with anti-money laundering and counter-terrorism funding regulations is and will continue to be a top priority for the Central Bank. This case highlights their determination to pursue enforcement measures and apply fines when corporations fail to comply with anti-money laundering/counter-terrorism funding regulations.
Our AML Transaction Monitoring tool helps firms meet their AML requirements in accordance with the "risk-based approach" principle. Organizations can utilize pre-defined rules and scenarios or create their own rules and situations. Thus, all financial transactions mediated by the organization are managed in our transaction monitoring tool according to the organization's preferences.
The product offers solutions to help firms improve their AML compliance in every industry. You can make your AML control procedures automatic and efficient by using dynamic rules and scenarios, a sandbox test environment, real-time alerts, robust alarm management, and many other features.