30/01/2019
Response by Finantsinspektsioon of Estonia to the English summary of the Report on the Danish FSA’s supervision of Danske Bank concerning money laundering through the bank branch in Estonia.
“We welcome the clear indication now given by our Danish colleagues that Finantsinspektsioon of Estonia should firmly take the lead in supervising the Danske Bank in Estonia, clarity that we have been waiting for from DSFA for some years,” said Kilvar Kessler, Chairman of Finantsinspektsioon. “Finantsinspektsioon now plans to go forward with its supervisory activities over Danske Bank, which we will be disclosed in due course separately.”
Danske Bank failed in its governance. The Danish Financial Supervisory Authority was and is responsible for supervising the governance of Danske Bank, including its branches. Finantsinspektsioon stands ready to take over supervision of Danske Bank as whole.
The Danish Financial Supervisory Authority, the DFSA, described in its English Summary Report the serious failures in governance at Danske Bank. The report stated that the overall control environment at Danske Bank was inadequate. Furthermore, the bank had opted not to integrate the IT systems in the branch with those of the rest of the bank, which impeded the effective monitoring of the business in Estonia. This decision was not compensated for through risk management and the control system did not detect signs of violations of the law effectively and in good time.
Income from the non-resident business of the branch was not proportional to the size of that business line within the bank, and should have raised additional red flags in Danske Bank. Finantsinspektsioon believes that bank governance should be designed, built and run as a single whole that covers all the parts of a bank and all its risk, including control and governance arrangements for anti-money laundering (AML) and for combating the financing of terrorism (CFT).
European Union banking directives, regulations and guidance set minimum harmonised standards for bank governance. This law very clearly imposes on the home member state a duty to supervise bank governance, including the governance of bank branches, as these are not separate legal entities with independent liability towards their creditors.
Finantsinspektsioon of Estonia forced Danske Bank to close its non-resident business in 2014 and 2015. No other agency in Denmark or in Estonia made any great efforts to close down these risks and deal with weaknesses in the bank governance at that time, though the Estonian Financial Intelligence Unit (FIU) helped Finantsinspektsioon with valuable background information.
Finantsinspektsioon of Estonia operates under Estonian law. Finantsinspektsioon carried out a number of on-site inspections at the Danske Bank branch in Estonia and conducted other supervisory work. Of particular note are two on-site inspections in 2014 that documented a large number of material breaches of Estonian law by Danske Bank. After the failure by the bank to act as a result of supervisory dialogue, Finantsinspektsioon took out a precept in 2015 obliging Danske Bank to rectify the breaches and build an adequate risk control organisation. As a result, the bank exited its non-resident business by the end of 2015. Finantsinspektsioon acted independently in this work, with no information or instructions from Denmark. The DFSA was asked for feedback and suggestions before the two on-site inspections were conducted in 2014, but for the first inspection the DFSA simply asked to be informed of the results, while Finantsinspektsioon has no records of any response from the DFSA about the second on-site inspection, meaning the DFSA decided not to be involved.
Before commencing the two on-site inspections in 2014, Finantsinspektsioon informed the DFSA as the primary supervisory authority several times in 2012 and 2013 about potential issues in the governance at Danske Bank, in which the Estonian branch was an integral part. When Finantsinspektsioon saw that no action was taken by the DFSA, it decided to act by itself.
Under current European rules, Estonian and Danish authorities have shared responsibility for AML supervision of the Danske Bank branch in Estonia. So far, Finantsinspektsioon has relied on the DFSA being in lead for AML supervision of Danske Bank, but the report makes clear that the DFSA sees the lead should be firmly taken by Finantsinspektsioon.
The DFSA argues in the summary report that Finantsinspektsioon is responsible for the AML supervision of the Estonian branch. This is a simplified view of the legal circumstances. Finantsinspektsioon has repeatedly explained that AMLD3, a piece of EU legislation harmonising anti-money laundering in the EU prior to June 2015, did not have any provisions on the division of responsibilities when cross-border banking is provided and freedom of establishment is exercised. As discussed, combating money laundering (ML) and terrorist financing (TF) by a bank is generally a matter of building effective controls, which is purely an issue of the bank’s governance. It is the current opinion of Finantsinspektsioon that it is rather artificial and unrealistic to make a sharp distinction between internal governance, which deals with ML and TF risks, and the rest of the bank internal governance. In practice, the internal governance of a bank is a holistic system. A majority of the responsible authorities in EU countries handle the AML risk control organisation of outgoing branches of a bank as a whole is under their supervision as the home authority. Obviously it is a problem for any bank when the home country authority requires a certain set-up of governance, but the host country authority demands that the bank act in a totally different way. Finantsinspektsioon sees that European rules and authorities are designed to avoid this happening and to minimise the risk of such conflicts. AMLD4, which is in force from June 2015, rightly addressed issues of cross-border jurisdiction, allocating responsibilities between the home and host countries.
Finantsinspektsioon is somewhat surprised that the DFSA firmly states “the host country supervisor, [Finantsinspektsioon] is responsible for the AML supervision of the Estonian branch.” Firstly, it is not clear what period that statement is intended to cover and whether the DFSA is sufficiently qualified in Estonian law to make such a statement. Secondly, Estonia and the other member states decide how they implement the EU directives, including AMLD, by making one or more agencies responsible for all or certain responsibilities under the directives. Estonia has also allocated a number of institutions as supervisors under AMLD, and the FIU of Estonia collects reports of suspicious transactions from obliged entities including incoming EU bank branches. The FIU has the right to request information from obliged entities, including bank branches, and to freeze assets held in them.