The Central Bank has fined Denmark’s Danske Bank just over €1.8 million for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 (CJA).
The regulator said that the breaches stemmed from Danske’s failure to ensure that its automated system monitored the transactions of certain categories of customers of its Irish branch for a period of almost nine years, between 2010 and 2019.
The CJA requires financial institutions to monitor any business relationship that they have with a customer “to the extent reasonably warranted by the risk of money-laundering or terrorist-financing”.
Adjustments not made
The Central Bank stated that the root cause of this failure was historic data filters that were applied within Danske’s automated transaction-monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006.
“Danske failed to consider the appropriateness of these historic data filters within the system, or make any adjustments to the system to take account of the specific requirements of the CJA when it came into force in Ireland in 2010,” the regulator’s statement said.
“This led to the erroneous exclusion of certain categories of customers from transaction-monitoring – including some customers rated by Danske as high and medium risk,” it continued.
The Central Bank said that an internal audit report in May 2015 had made Danske aware of the inadequacies in its system, but that Danske had failed to notify the Irish branch of these issues, and to take adequate action for almost four years.
Between 31 August 2015 and 31 March 2019, the regulator estimates that 348,321 transactions, equating to almost 2.5% of all transactions processed through the Irish branch, were not monitored for money-laundering and terrorist-financing risk.
The Central Bank set the fine at €2.6 million, but reduced it by 30%, in line with a discount scheme provided for in its Administrative Sanctions Procedure (ASP).
This is the first penalty that the Central Bank has imposed on a financial institution incorporated and supervised outside of Ireland that operates in Ireland as a branch on a ‘passport’ basis.
This means that the bank uses an authorisation obtained in Denmark to sell products and services in Ireland.
Danske’s Irish branch provides banking services mainly to large companies and institutional customers – including the public sector.
According to the Central Bank, the three breaches were:
- Danske failed to ensure that its automated system monitored the transactions of certain categories of customer for money-laundering and terrorist-financing risk at its Irish branch for a period of almost nine years,
- In failing to conduct automated transaction-monitoring for some categories of customers, Danske’s Irish branch did not take into consideration an important part of due diligence that is necessary to identify and assess risks specific to those customers,
- The policies, procedures and controls put in place by Danske did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction-monitoring.
In a statement, Danske Bank acknowledged the seriousness of the issues identified in the Central Bank investigation.
“Danske Bank deeply regrets and apologises for the matters which were the subject of this investigation,” it said, adding that it recognised the importance of effective anti-money-laundering procedures, and took its obligations under legislation and regulatory guidance “very seriously”.