The Central Bank of Ireland has fined Danske Bank A/S €1.82M for failing to conduct AML checks on 347,000 transactions.
On Thursday, the Central Bank of Ireland (CBOI) announced that it has fined Danske, a company with its headquarters in Copenhagen, for having AML/CFT system flaws that enabled thousands of high- and medium-risk transactions to go unmonitored.
The Criminal Justice (Money Laundering & Terrorist Financing) Act, 2010, was violated three times between 2012 and 2014 due to failures to keep track of hundreds of thousands of transactions for indications of criminal behavior.
During the nine years between 2010 and 2019, according to the regulator, Danske neglected to make sure that its automated transaction monitoring system was keeping an eye on the transactions of specific client types at its Irish branch.
The automated transaction monitoring system used by the lender, initially implemented at its Irish branch in 2006, was found to be the primary contributor to the failure, according to the CBOI. "Historic data filters" were used inside this system.
"Decision marks first time CBOI has imposed a penalty on a financial institution incorporated and supervised outside of Ireland," according to the Central Bank of Ireland
The watchdog initially assessed that the proper penalties should be €2.6M, however due to the early settlement discount plan, this amount was cut by 30% to €1.82M.
The Central Bank has never before fined a financial institution that is formed and regulated outside of Ireland thanks to this ruling.
For nine years, there was a gap in security, allowing thousands of potentially dangerous clients to remain undetected.
According to the Central Bank, the Danish bank, which runs a branch in Dublin for business clients, neglected to keep track on hundreds of thousands of transactions between 2010 and 2019 for indications of criminal behavior.
Due to the bank's failure to calibrate its automated monitoring system in 2010 to account for revised anti-money laundering rules in Ireland, about one in 40 transactions eluded Danske's system.
The Irish Central Bank stated that "Danske failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA when it came into force in Ireland in 2010."
These failures led to the “erroneous exclusion” of certain categories of customers from transaction monitoring, including some customers that the bank had identified as high and medium risk.
Following an internal audit study in 2015, Danske became aware of the flaws, but it took almost four years for it to inform the Irish office and take corrective action.
According to the Central Bank, between the end of August 2015 and the end of March 2019, over 350,000 transactions—or around 2.43% of all transactions handled by the Irish branch—were not examined for potential money laundering and terrorism financing risks.
The Central Bank found that Danske's anti-money laundering/counter-terrorist financing policies, strengthened customer due diligence, and transaction monitoring procedures all needed improvement.
Danske has acknowledged the three violations.
"While firms may rely on automated solutions for transaction monitoring, they must ensure systems are appropriately monitored and calibrated to take account of the actual money laundering risk to which firm is exposed," said Seana Cunningham, Director of Enforcement and AML at CBOI.
"The importance of transaction monitoring in the global fight against money laundering and terrorist financing cannot be overstated. It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business," she added.
"These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious," she continued.
"The Central Bank recognises that while firms may rely on automated solutions for transaction monitoring, they must ensure that systems employed for this purpose are appropriately monitored, and calibrated correctly to take account of the actual money laundering or terrorist financing risk to which the firm is exposed," she said.
"In this case, the transaction monitoring system used by the Irish branch was a Danske group wide automated system that had applied historic data filters which operated to erroneously exclude certain categories of customers from being monitored for a period of almost nine years. This led to the serious breaches in this case," she continued.
"This case highlights the requirement for firms, including those operating in Ireland on a branch basis, to ensure that group systems, controls, policies and procedures are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their money laundering and terrorist financing risk exposure," Ms. Cunningham said.
By fLEXI tEAM