On August 27, 2024, the New York State Department of Financial Services (DFS) entered a Consent Order with Nordea Bank Abp and its New York branch requiring Nordea to pay $35 million within ten days of the Order. DFS's investigation into Nordea Bank focused on the inadequacies of its Know Your Customer (KYC) and anti-money laundering (AML) policies, practices, and procedures at its banks in Latvia, Lithuania, Estonia, and Denmark—opened after the fall of the Soviet Union. DFS also found that Nordea failed to comply with the federal Bank Secrecy Act. As a result, Nordea was found to have violated 3 N.Y.C.R.R. § 116.2 for failing to maintain an effective and compliant AML program, failing to conduct adequate due diligence in its correspondent bank and Relationship Management Application relationships, and 3 N.Y.C.R.R. § 504.3 by failing to maintain an adequate transaction monitoring system.
The investigation was prompted by Nordic financial regulatory authorities, including the Danish Financial Supervisory Authority (D-FSA), the Finnish Financial Supervisory Authority (FIN-FSA), the Swedish Financial Supervisory Authority (S-FSA), and the Norwegian Financial Supervisory Authority (N-FSA), who identified weaknesses in Nordea's compliance programs, and the 2016 Panama Papers leak. Nordea Bank was among the financial institutions named alongside the nearly 215,000 tax havens in the almost 12 million documents encompassing the 2016 Panama Papers leak. According to DFS, the Panama Papers showed that Nordea enabled hundreds of customers to set up tax-sheltered offshore accounts.
In sum, DFS found that Nordea was routinely aware of deficiencies in its KYC and AML controls at the relevant banks throughout 2010 to 2016. While DFS acknowledged Nordea's efforts to remediate its practices, the bank either did so too slowly or inefficiently, resulting in DFS's second-largest monetary sanction in 2024.
KEY FINDINGS
DFS primarily focused on Nordea's regular acknowledgment of inefficient controls throughout its various banks and correspondent banks across Europe.
- After a 2016 merger to combine its operations in Estonia, Latvia, and Lithuania with Den Norske Bank to form Luminor Group AB, Nordea failed to prevent certain Luminor customers from accessing Nordea's banking systems, described in an email from a Nordea financial crime specialist as "a severe breach of at least (but not limited to) information security rules, financial crime regulatory frameworks" and recommending "an incident report must be filed immediately."1 Despite Nordea's findings that there were serious AML risks with its Luminor relationship, it failed to adequately address the issues. Nordea also maintained inadequate transaction monitoring throughout the relationship.
- At Nordea's Denmark bank, the Vesterport International Branch, Eastern European and Asian customers exposed the bank to several money-laundering scandals, including those identified in the Panama Papers, as well as the Russian Laundromat,2 the Azerbaijani Laundromat,3 and the Hermitage Capital allegations.4 Nordea inadequately dealt with the issues at Vesterport, having lacked what DFS called "a standardized approach." Nordea had "no procedures to block payments" or prevent customers from routing transactions to other banks. The bank began to cease operations in 2014.5
- Around 2015, an audit found Nordea lacked formal agreements with correspondent banks regarding AML policies, practices, and procedures. Further, there were inadequate instructions for KYC procedures. Nordea found employees had insufficient training in control measures and often failed to perform enhanced due diligence for high-risk banks and individuals.6
- DFS concluded Nordea lacked adequate KYC and AML procedures as part of its relationship with Danske Bank. Danske was found to have violated Danish AML laws in 2015. Even so, Nordea did not collect specific KYC data on Danske Estonia until several years into the relationship. Eventually, Nordea rated Danske Estonia an AML risk class "C" rating. DFS noted, "four entities that were central to the Azerbaijani Laundromat were customers of Danske Estonia." DFS blamed Nordea's lack of sufficient KYC collection with Danske Estonia on its lack of awareness of money laundering and illegal activity.7
- Nordea maintained a relationship with Latvia's ABLV Bank, which the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) named "an institution of primary money laundering concern" in 2018. While Nordea terminated the relationship in 2018, DFS noted the termination "came too late" and only when it learned of FinCEN's concerns. Nordea had often identified AML risks in its relationship with ABLV before 2018. Still, Nordea routinely continued its relationship with ABLV despite these risks. DFS noted Nordea's controls were inadequate for dealing with a bank like ABLV, including "reliance on manually-updated internal lists of FinCEN 311 entities that were not updated in a timely manner, thus allowing the transactions to occur when they should not have."8
- Nordea's relationship with the Bank of Cyprus followed a similar theme – insufficient due diligence, internal controls, and transaction monitoring, and routine decisions to continue the relationship despite red flags such as knowledge the Bank was a Russian tax haven, lack of documentation on the Bank and its board members, which included a former KGB agent, and frequent allegations of Russian money laundering.9
DFS noted it gave considerable weight to Nordea's "extensive cooperation with DFS throughout this investigation. This cooperation has included Nordea's timely and appropriate responses to requests for information and its support to provide relevant information through a novel channel created by the FIN-FSA."10 Additionally, DFS recognized Nordea's efforts "to remediate the historical deficiencies identified in this Consent Order, which included a substantial and continued financial investment into compliance resources and risk-based enhancements to its compliance program."11
GLOBAL IMPACTS FOR DFS-REGULATED ENTITIES
Because of its New York branch, DFS's reach extended into Nordea's lack of compliance and oversight in regions where there may be less regulatory oversight. As a result, DFS-regulated banks must be extra cautious of the risks associated with doing business in high-risk regions. This includes weighing whether they can adequately enforce sufficient policies, practices, and procedures in those regions to DFS's satisfaction. DFS-regulated banks must ensure their policies and procedures at all branches are sufficient to pass DFS scrutiny. Nordea routinely failed to enforce specific KYC measures for high-risk banks, like Danske Estonia. Even if a bank has sufficient KYC and AML procedures for a New York branch, those procedures may require modification for international branches. Further, Nordea's employees were found to lack sufficient training in key areas like AML and KYC policies, practices, and procedures. This training may require modification depending on the region – an employee in Eastern Europe may need to raise more concern over certain transactions than an employee in New York. Large international banks like Nordea must also have adequate monitoring of all correspondent relationships. For example, Nordea was found to have insufficient documentation for its relationship with the Bank of Cyprus. Especially in high-risk regions, banks must ensure they maintain updated information and perform the required due diligence. Unlike Nordea, banks doing business in high-risk regions should have a lower risk appetite for branches in those regions. And banks must ensure they have adequate technology to monitor large-scale, international transactions. This includes monitoring reports of various regulatory agencies. DFS found Nordea lacked adequate transaction monitoring, resulting in suspicious transactions going undetected, going unreported, or being lost in backlogs of unprocessed reports.
Nordea's lack of adequate policies, practices, and procedures, especially considering it was so active in high-risk areas, was a problem exacerbated by its repeated refusal to act when it spotted red flags. There must be individuals in place at high-risk banks willing to not only report red flags, but act on them immediately. While DFS recognized Nordea's eventual remedial efforts, those efforts often came too late, and only after it was repeatedly put on notice by Nordic regulatory authorities, by American regulators like FinCEN, and by knowledge of red flags in high-risk areas.
Nordea's regulatory missteps highlight how vital it is for other financial institutions to: (1) stress test all policies, practices, and procedures to ensure they are adequate for DFS-regulated banks; (2) establish adequate AML and KYC procedures specific to different regions and problems faced by different branches and correspondent banks; (3) ensure adequate monitoring of all banking relationships, including the individuals in leadership roles at those banks; (4) implement sufficient training across all branches; (5) maintain adequate, up-to-date technology for transaction monitoring; (6) ensure the right individuals are in place to enforce adequate policies, practices, and procedures; and (7) guarantee that those individuals will promptly take action after spotting red flags.
LOOKING AHEAD
DFS-regulated entities and international banks with New York branches should heed the case of Nordea Bank as an example of potentially problematic AML and KYC protocols, and consider internal reviews of such policies in order to avoid similar investigations in the future.
Footnotes
1. In the Matter of Nordea Bank Abp, and Nordea Bank Abp New York Branch, New York State Department of Financial Services Consent Order, ¶ 35 (Aug. 27, 2024), https://www.dfs.ny.gov/system/files/documents/2024/08/ea20240827-co-nordea.pdf (last visited Sept. 13, 2024).
2. The Russian Laundromat "laundered an estimated $20 billion from Russian shell companies into banks throughout the European Union and around the world between 2010 and 2014." Id. ¶ 42, n.1.
3. The Azerbaijani Laundromat "laundered over $2 billion between 2012 and 2014 through four UK registered shell companies." Id. ¶ 42, n.2.
4. The Hermitage Capital Allegations involved a 2018 complaint from Hermitage Capital Management to "Nordic authorities . . . that $175 million in illicit funds had flowed through Danske Bank's branch in Estonia, and Ukio Bankas in Lithuania into hundreds of accounts at Nordea." Id. ¶ 42, n.3.
5. Id. ¶¶ 40–58.
6. Id. ¶¶ 62–63.
7. Id. ¶¶ 67–82.
8. Id. ¶¶ 83–93.
9. Id. ¶¶ 94–107.
10. Id. ¶ 123.
11. Id.