On August 27, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order involving a $35 million settlement with Nordea Bank Abp (“Nordea”) for alleged significant failures related to anti-money laundering (“AML”) compliance. Nordea, headquartered in Helsinki, Finland, operates globally, including through a licensed branch in New York, which has its own AML and transaction monitoring requirements.

The enforcement action, which followed revelations from the Panama Papers leak, found that Nordea allegedly failed to conduct proper due diligence on high-risk correspondent banking relationships and maintained inadequate AML controls.  According to the NYDFS, the Panama Papers implicated Nordea in aiding clients in establishing offshore shell companies in order to facilitate illicit activities.

The consent order alleges that Nordea violated New York law by allowing compliance failures in its AML program and procedures to persist.  Meanwhile, Danish officials recently charged Nordea with repeatedly violating Denmark’s anti-money laundering act between 2012 and 2015, thereby exposing Nordea, potentially, to extremely significant fines.  As we will discuss, although the consent order implicates many different issues, the NYDFS enforcement action represents, in part, the latest chapter in the continued fall-out from the massive AML scandal involving Dankse Bank.  The consent order also highlights, once again, the particular risks posed by correspondent banking relationships, on which we repeatedly have blogged (for example, here, here, and here).

Key Takeaways

The Consent Order reflects that the NYDFS made the following findings:

1. Deficient AML Program: Nordea’s AML program, particularly within its Baltic branches (Latvia, Lithuania, and Estonia) and the International Branch in Denmark, exhibited significant deficiencies. These included insufficient policies and procedures for detecting and reporting suspicious activities, exposing the bank to heightened risks of money laundering.
2. Inadequate Due Diligence: Nordea failed to conduct adequate due diligence on its correspondent banking relationships.  Failure to properly assess the risks associated with the banking parties may have facilitated money laundering.
3. Insufficient Transaction Monitoring: Nordea’s transaction monitoring system was inadequate, further exacerbating the risks associated with its AML compliance failures.
4. High-Risk Transactions: The NYDFS linked Nordea’s Baltic operations to billions of dollars in high-risk transactions. These transactions underscored the vulnerabilities in the bank’s control mechanisms.
5. Prior Regulatory Warnings: Regulatory bodies in Nordic countries previously identified weaknesses in Nordea’s AML compliance programs. Despite these warnings, the bank did not take adequate measures to address the identified issues, allowing the risks to persist.

Challenges in the Baltic Branches

According to NYDFS, Nordea’s Baltic branches faced significant challenges in managing money laundering risks, particularly concerning customers from post-Soviet states with high corruption indices. Despite recognizing these risks, the bank’s efforts to enhance its AML compliance between 2010 and 2017 were insufficient. Audits conducted during this period revealed an overreliance on manual monitoring, inadequate customer identification data, and persistent shortcomings in Customer Due Diligence (“CDD”) and Enhanced Due Diligence (“EDD”) processes. These issues left the bank vulnerable to financial crimes.

Issues at the International Branch at Vesterport

Nordea’s International Branch in Vesterport, Denmark (“VIB”), which primarily served corporate customers with connections to Russia and Eastern Europe, was implicated in numerous money laundering scandals, including the Panama Papers, Russian Laundromat, and Azerbaijani Laundromat. Audits conducted in 2009 and 2013 allegedly identified significant gaps in CDD, EDD, and transaction monitoring processes. These deficiencies, coupled with media scrutiny and increased inquiries from correspondent banks, ultimately led to the branch’s closure in 2014.

Nordea’s Correspondent Banking and RMA Relationships

Nordea maintained extensive correspondent banking relationships and exchanged SWIFT Relationship Management Application (“RMA”) keys with various financial institutions, including Danske Bank, ABLV, and Bank of Cyprus. The NYDFS found that Nordea failed to adequately manage and monitor the risks associated with these relationships.

Danske Bank

Danske Bank, headquartered in Copenhagen, Denmark, had a significant correspondent banking relationship with Nordea, with substantial annual cross-border payment traffic. Despite adverse findings from the Danish Financial Supervisory Authority in 2012 and other issues, Nordea assigned Danske an AML risk class “A” rating in 2013. However, internal reviews in 2016 and 2017 identified significant compliance failures, necessitating a downgrade in Danske’s AML risk rating and increased monitoring.

ABLV

ABLV Bank, based in Latvia, was identified by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) in 2018 as a primary money laundering concern. Despite identifying numerous red flags, Nordea delayed terminating its relationship with ABLV until after FinCEN’s notice. NYDFS determined that this delay exposed Nordea to significant risks and highlighted the need for more timely and effective AML compliance measures.

Bank of Cyprus

The Bank of Cyprus, known for its associations with Russia, allegedly posed substantial money laundering risks. Despite identifying high risks and red flags, NYDFS found that Nordea maintained its relationship with the bank until 2019.  Internal audits and KYC reviews allegedly revealed gaps in Nordea’s due diligence regarding the Bank of Cyprus. In 2015, Nordea’s internal audit revealed deficiencies in KYC procedures, including insufficient Politically Exposed Persons (“PEP”) screening, and lack of site visits at the Bank of Cyprus. The KYC file from that year flagged additional risks, including Cyprus’s status as an offshore financial center and ineffective financial oversight. Notably, the file identified three PEPs on the board of Bank of Cyprus, including a former KGB agent and a close associate of Vladimir Putin.

It was not until 2023 that Nordea had fully exited its association with the Bank of Cyprus, closing all RMAs except those required by prior guarantees.

Transaction Monitoring

In 2008, Nordea implemented an IT-supported transaction monitoring system, fully operational by 2010. Initially, the system included three monitoring scenarios, expanding to six by 2013, but did not cover correspondent banking transactions. The Swedish Financial Supervisory Authority identified these deficiencies in 2015, prompting Nordea to introduce 28 new monitoring scenarios in 2016, specifically for correspondent banking risks.

Despite these enhancements, Nordea Bank Finland faced challenges integrating transaction data into the automated system, leading to the development of semi-automated controls by mid-2018. Additionally, Nordea allegedly failed to prevent transactions involving ABLV due to delays in updating internal sanctions lists, resulting in breaches of internal sanctions standards. Between 2016 and 2018, flagged transactions related to the Bank of Cyprus were not addressed, and the relationship continued until 2019.

NYDFS acknowledged Nordea’s efforts to improve transaction monitoring but noted ongoing significant challenges and areas requiring improvement.

The Consent Order

As part of the settlement, Nordea agreed to several measures to address the deficiencies identified by the NYDFS in addition to the $35 million monetary penalty. These measures include:

1. Strengthening the AML Compliance Program: Nordea committed to enhancing its AML policies, procedures, and controls to better detect and prevent money laundering activities.
2. Enhancing Transaction Monitoring: The bank agreed to upgrade its transaction monitoring system to more effectively identify and report suspicious activities.
3. Rigorous Due Diligence on Correspondent Banking Relationships: Nordea will conduct more thorough due diligence on its correspondent banking partners to ensure compliance with AML standards.
4. Independent Compliance Review: An independent consultant will be appointed to assess Nordea’s compliance with the Consent Order, providing recommendations for further improvements and ensuring the implementation of agreed-upon measures.
5. Regular Progress Reports: Nordea is required to submit periodic progress reports to the NYDFS, detailing the steps taken to comply with the Consent Order and the effectiveness of the measures implemented.

[View source.]