I. Background
Sweden’s financial supervisory authority (“SFSA”) recently fined Swedbank AB a record 4 billion Swedish kronor (approximately $386 million) for deficiencies in its anti-money laundering (“AML”) processes and controls. See SFSA’s press release. The same day, March 19, 2020, Estonia’s financial supervisory authority issued a “precept” requiring Swedbank to make specific changes to its organizational structure and AML risk practices and reporting requirements. Soon after, on March 23, 2020, Swedbank published an extensive report detailing the results of an internal investigation conducted by Swedbank’s counsel, Clifford Chance LLP (the “Report”).
These regulatory actions came in the wake of media reports that raised questions about Swedbank’s possible involvement in money laundering scandals in the Baltic region, particularly in Estonia. On February 20, 2019, a Swedish public television network program broadcast allegations that 50 of Swedbank’s customers engaged in $5.8 billion worth of transactions in the Baltics between 2007 and 2015 that were indicative of money laundering. On the heels of these press reports, the Swedish and Estonian financial authorities announced investigations into Swedbank, and Swedbank hired Clifford Chance to conduct an investigation into the Swedish television program’s allegations, as well as more broadly into Swedbank’s historical exposure to money laundering risk and potential violations of U.S. sanctions.
The Swedish and Estonian enforcement actions may be only the beginning for Swedbank. The Estonian Prosecutor’s Office and the Latvian Police Department are currently investigating whether money laundering or other criminal acts occurred at the bank. The European Central Bank and the Swedish Economic Crime Authority are also conducting investigations. Further, Swedbank disclosed that it is under investigation by multiple U.S. authorities, which may focus, at least in part, on potential U.S. sanctions violations.
II. Report’s Findings
The Report offers detailed insight into the specific AML and U.S. sanctions deficiencies that led to the enforcement actions against Swedbank. Clifford Chance’s year-long investigation focused primarily on identifying historical deficiencies in Swedbank’s AML compliance systems and controls within its subsidiaries in Estonia, Latvia, and Lithuania (the “Baltic subsidiaries”) from 2007 through 2019, and it also found potential violations of U.S. sanctions. The Report concluded that the Baltic subsidiaries historically “were exposed to substantial money laundering risk” and had processed approximately €37 billion worth of transactions between 2014 and 2019 that Clifford Chance found to be high risk for money laundering. However, the Report did not conclude that Swedbank actually engaged in money laundering or processed customer transactions that constituted proceeds of criminal activity—noting that, among other things, such crimes would require definitive knowledge of a customer’s source of funds, which was not available to Clifford Chance.
The Report reached a number of conclusions with regard to Swedbank’s risk management and AML and sanctions compliance. Among other things, it found:
- Swedbank had “inadequate systems and controls to ensure proper management of the AML and economic sanctions risk of its customer base, which, therefore, historically exposed Swedbank and the Baltic Subsidiaries to significant AML and sanctions risk.”
- The Baltic Subsidiaries did not adequately train their business employees on the importance of following AML policies, including collecting appropriate “know your customer” (“KYC”) information, and did not take adequate steps to ensure existing AML policies were followed.
- Swedbank’s subsidiaries in Estonia and Latvia “actively pursued . . . high risk customers as a business strategy.”
- Swedbank Estonia “approved high risk customers without having complete documentation regarding the ultimate beneficial owners, proof of source of funds or explanation of the legitimate business purpose of the customers, and did not address red flags that arose from the information that was provided.” Further, Swedbank Estonia accepted customers despite knowing that the listed beneficial owners were not the actual beneficial owners and “accepted customer corporate structures knowing they were designed to conceal the true [beneficial owner] from home country tax authorities.”
- Swedbank Estonia “repeatedly overlooked or disregarded indications of potentially suspicious transactions.”
- Swedbank did not adopt systematic automated customer and transactions sanctions screening in the Baltic subsidiaries until 2017, well over a decade after U.S. authorities started to bring highly publicized enforcement actions against non-U.S. banks arising out of failures in sanctions compliance controls, and many years after peer Europe-based institutions had done so. The Report concluded that the Baltic subsidiaries processed 582 transactions totaling $4.8 million that potentially violated U.S. sanctions.
In addition, the Report made a number of observations about employee accountability:
- One of Swedbank’s prior CEOs “failed to focus on AML deficiencies” despite recurring internal reports, as well as a Swedish regulator report, of such deficiencies.
- While the subsequent CEO took “significant steps to de-risk” the high risk customer business in the Baltic subsidiaries, he “did not direct sufficient resources, attention, or urgency to the remediation of the issues identified, did not ensure that information regarding these issues was shared” between relevant control functions or management boards, and did not adequately educate or apprise the Board of Directors of the AML deficiencies.
- Although the Audit Committee and Board were informed of persistent AML and sanctions controls deficiencies, neither was “adequately informed of the degree of legal and reputational risk posed by these deficiencies.” The investigation “found little evidence of any substantive discussion of these issues” at either the Board or Audit Committee meetings. The Board record did not “reflect significant challenge by the Board to management on the AML issues” and the Board “did not act adequately to manage and control the AML risk of which it was made aware.”
The Report also concluded that certain public statements made by Swedbank and its executives concerning Swedbank’s AML compliance and exposure to AML risk “were inaccurate or presented without sufficient context.” In addition, Swedbank “may not have provided adequate context in [its] responses to regulatory requests, may have failed to provide updated information, or may have interpreted a request in an overly technical or narrow manner.”
III. Takeaways
Financial institutions’ compliance personnel would be well-advised to study the Report for lessons as they evaluate their own institutions’ AML compliance programs.
- Beneficial Ownership and High-Risk Customers. The Report makes clear the importance of collecting KYC and beneficial ownership information for high risk customers.[1] As discussed above, the Report emphasizes the dangers of onboarding high risk customers while having either incomplete or inaccurate beneficial ownership information, or while having insufficient controls to mitigate the attendant risk.
- Focus on U.S. Sanctions Compliance for Non-U.S. Companies. The Report demonstrates the importance, including for non-U.S. companies, of having a well-functioning, risk-based U.S. sanctions compliance program that includes effective sanctions screening processes. The Report notes that nearly all the potentially violative transactions at Swedbank occurred before the Baltic Subsidiaries implemented automated sanctions screening. The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) considers well-functioning sanctions screening to be a critical component of an effective sanctions compliance program. In May 2019, OFAC published “A Framework for OFAC Compliance Commitments” (the “Framework”). The Framework provides OFAC’s view of the essential elements of an effective sanctions compliance program, which U.S. government regulators will likely consider when evaluating Swedbank’s sanctions compliance program: (i) management commitment; (ii) risk assessment; (iii) internal controls, including policies and procedures; (iv) testing and auditing; and (v) training. The Framework also discusses root causes of OFAC compliance program deficiencies gleaned from prior OFAC administrative actions. Among others, OFAC highlights: a lack of a formal sanctions compliance program; improper customer due diligence; sanctions screening failures; and processing financial transactions (primarily denominated in U.S. dollars)[2] involving U.S. sanctions targets to or through U.S. financial institutions.
- Global Risk Appetite. In considering whether AML risk is appropriately managed, financial institutions might consider implementing global risk appetite statements if they have not already done so. According to the Report, Swedbank management’s lack of appreciation of AML risk was evidenced by the bank’s failure to adopt a “Group-level AML risk appetite statement until 2017, or to take steps to ensure consistency of risk rating customers across business lines.”
- Consistent Transparency with Regulators. It is notable that the director of the SFSA, in announcing the fine, specifically highlighted that Swedbank employees withheld information when responding to regulators’ requests for information related to Swedbank’s AML controls and procedures. For example, in one response to the SFSA, the bank did not explicitly define “Swedbank” to include its subsidiaries and excluded information about them, even though the SFSA’s request had included subsidiaries. In addition, the Report found emails where employees expressed concern that responses to regulators may be misleading, but the responses remained unchanged. These missteps by Swedbank serve as an important reminder of how critical it is for financial institutions to cooperate fully and proactively with regulators. Losing credibility with regulators can prove very costly and may even result in higher monetary penalties or settlements.
- Boards Must Take an Active Role in AML Compliance. The Report suggests that Swedbank’s Board failed to respond adequately to reported AML and sanctions control deficiencies. Boards and Board committees would be well advised to follow up on AML deficiencies identified by management to ensure the directors fully understand the scope, and to hold management responsible for remediation of known weaknesses. As discussed above, the Report noted that the Swedbank Board record did not indicate significant engagement on AML issues of which the Board was apprised. This suggests that it may be prudent for boards to ensure that board minutes and other written records document their active involvement on AML matters, particularly in ensuring that corrective measures are taken.
- Collateral Consequences. Financial institutions’ AML compliance failings can negatively impact their stock price and can present civil litigation risk. Swedbank’s share price declined by approximately one-third during 2019 after information about its AML problems became public. In addition, in the past several years, shareholder derivative lawsuits have been filed following certain AML enforcement actions. For example, one lawsuit alleged that a financial institution’s disclosures regarding AML controls and compliance were materially false or misleading.[3] In another case, shareholders sued a financial institution’s board and management for breach of fiduciary duty in failing to adopt and implement an adequate compliance program.[4] These and other follow-on consequences, such as the imposition of a compliance monitor, can be costly and disruptive to a financial institution.
[1] In the United States, certain U.S. financial institutions are now required to identify and verify the identity of the beneficial owners of their legal entity customers in accordance with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s “Customer Due Diligence Requirements for Financial Institutions” final rule, which became applicable in May 2018.
[2] The potential U.S. sanctions violations by the Baltic subsidiaries involved U.S. dollar-denominated transactions concerning countries or regions that are targets of comprehensive territorial U.S. sanctions. OFAC presumes that U.S. dollar-denominated transactions clear through U.S. banks. Accordingly, if such transactions involve targets of U.S. sanctions, they may potentially result in a U.S. sanctions violation.
[3] Lieblein v. Ersek, No. 14-cv-00144 (D.C. Colo. Jan. 19, 2014). The Tenth Circuit dismissed this case for failure to plead sufficient facts to excuse lack of pre-suit demand. City of Cambridge Ret. Sys. v. Ersek, 921 F.3d 912 (10th Cir. 2019).
[4] Reiter v. Capital One Fin. Corp., No. 11693-CB (Del. Ch. Nov. 16, 2015). Delaware’s Court of Chancery dismissed this case for failure to plead sufficient facts to show futility of pre-suit demand. Reiter v. Capital One Fin. Corp., 2016 WL 6081823 (Del. Ch. Oct. 18, 2016).