Central Bank of Ireland Enforcement Action – Danske Bank reprimanded and fined €1.82m for AML/CFT transaction monitoring failures
September 2022On 13th September 2022, the Central Bank of Ireland (the “Central Bank”) reprimanded and fined Danske Bank A/S, trading in Ireland as Danske Bank, €1,820,000 pursuant to its Administrative Sanctions Procedure for three breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010, as amended (the “CJA 2010”).
This is the first penalty that the Central Bank has imposed on a financial institution which is incorporated and authorised outside of Ireland, but which operates here as a branch on a passport basis.
Breaches
The three breaches arise from the failure by Danske Bank to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch which occurred over a period of almost nine years, between 2010 and 2019.
The three breaches comprised of failures by Danske Bank under the CJA 2010 related to:
- Transaction Monitoring: Danske Bank failed to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customer for money laundering and terrorist financing risk at its Irish branch for a period of almost nine years.
- Enhanced Customer Due Diligence: In failing to conduct automated transaction monitoring in respect of certain categories of customers, Danske Bank’s Irish branch did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures might be required.
- Anti-money laundering / Countering the Financing of Terrorism policies, procedures and controls: The policies, procedures and controls put in place by Danske Bank did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction monitoring.
Background The failure arose from historic data filters that were applied within Danske Bank’s automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske Bank was found to have failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA 2010 when it came into force in Ireland in 2010. This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske Bank as high and medium risk.
Danske Bank became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue.
It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, but the Central Bank said it was not informed of the issue until February 2019. As a result, the failures to rectify the issue and to notify the Central Bank promptly were considered aggravating factors in the case.
Central Bank on Transaction Monitoring The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham said…“It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious.”
In 2020, the Central Bank had highlighted in its
AML Bulletin on Transaction Monitoring the importance of monitoring customer transactions to detect potentially suspicious activity. The Bulletin noted that the CJA 2010 specifies that a designated person must monitor customer transactions in order to identify transactions that may be suspicious in nature, and that the intensity of the monitoring should increase with the complexity and scale of those transactions so that the risk of ML/TF is also factored into the transaction monitoring process.
Therefore, while firms may rely on automated solutions for transaction monitoring, the Danske Bank case reiterates the requirement for firms to ensure it has in place controls, policies and procedures that are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms’ business risk assessment of their ML and TF risk exposure.
Do you have any questions on Transaction Monitoring? Reach out to us at
info@regsol.ie for information on our training courses and consultancy services.
To read the Central Bank Enforcement Action Notice in its entirety you can click on the following link:
Public statement relating to Enforcement Action against Danske Bank A/S (centralbank.ie)