This article was first published in the October 2019 International edition of 
Accounting and Business magazine.

It’s now just over a decade on from when the last global financial crisis hit its most critical stage, and still the question is being asked: where were the accountants? This time, it’s the Danish state prosecutor for financial fraud who’s asking questions about EY’s 2014 external audit of Danske Bank – an institution under fire for enabling what could become Europe’s largest recorded money laundering scandal.

Danske Bank is under investigation in several countries, including the US and UK, for suspicious flows of funds dating back to 2007, when it acquired Finland’s Sampo Bank and turned Sampo’s Estonian subsidiary into a hugely successful Baltic outpost of Danske. That success did not last long. By 2017, a different picture had emerged, with several reports indicating that a multitude of failings at the Estonian subsidiary had allowed €200bn of suspicious transactions to flow through the bank via its portfolio of customers who lived outside the Baltic states.

But as the story unfolds, attention is turning to the institutions designed to prevent such activities – namely the Danish financial regulator and the bank’s auditor. The authorities want to know how the problem was missed (EY has said it ‘reported as required by the then-applicable regulation and will fully cooperate with the state prosecutor’). With hindsight it is certainly hard to see how so many red flags went unnoticed.

Missed flags?

The Estonian unit of the bank posted an astonishing 402% return on investment (ROI) in 2013. Compared with Danske Bank’s personal banking business (8.7% ROI) and the group overall (6.9%), the figure should have set alarm bells ringing. At the start of Danish legal proceedings against Danske late last year, the then Danish business minister Rasmus Jarlov said: ‘The financial ratios were off. A lot of money was made in a tiny Estonian branch, which posted a huge profit margin and quick, large transfers in and out of the branch, which looked off. It’s the sort of thing that I would assume would catch the interest of both management and auditors.’ So why didn’t it?

In the case of Danske, some disagree that the auditor may have been at fault. Brian Adrian Wessel of the FSR (a group that represents, among others, the audit industry in Denmark) points out: ‘An external audit report isn’t an audit of whether laundering has taken place, but an audit of whether the accounts give a truthful account of the facts.’ The question is whether the auditors thought that 402% ROI was a truthful reflection of activity in the non-resident portfolio. It seems they did.

Indeed, many would argue that the responsibility lay first with the bank. Before the acquisition, it had been warned by the Russian central bank about what looked like ‘criminal activity in its pure form, including money laundering’ at Sampo. The bank’s failure to subject customers to ‘politically exposed persons’ checks or screen incoming payments against sanctions or terror lists is hard to understand.

Accountants have clear anti-money laundering (AML) responsibilities. Where they suspect there may be laundering, they must submit a suspicious activity report. They don’t have to worry about proving their suspicion or finding where any dirty money has gone – that is up to law enforcement. Accountants don’t even have to be certain that suspicious activity is going on – they can report on the basis of an inkling. After the scandal broke, it emerged that the Estonian branch had filed reports of suspicious activity by 653 non-resident customers between 2007 and 2015 without ringing alarm bells at Danske or the auditors.

‘Ultimately, bank and auditor are both responsible for identifying and reporting suspicious activity, and the failure of one does not exonerate the other,’ says an ACCA spokesperson. ‘It is crucial that banks and accountants are aware of and understand their responsibilities and how to discharge them.’

ACCA’s spokesperson says accountants are key gatekeepers for the financial system and have a big role to play in preventing and detecting money laundering (see also ‘Scrutiny’s risk ratchet’, page 54). ‘Accountants should be alert to the red flags of money laundering and read the signs,’ he says.

‘However, they first need to know what these signs are and where to find them. Only the right AML training informed by the latest intelligence can equip accountants properly. Historically law enforcement has failed to share crucial intelligence with the accountancy sector, and only now are the first steps being taken in some places to change that.’

Low rates of compliance Whether or not the auditors got it wrong, Danske’s situation indicates a broader problem with AML compliance, particularly in banking. A 2017 Thomson Reuters survey found that only 47% of UK banks had taken action to implement all AML regulation, which is itself becoming more layered and wider in scope. So what does the future hold?

Banks in particular can see they are only a handful of failed checks away from a serious fine or being caught up and implicated in a terrorist incident.

Compliance is not optional. However, these businesses are hugely complex, with thousands of clients, hundreds of thousands of beneficiaries and millions of transactions. Research by Consult Hyperion found that each AML-necessary know-your-customer (KYC) check costs between £10 and £100. Its study also reveals that KYC checks have a high rate of failure due to reliance on manual processing and poor-quality third-party data sources.

There is hope that technology may help banks and their auditors with compliance and testing. The growing adoption of electronic identification across the EU, as well as more powerful tools to comb and connect transactions, means that businesses are swiftly gaining the capability to check on prospective and existing customers.

Charles Blackmore of Audere International, a private intelligence firm, suggests businesses and their accountants take a twin-track approach: ‘They should take advice on reliable emerging technology to screen their customers and initially identify who could be deemed risky. This keeps time and cost to a minimum. If they have suspicions, they need a trained in-house team or external advice to help them decide who they are willing to onboard and who needs a closer look.’ He stresses, though, that technology and advice are only so ‘they can flag it – it’s not their job to investigate whether there is in fact criminal activity’.

ACCA’s spokesperson agrees. ‘It’s not about asking accountants to do additional work hunting for criminal activity when providing services to their clients, but about them understanding their responsibilities and recognising the red flags,‘ he says. ‘Accountants must keep their eyes open and report anything that becomes suspicious or does not make sense. However, without relevant intelligence from law enforcement, red flags will be missed.’

Felicity Hawksley, journalist