The Central Bank of Ireland has fined Danske Bank €1.82m for three breaches of its anti-money laundering and terrorist financing rules in the first such penalty that it has imposed on a financial institution which is incorporated and supervised outside of Ireland, but which operates in Ireland as a branch on a passport basis.

In a statement on 15 September, the Dublin-based banking authority said the Criminal Justice Act breaches stemmed from the failure by Danske Bank A/S (Danske) to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customers of its Irish branch, for a period of almost nine years, between 2010 and 2019.

The root cause of this failure was historic data filters that were applied within Danske's automated transaction monitoring system, first implemented in 2005 and rolled out to the Irish branch in 2006. Danske failed to consider the appropriateness of these historic data filters within the system or make any adjustments to the system to take account of the specific requirements of the CJA when it came into force in Ireland in 2010. 

This led to the erroneous exclusion of certain categories of customers from transaction monitoring, including some customers rated by Danske as high and medium risk, which caused the three breaches of the CJA in this case.

In May 2015, Danske became aware, as a result of an internal audit report, of the inadequacies in its transaction monitoring system and the nature of the risks they posed, yet it failed to notify the Irish branch of these issues and to take adequate action for almost four years. 

It is estimated that between 31 August 2015 and 31 March 2019, 348,321 transactions, equating to approximately one in forty or 2.43% of all transactions processed through the Irish branch were not monitored for money laundering and terrorist financing risk.

The Central Bank determined the appropriate fine to be €2,600,000, which was reduced by 30% to €1,820,000 in accordance with the early settlement discount scheme provided for in the Central Bank's Administrative Sanctions Procedure.

The three breaches comprised of failures by Danske under the CJA relating to:

Transaction Monitoring: Danske failed to ensure that its automated transaction monitoring system monitored the transactions of certain categories of customer for money laundering and terrorist financing risk at its Irish branch for a period of almost nine years.

Enhanced Customer Due Diligence: In failing to conduct automated transaction monitoring in respect of certain categories of customers, Danske's Irish branch did not take into consideration an important part of due diligence i.e. transaction monitoring data, which is necessary to identify and assess money laundering/terrorist financing risks specific to those customers and identify where any consequential additional measures might be required.

Anti-money laundering / Countering the Financing of Terrorism policies, procedures and controls: The policies, procedures and controls put in place by Danske did not operate to identify the erroneous exclusion of certain categories of customers from automated transaction monitoring.

The three breaches have been admitted by Danske, the central bank further said. 

The Central Bank's director of enforcement and anti-money laundering, Sean Cunningham, said: "The importance of transaction monitoring in the global fight against money laundering and terrorist financing cannot be overstated. It is imperative that firms implement robust transaction monitoring controls which are appropriate to the money laundering risks present and the size, activities, and complexity of their business. These controls must be applied to all customers, irrespective of their risk rating, as they enable firms to detect unusual transactions or patterns of transactions and where required apply enhanced customer due diligence to determine whether the transactions are suspicious.

"The Central Bank recognises that while firms may rely on automated solutions for transaction monitoring, they must ensure that systems employed for this purpose are appropriately monitored, and calibrated correctly to take account of the actual money laundering or terrorist financing risk to which the firm is exposed. In this case, the transaction monitoring system used by the Irish branch was a Danske group wide automated system that had applied historic data filters which operated to erroneously exclude certain categories of customers from being monitored for a period of almost nine years. This led to the serious breaches in this case.

"This case highlights the requirement for firms, including those operating in Ireland on a branch basis, to ensure that group systems, controls, policies and procedures are compatible with Irish legal requirements and to ensure that their governance framework and risk management measures operate effectively. These should be risk-based and proportionate, informed by firms' business risk assessment of their money laundering and terrorist financing risk exposure.

He added: "Danske became aware that its automated transaction monitoring system erroneously excluded certain categories of customers in May 2015 but failed to rectify it or notify the Irish branch or the Central Bank of this issue. It was only in October 2018 when the Irish branch identified the issue that steps were taken to rectify it, which were completed in March 2019. However, the Central Bank was not informed of the issue until February 2019. The failures to rectify the issue and to notify the Central Bank promptly are aggravating factors in this case.

"The Central Bank expects firms to bring failures to its attention at the earliest opportunity and to act expediently to address identified errors. The Central Bank will hold firms, including those operating in Ireland on a passporting basis, fully accountable where they fail to take such actions.

"Anti-money laundering and countering the financing of terrorism compliance is, and will remain, a key priority for the Central Bank. This case demonstrates our willingness to pursue enforcement actions and impose sanctions where firms fail in their anti-money laundering/countering the financing of terrorism compliance."