Danske Bank, Estonia – a technical review of the latest leak of data

Following a massive leak of data to Berlingske (the oldest and one of the most respected newspapers published in Denmark) relating to twenty bank accounts which appear to have been used to launder at least $8bn through Danske Bank’s Estonian branch between 2007 and 2015, I was given the opportunity to review six of the account statements, amounting to thousands of pages of account activity, to provide expert analysis on how clear the signs of money laundering were.

Berlingske have kindly given me permission to write a more thorough review of the activity I observed. I’m hoping to publish follow-up articles over the next few weeks.

Berlingske have done a wonderful job in bringing this story to the general public, but I wanted to write a more technical review for the more specialist audience I have here on LinkedIn.

I’m going to avoid naming names or including specific examples because there are still many more stories to come out of this leak but I do want to do a more detailed review of some of the macro elements as I think it will provide greater context as to just how egregious this activity was.

I’m going to focus on one particular account which was opened in the name of a UK Limited Liability Partnership (LLP). The partnership was formed in June 2007 and opened an account with Danske in October the same year. The first two credits into the account arrived on the same day in early November 2007 and amounted to just over €1.5m. A further €1m arrived the following day and, at the same time, four payments totalling €1.5m were remitted to three UK LLPs, one of which received two separate payments totalling €800,000 while the other two received €200,000 and €500,000 respectively. Note that these payments almost exactly match the first day’s credits.

Even more interestingly, two of the three recipient LLPs were also formed earlier in 2007 by the same people as the receiving account and were registered at exactly the same address.

One of the first things you look for as a financial crime investigator is unexpected or unlikely links between either side of a commercial transaction. To find this level of coincidence at the outset of a relationship, between newly formed LLPs, all registered at the same address within six months of each other and all with the same designated members, is stretching credulity to breaking point.

And how many newly formed companies start turning over millions of Euro (or pounds or dollars) on a daily basis? At the outset of trading? With no web presence?

Nevertheless, over the next few days, a further approx €2.5m was received and approx €2.5m was paid out, partly to two of the same LLPs as already mentioned, but a further sum of nearly €2m was paid to a new LLP which was also formed in 2007 by the same people and registered at the same address as the others. The balance on an account which had now, in the space of six days, received €5,009,797.50 in credits and paid out €5,009,000 was €780.22 (the difference is the bank’s commission and fees plus €0.16 interest).

One day in July 2008 the total day’s credits were €8,280,000 and the debits for the same day were €8,266,176.09. Spotted any red flags yet?

Altogether, within the six accounts I evaluated, I found 32 UK LLPs (which I used as a “marker” for suspect activity). Of those 32 LLPs, every one of them had overseas designated members, twenty-two had the same designated members and seventeen were registered to the same address. Overwhelmingly they were formed in either 2006 or 2007 (seven were formed between 2003 and 2005).

The question now becomes “should the bank’s transaction monitoring systems or some form of manual check have alerted the relevant officers of the bank to the suspicious nature of these transactions?”

After all, to find this information out, you first need to conduct the investigation. Back in 2008, would a bank’s systems have been tuned to spot this activity?

I think the answer has to be “yes!”

In a little more than fourteen months, the account in question eventually received nearly $US750,000,000, almost €300,000,000 and some bits and pieces of other currencies (including nearly £1,500,000). I don’t know about you but I would have expected, at any time in the last 10 or 15 years, any bank to have found the passage of over $US1,000,000,000 through the account of an anonymous UK LLP to have been suspicious. And this is just one of the accounts in question (albeit one of the busiest).
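The red flags described above (outflows that mirror recent inflows, and counterparties sharing the account holder's address or designated members) can be written as simple monitoring rules. This is an added example, not code from the article or from any bank's system; the entity names, dates, address and thresholds are constructed placeholders, with amounts loosely following the figures quoted above.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data: names, dates and address are placeholders;
# amounts loosely follow the figures quoted in the article.
HOLDER = {"address": "PLACEHOLDER ADDRESS", "members": frozenset({"M1", "M2"})}
REGISTRY = {  # counterparty -> (registered address, designated members)
    "LLP A": ("PLACEHOLDER ADDRESS", frozenset({"M1", "M2"})),
    "LLP B": ("PLACEHOLDER ADDRESS", frozenset({"M1", "M2"})),
    "LLP C": ("OTHER ADDRESS", frozenset({"M9"})),
}
TXNS = [  # (value date, signed EUR amount, counterparty)
    (date(2007, 11, 5), Decimal("1500000.00"), "REMITTER X"),
    (date(2007, 11, 6), Decimal("1000000.00"), "REMITTER Y"),
    (date(2007, 11, 6), Decimal("-800000.00"), "LLP A"),
    (date(2007, 11, 6), Decimal("-200000.00"), "LLP B"),
    (date(2007, 11, 6), Decimal("-500000.00"), "LLP C"),
    (date(2008, 7, 15), Decimal("8280000.00"), "REMITTER Z"),
    (date(2008, 7, 15), Decimal("-8266176.09"), "LLP A"),
]

def pass_through_days(txns, min_out=Decimal("1000000"), tol=Decimal("0.01")):
    """Days whose debits match that day's or the prior active day's credits."""
    credits, debits = defaultdict(Decimal), defaultdict(Decimal)
    for day, amount, _ in txns:
        (credits if amount > 0 else debits)[day] += abs(amount)
    days = sorted(set(credits) | set(debits))
    hits = []
    for i, day in enumerate(days):
        out = debits.get(day, Decimal(0))
        if out < min_out:
            continue  # ignore small outflows
        inflows = [credits.get(day), credits.get(days[i - 1]) if i else None]
        if any(c and abs(c - out) / c <= tol for c in inflows):
            hits.append(day)
    return hits

def linked_counterparties(holder, registry, txns):
    """Counterparties sharing the holder's address or a designated member."""
    linked = set()
    for _, _, name in txns:
        addr, members = registry.get(name, (None, frozenset()))
        if addr == holder["address"] or members & holder["members"]:
            linked.add(name)
    return sorted(linked)

if __name__ == "__main__":
    print(pass_through_days(TXNS), linked_counterparties(HOLDER, REGISTRY, TXNS))
```

Both rules need only the statement lines and company registry data, which is the point of the question above: neither depends on hindsight from a full investigation.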

Danske is going to publish the results of its internal review in September. It will make for interesting reading.

And before any of us start to feel too smug about Danske’s woes, my strong hunch is that this is nowhere near the last or worst of such examples. The OCCRP was quoted recently as saying that organised crime in Europe generates approx $129bn a year. Compare that to the $8.3bn laundered over five or six years through Danske and you soon start to see that this is just the tip of the iceberg.

There will be a lot of people out there (and some who are reading this article) who are only too painfully aware that similar activity is happening right now through accounts that they are aware of, and concerned that no-one appears to be doing anything about it (or hoping someone else will as they feel unable to take the responsibility themselves).

What I would say to them is this:

Imagine at some point in the future, a multi-billion-dollar laundromat is identified as having been run through your branch. A criminal investigation ensues and you are interviewed under caution. What would you want your response to be?

“I saw it but did nothing?” = failing to report

“I never saw a thing?” = criminal negligence

“I prepared and filed an internal suspicious activity report as I am obliged to do.”
