Danske Bank has pleaded guilty in the Southern District of New York to conspiracy to commit bank fraud, agreeing to forfeit $2.059 billion to the United States. The SEC has imposed an additional $413 million in penalties. Together, the resolution closes the U.S. chapter of what is widely regarded as the largest money laundering scandal in European banking history.
The facts centre on Danske’s Estonian branch, which from 2008 to 2016 served as a conduit for approximately €200 billion in transactions from non-resident customers — predominantly from Russia and other former Soviet states. The branch, based in Tallinn, operated with minimal oversight from Danske’s Copenhagen headquarters and served a clientele that had little or no legitimate connection to Estonia.
The guilty plea focuses not on the laundering itself — Danske was not accused of knowingly laundering money — but on the bank’s systematic deception of its U.S. correspondent banks. To access the U.S. dollar clearing system, Danske’s Estonian branch relied on correspondent banking relationships with American institutions. In applications and ongoing representations, Danske assured those correspondents that its AML controls met international standards and that non-resident customer risk was appropriately managed. These representations were false.
In reality, the Estonian branch’s AML function was understaffed, under-resourced, and effectively ignored by management. Know-your-customer files were incomplete or fabricated. Suspicious transaction reports were either not filed or filed after extraordinary delays. Internal audits that flagged the branch’s deficiencies were not acted upon. A 2014 whistleblower report by Howard Wilkinson, a former head of the branch’s trading unit, was investigated internally but led to no substantive remediation.
The scale of the flows is difficult to comprehend. €200 billion passed through a single branch of a mid-sized Nordic bank over eight years. Even if only a fraction of that was genuinely illicit — and investigators believe the proportion was substantial — the Estonian branch was one of the most prolific money laundering vehicles ever operated through the Western banking system.
The Danish Special Crime Unit has pursued parallel proceedings. Former CEO Thomas Borgen was charged in Denmark in 2022; his trial is pending. Ten former employees of the Estonian branch have been charged or convicted in Estonia. The branch was closed in 2019.
Lessons from the Baltics
The Danske case is personal for me in the sense that it touches every professional concern I have about how large banks manage financial crime risk in subsidiary operations.
The fundamental failure was not technical. Danske did not lack the tools or the frameworks to detect what was happening in Tallinn. It lacked the institutional will to look. The Estonian branch was enormously profitable — its non-resident business generated revenues vastly disproportionate to the branch’s size. That profitability created a powerful institutional incentive to avoid asking difficult questions.
This is a pattern I have seen repeatedly in my career. When a business line is generating exceptional returns relative to its peers, compliance should be asking why. Disproportionate profitability in banking is often a signal of inadequate risk management — the business is earning returns that properly controlled competitors cannot match, because it is accepting risks that those competitors have chosen to reject.
The correspondent banking dimension is particularly instructive. Danske’s Estonian branch could not have processed €200 billion in dollar-denominated transactions without access to the U.S. clearing system. That access was provided by American banks that relied on Danske’s representations about its AML controls. When those representations turned out to be false, the correspondent banks were unwittingly complicit in facilitating the flows. This is exactly why U.S. regulators have become increasingly aggressive about correspondent banking due diligence — and why they were willing to pursue a criminal fraud theory rather than a straightforward BSA case.
The whistleblower story is also significant. Howard Wilkinson raised the alarm in 2014 — two years before the flows stopped and four years before the scandal became public. His report was reviewed internally and dismissed. In my experience, whistleblower complaints in AML are among the most reliable early warning signals available. They tend to come from people who are close enough to the business to see what is actually happening, but far enough from the decision-making to recognise that it is wrong. Institutions that dismiss these reports are not just failing their employees — they are actively choosing to remain ignorant.
The €200 billion figure will be debated for years. Not all of it was illicit. But the Estonian branch’s customer base — shell companies registered in opaque jurisdictions, with beneficial owners who could not be identified, transacting in patterns inconsistent with any legitimate commercial activity — represented exactly the kind of risk that modern AML frameworks are designed to detect and reject. That it persisted for eight years at a major European bank tells you everything you need to know about the gap between compliance policy and compliance practice.