REGULATORY CRACKDOWN HIGHLIGHTS NEED FOR STRONGER KYC & TRANSACTION MONITORING

  • Spencer Schulten and Daniel Outcalt
  • Published: 12 September 2024

 

On August 27, 2024, the New York State Department of Financial Services (NYDFS) announced a consent order against Nordea for significant failures in its anti-money laundering (AML) compliance program. The Helsinki-headquartered bank, which operates in the US through its New York branch, agreed to accept a $35 million fine following an investigation related to the adequacy of transaction monitoring (TM) and Know Your Customer (KYC) procedures during the period 2008 to 2019.

This recent infraction highlights the critical need for every financial institution (FI) to examine its own internal processes related to KYC, TM, and correspondent banking relationships. This requires FIs to initially focus on two key areas.


ENSURE ADEQUATE KYC PROGRAMS 

FIs are required to monitor their customers and their customers’ transactions to ensure there is no facilitation of, or nexus to, criminal activity. As a result, efficient KYC and customer due diligence (CDD) processes serve as key controls in effective compliance programs. 

Enhanced due diligence (EDD) is required for customers posing particularly high risk. Additionally, the Consent Order proposes the concept of ongoing due diligence (ODD), which suggests that FIs have a heightened responsibility to maintain and refresh the customer information of their highest-risk customers on a more frequent basis than the more routine updates (or KYC Refresh) for lower-risk clients.

As a result, once-a-year updates may not be adequate for high-risk customers, and FIs should examine their written processes to ensure that they are adequately assessing and documenting the risks posed by this subset of customers and defining KYC processes for customers subject to ODD. 

This is especially true where an FI maintains correspondent banking relationships (or exchanges SWIFT RMA keys) with other FIs, as the NYDFS appears to suggest that such relationships should be examined to determine if existing control environments mitigate the risks posed.


STRENGTHEN TM PROGRAMS 

FIs are also required to maintain TM programs to detect and investigate patterns of customer behavior that are potentially suspicious and reportable to law enforcement. These TM programs must be routinely updated to ensure they are functioning effectively and calibrated to include detection scenarios presented by correspondent banking and other third-party relationships. 

As a result, FIs should examine the extent of their access to third-party transaction data and the quality of that data as it is used during the TM process. This is especially true for FIs with products/services such as Banking as a Service (BaaS) which rely on third-party data sources for critical AML compliance functions. 

In the case of Nordea, the NYDFS found that several of Nordea’s account and transaction data feeds, including applicable sanctions lists, were not sourced into Nordea’s automated TM system and failed, among other things, to detect and stop payments involving Nordea and a correspondent institution that had been designated by US regulators as an institution of primary money laundering concern.

In 3Q 2016, Nordea and Norway’s DNB [Den Norske Bank] entered into an agreement to consolidate their operations in Estonia, Latvia, and Lithuania to form an independent FI, called Luminor. The arrangement exposed Nordea, through correspondent and other transactional agreements, to significant financial crimes risks – in fact, Nordea compliance teams identified gaps in Luminor’s data, pointed out Luminor’s high-risk customer base and lack of understanding of the basic nature and purpose of Luminor’s customers’ accounts. As a result, Nordea could not apply sanctions or TM protocols to Luminor’s transactions, yet continued its correspondent relationship nonetheless.[1]

Each alleged failure of critical TM and KYC processes at Nordea offers an opportunity for all FIs to review these processes and identify potential areas for improvement in light of growing regulatory expectations for risk-based compliance programs to combat financial crime.


HOW CAPCO CAN HELP 

  • Capco can deliver in both an advisory and a managed services capacity to support clients requiring help with KYC and/or TM alert and case disposition. For example, we can summarize results of investigations in a required narrative format (e.g. disposition) using our SAR Genie AI tool, which saves analyst time per case.
  • Capco has experience with financial institutions of all sizes and risk profiles and can tailor our services accordingly, including scalable resource pools to meet periods of high demand or backlogs of work requiring completion.
  • Our US business has 35+ resources with an average of 12 years’ experience in financial crimes compliance and related risk management. 
  • It also has 15 Certified Anti-Money Laundering Specialists (CAMS).
  • Our team draws from a diverse background of lawyers, ex-regulators, leading risk management professionals, data scientists, and former BSA Officers and CCOs. 
  • Capco’s deep domain expertise coupled with our agile and entrepreneurial approach means we can design bespoke solutions rapidly and effectively using leading technology such as GenAI and our homegrown SAR Genie.

 


References

[1] https://www.dfs.ny.gov/system/files/documents/2024/08/ea20240827-co-nordea.pdf


© Capco 2025, A Wipro Company