Skip to content
BY 4.0 license Open Access Published by De Gruyter June 22, 2022

Approaching the Danske Bank Scandal in a “Tragedy of the Commons” Perspective: Implications for Anti-Money Laundering Institutional Design and Regulatory Reforms in Europe

  • Andrea Minto EMAIL logo and Niels Skovmand Rasmussen


Policy- and law-makers worry increasingly about how recent money laundering scandals unfolded. There is widespread confusion, though, about what went wrong – “the failures” – and uncertainty as to how to control and cope with them. This article offers a conceptual framework and legal analysis for examining the underpinning “failures”, what causes them, and how, if at all, those failures interact with each other. In doing so, it disentangles three layers, namely “corporate failure”, “supervisory failure”, and “political failure”. Historically, scholars have tended to think of each of those failures separately. However, we believe that a greater focus should be devoted to whether and how the three failures exhibit interactions and even feed on one another. This holistic perspective reveals that scandals such as the one in Danske Bank might result from a type of “tragedy of the commons” in which each layer – corporate, supervisory, and political – generate significant asymmetries of information between parties and actors, exacerbating the agency problems which pervade financial markets. The article will apply Elinor Ostrom’s IAD (Institutional Analysis and Development) framework as to account for the complexity and interconnection in financial markets. Such framework is used to examine the recent developments in policy- and law-making in European anti-money laundering legislation. Not only does the IAD framework explain how the supervisor failure escalated and spilled over but it also sheds new light on why it happened. Together these insights are critical in a legal policy evaluation as they allow scholars to look pass the mere effects of the supervisory failure and focus diligently on the underlying causes. From a purely methodological perspective, it thus demonstrates the added value of incorporating an institutional analysis in doctrinal legal research.

1. Problem statement and the aim of the study

Governments and international organisations are calling for increased cooperation and regulation in contrasting money laundering practices[1]. Once more and once again, EU financial regulation proves to a greater extent to be scandal-driven following the financial crisis and the publication of the seminal de Larosière report.[2] In the European Union, for example, the European Commission has been triggering the law-making process in response to some recent scandals,[3] exploring how the current institutional set up of gatekeepers, controls, and check and balances could be strengthened.[4] There is, nonetheless, a great deal of confusion about what went wrong and what types of failures should now be managed and (better) regulated.

Some commentators, for example, claim that the shortcomings at the corporate level (e. g. the lack of efficient internal processes) are among the main factors of financial scandals.[5] Some, however, point the finger at the supervisory authorities and at the flaws especially pertaining uncertainties as to “who is responsible for what” in cross-border situations.[6] Others complain about how the political sphere, in this ambit, proved not to be exempted from imperfections.[7] A common factor in the various views is that such scandals have displayed the complexity of financial markets; a complexity that pervades how financial institutions are governed and controlled (corporate layer), a complexity in the way in which financial institutions are supervised (supervisory layer), and a complexity in the way in which the political sphere might be involved (political layer). Those layers have combined to generate significant asymmetries of information between parties and actors, exacerbating the agency problems which pervade financial markets. At the same time, each problem seems to be related to one another in such a way as to impact, in a negative feedback loop, the other layers worsening the overall situation. Indeed, poor corporate governance structures call for ineffective supervisory practices which, in turn, draws on political flaws as well. Besides such negative feedback loop, whereby one failure aggravates the others, the relationship between the different failures is also characterised by a number of common drivers or roots.[8]

As a result, there is a type of “tragedy of the commons”, in which each layer lacks a sufficient incentive to limit any such behaviour that influences and impacts on the failure of another layer, eventually endangering and worsening the very situation of each and every layer. Even though each layer strives to be avoiding the impact of supervisory failures on themselves, they will discount that the failure of other layers might impact them. This model is commonly used to represent and study the trade-offs which economic actors make when deciding whether or not to exploit a common resource in an uncertain environment.

The aim of this article is to approach EU anti-money laundering policies regulation from a novel standpoint of analysis where the corporation, the supervisor, and the politician are “commoners”, and where the common resource to be managed is system resilience. The model will be adapted to the purposes and characteristics of the common resource and the commoners, in particular by accounting for the existence of spillover effects and interconnections between the corporate level, the supervisory level, and the political level. The main contribution lies in examining to what extent the “tragedy of the commons” can contribute in overcoming the current “silo thinking stand” towards failures and rather embrace a holistic and systematic approach in times of regulatory overhaul and reforms.

The remainder of this article is structured as follows: Par. 2 provides a general overview of the features of the “Tragedy of the Commons”. Par. 3 shows the advantages of Elinor Ostrom’s IAD (Institutional Analysis and Development) framework as to account for the complexity and interconnection in financial markets. Par. 4 displays the major shortcomings that came about in the Danske Bank scandal. In doing so, it disentangles the “corporate failure”, the “supervisory failure”, and the “political failure”. Par. 5 moves along to the normative consideration, elaborating on the application of the “Tragedy of the Commons” perspective and analysis. Par. 6 puts forward the concluding remarks.

2. An introduction to the theoretical framework

2.1 The collective action problem in financial law

In his well-known essay on “The Tragedy of the Commons”, Garrett Hardin puts forward a model to illustrate the tension between group and self-interest that characterises social dilemmas.[9] According to this model, self-interest drives over-consumption of the resource – a common pasture, in his example – to the detriment of all.[10] In one of the core portions of his essay, Hardin used a sheepherder allegory in order to examine how a natural resource – to which access is more or less open to all – could end up being exploited and/or managed not in the best way.[11]

Over the last fifty years, the Tragedy of the Commons has been a very useful model for understanding the degradation of many common-pool resources. It has been adopted for both natural resources (for example fossil fuels, atmosphere, and fisheries) and manmade resources (e. g., social welfare, health care, the internet, et cetera).[12] Indeed, the need to preserve certain natural and cultural resources (such as water) justifies property rights granted to government that owns and must protect and maintain these resources for the public’s use[13]. Recent studies have applied such paradigm also to financial markets,[14] to the point of characterising systemic risk as the result of a Tragedy of the Commons in which “market participants lack sufficient incentive, absent regulation, to limit risk-taking in order to reduce the systemic danger to others”.[15]

The “commons” thus could be used to approach questions relating to the governance of the financial system. As maintained by Paul Tucker, “the problem of financial system vulnerability is best framed in terms of a common-resource”.[16] Tucker considers financial stability and system resilience as a common good. In fact, it can be regarded as non-excludable as each economic agent in the marketplace can benefit from it, and no one can be prevented from enjoying it, but – unlike public goods – common goods get overused and can diminish or disappear absent of any regulation.[17] This distinction has a material implication: “For public goods, each actor faces private costs of production that exceed their private benefits of consumption, creating a problem of how to generate or incentivize action. The classic feature of a common-good problem, by contrast, is that each actor’s private benefits in eating the grass exceed their private costs, creating a challenge of how to deter action”.[18]

In an environment of stability, any economic agent can be tempted to engage in free-riding behaviour (e. g. banks may be tempted to take up more risk), exacerbated by moral hazard phenomena. This leads up to a “collective-action problem sourced in striking private incentives”.[19] Each agent – as the argument goes – eats the “system-resilience grass”. What brings about such collective action problem are the interlinkages that characterise financial markets. “Given this network of exposures and dependences, the common-resource — resilience — can be thought of as a property of the fabric of the system. Crises are more likely when the fabric has worn thin. Its resilience relies on the exercise of restraint by the firms. That is to say, restraint “produces” the common good, and a lack of restraint at a later period “consumes” it. Putting state intervention to one side, participants in the market are, through their conduct, either producers or consumers of stability”.[20] The financial system could thus most certainly be seen as a shared resource system that, if managed properly, can result in an efficient and well-functioning financial system. A well-functioning financial system – for the purposes of this study – means therefore a well-managed common resource where the supply of core financial services is maintained and “the degree of resilience desired in the system as a whole given society’s tolerance for crisis and the costs, if any, of making the system more robust”.[21]

How can we best manage a common pasture – that is, public confidence in a viable financial system – avoiding each economic actor standing to profit by adding an additional cow to the commons? How to overcome a system where the “cost” of the cow’s grazing is shared by all (in our case: trust-breaching incidents), whereas the profit from the cow accrues to the villager alone (as the metaphor goes: for the credit institution, who retains customers and grows its business; for the supervisor, who pursues its regulatory objectives; for the policy-maker who develops its own political strategies).

The application of the general tenets of the “tragedy of the commons” seems to provide an original entry point of analysis to account for possible causes of public trust decline that can threaten system resilience. Our working hypothesis is that the common good is reliability that individuals have in a well-functioning financial system. Public trust is deeply imbedded in the EU Single Rulebook understood both as legal texts and a regulatory approach to harmonisation, as many of the preambles to the postcrisis pieces of EU banking law overtly state.[22]

In this way, we strive to characterise the relationship between credit institutions, financial supervisors, and policy-makers as a shared-resource system where there is a risk that each economic actor might deplete or spoil the shared resource[23]. One example could be that the public confidence arising out of good work of a supervisory system might end up being exploited and depleted by failures in the corporation and at the corporate level.

Yet, Hardin’s model overlooked another economics problem that is particularly relevant in issues involving collective goods or external effects: interdependence. For Hardin, the problem resided more in the freedom to use a resource rather than in the characteristics of the resource itself.[24] In fact, Hardin argued that the only way for ensuring sustainability and avoiding the tragedy is simple: stop making resources open to all. Thus, the tragedy of the commons can be useful to describe financial markets as a shared resource system. At the same time, Hardin’s model shows how individuals’ pursuit of their own self-interest might play out, under circumstances that resemble the dynamics of financial markets where the self-interest of market participants proved to be a contributing factor of financial scandals and failures.

Hardin does provide a good framework in understanding the problem but does not offer much in terms of a solution. The next section will make an attempt to move further in the quest to delineate a solution.

2.2 Identifying common roots causes behind the failures: Elinor Ostrom’s IAD (Institutional Analysis and Development) framework

Hardin’s framework is well-suited to frame the problem of the commons. Yet, there seems to be little hope – in Hardin’s eyes – to come around the inefficiencies stemming from the exploitation and depletion of the commons. In fact, despite some provisional improvements available through the adoption of property rights, a common resource seems to be inevitably destined to be a problem with no technical or feasible solution.[25] Aligning to the elegant arguments by the anthropologist Bonnie J. McCay, though, we would like us to “think less of a commons as a necessary tragedy and more in terms of a commons as having great social value if managed correctly.[26] As the arguments go, McCay suggests that the instances of overexploitation of, for instance, natural resources are generally a result of “mismanaged commons” that in turn result in a “tragedy of the commoners” rather than the tragedy of the commons.

Further, Elinor and Vincent Ostrom tagged along and explored this take much deeper. As Vincent Ostrom explained, “individualistic decision-making applied to common-property resources will inexorably result in tragedy unless the structure of decision-making arrangements can be modified to enable persons to act jointly in relation to those resources as a common property. Potential recourse to coercive measures will also be necessary to preclude a hold-out strategy and regulate patterns of use among all users. Unrestricted individualistic decision-making in relation to common-property resources or public goods will lead to the competitive dynamic of a negative-sum game: the greater the individual effort, the worse off people become”.[27]

In particular, Nobel Prize winner Elinor Ostrom dedicated much of her research to demonstrating how commons do not inevitably lead to tragic ruin, as Hardin insisted, but that they can be properly managed. She departs from some of the simplistic views of Hardin’s – namely, that the economic problem of inefficient resource allocation does not come from the interdependence of resources but rather from the tendency of self-interested individuals to engage in free-riding – and puts forward a new conception of commons.[28]

As Elinor Ostrom maintains, “situations characterized by [Hardin’s] assumptions, in which individuals independently make anonymous decisions and primarily focus on their own immediate payoffs, do tend to overharvest open-access resources. Researchers have repeatedly generated a ‘tragedy of the commons’ in experimental laboratories when subjects make independent and anonymous decisions in a common-pool resource setting”.[29] She argues that interactions and interdependencies should be accounted for, and she puts forward a model of rationality whereby individuals establish “core relationships” that can lead to increased net benefits for the commons. Her model identifies “individual attributes” that are particularly relevant in explaining behaviour in social dilemmas. These attributes comprise “i) the expectations individuals have about others’ behaviour: ii) the norms individuals learn from socialization and life’s experiences; and iii) the identities individuals create that project their intentions and norms”.[30] In so doing, she offers a way to diagnose social dilemmas and to understand the commons as a mode of governing access to and use of shared resources.

Hence, Ostrom developed the famous Institutional Analysis and Development Framework (IAD), in order to analyse complex systems that could be disentangled into clusters of variables.[31] Those clusters of variables aid explaining outcomes by examining the governance structures, the actors’ positions, and the informal and formal rules devised for individuals to extract resources from the commons’ resource. The three clusters are “exogenous variables”, “action arena”, and “outcomes/patterns of interactions”.

The exogenous variables encompass all aspects of the social, cultural, institutional, and physical environment that set the context within which an action situation is situated.[32] The exogenous variables affect actors and action situations, which “generate patterns of interactions and outcomes that are evaluated by participants in the action situation and feedback on both the external variables and the action situations and the actors”.[33]

More specifically, “biophysical conditions” relate to the nature of the good we are confronted with (one out of four types of goods: private goods, public goods, common goods, and toll goods).[34] In addition, we will be considering time as “biophysical conditions”. This in fact allows to elaborate on “when” events and processes that have given rise to present-day conditions came about;[35] “attributes of a community” refers to prior interactions, internal homogeneity or heterogeneity of key attributes, and the knowledge and social capital of those who may participate or be affected by others; “rules-in-use” specifies the framework that provides who must, must not, or may take which actions affecting others subject to sanctions.[36] The set of external variables impacts an action situation to generate patterns of interactions and outcomes that are evaluated by participants in the action situation and feedback on both the external variables and the action situation.

The IAD has been designed as follows:[37]

            Basic components of the IAD framework. Source: Ostrom (2010, 646).

Basic components of the IAD framework. Source: Ostrom (2010, 646).

The Hardin’s model of the tragedy of the commons makes assumptions about the biophysical characteristics (system resilience is depletable), attributes of the community (independent, self-interested rational actors), and rules-in-use (every economic actor for themselves).[38] Viewed through the IAD lens, things change materially since system resilience is considered to be replenishable; attributes of the community turn into an interactive setting where cooperation and coordination are feasible, and members are interrelated; the rules are a multi-level and cross-sectional set of norms among actors. This enlightens the usefulness of the concept of how a commons can function for the governance of shared resources: the structure of the IAD, with actors in positions, entering into social interactions with their own strategies (as well as ethics, ideas, and information), and operating under sets of rules that structure social interactions.[39]

Departing from Hardin’s and landing on Ostrom’s commons entails quite a shift in the analytical approach. In fact, Hardin would have been approached credit institutions, financial supervisors, and policy-makers by investigating their self-interests, and how their free-riding behaviour could conflict with, and exhaust, the common good (system resilience).

Before moving any further with the application of the tenets of such model, we need to display the major problems that emerged in the recent Danske Bank case first. We will do that in the following chapter, where we will strive to disentangle the “corporate”, “supervisory”, and “political” failure behind the scandal.

3. A case study on the Danske Bank money laundering case

The present section applies the IAD framework developed by Elinor Ostrom to the case of large-scale money laundering in Danske Bank. This section explores three action arenas that each form an integral part of the overall supervisory failure. This includes the following arenas:

  1. The fit and proper test of the management of Danske Bank by the Danish CA;

  2. The supervisory cooperation between the Danish and Estonian CAs; and

  3. The conflict of interest in EBA’s Board of Supervisors.

Clearly, these action arenas represent different action situations with a unique composition of participants. A key question is, however, if they also have their own set of exogenous variables (i.e. biophysical conditions, attributes of a community and rules-in-use) or it is possible to identify an overlap among them. In the latter event, it points towards more than an incidental or isolated supervisory failure in the Danske Bank case. Instead, the case should be approached as a systemic issue in the Union’s capacity to prevent money laundering that warrants legislative reform. Hereby the IAD framework not only explains how the supervisor failure escalated or spilled over (from one arena to another) but also shed new light on why it happened. Together these insights are critical in a legal policy evaluation as they allow scholars to look pass the mere effects of the supervisory failure and focus diligently on the underlying causes. From a purely methodological perspective, it thus demonstrates the added value of incorporating an institutional analysis in doctrinal legal research.

3.1. The fit and proper test of the management of Danske Bank

The first part of our tale begins with Danske Bank’s acquisition of Finnish-based Sampo Bank in November 2006. Hereby, the credit institution also gained control over a small Estonian subsidiary (later transformed into a branch) that had a portfolio of non-resident customers; mainly from Russia and other former Soviet states. At the time of the acquisition, the number of non-resident customers was around 3.500 natural and legal persons and went up to around 3.900 at the end of 2012 before the portfolio was finally terminated by the end of 2015. Yet, in the same period, the transaction flow of the non-resident portfolio was estimated to more than €200bn. The portfolio was managed by a separate group of employees in the secretive International Banking Department, and the services provided consisted of deposits, payments, and other transactions in various currencies and foreign exchange lines as well as bond and securities trading. Due to low credit risks, the department was able to maintain a high earning and only allocate a small amount of capital which made the non-resident customers a profitable business area.[40] To address the increased AML/CTF risks associated with non-resident customers,[41] credit institutions are expected to perform enhanced customer due diligence in accordance with the third Anti-Money Laundering Directive (AMLD III) applicable at the time.[42] A key question is, however, to what extent the management of Danske Bank was aware of these risks, and whether the Danish CA responded in a timely and proportionate manner?

3.1.1 The AML/CTF warnings and the corrective actions taken by Danske Bank

In the period between 2007 and 2015, several warnings, from the inside as well as the outside of the organisation, highlighted the compliance risks of the non-resident customers in Danske Bank. The first type of warning came from the Danish and Estonian CAs responsible for the home and host supervision of Danske Bank. Already in June 2007, the Danish CA forwarded a letter from the Russian Central Bank concerning various criminal activity including money laundering. At its meeting on 7 August 2007, both the executive board and board of directors of Danske Bank were informed about the existence of this letter. In the reply of the bank, Group Legal and Group Compliance & AML made a reference to a recent inspection report from the Estonian CA. The report was written in Estonian, and the branch only sent an English translation of the summary to Danske Bank’s Group Compliance & AML in Copenhagen.[43] The critical conclusions of the latter report were restated in an erroneous way, and the reply was not shared with the senior management afterwards.[44] It therefore appears that key information was not escalated to the management level inside the organisation nor shared between the national CAs outside the organisation which delayed a proper response.[46] The second type of warning came in June 2013 where a member of the executive board was contacted by one of the correspondent banks, JP Morgan, wanting to terminate the business relationship on grounds of AML/CTF risks. The question was brought up on a Business Banking Performance Review meeting and led to an investigation of the non-resident portfolio at the initiative of members of the executive board. At a meeting on 23 October 2013, the Head of the International Business noted that the Estonian branch’s non-resident portfolio was bigger than that of its rivals and needed to be reviewed and potentially reduced. However, the CEO emphasized the need for a middle ground and wanted to discuss this further outside that forum. Considering that an accelerated termination of the Baltic activities would reduce sales value in case of a divestment,[47] it indicates that the senior management may have prioritised profitability over compliance.[48] The third type of warning consisted of a series of whistle-blower reports made by Howard Wilkinson, a former head of trading for Danske Bank in the Baltic. According to Danske Bank, it was now realized at group level that the AML procedures in the Estonian branch had been manifestly insufficient and inadequate.[49] Yet, the corrective actions taken by the members of the executive board, Chief Audit Executive and Head of Group Compliance & AML had a very limited scope.[50] It therefore appears that the management of Danske Bank would continue to underestimate the severity of the problems and mistakenly believe that the situation had come under control.[51]

3.1.2 The supervisory response of the Danish CA

On 3 May 2018, following an intense dialogue with Danske Bank, the Danish CA published its first supervisory decision in response to the money laundering scandal. It included no less than eight orders and eight reprimands to the credit institution. Nevertheless, the authority did not find sufficient grounds for bringing actions under the fit and proper rules which sparked public criticism.[52] It is therefore worth exploring whether this critique was justified in relation to key function holders and members of the senior management of Danske Bank.

Already in June 2013, the Joint Board of Appeal decided in SV Capital OÜ v. EBA that the suitability of key function holders does not fall outside the third Capital Requirements Directive (CRD III) and lie solely within the ambit of national law.[53] To reach this conclusion, the Board relied heavily on a set of EBA guidelines on the assessment of the suitability of members of the management body and key function holders from November 2012. These guidelines provide that they are deliberately broader in scope than Article 11 (sufficiently good repute and experience) and extent to key function holders based on Article 22 (robust governance arrangements) of CRD III. Even though EBA argued that Article 11 was a complete statement of the law, the Board found that Article 22 was wide enough to cover the suitability of key function holders.[54] Yet, under the guidelines the assessment of key function holders was discretionary on part of the CAs unlike the credit institutions.[55] It is therefore unclear whether the guidelines constitutes the EBA’s interpretation of the binding obligations in Article 22 of CRD III or in fact set a higher standard than the said Directive,[56] as suggested in the public consultation.[57] In the compliance table from February 2013, the Danish CA confirmed that it complies or intends to comply with the guidelines.[58] As part of the Danish transposition of CRD III, the personal scope of the fit and proper requirements has gradually been expanded over time. Yet, it was not before January 2017 that key function holders of systemically important financial institution, such as Danske Bank, were made subject to fit and proper rules.[59] This long delay may, at least to some extent, be explained by the ambiguous nature of the guidelines which led to an inconsistent interpretation of the provisions in CRD III at the national level.[60]

In contrast, under Danish law, the senior management has been subject to fit and proper rules since February 2005.[61] In section 64(1)(6) of the Danish Financial Business Act, it is provided that the senior management shall not have engaged in any conduct which may give reason to believe that the person in question will not adequately perform his or her duties or hold such office.[62] To address new market developments, the preparatory works guiding the interpretation of this provision has been changed over time. Following the financial crisis of 2008-2009, it was provided that emphasis should be on maintaining confidence in the financial sector in the event of a bank failure.[63] In response to AML scandals in the EU, it was further added in 2018 that violations of AML/CTF standards is also a relevant criterion in the assessment of suitability.[64] Yet, already three years earlier, the Danish CA ordered a company to dismiss its CEO on AML/CTF grounds under the fit and proper rules. In this case, the Danish CA conducted a supervisory visit of a smaller financial company and concluded that AML/CTF measures were not established nor prioritised in the executive management for a longer period of time and despite several reprimands from the supervisory authority. As these violations together constituted a very serious managerial failure, the Danish CA eventually ordered the company to dismiss the CEO.[65] Going back to Danske Bank, the Danish CA found no less than eleven breaches of the organisational requirements in the statutory act transposing Article 74(1) CRD IV together with the obligation of the senior management to provide adequate information to the supervisory authority and perform its responsibilities to a sufficient extent.[66] As these deficiencies most likely constitute “very serious managerial failure”, it is surprising that the Danish CA did not find sufficient grounds for bringing actions under the fit and proper rules in May 2018, more than four months before the chairman of the management board and the CEO decided to step down voluntarily due to pressure from the shareholders.[67] The Danish CA has partly admitted that it was overly trusting of the information received from Danske Bank as part of the ongoing supervision. This may have weakened the position of the Danish CA when it several years later had to take supervisory actions. Some evidence also suggests that this underenforcement may be explained by reputational or litigation risks when applying its prudential powers to AML/CTF cases.[68] Yet, those concerns do appear less justified following the adoption of CRD V in June 2019[69] and a recent decision from the Danish Supreme Court delivered in January 2020.[70]

3.2. The supervisory cooperation between the Danish and Estonian CAs

The second part of our the tale concerns the supervisory cooperation between the Danish and Estonian CAs governed by the familiar home state control principle.[71] This principle is based on the premise that the home state, in being in the best position to assess prudential and conduct risks, should also be responsible for the latter.[72] Hereby, the principle not only addresses the problem of double regulation for the market participants but also promote regulatory competition among their supervisors.[73] To function effectively, the home state control principle relies on trust between Member States, and it has therefore been supported by essential harmonisation where barriers to trade are justified.[74] In this way, the home state control principle goes one step further than its judicial counterpart, mutual recognition, by allocating to the home state the competence and responsibility to regulate cross-border activities carried out by service providers established on its territory.[75] Yet, as demonstrated by the Danske Bank case, the lack of trust between national CAs is detrimental to effective cross-border supervision in the area of financial services.

3.2.1 The disagreement between the Danish and Estonian CA

In the aftermath of the regulatory failures in Danske Bank, an inter-institutional conflict (or blame game) arose between the Danish and Estonian CAs. In response to numerous inquiries from national media, the CAs made a joint statement in May 2018, expressing their shared understanding of the supervisory responsibilities.[76] This political agreement only lasted to January 2019 where the Danish CA published its final report on the supervision of Danske Bank. Here the events were unilaterally referred to as “the Estonia case”, and it was concluded that AML/CTF supervision of a branch is the sole responsibility of the host supervisor.[77] Merely two days later, the Estonian CA published a highly critical response arguing that there is a shared responsibility for AML supervision between the home and host supervisor.[78] This disagreement on the proper interpretation of AMLD III has most likely complicated AML/CTF supervision in practice.[79] By way of example, it is disputed whether the Danish CA failed to respond to an invitation from the Estonian CA to take part in a follow-up inspection of the Estonian branch in 2014. On 20 February 2019, the Danish CA took an unconventional step by publishing two letters from the historical correspondence with the Estonian CA.[80] In a press release published later on the same day, the Estonian CA found that the unilateral disclosure was misleading and instead invited the Danish CA to make a full disclosure of all letters, on-site reports, and administrative acts.[81] All of these statements came in quick succession which may have provoked further escalation. For instance, due to the language barrier, the national CAs would have to rely on the English summary, in case the full statement was not translated in time. Some evidence suggest that this was not always the case.[82]

3.2.2 The supervisory college of Danske Bank

The term supervisory college generally refers to a multilateral working groups of relevant supervisors that are formed for the collective purpose of enhancing effective consolidated supervision of an international banking group on an ongoing basis.[83] To support cross-border supervision of Danske Bank group, the Danish CA established a supervisory college at the start of 2009 before it was even mandated by EU law.[84] The college was based on a “Multilateral Cooperation and Coordination Agreement”, more commonly referred to as a Memorandum of Understanding (MOU),[85] which focused mainly on capital and liquidity requirements. Yet, the risk evaluation of the college did contain detailed descriptions of the AML/CTF standards of the Estonian branch in the period 2013-2018.[86] The objective of the college was to facilitate the exchange of information, coordinate supervisory reviews, and conduct risk assessments on group level as well as solo levels.[87] It is therefore clear that the agreement takes a holistic approach to cross-border banking supervision in line with the position of the Estonian CA, see above. However, the agreement is based on a bottom-up approach and does not lay down any specific obligations on the national CAs to conduct joint on-site examinations of a foreign branch.[88] The same is true for CEBS guidelines and the EU legal acts on which the agreement was based.[89] It is therefore not surprising that the Review Panel of CEBS concluded in October 2010 that: “Although competent authorities have made considerable strides in implementing the mechanisms that support an effective college, it cannot yet be said that the competent authorities supervise cross-border banks in a collegial fashion.”[90] This leaves us with the question whether the Danish or Estonian CA was responsible for supervising the Estonian branch under EU law?

3.2.3 The distribution of supervisory responsibilities in AMLD

The public disagreement between the Danish and Estonian CAs relates to the period before AMLD IV came into force. It is therefore necessary to examine how the responsibilities between the home and host supervisor were distributed in the earlier generations of said Directive. According to the recital of AMLD II, the authorities of the Member States in which the branch is located should receive suspicious transaction reports and ensure that the Directive is complied with (our emphasis).[91] It therefore appears that the EU legislator favours the principle of host supervision both for FIUs and national CAs which is in line with the territorial approach of AMLD III.[92] The problem is, however, that the responsibilities of national CAs have not been stated expressly in the body of the Directives.[93] By way of contrast, AMLD IV includes detailed provisions on supervision of group-wide AML/CFT policies and procedures as well as local AML/CFT rules in the branch.[94] It may therefore be questioned whether the EU legislator has in fact departed from the Court’s principle of mutual recognition in a clear and unambiguous manner.[95] If not, a host Member State may in accordance with Article 5 of AMLD III supervise foreign service-provider and take enforcement actions provided that the restrictions are duly justified by the general good exceptions; such as investor confidence in national financial markets.[96] This condition is most likely to be fulfilled in case of a specific and well-founded suspicion of large-scale money laundering in a foreign branch.[97]

3.2.4 The binding mediation mechanism in the funding Regulation

As a last resort, national CAs may request EBA to assist them in settling their disagreements in cross-border situations. This procedure covers disagreements on “the procedure or content of an action or inaction of a competent authority of another Member State”.[98] According to legal scholarship, this includes situations where supervisors meet in supervisory colleges and are expected to take decisions in common understanding.[99] It is therefore clear that the disagreement between the Danish and Estonian CAs clearly falls within the substantive scope of binding mediation. However, each stage of this procedure is made subject to different conditions and limitations: Firstly, the procedure only applies to cases specified in the acts referred to in Article 1(2) of EBA’s founding Regulation. Even though AMLD III is covered by the latter provision, the text of the Directive makes no references to binding mediation. Secondly, EBA may only act on its own initiative if the disagreement can be determined on the basis of objective criteria. This condition is likely to be fulfilled in case the national CAs concerned are obliged to adopt a common decision within a specified time frame.[100] However, the same is not true if the distribution of supervisory responsibilities are unclear, and there are no shared understanding of the factual circumstances. Thirdly, EBA cannot adopt an individual decision addressed to financial institution unless the EU legal acts in question have been attributed direct effect.[101] Yet, in the area of AML/CTF, the preferred legal instrument by the Commission has been minimum Directives rather than fully harmonised Regulations. As a result, EBA would not have the necessary powers to circumvent the national CAs in the case at hand. The fact that only a few national CAs have recourse to binding mediation may therefore not only be explained by an unwillingness to escalate disputes from the national level[102] but also the vast number of conditions and limitations in the founding Regulation.[103]

3.3. The conflict of interest in EBA’s Board of Supervisors

The third and final part of our tale relates to the breach of Union law procedure enshrined in Article 17 of EBA’s founding Regulation. According to the Joint Board of Appeal, this procedure is “central to deliver the results that justify the establishment of the European System of Financial Supervision.[104] These results include the orderly functioning of financial markets, the stability of the financial system, and neutral conditions of competition for financial institutions.[105] To ensure a proportionate regulatory response, the procedure consists of several interlocking stages.[106] As part of the first stages, the Board of Supervisors is expected to adopt a draft recommendation setting out the necessary actions to comply with EU law.[107] However, the Board is composed of the heads of the national CAs as voting members, and the procedure is therefore considered to have an uneasy fit within EBA’s hybrid governance structure.[108] This misalignment of interest may cause paralysis in the main decision-making body of the ESAs,[109] as witnessed in the Danske Bank case.

3.3.1 The procedure leading to the decision of EBA’s Board of Supervisors

At the time of the public disagreement between the Danish and Estonian CAs, a strong political pressure was building up on EBA to investigate the cross-border case among others.[110] On 12 September 2018, a group of MEPs from the political group The Greens/European Free Alliance sent a public letter to the former Chairperson of EBA, Andrea Enria, requesting him to open a breach of Union law investigation of the national CAs.[111] Only seven days later following Danske Bank’s own investigation report, a similar request was made by the Commission for EBA “to make full use of its powers to investigate”.[112] On 18 February 2019, EBA informed the European Commission that it had decided to open a Breach of Union Law Investigation of both the Danish and Estonian CAs.[113] The investigation covered the period 2007-2014 and identified in total four breaches of EU law; including significant shortcomings in cooperation between the national authorities.[114] However, draft recommendation of the Breach of Union Law Panel was later rejected by the members of the Board of Supervisor meeting in Paris on 16–17 April 2019. It demonstrated how peer-pressure among the heads of the national CAs was not a viable strategy when confronted with a politically salient issue. As a result of this, EBA was forced to close the investigation,[115] which made the Danish CA conclude – in a rather misleading press statement – that “the draft by the EBA Secretariat has not documented a breach of Union law”.[116] This decision by the Board of Supervisors gave rise to a strong political criticism and from both the European Commission and members of the European Parliament calling for a wider reform of the decision-making procedures in EBA.[117] The key question is, however, whether the draft recommendations was rejected on legal or political grounds by the members of the Board of Supervisors?

3.3.2 The legal and political rational of the decision

In the internal discussion among the heads of the national CAs it is possible to distinguish between two lines of arguments: The first line of arguments relates to the scope and conditions of the breach of Union law procedure. For instance, the alleged breaches of Union law dated back to the time before EBA was established on 1 January 2011. Here it may be argued that EBA is the legal successor of CEBS and therefore naturally takes over all existing and ongoing tasks from the former 3L3 committee.[118] Another example is that the breach of Union law procedure is not an appropriate tool to address a historic breach of Union law. The wording of EBA’s founding Regulation does suggest that the breach of Union law procedure is only targeted ongoing supervisory failings by national CAs.[119] A similar understanding is expressed in EBA’s annual report where “(t)he principal consequence of an investigation that finds a breach is that the EBA addresses a recommendation to the competent authority with the aim of correcting the breach”.[120] However, by relying on this procedure, as a subtle alternative to the infringement proceeding in Article 258 TFEU,[121] the Commission may draw on the technical expertise, independence, and resources of EBA under the investigation.[122] Based on the interpretative principle of effet utile,[123] it may therefore be argued that the procedure should also apply to historic breaches of Union law insofar that it does not infringe the rights of the defense.[124] One problem is here that the Breach of Union Law Panel only has two months in total to conduct its investigation, prepare the draft recommendation, and hear the views of the national CA concerned.[125] Considering that a short time frame makes it more difficult for the national CA to refute the panel’s arguments, it may be questioned whether the weak procedural standing is justified in the event of a historic breach of EU law?

The second line of arguments has a political nature as it concerns the institutional role of the Board of Supervisors. According to several members of the Board of Supervisors, “EBA should focus more on strengthening supervisory practices rather than investigating past failures of institutions and their supervisors”.[126] This intergovernmental view is at odds with the mandate provided by the European legislator in the founding Regulation[127] as well as the opinion of Advocate General Jääskinen holding that the ESA’s are granted a clear hierarchical authority over their national counterparts.[128] A related issue is whether the heads of the Danish and Estonian CAs were allowed to intervene in the meeting of Board of Supervisors? According to the draft minutes, the two supervisory authorities not only summarized their initial actions but also expressed their views on EBA’s investigation and criticized the use of the breach of Union law procedure before taken part in the vote on the draft recommendation.[129] In the founding Regulation, it is provided that the CA alleged to have breached Union law is not allowed to take part in the independent panel that proposes the draft recommendation.[130] Yet, the same standard does not apply to the subsequent discussion, and voting in the Board of Supervisors as EBA’s Conflict of Interest Policy only covers private interests and not institutional affiliations within the EFSF.[131] On this basis, it may be questioned whether the decision adopting the rules of procedures is consistent with the obligation to act independently and objectively in the sole interest of the Union as a whole set out in the founding Regulation.[132] In any event, the breach of Union law procedure is bound to lose credibility when representatives of the national CAs under investigation help to decide their own case.

3.4. Main findings of the Danske Bank case

The previous sections have explored the legal and factual context of the Danske Bank case. The question is now if (or how) the IAD framework developed by Elinor Ostrom could help to identify and explain the root causes of the supervisory failure. Here it is worth highlighting three main observations in relation to the Danske Bank case:

Firstly, cross-border supervision in Europe spans across several action arenas which inevitably increases the need for mutual coordination and information exchanges. In the Danske Bank case, this included supervision by the Danish CA of Danske Bank, the supervisory college of Danske Bank and finally the Board of Supervisors of EBA. Even though these action arenas have their own set of exogenous variables, it is possible to identify an overlap among them, as illustrated in the table below:

Action arena Biophysical/material conditions (time) Attributes of the community (trust, culture) Rules in use (nature, scope, and content)
The Danish CA’s fit and proper test of the management of Danske Bank The failed attempts to acquire accurate information from Danske Bank have likely weakened the position of the Danish CA when it several years later had to take supervisory actions. The Danish CA was overly trusting with the information from Danske Bank that appear to have prioritised profitability over compliance. The weak link between prudential and AML/CTF Regulations together with the ambiguous nature of the suitability guidelines led to national inconsistencies and under-enforcement.
The supervisory cooperation between the Danish and Estonian CAs The disagreement between the Danish and Estonian CAs took place before AMLD IV came into force where the responsibilities of national CAs was not stated expressly in the body of the Directives. The trust between the Danish and Estonian CAs was broken after the publication of the report on Danske Bank. At the same time, CEBS concluded that supervisory colleges did not work in a collegial fashion. The fact that only a few national CAs have recourse to binding mediation may be explained by the vast number of conditions and limitations in the founding Regulation.
The role of the Board of Supervisors in the European Banking Authority It may be questioned whether the weak procedural standing of national CAs is justified in the event of a historic breach of EU law. The decision not to adopt the draft recommendation demonstrated that peer-pressure was not a viable strategy and gave rise to a strong political criticism. The conflict of interest policy was inconsistent with the obligation to act independently and objectively in the sole interest of the Union as a whole.

Unfortunately, this also means that those failures are not incidental but rather represent systemic issues in the Union’s capacity to prevent money laundering that warrants legislative reform. A similar conclusion is reached by the Commission in its post-mortem report.[133] Yet, it may be questioned whether fundamental issues related to trust and culture are only present in AML/CTF or they expand to other areas as well. Before answering this question, it is worth recalling that poor supervisory co-ordination, cooperation and information-sharing have all been identified as historic weaknesses in the EU banking and securities markets regulation.[134]

Secondly, the systemic nature of the supervisory failure has allowed self-interest motivated behaviour to spill over from one action arena to another: a) In order to manage reputational and litigation risks the Danish CA decided not to bring actions under the fit and proper rules that address excessive and imprudent risk-taking in the financial sector,[135] b) At the outset the Danish and Estonian CAs favoured political blame-games over mutual learning in order to improve cross-border supervision in Europe, and c) The head of the Danish and Estonian CAs helped decide the outcome of their own BUL-investigation which damaged the organizational credibility of the ESAs. In other words, we find the same tension between the group and self-interest in each of those action arenas. It is interesting to note that EU financial law originally was considered less scandal-driven compared to national law due to the fact that the Commission is more detached from immediate electoral concerns.[136] However, by integrating the national CAs into the European supervisory framework, it appears to have created a path for supervisory failures and call for reforms to reach the supranational level unhindered. It inevitably brings into question the future role of the national CAs in the supervisory framework: How can they continue to inform supranational decision-making through their knowledge of local markets without undermining the broader European interest? This question already became a source of deep institutional divide in the latest reform of ESFS from December 2019.[137]

Thirdly, these spill-over effects aggravate the negative impact of the supervisory failures on the resilience of the financial system. What emerged as a technocratic case on AML supervision of a credit institution in a couple of smaller Member States ended up as political salient issue on the design of the EU supervisory framework.[138] This development has led to a greater politicization of the EBA which inevitably harms its ability to develop technocratic and objective solutions.[139] Perhaps even more troublesome it may also negatively affect the future development of the EFSF in terms of powers and budget. A clear example of this trend is the interinstitutional negotiations on whether to transfer responsibilities for AML/CTF away from EBA and grant it to a new, dedicated body. Here the European Parliament has expressed ‘its deep concern regarding the EBA’s ability to carry out an independent assessment owing to its governance structure’.[140] However, transferring AML/CTF supervision to a new authority does not fix the governance arrangements of the ESAs. It is therefore more than likely that a new conflict of interest will arise in another high-sensitive area. In addition, it may also weaken the functional link between AML/CTF and prudential supervision at the European level. By way of contrast, both types of supervision are usually carried out by the same authority in the Member States.[141]

4. How should the resilience of the EU financial system be strengthened?

The Danske Bank’s scandal with its different layers can be thought of as a collective-action problem involving different action arenas eroding the system resilience that they themselves depend upon. In this section of our study, we intend to approach such a problem by using the “commons” literature insights, which, as we all know, are particularly suitable for the analysis of economic governance, especially relating to the effective management of collective action problem. Since many of the characterising features of the Danske Bank case deal with interconnections and spill-over effects, we will align the main tenets of the theory of the Commons to recent literature and adapt it to the purposes of our analysis.

In a recent speech delivered at the Boston Federal Reserve Bank Conference, Paul Tucker warned that “we need to step back and think about financial stability as a common-resource problem afflicted by hidden actions”.[142] For the Harvard Kennedy School Professor, this entails to account for the articulation of the different threats to financial stability in the quest to find a standard of resilience that can be applied consistently across different parts of the financial system. “The problem of the ‘stability commons’ is that anybody who could deplete the [financial] system’s resilience needs to be within the broad scope of the regime for stability”.[143] The regime for stability is thus so broad as to overcome any silo-thinking or sectorial labelling, especially since “money laundering risks occur both within and outside the financial sector”.[144]

Hardin’s traditional model posits on the opportunity of using private mechanisms for the governance of the commons. In practice, however, private mechanisms and (unfettered) self-regulation proved to be far from effective in achieving resiliency and ultimately guaranteeing confidence in the financial system.[145] The existence of sheer incentives for circumvention – combined with techniques for risk concealment – outweighed the capacity of private action, let alone, to secure financial resilience. This prompted the government to be the most viable response. Much as they can preserve public grazing lands or air quality by restricting or taxing behaviour that degrades these resources, regulators and supervisors should be guarding financial stability and public confidence against free-riding. Yet, financial complexity and market interconnection create an additional challenge. In the same way that preserving the integrity of ocean fishing necessitates international cooperation, securing financial resilience requires corporations, supervisors, and policy-makers to orderly coordinate to limit circumvention outside their own action arena. That is, in other words, making sure to deploy a mechanism to guard against a much more complex and correlated version of free-riding.

By way of contrast, the IAD framework provides a holistic approach to the supervisory failures: it explores the failures behind each of the three layers/action arenas and how they might be connected with one another. By following the steps in the IAD framework and using the action arena as the unit of analysis, we can contextualise and broaden the understanding of “what went wrong” and also provide access to larger and crosscutting domains of the policy-making spectrum, approaching normative perspectives and questions. In our case, we know that system resilience is the common that could be depleted. Most of the problems in the Danske Bank scandal related to the attributes of the community, in that the interaction between different actors lacks good patterns of cooperation and informational exchange as the result of moral hazard and free riding issues.[146] Indeed, participants’ incentives to act collectively were poor as differences in their individual interests and constituencies affected power relations and levels of trust between them. Furthermore, cultural differences might have undermined trust and ultimately the ability of participants to communicate, jointly learn about, and act in the perspective of an efficient management of the common resource. At the same time, issues concerning the rules in use were identified. The current regulatory framework shows the intricacies of a multi-level and cross-sectional system with different layers of norms and provisions intertwining. This begs the question as to whether the regulatory framework is “congruent” in producing “a distribution of costs that is proportional to the distribution of benefits”.[147] In other words, checks and balances need to be in place in order to guarantee that the economic agents are accountable for the condition of the common resource and the possibility to deplete it. This for instance links to the issues that the current EBA procedure for breach of EU law brought up in the domain of the Danske Bank scandal. Viewed through the IAD lens, thus: 1. system resilience is not purely depletable, but it can replenish and be regained (“biophysical conditions”); 2. the community is formed by members that are interrelated, and cooperation and coordination are feasible (“attributes of a community”); the rules are a multi-level and cross-sectional set of norms among actors.

The existence of these exogenous variables, and their negative impact on the resilience of the EU financial system, throws into question the degree of centralisation in the ESFS.[148] Yet, this question is complicated by the fact that national experts with local market knowledge continue to play a key role in the functioning of the Single Market. This is especially true for AML/CTF where the national CAs cooperate closely with local law enforcement bodies and prosecutors. It is therefore a relevant and objective criterion to consider the support or buy-in of national CAs when the Commission is confronted with competing policy choices in this area.[149] However, it becomes more problematic if the Member States in the Council fail to adopt legal reforms that serve broader EU interests only to protect the influence of their national CA. The latest reform of the ESFS from December 2019 provided EBA with a new intervention power to request national CAs to investigate possible breaches of Union law by financial sector operators.[150] However, the European Parliament and Council were far less progressive when it comes to both the governance arrangements and the funding model of the ESAs. Here the legislative proposal from the Commission foresaw an independent preparatory body responsible for non-regulator decisions (to replace the management board) and market-based financing to be collected by the national CAs.[151] By firmly rejecting those proposals, it led EBA to conclude that the reform merely constitutes “evolutionary, not revolutionary, step[s] in the EU’s approach to AML/CFT”.[152] For this reason, it is questionable whether the reform in fact addresses the “structural problem” in the Union’s capacity to prevent that the financial system is used for illegitimate purposes.[153]A more fundamental and sustainable solution would be to reinterpret the constitutional principles governing the exercise of Union competences in light of the heightened AML/CTF risks facing Europe. This would allow parts of the AMLD IV (revised) to be transferred to a directly applicable Regulation as well as direct supervision of some obliged entities at the European level, as envisioned in the Action Plan of the Commission from May 2020.[154] Fortunately, it appears that such an interpretation has gradually been accepted by the Co-legislator in relation to both the principle of subsidiarity and proportionality in Article 5 TEU.[155] Yet, it does not change the fact that future legislative proposals are likely to be challenged on political, legal, as well as operational grounds.[156] An important task for academic scholars will therefore be to critically examine and assess the basis of those objections in the years to come.

5. Concluding remarks

Financial markets are characterised by free riding behaviour and moral hazard phenomena, leading up to a collective-action problem. Recent financial scandals, like the Danske Bank case, revealed in fact how an economic agent is tempted to pursue its own interest to the detriment of the commons, i. e. resilience. An attempt to overcome the inefficiencies relating to the “tragedy of the commons” could be offered by the Institutional Analysis and Development Framework by Ostrom (IAD). Such framework enlightens how a commons can function for the governance of shared resources: the structure of the IAD, with actors in positions (“participants”), entering into social interactions with their own strategies (as well as ethics, ideas, and information) and operating under sets of rules that structure social interactions. The “action arena” is the unit of analysis and has the advantage of showing the set of exogenous variables that affect how “participants” act and interact with each other. The IAD accounts for the complexity of the multilevel and polycentric settings that characterise financial markets and, more specifically in relation to the European dimension, feeds the centralisation versus decentralisation debate and the subsequent relationship between national,intergovernmental, and supranational levels. Quite distinctively, the IAD highlights legal factors (rules) as well as non-legal factors (biophysical/material conditions and attributes of the community) that together determine the outcome of the action arenas. All of this points to the relevance of institutional arrangements for governing common-pool resources as well as the central role of trust in coping with financial scandals and social dilemmas such as the Danske Bank one. As a matter of fact, reinvigorated emphasis on structural factors affecting the likelihood of increased cooperation between participants and stronger level on centralisation seems to be essential. This analysis seems particularly timely and relevant considering the upcoming institutional and substantive developments enshrined in the European Commission’s so called “AML legislative package”[157].


This research has been carried out within the Jean Monnet Chair in Digitalisation in EU Financial Studies (EUDIFIN) – 611917-EPP-1-2019-1-IT-EPPJMO-CHAIR.The European Commission’s support for the production of this publication does not constitute an endorsement of the contents, which reflect the views only of the Author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.Although this article is the result of a joint reflection, par. 1, 2.1, 2.2, and 4 can be primarily attributed to Andrea Minto, with the remaining par. 3.1, 3.2, 3.3, 3.4 and 5 primarily attributable to Niels Skovmand Rasmussen.

Published Online: 2022-06-22
Published in Print: 2022-06-08

© 2022 Andrea Minto and Niels Skovmand Rasmussen, published by Walter de Gruyter GmbH,Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 5.2.2023 from
Scroll Up Arrow