From Scandal to Dominance: How Nordic Banks Found Redemption in Regtech

Published On May 19, 2021

In 2019, a global money laundering scandal shamed several Nordic banks into cleaning up their acts. Now, just a few years on, those same firms are outgrowing their European rivals. Radar examines the compliance revolution at the heart of Nordic banking.

If there is one region that can teach the rest of the world about the importance of robust compliance, it is the Nordics. 

Forced to overhaul their systems and controls following a global money laundering scandal, Danske Bank A/S, Nordea Bank Abp, Swedbank AB (publ) and Skandinaviska Enskilda Banken AB, are now reaping the rewards of extensive digitization projects in both the front and back office.

The lenders have topped the European tables for new digital-only customers, and have weathered the pandemic in robust shape, showing healthy balance sheets and strong capital buffers.

The quartet have come a long way since the dark days when illicit cash flows of more than US$200 billion linked to Eastern European crime syndicates were washed through their branches in Baltic states.

Criminal probes were launched and fines in the billions of dollars were foisted upon the banks, with share prices halving as customers and investors fled. Industry jargon, such as “Know Your Customer” and “false positives”, entered the public lexicon following the debacle as widespread anger and shame tarnished the previously unblemished reputations of the lenders.

Compliance-based Metrics

The headlines focused on the punishments, but in the background the banks quickly carried out vast technological upgrades, organizational restructures, and changed corporate mindsets to put culture and conduct first.

Danske and Nordea transformed their compliance departments, and implemented regulatory technology rooted in machine learning and natural language processing. 

The projects have been so successful that the firms now lead the pack, a fact borne out by their outstanding performance during the coronavirus downturn, much of which was down to their willingness to adopt digital tools. 

According to credit ratings agency S&P, during the pandemic, Nordic banks outperformed the top 50 largest European banks, and many other global peers, by a large margin of 2-3 percentage points.

It is an example other firms should follow, said Alice Cheung of Alvarez & Marsal Disputes and Investigations, noting that a strong culture of compliance is the bedrock for reputational strength and confidence in the business. 

“A risk-aware culture needs to be embedded and continuously reinforced into the culture and mindset of all employees across the bank,” she said.

“In efforts to encourage this, banks may consider implementing compliance-based performance metrics to determine compensation of all staff. The risk of repeating history and falling short of regulators’ expectations again comes with too high a price.”

Overly-complex Projects

Last year, the Bank of England (BoE) said U.K. firms lag behind the Nordics in the adoption of machine learning and data analytics solutions as it laid out a strategy to encourage the development of “world class” regulatory technology.

“For decades, as a consequence of mergers and acquisitions and developments in regulation and technology, new layers of complexity have simply been patched onto old systems,” the BoE said. “There is widespread recognition that patching up old systems is fast becoming too costly and risky to continue.”

Similar to their counterparts in Japan and the U.S., the U.K.’s largest banks have struggled with large technological change projects, and suffer from clashes between overlapping stakeholders in compliance and IT departments. 

The difficulties are rarely through a lack of trying; according to McKinsey, the finance industry spends more on software as a percentage of operating income than insurance and airlines. This rarely correlates with improved performance, however, and the results are often disappointing due to the convoluted nature of multi-team projects and poor data governance. 

Some patchwork compliance and surveillance tools date back decades, said Cheung, which often compounds the problem. “These types of legacy systems are difficult to upgrade and integrate with new technology. In addition, complex organizational structures within these large banks make decision-making processes difficult and lengthy,” she said.

It may take up to several years for a bank to approve and finally implement any proposed changes to its systems and by then, there could very well be new regulations or technology making the “new” system again outdated and unable to cope with the latest risks, Cheung said. 

Saving Space, and Budget

Asia’s best performing banks today are those that have targeted internal inefficiencies, automated controls, and are moving to cloud-based, “space-saving” techniques, McKinsey found in a recent report. 

Nordic firms are already well ahead in this regard, and were singled out by the BoE as the example for the U.K. market to follow when implementing their own regulatory technologies. Software-as-a-Service is an increasingly viable option for firms that are struggling with the expenses of hardware acquisitions, provisioning and maintenance, as well as software licensing, installation, and support.

The digitization process, which involved moving to cloud-based compliance systems and introducing machine learning surveillance tools, helped the firms take a huge step forward, making them more comfortable in using advanced analytics to gather insights across business lines.

“Although generally already more advanced than many other regions, digitization has picked up pace in the Nordics and regulators have continued to push for banks to adapt to the changing environment,” said Thomas Clifford, partner at Deloitte and Head of the Nordics Financial Risk team.

The Post-COVID-19 View

Beyond the immediate challenges of COVID-19, more compliance-based rules are in the pipeline across Norway, Sweden, Denmark, and Iceland, as regulators continue to ensure firms aren’t risking a repeat of their historic mistakes. 

Starting this year, Denmark has adopted a “comply-or-explain” legal framework that forces large corporate firms to disclose data ethics policies. It includes AI and algorithmic transparency, model data management, and data protection, and is to be expanded to include the financial sector. 

The regulatory framework for outsourcing was also updated in July 2020 with the specific purpose of removing legal barriers to the adoption of cloud services in the financial sector.

Whistleblowing provisions are also to be strengthened across the Nordics, with a more coordinated approach between different states and greater protections for employees inside financial services firms who come forward. 

The updates are in line with other regions, with global regulators insisting there will be no letup in enforcement action, and that they expect standards to remain high, despite the current constraints on business. 

The Nordic region’s experiences highlight some of the major failures that can arise when compliance is an afterthought and complacency sets in. Their decision to invest in technologies that better anticipate, identify, and manage risks has left them in better shape to ride out the current crisis, and should serve as a lesson to other firms struggling to make compliance a priority.