Friday May 22, 2026
Friday, 22 May 2026 00:20
This is yet another article under the theme "Learning from the Lessons of other Jurisdictions." The Thought Leadership Forum has, over the years, also conducted many workshops under this theme, on many sectors. This article, the third in the April/May 2026 series on Banking, will share research into the operations of the US subsidiaries of the Dutch Rabobank and Canada's Toronto-Dominion Bank, as well as the Estonian subsidiary of the Danske Bank of Denmark. These, I hope, will serve as examples to those in operations and administration, functional executive heads, non-executive boards, governance committees, external auditors, regulators, lawyers and arbitrators in Sri Lanka.
Regrettable events in a potential financial hub
The recent unprecedented events at a public listed bank in the private sector and a high profile government department regrettably impact negatively upon the credibility of our entire country, which there have been attempts, for years, to promote as a potential financial hub. It is important to have such aspirations, and there was a basis for that. There still is, if we are genuine about that goal. We should, therefore, not abandon that quest, throw the baby out with the bath water as it were, and creep into the woodwork. We must pause and turn the searchlight inwards.
A dent in the nation's reputation
First, we must acknowledge that there are lapses and weaknesses in both the private and public sectors that caused a dent in our reputation as a destination for foreign direct and portfolio investment. The outcome of the lapses and weaknesses calls into question the safety, security, and integrity of the banking and financial sector, the capital market, and all key institutions which have statutory and regulatory oversight over the sector - such as the Central Bank, the Securities and Exchange Commission of Sri Lanka, the Sri Lanka Accounting and Auditing Standards Monitoring Board, and the Auditing Profession in the country. This is a value adding chain. It is also a hierarchy. All within it need to get to the drawing board to correct what is deficient, or simply not right or sustainable.
An admirable SOE now a sustainable PLC: A thorough diagnostic and an imperative to build back better
That private sector Bank - once a state owned enterprise dependent on the Government for equity funds, and multilateral and bilateral development partners for concessionary and grant funds which are no longer available - transitioned seamlessly, over three decades ago, to a public listed entity with local and foreign individual and institutional shareholders, even sovereign wealth funds. This Bank also played a major role in development banking for large and medium sized projects while also contributing islandwide to what we called SMIs then (Small and Medium Industry loans) as a PCI (Participating Credit Institution). It has earned its place in the country. It owes us all an obligation, to perform a thorough independent diagnostic assessment of all its aspects, and to build back better. This is a national imperative.
Personal reminiscences
Might I add, on a personal note, that it is a Bank that I, on behalf of a major diversified, public listed conglomerate I worked with decades ago, have negotiated several hundreds of millions of loans from. The board and management were professional, sensitive, engaged and proactive. They worked holidays and weekends and delivered even better than their competition who included foreign banks that wooed us more intensely, for business. I remember well, how many such Bank CEOs visited me personally, at my office, at this conglomerate. I was also able to apply for and receive, a number of World Bank/IDA assisted technology grants (from a Technology Development Fund), as well as "Central Bank Refinance" which was once rejected by the Bank's board, but later recommended, to prevent a collapse of a hotel group, which this conglomerate acquired, and which today sits within its portfolio having also paved the way for its iconic flagship project. Naturally, I remain a well-wisher of this Bank.
Risk managing vulnerabilities of digitisation: Protecting long-established Government institutions
The issue at the country’s newly established Public Debt Management Office is a tragic event indeed. In the seven decades post-independence, there are many Government ministries, departments, and public officials who have made an extraordinarily valuable contribution. Let us not take them or the institutions they administered for granted. We must, therefore, also be natural well-wishers of the respective Government ministry and divisions, and the public officials, who are all now found wanting. This established, time tested, institutional infrastructure too, is not something we can throw out with the bath water as it were. But it is a compelling national imperative that the relevant institutions and their connected parts all subject themselves to an independent diagnostic in order to strengthen every aspect, and ensure all divisions are resourced well, with clearly laid down procedures.
Dented and digitally undressed or secure
Digitisation is necessary, timely and progressive. Yet, if we are to truly transition from a "Dented, Digitally Undressed and Vulnerable Sri Lanka" to a responsible and sustainable "Digitally Secure Sri Lanka" our initiatives must not be "quick fix" or hasty, offensive or defensive but honest, wholesome and robust to a practically achievable, optimum level. It is vital that every step is secure and indeed resourced with persons of competence, honesty, integrity, experience and maturity. That is the only way we can regain trust and credibility.
The role of correspondent banks
It is against this background that today, I would like to discuss a component of the global "banking value chain", for want of a better term, by inviting readers, who may not be banking and financial domain experts, to gain insight into how risk propagates across financial systems of multiple jurisdictions, through, for example, the functions of correspondent banking. A correspondent bank is a financial institution that provides services on behalf of another bank—typically in another country—enabling international payments, trade finance, and cross-border fund transfers. Each institution facilitates part of the transaction, but no single participant may have full visibility of the entire transaction chain. It is within this structure that network risk becomes particularly pronounced.
Dutch Rabobank and Canada's Toronto-Dominion
Today, large international banks serve as the arteries of global commerce. Yet, even institutions with decades of reputation and operational sophistication can become conduits for illicit financial flows if governance, compliance, and oversight fail. The cases of Rabobank N.A., a U.S. subsidiary of the Dutch Rabobank, and Toronto-Dominion Bank’s US operations illustrate how systemic anti-money laundering (AML) failures can permeate every layer of an organisation, threatening not only the bank itself but counterparties, regulators, and the integrity of the broader financial system.
Rabobank's US subsidiary: Transactions between US and Mexico
Rabobank is a major Dutch cooperative banking group, with international operations spanning Europe, the Americas, and beyond. Its U.S. subsidiary, Rabobank N.A., headquartered in California, was entrusted with retail, corporate, and commercial banking services, including high-volume cross-border cash handling, particularly flows between the U.S. and Mexico. Between 2009 and 2012, Rabobank N.A. allowed significant lapses in its AML controls. Suspicious cash deposits, wire transfers, and structured transactions were ignored, and a system was created to conceal deficiencies from U.S. regulators. High-risk clients were effectively placed on a “Verified List,” preventing meaningful monitoring or reporting of their activity.
US subsidiaries of Canada's Toronto-Dominion
Toronto-Dominion Bank (TD Bank), one of Canada’s leading financial institutions, operates extensive U.S. banking subsidiaries that provide retail, commercial, and correspondent banking services. From at least 2018 through 2024, it is reported that TD Bank’s U.S. operations failed to monitor a critically alarming percentage of its transactions. This vast failure, amounting to trillions of dollars in unmonitored flows, demonstrated profound weaknesses in transaction monitoring, customer due diligence, and overall AML governance. Both banks, despite their size and sophistication, allowed systemic deficiencies to persist for years, exposing themselves and the wider financial system to enormous risk.
Growth and revenue over compliance red flags
At both Rabobank and TD Bank, the failures were not accidental. Executive leadership prioritised growth and revenue over compliance. Internal audit warnings, risk management advisories, and compliance red flags were repeatedly ignored or undermined. In Rabobank’s case, senior executives actively concealed AML deficiencies, creating a culture where compliance recommendations were subordinated to business interests. TD Bank’s U.S. leadership under-resourced compliance teams and ignored repeated alerts, allowing unmonitored transactions to proliferate unchecked.
Resource constraints and limitations, exploited
Compliance departments in both institutions were understaffed and ineffective. Alerts on suspicious transactions were often ignored or poorly investigated. High-risk customers received implicit exemptions, eroding the integrity of AML programs. In both cases, these systemic compliance gaps enabled criminal actors to exploit the banking infrastructure, illustrating the consequences of under-resourced and deprioritised compliance functions.
Internal audit warnings, and risk management advisories
Internal audit, while tasked with identifying weaknesses, was unable to enforce corrective action. Resource constraints, limited authority, and management resistance meant audit findings were repeatedly unaddressed. Risk management structures were poorly integrated with compliance, leaving the banks exposed to operational, reputational, and legal risk. Transaction monitoring systems were either inadequate or bypassed entirely, failing to detect high-risk activity.
External audit and professional services oversight
External auditors and professional advisors did not find or escalate these failures effectively. Audit scope limitations and reliance on management representations created blind spots, leaving regulators unaware of the full scale of non-compliance. Professional services firms, while capable of identifying deficiencies, were constrained by incomplete information and client confidentiality obligations, highlighting systemic limitations in independent oversight.
Regulatory interventions, concealments, and shortcomings
US regulators, including the Department of Justice (DOJ), Office of the Comptroller of the Currency (OCC), Financial Crimes Enforcement Network (FinCEN), and the Federal Reserve, eventually intervened in both cases. In Rabobank’s situation, a guilty plea was entered, and forfeitures were imposed. TD Bank’s U.S. subsidiaries faced record fines, asset caps, and formal oversight following systemic AML breaches. Before enforcement actions, regulators were hindered by either deliberate concealment, as in Rabobank’s case, or overwhelming transaction volumes, as with TD Bank. The cases illustrate that even well-resourced regulators can struggle to detect systemic failures in real time, underscoring the importance of proactive oversight and robust reporting mechanisms.
Forfeitures, criminal fines and shareholder lawsuits
Rabobank N.A. forfeited approximately $368.7 million and incurred criminal fines. TD Bank’s U.S. operations paid roughly $3.09 billion in fines and forfeitures. Both banks faced structural oversight, employee terminations, and extensive remediation of AML programs. Investor confidence and client trust were severely eroded. Both banks suffered reputational harm that disrupted growth plans, particularly in correspondent banking and cross-border operations. TD Bank faced shareholder lawsuits alleging misrepresentation of AML compliance, compounding reputational and financial consequences.
Accountability and systemic integrity
The cases of Rabobank N.A. and TD Bank U.S. reveal that systemic AML failures are rarely the result of isolated errors. They reflect deficiencies in governance, culture, internal controls, and regulatory oversight. For banks, regulators, auditors, and professional advisors, these cases provide enduring lessons: compliance must be prioritised at every organisational level, oversight must be empowered to act, and accountability must be enforced.
As for enforcing accountability, may I invite readers, researchers, practitioners and resource persons at seminars, who often contact me, to refer to the section on the United Kingdom's Senior Managers Regime in my Thought Leadership Forum article titled "Banks, Basel, compliance and governance", published in the Daily FT on 24 April 2026 (https://www.ft.lk/columns/Banks-Basel-compliance-and-governance/4-791036). It is only through such requirements and enforcements that the integrity and trust of the global financial system can be maintained.
Let us now cross over to Europe. The case which I will describe, exposes how weaknesses in governance, oversight, correspondent banking relationships, and international regulatory coordination can converge within a global financial system.
Danske Bank Estonia: A systemic failure at scale
Danske Bank, headquartered in Denmark, is the country’s largest financial institution and historically one of the most respected banking groups in the Nordic region. Its origins date back to the 19th century, and over time it evolved into a major regional banking group with operations spanning Scandinavia, the Baltic states, and parts of Northern Europe. Tragically, it became the centre of what is widely regarded as one of the largest money-laundering scandals in modern banking history.
Non-resident clients, many linked to Russia
Between 2007 and 2015, its Estonian branch, which became part of Danske Bank through its acquisition in 2007 of Finland’s Sampo Bank (which included branches in Estonia, Latvia, and Lithuania), processed vast volumes of transactions. As the word acquisition flashes through my mind, I must pause, to remind readers about the importance of "pre-acquisition due diligence" that I stressed with practical examples in the article titled "Epstein, Bank of America, JPMorgan, and Deutsche", in the Daily FT, on 9 April 2026 (https://share.google/XQN808T6xH8oLEhRP).
The vast volumes of transactions referred to above were estimated at over €200 billion (approximately $200–230 billion)—largely through so-called non-resident clients, many linked to Russia and other former Soviet states. Internal reviews later revealed that these customers “should never have been customers” and that transactions “should never have been made,” reflecting deep failures in anti-money-laundering (AML) controls and governance.
Reminiscing about post-Soviet nations and parallels
As these examples prompt me to arm-chair travel to many post-Soviet nations, I am sent down memory lane, to my on-site insights into the gaps, deficiencies and needed reforms to the legal, statutory and regulatory environment and corresponding institutions in post-Soviet nations such as Armenia, Kyrgyzstan and Azerbaijan, where I was on assignment for the Asian Development Bank (ADB) on multiple occasions, over several years. I recall the many Technical Assistance interventions I had the privilege to design, in order to bring in new legislation, institutions and procedures. This is an area the Government and regulators should focus on, to help build necessary technical capacity, within statutory, regulatory institutions with oversight responsibility.
Branch autonomy, poor KYC and internal audits
As for Danske Bank’s Estonian branch, it apparently operated with significant autonomy, weak monitoring systems, poor KYC discipline and internal audits. A whistleblower raised serious concerns as early as 2013–2014, but internal compliance functions and external auditors failed to escalate these or act with sufficient urgency. Critically, even when deficiencies were identified—including the absence of effective transaction monitoring and widespread high-risk customers—senior management did not respond decisively, and in some cases disclosures to counterparties and regulators were misleading.
Devastating consequences: Guilty pleas, forfeitures, penalties, and fines
The consequences were severe and global. In 2022, Danske Bank pleaded guilty in the United States to conspiracy to commit bank fraud and agreed to forfeit approximately $2 billion, one of the largest penalties of its kind. In parallel, it settled with the US Securities and Exchange Commission for about $413 million for misleading investors about its AML controls, and faced additional actions across Europe, including a €6.3 million settlement in France. Investigations led to employee referrals to law enforcement, branch closure, and years of regulatory scrutiny, culminating in the bank completing US probation only in 2025.