Investigation Houston
The ING Bank AML Compliance Failure
Lan’s Enterprise Limited Training Program
Training Objectives
What you’ll learn today:
- Understand how a major international bank failed its AML obligations
- Identify systemic compliance failures and their root causes
- Recognize the consequences of prioritizing business over compliance
- Learn key red flags that were missed for years
- Apply lessons to prevent similar failures in your organization
Case Overview
ING Bank N.V. - The Facts
- Institution: ING Bank Nederland (ING NL)
- Period: 2010-2016
- Investigation: “Operation Houston” by Dutch FIOD
- Settlement: €775 million (September 2018)
- Status: Only Dutch bank on Global Systemic Banks list
What Is a Systemic Bank?
Critical Infrastructure
- 9 million account holders in Netherlands
- 340 million payment transactions per month
- Essential to financial system functioning
- Higher responsibility for system integrity
- Trusted reputation in national/international trade
With great power comes great responsibility
The Legal Framework
AML/CTF Act Obligations
- Client Due Diligence (CDD) - Know Your Customer
- Report Unusual Transactions to FIU
- Train Employees to identify risks
- Record and Document all assessments
Gatekeepers of the financial system
The Gatekeeper Role
Why Banks Matter
- Banks have overview of all client transactions
- Ideally positioned to detect money laundering
- Must identify undesirable elements
- Must prevent and report suspicious activity
- Protect integrity of entire financial system
ING failed this critical duty for 6 years
Timeline: Investigation Launch
How It Started
- 2010-2015: Multiple criminal investigations find suspects banking with ING
- February 2016: Pattern emerges - reasonable suspicion of violations
- March 1, 2016: FIOD raids ING offices
- 2016-2018: Extensive investigation of systemic failures
The Seven Deadly Failures
Systemic Shortcomings Uncovered
- Missing or incomplete CDD files
- Incorrect risk classifications
- Failed CDD review processes
- Not terminating risky relationships
- Broken transaction monitoring
- Wrong client segmentation
- Insufficient personnel capacity
Failure #1: Missing CDD Files
The Foundation Cracked
- Over 1 million clients had incomplete files (pre-2007)
- Missing UBO (beneficial owner) identification
- Unknown client activities and purpose
- PEPs (Politically Exposed Persons) not identified
- Remediation project: 2011-2014
Example: October 2016 - New clients accepted with NO CDD screening due to system errors
Failure #2: Wrong Risk Ratings
Blind to Danger
- High-risk clients classified as low-risk
- No documentation requested or followed up
- PEPs not identified (can’t identify unknown clients)
- Wrong ratings = wrong monitoring frequency
- Signals of money laundering routinely missed
If you don’t know your client, you can’t assess their risk
Failure #3: No CDD Reviews
Set It and Forget It
- Periodic reviews not conducted
- Event-driven reviews ignored
- Client information never updated
- Ignored alerts from own systems
- Ignored inquiries from law enforcement
Years passed without checking if client data was still accurate
Failure #4: Exit Process Broken
Keeping Bad Clients
- Undesirable clients not terminated timely
- Incomplete CDD didn’t trigger exit
- Internal policy not followed
- Relationships continued despite risks
- Money launderers operated undisturbed
Failure #5: Transaction Monitoring
The Most Critical Failure
“Capping” or “Topping” System:
- Maximum 3 alerts per day for some categories
- Alert limits based on staff capacity, not risk
- Monitored accounts, not clients (“smurfing” risk)
- Percentage-based ranking, not absolute amounts
- System effectiveness never tested (2010-2016)
Transaction Monitoring Example
How Capping Worked
Internal ING Recommendation:
“Set parameters to top off the (over)abundance of alerts and thus reduce the workload”
Response: “is being done already”
Translation: We’re limiting alerts to match our staff, not our risk
Transaction Monitoring Logic Flaw
Percentage vs. Amount
Transaction 1: €100 normal → €10,000 transaction = 100x deviation
Transaction 2: €1,000,000 normal → €99,000,000 transaction = 99x deviation
System ranked Transaction 1 higher for investigation
The €99 million transaction was lower priority!
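Added example (not part of the original training deck, and not ING's actual system): a minimal Python model of the capped, percentage-ranked alert queue described above, next to a client-level ranking by absolute amount. All client and account ids and all amounts other than the two slide transactions are constructed; the function names are hypothetical.

```python
from dataclasses import dataclass

DAILY_CAP = 3  # "Maximum 3 alerts per day for some categories" (from the slide)

@dataclass(frozen=True)
class Alert:
    client: str      # constructed client id
    account: str     # constructed account id
    baseline: float  # "normal" transaction size in EUR
    amount: float    # flagged transaction in EUR

    @property
    def ratio(self) -> float:   # relative deviation, e.g. 100x
        return self.amount / self.baseline

    @property
    def excess(self) -> float:  # absolute EUR above the normal size
        return self.amount - self.baseline

# Constructed sample data; A1 and A4 are the two transactions from the slide.
ALERTS = [
    Alert("C1", "A1", 100, 10_000),            # 100x
    Alert("C2", "A2", 50, 6_000),              # 120x
    Alert("C3", "A3", 200, 30_000),            # 150x
    Alert("C4", "A4", 1_000_000, 99_000_000),  # 99x
    Alert("C5", "A5", 400, 9_000),   # one client spread over two accounts
    Alert("C5", "A6", 400, 9_500),
]

def capped_by_ratio(alerts, cap=DAILY_CAP):
    """Flawed design: rank by relative deviation, keep only `cap` alerts."""
    ranked = sorted(alerts, key=lambda a: a.ratio, reverse=True)
    return ranked[:cap], ranked[cap:]  # (investigated, never looked at)

def by_client_exposure(alerts):
    """Alternative: sum absolute excess per client and rank all of them."""
    totals = {}
    for a in alerts:
        totals[a.client] = totals.get(a.client, 0) + a.excess
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    kept, dropped = capped_by_ratio(ALERTS)
    print("investigated:", [a.account for a in kept])
    print("dropped:     ", [a.account for a in dropped])
    print("by client:   ", by_client_exposure(ALERTS))
```

The dropped list is the part of the iceberg that was never sampled; reviewing a sample of it is what an effectiveness test of the monitoring would have looked like.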
Failure #6: Wrong Segmentation
High Risk in Low Risk Buckets
- Clients classified by commercial criteria
- No monitoring of correct placement
- Trust clients in wrong segments
- “Special Purpose Vehicles” misclassified
- Different monitoring per segment
High-risk clients received low-risk monitoring
Failure #7: Understaffed
Capacity Crisis
- Insufficient personnel for years (2010-2016)
- Staff lacked necessary knowledge and experience
- Problems never structurally solved
- Alert limits set by staff availability
- No investment in compliance capacity
Business growth, but not compliance growth
Root Cause Analysis
Why Did This Happen?
1. Insufficient Attention & Priority
- Lack of awareness at senior management
- Poor “tone at the top”
- Underinvestment in systems and people
2. Business Over Compliance
- Commercial objectives prioritized
- Compliance culture not embedded
- “Attractive” client acceptance processes
Root Causes Continued
Cultural Failures
3. No Sustainable Solutions
- Short-term fixes only
- No long-term strategic remediation
- Problems persisted year after year
4. Dysfunctional Internal Controls
- “Three lines of defense” model failed
- Fragmentation - no ownership of whole process
- Everyone focused only on their role
Root Causes: Final Factor
Absence of Escalation Culture
- Ground-level employees knew of problems
- Issues didn’t reach senior management
- Signals from regulators sent back down
- No monitoring of remediation
- Accountability vacuum
Those who knew couldn’t act; those who could act didn’t know
Warning Signs Ignored
Years of Alerts - No Action
2008: DNB instruction - “satisfy requirements for controlled operation”
2015: DNB order for incremental penalties on private banking
2016: DNB reports transaction monitoring shortcomings
ECB 2015: On-site investigation identifies compliance risks
Internal warnings: Repeatedly noted but not acted upon
The Shocking Quote
ING’s Own Assessment
“For years we have only monitored the tip of the iceberg without taking samples of the remaining alerts, which could have given us an idea of the quality and effectiveness of our monitoring programme…”
Translation: We knew we were missing most money laundering signals
Real Cases: Curacao Money Laundering
€150 Million Case
- Period: May 2010 - 2014
- Amount: €150 million in credit card transfers
- 49 alerts from 2010-2013 - all dismissed
- UBOs unknown, business activities unclear
- Misclassified in SME segment
- First FIU report: August 2013 (3 years late)
- Relationship finally ended: January 2015
Real Cases: Underground Banking
€9 Million Case
- Business: Suriname “building materials trader”
- Reality: Currency exchange office
- Amount: Over €9 million transacted
- 15 mobile PIN terminals in Netherlands
- Client claimed no Netherlands activities
- Practically no CDD at acceptance
- Account blocked April 2015, closed September 2015
Real Cases: Cash Deposits
€507,565 in Cash
Companies F and A: “Fruit and vegetable importers”
- Owner ID document missing from CDD file
- Bankrupt person as authorized representative
- 90 cash deposits totaling €343,035 (Company F)
- 41 cash deposits totaling €164,530 (Company A)
- Many deposits in €500 notes
- Zero alerts for Company F
- Relationships ended mid-2015
$55 Million in Bribes
- Watertrail (Vimpelcom subsidiary) account at ING
- Paid $55 million to Karimova-linked company (2007, 2011)
- Karimova: Daughter of Uzbekistan President
- Essential UBO data missing
- 2012: Public reports link recipient to money laundering
- Zero alerts from transaction monitoring
- April 2015: Reported to FIU only after journalist inquiry
The Unmeasurable Damage
What We’ll Never Know
- Exact number of signals missed
- How many criminal clients went undetected
- Total money laundered through ING
- Number of financial crimes facilitated
- Full extent of damage to financial system integrity
ING can no longer determine these numbers
The Consequences: Financial
€775 Million Settlement
Breakdown:
- €675 million - Criminal fine
- €100 million - Confiscation of unlawfully obtained gains
Calculation: Savings from not hiring sufficient compliance staff
Context: One of largest banking settlements in European history
The Consequences: Legal
Criminal Charges
AML/CTF Act Violations:
- Article 3: Failed to conduct CDD
- Article 5: Entered relationships without proper CDD
- Article 8: Failed enhanced due diligence
- Article 16: Failed to report unusual transactions
Criminal Code Violation:
- Article 420quater: Culpable money laundering
Why No Individual Prosecutions?
Organizational Crime
High Bar for Individual Liability:
- Must prove knowledge of offenses
- Must prove conscious contribution to crimes
- Must prove conscious neglect to prevent
Result: Many individuals made mistakes, but insufficient evidence to prosecute individuals
Responsibility attributed to organization as a whole
Why Settlement, Not Trial?
Practical Justice
Reasons for Settlement:
- ING publicly acknowledged mistakes
- Full cooperation with investigation
- Comprehensive remediation plan under DNB supervision
- Taking responsibility for years of violations
- More effective than lengthy court proceedings
Path to Compliance
- Large-scale, long-term program
- Supervised by DNB
- Sustainable solutions, not quick fixes
- Tackling all seven failure areas
- Multi-year implementation timeline
- Regular progress monitoring
Settlement conditional on successful remediation
Lessons Learned: Culture
Compliance Must Come First
Critical Failures:
- “Business over compliance” mindset
- Growth prioritized over control
- “Attractive” onboarding over safety
- Cost savings over proper staffing
Lesson: Compliance is not a cost center - it’s your license to operate
Lessons Learned: Governance
Three Lines of Defense
What Failed:
- Fragmented responsibilities
- No holistic ownership
- Limited accountability per role
- Weak escalation culture
- “Tone at the top” absent
Lesson: All three lines must work together with clear ownership
Lessons Learned: Systems
Technology Must Match Risk
What Failed:
- Alert caps based on capacity, not risk
- Percentage logic vs. absolute amounts
- Account-level vs. client-level monitoring
- No effectiveness testing for 6 years
- Staff capacity determined system limits
Lesson: Your monitoring system must be fit for purpose and regularly tested
Lessons Learned: People
Invest in Your Team
What Failed:
- Insufficient quantity of staff
- Insufficient quality and training
- High workload, low capacity
- Knowledge gaps not addressed
- Years of underinvestment
Lesson: Skilled, sufficient staff are non-negotiable for compliance
Lessons Learned: Response
Act on Warnings
What Failed:
- Regulator warnings ignored
- Internal signals not escalated
- Remediation programs insufficient
- Years of repeated shortcomings
- No sustainable change
Lesson: When regulators or staff warn you, listen and act decisively
Red Flags You Must Act On
Warning Signs ING Ignored
- Incomplete client information
- Missing UBO documentation
- Client activities unclear or suspicious
- Transaction patterns don’t match business
- Law enforcement inquiries
- Multiple system alerts dismissed
- Other banks exiting same client
- Public reports of client misconduct
The Gatekeeper Failure
Impact on Society
Consequences:
- Money launderers operated freely for years
- Criminal enterprises funded undisturbed
- Law enforcement investigations hindered
- Financial system integrity compromised
- Public trust in banking damaged
- Other institutions put at risk
ING failed society, not just regulators
Key Takeaways
Critical Points to Remember
- Systemic banks have systemic responsibilities - Size increases duty
- Business over compliance always fails - Short-term gain, long-term disaster
- Your monitoring must be effective - Test it, prove it, improve it
- Warning signs demand action - Internal and external signals matter
- Culture flows from the top - Leadership sets compliance tone
Key Takeaways Continued
More Critical Lessons
- Know Your Customer isn’t optional - It’s the foundation of everything
- Invest in your people - Skilled staff are your first line of defense
- Technology has limits - Systems must be designed for effectiveness, not convenience
- Escalation culture saves institutions - Problems must reach those who can fix them
- Remediation must be sustainable - Quick fixes perpetuate problems
Discussion Questions
Reflect on Your Organization
- Could this happen in your institution?
- Do you have sufficient compliance resources?
- Is your transaction monitoring effective?
- Can staff escalate concerns freely?
- Does business ever override compliance?
- How do you respond to regulator feedback?
- When did you last test your AML systems?
Your Responsibilities
What You Must Do
As AML Professionals:
- Conduct thorough CDD on every client
- Never dismiss alerts without proper investigation
- Escalate concerns immediately
- Report unusual transactions promptly
- Keep learning and improving
- Speak up when you see problems
- Remember: You are a gatekeeper
The €775 Million Question
Was It Worth It?
ING’s Calculation (2010-2016):
- Save money on compliance staff ✗
- Grow business without control ✗
- Ignore warnings and hope ✗
Result:
- €775 million penalty ✓
- Massive reputational damage ✓
- Years of remediation ✓
- Criminal record ✓
Lesson: Compliance is always cheaper than the alternative
Final Thoughts
The Trust Equation
Banking = Trust
Without trust:
- No clients
- No transactions
- No business
- No future
ING learned that compliance isn’t a burden - it’s the foundation of trust
- AML Compliance Team: aml@gmfinance.co.nz
- Emergency Hotline: +64 09-309-8808
- Training Program: Lan’s Enterprise Limited
Questions?
Remember: Every compliance decision you make protects the entire financial system
Thank You
Stay Vigilant, Stay Compliant
“For years we have only monitored the tip of the iceberg…”
Don’t let this be your organization’s story