At first glance, the customers on the list sounded boring. They were mostly obscure trading companies with generic names like Hilux Services and Polux Management. But the auditors — who had been tipped off by a police unit that tracks financial crime — didn’t have to dig too deep before things got very strange.

The companies were moving huge amounts of money through Danske Bank from Russia, Azerbaijan, and Ukraine, and justifying them with nonsensical contracts.

One company with no website or internet presence, started by a 21-year-old from Azerbaijan, received millions of dollars from Russian state arms company Rosoboronexport for no clear reason. Another company from Uzbekistan bought $2 million worth of “building materials” from the remote British Virgin Islands. A third company agreed to loan out $150 million, but inexplicably transferred $582 million instead.

After more than a month poring over Danske’s books, the auditors produced a damning report about the bank’s failure even to try to understand what its own clients were doing, But it was never made public, even after the goings-on at Danske Estonia sparked one of the biggest money laundering scandals of all time.

In 2017, a team from OCCRP and the Danish newspaper Berlingske revealed that billions of dollars in dirty money had been moved through the bank’s Estonian branch. Only then, three years after it had been produced, did Danske’s head office get around to translating the Estonian audit.

Now, a copy of the report has been obtained by Berlingske and shared with OCCRP. It describes in exacting detail how the bank breached at least 47 different anti-money-laundering regulations — and how employees at the Tallinn branch enabled this by systematically ignoring hundreds of bizarre transactions.

In parts, it reads like a point-by-point list of the techniques offshore companies and politically exposed people use to transfer huge sums of money without accounting for their origin — and of the bank’s failure to question them.

“Danske was a textbook case where the bank’s risk level and its risk management were not in balance,” Kilvar Kessler, the head of the Finantsinspektsioon, or Estonian Financial Supervision Authority (FSA), told OCCRP.

“Why weren’t they? Because the profit coming from the branch with the risk was so high. If there would have been adequate risk control in place, such income wouldn’t have been possible.”

After seeing the first draft of his auditors’ report, Kessler was appalled. He immediately called Danske Estonia’s CEO, Aivar Rehe, and asked for a meeting. Soon afterwards, they were sitting together at an upscale restaurant in Tallinn’s picturesque Old Town.

“What have you guys been doing here?” he asked Rehe in dismay.

The bank head responded that without its lucrative offshore unit, Danske wouldn’t have a profitable business in Estonia.

Kessler asked if the head office in Copenhagen knew what was going on in Tallinn.

“Of course they knew,” he remembers Rehe saying.

Rehe committed suicide in 2019 amid a money-laundering probe into operations at the bank. He was not a suspect in the case but had been sought as a witness.

Danske Bank declined to answer specific questions related to this story. A press officer for the bank, Stefan Singh Kailay, directed journalists to a previous statement in which the bank acknowledged that it should never have had its portfolio of offshore customers.

“It is also obvious that we were too slow to acknowledge the scale of the problems and get the portfolio closed down,” Kailay said.

Thousand-Dollar Paint Cans and Nonexistent Addresses

The heart of Danske’s dirty business in Estonia lay in what was known as the “non-resident banking unit,” a team of about a dozen bankers who catered exclusively to foreign customers in places like Azerbaijan and Russia.

Last year, OCCRP reported on how these bankers — known as “relationship managers” — actively helped their clients evade anti-money-laundering regulations by running offshore companies for them.

But even when they weren’t conspiring with their clients, the relationship managers were ignoring obvious signs of money laundering, the FSA audit found.

For example, they accepted documentation from clients written in Azerbaijani, even though nobody on the team spoke the language. (The bank’s official policy was to only accept documents in English, Estonian, or Russian.) When asked about this, the bank replied that one relationship manager, Oksana Lindmets, had “some knowledge” of Azerbaijani and supplemented this with Google Translate.

They also accepted documents signed by Stan Gorin, a Latvian who had become notorious for selling his identity as a nominee company director, even though at that point there were hundreds of media reports detailing how his name had been used for illegal businesses, from weapons trafficking to pyramid schemes.

Perhaps most importantly, the relationship managers did not appear to pay much attention to the contracts that justified their clients’ transfers of millions of dollars, even when they were clearly absurd.

One high-risk client, Milecome Enterprises LLP, bought 10,500 one-gallon paint cans for an average price of over $1,000 each. Another supposedly sold a batch of metal pipes for $500 million, which would have added up to 344,820 metric tons — an unlikely amount, given that a full shipping container can hold only around 28. Inexplicable trades, especially those involving round numbers, are a classic sign of money laundering.

Another company, Riverlane LLP, was registered barely a month before it became Danske’s client. It had no website and only about 15,500 British pounds in cash assets, and declared its address at a location in Azerbaijan that didn’t appear on Google Maps.

Despite this, it almost immediately started moving huge amounts of money through the bank, mostly to other shell companies on the back of dubious contracts for the sale of electronics, textiles, building materials, and metals.

Auditors pointed out that many of these documents were nearly identical in form and content. In many cases, the buyer agreed to pay in advance for goods that would only be delivered after a month or more. One contract was signed a year before Riverlane was founded, while another was for the sale of an object whose name, the auditors said, was just gibberish: “the EP 70 KVA Sanay Puntasi 50cm.”

Danske often did not even bother to collect contracts at all, or check whether the trades actually took place.

“Danske Bank has not put in enough effort to determine where and when the goods would be delivered to the carrier and, moreover, whether the goods were carried at all,” the auditors wrote. “[F]or example, how and by what means were 282,138 tonnes of wire rod or workbenches valued at $250 million transported, and [were] they were transported at all.”

In just a year and a half, 65.7 million euros and over $1 billion passed through Riverlane’s accounts, an average of around $2.5 million for every working day — even though Danske never appeared to know who its customer was.