U.S. Court Sentences Defendant to 9 Years’ Imprisonment, $1 Million Fine for Arms Export Control Act and Money Laundering Offenses

On November 13, the U.S. District Court for the Northern District of California sentenced the operator of a U.S. business, Naum Morgovsky, to 108 months’ imprisonment, a $1 million fine, and forfeiture of $222,929.61, on his plea to charges of conspiring to illegally export components for the production of night-vision and thermal devices to Russia in violation of the Arms Export Control Act (AECA), and for laundering the proceeds of the scheme.  Morgovsky’s wife, Irina Morgovsky, also pleaded guilty to conspiracy to violate the AECA and misuse of a passport, and was sentenced on October 31 to 18 months’ imprisonment for her role in the conspiracy.

The Department of Justice press release stated that according to their guilty pleas, which occurred during the second day of jury selection in their case on June 12, 2018, Naum and Irina Morgovsky

admitted that from at least April 2012 until Aug. 25, 2016, they conspired to export without the necessary license to a company called Infratech in Moscow, Russia, numerous night and thermal vision components, including image intensifier tubes and lenses.  The couple used their U.S. business, Hitek International, to purchase these components and misrepresented to the sellers that the products would not be exported.  The couple then shipped the products to Russia using a variety of front companies and shipment methods.  Further, defendants knew the night and thermal vision components they exported were on the U.S. Munitions List and that they therefore were not permitted to export the items without a license from the Department of State, Directorate of Defense Trade Controls, which they never sought.

The sentencing judge also found that Naum Morgovsky had taken steps to conceal his crimes so that he and Irina Morgovsky could continue to operate their illegal export business without detection, and that he laundered the proceeds of the AECA crimes.  The government also alleged that Naum Morgovsky used numerous front companies and the identity of at least one deceased person in furtherance of their scheme.

Note: Some attorneys have referred to the “complexity” of the AECA, and one recent commentary has characterized the overall multi-departmental bureaucratic process for reviewing and approving defense exports as “understaffed and organized in a way that can make the approval process inefficient and redundant.”  The Morgovskys’ actions, however, did not involve misunderstanding of fine distinctions in the International Traffic in Arms Regulations (ITAR), or bureaucratic delays in processing export-control paperwork.  Both defendants knew that the night and thermal vision components that they sought to export were unmistakably on the U.S. Munitions List, never sought the license that would therefore have been required, misrepresented to the sellers from whom they bought the components that the components would not be exported, and used numerous front companies and engaged in identity theft in the course of shipping the components to Russia.

In this respect, at least, the Department of Justice’s approach in this Administration to prosecuting AECA violations appears consistent with the approach in the Obama Administration.  Both Administrations have pursued and successfully prosecuted AECA cases when the items in question were on the U.S. Munitions List – such as weapons and weapons parts, sensors for use in high-level applications, and parts designed for missile and space applications – and there was evidence that the defendants knew it was illegal to export such items.  As a final note, Naum Morgovsky’s sentence, though longer than many AECA defendants, is not the longest sentence for an AECA defendant in recent years.

United States Court of Appeals Affirms Sentence of Defendant in EBRD-Related FCPA Prosecution

On November 8, the United States Court of Appeals for the Third Circuit affirmed the sentence of Dmitrij Harder, who had pleaded guilty in 2016 to two counts of violating the Foreign Corrupt Practices Act (FCPA).  At the time of his guilty plea, Harder, the former owner and president of Chestnut Consulting Group Inc. and Chestnut Consulting Group Co. (the Chestnut Group), admitted that between 2007 and 2009, he engaged in a scheme to pay approximately $3.5 million in bribes to an official of the European Bank for Reconstruction and Development (EBRD), to corruptly influence the official’s actions on applications for EBRD financing submitted by the Chestnut Group’s clients and to influence the official to direct business to the Chestnut Group.

Prior to Harder’s sentence, the Probation Office in the United States District Court for the Eastern District of Pennsylvania calculated an advisory range, under the United States Sentencing Guidelines, of 87-108 months’ imprisonment.  At the sentencing hearing, government prosecutors moved for a downward departure, pursuant to section 5K1.1 of the Sentencing Guidelines, in recognition of Harder’s cooperation and testimony during a related corruption trial in England that secured convictions against his former clients. The district court granted the government’s request for downward departure, which resulted in a Guidelines range of 57-71 months’ imprisonment.

Harder sought, but did not receive, an additional downward departure on three grounds that he advanced: (1) the proposed sentence was substantially greater than the average sentence for individual FCPA defendants; (2) “the bribes that he paid did not result in a loss to any victim; and (3) the two projects for which he corruptly sought financing proved successful and highly beneficial to the Eastern Siberia region.”  At sentencing, even after Harder’s counsel “continued to argue that Harder’s actions were less culpable due to the allegedly positive outcome,” the district court remained unpersuaded and sentenced Harder to 60 months’ incarceration (a sentence within the Guidelines range) and approximately $2 million in financial penalties.

On appeal, Harder alleged two procedural errors:

  1. Mitigation: Harder argued that the district court denied him a fundamentally fair sentencing hearing when it refused to hear or consider counsel’s argument in mitigation of offense severity. On this issue, the Third Circuit panel noted that “the record clearly reflects that the district court afforded meaningful consideration to Harder’s mitigation argument,” which it indicated is all that a sentencing court must give to a defendant’s sentencing arguments. It concluded that “the district court did not err by declining to grant Harder’s downward variance on the grounds that his conduct was allegedly less harmful than that of other FCPA defendants.”
  2. Unwarranted Disparity: Harder argued that the district court refused to comply with the statutory obligation to avoid unwarranted sentencing disparities.  On this issue, the panel rejected Harder’s argument, stating that “Harder does not challenge the calculation of his Guidelines range but simply objects to the district court’s refusal to grant a downward variance.”

Note: The decision in this case is not included among published Third Circuit opinions, probably because Harder’s issues on appeal were neither issues of first impression nor arguments that the court considered meritorious enough to warrant detailed analysis.  Three observations are still in order.

First, it should be noted that the sentencing court gave Harder credit for cooperation with the authorities (in the form of a downward departure) due to his testimony in a non-U.S. judicial proceeding.  The language of Guidelines section 5K1.1 states that a federal court may grant a departure from a Guidelines sentence “[u]pon motion of the government stating that the defendant has provided substantial assistance in the investigation or prosecution of another person who has committed an offense.”  Although it might seem that this basis for departure would pertain only to U.S. investigations and prosecutions, neither the text nor the Guidelines commentary thereon contain any limiting language to that effect.

The fact that the government was willing to file a section 5K1.1 motion for Harder’s assistance in a foreign trial indicates that the Justice Department is willing to construe section 5K1.1 expansively, at least in cases where the defendant may be able to render substantial assistance in a foreign prosecution.  It is noteworthy that in its successful prosecution of the EBRD banker whom Harder bribed, Andrey Ryjenko, the United Kingdom Crown Prosecution Service did not mention Harder by name, but credited “effective cross-border partnerships between a number of jurisdictions, including the United States” for making Ryjenko’s conviction possible.

Second, Harden’s argument regarding unwarranted disparity in FCPA sentencings was critically deficient in two respects.  One is the failure to raise the additional issue that the Third Circuit had identified: i.e., challenging the sentencing court’s calculation of the Guidelines range as well as raising the variance issue.  There is no guarantee that the Third Circuit would have found any greater merit in that additional issue, but its absence from the appeal clearly played a role in the panel’s reasoning.

The other is that Harder might have had greater success with his argument had he been able to show significant disparities between his sentence and the sentences of other co-defendants in the case.  Unfortunately for Harder, there were apparently only two other people prosecuted in connection with the bribery, and both were prosecuted in the United Kingdom.  The banker whom Harder bribed, Ryjenko, was sentenced after his London trial in June 2017 to six years’ imprisonment, and Ryjenko’s sister, Tatyana Sanderson, had been declared unfit to stand trial but pleaded guilty to laundering Ryjenko’s bribe payments through accounts in her name and received a suspended sentence of two years’ imprisonment in September 2018.   While reference to those facts would have taken the Third Circuit well outside the record of Harder’s appeal, it might have provided a further basis for the Third Circuit to conclude that Harder had not been the victim of unwarranted disparity in his sentence.

Third, it seems plain that Harder should never have raised the argument, at sentencing or on appeal, that he should be given favorable consideration for a further variance because his bribery of Ryjenko made people in Eastern Siberia more prosperous.  Apart from the fact that the FCPA contains no “bribery creates positive externalities” defense, on a more fundamental level courts are unlikely ever to reward a defendant for criminal conduct that arguably benefited third parties who did not participate in the crime itself.  A defendant who robs Peter to pay Paul should not be able to claim that he deserves leniency because Paul was genuinely deserving of and benefited from the money.

Cathay Pacific Reports Sustained Cyberattacks That Led to Major Data Breach

On November 12, Hong Kong-based airline Cathay Pacific publicly disclosed that the data breach it had first reported on October 24 was the result of a sustained series of cyberattacks that began in March 2018 and continued even after May 2018.  In its October 24 statement, Cathay Pacific had announced only that “as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing  passenger data of up to 9.4 million people.  Upon discovery, the company took immediate action to investigate and contain the event.”

Subsequently, Cathay Pacific prepared and issued the November 12 statement, in advance of a November 14 joint meeting of the Hong Kong Legislative Council’s (LegCo’s) Panel on Constitutional Affairs, Panel on Information Technology and Broadcasting, and Panel on Security.  In that statement, Cathay Pacific described a substantially longer timeline for both the attacks and the response than its October 24 statement had indicated.  That timeline began in March 2018,

when Cathay first detected suspicious activity on its network and took immediate action to understand the incident and to contain it. Cathay did this with the assistance of a leading global cybersecurity firm. During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. . . . Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.

The November 12 statement also included details about who was affected by the breach, what information was accessed, and how it conducted its internal investigation.  It explained that the investigation had  three objectives: (i) investigation, containment, and remediation; (ii) confirming which data had been accessed and whether it could be read by the attacker(s); and (iii) determining the types of personal data that pertain to each affected passenger and notification.  “Once we met these objectives,” Cathay Pacific explained, “we notified affected passengers and relevant authorities.”

Cathay Pacific also sought to anticipate criticism about the delay in its disclosure of the full extent of the attacks and breach.  It stated that

the nature of this attack involved a number of complex systems that took significant time to analyse. An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed, and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.

With regard to its investigation, Cathay Pacific also stated that “our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information to them. . . . The investigation was complex, longer than what we would have wished and we would have liked to have been able to provide this information sooner.”

Note:  At the conclusion of its November 12 statement, Cathay Pacific acknowledged “that there [are] many lessons that we can and will learn from this event.”  There are at least two lessons that other companies, from senior management to information-security and compliance officers, can learn from Cathay Pacific’s experience — though those lessons may not necessarily be the ones that Cathay Pacific had in mind.

First, senior management needs to understand how sustained cyberattacks on their information systems can be.  Media reports sometimes seem fixated on the word “sustained” in describing cyberattacks, such as the June 2017 cyberattack on the United Kingdom Parliament.  It should be noted that that attack reportedly lasted on the order of only 24 hours, but included a peak intensity of approximately 200,000 attempts over a number of hours on a single day.  The Cathay Pacific attack, by contrast, lasted for approximately three months.  Although that attack might seem like a “black swan” event, its success over multiple months makes it highly likely that those or other cyberattackers will emulate the concept of multiple-day or week attacks against other companies and government agencies.

For that reason, senior management needs to plan for the possibility that it will need to spend significant sums to supplement their company’s human and technological resources, and remediate hardware and software damage, in the event of a major cyberattack that lasts for an extended period.  As one point of comparison, in March 2018 the City of Atlanta experienced a major ransomware attack that not only caused significant damage to various information resources, but required the City to engage in emergency contract hires of security consultants and crisis-communication experts.  The bill for response and remediation reportedly increased from $2.7 million in April 2018 to $17 million by August 2018.

Second, in their first reports of a major cyberattack or data breach, companies need to choose their words carefully in describing the attack or breach.  In 2018, investors, the media, and the general public can be quick to react adversely to any reports that a company that suffered a data breach did not publicly disclose that breach until well after the event.  While a company must always take steps to see that the nature and timing of such disclosures comply with applicable state laws or national legislation, it must also anticipate that its first statements about the breach will set the tone for immediate and later responses by the media and the investing community.

In Cathay Pacific’s case, its October 24 explanation of the reasons for delaying disclosure – the need to determine the true extent of the damage and to remediate effectively — was not unreasonable on its face, and the company did include specific information about how people who thought they might be affected could contact the airline.  The greater problem appears to have been the wording of that statement.  Though surely not intended to mislead the public, the statements in the lead paragraph that it “discovered unauthorised access to some of its information system” and “took immediate action to investigate and contain the event” could easily be read to mean that the attack was a one-time event of brief duration.  That, coupled with the seven-month delay in disclosing the breach, likely added momentum to the “avalanche of criticism” that the October 24 statement triggered.

Three more specific lessons from this case, for other companies that suffer data breaches in the future, are simple:

  • When you’re ready to make your first statement about the breach, be as concise, and as accurate, as you can without compromising any ongoing internal investigation or remedial efforts. In that critical first disclosure, a company doesn’t need to explain the precise details of attack vectors or of the information-technology defense mechanisms and techniques it used.  It does need to be clearly understood when it describes the general nature and duration of the attack.  In the case of the UK Parliament attack, Parliamentary authorities provided general but prompt information during the weekend that the attack was underway, and were specific and accurate about the attack’s duration and intensity reasonably soon after the attack had ended.
  • Have someone outside the crisis-response team read the draft statement. It’s easy for people operating 24/7 in a crisis-response mode to make the assumption that they’ve said what needs to be said.  But it takes no effort to have someone from outside the team read the draft statements, as well as any draft questions and answers that corporate or government spokespersons propose to use with the media, with a layperson’s eye, and tell the crisis-response team where the public or the media might misunderstand or misconstrue any statements.
  • As with any other corporate crisis response, provide followup details when you can, but only when you’re confident you can provide accurate data. In the case of the UK Parliament attack, less than a month after the attack Parliament provided a concise but specific accounting of the extent of the attack, how many accounts were compromised, and what Parliament had done to respond.

In today’s LegCo joint panel meeting, Cathay Pacific’s representatives are likely to face pointed and critical questioning about its response to the cyberattacks and the timing of its disclosures.  With luck, it will already have learned enough lessons from its experience to date to provide responses that reduce the duration and intensity of that criticism.

European Commission Takes Action Against Luxembourg and Malta for Inadequate Compliance with 4th AML Directive

On November 8, the European Commission took significant actions against two European Union (EU) Member States to underscore the importance of compliance with the 4th Anti-Money Laundering (AML) Directive, Directive 2015/849.  That Directive, according to the Commission,

“reinforces the previously existing rules by:

  • “strengthening the risk assessment obligation for banks, lawyers, and accountants;
  • “setting clear transparency requirements about beneficial ownership for companies and trusts;
  • “facilitating cooperation and exchange of information between Financial Intelligence Units from different Member States to identify and follow suspicious transfers of money to prevent and detect money laundering or terrorist financing;
  • “establishing a coherent policy towards non-EU countries that have deficient anti-money laundering and counter-terrorist financing rules;
  • “reinforcing the sanctioning powers of competent authorities.”

First, the Commission decided to refer Luxembourg to the EU Court of Justice for transposing only part of that Directive into their national law.  The Commission also proposed that the Court of Justice charge “a lump sum and daily penalties until Luxembourg takes the necessary action.”

Second, the Commission adopted an opinion requiring the Maltese anti-money laundering supervisor, the Financial Intelligence Analysis Unit (FIAU), to continue taking additional measures to fully comply with its obligations under the 4th AML Directive.  Previously, on July 11, 2018, the European Banking Authority (EBA) investigated and concluded that the FIAU was breaching Union law.  It determined, per the Commission, “that Malta failed to correctly supervise financial institutions and ensure their compliance with anti-money laundering rules.”  In particular, the Commission called upon the FIAU to take a number of measures, including:

  • “Improving its methodology to assess money laundering and terrorist financing risks;
  • “Enhancing its monitoring and supervisory strategy by aligning resources with the risk of money laundering posed by certain institutions;
  • “Ensuring that the authority is able to react in an appropriate time when a weakness is identified, including by revising its sanctioning procedures;
  • “Ensuring that its decision-making is properly reasoned and documented;
  • “Adopting systematic and detailed record-keeping processes for offsite inspections.”

Note:  The Commission’s actions in these two cases are not unique; it has previously referred Romania and Ireland to the Court of Justice, and taken other actions against 18 other Member States, regarding transposition measures for the 4th AML Directive.  In light of the continuing surge of AML enforcement activity in the European Union, however, the Commission needs to continue to assert its AML oversight authority with vigor, even as it sorts out what additional authority it may seek to exert even greater supervision and control over European financial institutions.

In addition, the Commission doubtless has its eye on the 5th AML Directive, which entered into force on July 9, 2018 and which Member States will have to transpose into national legislation by January 10, 2020.  Given its experience with many Member States’ delays in fully transposing the 4th Directive, the Commission should be concerned about Member States’ ability to transpose the latest Directive into national law in just over 15 months’ time.

On Moral Development in Military and Corporate Leadership

On Veterans Day, it is always appropriate to pay respect to the veterans of all generations, for their valor and for the sacrifices they make in the cause of freedom.  But it is worth taking a moment to recognize veterans also for the ethical and moral leadership they show in serving their country.   At every level and in every branch of the military – from the lowest-ranking enlisted man or woman to the Chairman of the Joint Chiefs of Staff – men and women routinely make decisions with ethical and moral consequences.

Some of those decisions, in combat situations, have to be made in fractions of a second and may have instant life-or-death consequences.  Other decisions, away from the battlefield, may be more deliberate, but may have significant consequences for the men and women whom those decisions affect — not least in shaping the ability of those men and women to make decisions that are militarily sound and morally defensible.  Over the past two decades, military leaders in the United States and other countries, such as the United Kingdom, have placed increasing emphasis on recognizing that the propriety of the use of military force has moral and ethical dimensions, and have committed to incorporating that recognition into the training of officers and enlisted men and women.

As one example of that commitment, a publication by the Lejeune Leadership Institute at Marine Corps University, Leadership, Ethics and Law of War Discussion Guide for Marines (Guide), identifies four stages of moral development in military leaders:

  1. Compliance: This stage involves the most basic level of behavior: i.e., learning to “compl[y] with critical orders quickly and unfailingly,” and with the broader set of rules, standards, and beliefs within a military organization. As the Guide warned, “Obedience at its pinnacle guarantees order, function, and accomplishment, but as an end-state it is dangerous. Those who stop developing at the obedience level run a risk of becoming unthinking, blind followers.”
  2. Moral Understanding: This stage addresses the concept of moral understanding, which “implies that we make numerous and complex value judgments about the foundational principles that underlie established rules and standards. These judgments precede ethical decisions, which in turn precede ethical conduct, which itself precedes ethical leadership.” Moral understanding, in this analysis, involves two challenges for leaders: (1) clarifying their expectations to their subordinates; and (2) ensuring that those expectations are in constant agreement with the mission and overall organizational principles.”
  3. Moral Maturity: This stage addresses the concept of moral maturity. Moral maturity “is not an end-state, rather, it is the product of continuous evaluation. A moral leader assesses his own beliefs; how those beliefs are manifest in his actions and the actions of his unit, and how closely aligned those actions are with the expectations of his nation, service, and mission.”
  4. Moral Ambition: This last stage involves the concept of moral ambition: “the active rather than passive pursuit of virtuous behavior not only in self, but in all members within the individual’s sphere of influence.”

Corporate leaders and managers who are confident that their companies already reflect a “culture of compliance” would still do well to compare their own leadership and actions against each of these four stages.  If they see subordinates who are locked into a “whatever it takes” mentality in pursuing the company’s business objectives, it is highly likely that those subordinates are communicating that same mentality to their staff members, and that those staff members in turn are expected simply to comply without question.  Such a situation requires prompt and decisive action to communicate that “whatever it takes” is a path that can lead only to harming the company (not to mention corrective action and even termination).

Even if corporate leaders and managers do not have such a situation, they still need to make sure they are being clear in communicating their expectations to subordinates, particularly with regard to properly reconciling ends and means in the day-to-day conduct of business.  As indicated above, corporate leaders will embody moral understanding to the extent that they not only communicate their expectations clearly, but that they reflect on those expectations and challenge themselves to see that their expectations agree with the company’s mission and overall principles (including codes of ethics and compliance standards).  With sustained effort, those reflections can translate into moral maturity as leaders continuously evaluate not only their own beliefs, but also the extent to which their own and their subordinates’ actions on the job demonstrate commitment to those beliefs and align with the expectations of their company’s top leadership and board and of regulators.

If corporate leaders can accomplish all of those tasks, they may be fortunate enough to achieve moral ambition.  As the Guide explains, there are no guarantees of doing so, “for it demands reflection, willingness, courage, and constancy of purpose.”  But because “moral ambition makes day-to-day leadership an agent of profound change,” it is a goal for which corporate leaders – no less than military leaders – ought to strive.