TSB Offers First-Ever Guarantee to Bank Customers Victimized by Fraud

On April 14, United Kingdom bank TSB announced the launch of what it termed its “Fraud Refund Guarantee.”  The Guarantee – which TSB characterized as a first in United Kingdom banking — “means that if you’re clearly an innocent victim of fraud on your TSB account, we will refund the money you lost from your account.”

TSB explained the scope of its Guarantee as follows:

All too often people who have money taken out of their account by fraudsters have to fight to get their money back. Even though this is the last thing you feel like doing if you’re the victim of crime.

Our Fraud Refund Guarantee means that you will get a refund even if you make an honest mistake. Whether you accidentally click on something you shouldn’t, or you share some sensitive information without thinking. As long as you’re an innocent victim, we’ll refund you.

TSB also stated two circumstances in which it would not refund money to a customer: (1) if a customer is “involved in committing the fraud”; and (2) if a customer “has been repeatedly affected by fraud, because they didn’t follow the advice we gave them to keep their account safe.”

TSB’s announcement stems directly from the catastrophic April 2018 information-technology migration at TSB that resulted in some TSB customers going weeks without banking services, 200,000 customer complaints, a loss of 80,000 customers, and some 1,300 customers being defrauded.  Then-Chief Executive Officer of TSB Paul Pester stated that the levels of fraudulent attacks had increased 70 times, as scammers conducted phishing calls, emails, and texts “purporting to be TSB and asking them to verify their bank details.”  In addition, United Kingdom Financial Conduct Authority (FSA) head Andrew Bailey reported that there had been approximately 10,600 fraudulent attempts relating to TSB’s IT catastrophe, and informed the United Kingdom Parliament that the FSA, jointly with the United Kingdom Prudential Regulation Authority, would investigate the TSB IT migration.

Note: Regardless of the circumstances prompting its announcement of the Fraud Refund Guarantee, TSB deserves credit for taking the lead in adopting a progressive approach to refunding its customers who are victimized by fraud.  While banks should be vigorously competitive in the products and services they offer, the concept that “fraud is not a competitive issue” should remain a vital component of any bank’s culture of compliance – particularly as cybercriminals have become increasingly sophisticated in their exploits and techniques and target banks and bank customers for massive frauds.  Adoption of a similar fraud-guarantee policy by other United Kingdom banks would not only serve to present a united front on fraud remediation, but also help to alleviate British bank customers’ widespread mistrust in their banks.

Libyan Government Seeks South Africa’s Assistance in Recovering $23 Million of Gaddafi Money

On April 6, The Telegraph reported that the Libyan government has asked the assistance of South African President Cyril Ramaphosa in recovering millions of dollars that the late Libyan ruler Muammar Gaddafi smuggled out of Libya and handed personally to former South African President Jacob Zuma before Gaddafi’s death.

In 2011, at the time of the NATO  intervention in Libya, Zuma, who was then South Africa’s President, reportedly “had disagreed with international military intervention in Libya and had offered Gaddafi asylum in South Africa as his regime crumbled.”  Although Gaddafi declined Zuma’s offer, he allegedly handed Zuma approximately $23 million, saying that “he will die in his own country” and adding, “’Please use this if I’m captured and taken to the International Criminal Court, find a good lawyer for me’. He said, “If I’m killed, please give it to my family”, a source told South Africa’s Sunday Times.”

Zuma then reportedly held the $23 million “for several years in an underground vault at his luxurious home in rural Kwazulu Natal, according to government sources,” but in February 2019 gave it to King Mswati of Eswatini (formerly Swaziland) “after fearing he would face charges over corruption allegations.”

The Sunday Times also reported “that the cash is now held by a relative of King Mswati’s who is employed by Eswatini’s central bank,” and that the King ”initially denied he had the Gaddafi money but reportedly admitted to knowing of its whereabouts when he met Mr Ramaphosa for the second time last week.”

Note: Even though the $23 million is only a fraction of the $20 billion in missing Libyan money that found its way to South Africa, this report is of interest in two respects.  First, it provides yet another example (as if one were needed) of Zuma’s pervasive condonation of corruption by others in high places. Although Zuma apparently deserves some modest credit for not pocketing Gaddafi’s funds upon Gaddafi’s death, and setting them aside for some future disposition, his hasty transfer of those funds to King Mswati suggests some degree of consciousness of guilt for retaining them for eight years rather than repatriating them to the Libyan government.

Second, it provides an additional perspective on the complexity of identifying and repatriating kleptocrats’ assets.  When heads of state facilitate the export and transfer of other heads of states’ stolen funds, it further complicates the process of tracing and recovering those funds.  If President Ramaphosa can obtain control over and repatriate the Gaddafi funds in Eswatini in the near future, it can set an example for other heads of state in demonstrating their countries’ active commitment to combating kleptocracy.

European Banking Authority Closes Investigation into Danish and Estonian Bank Regulators Over Danske Bank Oversight

On April 17, the European Banking Authority (EBA) announced that it had closed “its formal investigation into a possible breach of Union law by the Estonian Financial Services Authority (FSA)  (Finantsinspektsioon) and the Danish Financial Services Authority (Finanstilsynet) in connection with money laundering activities linked to Danske Bank and its Estonian branch in particular.”  The EBA’s terse release added only that the EBA’s Board of Supervisors had voted the day before to reject a proposal for a breach of European Union law recommendation.

Previously, the EBA had announced on February 19 that it had opened an investigation of the Danish and Estonian FSAs  under Article 17 of the EBA’s founding Regulation.  The abrupt end of the EBA’s investigation, however, sent vague and ambiguous signals about the basis and significance of that decision.

One report by EU Observer took the view that the Board of Supervisors’ action had “cleared Danish and Estonian financial regulators of breaking any EU laws in their handling of” the Danske Bank situation.  Reuters reported, however, that “[n]ational banking supervisors who control the [EBA} effectively forced it to clear” the Estonian and Danish FSAs.  All but one of the 28 national supervisors on the Board reportedly rejected the EBA’s recommendation.  That rejection, according to Reuters, “blocked any further legal action by the EBA against the Estonian and Danish supervisors and signaled EU states’ reluctance to let the bloc’s authorities investigate the exposure of their banking systems to financial crime.”

Note: The lack of transparency in this action by the EBA should satisfy no one.  Given the already white-hot glare of publicity over the Danske Bank scandal since last fall, and calls by the European Commission and European Parliament members for further inquiry into the FSAs’ oversight of Danske Bank, the EBA must have known, at the time it opened the investigation of the Danish and Estonian FSAs, that even that initial step would create a particularly dark cloud of suspicion over those FSAs.

For its part, the Board of Supervisors’ decision, while entirely within its authority, does nothing to dispel doubts about the capacity of the EBA to play any meaningful role in ensuring effective AML oversight within the Union.   If it truly concluded, on the basis of available evidence, that there is no basis to pursue the inquiry further against either FSA, the Board owes it to the Commission – and to the FSAs whose conduct was called into question – to say so in specific terms.

United Kingdom Financial Conduct Authority Fines Standard Chartered Bank More Than £102 Million for Poor AML Controls

On April 9, the United Kingdom Financial Conduct Authority (FCA) announced that it had fined Standard Chartered Bank (SCB) £102,163,200 “for Anti-Money Laundering (AML) breaches in two higher risk areas of its business.”  The FCA stated that it had conducted investigations into two areas of SCB’s business that SCB had identified as higher risk: (1) its UK Wholesale Bank Correspondent Banking business; and (2) its branches in the United Arab Emirates (UAE).

The FCA stated that it had found “serious and sustained shortcomings” in SCB’s AML controls relating to customer due diligence and ongoing monitoring, and that SCB “failed to establish and maintain risk-sensitive policies and procedures, and failed to ensure its UAE branches applied UK equivalent AML and counter-terrorist financing controls.”

The United Kingdom Money Laundering Regulations 2007 (MLRs), according to the FCA, required SCB to take two specific types of actions.  First, it was required to “establish and maintain appropriate and risk sensitive policies and procedures to reduce the risk it may be used to launder the proceeds of crime, evade financial sanctions or finance terrorism.” Second, it had “to require its global (non-EEA) branches and subsidiaries to apply policies and procedures in relation to due diligence and ongoing monitoring that are equivalent to those required of”  SCB in the United Kingdom.

The FCA, however, found “significant shortcomings” in SCB’s own internal assessments of the adequacy of its AML controls, as well as “its approach towards identifying and mitigating material money laundering risks and its escalation of money laundering risks.” These failings, in the FCA’s judgment, exposed SCB “to the risk of breaching sanctions and increased the risk of Standard Chartered receiving and/or laundering the proceeds of crime.”  SCB’s reported failings “occurred in its UK Correspondent Banking business during the period from November 2010 to July 2013 and in its UAE branches during the period from November 2009 to December 2014.”

The FCA also provided several examples of the failings in question:

  • “opening an account with 3 million UAE Dirham in cash in a suitcase (just over £500,000) with little evidence that the origin of the funds had been investigated;
  • “failing to collect sufficient information on a customer exporting a commercial product which could, potentially, have a military application. This product was exported to over 75 countries, including two jurisdictions where armed conflict was taking place or was likely to be taking place; and
  • “not reviewing due diligence on a customer despite repeated red flags such as a blocked transaction from another bank indicating a link to a sanctioned entity.”

SCB’s agreement to accept the FCA’s findings meant that the bank qualified for a 30 percent discount that resulted in the £102,163,200 fine.  Absent the discount, the FCA stated that the fine would have been £145,947,500.

Note:  This fine against SCB for AML violations, coming on the same day that the U.S. Department of Justice announced the criminal settlement of more than $1 billion with SCB for Iranian sanctions violations, should serve as a cautionary tale for financial institution boards of directors and C-level officials.  Any financial institution in which more than one of its financial-crimes compliance programs has had serious failings during the same periods —  that is, sanctions from 2007 to 2011, and AML from November 2010 to July 2013 (correspondent banking) and from November 2009 to December 2014 (UAE) – cannot seriously claim that it had a culture of compliance during those periods, and should therefore expect penalties of this magnitude.

To understand more clearly the FCA’s findings and reasoning, financial-crime compliance officers should peruse the FCA’s Decision Notice in this case, and use its findings as points of comparison to evaluate the soundness of their own AML programs.  Among other findings, that Notice included a specific observation that

SCB’s failings are particularly serious because they occurred against a background of heightened awareness within SCB of issues with its global financial crime controls arising from action taken by US regulators and prosecutors, direct feedback from the Authority, and through its own internal assessments. In addition, throughout the Relevant Period, the Authority, along with the UK government as well as international and domestic governmental organisations, repeatedly issued communications regarding jurisdictions with a high risk of money laundering and/or financial crime.

Financial institutions should therefore recognize that regulators such as the FCA can and will take into account the cumulative knowledge of a financial institution about its financial-crimes risks, as well as the range of external and internal sources of that knowledge, in determining whether that institution should be held accountable for any lapses or failures of its financial-crimes compliance programs.

UniCredit Group Institutions Resolve Sanctions Investigation with Department of Justice, Agree to Pay More Than $1.3 Billion

On April 15, the United States Department of Justice announced that Munich-based UniCredit Bank AG (UCB AG) had agreed to plead guilty to conspiring to violate the International Emergency Economic Powers Act (IEEPA) and to defraud the United States, “by processing hundreds of millions of dollars of transactions through the U.S. financial system on behalf of an entity designated as a weapons of mass destruction proliferator and other Iranian entities subject to U.S. economic sanctions.”  UCB AG and another bank that is part of the UniCredit Group, Vienna-headquartered UniCredit Bank Austria (BA), agreed to enter into a series of settlements with federal and local departments and agencies, in which the banks agreed to pay a total of more than $1.3 billion.

With regard to UCB AG, the Department stated that

[a]ccording to court documents, over the course of almost 10 years, UCB AG knowingly and willfully moved at least $393 million through the U.S. financial system on behalf of sanctioned entities, most of which was for an entity the U.S. Government specifically prohibited from accessing the U.S. financial system.  UCB AG engaged in this criminal conduct through a scheme, formalized in its own bank polic[i]es and designed to conceal from U.S. regulators and banks the involvement of sanctioned entities in certain transactions.  UCB AG routed illegal payments through U.S. financial institutions for the benefit of the sanctioned entities in ways that concealed the involvement of the sanctioned entities, including through the use of companies that UCB AG knew would appear unconnected to the sanctioned entity despite being controlled by the sanctioned entity.

With regard to BA, the Department stated that

[a]ccording to admissions in the non-prosecution agreement and accompanying statement of facts, between 2002 and 2012, BA used non-transparent methods to send payments related to sanctioned jurisdictions such as Iran through the United States.  BA conspired to violate IEEPA and defraud the United States by processing transactions worth at least $20 million through the United States on behalf of customers located or doing business in Iran and other countries subject to U.S. economic sanctions or customers otherwise subject to U.S. economic sanctions.

The settlements into which the UniCredit institutions entered include the following:

  1. Department of Justice: UCB AG agreed to waive indictment and to be charged in and to plead guilty to a one-count felony criminal information charging it with knowingly and willfully conspiring to commit violations of IEEPA and to defraud the United States, from 2002 through 2011. The plea agreement with UCB AG provides that UCB AG is to forfeit $316,545,816 and to pay a fine of $468,350,000.  In addition, BA entered into a non-prosecution agreement to resolve an investigation into its violations of IEEPA, and agreed to forfeit $20 million.
  2. New York County District Attorney’s Office: UCB AG entered into a plea agreement with the New York County District Attorney’s Office (DANY) for violating New York State law, pursuant to which UCB AG will pay $316,545,816. BA also entered into a non-prosecution agreement with DANY for violating New York State law.
  3. Other Agencies: UniCredit SpA (the parent of both UCB AG and BA), UCB AG, and BA entered into various settlement agreements with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Board of Governors of the Federal Reserve System (the Federal Reserve) and the New York State Department of Financial Services (DFS). Under those agreement, the three financial institutions agreed to pay additional penalties of approximately $660 million as follows:  $611,023,421 to OFAC, which will be satisfied in part by payments to the Justice Department and the Federal Reserve; $157,770,000 to the Federal Reserve; and $405 million to DFS.

Note:  This series of settlements is noteworthy not only for the amount of the sanctions-related financial penalties that UniCredit entities agreed to pay, or the duration of the scheme, but for the fact that UCB AG’s sanction-evasion scheme was formalized in UCB AG’s own policies.  That latter fact strongly indicates a serious dereliction of duty by UCB AG’s legal and sanctions-compliance functions.  No company that explicitly articulates a commitment to evasion of legal requirements in its policies can claim to have a culture of compliance.  Other financial institutions should therefore use this set of settlements, at an appropriate time, as a basis for reviewing their own policies, to see that no provisions on those policies even suggest how their institutions should circumvent or violate any legal requirements.