Estonian Minister of Finance: Estonia Should Receive “Majority” of U.S. Fines Against Banks in Danske Bank Scandal

On October 16, the Luxembourg Times reported that, with regard to the Danske Bank scandal, Estonian Minister of Finance Martin Helme stated on his Facebook page that

he wants to figure out “how to ensure that the money laundering investigations of our banks that have been launched by the US authorities, which will very likely end with huge fines, would be conducted so that we would be involved in the process throughout and that the majority of the fine would in the end come into the Estonia budget”.

Helme stated that he was in New York and had had discussions with lawyers in what he described as “an international law office” about “how to ensure that Estonia takes part in investigations by US authorities now underway and that his country receives proceeds from penalties imposed on lenders.”  He added that “We are talking about hundreds of millions at least, possibly about billions.”

An Estonian Ministry of Finance spokesman, Ott Heinapuu, separately stated “that the Estonian government hasn’t signed any contracts yet with ‘any US law offices’ as the minister ‘is exploring different options during his US visit on how to proceed with this topic’.”

N.B.: In view of the central role that Danske Bank’s Estonian branch played in handling some $234 billion in potentially suspicious transactions, and its ripple effect in the banking sector across Estonia, Denmark, and other countries, it is not surprising that Estonia is interested in sharing in any fines and penalties that may emerge from various investigations into the scandal.  Before Minister Helme signs any contracts with U.S. law firms, however, he may want to consider certain factors relevant to Estonia’s chances of sharing substantially in such fines and penalties (if U.S. investigations do result in fines and penalties).

First, in any investigation that the U.S. Department of Justice may conduct into potential international financial crimes, the Department is necessarily dependent on active cooperation from other countries in which evidence or investigative leads may be found.  Indeed, it is commonplace, in Justice Department releases announcing prosecutions of such international crimes (such as cyberfraud, financial institution fraud, and Foreign Corrupt Practices Act (FCPA) schemes), to credit foreign law enforcement and regulatory agencies that have assisted the Department in that case.

Second, as a matter of longstanding practice by the Justice Department, a country is not automatically entitled to share in the financial penalties that the Department may obtain in a case merely because some or all of the crimes in a particular scheme occur in that country, or even when that country has offered a measure of assistance to the Department on particular investigative issues or evidence acquisition.

In recent years, the Department has been willing, in major international cases, to partner with other countries’ law enforcement agencies in entering into coordinated criminal resolutions with corporate entities, where the foreign law enforcement agencies receive a substantial portion, even a majority, of the penalties imposed.  For example:

  • In the Department’s 2016 FCPA resolutions with Brazilian companies Odebrecht and Braskem, the Department agreed that the Brazilian Ministerio Publico Federal (MPF) would receive 80 percent of the $4.5 billion criminal penalty (later reduced) against Odebrecht, with the United States and Switzerland each receiving 10 percent, and that the MPF would receive 70 percent of the $632 million criminal penalty against Braskem, with U.S. and Swiss authorities each receiving 15 percent.
  • In the Department’s 2016-2017 FCPA resolution with Rolls-Royce, which it coordinated with the United Kingdom Serious Fraud Office (SFO) and the MPF, Rolls-Royce agreed to pay total criminal penalties of more than $800 million, which included a total fine of nearly $605 million to the United Kingdom, a payment of nearly $170 million to the United States, and a payment of nearly $25.6 million to the MPF.

In both of those cases, however, the foreign law enforcement agencies engaged in long-term and substantial investigations of their own that were closely coordinated with the Justice Department.  In the case of Rolls-Royce, the SFO conducted its investigation of Rolls-Royce’s involvement with foreign corruption for more than four years before it entered into a Deferred Prosecution Agreement with the company.  In the cases of both Odebrecht and Braskem, those cases stemmed from the MPF’s Operation Lava Jato, which began in 2014.  As a general proposition, then, the greater the investment of a foreign country’s prosecutive resources in investigating a complex case and the deeper and longer that country’s commitment to partnering actively with U.S. prosecutors, the stronger that country’s claim can be to share in the total penalties at the end of the case.

Third, Estonia should be mindful that the Justice Department is not the only U.S. agency that may ultimately play a role in any Danske Bank-related financial penalties.  Federal regulators such as the Financial Crimes Enforcement Network (FinCEN) and the Federal Reserve Board can impose such penalties on banks for Bank Secrecy Act and anti-money laundering violations.

For those reasons, Estonia needs to recognize that at this stage, it is far too early to expect or assume entitlement to a substantial share of financial penalties that have yet to be negotiated or imposed.  While it should feel free to consult with law firms about the U.S. legal landscape, it would be of minimal (if not negative) value to have attorneys lobbying the Department or other agencies on its behalf while those investigations are underway.  The best path for Estonia toward the level of future penalties that Minister Helme wants is for Estonian prosecutors and regulators to commit wholeheartedly to working with U.S. authorities and to sustain that commitment all the way to the finish line, whatever that may be.

South African President Cyril Ramaphosa Maintains That The Fuse For Change Is Lit

On October 15, The Economist published an article reporting on its October 13 interview of South African President Cyril Ramaphosa.  In the interview, President Ramaphosa – fully aware of the impatience that big business and the general public in South Africa have with the pace of change after former President Jacob Zuma was forced from office – likened the state of affairs to a scene in the World War II movie Force 10 from Navarone.  In that scene, Allied saboteurs are initially disappointed that the charges they exploded to blow up a dam did not immediately result in the dam’s collapse.  The team’s demolitions expert, however, assures them that the explosion fatally compromised the dam’s structural integrity.  In President Ramaphosa’s retelling, “Once the fuse has been lit, there is no going back.”

For President Ramaphosa, as the Economist correspondent commented,

that fuse is the National Prosecuting Authority of South Africa [NPA], one of several institutions he has sought to revive after their evisceration by Mr Zuma. The spectacular results people want may take time, but the process Mr Ramaphosa has set in motion “is irrevocable”, he says. Arrests will happen.

President Ramaphosa, however, was careful to temper expectations about the speed with which the fuse would burn.  As he told The Economist, “’People are asking when are you going to arrest people? When are you going to put people into jail?’ But it is not his job to arrest people, he argues, correctly. It is to ‘strengthen the institutions that must do their work’.”  When asked whether law enforcement would “be able to go after powerful people,” such as African National Congress Secretary-General Ace Magashule, who is widely considered to be deeply involved in corruption, President Ramaphosa carefully replied, “Once the institutions are strengthened, they should be able to go after anybody—including the president.”

President Ramaphosa was also cautious about committing to other specific measures to address the numerous challenges facing South Africa, including its economic growth rate, “horrifically high unemployment,” and flawed educational system.  In the face of these challenges, he admitted that “’It’s a difficult one. It’s a tough job…being the president of South Africa at this time…I wish had come in when the economy was better’.”

N.B.: One reason for President Ramaphosa’s cautionary notes regarding anti-corruption efforts is the sheer magnitude of the corruption that pervaded the Zuma administration, when, as one writer termed it, “the government’s law enforcement arm become as ineffective as a gangrenous limb.”  In an October 14 speech, President Ramaphosa reported that corruption under Zuma likely cost South Africa more than R500 billion ($34 billion).  Another likely reason is the knowledge that the person at the center of that institutionalized corruption, Zuma, is so far succeeding in delaying the start of his long-delayed corruption trial – so to speak, lengthening the fuse that the NPA only recently relit.

Nonetheless, it is not merely desirable, but necessary, that the NPA and the Judicial Commission of Inquiry into Allegations of State Capture show progress over the next few months in their pursuit of corruption, if President Ramaphosa’s promises of reform are to gain credibility.

Europol Issues Internet Organized Crime Threat Assessment

On October 9, the European Union Agency for Law Enforcement Cooperation (Europol) issued its Internet Organised Crime Threat Assessment (IOCTA) for 2019.  The IOCTA contains six categories of findings:

  • Cyber-Dependent Crime
    • With regard to cyber-dependent crime, which Europol defines as “any crime that can only be committed using computers, computer networks or other forms of information communication technology (ICT),” ransomware remains the principal threat. Even though “the overall volume of ransomware attacks has declined as attackers focus on fewer but more profitable targets and greater economic damage,” the number of victims “is still high.”
    • “Phishing and vulnerable remote desktop protocols (RDPs) are the key primary malware infection vectors.” The IOCTA noted that according to some reports, as many as 65 percent of groups “rely on spear-phishing as their primary infection vector.”
    • “Data remains a key target, commodity and enabler for cybercrime.” The IOCTA observed that data compromise “represents the second-most prominent cyber-threat [after ransomware] tackled by European cybercrime investigators.”
    • After the increase in destructive ransomware, “there is a growing concern within organisations over attacks of sabotage.”
    • “Continuous efforts are needed to further synergise the network and information security sector and the cyber law enforcement authorities to improve the overall cyber resilience and cybersecurity.”
  • Child Sexual Exploitation Online
    • The amount of child sexual exploitation material (CSEM) that law enforcement and the private sector have detected “continues to increase, putting considerable strain on law enforcement resources.” The IOCTA stated that at least 18 EU Member States received referrals from the United States through Europol, and that all Member States received referrals from Canada through Europol.
    • “The online solicitation of children for sexual purposes remains a serious threat with a largely unchanged modus operandi.” Sexual offenders “generally use the open web . . . using a variety of social media services.”
    • Self-generated explicit material (SGEM) – also known as “sexting” — “is more and more common, driven by growing access of minors to high quality smartphones and a lack of awareness of the risks.” The IOCTA stated that “[a]lthough sexual coercion and extortion of minors also happens for financial gain, in the majority of cases the aim is to obtain new CSEM.”
    • Commercial CSE remains limited, with the “notable exception” of live distant child abuse (LDCA).
  • Payment Fraud
    • Card Not Present (CNP) fraud “continues to be the main priority within payment fraud and continues to be a facilitator for other forms of illegal activity.” Fraud relating to the purchase of physical goods is the leading type of CNP fraud, but “CNP is increasingly moving into other sectors such as travel (hotels, car rentals, etc.) postal services, giftcards, etc.”
    • Card “skimming”, as the second priority for investigators, continues to evolve, as criminals “continuously adap[t] to new security measures.” The IOCTA added the remarkable observation that “[t]he ongoing threat of skimming is the direct result of the fact that not all payment terminals and ATMs in Europe contain the necessary anti-skimming measures.”
    • “Jackpotting” attacks – also known as “black-box attacks,” which are designed to cash out ATMs – “is the most widespread type of logical ATM attack” and “are becoming more accessible and successful.”
  • The Criminal Abuse of the “Dark Web”
    • The “dark web” – defined as “encrypted online content that is not indexed by conventional search engines” – “remains the key online enabler for trade in an extensive range of criminal products and services and a priority threat for law enforcement.”
    • Recent coordinated law enforcement activities, together with extensive Distributed Denial of Service (DDoS) attacks, “have generated distrust in The onion router (Tor) environment.” At the same time, while “there is evidence that administrators are now exploring alternatives,” it appears that “the user-friendliness, existing market variety and customer-base on Tor makes a full migration to new platforms unlikely just yet.”
    • Europol observed “increases in single-vendor shops and smaller fragmented markets on Tor,” including those catering to specific languages. “Some organised crime groups (OCGs) are also fragmenting their business over a range of online monikers and marketplaces, therefore presenting further challenges for law enforcement.”
    • “Encrypted communication applications enhance single-vendor trade on the dark web, helping direct users to services and enabling closed communications. Although there is no evidence of a full business migration, there is a risk the group functions could become increasingly used to support illicit trade.”
  • The Convergence of Cyber and Terrorism
    • The broad array of online service providers (OSPs) that terrorist groups exploit “presents a significant challenge for disruption efforts.” As the IOCTA put it, “the sheer number of OSPs exploited for terrorist purposes presents a challenge for disruption efforts. These include forums, file-sharing sites, pastebins, video streaming/sharing sites, URL shortening services, blogs, messaging/broadcast applications, news websites, live streaming platforms, social media sites and various services supporting the creation and hosting of websites (including [domain name] registries and registrars).”
    • “Terrorist groups are often early adopters of new technologies, exploiting emerging platforms for their online communication and distribution strategies.”
    • “With sufficient planning and support from sympathetic online communities, terrorist attacks can rapidly turn viral, before OSPs and law enforcement can respond.”
  • Cross-Cutting Crime Factors
    • “Phishing remains an important tool in the arsenal of cybercriminals for both cyberdependent crime and non-cash payment fraud (NCPF).” The IOCTA characterized phishing as “a core attack method for all cybercrime.”
    • “While cryptocurrencies continue to facilitate cybercrime, hackers and fraudsters now routinely target crypto-assets and enterprises.” Crypto investigations, according to the IOCTA, “are now a core part of daily business for law enforcement. As a result, investigators require training to ensure they have the appropriate skills to handle such investigations.”

The IOCTA also provides numerous recommendations for each of those categories, including:

  • Cyber-Dependent Crime
    • Because “(s)uccessfully tackling major crime-as-a-service providers can have a clear and lasting impact,” law enforcement “should continue focusing its concerted efforts into tackling such service providers.”
    • Enhanced cooperation and improved data sharing between law enforcement, computer security incident response teams (CSIRTs), and private partners “will be the key to tackling complex cyberattacks, and allow the private sector to take the necessary preventative security measures to protect themselves and their customers.”
    • “In response to major cross-border cyberattacks, all cooperation channels should be explored, including Europol’s and Eurojust’s support capabilities as well as legal instruments designed for closer cross-border cooperation (such as Joint investigation Teams (JITs) and spontaneous exchange of information) in order to share resources and coordinate.”
    • Collaboration between the network and information security sector and cyber law enforcement authorities should be further enhanced, by involving those law enforcement authorities in “cyber resilience-related activities such as cyber simulation exercises.”
    • “Low-level cybercrimes such as website defacement should be seen as an opportunity for law enforcement to intervene in the criminal career path of young, developing cybercriminals.”
  • Child Sexual Exploitation Online
    • “Coordinated action with the private sector and the deployment of new technology, including Artificial Intelligence, could help reduce the production and distribution of online CSEM, facilitate investigations, and assist with the processing of the massive data volumes associated with CSEM cases.”
    • “A structural educational campaign across Europe to deliver a consistent high-quality message aimed at children about online risks is of the utmost importance to reduce the risks derived from SGEM such as sexual coercion and extortion.”
    • Because “much CSEM, particularly that arising from LDCA, originates from developing countries, it is essential that EU law enforcement continues to cooperate with, and support the investigations of, law enforcement in these jurisdictions.”
    • “Fighting CSE is a joint effort between law enforcement and the private sector and a common platform is needed to coordinate efforts and prevent a fragmented approach and duplicated efforts.”
    • In order to prevent child sex offenders from traveling to third countries to abuse children sexually, European Union (EU) law enforcement “should make use of passenger name record (PNR) data accessible through the Travel Intelligence team within Europol.”
  • Payment Fraud
    • Public-private sector cooperation – both between and within the sectors – “is crucial to come to fruitful results.” On this point, the IOCTA stated that “speedy and more direct access to and exchange of information from the private sector is essential for Europol and its partners.”
    • “Organisations must ensure they train their employees and make their customers aware of how they can detect social engineering and other scams.”
  • The Criminal Abuse of the “Dark Web”
    • “More coordinated investigation and prevention actions targeting the phenomenon are required, demonstrating the ability of law enforcement and deterring users from illicit activity on the dark web.”
    • “The ability to maintain an accurate real-time information position is necessary to enable law enforcement efforts to tackle the dark web. The capability needs to enable the identification, categorisation, collection and advanced analytical processing, including machine learning and AI.”
    • “An EU-wide framework is required to enable judicial authorities to take the first steps to attribute a case to a country where no initial link is apparent due to anonymity issues, thereby preventing any country from assuming jurisdiction initiating an investigation.”
    • “Improved coordination and standardisation of undercover online investigations are required to de-conflict dark web investigations and address the disparity in capabilities across the EU.”
  • The Convergence of Cyber and Terrorism
    • “Limiting the ability of terrorists to carry out transnational attacks by disrupting their flow of propaganda and attributing online terrorism-related offences requires continued and heightened counterterrorism cooperation and information sharing across law enforcement authorities, as well as with the private sector.”
    • “Any effective measure to counter terrorist groups’ online propaganda and recruitment operations entails addressing the whole range of abused OSPs, especially start-ups and smaller platforms with limited capacity for response.”
    • “Cross-platform collaboration and a multi-stakeholder crisis response protocol on terrorist content online would be essential to crisis management [in] the aftermath of a terrorist attack.”
    • “A better understanding of new and emerging technologies is a priority for law enforcement practitioners. Upcoming policy debates and legislative developments should take into account the features of these technologies in order to devise an effective strategy to prevent further abuse.”
  • Cross-Cutting Crime Factors
    • “Law enforcement and the judiciary must continue to develop, share and propagate knowledge on how to recognise, track, trace, seize and recover cryptocurrency assets.”
    • “Law enforcement must continue to build trust-based relationships with cryptocurrency-related businesses, academia, and other relevant private sector entities, to more effectively tackle issues posed by cryptocurrencies during investigations.”
    • Despite the gradual implementation of the Fifth Anti-Money Laundering Directive across the EU, “investigators should be vigilant concerning emerging cryptocurrency conversion and cash-out opportunities and share any new information with Europol.”

N.B.:  Information-security teams and law enforcement cybercrime teams should closely review the IOCTA, as it draws on an extensive range of data from structured surveys and feedback sessions involving 26 Member States and European third-party members, other EU government entities, open-source research, and private-sector input.  For their part, EU leadership should closely review the IOCTA recommendations, with a view to enhancing Europol’s roles in intelligence-sharing and public-private collaboration to combat cybercrime.

South African High Court Dismisses Zuma Bid to Stay His Corruption Prosecution

On October 11, the South African High Court in Pietermaritzburg dismissed the applications of former South African President Jacob Zuma and French aerospace and defense manufacturer Thales for a permanent stay of prosecution in the long-running corruption case against them.  The High Court reportedly took less than five minutes to dismiss the applications and to impose litigation costs on the applicants.

In addition, the High Court granted the application of the National Prosecuting Authority (NPA) to strike certain allegations that Zuma had made against the NPA, including an allegation that an NPA prosecutor was motivated by hatred against him.  The High Court concluded that Zuma’s claims “were scandalous and vexatious.”

The pending case, which includes 16 charges against Zuma such as corruption, fraud, racketeering, and money laundering, stems from R30 billion ($2.5 billion) in arms sales, dating back to the 1990s, involving naval vessels, submarines, fighters, and other equipment by European countries to South Africa for modernization of the South African armed forces.  Though the South African government under then-President Nelson Mandela made that deal, the deal reportedly “led to what is considered the single biggest instance of public corruption in the history of post-apartheid South Africa.”  In particular, Zuma, who was Deputy President when the arms deal was made final in 1999, is accused of accepting a R500,000 per year bribe from Thales.

N.B.: The speed with which the High Court ruled on this application stands in dramatic contrast to the glacial pace with which the case against Zuma has moved.  Although Zuma and Thales were originally indicted in 2007, the South African Prosecutor General dropped the case in 2009.  Years later, South African courts ruled that that decision was “irrational,” and in 2018 the South African chief prosecutor – though reportedly close to Zuma —  decided to reinstate the case against Zuma and Thales.

At this stage of the proceedings, Zuma has no incentive to resolve the case in any manner.  Under an agreement between African National Congress (ANC) leaders and Zuma, South Africa has been paying Zuma’s legal fees “because the case relates to actions taken when he was in government,” with the proviso that Zuma would have to repay them if he is ultimately found guilty.

Given the availability of unlimited funds until a guilty verdict, his attorneys have “hewed to a strategy of delaying his trial as long as possible — what analysts have called the ‘Stalingrad strategy’.”  Accordingly, while Zuma is now scheduled to return to court on October 15 to face the charges against him, he can appeal this latest decision by the High Court within the next 15 days, and ultimately take his challenge to the South African Constitutional Court.  In addition, Zuma’s continuing popularity with many ANC supporters is likely to buoy his confidence for some time to come.  For Zuma, justice delayed is not justice denied, but a strategic objective in his war of attrition against the case and the prosecutors.

FBI Issues New Guidance to Victims of Ransomware Attacks

On October 2, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement (PSA) on ransomware attacks that expands on, and in important respects diverges from, its longstanding guidance to victims of ransomware attacks.  Since 2016, the FBI’s public guidance on ransomware attacks has been that it

does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.

The 2016 guidance also stated that the FBI requested victims to contact their local FBI office and/or file a complaint with the Internet Crime Complaint Center, with certain ransomware infection details, and that it urged victims “to report ransomware incidents regardless of the outcome.”

The new PSA now states that the FBI “does not advocate paying a ransom” (rather than “does not support”), for the reasons stated above, and that “[r]egardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.”  (Emphasis supplied)  The new language, without disavowing or replacing the 2016 guidance, subtly signals to ransomware victims that the FBI will not treat ransomware victims’ complaints less seriously if they choose to pay and then report to the FBI.

The new guidance is less clear on when the FBI would like victims to report (e.g., before or after they pay a ransom).  Because it mentions in passing that reporting to law enforcement “provides investigators with the critical information they need to track ransomware attackers” (emphasis supplied), it should be construed to mean that the FBI would prefer victims to report before any payment.  So long as the FBI can encourage more victims to do so, it improves the chances of its successfully investigating and apprehending the cyberextortionists responsible.