Former McGill University Health Centre Executive Sentenced to 39 Months’ Imprisonment in SNC-Lavalin Bribery Case

On December 17, 2018, a Quebec judge sentenced Yanaï Elbaz, a former McGill University Health Centre (MUHC) executive, to 39 months’ imprisonment for accepting CDN$10 million in bribes in return for helping Canadian engineering firm SNC-Lavalin win a CDN$1.3 billion building contract for MUHC. Previously, on November 26, 2018, Elbaz had pleaded guilty to receiving a bribe, breach of trust, conspiring to launder money with the former Chief Executive Officer of MUHC, Arthur Porter, and transporting or transferring the proceeds of a crime.

Elbaz had been the MUHC’s assistant director general of planning and real estate management and a member of the committee that decided which group would win the MUHC contract.  At the time of his plea, Elbaz admitted

that he supplied SNC-Lavalin with insider information that allowed it to adjust its proposal on how the project should be built. He also used the position he held, between 2007 and 2011, to influence members of a selection sub-committee by praising the consortium led by SNC-Lavalin and denigrating the only rival bid made by another consortium.

Elbaz also admitted that he violated rules intended to keep the selection process impartial by communicating with Pierre Duhaime, then-Chief Executive Officer of SNC-Lavalin, and Riadh Ben Äissa, then a vice-president of SNC-Lavalin’s construction division, prior to submission of the MUHC bid.  Subsequently, in July 2018 Äissa pleaded guilty in the case to using forged documents and was sentenced to one day in jail, given the 29-month sentence that a Swiss court had previously imposed for fraud-related charges relating to SNC-Lavalin’s business in Libya and additional time he had spent wearing a tracking device. Duhaime is now facing trial in the case in February 2019.

Note: Elbaz’s plea and sentencing is significant because it is one of the last milestones in a long-running case that Quebec authorities reportedly described “as the largest corruption fraud case in Canadian history.” Since 2012, when Swiss authorities arrested Äissa, and 2013, when the Quebec police anti-corruption unit issued arrest warrants for SNC-Lavalin executives, the record of law enforcement success in this investigation, designated as “Projet Lauréat,” can fairly be described as mixed, based on the following developments:

  • In 2014, Porter’s wife Pamela Porter, who had pleaded guilty to money-laundering charges in the case, was sentenced to two years’ imprisonment. At the time, the Montreal Gazette declared her conviction “a first legal victory for the Crown after it pressed charges against eight other individuals” in connection with the MUHC contract.
  • In 2015, Arthur Porter – who, with Elbaz, allegedly received a total of CDN$22.5 million in bribes for awarding the MUHC contract to SNC-Lavalin – died as a fugitive in Panamanian custody, having fought extradition to Quebec since his arrest in Panama in 2013.
  • In 2016, prosecutors withdrew all charges in the case against Bahamian businessman Jeremy Morris.
  • In 2017, former SNC-Lavalin financial controller Stéphane Roy was acquitted of fraud and using forged documents charges in the case, after prosecutors decided not to present any evidence against Roy.
  • In 2018, at the time of Elbaz’s guilty plea, Elbaz’s brother Yohann Elbaz – who with his brother controlled a company through which Yanaï Elbaz’s $10 million in bribes reportedly passed – was acquitted after Crown prosecutors stated that they would not prosecute Yohann on charges of conspiracy, recycling the proceeds of crime and using false documents.

Even though the convictions of Elbaz and Äissa were significant developments, the outcome of the Duhaime trial may weigh heavily in any ultimate conclusions about the success of the MUHC investigation.

Ground Services International Pays $12.3 Million to Settle New York State Fraudulent-Kickback Investigation

On December 13, 2018, the Office of New York State Attorney General Barbara D. Underwood (OAG) announced that airport ground handling company Ground Services International (GSI) had entered into a civil settlement to pay $12.3 million, for making fraudulent kickback payments intended to influence various contracts that GSI had at John F. Kennedy International (JFK) Airport and in other airports across the United States.

This settlement – the third stemming from “Operation Greased Runway,” the OAG’s ongoing investigation into the contracting and procurement processes at JFK Airport – resolves claims pursuant to New York State Executive Law Section 63(12), which prohibits “engag[ing] in repeated fraudulent or illegal acts or otherwise demonstrat[ing] persistent fraud or illegality in the carrying on, conducting or transaction of business.”  According to the OAG’s statement, its ongoing investigation “revealed that GSI expanded its business and won new contracts with two major companies, British Airways and Terminal One Group Association L.P. (‘TOGA’), while at the same time making undisclosed payments to the companies’ key executives.”

The investigation found that the then-President of GSI, Jeff Kinsella, “secretly agreed to provide an ownership interest in GSI to a senior British Airways executive who had influence over procurement decisions at the airline, while that executive was promoting GSI’s services within British Airways.”  From 2009 to 2016, Kinsella made regular payments to the British Airways executive that totaled more than $1.2 million.  During that same period, British Airways substantially expanded its business with GSI, including continuing to service Terminal Seven, which British Airways currently operates, at JFK Airport. When Kinsella sold GSI in 2016, according to the OAG, the British Airways executive received an additional payment of $3.6 million from Kinsella “for his secret ownership interest. GSI never disclosed either its payments to the executive, or the executive’s financial stake in GSI, to British Airways, the Port Authority, or any other entity in the airline industry.”

GSI also made improper payments to the then-Executive Director of TOGA, Edward Paquette, whom the OAG termed “the key decision maker with respect to the contract for ground services at JFK’s Terminal One.”  After Paquette recommended GSI for the Terminal One contract, that contract became GSI’s largest contract nationwide.  Shortly after GSI received the Terminal One contract, Kinsella began directing monthly payments to a company set up by Paquette specifically to receive the kickbacks. From 2015 through 2017, during which Paquette oversaw the contract at TOGA, GSI paid him a total of $640,000.  In 2017, as a result of Operation Greased Runway, Paquette pleaded guilty to New York State felony charges related to stealing from his employer and accepting bribes totaling $1.3 million.

The OAG also stated that GSI, while secretly making these improper payments, “made millions of dollars in profits from its contracts at Terminal One and Terminal Seven at JFK Airport with British Airways and TOGA respectively.”  As a consequence, as part of the settlement GSI acknowledged that its conduct was deceptive, improper, and compromised the integrity of business operations at JFK Airport.  In addition, GSI agreed to injunctive relief to improve its compliance and contracting processes:

GSI is required to implement and maintain an anti-bribery and corruption policy, and to train employees on that policy annually. The company will also establish an anonymous tip line where employees can report suspected violations of the policy. GSI must also submit to review by an outside audit firm, appoint a Chief Ethics and Compliance Officer, reform its internal bidding process to ensure that potential conflicts of interest are identified, and submit an annual affirmation of compliance signed either by the company’s CFO or CEO to the Port Authority Inspector General’s Office.

Note:  This settlement is a timely reminder to corporate compliance officers that bribery and corruption risks can arise domestically as well as internationally, and that failure to extend compliance anti-corruption policies and internal controls to domestic activities and transactions can have severe legal and reputational consequences.  The fact that Kinsella was able, over a nine-year period culminating in his sale of GSI in 2016, to make nearly $5 million in illicit payments to the unnamed British Airways executive indicates the severity of the deficiencies in GSI’s prior compliance regime.

Security Researcher Finds Data from Collection of 772 Million+ Email Accounts on Hacker Forum

On January 17, Troy Hunt, an independent cybersecurity researcher and Microsoft Regional Director, posted that he had found a large collection of files containing email addresses and passwords obtained in numerous data breaches, from which data were being socialized on a hacker forum.  Hunt calculated that the collection of files, located on the MEGA cloud storage service that Internet entrepreneur Kim Dotcom founded, included 1,160,253,228 unique combinations of email addresses and passwords.  After cleanup of the data, Hunt found a total of 772,904,991 unique email addresses and 21,222,975 unique passwords.

Hunt stated that he has now loaded the cleaned-up data on a website, have i been pwned?, on which he has previously loaded similar data from many other data breaches (such as Adobe and Ashley Madison), to allow members of the public to check their own online credentials against the data.  For security reasons, Hunt separated the search features for email addresses and passwords: email addresses can be searched on the have I been pwned? homepage, and their passwords at Pwned Passwords.

Note: Chief information security officers and corporate compliance officers should make use of this report in two ways.  First, in explaining to corporate officers and employees the scope and scale of cybercrime, they can cite Hunt’s calculated total of more than 772 million hacked email addresses and more than 21 million unique passwords – the largest collection of breached data that Hunt has found and loaded onto his site – as a recent instance of the volumes of data that hackers routinely work to target businesses, government agencies, and individuals.  Second, they should consider making use of have i been pwned? and Pwned Passwords in live briefing and training sessions, to show corporate employees that the need to pay attention to cybersecurity and change passwords is urgent and important.  Hunt is a highly knowledgeable and respected cybersecurity researcher, speaker, and trainer, and Fox Business reported that millions of people have used his website since its creation in 2013 to check their identifying data.

In any event, readers of this blog should check their details and, whether or not they find their data have been breached, take to heart fundamental rules of personal cybersecurity that Hunt and others have stated many times: Never reuse a password; if you have, change those passwords; and use a password manager to handle the multiplicity of your passwords.  Simple steps are still key to reducing the risk of having your personal or business data hacked and misused.

Irish Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 Becomes Law

On November 14, 2018, Irish President Michael D. Higgins signed the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 into law.  The new Act, which came into effect (other than section 32) as of November 26, 2018, transposes most provisions of the European Union’s (EU’s) Fourth Money Laundering Directive.  Some of the more significant provisions of the 2018 Act are as follows:

  • Risk Assessment: Section 10 adds a new section 30A to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, to provide that a “designated person” shall carry out a business risk assessment “to identify and assess the risks of money laundering and terrorist financing involved in carrying on the designated person’s business activities taking into account at least the following risk factors:
    • “(a) the type of customer that the designated person has;
    • “(b) the products and services that the designated person provides;
    • “(c) the countries or geographical areas in which the designated person operates;
    • “(d) the type of transactions that the designated person carries out;
    • “(e) the delivery channels that the designated person uses;
    • “(f) other prescribed additional risk factors.”

Section 30A also requires that senior management approve the business risk assessment, and that the designated person keep the business risk assessment and any related documents up to date.  Failure of the designated person to comply with section 30A’s requirements is an offense punishable by up to five years’ imprisonment.

  • Application of Risk Assessment in Applying Customer Due Diligence: Section 10 also adds a new section 30B to the 2010 Act, to require that a designated person “identify and assess the risk of money laundering and terrorist financing in relation to the customer or transaction concerned, having regard to—
    • “(a) the relevant business risk assessment,
    • “(b) the matters specified in section 30A(2) [of the 2010 Act],
    • “(c) any relevant risk variables, including at least the following:
      • “(i) the purpose of an account or relationship;
      • “(ii) the level of assets to be deposited by a customer or the size of transactions undertaken;
    • “(iii) the regularity of transactions or duration of the business relationship;
    • “(iv) any additional prescribed risk variable,
    • “(d) the presence of any factor specified in Schedule 3 or prescribed under section 34A [of the 2010 Act] suggesting potentially lower risk,
    • “(e) the presence of any factor specified in Schedule 4, and
    • “(f) any additional prescribed factor suggesting potentially higher risk.”

Failure of a designated person to document a determination under section 30B is an offense punishable by up to five years’ imprisonment.

  • Simplified Customer Due Diligence: Section 13 adds a new section 34A to the 2010 Act, to specify the criteria and process for using simplified customer due diligence for lower-risk transactions and business relationships.
  • Correspondent Relationships: Section 17 substantially revises section 38 of the 2010 Act with regard to the criteria for correspondent relationships with third-country respondent institutions.
  • Enhanced Customer Due Diligence – High-Risk Third Countries: Section 18 adds a new section 38A to the 2010 Act regarding enhanced due diligence regarding customers established or residing in a high-risk third country.
  • Enhanced Customer Due Diligence – Heightened Risk: Section 19 substantially revises section 38 of the 2010 Act regarding enhanced due diligence in cases of heightened risk.
  • State Financial Intelligence Unit: Section 21 adds a new Chapter 3A to the 2010 Act to provide for the establishment of a State Financial Intelligence Unit (FIU) within the Garda Síochána to receive and analyze “suspicious transaction reports and other information relevant to money laundering or terrorist financing for the purpose of preventing, detecting and investigating possible money laundering or terrorist financing.” It authorizes designated members of FIU Ireland to request from any person information held by that person, “for the purposes of preventing, detecting, investigating or combating money laundering or terrorist financing.”  In addition, it authorizes designated members of FIU Ireland to request in writing for any financial, administrative or law enforcement information that FIU Ireland requires in order to carry out its functions, from a designated person, a competent authority, the Irish Revenue Commissioners, and the Minister for Employment Affairs and Social Protection.  Failure of a designated person, without reasonable excuse, to comply with either type of FIU Ireland request is an offense punishable by up to three years’ imprisonment.  Finally, Chapter 3A empowers FIU Ireland to respond to requests from competent authorities and to share information with other FIUs and competent authorities.

Note: Financial institutions doing business in Ireland should already be working to implement the new legislation in their anti-money laundering (AML) policies and operations, and taking note of the Garda  Síochána’s extensive authority to operate an FIU and to demand provision of various types of information.

At the same time, financial institutions should be anticipating additional changes in Irish AML law.  On January 3, Minister for Justice and Equality Charlie Flanagan received the Irish Cabinet’s approval of the proposed Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which would transpose the EU’s Fifth Money Laundering Directive and enhance current anti-money laundering legislation.  According to the Irish Department of Justice and Equality, the bill includes the following provisions:

  • “[P]revent risks associated with the use of virtual currencies for terrorist financing and limiting the use of pre-paid cards;
  • “[I]mprove the safeguards for financial transactions to and from high-risk third countries;
  • “[B]roaden the scope of designated bodies under the existing legislation;
  • “[E]nhance the customer due diligence (CDD) requirements of the existing legislation;
  • “[P]revent credit and financial institutions from creating anonymous safe-deposit boxes;
  • “[I]nclude a number of technical amendments to other provisions of the Acts already in force.”

In addition, the bill allows for provisions which are not required by the Fifth Directive but will support the Criminal Assets Bureau and the Garda Síochána with regard to their power to access bank records and the administration of their functions in respect of AML.  Finally, according to the Department of Justice, the Department of Finance is also engaged in giving effect to certain provisions of the Fifth Directive, such as “facilitating increasing transparency on who really owns companies and trusts by establishing beneficial ownership registers” and “ensuring the creation of, and access to, centralised national bank and payment account registers or central data retrieval.”

BaFin Issues Money Laundering Act Guidance for German Financial Institutions

On December 11, 2018, the German Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin, or Federal Financial Supervisory Authority) announced that it had issued interpretations and application notes pursuant to Section 51(8) of the Geldwäschegesetz (GwG, or Money Laundering Act).  That subsection of the GwG provides in pertinent part (in unofficial translation) that BaFin shall provide the obliged (covered) entities “with regularly updated interpretative and application instructions for the implementation of due diligence and internal safeguards in accordance with the legal provisions on the prevention of money laundering and terrorist financing.”

The new guidance, downloadable here, applies to all obliged entities under BaFin’s money laundering supervision.  As BaFin  notes, those entities include “not just credit institutions, financial services institutions and payment institutions, but also life insurance undertakings, German asset management companies (Kapitalverwaltungsgesellschaften) and persons and companies that sell or convert e-money.” They also include lawyers conducting certain defined kinds of transactions for their clients, auditors, and chartered accountants.

The new guidance, according to the BaFin press release,

give concrete advice on the legal regulations that are to support the obliged entities in the implementation of their obligations.

The instructions serve to properly implement customer due diligence and internal safeguards and follow a risk-based approach. In particular, legal innovations in the interpretative guidance are explained. Thus, for example, the concept of the fictitious beneficial owner is explained concretely.  In addition, the obligations in connection with the identification of the apparent person are clarified. (Unofficial translation)

Finally, the interpretative guidance addresses developments in the market and regulations.

German financial institutions – and the lawyers who advise them or provide services that come within the scope of the GwG –should therefore pay close attention to the newly issued guidance, and determine whether the guidance warrants changes in their Anti-Money Laundering programs or internal controls.  The full text of the guidance document is 86 pages, so institutions should review it with care to identify specific points on which BaFin has provided guidance for the first time or which may raise complex legal or compliance issues.