Decisionmaking Before and During Disasters: Some Lessons for Compliance Officers

In the immediate aftermath of Hurricane Florence, one question that has recurred in media reports – as it often has after other natural disasters – is why people stayed in their homes and neighborhoods and risked harm to themselves or their families, rather than flee to safety when they had time to do so.  Television or newspaper accounts of a family clinging to a tree to avoid being swept away by floodwaters, or of a mother whose infant son was torn from her grasp when she tried to drive through a flooded street, often prompted reactions of sympathy, along with critical and judgmental questions along the lines of “What were they thinking?”

Compliance officers who are newly hired to build or rebuild corporate compliance programs after a major compliance failure might have similar reactions.  When they learn that executives at their firm, over multiple years, paid tens of millions of dollars in bribes to secure business or to evade U.S. sanctions, or allowed accounts at the firm to be used to launder hundreds of millions of euros, their first thought might also be, “What were they thinking?”

In both cases, however, that question should be factual rather than rhetorical.  Disaster experts and compliance experts alike need to understand the thought processes that prompt people in risky situations to make decisions that put them at greater risk.  In fact, how people make decisions before and during disasters may be critically influenced by the same factors that can influence corporate employees who are tempted (or expected or pressured) to participate in improper or illegal activity.

Those factors, as risk expert Robert J. Meyer recently explained in a Washington Post essay, are “cognitive biases that lead people to underplay warnings and make poor decisions, even when they have the information they need.”  A number of those biases that Meyer – a co-director of the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania – identified can also be found in corporate settings:

Overconfidence Bias: This bias, simply defined, “is the tendency people have to be more confident in their own abilities, such as driving, teaching, or spelling, than is objectively reasonable. This overconfidence also involves matters of character.” In Hurricane Sandy in 2012, Meyer wrote, East Coast residents “knew all too well that a storm was at their doorstep and that many people would be affected – they just thought it wouldn’t affect them.”  Studies have shown “that, even when reliable information about probable danger is available, it is difficult to effectively warn large populations that cannot directly perceive the danger associated with a disaster. If a storm warning is at all vague, people will underestimate the threat and be less likely to heed evacuation orders.” In addition, “the longer people have lived in an area, the less likely it is that they will evacuate, in part because they have successfully ridden out past hurricanes.”

Overconfidence bias is widely prevalent in the business world, including decisionmaking on matters of finance and investment.  As Meyer noted, overconfidence bias “also involves matters of character.”  For example, what Harvard Business School Dean Nitin Nohria calls “moral overconfidence” is evident when there is a gap “between how people believe they would behave and how they actually behave.”  That gap, Dean Nohria wrote, “tends to be most evident in high-pressure situations, where there is some inherent ambiguity, when there are competing claims on our sense of right and wrong, and when our moral transgressions are incremental, taking us down a slippery slope.”  Discussing proposals to expand or retain business in higher-risk markets, especially if the company is suffering declining profits or other reversals, can reflect all of those factors.

“Herd Thinking”/Social Proof: Meyer also noted the effects of “herd thinking” in compounding the problem.  “Herd thinking” is a colloquial term for the cognitive bias that social psychologists term “social proof” or “conformity bias.”  Social proof, as Professor Robert Cialdini wrote in his seminal work Influence: The Psychology of Persuasion, is “the tendency to see an action as more appropriate when others are doing it.”  In the case of Hurricane Sandy, Meyer wrote that residents who looked around before the storm “and [saw] that few others were making preparations . . . felt no social pressure to do more.”

Social proof can also influence people in corporate settings.  For example, if one or more meetings are held to discuss and implement a proposal for a course of action that is improper or illegal, and no one speaks up to challenge the improper course of action, participants who have doubts may remain silent when they see that no one else is speaking against the proposed action.

Inertia and Simplification/Normalcy Bias: Meyer also singled out inertia and simplification as

enemies of sound decision-making.  When we are unsure of what to do in the face of an incoming storm, we tend to stick to the status quo — doing nothing. If we are uncertain about when to evacuate, we tend not to evacuate at all. And we tend to simplify our course of action, selectively focusing on a few factors. . . . Before Hurricane Sandy, for example, 90 percent of residents secured supplies — but typically only enough to get them through a single day without power. Again, most failed to make evacuation plans.

This “status quo” tendency has also been labeled “normalcy bias,” for situations in which people in imminent or immediate danger “freeze” or wait to consult with multiple other people rather than acting immediately to flee that danger.  As journalist Amanda Ripley documented in her book The Unthinkable, the consequences of normalcy bias in those situations are often fatal.

Corporate executives and employees who are caught up as intracorporate misconduct becomes more severe may also display inertia or normalcy bias.  Especially if they believe that their in-house mechanisms for reporting misconduct are untrustworthy or ineffective, they may default to acting as if there is no heightened or imminent risk to themselves or their company, and keep on with “business as usual.”  Or they may simplify their responses by taking only half-hearted steps – perhaps talking to one or two colleagues or family members – rather than decisive action to separate themselves from the misconduct.

To overcome the effects of these biases and situational factors in disaster situations, Meyer maintained that “[t]he key to better preparedness is not to eliminate those biases – a hopeless task, since they’re part of who we are – but to design measures that anticipate biases.”  Here are some possible approaches to anticipating biases in disaster or business scenarios:

Overconfidence Bias: Two techniques have successfully reduced overconfidence bias, according to Professor David Myers in his book Exploring Social Psychology. One “is prompt feedback on the accuracy of [people’s] judgments.”  For impending natural disasters, that may mean communications at the town or neighborhood level from credible sources – local weather forecasters, emergency-management teams, or police – to convey to residents in specific terms that the danger for them is real.  When a National Weather Service meteorologist, the day before Hurricane Katrina made landfall, issued a warning for the New Orleans area that described the probable dangers in highly specific and graphic terms, that warning was later deemed “the most dire—and effective—weather forecast ever issued by the National Weather Service.”

To address risky corporate situations effectively – say, a proposed entry into a new market in which bribery of national government officials is common – corporate compliance officers need to take two types of actions.  First, they should make efforts to attend every meeting in which senior executives are discussing or preparing to implement a plan that could involve improper or illegal conduct, to ensure that compliance risks are neither ignored nor downplayed.  Second, both in and outside those meetings, they need to engage with participating executives and refute, with specific examples from prior enforcement actions, any assumptions that the planned course of action presents little or no compliance risk.

The other, Professor Myers wrote, relates to the fact that “[w]hen people think about why an idea might be true, it begins to seem true . . . .  Thus, another way to reduce overconfidence is to get people to think of one good reason why their judgments might be wrong, forcing them to consider why opposing ideas might be right . . . .”  For impending disasters, that could mean using local media and community meetings with local officials to confront “we-can-ride-it-out” beliefs with information as specific as possible on the impending disaster’s likely impact in that community – perhaps even supplemented with examples of people in previous disasters who came to regret their “ride-it-out” decisions.  For corporate situations, that could mean compliance officers talking with key participants in a risky course of action about what those participants believe to be non-risky decisions and actions, and pointing out information that would support opposing ideas and recommendations.

“Herd Thinking”/Social Proof: To combat “herd thinking” or social proof-based decisionmaking by people before disasters, officials should use public-service messages and community-meeting talks that call attention to that particular bias.  One example would be, “Folks, don’t assume that just because others in your community are talking about staying, that’s the right decision for you and your families.  Talk with your neighbors and friends all you want, but in the end make your decision based on the latest information, not assumptions about what others are doing and why.”

A similar approach can work in corporate environments.  Compliance training, for instance, can include guidance to employees that says, “If you hear or see something that you feel in your gut is wrong, trust your first instincts and talk about it with someone – your manager or our ethics line.  Don’t assume that because no one else is speaking up about it, no one shares your concerns.”

Inertia and Simplification/Normalcy Bias: To combat inertia, Meyer recommended that governments “work hard to persuade people to develop precise preparedness plans that include a shopping list of supplies and exact plans for when and where to evacuate, should that be necessary.” To combat simplification, he similarly urged officials to present people with short lists of the most important preparation measures they should take.

In corporate settings, compliance officers need to supplement in-house compliance training and messaging to employees in two ways.  First, the training and messaging should convey that the need for employees to speak up or report misconduct is even greater when it appears that that misconduct is well underway.  Second, it should set clear priorities for how employees should report when that misconduct is advanced (i.e., directing an employee to notify a senior compliance officer rather than consulting his or her immediate supervisor or reporting through conventional whistleblower reporting channels).

This discussion cannot do justice to all of the cognitive biases and influences that can affect business decisionmaking and compliance.  It should indicate, however, why compliance officers need to pay closer attention to cognitive biases, and see that their compliance programs move beyond “check-the-box” policies and conventional internal controls to operationalizing measures that can counteract or reduce the influence of those biases.

Danske Bank Publishes Investigations Report on Suspicious Transactions Through Its Estonian Branch, As Bank’s CEO Resigns

On September 19, Danske Bank issued the report of its internal investigations into reported use of its Estonian branch between 2007 and 2015 by non-residents of Estonia for money laundering.  The most dramatic finding in the report, prepared by a Danish law firm, was that during that period, approximately €200 billion ($234 billion) in potentially suspicious transactions flowed through that branch.

The report set forth ten principal findings:

  1. A series of major deficiencies in the bank’s governance and control systems made it possible to use Danske Bank’s branch in Estonia for suspicious transactions.
  2. From Danske Bank’s acquisition of Sampo Bank (including Sampo’s Estonian branch) in 2007 until its termination of the customer portfolio in 2015, Danske Bank “had a large number of non-resident customers in Estonia that we should have never had, and [who] carried out large volumes of transactions that should have never happened.”
  3. “[O]nly part of the suspicious customers and transactions were historically reported to the authorities as they should have been.”
  4. “[I]n general, the Estonian branch had insufficient focus on the risk of money laundering, and branch management was more concerned with procedures than with identifying actual risk.”
  5. “[T]he Estonian control functions did not have a satisfactory degree of independence from the Estonian organization.”
  6. The Estonian branch “operated too independently from the rest of the [Danske Bank] Group with its own culture and systems without adequate control and management focus from the Group.”
  7. “[T]here is suspicion that there have been employees in Estonia who have assisted or colluded with customers.”
  8. “[T]here have been breaches at management level in several Group functions.”
  9. “[T]here were a number of more or less serious indications during the years, that were not identified or reacted on or escalated as could have been expected by the Group.”
  10. “[A]s a result, the Group was slow to realise the problems and rectify the shortcomings. Although a number of initiatives were taken at the time, it is now clear that it was too little and too late.”

The report also highlighted the composition of the Estonian branch’s customers:

  1. Approximately 10,000 customers belonged to the non-resident portfolio. To ensure that all relevant aspects were covered, the investigation covered “a total of around 15,000 customers with non-resident characteristics (that is, a further 5,000 customers).”
  2. Those 10,000 customers “carried out a total of around 7.5 million payments.”
  3. “The around 15,000 customers carried out a total of around 9.5 million payments.”
  4. “For all of the customers covered by the investigation, that is, around 15,000 customers, the total flow of payments amounted to around EUR 200 billion.”

The investigation analyzed “a total of some 6,200 customers found to have hit the most risk indicators. Of these, the vast majority have been found to be suspicious.” Overall, the bank “expect[s] a significant part of the payments to be suspicious.”

The bank also addressed disciplinary measures it had taken against current and former employees.  It stated that “[m]anagement has taken all the steps necessary vis-à-vis the employees and managers involved in Estonia and Denmark in the form, among other things, of warnings, dismissals, loss of bonus payments and reporting to the authorities, but we do not comment on individuals[.] The majority of these employees and managers are no longer employed with Danske Bank.”  The bank added that the investigation “has established that the Board of Directors, the Chairman and the CEO did not breach their legal obligations towards Danske Bank.”

The bank announced at least 16 remedial measures it had taken or was taking in response to the findings:

  1. The bank “will serve only subsidiaries of our Nordic customers and international customers with a solid Nordic footprint.
  2. “Governance and oversight in relation to the Baltics have been strengthened with the introduction of a new pan-Baltic management.
  3. “The independence of control functions in the Baltics has been strengthened and processes and controls have been raised to Group level to ensure the same level of risk management and control as in other parts of the Group.
  4. “The Baltic units have been migrated to a single shared IT platform, which enables increased transparency and oversight.”
  5. A quadrupling of the staff dedicated to combat financial crime that “now totals 1,200 full-time employees.”
  6. Initiation of a comprehensive AML program, “which has led to major changes in the form of new organisational structures, new routines and procedures, as well as the implementation of new IT systems.”
  7. Strengthening of “the compliance knowledge and culture across the organisation, among other things through a strong management focus and extensive mandatory training.”
  8. Implementation of “risk management and compliance in performance agreements of all members of the Executive Board and senior managers.”
  9. Strengthening of the whistleblower function “by transferring the responsibility for investigating reports to Group Compliance and implementing a stronger governance setup to handle reports,” and introduction of mandatory training about the whistleblower system.
  10. General strengthening of the three lines of defense, “which also includes ensuring increased independence of control functions and making sure that whistleblower reports and correspondence with supervisory authorities form part of reporting to the Board of Directors.”
  11. Recruitment of a new Chief Compliance Officer “with broad international experience.”
  12. Implementation of the extra Basel Pillar II capital requirement of DKK 5 billion and increase of the target for the total capital ratio to more than 19 percent.
  13. A Group assessment of management and governance in the Estonian branch.
  14. “Integration of compliance as a fundamental part of our culture at all levels.”
  15. “New initiatives and procedures to ensure that indications of potentially problematic issues are sufficiently investigated, escalated in a timely manner and handled effectively.”
  16. Plans to establish a central unit at Group level “to ensure transparency and completeness in Danske Bank’s interaction with the FSA and due, timely and qualified reporting.”

Notwithstanding the bank’s conclusion that its Chief Executive Officer (CEO), Thomas Borgen, had not breached his legal obligations to the bank, Borgen announced, in a coordinated release, that he intended to resign as CEO.  Although the investigation “concludes that I have lived up to my legal obligations,” he said, “I deeply regret” that the bank “has failed to live up to its responsibility in the case of possible money laundering in Estonia.”

Note: The reported total of €200 billion vastly exceeds all prior estimates of suspected money laundering transactions that flowed through the Estonian branch.  Not surprisingly, public officials were quick to react to the report with concern.  Danish Prime Minister Lars Lokke Rasmussen said that he was “shocked” and that the numbers were “of an astronomical magnitude.” The European Commissioner for Justice, Věra Jourová, described the situation as “the biggest scandal, which we have now in Europe,” and said that “she would summon ministers from Denmark and Estonia to explain how Danske Bank executives and regulators missed the scandal.”  In addition, the head of Denmark’s Financial Supervisory Authority (FSA), Jesper Berg, stated that the FSA was reopening the investigation of Danske Bank that it had “initially” closed in May 2018.

Borgen’s resignation and the unknown number of terminated employees that the bank mentioned are only a portion of the departures from Danske Bank over the last six months.  In April, the bank board member responsible for business banking as well as Estonia resigned, and the head of wealth management reportedly “decided to leave after being with the bank since 1999.”  In July, the head of group compliance resigned, while specifying his resignation was unconnected to the Estonian branch investigation.

Speculation has already begun about the potential financial penalties that Danske Bank could receive if regulators find that it has engaged in wrongdoing.  According to Business Insider, the estimates range from US$630 million (by the Danish government) to US$2.3 billion (Credit Suisse) to US$8.3 billion (by a key competitor of Danske Bank).  Those estimates, however, do not make clear whether they take into account the interests of other nations through whose financial systems some of the suspicious transactions may have flowed.  According to the Wall Street Journal, the U.S. Department of Justice, Securities and Exchange Commission (SEC), and Office of Foreign Assets Control have been investigating Danske Bank since a whistleblower filed a complaint with the SEC more than two years ago. A Danish member of the European Parliament said that he had spoken with the U.S. Department of the Treasury in July 2018 and that “there is no doubt that they also follow the Danske Bank case closely.”

Aggressive pursuit by all three of those agencies – and perhaps involvement by United Kingdom or French authorities — could substantially expand the scope and scale of Danske Bank’s ultimate criminal or regulatory liability.  Although the bank will likely emphasize its recent remedial measures, including compliance improvements, in any dealings with those agencies, its acknowledged compliance weaknesses over nearly a decade and its tardiness in responding effectively may weigh heavily in any resolution of potential criminal or civil charges.

In the meantime, the Danske Bank investigation report is a treasure trove for compliance officers, who can use it as a basis for comparison with their own compliance programs and incorporate information from the report into their compliance training.  The very fact that Danske Bank felt compelled to announce at least 16 remedial measures indicates the vast extent of the compliance flaws and weaknesses that may continue to cost the bank dearly, but that may help other financial institutions to avoid repeating its mistakes.

FINMA Finds Significant AML Deficiencies at Credit Suisse, Requires Additional Compliance Measures

On September 17, the Swiss Financial Market Supervisory Authority (FINMA) announced that it had concluded two enforcement procedures against Credit Suisse AG for deficiencies in its anti-money laundering (AML) procedures.  The first enforcement procedure stemmed from FINMA’s investigations since 2015 into several banks with regard to suspected corruption involving the Fédération Internationale de Football Association (FIFA), the Brazilian energy company Petrobras, and the Venezuelan state-owned oil and natural gas company Petróleos de Venezuela, S.A. (PDVSA).  FINMA then commissioned an investigation “to establish the relevant facts at Credit Suisse” for the 2006-2016 period, and launched an integrated enforcement procedure due to the commonalities between the three cases.

Through this enforcement procedure, FINMA determined that Credit Suisse “had infringed its anti-money laundering supervisory obligations in all three instances.”  It found five types of “shortcomings” that occurred repeatedly over a number of years (mostly before 2014): (1) Identifying the client; (2) determining the beneficial owner; (3) categorizing a business relationship as posing an increased risk; (4) performing the necessary clarifications upon increased risk plus associated plausibility checks; and (5) documentation.

Each of these shortcomings ties back to the importance of comprehensive access to and review of client data.  FINMA stated that “[t]o combat money laundering effectively, every relevant department within the bank must be able to see all the client’s relationships with the bank instantly and automatically.”  While it credited Credit Suisse with making progress in implementing such a “single client view,” it found that “this overview is still to be extended outside the Compliance unit. This results in organisational weaknesses in addition to the contraventions of anti-money laundering provisions.”

The second enforcement procedure focused on the management of what FINMA described as “a significant business relationship for the bank with a politically exposed person (PEP)” who was a client relationship manager.  This investigation led to FINMA’s identification of shortcomings in compliance with AML due diligence obligations.

FINMA was specifically critical of Credit Suisse on this point:

The bank was too slow to identify and treat the PEP client as posing increased risks. Moreover, the due diligence and corresponding documentation relating to the business relationship were incomplete. The bank failed to meet its heightened due diligence obligations regarding investigation, plausibility checks and documentation regarding the client and certain related high-risk transactions.

FINMA also stated that this case revealed weaknesses in Credit Suisse’s organization and risk management.  Notwithstanding the fact that the manager in question “was very successful in terms of assets under management,” it said that he “breached the bank’s compliance regulations repeatedly and on record over a number of years. However, instead of disciplining the client manager promptly and proportionately, the bank rewarded him with high payments and positive employee assessments. The supervision of the relationship manager was inadequate due to this special status.”  FINMA established that Credit Suisse “had failed to adequately record, contain and monitor the risks arising over a number of years from the PEP business relationship and the responsible (and since criminally convicted) client relationship manager.”  As a result, it “identified both organisational deficiencies (in terms of allocation of responsibilities, supervision and control) and a lack of effective corrective intervention,” and concluded that the bank’s risk management “was not appropriate in this instance.”

FINMA next addressed the issue of measures that it would require to strengthen Credit Suisse’s AML compliance.  It gave credit to the bank for taking certain measures since 2015 and for cooperating with FINMA.  Even so, it required the bank to take two sets of additional measures “designed to further improve the bank’s governance, organisation and risk management in the wealth management business.”  First, with regard to the shortcomings identified in the second procedure, it directed Credit Suisse to “remediate the relevant control systems and processes, and so prove that higher-risk business relationships and transactions are adequately detected, categorised, monitored and documented.”  Second, with regard to the shortcomings in the first procedure, it stipulated that the bank “must have implemented the ‘single client view’ for all relationships and for all relevant functions by the end of 2019.”  Finally, it stated that it would appoint an independent third party to review the implementation of the specified measures, including the measures initiated since 2015, [and] their adequacy and effectiveness.”

Note: These actions by FINMA represent the second significant enforcement reproof of Credit Suisse’s financial-crimes compliance program this year.  Just over two months ago, a Hong Kong-based subsidiary of the bank entered into a resolution with the U.S. Department of Justice and the Securities and Exchange Commission for its role in a corrupt scheme between 2007 and 2013 to win banking business by providing employment to friends and family of Chinese officials.  That resolution included a criminal penalty and disgorgement and prejudgment interest totaling more than $77 million.  In addition, in January 2017, Credit Suisse reached a separate civil resolution with the Justice Department requiring it to pay a total of $5.28 billion related to its conduct in the packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities between 2005 and 2007.  The combination of these enforcement resolutions over a 19-month span is likely to heighten the scope and intensity of regulatory scrutiny of Credit Suisse’s compliance program in multiple jurisdictions.

The breadth of the FINMA findings and compliance improvements also provides compliance officers at other global financial institutions with a template against which they can compare their own AML programs and test for potential deficiencies.  Given the level of maturity of AML regulation at the national and international levels, no leading financial institution can afford to operate a compliance program with significant flaws in customer identification, beneficial-ownership due diligence, AML risk assessment, or customer and transaction documentation, let alone in all of those areas.  Nor can they afford to turn a blind eye to criminal or civil violations by any executive or manager just because he is a “top producer.”   Law enforcement and regulatory agencies will continue to regard consistent enforcement of a corporate AML program, as with other financial-crimes enforcement programs, as essential to demonstrating the program’s success and effectiveness.

Brazilian Police Seize $16.5 Million in Cash and Luxury Watches from Teodorin Obiang Party

For some members of the ultra-wealthy, daily living has become exceptionally frustrating.  Take the case of Teodorin Obiang, First Vice President of Equatorial Guinea and son of the country’s President Teodoro Obiang.  As befitted the son of a man in permanent contact with God, and the heir-apparent in a country blessed with vast oil revenues, Obiang was once able – despite his modest salary of $6,500 a month while serving as the country’s Minister of Forestry and Agriculture — to indulge freely in the good things in life: a Malibu, California mansion costing more than $30 million, homes on at least three other continents, numerous luxury cars, the $20 million art collection of the late Yves St. Laurent, and a Gulfstream jet, to name a few.

In the last decade, however, Obiang has been increasingly beset with vexing demands by various governments:

  • In 2011, French authorities seized a brace of Obiang’s luxury cars, which were later auctioned off after a French appeals court found “sufficient indications to believe that all the vehicles were acquired through the misappropriation of funds.”
  • In 2012, French authorities seized Obiang’s €107 million mansion near the Champs-Élysées, as well as many of its contents (e.g., a Rodin statue, 300 bottles of wine worth €1 million and art works from the St. Laurent collection), and obtained an international arrest warrant for Obiang.
  • In 2014 — in the face of allegations that he used “relentless embezzlement and extortion [to] shamelessly loo[t] his government and [shake] down businesses in his country to support his lavish lifestyle” — Obiang agreed to relinquish assets totaling more than $30 million (including the Malibu mansion) to resolve civil forfeiture cases that the U.S. Department of Justice had brought in 2011.
  • In 2016, Swiss authorities seized 11 of Obiang’s luxury cars, despite Obiang’s explanation that the cars were only in Switzerland for repairs, and Dutch authorities seized his $120 million luxury yacht at the request of Swiss authorities investigating Obiang for money laundering.
  • 2017 proved even more disruptive to Obiang’s lifestyle. In October, he was convicted in absentia in a French court on corruption- and embezzlement-related charges and handed a three-year suspended sentence and confiscation of more than €100 million of his assets in France, including the Paris mansion.  The conviction and sentence occurred not long after a South African court approved the seizure of his multimillion-rand South African beach cottage.

The latest source of frustration for Obiang was the reception he and his party received when flying into Brazil last week.  Brazilian federal police reportedly found $1.5 million in cash in one bag and watches worth an estimated $15 million in another, and seized the cash and watches.   Even though an Equatorial Guinea diplomatic source later explained that “the money was to pay for medical treatment Obiang was to undergo in São Paulo,” and Obiang was accustomed to traveling with suitcases filled with cash, Brazilian law inconveniently forbids individuals from entering Brazil with more than 10,000 reais ($2,417) in cash.

In a subsequent meeting with the Brazilian Ambassador to Equatorial Guinea, Equatorial Guinea’s Foreign Minister Simeón Oyono expressed concern about Obiang’s treatment, referring obliquely to “behaviour which could disturb the good health enjoyed by the ties of friendship between the two States, peoples and governments.”  Oyono’s concern is understandable.  At this rate, if more countries are minded to follow the American, French, and Swiss examples, certain other governments may be concerned if their ultra-wealthy officials are unable to retain, transfer, or transport their assets merely because they have provably engaged in grand corruption, embezzlement, or money laundering.

Office of Foreign Assets Control Designations Highlight Compliance Risks from North Korean Involvement in Information Technology Sector

On September 13, the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) announced three North Korea-related sanctions designations. OFAC stated that the designations against two entities and one individual – China-based Yanbian Silverstar Network Technology Co., Ltd. (“China Silver Star”), China Silver Star’s North Korean Chief Executive Officer Jong Song Hwa, and its Russia-based sister company, Volasys Silver Star – “targets the revenue North Korea earns from overseas information technology (IT) workers.”

The Treasury Department described China Silver Star as “nominally a Chinese IT company, but in reality . . . managed and controlled by North Koreans[,]” that as of mid-2018, “had earned millions of dollars from collaborative projects with Chinese and other companies.”  It also explained that Volasys Silver Star was created in early 2017 “as a Russia-based front company” by a North Korean IT worker and employee of China Silver Star.  As of early 2018, Volasys Silver Star employees, “many of whom had moved to Russia from China Silver Star, had earned hundreds of thousands of dollars in under a year.  Although nominally run by a Russian individual, Volasys Silver Star is also in fact managed by North Koreans.  As its CEO, Jong Song Hwa set company goals for China Silver Star, and he controls the flow of earnings for several teams of developers in China and Russia.”

Earlier this summer, on July 23, the U.S. Department of State, with OFAC and the U.S. Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE), issued an advisory “to highlight sanctions evasions tactics used by North Korea that could expose businesses – including manufacturers, buyers, and service providers – to sanctions compliance risks under U.S. and/or United Nations sanctions authorities.”  The advisory warned that “[b]usinesses should be aware of deceptive practices employed by North Korea in order to implement effective due diligence policies, procedures, and internal controls to ensure compliance with applicable legal requirements across their entire supply chains.”

The advisory set out a list of five factors that are potential indicators of goods, services, and technology with a North Korean nexus, including the following statement regarding IT services:

North Korea sells a range of IT services and products abroad, including website and app development, security software, and biometric identification software that have military and law enforcement applications. North Korean firms disguise their footprint through a variety of tactics including the use of front companies, aliases, and third country nationals who act as facilitators. For example, there are cases where North Korean companies exploit the anonymity provided by freelancing websites to sell their IT services to unwitting buyers.

It also included a list of potential indicators of North Korean overseas labor, as the North Korean government “exports large numbers of laborers to fulfill a single contract in various industries,” including IT services.  It noted that in 2018-2018 North Korean laborers working on behalf of the North Korean government were present in 41 listed countries and jurisdictions.

The advisory also briefly discussed due diligence best practices.  It stressed that “[b]usinesses should closely examine their entire supply chain(s) for North Korean laborers and goods, services, or technology” and included crosslinks to DHS and OFAC recommendations for due diligence practices and potential mitigating factors.  It summarized the penalties for individuals and entities for sanctions violations and enforcement actions, as well as activities that could result in OFAC designation.

Probably because of the mention of IT companies in the State Department advisory, Treasury Secretary Steven Mnuchin stated in the OFAC announcement that “Treasury is once again warning the IT industry, businesses, and individuals across the globe to take precautions to ensure that they are not unwittingly employing North Korean workers for technology projects by doing business with companies like the ones designated today.”

Note:  Corporate compliance officers need to take note of these latest designations, and recognize that North Korea poses an even broader range of financial-crime risks to U.S. companies than money laundering or cyberattacks and network intrusions.  Two separate Executive Orders were applied in these designations: Executive Order 13722, which applies to individuals or entities that have engaged in, facilitated, or been responsible for the exportation of workers from North Korea, including exportation to generate revenue for the Government of North Korea or the Workers’ Party of Korea; and Executive Order 13810, which applies in pertinent part to individuals or entities operating in the IT industry in North Korea.

Compliance officers therefore need to take pains to ensure that their sanctions compliance programs, especially their supply-chain due diligence processes, are demonstrably effective in addressing any potential engagements with IT companies.  Slipshod due diligence or inconsistently operating internal controls that fail to detect North Korean connections could well result in enforcement actions relating to either or both of those orders under Title III of the Countering America’s Adversaries Through Sanctions Act (CAATSA).  Moreover, lack of vigilance in North Korea sanctions compliance on all fronts could have long-term geopolitical consequences.  As Treasury pointed out in its announcement, the United Nations Security Council acknowledged in its Resolution 2397 (2017) “that the revenue generated from North Korean workers overseas contributes to North Korea’s nuclear weapons and ballistic missile programs.”