Month: October 2018

On October 9, the Basel Institute on Governance released the results of the seventh annual Basel Anti-Money Laundering Index.  The Index Report stated that the Index “focuses on anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks, plus related factors that impact the risk of [money laundering and terrorist financing (ML/TF)], such as corruption, transparency and the rule of law.”  Key features of the Index include an overview of 129 countries, according to their respective risks of money laundering and terrorist financing; an interactive ranking that shows trends and changes in risk over time; a research-led, composite index based on public sources and third-party assessments; and an AML risk assessment tool “covering 203 countries for compliance purposes, policymaking and research (Expert Edition).”

Among the 129 countries in the Index, the 10 countries with the best (i.e., lowest) ML/TF risk scores were Finland (129/2.57), Estonia (128/2.73), Lithuania (127/3.12), New Zealand (126/3.20), Macedonia (125.3.33), Bulgaria (124.3.53), Slovenia (123/3.75), Sweden (122/3.75), Croatia (121/3.83), and Israel (120/3.84).  The 10 countries with the worst (i.e., highest) ML/TF risk scores were Tajikistan (1/8.30), Mozambique (2/8.28), Afghanistan (3/8.28), Laos (4/8.25), Guinea-Bissau (5/8.16), Myanmar (6/7.50), Cambodia (7/7.48), Kenya (8/7.42), Liberia (9/7.40), and Vietnam (10/7.37).  Among the G7 nations, France had the best risk score (113/4.12), followed by the United Kingdom (106/4.23), Germany (102/4.44), Canada (86/4.92), the United States (82/5.00), Italy (77/5.09), and Japan (75/5.11).  The BRIC nations (Brazil, Russia, India, and China) ranked as follows: Brazil (83/4.96), Russia (47/5.83), India (68/5.28), and China (40/6.02).

Overall, the Index Report was highly critical of countries’ commitment to AML:

Most countries are making little or no progress towards ending corruption and public transparency is showing signs of decline, with governments making less information available about how they manage public funds. Despite the recent surge in reporting on high-profile corruption and money laundering schemes, such as the Panama Papers, Odebrecht scandal and Global Laundromat investigation, indications are that global press freedom has declined to its lowest point in 13 years.  [Footnotes omitted]

The Report added that “[t]hese factors are known to impact negatively on the risk of ML/TF.”

The Report also included a discussion of seven key trends:

1. Little measurable progress in countering money laundering: The Report stated that 64 percent of countries in the 2018 ranking (i.e., 83 of 129) “have a risk score of 5.0 or above and can be loosely classified as having a significant risk of money laundering and terrorist financing.”  Furthermore, 42 percent of countries “have worsened their risk scores between 2017 and 2018,” and nearly 37 percent of countries “now have a worse risk score than they did in 2012.”
2. Effectiveness lags behind technical compliance: The Report stated that “[t]he overwhelming majority of countries assessed with the updated [Financial Action Task Force] methodology so far . . . have received dramatically lower scores for effectiveness than for technical compliance.”
3. ML/TF is not a standalone risk: The Report noted that the Institute’s analysis over the last seven years “has consistently shown that countries with a high risk of ML/TF share some or all” of the following six features: (1) weak public institutions, political rights, and rule of law; (2) low levels of financial/political transparency; (3) restrictions on press freedom; (4) lack of resources to control the financial system; (5) predominantly cash-based economies; and (6) high levels of smuggling activity and illegal trafficking (in drugs, humans, wildlife products, etc.).
4. No such thing as zero risk of money laundering: In the Index, no country was rated as having zero risk of ML/TF; in fact, the Index “shows an increase in the minimum risk score, from 1.78 in 2017 to 2.57 in 2018.”
5. What can we learn from low-risk countries?: The Report stated that “the list of countries with the lowest assessed risk has not changed significantly in recent years,” and listed seven characteristics s that low-risk countries typically share: (1) strong AML/CFT legislation, including on the freezing of terrorist funds; (2) “[c]ompetent authorities with the mandate and resources to investigate and prosecute ML/TF offences and issue sanctions for non-compliance; (3) “[c]omprehensive measures for domestic and international cooperation; (4) “[h]igh level of press freedom, with the media playing a central role in uncovering and reporting financial crime; (5) “[f]inancial sector highly regulated with competent supervisory authorities and minimal, if any, cash-based transactions; (6) “[h]igh levels of transparency and integrity in public institutions and businesses”; and (7) “[l]ow levels of corruption.”
6. The two main reasons behind improvements in ML/TF risk ratings: The Report noted that significant changes in the 2018 risk ratings were primarily affected by two factors: (1) countries obtaining better Financial Secrecy Index ratings due to methodology changes; and (2) exclusion of countries from the Jurisdictions of Primary Concern list in the annual U.S. Department of State’s International Narcotics Control Strategy Report.
7. Which countries have significantly worsened their scores and why: The Report stated that “Iceland, Denmark and Slovenia recorded a significantly higher risk rating in 2018 due to having been assessed using the new FATF evaluation methodology, which measures not only technical compliance but importantly emphasises effectiveness . . . .”

Note: The one Index result that appears truly anomalous at first glance, in light of recent events, is Estonia’s second-best ML/TF risk rating.  Now that the Danske Bank investigation has brought to light the potential trillion-dollar scale of money laundering through Estonia over eight years, the Institute may need to examine its methodology and data on Estonia with care when it prepares the next edition of the Index.

Companies or firms wishing to analyze the Index results in greater detail should note that the Index can be filtered by region and Gross Domestic Product.  In addition, the Institute offers a subscription-based Expert Edition of the Index that covers 203 countries.  The Institute describes the Expert Edition as “a more comprehensive and customisable country risk assessment tool. It is used worldwide by financial institutions, researchers, policymakers, compliance officers and other stakeholders to fulfil their regulatory and compliance requirements.”

On October 4, the U.S. Department of Justice announced that a federal grand jury in the Western District of Pennsylvania indicted seven defendants — all officers in the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Russian Federation’s Armed Forces — for computer hacking, wire fraud, aggravated identity theft, and money laundering.  The Department stated that according to the October 3 indictment, “beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.”

The goals of the conspiracy included publicizing stolen information “as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs.”  The GRU officers allegedly unlawfully obtained the information to be exploited in several ways.  First, three of the indicted GRU officers and unindicted coconspirators, “often using fictitious personas and proxy servers, researched victims, sent spearphishing emails, and compiled, used, and monitored malware command and control servers.”  Second,

[w]hen the conspirators’ remote hacking efforts failed to capture log-in credentials, or if the accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, teams of GRU technical intelligence officers, including [four of the defendants], traveled to locations around the world where targets were physically located.  Using specialized equipment, and with the remote support of conspirators in Russia, including [one of the defendants], these close access teams hacked computer networks used by victim organizations or their personnel through Wi-Fi connections, including hotel Wi-Fi networks.  After a successful hacking operation, the close access team transferred such access to conspirators in Russia for exploitation.

While the indictment indicates that the primary focus of the hacking and disinformation campaigns was to undermine anti-doping efforts in the aftermath of the ban of Russian athletes from the 2016 Olympic and Paralympic Games, members of the GRU team also conducted other operations apparently unrelated to the anti-doping disinformation campaign.  These included reconnaissance of Westinghouse Electric Company’s networks and personnel, and operations evidently prompted by the March 2018 poisoning of Sergei V. Skripal, a former Russian double agent who cooperated with British intelligence, and his daughter Yulia Skripal.

Those latter operations allegedly included four of the defendants traveling on diplomatic passports to The Hague in April 2018, to further “another close access operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) computer networks through Wi-Fi connections.”  Their intention thereafter was to travel to Spiez, Switzerland, to target the Spiez Swiss Chemical Laboratory.  That facility is an accredited OPCW laboratory that was analyzing military chemical agents, including the Novichok chemical agent that the United Kingdom authorities connected to the Skripals’ poisoning.  Timely intervention by the Dutch Militaire Inlichtingen- en Veiligheidsdienst (MIVD) (Defense Intelligence & Security Service) disrupted the GRU team’ efforts to hack OPCW WiFi connections, and resulted in the four team members’ being “escorted” out of the Netherlands.

Note: Even though the indictment’s principal focus is the Russian targeting of anti-doping organizations and individuals, there are a number of more general takeaways from this case that corporate compliance and information-security teams can incorporate into training courses and presentations to senior executives:

1. Foreign-government intelligence operations can and do target corporate entities for hacking and extraction of corporate data. To illustrate this point, training materials can include information from the MIVD’s public presentation about its disruption of the GRU team, such as photographs of and by the GRU team and of the hacking equipment that the MIVD found in the GRU team’ rental car.
2. Simple and well-known hacking techniques continue to be used successfully to obtain unauthorized access to corporate networks and computers. The GRU case contains multiple examples of corporate employees failing to take basic computer-security precautions, such as refraining from using insecure hotel WiFi networks or opening spearphishing emails.
3. The threat of “remote” access to corporate networks includes close access. The MIVD presentation also documents that the GRU team’ rental car, which contained equipment for hacking WiFi connections, was parked in a hotel parking lot within yards of the OPCW complex.
4. Information-security defense activities can benefit from open-source data. Shortly after the October 4 announcements by S., British, and Dutch authorities, two news organizations, Bellingcat and The Insider, reportedly used open-source databases to check the names of the GRU team defendants and identified 305 other potential GRU agents. Few information-security programs are likely to have the same amount and quality of detail about hackers’ identities and physical appearances as this case had, but review of open-source data as appropriate should always be an element of such programs.

U.S. authorities are unlikely to apprehend or try any of the defendants in this case.  The parallel and independent investigation by the Royal Canadian Mounted Police, however, may yield additional information about GRU hacking methods and techniques from which information-security and compliance teams can benefit.

On October 5, EU Observer reported that the Netherlands has invited European Union (EU) diplomats “to discuss the creation of a new sanctions regime against human rights abusers worldwide.”  The Dutch Foreign ministry reportedly floated the idea with other EU Member States in July, and an informal Dutch paper has been circulated that proposes that “[t]argeted human rights sanctions could be used against individuals acting in or misusing their official capacity and individuals belonging to non-state actors.”

The Dutch government has now scheduled a conference in The Hague for November 20 to discuss the proposal.   It invited each of the other EU Member States “to send two senior diplomats, one dealing with sanctions policy and one with human rights.”  Other invitees include the United States, Canada, Australia, and Japan, as well as an unnamed non-governmental organization and an unnamed legal scholar. The discussions, according to the Dutch invitation note, will focus on topics such as what value a human rights sanctions regime would add, which human rights violations should qualify for sanctions, and “listing/de-listing and due process.”

According to a Dutch diplomat who commented to EU Observer, these talks are meant to see whether there is enough support for the Netherlands to initiate formal EU proceedings.  The diplomat acknowledged that they expected concerns to be raised, but stated, “’We really want this to fly … we hope to have the measures in place in fewer than 12 months’ time. Ideally, before the European Parliament elections [in May 2019]’.”

Note: EU Observer reported that the concept underlying the Dutch proposal is that of the Magnitsky Act, which authorized U.S. officials to seize assets and ban the entry into the United States of Russians who were believed to have been involved in the death of Russian lawyer and whistleblower Sergei Magnitsky.  Subsequently, the United Kingdom, Canada, Estonia, Latvia, and Lithuania all used the term “Magnitsky” in adopting similar legislation.  Perhaps because Russian President Vladimir Putin and his inner circle reportedly have been so furious about the U.S. Magnitsky Act, which has since been expanded to global scope, the Dutch proposal mentioned Congo and Myanmar, but not Russia, as examples of regimes reflecting serious human rights abuses.

Sanctions observers should monitor reports on the upcoming Hague conference closely to gauge the level of traction that the proposal receives.  To date, according to EU Observer, the United Kingdom, Estonia, Latvia, and Lithuania are supportive (especially the United Kingdom), and France, Germany, and Italy have raised no objections, but “some Mediterranean states and the EU foreign service have proved reluctant.”  And Russia may well flex its economic and political muscle vigorously even before the conference, in an effort to head off an EU-wide Magnitsky regime.  Even so, support for such a regime has been building in other quarters within the EU, so the true test will be whether the Netherlands can enlist enough allies to move the proposal to formal status on the timetable the Dutch are envisioning.

On October 3, the International Court of Justice (ICJ) issued an order that directed the United States to remove any impediments arising from certain portions of the sanctions that the United States imposed on Iran on May 8, 2018.  Those sanctions related to President Donald Trump’s decision “to cease the United States’ participation in the Joint Comprehensive Plan of Action (JCPOA) [regarding Iran’s nuclear program], and to begin re-imposing the U.S. nuclear-related sanctions that were lifted to effectuate the JCPOA sanctions relief, following a wind-down period.”

The litigation arose from Iran’s July 16, 2018 application to the ICJ to institute proceedings against the United States.  The application alleged that the United States, through the May 8 and announced further sanctions, had breached various Articles of the 1955 Treaty of Amity, Economic Relations, and Consular Rights between Iran and the United States (1955 Treaty).  It requested the ICJ to order the United States “to terminate the 8 May sanctions without delay” and “immediately [to] terminate its threats with respect to the announced further sanctions.”  It also requested provisional measures requiring that the United States (1) “immediately take all measures at its disposal to ensure the suspension of the implementation and enforcement of all of the 8 May sanctions, including the extraterritorial sanctions, and refrain from imposing or threatening announced further sanctions and measures which might aggravate or extend the dispute submitted to the Court;” and (2) “immediately allow the full implementation of transactions already licensed, generally or specifically, particularly for the sale or leasing of passenger aircraft, aircraft spare parts and equipment.”

The order first found that the ICJ had prima facie jurisdiction in the case because the dispute between the Parties relates to the interpretation or application of the 1955 Treaty.  It then reviewed Iran’s claims and concluded that

at the present stage of the proceedings, some of the rights asserted by Iran under the 1955 Treaty are plausible in so far as they relate to the importation and purchase of goods required for humanitarian needs, such as (i) medicines and medical devices; and (ii) foodstuffs and agricultural commodities; as well as goods and services required for the safety of civil aviation, such as (iii) spare parts, equipment and associated services (including warranty, maintenance, repair services and safety-related inspections) necessary for civil aircraft.

The order also found that “a link exists between some of the rights whose protection is being sought and certain aspects of the provisional measures being requested by Iran,” and that the ICJ would exercise certain provisional measures because there was a risk of irreparable consequences, pertaining to humanitarian and safety concerns, before the ICJ gives its final decision.

Accordingly, the ICJ unanimously directed three provisional measures:

1. It directed the United States to remove any impediments arising from the May 8 sanctions to the free exportation to the territory of the Islamic Republic of Iran of three categories of goods and services: (1) medicines and medical devices; (2) foodstuffs and agricultural commodities; and (3) spare parts, equipment and associated services (including warranty, maintenance, repair services and inspections) necessary for the safety of civil aviation.
2. It directed the United States to “ensure that licences and necessary authorizations are granted and that payments and other transfers of funds are not subject to any restriction” insofar as they relate to the three preceding categories of goods and services.
3. It directed both Iran and the United States to “refrain from any action which might aggravate or extend the dispute before the Court or make it more difficult to resolve.”

In response, United States Secretary of State Mike Pompeo announced that the United States would terminate the 1955 Treaty.  He asserted that the ICJ had no jurisdiction to hear the matter and deemed the case “meritless.” The United States Ambassador to the Netherlands, Peter Hoekstra, seconded the Secretary’s remarks via Tweet.

Note:  As the ICJ has no power to enforce its order, its order in this case will do nothing to hamper the United States’ current and prospective imposition of Iranian sanctions.  Iran can be expected to continue to litigate the case in the ICJ for a final adjudication, which is expected to take years.  In the meantime, both sides can claim a measure of victory: Iran, for the symbolism of besting the United States in the ICJ; and the United States, for a ruling that left untouched the vast bulk of its current Iran sanctions.  Their responses yesterday, however, indicate that neither nation intends to comply with the last provisional measure, “refrain[ing] from any action which might aggravate or extend the dispute before the Court or make it more difficult to resolve.”

On October 3, a Bloomberg article reported that — according to figures that Eesti Pank (the Estonian Central Bank) provided to Bloomberg — between 2008 and 2015, banks doing business in Estonia handled about €900 billion ($1.04 trillion) “in cross-border transactions including non-resident flows.”  In light of Danske Bank’s recent admission that between 2007 and 2015 $234 billion in potentially suspicious transactions flowed through its Estonian branch, the article went on to state that that total “represents less than a quarter of cross-border transactions that passed through the country at the center of the dirty money saga.”

That same day, Eesti Pank issued a response stating that

Bloomberg erroneously said that 900 billion euros’ worth of non-residents’ payments passed through Estonia in 2008-2015. These 900 billion euros are actually the aggregate amount of cross-border payments received in Estonia and paid from Estonia. The sum includes import and export by Estonian companies as well as routine financial transactions such as securities purchases.

Eesti Bank also stated that “[c]ross-border payments certainly include non-resident flows, but the central bank does not collect separate statistics for these transactions,” and that “central bank statistics do not hold information on whether the person who initiated a payment in a foreign or an Estonian bank was a resident of Estonia or not.”

Note: This exchange between Bloomberg and Eesti Pank requires some close reading.  On the one hand, Eesti Pank’s assertion that Bloomberg said €900 billion “worth of non-residents’ payments” is simply incorrect.  The Bloomberg article stated that the €900 billion figure pertained to “cross-border transactions including non-resident flows.”  (Emphasis supplied)

On the other hand, the article’s reference to “cross-border transactions that passed through [Estonia] at the height of the dirty money saga” encourages readers to infer that the €900 billion figure reflects suspicious transactions.  The report of the Danske Bank investigation, however, clearly explained that the $234 billion figure pertained only to 15,000 non-resident customers or customers with non-resident characteristics.  Since Eesti Pank’s reply acknowledged that it could not break out non-resident flow statistics, it would be unreasonable to infer from the data in the article that the €900 billion is necessarily dirty money.

Yet that does not end the analysis.  The Danske Bank investigation report specifically stated (at page 5) that “[b]y the end of 2013, the Non-Resident Portfolio within Danske Bank’s Estonian branch held 44 per cent of the total deposits from non-resident customers in Estonian banks (up from 27 per cent in 2007) . . . .”  If that investigation was able to determine the total deposits from non-resident customers in all Estonian banks in 2013, there must be some source of data on which Eesti Bank or regulators can draw to delineate non-resident flows more precisely.

For the moment, compliance officers at financial institutions should take this exchange into account as an imprecise and unvalidated indicator of the volume of possible money laundering through Estonian banks.  At the same time, they should take the opportunity promptly to review any correspondent bank relationships they had with Estonian banks from 2007 to 2015.  Based on Danske Bank’s statement today that it is cooperating with U.S., Estonian, and Danish criminal investigations regarding its non-resident Estonian portfolio, financial institutions should expect that criminal and regulatory investigations into financial flows through Estonia will continue to widen in scope.