United Kingdom Serious Fraud Office, in Latest Blow to Its Reputation, Handed “No Case to Answer” Judgment in Tesco Executives’ Retrial

On December 5, the Times reported that earlier that day, the Criminal Division of the Court of Appeal (England & Wales) upheld a November 26 judgment in Southwark Criminal Court in London that there was “no case to answer” in the fraud retrial of two Tesco executives, refused leave for the United Kingdom Serious Fraud Office (SFO) to appeal, and ordered an acquittal.  (“No case to answer” means that there was insufficient evidence for a jury to consider with respect to the individual defendants on trial.)

The United Kingdom Serious Fraud Office had begun its investigation of Tesco PLC in 2014, after Tesco publicly reported that its profit forecast had been overstated by £250 million ($328 million).  That disclosure, according to Reuters, “wiped 2 billion pounds off Tesco’s market value and plunged the company into the worst crisis in its near 100-year history.”

In 2016, the SFO charged three individual defendants – Christopher Bush, a former United Kingdom managing director of Tesco, John Scouler, Tesco’s former UK commercial food director, and Carl Rogberg, Tesco’s former finance director – with fraud and false accounting.  In 2017, the SFO concluded a deferred prosecution agreement (DPA) with Tesco, but a judicial contempt-of-court order postponed the disclosure of the terms of that DPA until the conclusion of the trial of Bush, Scouler, and Rogberg.

The first trial of the individual defendants was called off in 2018, shortly before the jury was to hear the trial judge’s summing up of evidence, because Rogberg had a heart attack.  In the retrial, from which Rogberg was severed due to illness, the SFO reportedly argued that Bush and Scouler were “generals” who “were aware that income was being wrongly included in [Tesco’s] financial records to meet targets and make Tesco look financially healthier than it was.”  After the conclusion of the prosecution’s case, however, the trial judge, Sir John Royce, told the jury on December 5 that he had dismissed the case because he had “concluded that in certain crucial areas the prosecution case was so weak.”  The judge further stated:

You may well come to the conclusion that there was fraudulent activity taking place between the buyers [at Tesco] and suppliers to provide documentation that purported to support the recognition of income in a period in which it should not have been recognised. However, one of the major issues in this case has been whether the prosecution could prove that these defendants were party to it and did they have knowledge that improper, unlawful recognition of income was taking place.

A critical portion of the prosecution case turned on a report “into the reporting of income from suppliers, dubbed the ‘legacy paper’, [that] was prepared by Amit Soni, a Tesco finance director, and submitted to the retailer’s legal department.”  The judge characterized Soni as a “gatekeeper,” along with others in Tesco’s finance department, who were responsible for ensuring that income was being properly recognized, but noted that Soni

admitted that he did not tell Mr Bush or Mr Scouler before the legacy paper was prepared that income was being improperly recognised because “he himself did not know”, adding: “If he [Mr Soni] is the gatekeeper and a qualified accountant did not know, how could it be safely assumed that the defendants knew? You would have to be sure, not just suspicious, that they knew.”

The “no case to answer” judgment is the latest blow this year to the reputation of the SFO, coming after the High Court’s refusal to reinstate charges against Barclays Plc and Barclays Bank Plc and the SFO’s obtaining convictions on only two of six bankers being tried this summer for manipulating the Euro Interbank Offered Rate.  While Lisa Osofsky, who took office as the new SFO Director in August, has no control over prior decisions by SFO staff or the vagaries of the trial process, she must now consider whether, as the SFO put it, “to pursue a retrial in light of the judgment.”

Given the strength of that judgment and Rogberg’s reported health problems, a quick decision to seek dismissal of the charges against Rogberg is less likely to fan the flames of media attention.  The larger issue of whether the SFO should be merged into the National Crime Agency – in which Prime Minister Theresa May has been keenly interested for some time – will likely remain sidelined unless and until the Prime Minister can find a way to untie or dissever the Gordian knot of Brexit.

Irish Police Identify University Students Serving As Money Mules, As Part of Multinational European Money Mule Action Operation

On December 5, the Irish Examiner reported that in connection with the European Money Mule Action (EMMA) operation, Irish police (Gardaí) have found criminal groups using college students “to funnel millions of euros through hundreds of Irish bank accounts in the last three years.”  Many of the 420 Irish bank accounts, through which €14.6 million was reportedly laundered, belonged to students, and many of the students agreed to allow their accounts to be used for laundering funds in exchange for a few hundred euros.

Garda Detective Chief Superintendent Pat Lordan stated that because Irish anti-money laundering legislation had made it more difficult for criminals to open accounts directly, criminals designated “herders” approach college students in bats and on social media.  Some students also were solicited by responding to “work-from-home” advertisements.

In the EMMA operation, in which the Gardaí reportedly participated for the first time, the Gardaí conducted 30 interviews, froze 25 bank accounts, and seized €300,000 in cash and four cars, and four individuals were charged.

EMMA began in 2016 as a five-day enforcement action, modeled on a successful Dutch law enforcement operation.  At that time, law enforcement authorities and judicial bodies in eight European nations participated, with support from Europol, Eurojust, and the European Banking Federation (EBF).  EMMA has now become a major law enforcement operation across the European Union.

On December 4, Europol announced that the fourth and latest iteration of EMMA (EMMA 4), conducted during September through November 2018, involved 30 nations – 27 European countries as well as Australia, the United Kingdom, and the United States – along with Europol, Eurojust, and the EBF.  In EMMA 4, more than 300 banks, 20 bank associations, and other financial institutions helped to report 26,376 fraudulent “money mule” transactions, preventing a total loss of €36.1 million.  In addition, 837 criminal investigations were opened, and police forces from more than 20 States arrested 168 people as of December 4 and identified 1,504 money mules and 140 money mule organizers.  Europol particularly noted that “cases involving young people selected by money mule recruiters are on the rise, with criminals increasingly targeting financially-distressed students to gain access to their bank accounts.”

Note: University compliance and security officers at European universities should take note of this information, and use it to inform university students about these recruiting tactics and the potential consequences of serving as money mules.  In addition, European banks that are aware that they have a significant number of university students accountholders should take the opportunity, especially at branches near university campuses, to provide similar information on their premises and online.

United States Court of Appeals Rejects Bill-of-Attainder Challenge to Legislative Ban on Government Use of Kaspersky Lab Services

Information-security lawyers and consultants are unaccustomed to hearing the words “cybersecurity” and “constitutional challenge” in the same sentence.  On November 30, however, a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit, in Kaspersky Lab, Inc. v. Department of Homeland Security, unanimously affirmed the dismissal of a claim by Russian-based cybersecurity vendor Kaspersky Lab that a prospective legislative ban on the use of Kaspersky Lab hardware and software by federal departments and agencies constituted a violation of the Bill of Attainder Clause in Article I of the United States Constitution.

The basis for this legislative ban was a series of concerns that a number of executive and legislative branch officials voiced, beginning in 2017, about the risks stemming from Kaspersky’s ties to Russian intelligence and other government officials.  The first response by the U.S. Government was the issuance of a September 2017 directive by the Acting Secretary of Homeland Security (Directive) that required most federal agencies to begin removing “Kaspersky-branded products” from their information systems within 90 days.  Subsequently, after Congressional hearings in which Members of Congress and the Homeland Security Assistant Secretary for Cybersecurity expressed deep concern about Kaspersky’s Russian ties and the susceptibility of Kaspersky software to Russian exploitation, Congress included in the National Defense Authorization Act for Fiscal Year 2018 (NDAA) a section reflecting those concerns.

Section 1634 of the NDAA, as enacted, provided that beginning October 1, 2018,

No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—(1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.

Kaspersky then filed two actions in the United States District Court for the District of Columbia, separately challenging the Directive as a violation of the Administrative Procedure Act and section 1634 as a violation of the Bill of Attainder Clause, which states simply that “[n]o bill of attainder . . . shall be passed.”  The District Court dismissed the Directive action on the grounds that Kaspersky lacked standing to sue, and dismissed the section 1634 case for failure to state a claim (i.e., that Kaspersky had failed to plausibly allege that section 1634 constitutes a bill of attainder.

In his opinion for the Ninth Circuit panel, Judge David Tatel presented an elaborate analysis of the ban and the applicability of the Bill of Attainder Clause.  At the outset, he did not find that the Bill of Attainder Clause applies to corporations such as Kaspersky, but stated that the Court would continue to assume, as that Court of Appeals had done previously, to assume that it does so apply (slip opinion, p. 9).  As the critical question for all bills of attainder is whether the law imposes punishment, Judge Tatel conducted the three inquiries for Bill of Attainder analysis that the United States Supreme Court articulated in Selective Service System v. Minnesota Public Interest Research Group, 468 U.S. 841, 852 (1984):

  1. Whether the statute, “viewed in terms of the type of severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes.” On this issue, Judge Tatel held that section 1634 satisfied the standard that the nonpunitive aims of an apparently prophylactic measure were sufficiently clear and convincing.  He recognized the security of the federal government’s information systems as “the nonpunitive interest at stake” (p. 15), and stated that “[g]iven the not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought, Congress’s decision to remove Kaspersky from federal networks represents a reasonable and balanced response” (p. 17).  Noting that Kaspersky “identifies no cyber-product as vulnerable to malicious exploitation as Kaspersky’s” (p.  19), he concluded that “Congress had ample evidence that Kaspersky posed the most urgent potential threat, and this court  must give Congress “sufficient latitude to choose among competing policy alternatives,” lest “our bill of attainder analysis . . . ‘cripple the very process of legislating’” (p. 20, quoting Foretich v. United States, 351 F.3d 1198, 1222–23 (D.C. Cir. 2003)).  He concluded that section 1634 satisfied the reasonableness test.
  2. Whether the challenged statute falls within the historical meaning of legislative punishment. On this issue, Judge Tatel took note of Kaspersky’s admission that the burden that section 1634 imposed was “not precisely identical to any of the burdens historically recognized as punishment” (p. 22).  He stated that “a wide valley separates section 1634 from the small handful of statutes that courts have found to be unconstitutional bills of attainder,” adding that “section 1634 represents no more than a customer’s decision to take its business elsewhere” (p. 27).
  3. Whether the legislative record “evinces a congressional intent to punish.” On this issue, Judge Tatel concluded that Kaspersky had offered no evidence of punitive intent, and that this test did nothing to support Kaspersky’s Bill of Attainder argument (pp. 28-29).

Judge Tatel concluded that Kaspersky’s complaint failed to plausibly allege that section 1634 was a bill of attainder, and affirmed the District Court’s dismissal of Kaspersky’s section 1634 case.  With respect to Kaspersky’s Directive case, he concluded that Kaspersky had “a serious standing problem” – in part because “invalidation of the Directive alone would do nothing to help Kaspersky’s plight as long as section 1634 remains good law” (p. 31) – and affirmed the District Court’s dismissal for lack of subject matter jurisdiction.

Note: Kaspersky should be of interest to more than constitutional law scholars, at least because it demonstrates that the executive, legislative, and judicial branches are capable of playing complementary roles, within the bounds of their respective powers, in addressing potential cyber threats to government operations.  The nonpunitive interest that Judge Tatel identified, the security of the federal government’s information systems, must be of paramount concern to the government when a software vendor has putative connections to foreign governments known to engage in economic espionage or intelligence-gathering through digital means.  When such potential threats are identified – as with Kaspersky in the case of Russia, or Huawei Technologies in the case of China – executive branch officials and legislators need to have the flexibility to craft reasonable and proportional responses to those threats rather than, as Judge Tatel put it, “wait[ing] patiently for those threats to cause empirically provable consequences” (p. 17).  For its part, as Judge Tatel’s opinion demonstrates, the judiciary is entirely capable of conducting a searching analysis of the factual and policy grounds of those responses without overstepping the limits of its own authority.

United Kingdom Information Commissioner’s Office Power to Fine Company Officers for Nuisance Calls and Messages Comes into Force December 17

On December 17, the Privacy and Electronic Communications (Amendment) Regulations (2018 Regulations), which the United Kingdom Secretary of State made on November 15, will come into force.   These regulations, which amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (2003 Regulations), authorize the Information Commissioner’s Office (ICO) to impose monetary penalties on officers of corporate bodies and Scottish partnerships, in addition to corporate bodies themselves, for nuisance calls and messages.

According to the explanatory note for the 2018 Regulations, under the 2003 Regulations

the Information Commissioner may impose a monetary penalty, under the Data Protection Act 1998 as applied to, and modified by, the 2003 Regulations, for a serious breach of regulations 19 to 24 of the 2003 Regulations. The effect of the amendments made by regulation 2 [of the 2018 Regulations] is to enable the Commissioner to impose such a penalty on an officer of a body corporate or Scottish partnership in addition to the body itself, where such a breach occurs as a result of action, or inaction, by that officer.

The 2018 Regulations revise Schedule 1 of the 2003 Regulations to state that if a monetary penalty notice has been served on a body,

the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—

(a) took place with the consent or connivance of the officer, or

(b) was attributable to any neglect on the part of the officer.

They also define the term “officer” to include (a) in relation to a body corporate, (i) “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity”, and (ii) “where the affairs of the body are managed by its members, a member”; and (b) “in relation to a Scottish partnership, a partner or any person purporting to act as a partner.”  Finally, the 2018 Regulations authorize the ICO to impose a civil monetary penalty on an officer of up to £500,000 for a breach of the 2003 Regulations.

Note: The United Kingdom, like other countries, for some time has been trying to cope with the constant flood tide of nuisance calls and messages.  The Financial Conduct Authority recently stated that in the 12 months before September 2018, firms made 2.7 billion unsolicited calls, texts, and emails just for offers to help people make a claim.

The ICO has been making use of its existing nuisance-call authority to impose significant fines on corporate bodies.  It reportedly issued 26 fines totaling more than £3 million to firms, and continued to impose substantial fines in 2018,.  For example:

  • August 2018: The ICO imposed a £100,000 fine on a firm that made 75,649 nuisance calls who were registered with the Telephone Preference Service (TPS). The TPS, like the “do-not-call” list in the United States, allows people in the United Kingdom to register if they do not want to receive unsolicited sales or marketing calls.
  • October 2018: The ICO imposed a £150,000 fine on a firm that made 63,724 calls over a two-month period from May to July 2017 to people registered with the TPS.
  • November 2018: The ICO imposed fines totaling £250,000 on two firms that made nearly 1.73 million direct marketing phone calls to people registered with the Telephone Preference Service (TPS)

These fines, however, have evidently proved insufficient to stem the tide of nuisance calls and messages to United Kingdom residents.  Moreover, media reports have highlighted the fact that nearly one-half of the £17.8 million of nuisance-call fines issued to companies since 2010 has gone unpaid, as company officers evade the fines “by withholding payment, liquidating their companies and starting business again under new names.”  With luck, the ICO may be able to reverse that trend and put paid to the most unscrupulous marketers whose business models are dependent on nuisance calls.

Public Prosecution Service of Canada Suddenly Stays Major Money Laundering Case Nearing Trial

On November 28, CBC reported that during the week of November 19, a major money laundering case that the Public Prosecution Service of Canada (PPSC) was scheduled to take to trial in January 2019 was stayed (i.e., discontinued) at PPSC’s request.  A press release by the Royal Canadian Mounted Police (RCMP) briefly stated that the charges “were stayed for several reasons that materialized during the course of the file; the nature of which will not be discussed in any detail given operational sensitivities.”

Criminal charges in the case had been laid in 2017 against three defendants: Silver International Investments Ltd., a Richmond, British Columbia-based money-transfer business; Caixuan Qin, the director of Silver; and a second individual, Jain Jun Zhu.  All three defendants were charged with five counts that included laundering proceeds of a crime, possession of property obtained by crime, and failing to ascertain the identity of a client.  Government documents alleged

that organized criminals used Silver as an illegal bank to wash drug money. According to the allegations, a network of “private lenders” in Richmond lent cash from Silver to VIP gamblers recruited from China. These high-rollers visited B.C. for gambling junkets, according to these allegations, and received hockey bags full of cash.

Officials allege these loans allowed wealthy gamblers to get money in Canada, bypassing China’s tight-capital export controls, and pay back the loan through underground banks in China. The VIPs were able to buy betting chips with street-cash $20 bills, mostly at Richmond’s River Rock Casino, and later cash out with $100 bills more suitable for investment in B.C., an audit by B.C.’s gaming enforcement policy branch alleges.

The stay of the case is clearly a setback for Canadian law enforcement’s efforts against money laundering, particularly “Operation E-Pirate,” the investigation that the RCMP had been conducting since 2015 into money laundering in British Columbia.  There is no doubt that money laundering through casinos in British Columbia’s Lower Mainland (i.e., the area in and around Vancouver) has reached grave proportions over multiple years.  A 2018 report, which British Columbia Attorney General David Eby commissioned, stated that for many years, “certain Lower Mainland casinos unwittingly served as launderomats for the proceeds of organized crime.”

The stay does not appear to have imperiled Operation E-Pirate overall.  A statement by Federal Minister of Border Security and Organized Crime Reduction Bill Blair that “[w]e cannot comment further on an ongoing investigation” may indicate that E-Pirate will continue.  On the other hand, the RCMP reportedly stated that it “is reviewing the file to understand ‘its activities which contributed to this stay,” to incorporate relevant lessons and prevent this from happening in the future.”  That statement clearly suggests that the PPSC found it necessary to drop the Silver/Qin/Zhu case because of critical flaws in investigative procedures.  If that proves to be the case, as the United Kingdom Serious Fraud Office found in 2012 when it found it necessary to drop a case fatally flawed by a seriously mishandled investigation, it may take some time to repair the damage to the PPSC’s and RCMP’s reputations.