Law Students Need More Exposure to Compliance Technologies

In a March 26 article in Les Echos, Clara Le Stum reported on the general absence of exposure to new technologies, such as artificial intelligence (AI) and blockchain, in French legal studies.  As Professor Bruno Dondero of the Sorbonne Law School/Paris 1 stated, “It is remarkable that when I ask an amphitheater of 300 third-year students who has previously heard the term ‘legaltech’ . . . only one student raises their hand.”

Although legal professionals agree that legal technologies are too little discussed in French law schools, Le Stum noted that “justice is moving fast towards digital technology and the new technologies strongly impact the uses, the practice, and the professions of the law.”  She rightly recognized that law students must be sensitized to technological developments “without becoming computer experts.”  Professor Dondero’s approach is “to make as many references as possible to new technologies in his classes.”  In his words, “Teachers and students have a duty to be vigilant about what becomes possible with new technologies.”

Another approach that Le Stum highlights is the “LAB,” a project of the Paris School of Law (EFB) that offers “a mandatory module for all new promotions to make them aware of the digital transformation of their profession.”  As Alexis Deborde, LAB’s pedagogical manager, explained, “We help future lawyers to adopt digital tools so that they are better and more productive, we put them back in the 21st century.” But Deborde also recognizes that “it is only at the end of their law studies, when they are about to be a lawyer, that they are given keys to practice in another way.”

In general, American law schools appear more attuned to the need to integrate information about new technologies into their curricula.  For example, at the law school where I teach, Georgetown University Law Center, the curriculum for J.D. students addresses AI in multiple courses on the law of AI and robotics, and addresses blockchain in multiple courses about derivatives law and regulation, technology policy, and FinTech law.  Georgetown is hardly alone in that respect.  Duke Law School, for example, not only has several courses on AI and the law and a Law & Policy Lab on blockchain, but also a university-wide Blockchain Lab in which students, professors, and professionals participate.

In one branch of the curriculum, however, law schools everywhere need to ensure that law students are introduced to new technologies.  That branch is courses and seminars dedicated to corporate-compliance issues.  Many courses that focus on key areas of compliance, such as anti-money laundering, bribery and corruption, and sanctions, are taught by practitioners who provide excellent coverage of the legal, policy, and ethical issues associated with those areas.  But they often do not do enough to inform students about the roles that new technologies play in corporate compliance, or to sensitize them to the ethical and compliance issues that those technologies can pose.

Once they graduate, many students will enter private law firms or consulting firms, in which they may soon be called on to assist in representing corporate clients with serious compliance issues.  To function effectively as lawyers in those environments, they must know how AI and other digital systems need to be designed and operate to meet compliance, legal, and ethical obligations.

For that reason, law schools here and abroad should review their compliance-related courses and seminars, and prevail on professors teaching those courses to include specific information about new technologies in those courses.  At law schools such as American, Columbia, Harvard, and Stanford, law students are already demonstrating the keenness of their interest in new technologies by forming student associations dedicated to AI, blockchain, FinTech, and legal technology, and by supporting law school websites dedicated to such topics.  The earlier in their law school careers that law students can integrate legal, ethical, and technological knowledge and understand the real-world implications of that collective knowledge, the better equipped they will be as lawyers to meet the increasingly complex needs of their clients.

After A Spate of Adverse Publicity on Swedbank’s Involvement with Money Laundering, Swedbank Board Fires Its CEO

Since February, leading Swedish bank Swedbank has experienced a spate of adverse media coverage relating to the Danske Bank money-laundering scandal.  That coverage built gradually, then surged with particular intensity in the past week, culminating in today’s firing of Swedbank’s Chief Executive Officer, Birgitte Bonnesen:

February: Swedish Television (SVT) reported that “50 of Swedbank’s customers that show several risk indicators of suspected money laundering have funneled a total” of US$5.8 billion through Swedbank.

March 22: Swedbank released the results of a third-party audit, which it had quickly commissioned after the February SVT reporting. The heavily redacted audit report said that Swedbank “has cut ties with an undisclosed number of customers who are at the center of money-laundering allegations” against the bank.  Swedbank executives told the Wall Street Journal that the report “shows that the bank has taken the necessary steps to sever relationships with customers deemed suspicious by its internal monitoring systems.”

The immediate public reaction to the audit was highly unfavorable.  Investors, government ministers and money laundering experts all criticized the audit report “as insufficient and damaging to confidence in the Swedish lender’s board and management.”  The Financial Times reported that “most of the key findings such as how many of the Danske clients were also customers of Swedbank were redacted, leaving investors none the wiser as to how grave the potential money laundering problems at the bank are.”

March 26: The Financial Times reported that according to updated SVT reporting, approximately €135 billion of money flowed “through a Swedbank unit dealing mostly with Russian clients in Estonia over a 10-year period, according to an internal report seen by Swedish public TV.” (FT noted that the €135 billion figure “refers to the gross transactions by the customers — mostly Russians — and not to suspicious money flows.”)

The draft report, by a former deputy chief of Norway’s economic crime authority, referred to “[m]ajor breaches of AML (anti-money laundering) obligations identified in Swedbank Estonia,” and “identified a number of failings including accepting customers posing a high risk of money laundering ‘despite the lack of information regarding beneficial owners, corporate structure, source of funds and the real nature and purpose of the business relationship’.”  It also concluded that “A significant number of the HRNR (high-risk, non-resident) customers should never have been onboarded.”

SVT also reported that in 2016, “Swedbank’s top management withheld information from American investigators about suspicious customers and transactions. In addition, bank transactions show that Donald Trump’s former campaign chairman Paul Manafort received nearly one million dollars in black money through Swedbank.”  When SVT confronted her with the information, Bonnesen reportedly replied, “It sounds incredibly strange that we would have had any intention of covering things up.  That is not at all consistent with the way we work, or how we’ve done things throughout the years.”

In response to the FT/SVT story, Swedbank stated that it “had made the report ‘available’ to regulators” and to consulting firm Forensic Risk Alliance, which was conducting a review of some of Swedbank’s anti-money laundering efforts.  It also said that it “was continuing to conduct a deeper analysis of the information and working with external partners and authorities in investigating the money laundering allegations.”

Swedbank’s response evidently satisfied no one.  For example, Swedish pension fund management firm Alecta, which holds a stake of approximately 5 percent in Swedbank, said that “it was not satisfied with the board’s handling of the money-laundering investigation and called on it to increase transparency as soon as possible.”  In addition, Alecta and another pension-fund manager, AMF, issued statements ahead of Swedbank’s annual general meeting on 28 March, “calling for significant changes to the board” in the wake of the money laundering scandal.

March 27: The Swedish Economic Crime Authority conducted a search of Swedbank’s Stockholm headquarters, amid reports that U.S. authorities are now investigating Swedbank.

March 28: Swedbank announced that its Board had fired Bonnesen because of concerns over the continued money-laundering allegations.

Note:  In its report on Bonnesen’s firing, The Economist puckishly asked: “One for Wallander [the fictional Swedish detective]?”  Scrutiny of Swedbank’s actions during the past month will not require exceptional detective skills to determine that Swedbank and its senior management poorly handled its response to the initial SVT reporting.

The underlying suspected criminal money-laundering, on the other hand, will require sustained and patient investigation.  If they have not already done so, the U.S. Department of Justice and the Securities and Exchange Commission, as well as European regulators, are likely to expand their investigations of Danske Bank to include Swedbank.  Swedbank, under a new CEO, will need quickly to demonstrate its commitment to full-blown cooperation with authorities and to prompt and thorough remediation.

U.S. Office of Foreign Assets Control Sanctions Venezuelan Development Bank BANDES and Subsidiaries

On March 22, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Venezuela’s national development bank, Banco De Desarrollo Económico Y Social de Venezuela (BANDES), and four BANDES subsidiaries for operating in the financial sector of the Venezuelan economy.  In a statement, U.S. Secretary of the Treasury Steven T. Mnuchin specifically tied these new sanctions to the arrest of opposition leader Juan Guaidó’s chief of staff Roberto Marrero “and other political prisoners” by the regime of Venezuelan President Nicolás Maduro.

Secretary Mnuchin also declared that

[r]egime insiders have transformed BANDES and its subsidiaries into vehicles to move funds abroad in an attempt to prop up Maduro.  Maduro and his enablers have distorted the original purpose of the bank, which was founded to help the economic and social well-being of the Venezuelan people, as part of a desperate attempt to hold onto power.

Notwithstanding BANDES’s stated purpose as a development bank, the Maduro regime has used BANDES to circumvent existing sanctions.  According to the Treasury Department, in early 2019 Maduro tried to move more than $1 billion out of Venezuela via BANDES to its subsidiary in Uruguay, Banco Bandes Uruguay S.A. (now one of the four sanctioned BANDES subsidiaries).  The other three BANDES subsidiaries that have been sanctioned are Banco Bicentenario del Pueblo, de la Clase Obrera, Mujer y Comunas, Banco Universal C.A.; Banco de Venezuela, S.A. Banco Universal; and Banco Prodem S.A.  In addition, the Chief Executive and President of the Board of BANDES, Simon Alejandro Zerpa Delgado, has been subject to OFAC sanctions since 2017.

Note: Financial institutions’ sanctions compliance teams should take note of this latest round of OFAC Venezuelan sanctions, both for its immediate and prospective effects on international financial transactions (including facilitating credit-card transactions, beginning in March 2020) and for its political ramifications.  Although they are far less damaging to the Venezuelan economy than the sanctions already in place against PDVSA, President Donald Trump’s National Security Adviser, John Bolton, stated that BANDES “is to Venezuela’s financial sector what PDVSA is to its oil sector.”

The new sanctions may also create additional collateral pressures on the Maduro regime.  For more than a decade, BANDES reportedly has received billions of dollars from the China Development Bank in exchange for oil.  One opposition legislator has suggested that the sanctions would impede efforts by the regime to restructure its $20 billion debt with China.

Finally, the BANDES sanctions also close another bolt hole for Maduro to transfer state funds out of the country and send a strong signal to the Maduro regime about efforts to repress the burgeoning opposition.  If, as the New York Times suggested, the Marrero arrest was an effort by Maduro to call the Trump Administration’s bluff, the BANDES sanctions are probably sufficient to indicate that the Administration still has hole cards to play.

Kaspersky Lab Reports Large-Scale Malware Threat, Hosted on ASUS Server, to ASUS Computers

On March 25, cybersecurity firm Kaspersky Lab reported that it had found an Advanced Persistent Threat (APT) directed at ASUS computers, in the form of a modification to ASUS’s own Live Update Utility.  The actor(s) reportedly “modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.”

In addition, the modified utility – which Kaspersky dramatically labeled “ShadowHammer” –

was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.

Kaspersky calculated that more than 57,000 users of its products had installed the backdoored utility, and estimated that it was distributed to a total of approximately 1 million people.  It also reported that the attacker(s) “targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility.”  Finally, Kaspersky stated that while investigating this attack, it found “that the same techniques were used against software from three other vendors,” and notified ASUS and other companies about the attack.

ASUS has since responded, according to TechRadar, that “[a] small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”  It should be noted, however, that another leading cybersecurity firm, Symantec, stated that based on its telemetry, at least 13,000 computers received the malicious updates, and that those victims – 80 percent consumers and 20 percent organizations – were evenly distributed around the world.

ASUS further stated that it had implemented a fix in the latest version of the Live Update software that implements “an enhanced end-to-end encryption mechanism,” and that it had updated and strengthened its server-to-end-user software architecture to prevent similar attacks in the future.  ASUS also has made available a page that shows users how to ensure that they are getting the latest and safest version of Live Update Utility.

Note:  Kaspersky’s assessment on SecureList that ShadowHammer is “a very sophisticated supply chain [malware] attack” appears reasonable.  Prior supply-chain attacks that Kaspersky compared to ShadowHammer, such as ShadowPad and CCleaner in 2017, evidently were less complex and sophisticated in execution.

Accordingly, corporate information-security and compliance teams, even in companies that do not provide ASUS computers to their employees, should disseminate information about ShadowHammer internally, as an example of the more sophisticated APTs that may be directed at their systems.  They should also use this incident as a talking point with all of the third-party providers of hardware and cybersecurity products to their companies, to get current information on what those companies are doing to minimize the risk of sophisticated APTs such as ShadowHammer, ShadowPad, and CCleaner infecting their systems.

OECD Bribery Working Group Issues Statement on SNC-Lavalin Controversy in Advance of Phase Four Review

On March 11, the Organization for Economic Co-operation and Development (OECD) Working Group on Bribery issued a statement expressing concern about “recent allegations of interference in the prosecution of [Canadian engineering firm] SNC-Lavalin” by Canadian authorities.  This concern was prompted by a sequence of recent events relating to Canadian prosecutors’ pursuit of both SNC-Lavalin and former SNC-Lavalin officials for violations of the Corruption of Foreign Public Officials Act (CFPOA).

In February 2019, allegations came to light that one or more officials in the administration of Canadian Prime Minister Justin Trudeau had pressured then-Attorney General Jody Wilson-Raybould to resolve the prosecution of SNC-Lavalin with a deferred prosecution agreement.  By March 11, three senior Trudeau officials had resigned as the controversy over those allegations expanded: Wilson-Raybould (who had been shifted to the less prestigious post of Minister of Veterans Affairs), Prime Minister Trudeau’s top political adviser Gerald Butts, and Treasury Board President Jane Philpott (who resigned in solidarity with Wilson-Raybould).

In its statement, the Working Group pointedly reminded the Canadian government that

[a]s a Party to the OECD Anti-Bribery Convention, Canada is fully committed to complying with the Convention, which requires prosecutorial independence in foreign bribery cases pursuant to Article 5. In addition, political factors such as a country’s national economic interest and the identity of the alleged perpetrators must not influence foreign bribery investigations and prosecutions.

The Working Group also took note of the fact that in February, two inquiries were opened into the alleged political interference: an investigation by the Canadian Federal Conflict of Interest and Ethics Commission into potential violation of Canada’s Conflict of Interest Act, and a Parliamentary inquiry by the Parliamentary Commons Justice Committee.  The Working Group stated that it “is encouraged by these processes, and notes that the Canadian authorities stress that they are transparent and independent.”

The Working Group also included two statements that indicated that it intends to focus on the controversy in connection with its scheduled Phase Four review of Canada’s compliance with the OECD Anti-Bribery Convention.  First, it recognized “Canada’s willingness to keep it fully informed of developments in the proceedings, including at its [the Working Group’s] next meeting in June 2019.”  Second, it stated that it “will closely monitor Canada’s updates, and has also sent a letter to the Canadian authorities confirming its concerns and next steps in this matter.”

Subsequent public comments by Working Group Chair Drago Kos have confirmed those indications.  Kos said that Canada would be subject to a Phase Four review, and that while that review was routine, one aspect of it would address the SNC-Lavalin controversy.

Note:  The Working Group’s statement is extraordinary in two respects: (1) it is only the second time in the last decade that the Working Group has issued a statement about Canada’s compliance with the Convention; and (2) it indicates that the Working Group is likely to make the SNC-Lavalin controversy a centerpiece of its Phase Four review.

One media report termed the OECD Working Group process “toothless,” in light of Kos’s acknowledgment that the Phase Four review does not entail the power to sanction Canada.  No signatory nation to the Anti-Bribery Convention, however, wants to be the subject of a critical review by the Working Group in ordinary circumstances, and the circumstances surrounding the SNC-Lavalin scandal are anything but ordinary.

Since March 11, in fact, the risk of a highly critical review for Canada has already increased substantially.  A fourth Trudeau official, Privy Council Clerk Michael Wernick (who allegedly made “veiled threats” to Wilson-Raybould in the matter), has since resigned.  In addition, the Justice Committee – one of the two inquiries that “encouraged” the Working Group – decided to shut down further hearings on the scandal, even as Wilson-Raybould and Philpott have reportedly indicated that they have more to say on the matter but want the Prime Minister’s waiver of Cabinet privilege before they would testify again.  As Prime Minister Trudeau is continuing to face challenging questions from the media over the controversy, it is unlikely that he and his administration can damp down the controversy before the Working Group’s June meeting.