United Kingdom Financial Conduct Authority Fines UBS £27.6 Million for Transaction Reporting Failures Involving 135.8 Million Transactions

On March 19, the United Kingdom Financial Conduct Authority (FCA) announced that it had fined UBS AG (UBS) £27,599,400 for failings relating to 135.8 million transaction reports over nearly a decade, between November 2007 and May 2017.  The FCA stated that UBS

failed to ensure it provided complete and accurate information in relation to approximately 86.67m reportable transactions. It also erroneously reported 49.1m transactions to the FCA, which were not, in fact, reportable. Altogether, over a period of 9 and a half years, UBS made 135.8m errors in its transaction reporting, breaching FCA rules.

The FCA found that the 135.8 million transactions were the result of 42 errors, for which there were three main root causes (or, in some cases, a combination of those root causes): (1) errors in UBS’s systems, IT logic, and/or reporting processes; (2) weaknesses in change management controls; and (3) weaknesses in controls around the maintenance of static data.  The 135.8 million errors constituted approximately 7.5 percent of the 1.8 billion transaction reports that UBS submitted during the relevant period.

In addition, the FCA found that UBS failed to take reasonable care to organize and control its affairs responsibly and effectively with respect to its transaction reporting. “These failings,” the FCA stated, “related to aspects of UBS’s change management processes, its maintenance of the reference data used in its reporting and how it tested whether all the transactions it reported to the FCA were accurate and complete.”

In its Final Notice, the FCA took into consideration that UBS had recognized the failures within its control framework and had either remediated them or substantially commenced the process of doing so after July 31, 2014.  It also acknowledged that UBS self-identified and notified it of more than 85 percent of the reporting errors described in the Notice, “and has committed significant resources to improving its transaction reporting controls.”

Because UBS agreed to resolve the case, it qualified for a 30 percent discount in the overall penalty. Absent the discount, the FCA stated that it would have imposed a financial penalty of £39,427,795.  In response to the FCA’s action, a UBS spokesperson reportedly said that “there had never been any impact on clients, investors or market users, but the bank had improved its systems and controls.”

Note: A transaction report, according to the FCA, is a data set that a financial firm submits to the FCA relating to “an individual financial market transaction which includes, but is not limited to, details of the product traded, the firm that undertook the trade, the trade counterparty, the client (where applicable) and the trade characteristics, price, quantity and venue.”  The FCA states that it uses the information from transaction reports for four purposes: (1) monitoring for market abuse; (2) firm supervision; (3) market supervision; and (4) sharing with certain external parties, such as the Bank of England.

The basis for the FCA’s rules on transaction reporting is the European Union Markets in Financial Instruments Directive (2004/39/EC) (MiFID), in effect from November 2007 until January 2018, and MiFID II, in effect since January 2018.  MiFID and MiFID II are EU legislation “that regulates firms who provide services to clients linked to ‘financial instruments’ (shares, bonds, units in collective investment schemes and derivatives), and the venues where those instruments are traded.”  MiFID II revised the MiFID requirements in a number of areas, including extending transaction reporting requirements to include additional instruments.

Although the FCA has fined a dozen other financial firms since 2009 for transaction reporting violations, its action against UBS is significant in two respects.  First, the number of transactions associated with UBS’s reporting failures (135.8 million) is by far the highest of any of the 13 FCA MiFID cases.  Second, the amount of the £27.6 million fine is the highest ever imposed for such MiFID violations – more than double the amount of the next highest fine.  United Kingdom financial firms should review the UBS Final Notice with care, and use the FCA’s factual findings therein as a point of reference to check their own systems’ MiFID II compliance.

Lithuanian National Pleads Guilty in $123 Million Business E-Mail Compromise Scheme Affecting Facebook and Google

On March 20, Evaldas Rimasauskas, a Lithuanian national, pleaded guilty to one count of wire fraud in an indictment returned in 2017 in the Southern District of New York, for his conduct of a business e-mail compromise (BEC) scheme that led to defrauding Google and Facebook out of $123 million.

According to the Indictment’s allegations, from 2013 through 2015, Rimasauskas orchestrated a fraudulent BEC scheme designed to deceive Google and Facebook (named in the indictment only as “Victim 1,” “Victim 2,” or “the Victim Companies”) into wiring funds to bank accounts that Rimasauskas controlled.  In particular, Rimasauskas

registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.  Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.

The emails, which purported to be from employees and agents of Company-1,

were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1.  This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

After Google and Facebook wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas

caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.  [He] also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

Google reportedly sent more than $23 million and Facebook nearly $100 million to bank accounts that Rimasauskas controlled.  Google stated that it has recouped its money, and Facebook stated that it recovered most of its money.

Rimasauskas was arrested in Lithuania in _ 2017 and extradited to the United States in August 2017.  He is scheduled to be sentenced on July 24.

Note:  The Rimasauskas case is a particularly prominent example of how cybercriminals can set up and carry out a BEC scheme with relative ease.  The total gross proceeds it obtained, and the size of the companies that Rimasauskas defrauded, make it one of the largest BEC schemes conducted in recent years.  By contrast, the FBI’s 2018 Operation WireWire against international BEC schemes resulted in the seizure of nearly $2.4 million and the recovery of approximately $14 million in fraudulent wire transfers.

Chief Information Security Officers, Chief Compliance Officers, and comptrollers in companies of all types and sizes should use this case as an opportunity to compare notes about their companies’ external fraud programs and test whether their business processes would detect the kind of BEC scheme that Rimasauskas conducted in this case.

United Kingdom House of Commons Treasury Committee Issues Report on Anti-Money Laundering and Sanctions

On March 8, the United Kingdom House of Commons Select Treasury Committee published a report on economic crime that focused on anti-money laundering (AML) supervision and sanctions implementation in the United Kingdom.  The report, which received unanimous approval by the Committee, was critical of the United Kingdom’s “fragmented approach to AML supervision.”

The Committee report contained numerous key findings and recommendations:

  • The Threat of Economic Crime:
    • The scale of economic crime – which the National Crime Agency (NCA) defines as covering a range of crime, including money laundering, crimes covered by the NCA’s International Corruption Unit (ICU) (e.g., foreign bribery and related money laundering), fraud, and counterfeit currency – is “difficult to ascertain and official estimates of the scale of economic crime are highly uncertain.”
    • It “can reasonably be said to run into the tens of billions of pounds, and probably the hundreds of billions,” but “the upper bound of the estimate is unknown.”
    • Because the United Kingdom “holds a prime position in global financial services, with the City of London a dominant financial centre,” recent moves by the United Kingdom Government to keep the City “clean” “are welcome, but must be sustained.”
    • Given the United Kingdom’s expected departure from the European Union (EU), the Government should retain or replicate “the arrangements with the EU to maintain the flow of information between the UK and EU member states’ law enforcement agencies on economic crime,” and the Government should “work to develop strong relationships with other countries and strengthen mutual information sharing and law enforcement power.”
    • Recognizing the substantial amount of time between the Financial Action Task Force’s mutual evaluation reviews of the United Kingdom’s anti-money laundering and counter-terrorist financing systems, the Government should “institut[e] a more frequent system of public review of the UK’s AML supervision, and law enforcement, that will ensure a constant stimulus to improvement and reform. This review should take a holistic view of the entire system, rather than be undertaken by each individual component supervisor or agency.”
  • Fragmented Approach to AML Supervision:
    • The “fragmented nature” of the United Kingdom’s AML supervisory regime is reflected in the fact that there are 25 entities currently responsible for AML supervision.
    • While the property sector “poses a risk from an anti-money laundering perspective . . . the AML supervisory regime around property transactions is complicated.” HM Revenue and Customs (HMRC) should “carr[y] out further work to ensure estate agents are registered with them and following best anti-money laundering practice.”
    • As “[t]here is a clearly identified risk that company formation may be used in money laundering” and “there appears to be a number of unsupervised entities engaged in company formation,” HMRC should identify and deal with them “as a matter of urgency.”
    • Companies House, whose role is to incorporate and dissolve limited companies and register company information and make it available to the public, has a number of weaknesses in the controls around the information it houses, including not being required to carry out AML checks and not rigorously checking the “people with significant control” (PSC) register. Accordingly, “[t]he Government must urgently consider reform of Companies House to ensure it has the statutory duties and powers to ensure it plays no role in helping those undertaking economic crime . . . .”
    • There should be “a sharp focus on the supervision of the core financial services,” and the Financial Conduct Authority (FCA) should “keep up a constant pressure” on those businesses “and take appropriate enforcement action against them.”
  • Other Issues:
    • Resources: “The resources to combat economic crime available to the private sector dwarf those currently available to the public sector.” Because of concern for maintaining public-sector expertise to combat economic crime, considering the salaries available in the private sector, “[t]he Government and public sector bodies should consider whether there is the pay flexibility available to ensure that the appropriate skills are maintained.”
    • Suspicious Activity Reports: The program for reform of the Suspicious Activity Reports (SARs) system is “an exceptionally important piece of work for the AML regime.” Reform “should focus on increasing the number of SARs reports by those outside the core of the financial system, the so-called enablers.”
    • Politically Exposed Persons: The Government should create a centralized database of Politically Exposed Persons (PEPs) for the use of those registered by AML supervisors.
    • “Derisking”: The Government should publish its strategy on how to address disproportionate derisking strategies within six months.
  • Legislative Reform:
    • On corporate criminal liability, in view of “clear evidence that legislative reform is required to strengthen the hand of law enforcement in the fight against economic crime,” the Government should set out “a timetable for bringing forward legislation to improve the enforcement of corporate liability for economic crime,” taking into account the Serious Fraud Office’s suggested reforms.
  • Financial Sanctions:
    • The Government should review the effectiveness of the Office of Financial Sanctions Implementation (OFSI), which has been in existence for only a year and a half, once two years have passed since its formation.
    • Recognizing that “certain elements of Russian money” have had “a malign influence” on the United Kingdom financial system, the Government “must achieve a balance between focussing on financial flows from one country, while not distorting the AML system, and creating a risk that other criminals slip by while attention is focussed on individuals with a specific nationality.”
    • “The United Kingdom’s departure from the European Union could allow additional flexibility in its use of sanctions, though there will always be a need to ensure a multilateral approach.”

The Committee also posted a complete list of its conclusions and recommendations.  It plans to issue a second report on economic crime, focusing on consumers and economic crime, later in 2019.

Note: This report provides a thorough and detailed review of the state of affairs with the United Kingdom’s response to money laundering.  While it is consistently methodical in its analysis and temperate in tone, it constitutes a wide-ranging criticism of the United Kingdom Government’s attention and dedication of resources to the problem.  That criticism – coupled with the recent disclosure that there had been no prosecutions under the United Kingdom money-laundering regulations between their inception in June 2017 and October 2018 – should prompt the Government to undertake comprehensive improvements in and support for its AML regime, particularly if Brexit results in decoupling the United Kingdom from the EU and its own AML initiatives.

4iQ Issues Report on 2018 Identity Breaches, Finding 424 Percent Increase from 2017

On March 5, identity intelligence company 4iQ announced the release of its report on identity-breach trends in 2018, titled “The Changing Landscape of Identities in the Wild: The Long Tail of Small Breaches.” The report, which drew on large amounts of breached and leaked data found from open sources in the surface, deep, and dark web, saw “a significant shift from attacks on not just large companies, but increasing attacks on a greater number of small businesses – the long tail – as hackers targeted unsophisticated and unsecured small businesses and supply chain vendors.”

4iQ’s specific findings about identity-breach trends included the following:

  • There were 12,449 new and authentic breaches and leaks in 2018, reflecting a 424 percent increase from 2017. That total translates to 1,037 breaches every month, or 34 breaches every day.
  • The average breach size in 2018, however, was 216,884 records, 4.7 times smaller than in 2017. 4iQ interpreted these results to indicate that hackers were both more willing and able “to attack larger numbers of smaller targets.”
  • 9 billion raw identity records circulated across the web – a 71 percent increase from the 8.7 billion raw identity records circulating in 2017. After 4iQ curated (i.e., analyzed, normalized, and cleansed) the raw data, it found approximately 3.6 billion records that were real and new – a 20 percent increase from 2017’s total of 3 billion curated identity records.  4iQ characterized 2018 as “a record year for breaches caused by open devices, with a much larger number of accidental exposures than exposures due to hacking.”
  • “Government Agencies” had the largest growth as an exposed industry in 2018, increasing 291 percent from 2017. On this point, 4iQ specifically noted that “[f]or the first time we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio.”  It also observed that numerous 2018 data dumps from the United States, China, and Russia exposed citizen data and voter records as well as financial and customer databases.
  • The top five exposed industries included forums and referral sites (27.5 percent), government agencies (12.2 percent), gaming and gambling (11.8 percent), e-commerce (11.7 percent), and education and academia (9.2 percent).
  • “The circulation and repackaging of username and password databases into ‘Combo Lists’ has seen a sharp increase in 2018.” One Combo List from May 2018 that 4iQ reviewed contained 98 gigabytes of data; another Combo List from January 2019 contained 1 terabyte of data including 1.82 billion credentials.
  • North America was the continent with the greatest percentage of curated breaches (37.2 percent), followed by Asia (34.5 percent), Europe (17.8 percent), South America (9.9 percent), Oceania (4.2 percent), and Africa (0.18 percent).  4iQ “saw breach exposure growth in China, Russia, Vietnam, Japan, and Brazil” since 2017.
  • Examples of data for sale included a file with 21 million identities from Peruvian citizens that could be used to make fake identity cards, tax data, passport images, and health and auto insurance cards.

Note: In cybersecurity, it is easy for cybersecurity experts and compliance officers, in conceptualizing data-breach risks, to fall back on the availability heuristic and define the problem in terms of data breaches associated with leading brands, such as Marriott Starwood, Cathay Pacific, and Facebook in 2018.  The 4iQ report is instructive in demonstrating that while companies and agencies of all sizes and in all sectors should be concerned about the overall growth of identity breaches in 2018, small- and medium-size enterprises should take particular note of the increased likelihood that they can be targeted for data breaches and take action to bolster their cyber defenses accordingly.

Global Witness Reports That Anonymous Companies Registered in Tax Havens Own More Than 87,000 English and Welsh Properties Worth Up to £100 Billion

On March 17, the anti-corruption organization Global Witness announced that its analysis of HM Land Registry data showed that anonymous companies registered in tax havens own more than 87,000 properties in England and Wales.  It also stated that “[t]he value of these properties is at least £56 billion according to Land Registry data – and likely to be in excess of £100 billion when accounting for inflation and missing price data.”

The Global Witness analysis found that 40 percent of the anonymously owned properties that it identified are in London.  Within London, the areas with the highest numbers of anonymously owned properties (as of March 2019) are Westminster (10,000), Kensington and Chelsea (5,729), Camden (2,320), and Tower Hamlets (1,930).

Note: Since 2016, the United Kingdom Government has made available, through the public register at Companies House, a public central register of company beneficial-ownership information for companies incorporated in the United Kingdom.  The Government, however, has yet to implement its proposal of a public central register for company beneficial-ownership data for non-United Kingdom companies.

It is encouraging to see the Government’s increasing use of its Unexplained Wealth Order authority to reveal ownership of property by persons reasonably suspected of involvement in, or of being connected to a person involved in, serious crime.  But that authority, as valuable as it is for law enforcement, is no substitute for a comprehensive and complete listing of beneficial ownership.  If the Government wants, as Minister of Security Ben Wallace put it, “the ‘full force of the government’ to bear down on criminals and corrupt politicians using Britain as a playground and haven,” and to constrict the laundering of an estimated £90 billion each year, it needs to deploy a comprehensive public register that pierces the veil of foreign ownership of United Kingdom properties and provides much-needed transparency.

There is no guarantee that this latest Global Witness analysis will prompt the Government to reverse course on its recent decision to pull the debate and votes on a bill that would expand public-register requirements to British overseas territories.  It may, however, keep alive debate about the importance of a more extensive public central register, as part of a comprehensive Government response to the problems of money laundering and tax evasion.