Month: April 2019

On April 29, The Times reported that the militant movement Hamas “is experimenting with bitcoin donations to avoid international measures against terrorist funding.”  The Times stated that Hamas’s military wing, the Izz ad-Deen al-Qassam Brigades, “posted an online tutorial that sets out how donors could send money using the cryptocurrency, including using public computers to evade detection.”

The United States, the United Kingdom, and the European Union have placed substantial sanctions on Hamas as a terrorist organization, including sanctions against Hamas leaders and financial facilitators.  In addition, the United States reportedly “has started placing ‘primary sanctions’ on bitcoin wallets found to have been used for terrorist financing and their owners.”

To circumvent these restrictions, according to cryptocurrency analysis firm Elliptic,

Hamas has started using a new wallet for each transaction, meaning that the US Treasury would be forced to place a new sanction order for each transaction.

Although the amount that Hamas has so far received in cryptocurrency is only in the tens of thousands of dollars, researchers at Elliptic told the Reuters news agency that the group was testing the platform with a view to using it on a larger scale.

Note: In a March 2019 RAND Corporation report on terrorist use of cryptocurrencies, the authors opined that “[c]urrent cryptocurrencies are not well matched with the totality of features that would be needed and desirable to terrorist groups but might be employed for selected financial activities.”  They also stated, however, that

should a single cryptocurrency emerge that provides widespread adoption, better anonymity, improved security, and that is subject to lax or inconsistent regulation, then the potential utility of this cryptocurrency, as well as the potential for its use by terrorist organizations, would increase.

In this case, Hamas’s reported use of separate wallets for separate transactions may be a technique that facilitates broader use of bitcoin or other cryptocurrencies by Hamas and other terrorist organizations.  Previously, publicly reported instances of terrorist organizations using bitcoin to transfer funds surreptitiously involved fairly small amounts of money (i.e., thousands of dollars).  The fact that Hamas has already succeeded in moving tens of thousands of dollars during a testing phase indicates that the Treasury Department and its counterparts in Europe will need to increase their monitoring of terrorist financing activities, and presumably the frequency of additional counter-terrorist financing sanctions.

If that happens, financial institutions that do business with cryptocurrency exchanges and businesses must consider conducting enhanced due diligence on those firms, and be prepared to move quickly if the Treasury Department increases the number and frequency of new Hamas-related sanctions.  While bitcoin would be of little value in remote locations where terrorist groups are conducting active operations, the ability to use cryptocurrency channels to move funds routinely to cities close to those operational areas, where bitcoin could be exchanged for cash, would be of great concern to many countries.

The April 16 decision by the European Banking Authority’s (EBA’s) Board of Supervisors to close the EBA’s investigation into the Danish and Estonian Financial Services Authorities’ oversight of Danske Bank “has drawn sharp criticism from senior [European Union (EU)]  policymakers,” according to the Financial Times.  The 45-page draft internal report on which the Board of Supervisors voted reportedly reviewed the period from 2007 to 2014, and

identified breaches of union law including “significant shortcomings” in co-operation between the Danish and Estonian supervisors, a lack of effective monitoring of whether due-diligence procedures were followed by the bank and insufficient reviews of Danske’s governance arrangements.

The draft specified four breaches of EU law in how Danske Bank was supervised by Danish and Estonian authorities and made recommendations to both countries for followup activity.

However, the EBA, in an April 26 letter to the European Commission (EC), stated that the draft report had been “rejected conclusively” by the Board of Supervisors.  The letter commented that “[a] number” of the Board’s members, “while acknowledging that with the benefit of hindsight there were failings in the supervision by the two authorities, did not consider that those failings amounted to a breach of union law.”

In response, Valdis Dombrovskis, the EC vice-president responsible for financial services policy, expressed to the Financial Times his disappointment that the Board “did not act on one of the biggest money-laundering scandals in Europe.”  Dombrovskis reportedly said that “the case showed it was ‘essential’ that legislation be adopted to ‘transform’ the way decisions were taken at the agency.”

In addition, Members of the European Parliament and others in EU government have said that the Board’s decision “is a sign of the agency’s inability to take a tough stand with its own members.”  One MEP, Sven Giegold, even urged the EC “to use its own powers to open ‘infringement procedures’ against Denmark and Estonia for failure to apply EU law.”

Note: At the moment, it is not clear whether MEP Giegold’s recommendation is a viable legal remedy for the EC.  Under EU law, the EC may launch a formal infringement procedure “[i]f the EU country concerned fails to communicate measures that fully transpose the provisions of directives, or doesn’t rectify the suspected violation of EU law.”  Under that process, the EC would send a letter of formal notice requesting further information to both Denmark and Estonia, which would have to send “a detailed reply within a specified period, usually 2 months.”  Should the EC conclude that either or both countries were failing to fulfil their obligations under EU law, it may send a reasoned opinion, constituting a formal request to comply with EU law, and requesting “that the country inform the Commission of the measures taken, within a specified period, usually 2 months.”  If the receiving country does not then comply, the EC “may decide to refer the matter to the Court of Justice.”

The problem is that the EU has already been informed of the EBA Board’s determination – in a manner in conformity with Article 17 of the EBA’s founding Regulation — that the reported failings did not breach EU law.  That fact would likely weigh heavily in the EC’s own decision whether to pursue an infringement procedure, and certainly would weigh heavily in any deliberations by the Court of Justice.

As a practical matter, the EBA Board’s decision is more likely to harden the resolve by EU and EC leaders to pursue creation of an EU-wide agency specifically charged with anti-money laundering (AML) oversight and enforcement, and to prompt further skepticism in Brussels about the EBA’s ability even to oversee EU Member States’ national financial supervisory authorities effectively.

On August 26, the London Evening Standard published an article reporting on an interview with Lisa Osofsky, Director of the United Kingdom Serious Fraud Office (SFO).   In the interview, Osofsky commented on a number of topics relating to the SFO’s work, including the following:

• White-Collar Investigative Techniques: Osofsky touted the effectiveness of the U.S. Department of Justice’s use of tax-related criminal offenses in pursuing complex criminal cases, such as the FIFA-related corruption cases.  The Evening Standard quoted her as saying that “she plans to work with HM Revenue and Customs [HMRC] to uncover breaches, then tell offenders: ‘You can spend 20 years in jail for what you did or wear a wire and work with us’.”
• Unexplained Wealth Orders (UWOs): Osofsky stated that UWOs, on which the High Court ruled favorably last October, “were a ‘very good tool’, but that they have tried and failed to identify possible targets so far.” She added, however, that unspecified “other new powers were being used.”
• Adequacy of United Kingdom Criminal Law: Osofsky blamed the SFO’s low number of convictions “generally on outdated legislation.” She stated that she felt “hamstrung that when we are talking about corporate fraud we are still labouring under an old law that tells me I can’t put a company in the dock unless I have the controlling mind.”
• SFO Conviction Rate: Most notably, Osofsky stated that certain individuals – “some of [whom] may have been elected officials” – had rebuked her “for securing too many convictions.” In Osofsky’s words, she was asked, “ ‘What’s your conviction rate?’ And at the time it was 75 per cent for individuals, 85 per cent for companies and I thought ‘Oh God, they’re going to think that’s too low.’ “No, that was too high — this is what I hear back. If you are winning so many, you are not taking on the hard ones.”

Note: Osofsky’s remarks provide further indications of the directions that she and the SFO are likely to take in selecting new cases and conducting investigations.  Osofsky has previously indicated her interest in using the U.S. Department of Justice’s technique of “persuading insiders to co-operate with investigators to speed up criminal probes.“  Expanding the scope of criminal investigations to identify potential offenses with longer terms of imprisonment could expedite that process.  In addition, her stated concern about the continuing effect of the Tesco “directing mind” test in criminal fraud cases seems to indicate that she will continue the SFO’s support for extending the “failure to prevent” offense concept beyond bribery and tax evasion to fraud and money laundering.

The most disquieting aspect of Osofsky’s remarks is the indication that some elected United Kingdom officials may be trying to exert political pressure on her exercise of prosecutorial discretion.  Certainly the SFO’s recent losses in well-publicized cases, such as the Tesco executives’ retrial and the EURIBOR prosecutions, do nothing to enhance the SFO’s credibility, or move it toward becoming (in the words of Osofsky’s predecessor, Sir David Green) “a vigorous investigator and enforcer of the topmost level of serious and complex fraud, plus commercial bribery.”

On the other hand, the unnamed officials’ comment that “If you are winning so many, you are not taking the hard ones” reflects a fundamental misunderstanding of the work of prosecutors, including the importance of conviction rates.  While a 100 percent conviction rate should be highly suspect – for example, because prosecutors may choose to bring only the most egregious criminal cases or due process limitations may reduce the odds of acquittal – so should a conviction rate of 75 percent or lower, which would tend to indicate inadequacy in prosecutors’ competence and training, case selection, or case preparation.

Moreover, Osofsky’s extensive experience with federal criminal investigations and prosecutions helps to explain why she would consider a 75 percent conviction rate for individuals to be too low.  In the U.S. federal judicial system, the conviction rate since the 1960s rose gradually over two decades from approximately 75 percent to approximately 85 percent.  It is now routine for United States Attorneys and other Justice Department officials to consider a 90 percent conviction rate – even taking into account the most complex criminal cases, such as fraud and corruption – an absolute minimum standard of performance.  As of Fiscal Year 2017, for example, the Justice Department’s conviction rate for all white-collar crimes was 90.9 percent (5,868 out of 6,456 criminal defendants).

The object, in other words, should be to achieve a high rate of just convictions in all categories of meritorious cases, easy and hard.  Any United Kingdom official who may believe otherwise, and insists that the SFO should lose more cases in order to increase its credibility in political circles, risks doing further damage to an agency that is critical to the United Kingdom’s efforts to combat fraud and corruption.

On April 24, Jeremy Fleming, Director of the United Kingdom Government Communications Headquarters (GCHQ), gave the keynote speech on cybersecurity issues at the National Cyber Security Centre’s (NCSC’s) flagship conference, CYBERUK 2019, in Glasgow.  In his speech, Fleming first noted that the technology revolution “is providing extraordinary opportunity, innovation and progress – but it’s also exposing us to increasing complexity, uncertainty and risk.”  That revolution, in his words, “brings with it new and unprecedented challenges for policymakers as we seek to protect our citizens, judicial systems, businesses – and even societal norms.”

Fleming then explained GCHQ’s perspective on cybersecurity.  He stated that “whatever the shape of our cyber security mission, it made no sense to silo it away from other aspects of national security. To be effective, it had to be able to take advantage of high-grade intelligence and other security capabilities,” and that GCHQ “knew that we needed to invest more in getting the public and private partnership really working” and “to set even clearer lines of accountability when cyber incidents happened.”

Accordingly, Fleming stated, the United Kingdom Government’s National Cyber Security Strategy gave GCHQ, through the NCSC, “responsibility for a major national risk for the first time in our hundred year history.”  GCHQ’s roles participation in that process included the GCHQ incident management team’s working on more than 1,500 significant cybersecurity incidents, its use of automation to reduce the harm from thousands of attacks a month, and the major role that GCHQ has played in dealing with strategic threats from hostile states.

Fleming also commented that the first priority for the United Kingdom’s cybersecurity strategy is to make that strategy “more citizen facing and more citizen relevant.”  In that regard, he pointed to a number of the findings in the recently issued “UK Cyber Survey”:

• 89 percent of British people use the Internet to make online purchases, and 24 percent do so daily.
• Only 15 percent said that they knew how to protect themselves online.
• 2 million victims of hacks used the password 123456 to protect their accounts.

Recognizing the challenges that cyber threats pose to the population, Fleming promised several actions by GCHQ to help “take the burden of cyber security away from the individual”: (1) “work[ing] closely with device manufacturers and online platform providers to build security into their products and services at the design stage”; (2) working with Internet Service Providers to enhance the security of internet-connected devices in the home; and (3) “shar[ing] intelligence with banks to enable them to alert customers close to real time.”

A second priority for the United Kingdom that Fleming identified is “is to ensure our national infrastructure has the best defences in the world.”  Pursuing that priority will involve fixing critical national infrastructure (CNI) and discussing “what further legislation or regulation might be required to ensure cyber standards right across the CNI.”  A third priority is “to expand the cyber security ecosystem – and by that I mean taking a bold, interventionalist approach to involve a wider set of stakeholders in protecting the nation’s cyber security.”  Implementing that priority includes expanding the reach and impact of NCSC’s Active Cyber Defence program, which “uses automation to block attacks on an enormous scale,” using a protective Domain Name System for the public sector that blocked access 57.4 million times, and putting in place programs to help small businesses.

Finally, in outlining how to improve public-private sector information sharing, Fleming emphasized GCHQ’s commitment to sharing more information about cyberthreats in real time, to help businesses and the Government defend themselves.  Among various examples of that commitment, he noted that

in the last year we have made it simple for our analysts to share timecritical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken.

In the coming year, we will continue to scale this capability so – whether it’s indicators of a nation state cyber actor, details of malware used by cyber criminals or credit cards being sold on the Dark Web – we will declassify this information and get it back to those who can act on it.

Note: Director Fleming’s comments present a number of relatively concrete ways in which GCHQ is seeking to enhance cybersecurity – notably the commitment to improve real-time information-sharing with the private and public sectors, in part to enable financial institutions to alert customers quickly to new cyberthreats.

It is interesting to note that although the United States Government’s departmental and agency structure is configured quite differently for pursuing a national cybersecurity strategy, National Security Agency officials, in public speeches in 2017 and 2018, have refrained from endorsing the structure of the NCSC, but have made positive comments about the NCSC’s accomplishments.  GCHQ should make it a point to continue to report periodically and publicly on whether and how well the new initiatives that Director Fleming discussed are bearing fruit.

On April 16, the United States Financial Crimes Enforcement Network (FinCEN) imposed a $35,000 civil money penalty on Eric Powers, who operated as a  peer-to-peer exchanger of convertible virtual currency, for willfully violating registration, program, and reporting requirements of the Bank Secrecy Act’s (BSA).  In particular, FinCEN stated that Powers “failed to register as a money services business (MSB), had no written policies or procedures for ensuring compliance with the BSA, and failed to report suspicious transactions and currency transactions.”

According to FinCEN, Powers advertised his intent to purchase and sell bitcoin on the Internet, and “completed transactions by either physically delivering or receiving currency in person, sending or receiving currency through the mail, or coordinating transactions by wire through a depository institution.”  Powers, however,

processed numerous suspicious transactions without ever filing a SAR, including doing business related to the illicit darknet marketplace “Silk Road,” as well as servicing customers through The Onion Router (TOR) without taking steps to determine customer identity and whether funds were derived from illegal activity.

In addition, FinCEN stated that Powers conducted more than 200 transactions involving the physical transfer of more than $10,000 in currency, but

failed to file a single CTR.  For instance, Mr. Powers conducted approximately 160 purchases of bitcoin for approximately $5 million through in-person cash transactions, conducted in public places such as coffee shops, with an individual identified through a bitcoin forum.  Of these cash transactions, 150 were in-person and were conducted in separate instances for over $10,000 during a single business day.  Each of these 150 transactions necessitated the filing of a CTR.

Powers, who cooperated with FinCEN, agreed to the $35,000 penalty and to “an industry bar that would prohibit him from providing money transmission services or engaging in any other activity that would make him a ‘money services business’ for purposes of FinCEN regulations.”

Note:  This resolution is noteworthy because it is the first instance in which FinCEN brought an enforcement action against a peer-to-peer virtual currency exchanger, and the first instance in which FinCEN penalized a virtual-currency exchanger for failure to file CTRs.  While the amount of the money penalty against Powers is miniscule in comparison to the $110 million fine that FinCEN imposed against virtual-currency exchange BTC-e, it indicates that FinCEN is prepared to pursue enforcement actions against virtual-currency exchangers for failure to comply with the full spectrum of BSA requirements.