Month: April 2019

On April 9, the United States Department of Justice announced that the London-based financial institution Standard Chartered Bank (SCB) had agreed to pay a total of more than $1 billion to the Justice Department and other U.S. and foreign authorities, for conspiring to violate the International Emergency Economic Powers Act (IEEPA).  According to the Justice Department, the reported conspiracy, which lasted from 2007 through 2011, “resulted in SCB processing approximately 9,500 financial transactions worth approximately $240 million through U.S. financial institutions for the benefit of Iranian entities.”

The breakdown of the various settlements into which SCB entered is as follows:

• U.S. Department of Justice: Forfeiture of $240 million, a fine of $480 million, and to the amendment and extension of its existing deferred prosecution agreement (DPA) with the Justice Department for an additional two years;
• New York County District Attorney’s Office (DANY): Amendment of its DPA with DANY and extension of that DPA for two additional years, and an additional financial penalty of $292,210,160;
• Other Settlement Agreements: SCB entered into separate settlement agreements with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Board of Governors of the Federal Reserve System (the Federal Reserve), the New York State Department of Financial Services (DFS), and the United Kingdom’s Financial Conduct Authority (FCA) under which SCB shall pay additional penalties totaling more than $477 million. The Justice Department has agreed to credit a portion of these related payments and, after crediting, will collect $52,210,160 of the fine, in addition to SCB’s $240 million forfeiture.

In connection with the conspiracy, the Justice Department filed a superseding information regarding SCB in the U.S. District Court for the District of Columbia, charging SCB with two counts of conspiracy to violate IEEPA.  In addition, an unnamed former employee of the SCB branch in Dubai, United Arab Emirates (UAE) (referred to as Person A), pleaded guilty in the same U.S. District Court for conspiring to defraud the United States and to violate IEEPA, and that court unsealed a two-count criminal indictment charging Mahmoud Reza Elyassi, an Iranian national and former customer of SCB Dubai, with participating in the conspiracy.

The Justice Department stated that, as part of the amended DPA,

SCB admitted that, from 2007 through 2011, two former employees of its branch in Dubai, willfully conspired to help Iran-connected customers conduct U.S. dollar transactions through the U.S. financial system for the benefit of Iranian individuals and entities.  One of these Iran-connected customers was Elyassi, an Iranian national who operated business accounts with SCB’s Dubai branch while residing in Iran.  SCB’s former employees helped Elyassi manage these accounts, concealed their Iranian connections, and facilitated foreign currency transactions in U.S. dollars.  SCB’s former employees knew that Elyassi’s business organizations operated from Iran and conducted U.S. dollar transactions for the benefit of Iranian interests, and helped Elyassi disguise his Iranian connections to avoid suspicion.

According to the unsealed indictment of Elyassi,

Elyassi and his co-conspirators registered numerous supposed general trading companies in the UAE, and used those companies as fronts for a money exchange business located in Iran.  Between November 2007 and August 2011, Elyassi used a business account at SCB’s Dubai branch to cause U.S. dollar transactions to be sent and received through the U.S. financial system for the benefit of individuals and entities ordinarily resident in Iran in violation of U.S. economic sanctions.

SCB admitted that on behalf of Elyassi’s companies between 2007 and 2011, it had processed approximately 9,500 U.S. dollar transactions through the United States that totaled approximately $240 million.  More than half of these U.S. dollar transactions, the Justice Department stated, “were the result of deficiencies in SCB’s compliance program which allowed customers to request U.S. dollar transactions from within sanctioned countries, including Iran.”

The Justice Department credited SCB with having engaged in significant remediation since mid-2013, “including the comprehensive enhancement of its U.S. economic sanctions compliance program and significant improvements to its financial crime compliance program.”  It also acknowledged that after SCB was “presented with evidence of potential post-2007 sanctions violations, SCB provided substantial cooperation in the government’s investigation, including by producing significant evidence of criminal wrongdoing perpetrated by its employees and customers.”

Note: This amendment and extension of the SCB DPA is a substantial expansion of the original DPA that SCB had reached with the Justice Department in 2012. That DPA, as indicated in Count One of the superseding information, addressed SCB’s participation in a criminal conspiracy from 2001 through 2007 and resulted in SCB’s paying a $227 penalty under the terms of that DPA.  Count Two of the superseding information addressed SCB’s participation in a criminal conspiracy to violate IEEPA from 2007 through 2011, which the Justice Department alleged “resulted in SCB intentionally processing U.S. dollar transactions through the U.S. financial system for the benefit of Iranian individuals and entities worth approximately $240 million.”

It may be instructive to compare and contrast the SCB resolution with the Justice Department’s November 2018 sanctions-related DPA and resolution with Société Générale S.A. (SG), with regard to the three factors that are central to corporate resolutions under the Justice Department’s Corporate Enforcement Policy:

• Voluntary Self-Disclosure: Neither institution engaged in voluntary self-disclosure.  In  SG’s case, the U.S. Attorney’s Office for the Southern District of New York specifically stated that “[d]espite the awareness of both SG’s senior management and Group Compliance that SG had engaged in this unlawful conduct, SG did not disclose its conduct to OFAC or any other U.S. regulator or law enforcement agency until well after the commencement of the Government’s investigation.”
• Cooperation: In SCB’s case, the Justice Department credited it with “substantial cooperation.”  In SG’s case, the U.S. Attorney’s Office credited it with “undertaking . . . a thorough internal investigation, [and] collecting and producing voluminous evidence located in other countries to the full extent permitted under applicable laws and regulations . . . .”
• Remediation: In SCB’s case, the Department credited it with “significant remediation.”  In SG’s case, the U.S. Attorney’s Office credited it with “enhancement of its compliance program and sanctions-related internal controls both before and after it became the subject of a U.S. law enforcement investigation.”

In the end, both institutions ended up paying, due to total forfeitures and financial penalties, more than $1 billion each to resolve their sanctions-related misconduct.  That fact alone should prompt other financial institutions that operate globally to take their sanctions compliance programs utterly seriously, including by regularly and thoroughly reviewing them to determine whether they are operating effectively.  If there are any financial institutions that are still unclear about the reach of U.S. law enforcement and regulators to enforce U.S. sanctions, the SCB and SG resolutions should leave no doubt in anyone’s mind.

Since mid-March, a spate of news coverage in the Baltimore – Washington, D.C. region has brought to light a severe conflict of interest by Baltimore Mayor Catherine Pugh that may oust her from office.  The first part of the story emerged on March 12, when the Baltimore Sun reported that

[n]ine [volunteer] members of the University of Maryland Medical System’s [UMMS’s] Board of Directors — including Baltimore Mayor Catherine Pugh — have business deals with the hospital network that are worth hundreds of thousands of dollars each. . . . [A]bout a third of appointed members receive compensation from the medical system through contracts with their businesses. They provide goods and services to the system, ranging from consulting to pest control and civil engineering, according to financial disclosure forms reviewed by The Sun.

In Mayor Pugh’s case, the Sun initially stated that Pugh reported on her 2017 financial disclosure statement making a profit of $100,000 after the hospitals bought 20,000 copies of one of her self-published children’s books under the title “Healthy Holly.”  In short order, additional reporting disclosed that UMMS had made four previous payments of $100,000 each to Pugh, beginning in 2011 – when she was a state senator serving on a committee that partially funded UMMS —  and then in 2013, 2015, and 2017, totaling $400,000.

Additional disclosures within the past two weeks have now made the controversy a matter of intense city- and statewide attention:

• March 18: Mayor Pugh resigned from the UMMS board.
• March 20: Mayor Pugh told a Baltimore radio station that she had returned the most recent payment of $100,000 for her latest “Healthy Holly” book, which she said was “still in the works.”  The Mayor also said that she planned to self-publish the latest book, but a mayoral spokesman told the media that the Mayor had returned the money because “[t]he publisher and illustrator had a medical emergency and the order had to be canceled.”
• April 1: The Washington Post reported that the healthcare company Kaiser Permanente paid Mayor Pugh more than $100,000 for copies of a “Healthy Holly” book “at the same time it was seeking a $48 million contract from a city board controlled by the mayor.” That same day, the Post reported, Mayor Pugh decided to take “an indefinite leave of absence” – according to her spokesman, because the Mayor was battling pneumonia and her doctors had told the Mayor that she “needs to take time to recover and focus on her health.”  Nonetheless, the Associated Press reported that Maryland Governor Larry Hogan, calling the allegations “deeply disturbing,” called on the Maryland state prosecutor to investigate allegations of self-dealing by the Mayor, and Maryland Comptroller Peter Franchot called on her to resign.
• April 3: The Sun’s editorial board called on Pugh to resign, describing her as ”deeply unethical.”
• April 7: A top aide to Mayor Pugh, James T. Smith, submitted his resignation to acting Mayor Bernard Young.
• April 8: The Baltimore City Council called on Pugh to resign as Mayor, but Pugh said she intends to return to her job.

Note:  Ethics and compliance officers in public- and private-sector entities should incorporate this situation, as a classic case of serious conflict of interest, into briefings and training sessions for their entities’ management and employees.  There is no room for debate – other than, apparently, with Mayor Pugh and the UMMS —  that this kind of profitable self-dealing by a public official with fiduciary responsibilities to the public and UMMS is a blatant and long-running actual conflict of interest.

Moreover, ethics and compliance officers should take the opportunity to review their organization’s conflict-of-interest policies and determine whether they clearly state that certain conflicts are prohibited and, in appropriate circumstances, may require corrective action.  In this case, a spokesman for UMMS management maintained that UMMS “has a consistently enforced Conflict of Interest Policy.” Those words, however, must be read closely.  Perusal of that Policy reveals that the only significant obligation of a UMMS board member is to disclose the financial interest in question, after which that board member must leave the room “while the determination of a conflict of interest is discussed and voted upon” and the remaining board members “decide how to manage the conflict.”

By that standard, UMMS may well have “consistently enforced” the Policy, in the sense that the board allowed Mayor Pugh and eight other board members to obtain and retain direct financial benefits from their relationship with UMMS.  If that is the case, UMMS needs to rethink its Policy completely.  Nowhere in the Policy does the phrase “actual conflict of interest” appear, but it is actual conflicts of interest that, as the UMMS Board is now seeing, pose the greatest reputational and financial risk to any enterprise.

UMMS had been resisting pending legislation in the Maryland legislature that reportedly “would make it illegal for [state hospital] board members to profit from contracts with the hospitals they govern.”  But it need not wait for legislative action to demonstrate, by revising its Policy, that  its professed commitment to “the public trust” is genuine.  As for Mayor Pugh, if she were to value the health of city government more highly than she values the profitability of her health-themed books, her own choice should be clear.

This week, Europol issued its Cyber-Telecom Crime Report 2019.  The 57-page report, by cybersecurity firm Trend Micro Research and Europol’s European Cybercrime Centre (EC3), states that it was “written to serve as a guide of sorts to help stakeholders in the industry navigate the telecom threat landscape.”

The report is divided into seven principal sections:

• The Perpetrators: This section states that telecom fraud “is increasingly originating in countries normally considered ‘third world’ or failed states” and is “increasingly being used to prop up failing economies.” It cites several factors as drivers of telecom fraud, including “the reduced cost and increased availability of telecom equipment capable of hacking intercarrier trust, the availability of information on the topic, and the flattening (homogenization) of telecom deployments in 4G,” as well as “the overlap of specific economies — the cost of telecom deployments drops due to economic commonalities driven by the need for automation. Examples of these include rising telecom costs, competition from nontraditional telecom providers, and market saturation.”  The report also states that the annual cost of telecommunications subscription fraud “is estimated by some to reach up to more than US$12 billion, while others foresee the actual losses to be far greater, estimating it to be between 3 percent and 10 percent of the operators’ gross revenues.”  It reviews the principal means of “cashing out” SIM card accounts for the criminals’ benefit, including SIM card billing fraud, customer self-management website accounts, enterprise telecom management, and insider trading.
• Evolution of Telecom Fraud: This section explains the evolution of network operations, from circuit switching to packet switching to “data-switched” network.
• Threat Model Components for Telecom Crime: This section sets out the threat model components for SIM fraud, device types, network types, telecom application types, and customer application types.
• Threat Modeling Telecom Infrastructure: This section covers SIM card accounts, SMS and premium SMS, trunking (i.e., the establishment of bulk call management routing), roaming, and radio.
• Physical Telecom Infrastructure Attacks Facilitating Telecom Fraud: This section describes significant categories of attacks, such as SIM box fraud, international revenue share fraud, prepaid charging abuse, intermarket/interconnect bypass fraud, tromboning (i.e., modifying a running call to make it faster and better) and reverse bypass fraud
• Network-Based Telecom Fraud: This section discusses other attacks, such as Private Branch Exchange (PBX) (i.e., a computer responsible for routing revenue-generating traffic) hacking, subscription fraud, wangiri fraud (i.e., use of an automated fraud infrastructure or autodialer that calls many people, and, for each victim who calls that number back, “becomes the originator of the call (and therefore the one who has responsibility to pay for it)”), and voice phishing (“vishing”).
• Noteworthy Real-World Cases of Telecom Fraud: This section presents two cases that have been anonymized and made generic, but that provide details about the approaches the criminals used.

In conclusion, the report notes that

[t]he emphasis at hacker conferences are on the low-risk ease of attacks, the financial revenue from attacks, interesting information learned as a side effect of attacks as all motivators for this uptick in cybertelecom attacks. Additional motivators drawing attention to this class of attack are the very lucrative employment opportunities for individuals with CyTel security/hacking/fraud skills.

The report recommends that telecommunications companies “provide the needed types of support, training, and investment to engage entities like the Europol EC3 CyTel working group.”  It notes that intelligence and techniques can be shared in that group “for the greater good,” and that [n]on-European entities and national law enforcement groups have joined as well, and benefit from the reduced effort and complexity in performing law enforcement actions.”  It also touts the importance of cyber-telecom intelligence fusion through three approaches: (1) the concept of a global telecom network with unified threat intelligence between telecommunications service providers, between law enforcement, and between providers themselves”; and (2 “[o]ther Europol criminology- and intelligence-sharing groups such as Airline Fraud (Global Airline Action Days) and Euro Money Mule Action (EMMA) operations.

Note: Both information-security and fraud compliance teams should read the report closely – whether to establish or update their understanding of cyber-telecom fraud trends and techniques.  The sophistication of many of these techniques makes it all the more important that companies maintain robust cyber-defenses and include key information from the Europol report in internal briefings and training for executives and employees.

Over the last three weeks, domestic and international media have focused rapt attention on the recent U.S. federal indictment of dozens of parents who, among other actions, allegedly paid substantial bribes to secure their children’s admission to top-flight universities.   Those who track corruption trends around the world might be forgiven for experiencing some bemusement, given the fact that bribery of educators is a deeply entrenched practice in countries across multiple regions, including Africa, Asia-Pacific, Europe and Central Asia, and Latin America and the Caribbean.

A recent report by Global Press Journal about bribery in Ugandan schools provides a timely perspective on the practice, despite official condemnation.  Government policy is reflected in Ugandan Ministry of Education and Sports guidelines, which require “that teachers who favor certain children based on gifts they get receive warnings [and] can even be fired if the problem persists.” At local levels, each school’s head teacher supposedly has responsibility for seeing that teachers are not bribed.

In practice, however,

[c]ash, luxury items and even bags of groceries are now so commonly passed from parents to teachers in Uganda that some teachers now boldly request those items. In exchange, the children of parents who give gifts often sit at the front of the class and receive high marks, whether or not those marks are earned.

While Uganda suffers from widespread corruption in general, one likely reason for public-school teachers’ acceptance of bribes by parents is their low salary range. One teacher stated that “she expects to get at least 200,000 Ugandan shillings [(USh] (about $54) from parents during this season” – the equivalent, for some teachers, of almost one month’s salary.  Another teacher said that she has seen “some parents at her child’s baby class give cash – 10,000 ($2.70), 20,000 ($5.40) and even 50,000 ($13.51) shilling notes – to teachers.”

Ugandan primary school teachers on average earn USh 250,000 (approximately $67) a month, secondary-school teachers have starting salaries of USh 536,000 (approximately $145), and teachers with a degree can be paid approximately USh 600,000 (about $162).  As a point of comparison, entry-level health workers receive approximately USh 313,000 (about $85), and police and prison officers receive between USh 467,000 (approximately $126) and USh 573,000 (approximately $155).

The Global Press Journal article provides a cogent reminder of how deeply corruption can infect and persist in people’s everyday lives, and how difficult it can be to eliminate corruption in the face of significant economic inequalities.

On March 28, The Times reported that London Metropolitan Police (Met) Commissioner Cressida Dick has cited money service businesses (MSBs) in London as the means by which drug gangs are exporting “crate-loads of dirty cash out of the country.”

In March 26 testimony before the United Kingdom Parliament’s Home Affairs Select Committee, Commissioner Dick stated that the approximately 9,000 MSBs in London “are not very well regulated. Huge amounts of cash are going through those institutions and most of it straight out of the country on crates.”  She also testified that based on highly targeted testing that the Met had done over the previous three to four months, “[a] huge amount of that cash” appears “to be illegal finance and most of it comes from the drugs trade.”

In a separate statement, a Met spokeswoman said that “’[a]pproximately £2 billion is moved out of the country a month to places like the United Arab Emirates from MSBs and a lot of this is linked to criminality. When officers seize cash, paper trails often lead to MSBs’.”

Although the Met stated “that it had seized a record £95 million in cash last year using a range of tactics including freezing assets,” with the largest cash seizure to date being £1.3 million, Commissioner Dick said “that new laws and better enforcement were needed.”

Note: In formal terms, MSBs in the United Kingdom are already subject to regulation.  Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, a variety of MSBs must register with HM Revenue & Customs.  MSBs subject to the Regulations include any business acting as a currency exchange office (i.e., a bureau de change), transmitting money or any representation of money by any means (i.e., money remittance), and cashing cheques payable to a customer (i.e., third-party check-cashing).  In addition, money transmitters must be registered or authorized by the Financial Conduct Authority under the Payment Services Regulations 2009.

In practice, however, law enforcement authorities must deal with a vast number of MSBs across the United Kingdom.  According to the Met, Great Britain alone has approximately 45,000 MSBs, compared to approximately 6,000 in France and 220 in the Netherlands.  The Government is well aware of the money-laundering threat that this multiplicity of MSBs poses.  One joint report by the UK Treasury and Home Office specifically warned about “control of MSBs by organised crime groups”

In light of these connections between MSBs and drug money laundering, AML compliance teams in United Kingdom financial institutions should pay close attention to all MSBs whom their institutions are banking, and see that their customer risk assessment frameworks are fully updated in light of current information about key AML trends.  In particular, they should review their customer risk models on all MSBs they are banking, and be prepared to increase the frequency and the range of enhanced due diligence on any high-risk MSBs.  At a time, when attention to AML enforcement is increasing in the United Kingdom, Europe, and elsewhere – only in part because of the continuing ripple effects of the Danske Bank scandal — no United Kingdom financial institution can afford to bend the rules or relax their oversight for any MSBs that are deemed to be high-risk customers.