Month: May 2019

On May 15, the Frankfurt am Mein Public Prosecutor’s Office announced that it, the Bundeskriminalamt (BKA) (Federal Criminal Police), the Frankfurt Landeskriminalamt (LKA) (State Criminal Police), the Frankfurt am Mein Oberfinanzdirecktion (Regional Tax Office), and five municipal tax offices in Germany conducted searches in 29 locations across Germany, as part of a wide-ranging investigation of tax evasion.  The searches included eight individuals’ living quarters in five German cities, towns, and municipalities and on the island of Sylt, the business premises of eleven banks and savings banks in seven cities and towns, the business premises of four tax consultants in four cities and towns, and the business premises of six asset management companies in Hamburg.

The Public Prosecutor’s Office stated that the focus of the investigation was wealthy individuals in Germany suspected of tax evasion.  Each of those individuals, according to that office, intended – with the help of the former subsidiary of a major German bank in the British Virgin Islands – to establish companies in tax havens to hide investment income from the German Treasury and evade taxes.

The Public Prosecutor’s Office reported that the purpose of the search warrants was to obtain evidence regarding the untaxed income, and to clarify the economic conditions of the companies in the tax havens.  It stated that the searches were related to the search of a major German bank in Frankfurt am Main suspected of engaging in money laundering in late November 2018.  It also explained that what prompted the investigation were findings from “Offshore Leaks.”

Note: “Offshore Leaks” is the name of a 2013 investigation by the International Consortium of Investigative Journalists (ICIJ).  The journalistic reporting from Offshore Leaks has already prompted civil and criminal investigations and legislative and policy changes in numerous jurisdictions.  The ICIJ’s Offshore Leaks database, which the public can access, reportedly contains data on “more than 100,000 secret companies, trusts and funds created in offshore locales such as the British Virgin Islands, Cayman Islands, Cook Islands and Singapore.” Those data stemmed from “a massive leak of 2.5 million privately-held business records [that] detailed more than 120,000 offshore companies and trusts.”

The New York Times reported that the German tax-evasion investigation began with Deutsche Bank, “but has widened to involve other lenders.”  According to the ICIJ, the “major German bank” mentioned by the Public Prosecutor’s Office is Deutsche Bank and its “former subsidiary” is Regula Ltd., which the ICIJ described as “a ‘nominee’ shareholder of shell companies.”  Deutsche Bank, whose headquarters and other offices were searched in November 2018 in a major investigation of money laundering through tax havens, publicly stated that its offices were not searched this week.

Financial-crimes compliance teams in financial institutions, particularly in the United States and the United Kingdom, should continue to monitor further developments with this tax-evasion investigation, particularly if it continues to widen to other financial institutions.

On May 16, the European Commission (EC) announced that in two settlement decisions, it fined five global financial institutions — Barclays, The Royal Bank of Scotland (RBS), Citigroup, JPMorgan, and MUFG Bank (formerly Bank of Tokyo-Mitsubishi) – “for taking part in two cartels in the Spot Foreign Exchange market for 11 currencies – Euro, British Pound, Japanese Yen, Swiss Franc, US, Canadian, New Zealand and Australian Dollars, and Danish, Swedish and Norwegian crowns.”

The first EC decision (labeled the “Forex – Three Way Banana Split” cartel, for reasons explained below) imposes a total fine of €811,197,000 on Barclays, RBS, Citigroup, and JPMorgan.  The second EC decision (labeled the “Forex- Essex Express” cartel) imposes a total fine of €257 682 000 on Barclays, RBS and MUFG Bank (formerly Bank of Tokyo-Mitsubishi).

The EC explained that in foreign exchange (“Forex”) currency trading, “Forex spot order transactions are meant to be executed on the same day at the prevailing exchange rate.”  It stated that the 11 currencies listed above are “the most liquid and traded currencies worldwide” and five of which are used in the European Economic Area (EEA).  The EC stated that its investigation

revealed that some individual traders in charge of Forex spot trading of these currencies on behalf of the relevant banks exchanged sensitive information and trading plans, and occasionally coordinated their trading strategies through various online professional chatrooms.

The commercially sensitive information exchanged in these chatrooms related to:

1)     outstanding customers’ orders (i.e. the amount that a client wanted to exchange and the specific currencies involved, as well as indications on which client was involved in a transaction),

2)     bid-ask spreads (i.e. prices) applicable to specific transactions,

3)     their open risk positions (the currency they needed to sell or buy in order to convert their portfolios into their bank’s currency), and

4)     other details of current or planned trading activities.

The EC also noted that these information exchanges, following the tacit understanding that the participating traders reached,

enabled them to make informed market decisions on whether to sell or buy the currencies they had in their portfolios and when.

Occasionally, these information exchanges also allowed the traders to identify opportunities for coordination, for example through a practice called “standing down” (whereby some traders would temporarily refrain from trading activity to avoid interfering with another trader within the chatroom).

According to the EC, “[m]ost of the traders participating in the chatrooms knew each other on a personal basis.”  For example, “one chatroom was called Essex Express ‘n the Jimmy because all the traders but ‘James’ lived in Essex and met on a train to London.” In addition, some of the traders “created the chatrooms and then invited one another to join, based on their trading activities and personal affinities, creating closed circles of trust.” Moreover, “[t]he traders, who were direct competitors, typically logged in to multilateral chatrooms on Bloomberg terminals for the whole working day, and had extensive conversations about a variety of subjects, including recurring updates on their trading activities.”

Under Article 101 of the Treaty on the Functioning of the European Union (TFEU) and Article 53 of the EEA Agreement, cartels and other restrictive business practices are prohibited.  The EC reported that its investigation established the existence of two distinct infringements of those provisions, concerning foreign exchange spot trading.  The first infringement – termed the “Three Way Banana Split” infringement –began on December 18, 2007 and ended on January 31, 2013.  It involved communications in three different, consecutive chatrooms (labeled “Three way banana split / Two and a half men / Only Marge”) among traders from UBS, Barclays, RBS, Citigroup, and JPMorgan. The infringement.

The second infringement – termed the “Essex Express infringement” – began on December 14, 2009 and ended on July 31, 2012.  It involved communications in two chatrooms (labeled “Essex Express ‘n the Jimmy” and “Semi Grumpy Old men”) among traders from UBS, Barclays, RBS, and Bank of Tokyo-Mitsubishi (now MUFG Bank).

The fines that the EC imposed reflected, in particular, the sales value in the EEA that the cartel participants achieved for the products in question, as well as the serious nature, geographic scope, and duration of the infringement.  The EC also stated that under its 2006 Leniency Notice, “UBS received full immunity for revealing the existence of the cartels.”  That disclosure enabled UBS to avoid what the EC calculated would have been an aggregate fine of approximately €285 million.

In the Three Way Banana Split infringement, the EC noted that “all banks involved benefited from reductions of their fines for their cooperation with the Commission investigation,” and that the reductions “reflect the timing of their cooperation and the extent to which the evidence they provided helped the Commission to prove the existence of the cartel in which they were involved.”  In the Essex Express infringement, the ECD noted that “all banks except one benefited from reductions of their fines for their cooperation with the Commission investigation,” and that those reductions “reflect the timing of their cooperation and the extent to which the evidence they provided helped the Commission to prove the existence of the cartels in which they were involved.”  It also noted that MUFG Bank (formerly Bank of Tokyo-Mitsubishi) “did not apply for leniency.”  Finally, it explained that under its 2008 Settlement Notice, it “applied a reduction of 10% to the fines imposed on the companies in view of their acknowledgment of participation in the cartels and of their liability in this respect.”

Note: Compliance teams in financial institutions – not just those engaged in Forex trading — should brief senior executives about these EC decisions, and provide guidance about the specific kinds of trader behaviors that the EC evidently considered probative of collusive conduct.  Because other types of trading also involve rapid execution of transactions, compliance teams at firms that engage in one or more types of trading should also review their firms’ internal controls, to see whether brokers or traders participate in any online fora (like the chatrooms at issue in the Forex decisions), and if so, whether monitoring of brokers’ or traders’ participation in those fora is effective in detecting potential coordinating or collusive exchanges of information.

In its Forex release, the EC briefly commented that it “will continue pursuing other ongoing procedures concerning past conduct in the Forex spot trading market.”  Financial institutions doing business in the European Union, however, should expect that the EC’s Directorate-General for Competition would readily investigate similar conduct by other types of traders.

On May 10, the U.S. Department of Justice announced that Banca IMI Securities Corp. (Banca IMI), a New York broker-dealer and subsidiary of Italian bank Intesa Sanpaolo, “pleaded guilty to an antitrust charge and was sentenced to pay a criminal fine in excess of $2 million for its involvement in a bid-rigging conspiracy for certain financial instruments.”

The Justice Department stated that “Banca IMI admitted, as part of its guilty plea, that from March 2012 until at least August 2014, it conspired with other institutions and individuals to submit rigged bids to borrow pre-release American Depository Receipts (ADRs).”  In particular, it said that

Banca IMI pleaded guilty to conspiring to borrow pre-release ADRs from U.S. depository banks at artificially suppressed rates.  During the conspiracy, a U.S. depository bank began using an auction-style process for pre-release ADRs and invited Banca IMI and other broker-dealers to submit competitive bids for rates to borrow ADRs.  In response, Banca IMI and its co-conspirators intensified their coordination in an effort to increase artificially their profits under the auction-style process.  On at least 30 occasions, Banca IMI reached an agreement with one or more co-conspirators as to the bids they would submit to U.S. depository banks.  On many occasions, the conspirators agreed that they all would submit the same bid.

Note: This is not Banca IMI’s first encounter with U.S. enforcement authorities in connection with pre-release ADRs.  In 2017, Banca IMI agreed to pay more than $35 million to the Securities and Exchange Commission (SEC) to settle charges that it violated federal securities laws when it requested the issuance of and received American Depositary Receipts (ADRs) without possessing the underlying foreign shares.  Nor is this the first recent enforcement action relating to pre-release ADRs, as several other leading financial institutions have also reportedly “settled charges of improper handling of pre-released ADRs with the SEC.”

It is curious that the Department did not specify the criminal offense to which Banca IMI pleaded guilty, other than the generic term “an antitrust charge.”  Nor did it specify the date of the plea, the federal judicial district in which the plea was entered, or the maximum sentence that could be imposed for the violation.  It is customary for the Department, in announcing pleas or trial convictions (including criminal antitrust prosecutions), to refer specifically to all four categories of information, for the sake of the media’s and the public’s understanding.  Although various media reports simply repeated the vague phrase “an antitrust charge” in reporting the plea, the underlying offense can only be section 1 of the Sherman Act, in the light of the Department’s allegations.

In any event, financial-institution compliance officers handling antitrust compliance issues should take note of the plea, and of the Justice Department’s indication that it and the FBI are continuing their investigation into bid rigging in the market for pre-release ADRs, in updating their internal guidance and training for executives.

On May 13, the Financial Times and other media reported that spyware created and marked by an Israeli technology firm, NSO Group, can exploit a security flaw in the popular messaging app WhatsApp “to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call.”

WhatsApp researchers reportedly found the flaw in early May, and identified the spyware as Pegasus, which NSO Group developed.  Previously, according to Forbes, Pegasus was found to exploit iOS vulnerabilities and install on iPhones to acquire “all communications and locations of the targeted iPhones,” including “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications,” as well as Wi-Fi passwords.

In a public statement responding to these reports, WhatsApp did not name NSO Group, but commented that “[t]his attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”  It also encouraged people “to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”  In addition, Facebook, which owns WhatsApp, posted details about the vulnerability for computing professionals.

Note: Given the reported sophistication of the spyware, Information-security teams at companies and government agencies should promptly circulate information about the WhatsApp vulnerability, including instructions on updating the app, to all employees.  Chief Information Security Officers (CISOs) should also emphasize to senior executives the importance of promptly installing the updates, and advise them to inform CISO team members of any unusual occurrences with any mobile device on which the executives have installed WhatsApp.

In the ever-widening wake of the Danske Bank scandal, a series of discussions has begun in European Union (EU) banking circles about possible information-sharing agreements to improve anti-money laundering (AML) oversight.

There are strong indications that bank regulators across the EU are actively discussing how they can share certain data related to customers.  According to Yahoo Finance UK, Marius Jurgilas, a Bank of Lithuania board member, said “that regulators from Sweden, Norway, Finland, Denmark, Estonia, Latvia, and Lithuania are in talks about sharing transaction-level banking data” as part of AML efforts.  Although he declined to provide specific examples of topics under discussion, Jurgilas stated that EU national regulators were discussing how “to create something better,” such as “sharing of data across the regulators, identifying illicit transactions by using transaction-level data across the region, and all of a sudden that region becomes the best ever in terms of risk management.”  (Jurgilas also briefly stated “that regulators were prioritising a joint investigation into all the banks involved in the [Danske Bank] scandal.”)

Confirming Jurgilas’s remarks, Bloomberg reported that Jesper Berg, Director-General of the Danish Financial Supervisory Authority (FSA), “has started lobbying counterparts elsewhere for a broader discussion” about secrecy of bank clients’ data.  Berg reportedly said that “it’s worth considering whether banks should be allowed to share reports of suspicious customers before the police confirm illegal activity, and that a common infrastructure for such reporting “could include ‘customers that have been thrown out of one bank, so they’re not allowed to go to the next bank’.”

Berg acknowledged that “huge privacy issues,” but declared that “we need to figure out how to resolve this.”  He also stated that “letting banks share data would be a more effective tool than creating a single European entity to target money launderers.”

Samu Kurri, head of the financial analysis and operational risks department at the Finnish FSA, seconded Berg’s proposal, calling it “extremely good and supportable.”  Kurri cautioned that this concept of authorizing banks to share data would “represent a fundamental change to traditional tight banking secrecy on a philosophical level”, and “would take very careful preparation to draw up.”

Philippe Vollot, Danske Bank’s head of compliance since October 2018, sounded another cautionary note.  He commented, according to Bloomberg, “that while it makes sense to share general information, privacy concerns make it more challenging to distribute suspicious-activity reports. The subject of such a report may ultimately be found innocent of any involvement.   Vollot also commented, “To have somewhere in the system a capacity that criminals would not be able to move from one financial institution to another – that would be something extremely effective to combat financial crime . . . . The issue here is the data privacy regulation, and it’s actually a philosophical debate about where does it start? Where do you draw the line?”

Note:  Regulatory and AML compliance teams at financial institutions in the EU and elsewhere should continue to watch for further indications that the idea of expanding AML-related information-sharing is gaining traction within the EU.  Key to those discussions, of course – as Vollot rightly indicated – is whether sufficient political will can be mustered to revise the General Data Protection Regulation (GDPR) to facilitate such information-sharing.  Any efforts to revise the GDPR would involve extraordinarily complex debates about how to strike a different balance between individual privacy and law enforcement or financial-sector needs.

As part of that debate, the EU would also need to take into account its Directive (EU) 2016/680, which applies to the processing and movement of personal data for purposes of prevention, investigation, detection, and prosecution of criminal offences.  Because Member States had until May 2018 to translate that latter Directive into law, they would have to revise their own domestic legislation implementing both Directives should the EU revise the GDPR.

At one point, the EU viewed the GDPR as meaning that “businesses benefit from a level playing field.” Thanks to the Danske Bank scandal, the EU and its Member States are starting to recognize that, as between financial institutions and criminals bent on exploiting them, the playing field is tilted very much in the criminals’ favor.  Releveling that playing field will require more than structural revisions in EU AML oversight.