Month: July 2019

On July 30, cybersecurity firm AttackIQ released a report, based on research by the Ponemon Institute, that evaluated the efficacy of enterprise security strategies.  The report, titled “The Cybersecurity Illusion: The Emperor Has No Clothes,” stems from a Ponemon Institute survey of 577 information-technology and information-technology security practitioners in the United States “who are knowledgeable about their organization’s IT security strategy and tactics.”  Fifty-eight percent of those respondents are at or above supervisory levels.

The report’s most prominent finding was that 53 percent of those surveyed admitted that “they don’t know how well the cybersecurity tools they’ve deployed are working. . . . While respondents are most confident in having visibility into the organization’s applications, endpoints and servers, only 35 percent of respondents say they have a high degree of confidence in visibility into their cloud and IoT devices.”

Other significant findings from the survey data included the following:

• Although companies are reportedly spending an average of $18.4 million annually on cybersecurity, data breaches still happen. Seventy percent of respondents attributed  that fact to the skill of the attackers.  Sixty-six percent attributed it to the complexity of computer security infrastructure (66 percent of respondents), “in part because the companies represented in this research have an average of 47 separate security solutions and technologies deployed in their organizations.  Sixty-five percent of respondents attributed it to “the dynamically changing attack surface and lack of adequate security staff with the necessary skills.”
• Only 25 percent of respondents said that “the IT security team is able to respond to security incidents within one day,” primarily because of “a shortage of in-house expertise and the lack of timely response and engagement with other departments and functions.”
• Sixty-three percent of respondents noted that “they have observed a security control reporting it blocked an attack when it actually failed to do so.”
• Organizations have a mixed record of success in using penetrating testing to discover cybersecurity gaps. Even though 57 percent of respondents stated that their IT security teams conduct penetration testing. However, 31 percent of respondents stated that “they have no set schedule for penetration testing.” Similarly, 65 percent of respondents reported that “their penetration testing is very effective or effective in uncovering security gaps,” only 17 percent of respondents stated that “they confirm security gaps every time they are found through penetration testing.”
• Respondents indicated that most organizations represented in the survey “will increase their IT security budget in the next 12 months, and 58 percent of respondents said that their organizations would be increasing their IT security budgets by an average of 14 percent.

Note: Not only Chief Information Security Officers, but other C-level business executives should pay close attention to these findings.  In particular, CISOs should have extended conversations with their information-security teams to see how their organizations’ cybersecurity programs are actually performing, and whether any of the shortcomings that the survey respondents identified are occurring in their own organizations.

While the Ponemon Institute survey asked respondents about their organizations’ expected IT security budget for the next 12 months, the percentage by which it would increase, the dollar range for the 2019 IT security budget, and the allocation of that budget, it did not ask whether they thought their organizations’ current and future cybersecurity budgets were adequate.  For that reason, even if they believe that their current budgets are adequate, CISOs need to revisit that issue with their IT staff members and be prepared to seek additional funding from their organizations if those discussions identify critical deficiencies that must be addressed promptly.

On July 26, in United States v. Lebedev, a panel of the U.S. Court of Appeals for the Second Circuit affirmed the convictions of Yuri Lebedev and Trevon Gross, as well as Gross’s sentence, on bank fraud and bank bribery-related charges.  The defendants’ scheme concerned an internet‐based Bitcoin exchange service known as “Coin.mx,” which concealed from banks and credit card companies processing its transactions that its true purpose was to allow the purchase and sale of Bitcoins.   Although Coin.mx “opened bank accounts in the name of “the Collectables Club,” which falsely purported to be a private members’ association dedicated to collecting and exchanging memorabilia,” and processed credit card transactions listing the Collectables Club as the merchant, “[n]either Coin.mx nor the Collectables Club registered with federal regulators as a money‐transmitting entity or obtained state licensure for that purpose.”

As an information-technology manager at Coin.mx, Lebedev “set up various Internet Protocol (“IP”) addresses to make it appear to banks and payment processors that Coin.mx’s transactions were legitimate Collectables Club transactions.”  Eventually, to avoid the risk of having banks shut down their accounts, “Coin.mx sought control of a credit union to process its transactions.”  In April 2014, Coin.mx representatives contacted Gross, then Chairman of the Helping Other People Excel Federal Credit Union (“HOPE FCU”) to discuss the possibility of Coin.mx’s taking control of HOPE FCU.

In  negotiations between HOPE FCU and the Collectables Club, Gross promised to give the Collectables Club a majority of seats on the credit union’s board of directors, in return for three donations totaling $150,000 to the nearby Hope Cathedral, where Gross was head pastor.  “Evidence at trial demonstrated that Gross frequently used those ‘donations’ for personal expenses.”  In addition, Kapcharge, a Canadian third‐party payment processing company with which another defendant in the case was affiliated sought to process payments through an account at HOPE FCU.  After becoming a member of the credit union, “Kapcharge and its co-conspirators paid Gross $12,000 in so‐called ‘consulting fees’.”

Although Gross eventually had “a falling out” with Lebedev and other coin.mx epresentatives, “which resulted in Gross expelling them from the credit union and terminating their relationship,” he “continued to allow Kapcharge to process transactions through its account after Coin.mx was no longer involved in the credit union.”  When the National Credit Union Administration (NCUA), HOPE FCU’s regulator, conducted an examination of the credit union, Gross failed to disclose a number of transactions, including the “donations,” and made other material misrepresentations.  Ultimately, in October 2015, the NCUA placed HOPE FCU into conservatorship.

At trial, Lebedev and Gross were convicted on all counts.  They were sentenced to 16 months’ and 60 months’ imprisonment, respectively, and were ordered to pay joint and several liability of $126,771.82 with their convicted codefendants.  On appeal, the Second Circuit panel had little difficulty in finding sufficient evidence to support Lebedev’s conviction and rejecting Gross’s challenges to various evidentiary rulings and to his sentence.

Note: While the holdings and reasoning of the panel’s decision are unremarkable, this case is still worthy of attention by anti-money laundering and fraud compliance teams, in part for in-house compliance training.  It indicates the risks of a financial institution’s failure to conduct due diligence on purportedly legitimate customers, and of other senior executives’ failures to challenge a board chairman’s effectively ceding control of the board to representatives of that customer and to inquire further into the reasons for his doing so.

Bank regulators have warned for some time about the risks inherent in financial institutions’ relationships with third-party processors.  This case demonstrates how grave those risks can be for financial institutions that have inadequate compliance oversight and internal controls.

On July 25, ZDNet reported that a number of local Brazilian banks had had an estimated 25 gigabytes of their customers’ personal exposed to public access via an unprotected server of a third-party financial services provider.  The types of personal data exposed include scanned identification and social security cards, “as well as documents provided as proof of address and service request forms filled out by customers based in the capital city of Fortaleza, in the Brazilian state of Ceará.”

Although the data exposure pertains to multiple banks, a substantial amount of the exposed data relates to one local Brazilian bank, Banco Pan.  Banco Pan issued a statement in which it reported “that the server is not owned by Pan and that no intrusion into the bank’s infrastructure has been found.”  It also promised to “take appropriate measures if any misuse of this data is identified,” and stressed that security is a key priority for the firm and that it complies with data protection best practices as well as local regulations.

Note: This latest incident is a reminder to financial institutions’ compliance and information-security teams that they need to remain vigilant in maintaining their due diligence on critical third-party providers.  Servers that have misconfigured cybersecurity software or, in this case, are wholly unprotected are an open invitation to malicious actors.

Third-party providers remain a critical vulnerability for many businesses.  A November 2018 Ponemon Institute survey of U.S. and United Kingdom Chief Information Security Officers and other security and risk professionals found that 59 percent of all respondents, and 61 percent of U.S. respondents (a five percent increase since 2017), stated that that they had “experienced a data breach caused by one of their vendors or third parties.”  More troublesome were the survey findings that 22 percent of respondents indicated that they did not know whether they had had a third-party data breach in the preceding 12 months, and more than three-quarters of respondents “think that third-party cybersecurity breaches are increasing.”

On July 23, the U.S. Department of Justice announced that on July 22, a federal grand jury in the District of New Jersey returned an indictment charging four Chinese nationals and a Chinese company, Dandong Hongxiang Industrial Development Co. Ltd. (DHID), with violating the International Emergency Economic Powers Act (IEEPA), conspiracy to violate IEEPA and defraud the United States, conspiracy to violate, evade, and avoid restrictions imposed under the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMDPSR); and conspiracy to launder monetary instruments.

The four Chinese nationals are Ma Xiaohong (Ma), who formed DHID and was its principal shareholder and senior executive; general manager Zhou Jianshu (Zhou) DHID’s general manager; Hong Jinhua (Hong), DHID’s deputy general manager; and Luo Chuanxu (Luo), DHID’s financial manager.

The indictment alleges that DHID

was a Chinese company whose core business was trade with North Korea.  DHID allegedly openly worked with North Korea-based Korea Kwangson Banking Corporation (KKBC) prior to Aug. 11, 2009, when the Office of Foreign Assets Control (OFAC) designated KKBC as a Specially Designated National (SDN) for providing U.S. dollar financial services for two other North Korean entities, Tanchon Commercial Bank (Tanchon) and Korea Hyoksin Trading Corporation (Hyoksin).

In June 2005, President George W. Bush identified Tanchon as a weapons of mass destruction proliferator, and in July 2009, OFAC designated Hyoksin as an SDN under the WMDPSR in July 2009.  The Justice stated that Tanchon and Hyoksin “were identified and designated because of their ties to Korea Mining Development Trading Company (KOMID), which OFAC has described as North Korea’s premier arms dealer and main exporter of goods and equipment related to ballistic missiles and conventional weapons.”

Beginning after KKBC was designated as an SDN in August 2009, Ma allegedly conspired with Zhou, Hong, and Luo

to create or acquire numerous front companies to conduct U.S. dollar transactions designed to evade U.S. sanctions. The indictment alleges that from December 2009 to September 2015, the defendants established front companies in offshore jurisdictions such as the British Virgin Islands, the Seychelles, Hong Kong, Wales, England, and Anguilla, and opened Chinese bank accounts held in the names of the front companies at banks in China that maintained correspondent accounts in the United States.  The defendants used these accounts to conduct U.S. dollar financial transactions through the U.S. banking system when completing sales to North Korea.

These front companies also facilitated the financial transactions, which KKBC allegedly financed or guaranteed,

to hide KKBC’s presence from correspondent banks in the United States, including a bank processing center in Newark, New Jersey, according to the allegations in the indictment.  As a result of the defendants’ alleged scheme, KKBC was able to cause financial transactions in U.S. dollars to transit through the U.S. correspondent banks without being detected by the banks and, thus, were not blocked under the WMDPSR program.

Note: This case is another in the continuing series of enforcement actions that the Justice Department has taken against individuals and companies that seek to assist sanctioned North Korean entities, for activities such as money laundering or direct sanctions violations.  It should be noted that in 2016, DHID and the same four defendants were charged in a federal criminal complaint with substantially the same conduct, OFAC imposed sanctions on them for their ties to the North Korean government’s weapons of mass destruction proliferation efforts, and the Justice Department filed a civil forfeiture action for all funds contained in 25 Chinese bank accounts that allegedly belonged to DHID and its front companies.

The Justice Department announcement does not mention that any of the individual defendants are in custody.  The United States presumably will ask Interpol to put out a Red Notice – “a request to law enforcement worldwide to locate and provisionally arrest a person pending extradition, surrender, or similar legal action“ — on each of the individuals, though none of them are yet on the public Red Notice list.

On July 22, the U.S. federal bank supervisory agencies and the Financial Crimes Enforcement Network (FinCEN) issued a joint statement ”to emphasize their risk-focused approach to examinations of banks’ Bank Secrecy Act /anti-money laundering (BSA/AML) compliance programs,” and to improve transparency into the risk-focused approach that the agencies use for planning and performing BSA/AML examinations.

The joint statement has two principal sections, each of which addresses multiple topics:

1. BSA/AML Compliance Programs and Risk Profiles:
   • General Requirement: The joint statement first sets out the agencies’ expectations that “banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity,” in order “[t]o assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA.” Such a risk-based compliance program “enables a bank to allocate compliance resources commensurate with its risk.
   • Risk Assessment and Risk Profile: The joint statement briefly notes, with regard to BSA/AML risk assessments, that “[a] bank’s well-developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.” With regard to risk profiles, it further states that banks “determine the levels and types of risks that they will assume.”  On this point, the joint statement attaches a footnote stating that “[b] Bank directors provide guidance regarding acceptable risk exposure levels and corresponding policies while management implements policies, procedures, and practices that translate the board’s goals, objectives, and risk limits into prudent operating standards.”
   • Risk Mitigation and “De-risking”: Banks that operate in compliance with applicable law, properly manage customer relationships and effectively mitigate risks by implementing controls commensurate with those risks are neither prohibited nor discouraged from providing banking services.”  This sentence, as the agencies explain in a footnote, “does not create additional requirements or supervisory expectations for banks.”  The joint statement also recapitulates prior statements by the banking agencies on de-risking, encouraging banks “to manage customer relationships and mitigate risks based on customer relationships rather than declining to provide banking services to entire categories of customers.”
   • Agencies’ Approach to Examinations: The joint statement summarizes the agencies approach to BSA/AML examinations as follows:
     • “Federal banking agency examiners evaluate the adequacy of a bank’s BSA/AML compliance program relative to its risk profile, and that bank’s compliance with applicable laws and regulations. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks.”
     • The joint statement also recognizes that there is no “one-size-fits-all” risk profile applicable to banks.  It notes that the agencies “recognize that banks vary in focus and complexity, and that these differences create for each bank a unique risk profile. Accordingly, the scope of BSA/AML examinations varies by bank.”  With regard to the variability of focus, it briefly states, in a footnote, that “[f]or example, a bank with a localized community focus likely has a stable, known customer base.”
2. Risk-Focused Examinations: This section begins with a general statement that the federal banking agencies “s conduct risk-focused BSA/AML examinations, and tailor examination plans and procedures based on the risk profile of each bank.” It then explains how the agencies conduct those examinations:
   • Common Practices: This section notes that common practices for assessing the bank’s risk profile include the following actions:
     • “leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank”;
     • “contacting banks between examinations or prior to finalizing the scope of an examination”; and
     • “considering the bank’s ability to identify, measure, monitor and control risks.”
   • This section adds that “[t]he information gained from assessing the bank’s risk profile assists examiners in scoping and planning the examination and initially evaluating the adequacy of the BSA/AML compliance program.”

• Resource Allocation: This section declares that the federal banking agencies “generally allocate more resources to higher-risk areas, and fewer resources to lower-risk areas. For example, the pre-examination request list is tailored to the bank’s risk profile, complexity, and planned examination scope.”
• Risk Assessment and Testing: This section further states:
  • “Examiners review a bank’s BSA/AML risk assessment and independent testing to assess the bank’s ability to identify, measure, monitor, and control risks. Risk assessments and independent testing that properly consider and test all risk areas (including products, services, customers, and the geographic locations in which the bank operates and conducts business) are used in determining the examination procedures and transaction testing that should be performed.”
• Examination Manual: This section concludes with a declaration that the risk-focused approach reflected in the joint statement “forms the foundation for the information, instructions, and procedures communicated to examiners through the Federal Financial Institutions Examination Council BSA/AML Examination Manual.”

In its conclusion, the joint statement recapitulates a number of its key points:

• “Risk-focused BSA/AML examinations consider a bank’s unique risk profile”;
• Examiners “use risk assessments and independent testing when planning and conducting examinations,” and “assess the adequacy of a bank’s BSA/AML compliance program during each examination cycle”;
• “The extent of examination activities necessary to evaluate a bank’s BSA/AML compliance program generally depends on a bank’s risk profile and the quality of its risk management processes to identify, measure, monitor, and control risks, and to report potential money laundering, terrorist financing, and other illicit financial activity.”

Note:  Financial institutions’ risk and AML compliance teams should read the joint statement closely, both as a general checklist for reviewing their BSA/AML compliance programs and as a frame of reference in preparing for future BSA/AML examinations.  While the joint statement specifically states that it “does not establish new requirements,” it articulates regulators’ expectations regarding BSA/AML program evaluations in greater detail than before.

The joint statement also may serve as a recognition of the limits to which regulators may go in questioning the adequacy of a bank’s BSA/AML program.  So long as a bank has thought through and provided sufficient processes and resources for each element of is program, taking into account its unique risk profile, it can be in a stronger position to challenge, respectfully but firmly, any suggested revisions to its BSA/AML program that are inconsistent with a risk-based approach.