Month: September 2019

On September 10, the Luxembourg Times reported that the European Public Prosecutor’s Office (EPPO), which is scheduled to open in Luxembourg in November 2020, is already substantially scaling back the size of its planned staffing.  Under a 2015 agreement, the EPPO was originally slated to have 118 full-time positions, in addition to as many as 90 positions that were to be transferred from the European Anti-Fraud Office (OLAF) in Brussels.

According to an unnamed EPPO official, however, “The Council and the European Parliament decided to give less than originally planned to the EPPO.  In the final agreement they decided to give 117. That 117 entails some transferred from OLAF.”  This change will result in a 40 percent reduction in staffing for the EPPO.

The decision likely stems from two separate factors.  The EPPO official commented that European Parliament and Council tend to weigh “global, including political and budgetary questions” when they approve agreements.  But Miguel Vicente-Nunez, president of a trade union that represents European Union institution staff working in Luxembourg, said that

it would have been difficult to convince OLAF staff to move from Brussels to Luxembourg.

He said the problem stems from an ongoing battle between the union and EU institutions over salary gaps in Luxembourg and Brussels. Staff working at most institutions earn the same wages – within their pay grid – whether they are based in Luxembourg or Brussels.

The cost of living in Luxembourg is higher, mainly driven by extortionate real estate prices, making the Grand Duchy less attractive than the Belgian capital, Vicente-Nunez said.

The EPPO official acknowledged that the decision could also be driven by salary and cost-of-living considerations, saying that this is a “general issue for many people from other EU countries and in particular Brussels.” Even so, the official expressed confidence that the EPPO would be able to attract enough staff.

The EPPO reportedly expects to recruit approximately around 30 staff members –including administrative, human resources, budget, and information-technology positions – and to select all 22 European Prosecutors by the end of 2019. Future staffing reportedly will be done “progressively over the next five years.”

Note: Brussels’ decision to reduce the EPPO staff so substantially, even before the EPPO has officially opened, undoubtedly took EPPO leadership aback.  Even so, the loss of OLAF positions being transferred to Luxembourg may not make a substantial difference to the EPPO in the long run, as there is what the Luxembourg Times called an “overlap in skills” between the two agencies and Brussels-based OLAF staff can perform a number of key investigative and analytical functions for the EPPO.

On September 10, Public Health England (PHE), an agency of the United Kingdom Department of Health and Social Care, issued a report on the results of its review “to identify the scale, distribution and causes of prescription drug dependence, and what might be done to address it.”  The review covered adults 18 years and older and five categories of prescription drugs: antidepressants; opioids for chronic non-cancer pain; benzodiazepines (mostly prescribed for anxiety); z-drugs (sleeping tablets with effects similar to benzodiazepines); and gabapentinoids (used to treat epilepsy, neuropathic pain, and (for pregabalin only) anxiety).

With regard to opioids, the PHE report included the following findings:

• Prevalence: During 2017 and 2018, 5.6 million adults in England (13 percent of the population) received, and had dispensed, one or more prescriptions for opioids.
• Trends: “After a long increasing trend, the annual number of prescriptions for opioid pain medicines has slightly decreased since 2016.”
• Association with Deprivation: “Prescribing rates for opioid pain medicines and gabapentinoids had a strong association with deprivation, being higher in areas of greater deprivation.”
• Patients’ Experiences: “Higher initial opioid doses and prior mental health problems were associated with long-term use of opioids and opioid dependence, respectively. Prescribing opioid pain medicines for longer than 90 days was associated with opioid overdose and dependence.”
• Long-Term Receipt of Prescriptions: 540,000 adults in England “received a prescription continuously between April 2015 (and perhaps earlier) and March 2018.”

The report stated that there was insufficient evidence to reach conclusions about the effectiveness and cost-effectiveness of service models (e.g., involvement of general practitioners and other primary-care services, helpline and telephone support, and counselling and support groups).  It concluded, with regard to opioid dependence, that “prescriptions for opioid pain medicines are decreasing, after rising for many years,” but that “[l]ong-term prescribing of opioids for chronic, non-cancer pain is not effective for most patients.”

With regard to all five categories of prescription drugs under review, the report set out five categories of recommendations:

1. Increasing the availability and use of data on the prescribing of medicines that can cause dependence or withdrawal to support greater transparency and accountability and help ensure practice is consistent and in line with guidance.
2. Enhancing clinical guidance and the likelihood it will be followed.
3. Improving information for patients and carers on prescribed medicines and other treatments, and increasing informed choice and shared decision-making between clinicians and patients.
4. Improving the support available from the healthcare system for patients experiencing dependence on, or withdrawal from, prescribed medicines.
5. Further research on the prevention and treatment of dependence on, and withdrawal from, prescribed medicines.

Note: While findings regarding any category of prescription drug dependence should be of interest to the United Kingdom medical community, the review’s findings regarding opioids merit particular attention, not least because the review reportedly “was ordered by ministers amid fears of a US-style opioid crisis.”  According to The Sunday Times, Matt Hancock, the United Kingdom’s Secretary of State for Health and Social Care, described the inquiry’s findings as “shocking.”

Previously, The Sunday Times had reported “a huge rise in the number of opioid prescriptions, which had rocketed to more than 40m a year, and inexplicable differences in prescription rates between the north and south of the country.” It also found

that GPs are doling out the drugs to patients for chronic pain — for which they are often no better than a placebo — and failing to review vulnerable patients left on the drugs for years. One patient was on opioids for 15 years.

Other factors in the crisis include the use by drug firms of US marketing tactics in an apparent effort to boost NHS prescriptions of their pills, and rogue online pharmacies that sell opioids, making it easier to access the drugs.

More recently, The Times disclosed “that a review by the Organisation for Economic Co-operation and Development had found opioid use is now falling in the US, while the UK has the world’s third fastest-growing rates of opioid use.”

If these reports are accurate, they closely resemble the reported patterns of behavior that prompted some 2,000 individual plaintiffs, as well as nearly all of the state attorneys general, to sue multiple pharma firms for fostering the opioid crisis in the United States.  How the United Kingdom Government will respond to the PHE report and to these reports about opioid abuse will be of great interest well beyond the borders of England.

On September 4, Her Majesty’s Revenue & Customs (HMRC) in the United Kingdom announced that it had imposed a record fine of £7.8 million on a West London money service business (MSB), Touma Foreign Exchange Ltd, for ignoring anti-money laundering (AML) regulations.

HMRC stated that it had fined the MSB “for a wide range of serious failures under the Money Laundering Regulations.”  In particular, between June 2017 and September 2018, Touma Foreign Exchange breached rules on (a) risk assessments and associated record-keeping, (b) policies, controls, and procedures; (3) fundamental customer due diligence measures, and (4) adequate staff training.  It also announced that on May 20, an individual who had acted as an officer for the MSB, Hassanien Touma had been banned from any management role at a business governed by AML regulations, because he had failed to pass a vetting test to ensure that he was “fit and proper to carry out the role.”

HMRC further reported that it had announced the fine after a separate HMRC, London Metropolitan Police (MPS), and Financial Conduct Authority (FSA() month-long “crackdown” in July, “on MSBs at risk of being used for money laundering to fund organised crime, such as drug trafficking, violent crime and terrorism.”  The “crackdown” included the following actions:

• Search Warrants and Arrests: MPS and HMRC officers executed warrants at 12 addresses in West London and seized evidence of money laundering, and MPS officers arrested two men in central London and seized £100,000 cash reportedly intended for an MSB.
• Prosecution and Confiscation of Property: After an investigation by HMRC, a London man was given a suspended jail sentence for trading as an MSB without being registered for AML supervision. The judge in that case ruled that the man’s London home “was bought using the proceeds of crime because he was illegally trading as an MSB without being registered with HMRC, and would be subject to confiscation proceedings.”
• Business Education: During July and August, authorities hand-delivered “[s]pecially designed leaflets” to all 9,000 MSBs across London to highlight the money laundering risks and need to properly manage these risks. In addition, HMRC and MPS officers visited 40 MSBs in the Queensway area of London and “reminded them of their obligations under the Money Laundering Regulations.”
• Civil Actions: HMRC officers visited 5 MSBs assessed to be at a higher risk of being used for money laundering and is taking civil action against four of those MSBs “for failing to take adequate measures to protect themselves from criminal abuse.”

Note: United Kingdom law enforcement have recognized that the 9,000 MSBs in London collectively pose a significant challenge for AML compliance.  MPS Commissioner Cressida Dick has stated that drug gangs are using MSBs as the conduit to export ““crate-loads of dirty cash out of the country.” The MPS separately noted that much of the £2 billion moved out of the United Kingdom each month is linked to criminality,” and that police cash seizures often lead back to MSBs.  Law enforcement and regulatory agencies such as the FSA, however, will need to sustain this pressure on MSBs if they are to have a substantial effect on those trends.

On August 27, Gulf News reported that the Dubai Public Prosecutor has ordered the police in the Jebel Ali district of Dubai to investigate possible fraud in the disappearance of 6,000 tons of rice that Indian exporters had shipped into Dubai.  According to Gulf News, a company with offices in Dubai, Al Rawnaq Al Thahbhi General Trading (Al Rawnaq), ordered around 6,000 tons of rice, as well as spices and coconut,  from 20 or so exporters in India between March and April 2019.

In a pattern characteristic of other recent trading fraud schemes in the United Arab Emirates (UAE), Al Rawnaq was ostensibly run by a man who identified himself as Shaikh Tariq Awais, a Pakistani national.  Tariq rented a warehouse in the Al Quoz locality in Dubai, and Al Rawnaq ordered merchandise from the Indian exporters.

One of the exporters stated that they had done due diligence on Al Rawnaq by visiting the Al Rawnaq office, checking its trade license, meeting its general manager, and receiving telex transfer (TT) receipts from a Dubai money exchange that they believed confirmed the acceptance of the remittance request and the initiation of the transaction.  When that exporter saw that there was a gap of 10-15 days between the issue of the TT receipts and the transfer of funds, he said, “We found this odd as such transactions don’t take more than 2-3 working days. When we brought this to Tariq’s attention, he blamed the delay on banks.”

Ultimately, however, each of the 23 TTs, which totaled AED 15.38 million (US $4.18 million), were cancelled after checks issued against them bounced because of insufficient funds.  By the time that exporter representatives arrived in Dubai to inquire further, the Al Rawnaq warehouse where the 6,000 tons of rice had been stored, in some 250 shipping containers, had been emptied, the Al Rawnaq office had been vacated, and Tariq and others supposedly connected with Al Rawnaq had disappeared.  In addition, the post-dated check that Tariq had used to rent the warehouse also bounced, as did a check to a Dubai travel firm that had sold airplane tickets and arranged visit visas for Al Rawnaq.

The Public Prosecutor has now directed the police to investigate accusations of fraud against six men and two companies, including the money exchange house that allegedly handled the TTs, for their “role and alleged complicity in the scam.”

Note:  Fraud schemes involving the use of postdated checks are commonplace in the United States and other countries, and have resulted in losses of as much as $100 million in a single scheme.  In this case, what is more striking is not the amount of money fraudulently taken (though even those losses are proving ruinous to some exporters), but the sheer volume of goods that presumably were resold and reshipped quickly before the exporters recognized that they had been defrauded.  Exporters everywhere should take note of this scheme and treat the offer of postdated checks by a purported buyer anywhere as a red flag indicative of grave risk, if not fraud.

On August 29, cybersecurity firm Kaspersky Lab issued its Incident Response Analytics Report for 2018.  The report, which covers Kaspersky’s own incident response practices for the year, covers in just eight pages a broad range of facts and findings indicating the breadth and depth of cybersecurity challenges:

• General Data on Incident Responses: For regional distribution of incident responses, the Commonwealth of Independent States (including Russia) has by far the highest percentage (48 percent), followed by Latin America (19 percent), Europe (16 percent), the Middle East (6 percent), and Africa, Asia-Pacific, and North America (3 percent each). For industry distribution of incident responses, financial institutions represented the largest segment (33 percent), followed closely by government bodies (30 percent) and industrial companies (22 percent).  The remaining 15 percent of industries included miscellaneous (7 percent) and retail and transport (4 percent each).
• Reasons for Requesting Incident Response: The report stated that “[m]ore than half of the requests for investigation were initiated by customers after detecting an attack that had visible consequences, such as unauthorized money transfers, workstations encrypted by ransomware, service unavailability, etc.” The most common reasons for incident responses were ransomware (26 percent), detection of a suspicious file (22 percent), detection of a suspicious network activity (22 percent), monetary theft (11 percent), and spamming from a corporate account (7 percent).  For ransomware attacks, Wannacry, associated with North Korea since 2017, accounted for by far the largest percentage of victims (40.64 percent), with Cryaki (7.37 percent) and GandCrab (5.15 percent) a distant (though still noteworthy) second and third.
• Relative Infrequency of Incident Response Requests: While 81 percent of organizations that provided data for analysis “were found to have indicators of malicious activity in their internal network,” only 22 percent of companies “where evidence of malicious activity was detected requested an Incident Response service.”
• Industry-Specific Variations in Threat Frequency: For financial institutions, indications of advanced persistent threat (APT) attacks “appeared in the infrastructure of financial institutions one and a half times more often (54%) than in other organizations.” Only 12 percent of financial organizations showed indications of ransomware, and only 8 percent showed indications of banker Trojans.  For government bodies, malicious activity was detected in 95 percent of government bodies – 14 percent greater than across all organizations in general.  By contrast, industrial companies “are more likely to be victims of bankers.” Banker Trojan activity was detected in 27 percent of companies, and APT attacks were detected in 15 percent and ransomware attacks in 25 percent of manufacturing companies.
• Attack Vectors: Cyberattackers used the remote management interface of the Microsoft Remote Desktop Protocol (RDP) in the initial attack vector in one out of three incidents. “In the majority of cases, an adversary successfully obtained a valid user’s credentials as a result of a brute-force attack on the RDP service.”  Notably, in one-third of attacks through remote management interfaces, “the valid credentials were known to the intruder in advance (no brute-force attempts were detected).”   In a finding that should surprise no one, one-third of attacks “occurred due to a lack of security awareness among employees. An employee downloaded a malicious file from untrusted sources and launched it, allowing an adversary to gain control over the workstation.”

The report also includes a discussion of attack durations for various cyberattacks, and a detailed table of attack tactics and techniques.

Note:  Cybersecurity teams at companies of all sizes should read the Kaspersky report in its entirety.  While the data on regional distribution of incident responses may be skewed if Kaspersky, headquartered in Moscow, has a greater percentage of its clients in the CIS, the data are nonetheless instructive.  The report includes a variety of recommendations for improving incident responses, but adds an appropriate cautionary note:

[W]e can see that humans are still the weakest link in the security chain. Even with a high-level security policy and security controls in place, a single employee uneducated in information security can trigger a major compromise of the internal environment and assets.