Lithuania Uses Demaskuok Software to Combat Russian Disinformation

On October 24, The Economist published an article profiling Lithuania’s use of software known as Demaskuok (“debunk” in Lithuanian) to combat disinformation emanating from Russian disinformation factories.  As The Economist noted, Russian-sponsored disinformation “is a bane everywhere, but it is particularly rife in Estonia, Latvia and Lithuania—the three countries that, in 1990, were the first to declare independence from the Soviet Union” and later “join[ed] NATO and the European Union.” Those offenses, in the eyes of certain Russians still nostalgic for the halcyon days of Soviet rule, warrant making the Baltic states “particular targets for falsehoods intended to confuse and destabilise.”

Demaskuok has become the tip of the spear for Lithuanians to combat these relentless Russian disinformation campaigns.  According to The Economist, it is software that searches for the true points of origin of particular disinformation.  Developed by Lithuanian news portal Delfi in conjunction with Google, it

works by sifting through reams of online verbiage in Lithuanian, Russian and English, scoring items for the likelihood that they are disinformation. Then, by tracking back through the online history of reports that look suspicious, it attempts to pin down a disinformation campaign’s point of origin—its patient zero.

Demaskuok searches for a variety of clues characteristic of disinformation, such as:

  • “[W]ording redolent of themes propagandists commonly exploit,” including “poverty, rape, environmental degradation, military shortcomings, war games, societal rifts, viruses and other health scares, political blunders, poor governance, and, ironically, the uncovering of deceit”;
  • “[A] text’s ability to stir the emotions,” including topics like immigrants, sex, ethnicities, injustice, gossip, and scandal, because effective disinformation has that effect;
  • “Virality,” “the number of times readers share or write about an item,” because “disinformation is crafted to be shared”;
  • The reputations “of websites that host an item or provide a link to it”;
  • “[T]he timing of a story’s appearance”; and
  • The names of people quoted in disinformation, “as they sometimes crop up again, and images, which may be posted in other locations.”

The software, however, does not do the job all on its own; human scrutiny “is an important part of the process.”  Demaskuok users, who include Delfi journalists, the Lithuanian Foreign Ministry, “and a score of news outlets, think-tanks, universities and other organisations,” review items that Demaskuok flags and provide feedback on the accuracy of those flags to improve the software’s performance.  In addition, more than 4,000 volunteers known as “elves” — about 50 at one time –

scroll through Demaskuok’s feed of suspected disinformation, selecting items to be verified. These are sent to the other elves for fact checking. Reports on the findings are then written up by the software’s users and emailed to newsrooms and other organisations, including Lithuania’s defence ministry, that produce written or video “debunks” for the public.

N.B.: Although disinformation and “deepfake” technology have garnered the most publicity for their geopolitical ramifications, companies must also be attentive to what one expert commentator termed “the threat deep fakes and disinformation more generally pos[e] to corporations, brands and markets.”  Companies with international operations and visibility should therefore look more closely at the successes and techniques of Demaskuok – including its marriage of technology and human judgment – in evaluating their reputation risks and their capacity for timely prevention or response to disinformation campaigns directed at them.

AUSTRAC Issues Money Laundering and Terrorism Financing Risk Assessment for Mutual Banking Sector

On October 30, the Australian Transaction Reports and Analysis Centre (AUSTRAC) issued a report setting out its money laundering and terrorist financing (ML/TF) risk assessment for the Australian mutual banking sector.  As AUSTRAC explained, mutual banks “are owned by their customers, with profits returning to customers rather than being distributed to shareholders.”  Mutual banks constitute a significant component of Australian banking, as “four million Australians and businesses bank with mutuals holding some [AU]$101 billion in deposits and [AU]$119 billion in assets.”

At the outset, the report noted that over the past ten years (2008-2018), the Australian mutual banking sector has undergone serious consolidation (decreasing from 142 to 71 entities), while experiencing 88 percent growth in both assets and deposits (i.e., from AU$60.2 billion to AU$113.1 billion in assets, and from AU$51.6 billion to AU$96.8 billion in deposits).  Mindful of these trends, the report focused on three primary topics:

  • Criminal Threat Environment: AUSTRAC assessed the overall ML/TF risk associated with mutuals’ criminal threat environment to be medium. The report stated that suspicious matter reports (SMRs) “indicate the key threat faced by mutuals is money laundering, with substantial reporting activity detailing large and frequent cash transactions, transactions involving unknown third parties, and the rapid and complex movement of funds between financial products and  ”  It considered many of these reports to be “highly likely to be trigger-based in nature, and describe legitimate, if unusual, transactional activity.”  As for TF activity, AUSTRAC stated that less than one-half of one percent of the SMRs in the dataset “related to terrorism financing,” but that it assessed the nature and extent of TF activity evident in the mutual sector as a medium risk.
  • Vulnerabilities: AUSTRAC assessed the overall ML/TF risk associated with vulnerabilities in the mutual banking sector to be high. The report identified three factors that most expose the sector to financial crime:
    • “The types of products offered by the sector,” particularly transaction accounts with high levels of (1) cash exposure, (2) access to international remittances, including with high-risk jurisdictions, and (3) transactions by unknown third parties;
    • “A high level of non-face-to-face service delivery”; and
    • “High levels of outsourcing of customer-facing and AML/CTF processes, and limited oversight/influence over the operations of third-party service providers.”

The report also singled out the delivery channels that mutuals use to provide their services to their customers – which include ATMs, online banking, banking apps, the nationwide New Payments Platform (NPP), and outsourcing of customer-facing services – as presenting a high ML/TF risk.

  • Consequences: AUSTRAC assessed consequences of ML/TF activity in the mutual banking sector to be moderate. The report noted that those consequences “can include” the following:
    • Personal loss and emotional distress for customers;
    • For mutuals, “loss of revenue and capital from fraud, higher insurance premiums, reputational damage and heightened regulatory attention”;
    • “[I]ncreased predicate offending affecting the community”;
    • “[R]educed government revenue as a result of tax evasion, and higher government expenditure due to welfare fraud, impacting on the delivery of critical government services”;
    • “[D]amage to Australia’s international economic reputation as a safe and secure place to invest”; and
    • “[E]nabling and sustaining the activities of Australian foreign terrorist fighters, or enabling terrorist acts in Australia or overseas.”

The report also assessed the sector’s level of implementation of risk mitigation strategies to be medium.  On this point, it identified four principal areas “in which mutuals’ risk mitigation systems and controls could be strengthened”:

  • Risk Assessment: The report characterized a robust risk assessment as “the centrepiece of an effective AML/CTF regime.” Emphasizing the importance of risk assessment processes’ capacity to generate a genuine understanding of ML/TF exposure at an individual reporting entity level,” it cautioned that “the use of off-the-shelf risk assessment tools needs to be tailored to ensure it reflects the actual risks posed to mutuals operating within different contexts.”
  • SMR Processes: The report took note of “many examples of good SMR reporting practices from the sector,” but found inadequacies in some SMR processes. These included:
    • Lack of Follow-up: Mutuals “repeatedly reporting on the same customers exhibiting the same behaviours without any indication they were attempting to address their suspicion by engaging with the customer, conducting further investigation, or even exiting the customer in cases of unacceptably high risk.”
    • Trigger-Based Reporting: Mutuals submitting an SMR to AUSTRAC “solely on the basis of a trigger generated by their transaction monitoring system without conducting further investigation to form suspicion on reasonable grounds.”
    • Insufficient Details: Mutuals submitting SMRs “with insufficient details in the Grounds for Suspicion section.” Some reports “failed to provide details about why the activity was considered suspicious,” and some SMRs reviewed for the risk assessment “contained only 2-3 words.”
  • Transaction Monitoring Programs: One industry participant in the risk assessment commented that “the most significant vulnerability for the mutual banking sector is the quality of automated systems to detect unusual transaction activity, which is limited by the amount of resources many smaller mutuals have to invest in their technology.” In addition, an industry expert “observed mutuals often have a ‘set and forget’ approach to AML/CTF measures, particularly in the context of growing size and scale.”
  • Outsourcing: The report stated that “[m]utuals and industry experts engaged for this assessment indicated they saw outsourcing as a major challenge for the sector.” Their observations about outsourcing included “inadequate documentation and oversight of service-level agreements,” senior management’s inadequate prioritizing of oversight of outsourcing arrangements, and “heavier reliance on off-the-shelf products which are not tailored to individual businesses” limiting effectiveness of controls.

N.B.: Although this AUSTRAC report does not identify any urgent ML/TF threats to the mutual banking sector in Australia, compliance teams at Australian mutuals should nonetheless review it closely and draw on the findings in revising or updating their bank-specific ML/TF risk assessment processes.

Scottish Crown Office Investigating Wood Group About Payments Relating to Unaoil

On October 27, the Sunday Post reported that Scotland’s prosecution service, the Crown Office & Procurator Fiscal Service (Crown Office), is investigating multinational energy services firm John Wood Group.  That investigation involves payments relating to the foreign-bribery investigations pertaining to Unaoil and other companies by the United Kingdom Serious Fraud Office (SFO), the U.S. Department of Justice, and the U.S. Securities and Exchange Commission (“SEC”).

Since 2016, the SFO has been “conducting a criminal investigation into the activities of Unaoil, its officers, its employees and its agents in connection with suspected offences of bribery, corruption and money laundering.”  Since 2017, it has expanded into investigating the activities of London-based engineering company Amec Foster Wheeler, which the Wood Group acquired in October 2017, “and any predecessor companies owning or controlling the Foster Wheeler business, together with the activities of any subsidiaries, company officers, employees, agents and any other person associated with any of these companies for suspected offences of bribery, corruption and related offences.”

In its August 20 statement of its half-year results for 2019, the Aberdeen-based Wood Group included a number of disclosures relating to Unaoil and Amec Foster Wheeler.  With regard to the SFO’s Amec Foster Wheeler investigation, the Wood Group stated that it

is co-operating with and assisting the SFO in relation to this investigation.  Notifications of certain matters within the above investigations have also been made to the relevant authorities in Brazil (namely, the Federal Prosecution Service and the Office of the Comptroller General).

According to the Wood Group, Amec Foster Wheeler made a disclosure to the SFO about “investigations into Amec Foster Wheeler in relation to Unaoil and in relation to historical use of agents and certain other business counterparties by Amec Foster Wheeler and its legacy companies in various jurisdictions.”  In that regard, it noted that “since April 2017, in connection with the SFO’s investigation into Unaoil, the SFO has required Amec Foster Wheeler to produce information relating to any relationship of Amec Foster Wheeler with Unaoil or certain other third parties.”

The Wood Group further disclosed that it had independently “conducted an internal investigation into the historical engagement of Unaoil by legacy Wood Group companies, reviewing information available to the Group in this context.”  That internal investigation “confirmed that a legacy Wood Group joint venture engaged Unaoil and that the joint venture made payments to Unaoil under agency agreements.” Thereafter, in September 2017, the Wood Group informed the Crown Office of the internal investigation’s findings.  It added that the SFO and the Crown Office agreed that the Crown Office “has jurisdiction in respect of this investigation.”

Finally, the Wood Group provided an update on the foreign-bribery investigation of Amec Foster Wheeler by the Justice Department and the SEC.  It reported that it “has received voluntary requests for information from, and continues to cooperate with,” both agencies.

N.B.: This report indicates that four separate enforcement agencies – the SFO, the Crown Office, the Justice Department, and the SEC – are now investigating connections between the Wood Group, Amec Foster Wheeler, and Unaoil for possible foreign bribery, and that two more agencies in Brazil may be doing so as well.   It is also incidentally instructive as a reminder that, while the SFO gets the lion’s share of publicity for enforcement of the Bribery Act 2010, it is the Crown Office that has authority to pursue Bribery Act violations in Scotland.

FINRA Fines BNP Paribas Subsidiaries $15 Million for AML Program and Supervisory Failures

On October 24, the U.S. Financial Industry Regulatory Authority (FINRA) announced that it fined two BNP Paribas subsidiaries —  BNP Paribas Securities Corp. and BNP Paribas Prime Brokerage, Inc. (collectively BNP) — $15 million for a variety of anti-money laundering (AML) program and supervisory failures that involved penny stock deposits and resales, and wire transfers, over a four-year period.

FINRA stated the following findings with regard to BNP:

  • Lack of Written AML Program and Surveillance: From February 2013 to March 2017, BNP, despite its penny stock activity, “did not develop and implement a written AML program that could reasonably be expected to detect and cause the reporting of potentially suspicious transactions.” In fact, according to FINRA, until 2016, “BNP’s AML program did not include any surveillance targeting potential suspicious transactions involving penny stocks, even though BNP accepted the deposit of nearly 31 billion shares of penny stocks, worth hundreds of millions of dollars, from its clients, including from so-called ‘toxic debt financiers.’”
  • Lack of Supervisory Systems and Written Procedures: BNP “did not implement any supervisory systems or written procedures to determine whether resales of securities, including the penny stocks deposited by its customers, complied with the registration requirements of Section 5 of the Securities Act of 1933. As a result, BNP facilitated the removal of restrictive legends from approximately $12.5 million worth of penny stocks without any review to evaluate the transactions for compliance with Section 5.”
  • Lack of Wire Transfer Review: During the same four-year period, BNP “processed more than 70,000 wire transfers with a total value of over $230 billion, including more than $2.5 billion sent in foreign currencies. BNP’s AML program did not include any review of wire transfers conducted in foreign currencies, and did not review wires conducted in U.S. dollars to determine whether they involved high-risk entities or jurisdictions.”
  • Inadequate Staffing of AML Program: BNP’s AML program “was understaffed. For example, although BNP effected more than 70,000 wire transfers during a two-year period, with a total value of $233 billion, during a majority of that period, only one investigator was tasked with reviewing alerts relating to wires originating from BNP’s brokerage accounts. Although BNP identified many of these deficiencies as early as January 2014, BNP did not fully revise its AML program until March 2017. As a result, BNP did not identify “red flags” indicative of—or review—potentially suspicious activity involving the deposit and sales of penny stocks or foreign wire transfers that may have required the filing of a suspicious activity report.”

In settling this case, BNP consented to the findings and the fine, and agreed to certify within 90 days that its procedures are reasonably designed to achieve compliance in the areas previously described.

N.B.:  Compliance teams at broker-dealer firms should read the FINRA Letter of Agreement in this case with care, and compare it and Regulatory Notice 19-18, which FINRA issued this past May, against their current AML programs.  Broker-dealers, and the larger financial institution community, have every reason to expect that both government regulators and self-regulatory organizations such as FINRA will be increasingly intolerant of long-term, sustained failures to address fundamental requirements for AML compliance.

United Kingdom National Cyber Security Centre Reports 658 Cyber-Attacks on United Kingdom in 2018

On October 23, the United Kingdom National Cyber Security Centre (NCSC) issued its Annual Review 2019.  The Review stated that during 2019, the NCSC had defended the United Kingdom against 658 cyberattacks.

Other NCSC findings and accomplishments in the Review included the following:

  • General Computer Misuse: In the year ending March 2019, adults 16 and over experienced an estimated 966,000 incidents of computer misuse.
  • Public Attitudes: The Review included the results of the first UK Cyber Survey of individuals and organizations. The Cyber Survey included the following findings:
    • 80 percent said that cyber security is a high priority to them, with 50 percent saying it is a “very high” priority and 30 percent saying it is a “fairly high” priority.
    • 68 percent of respondents said that they knew a great deal (15 percent) or a fair amount (53 percent) about how to protect themselves online.
    • 70 percent “believe they will likely be a victim of at least one specific type of cyber crime over the next two years, and most feel there would be a big personal impact.” For example, 42 percent thought that they would have money stolen but that the money would be reimbursed, while 27 percent thought that they would have money stolen and not reimbursed.
  • Cyber-Defense: The NCSC took down 177,335 phishing URLs, 62.4 percent of which were removed within 24 hours, and produced 154 threat assessments.
  • Cooperation and Training: The NCSC enabled 2,886 small businesses across the United Kingdom to do simulated cyber exercising for themselves.

The Review also contained a number of details regarding “Operation Haulster,” which the NCSC described as a “pioneering” collaboration between the NCSC and the private sector.  Haulster

takes stolen credit cards collected by the NCSC and partners, then, working with UK Finance, repatriates them to banks, often before they are ever used for crime. Card providers are then able to block cards to protect both financial institutions and the public. In most cases, this has been done before a crime has taken place, meaning hundreds of thousands of victims of high-end cyber crime were protected before they lost a penny.

Haulster reportedly has already flagged “fraudulent intention against more than one million stolen credit cards,” and now “is in the process of scaling this operation,” in hopes of reducing considerably more attacks in the near future.”

N.B.:  Cybersecurity teams at companies doing business in the United Kingdom should read the Review, to learn more about public attitudes towards cybercrime and the NCSC’s cyberdefense and outreach efforts.  Given the rapid pace at which new exploits can be successfully devised and launched, and the sheer number of cyberattacks, increasing public-private cooperation on cybersecurity issues is more important than ever.