Trust Without Verifying: United Kingdom Charity Commission’s Fraud Research Study Finds Many Charities Failing to Recognize Their Own Fraud Vulnerabilities

On October 21, the United Kingdom Charity Commission published a report on the results of its research study about fraud awareness, resilience, and cybersecurity.  The Commission stated that the study’s findings, based on responses earlier this year from more than 3,000 charities, show that “charities are not always recognising how vulnerable they are, and not consistently putting basic checks and balances in place”:

  • More than two-thirds of charities (69 percent) “think fraud is major risk to the charity sector and internal (insider) fraud is recognised as one of the biggest threats.” In general, “larger charities (particularly those that have suffered fraud) are more likely to acknowledge the risk of fraud.”
  • One-third think that “fraud is a greater risk to the charity sector than other sectors.”
  • More than half (53 percent) of charities affected by fraud in the past two years “knew the perpetrator.” In particular, in cases where the identity of the fraudster was known, 29 percent were paid staff members (40 percent in 2009), 18 percent were volunteers (11 percent in 2009), 13 percent were beneficiaries (only 5 percent in 2009), 10 percent were trustees (only 3 percent in 2009), and only 14 percent of fraudsters had no previous connection to the charity (11 percent in 2009).
  • But nearly half (48 percent) believe that “they’re not vulnerable to any of the most common fraud enablers,” and more than one-third (34 percent) think that “their organisation is not vulnerable to any of the most common types of charity fraud.”
  • 85 percent of charities “think they are doing everything they can to prevent fraud, but almost half don’t have any good-practice protections in place.”
  • Fewer than 9 percent even have a fraud awareness training program.
  • Only 30 percent have a whistleblower policy.
  • 26 percent of charities believe that “they’re vulnerable to fraud because of an over-reliance on goodwill and trust.”

N.B.: These findings indicate that many in the charitable sector are just as vulnerable to overconfidence bias as commercial-sector entities.  Because charities in England and Wales reportedly spend nearly £80 billion each year, it is incumbent on those charities to look unsparingly at themselves and their fraud readiness – including defenses against charity insiders’ misconduct.  For that reason, the Commission’s report bears close reading, both for its findings and for the counter-fraud practices that the Commission recommends.

Swiss Attorney General Holds Commodities Firm Gunvor Group Criminally Liable for Foreign-Official Bribery, Orders Payment of Nearly $95 Million

On October 17, the Office of the Attorney General of Switzerland (OAG) announced that it had held global commodity-trading company Gunvor Group (Gunvor) criminally liable for acts of foreign corruption, and ordered it to pay nearly CHF 94 million ($95 million), including a fine of CHF 4 million ($4 million).

The OAG, whose investigation focused on Gunvor’s activities in the Republic of Congo and Ivory Coast between 2008 and 2011, found that “[d]ue to serious deficiencies in its internal organisation,” Gunvor failed to prevent the bribery of public officials in those countries, in violation of Article 102, paragraph 2 of the Swiss Criminal Code (SCC) (corporate criminal liability) in conjunction with SCC Article 322septies (foreign-official bribery).  Those acts of corruption, which had the aim of securing access to the petroleum markets in both countries, were the subject of a 2018 judgment by the Criminal Chamber of the Swiss Federal Criminal Court.

The OAG investigation identified numerous compliance failures by Gunvor during the 2008-2011 period under investigation:

  • Gunvor “had taken no organisational measures to prevent corruption in its business activities: the company did not have a code of conduct to give a clear signal and guidance to its employees on their activities, nor did it have a compliance programme.”
  • Gunvor also “did not have an internal audit procedure and had not appointed a staff member to take charge of identifying, analysing or reducing the risk of corruption.”
  • Furthermore, “no internal guidelines were in place and no training was offered to raise employee awareness and reduce the risks associated with corruption.” The OAG added that “[i]t therefore seems that Gunvor accepted that a risk of corruption was inherent in the company’s commercial activities, at least in the relevant markets.”
  • Gunvor “did not attempt to manage the risk of corruption associated with using agents to obtain petroleum shipments, for which commissions of several tens of millions of US dollars were paid between 2009 and 2012.” In particular, it “had no formal selection process for any of the agents that it used and it did not carry out any checks on their activities, despite the fact that Swiss and international anti-corruption standards (OECD, ICC, SECO) specifically highlight the increased risk of corruption associated with agents’ activities.”  Those standards, according to the OAG, “recommend that properly documented due diligence be carried out, that the selection process is regulated, that warning signs are defined to detect potentially illegal activities and that regular checks are made, in particular when agents’ invoices are paid.”
  • Finally, “It was also found that at the time of the events, warning signs had been ignored and other irregularities had occurred, including authorisation being given for a substantial number of payments to third party offshore companies unrelated to oil activities and the backdating of supporting letters to banks.”

In view of the findings of its investigation and the Swiss Federal Criminal Court’s 2018 judgment, on October 14 the OAG issued a summary penalty order that convicted Gunvor and ordered the payment of nearly CHF 94 million ($95 million), including a fine of CHF 4 million ($4 million).

The OAG explained that under the corporate criminal liability provisions in SCC Article 102, paragraph 3, “the fine to be imposed on an undertaking found criminally liable is largely determined by the seriousness of the offence and of the organisational deficiencies, the loss or damage caused and the economic capacity of the undertaking, with the maximum fine being CHF 5 million.”  Gunvor’s CHF 4 million fine, in the OAG’s view, “takes account in particular of efforts it has made since 2012 to improve the way it is organised and to prevent corruption by implementing measures based on recognised standards.”

In addition to the fine, the OAG ordered Gunvor to pay compensation of nearly CHF 90 million.  That amount, according to the OAG, “corresponds to the total profit that Gunvor made from the business in question in the Republic of Congo and Ivory Coast.  Under Art. 71 para. 1 SCC, compensation is payable if there are no assets directly available for forfeiture.”

The OAG stated that other individuals, including a former Gunvor employee “and certain financial intermediaries, are currently under investigation, notably on suspicion of bribing foreign public officials (Art. 322septies SCC), money laundering (Art. 305bis SCC) and criminal mismanagement (Art. 158 SCC).”  It declined to comment further on the ongoing criminal investigations.

N.B.: This order and payment provide still more indications that law enforcement and regulatory authorities in multiple countries, such as Brazil and the United States, are paying increasing attention to compliance issues in the commodities sector.   Since the timeframe of the acts that prompted the fine and compensation, Gunvor has developed and implemented a compliance and ethics program that appears to address all of the compliance failures that the OAG identified.  Even so, chief compliance officers, in the commodities sector and other industries, should still review the OAG findings and use them as a point of comparison to check that their own anti-bribery and corruption compliance programs are not deficient in any of those respects.

Cybersecurity Company Cure53 Issues Report on Surveillance Capacities of Chinese “Study the Great Nation” App

On October 11, Cure53, a German-based cybersecurity firm, issued a report on a mobile application, called “Xuexi Qiangguo” (“Study the Great Nation”), that Chinese technology firm Alibaba reportedly developed for the Chinese government’s propaganda department.  Since its release in February 2019, The Times reported, the app “has been downloaded more than 100 million times and has been pushed aggressively by the Chinese government.”  As Cure53 noted, various sources indicate that the app “is getting heavily promoted by various powerful stakeholders, such as Chinese state media, universities, schools and similar parties.”

On its face, the app appears to be an educational app that “pushes out official news and images and encourages people to earn points by reading articles, commenting on them and playing quizzes about China and its leader, Xi Jinping.”  Use of the app, however, “is mandatory among party officials and civil servants and it is tied to wages in some workplaces.” In addition, as of October 2019, Chinese journalists “must pass a test on the life of President Xi, delivered via the app, in order to obtain a press card which enables them to do their jobs.”

The 18-page report, which Cure53 prepared at the behest of the Open Technology Fund, focused on whether the app “contained unadvertised features which could be seen as aiding the maintainers of the app in data collection,” and by extension, whether the app is collecting data “in a manner that violates human rights,” such as those protected under the European Convention on Human Rights (ECHR).  In brief, the report included the following findings:

  • “The app stores multiple files insecurely in the SD card, from which other apps can read them.”
  • “The app contains code resembling a backdoor which is able to run arbitrary commands with superuser privileges,” although “further investigation is required to unequivocally determine whether this code is used to perform malicious activities such as running arbitrary commands on the phones of citizens.” In addition, “[w]ithout context, it seems difficult to justify why an educational app requires code that looks like a backdoor,” especially if that backdoor “could potentially run arbitrary commands on citizen phones with superuser privileges.”
  • The app tries to detect which of 960 other popular apps, in categories that include games, navigation, travel and trips, credit cards, and payments, are running on the device.
  • The app “avails of significant, privacy-sensitive permissions and functionality, such as location, face recognition, microphone and camera access, call log and contact processing,” and in fact requires sharing many of these features. Yet “the broader context of the evaluated coding practices remains unknown due to extensive obfuscation measures in the affected [coding] classes,” which the report attributes to Alibaba as the official maintainer of the app.

The report concluded that it is

evident and undeniable that the examined application is capable of collecting and managing vast amounts of very specific data. It is certain that the gathered material can become a basis for further actions concerning a specific group (or groups) of citizens. Although some of the collection of meta-data and device information could be legitimized as being aggregated for statistical reasons or software improvement, it is questionable if this is necessary for an app that claims to be educational in nature.

It also concluded that “[i]n a broader sense, the application’s functionality leads Cure53 to believe that violations of human rights are indeed taking place.”  At the same time, it cautioned that Cure53 “operated as a purely technically-driven team and an unbiased investigating entity,”  and therefore “is not a party in any way involved in making final judgements as to whether human rights violations take place from legal, social or political standpoints.”

N.B.:  Cybersecurity and compliance teams at companies doing business in China should read this report closely, with a view to identifying potential cyber-vulnerabilities if their companies allow employees in China to use their personal mobile devices for business under a “Bring Your Own Device” (BYOD) policy.  As the Cure53 report indicates, the capacity of the app to access and collect such vast amounts of information raises substantial questions about the interest of Chinese police and security authorities in also accessing business and proprietary data.  Cybersecurity and compliance officers may therefore need to pursue appropriate revisions in their BYOD policies.

United Kingdom Local Government Association Reports 800+ Percent Increase in Referrals of Suspected Child Modern Slavery Victims

On October 18, the United Kingdom Local Government Association (LGA) announced that referrals of potential child victims of modern slavery made by councils in England have increased by more than 800 percent over the past five years.

The LGA, which represents 339 of the 343 councils in England, reported that the number of such council referrals to the National Referral Mechanism (NRM), through which the National Crime Agency’s (NCA’s) Modern Slavery and Human Trafficking Unit collects data about victims, rose from 127 in 2014 to 1,152 in 2018 – an increase of 807 percent.  Most recently, between 2017 and 2018 the number of referrals increased by 67 percent, from 690 in 2017 to 1,152 in 2018.  Moreover, the LGA stated that children accounted for 92 percent of all referrals (both children and adults) that councils in England made in 2018.

The LGA stated that the drastic increases in referral rates “are being fuelled by an increasing awareness of modern slavery and the growing issue of young people being exploited by county lines drugs gangs.”  These county-lines gangs, who traffic drugs into rural areas along routes known as “county lines,” recruit and groom young people – many of them excluded from school as “difficult,” and some as young as nine – “to deal hard drugs on their behalf in market and coastal towns and rural areas.”  According to the NCA, there are more than 1,500 lines across the United Kingdom.

After they are recruited, the children “are made to travel vast distances on trains and in taxis, including Uber cars. Once they reach their destination, they stay in properties rented by gangs, increasingly short-term lets and Airbnb homes.”  Because of the growth of these drug gangs, earlier this month English and Welsh police conducted a coordinated operation that resulted in the arrests of 743 people and the seizure of drugs worth more than £400,000, as well as 12 guns and dozens of other weapons.

This expanding exploitation of children, the LGA noted, “is putting council services under increasing and significant pressure.”  The United Kingdom’s Independent Anti-Slavery Commissioner, Dame Sara Thornton, recently stated that the system is “slowing down” as a result of the increase in child modern slavery referrals.  She also commented that the Government’s estimate of 10,000 to 13,000 modern-slavery victims in the United Kingdom “is way below what it is.”

N.B.:  For corporate compliance teams, the principal focus for Modern Slavery Act compliance programs understandably is on companies’ operations and supply chains.  Companies doing business in the United Kingdom, however, should include information about child modern slavery in their Modern Slavery Act training and messaging.  The more executives and employees learn about the larger dimensions of modern slavery, the more likely they are to appreciate that inclusion of Modern Slavery Act compliance in their company’s “culture of compliance” can play a part in combating this pernicious practice.

Estonian Minister of Finance: Estonia Should Receive “Majority” of U.S. Fines Against Banks in Danske Bank Scandal

On October 16, the Luxembourg Times reported that, with regard to the Danske Bank scandal, Estonian Minister of Finance Martin Helme stated on his Facebook page that

he wants to figure out “how to ensure that the money laundering investigations of our banks that have been launched by the US authorities, which will very likely end with huge fines, would be conducted so that we would be involved in the process throughout and that the majority of the fine would in the end come into the Estonia budget”.

Helme stated that he was in New York and had had discussions with lawyers in what he described as “an international law office” about “how to ensure that Estonia takes part in investigations by US authorities now underway and that his country receives proceeds from penalties imposed on lenders.”  He added that “We are talking about hundreds of millions at least, possibly about billions.”

An Estonian Ministry of Finance spokesman, Ott Heinapuu, separately stated “that the Estonian government hasn’t signed any contracts yet with ‘any US law offices’ as the minister ‘is exploring different options during his US visit on how to proceed with this topic’.”

N.B.: In view of the central role that Danske Bank’s Estonian branch played in handling some $234 billion in potentially suspicious transactions, and its ripple effect in the banking sector across Estonia, Denmark, and other countries, it is not surprising that Estonia is interested in sharing in any fines and penalties that may emerge from various investigations into the scandal.  Before Minister Helme signs any contracts with U.S. law firms, however, he may want to consider certain factors relevant to Estonia’s chances of sharing substantially in such fines and penalties (if U.S. investigations do result in fines and penalties).

First, in any investigation that the U.S. Department of Justice may conduct into potential international financial crimes, the Department is necessarily dependent on active cooperation from other countries in which evidence or investigative leads may be found.  Indeed, it is commonplace, in Justice Department releases announcing prosecutions of such international crimes (such as cyberfraud, financial institution fraud, and Foreign Corrupt Practices Act (FCPA) schemes), to credit foreign law enforcement and regulatory agencies that have assisted the Department in that case.

Second, as a matter of longstanding practice by the Justice Department, a country is not automatically entitled to share in the financial penalties that the Department may obtain in a case merely because some or all of the crimes in a particular scheme occur in that country, or even when that country has offered a measure of assistance to the Department on particular investigative issues or evidence acquisition.

In recent years, the Department has been willing, in major international cases, to partner with other countries’ law enforcement agencies in entering into coordinated criminal resolutions with corporate entities, where the foreign law enforcement agencies receive a substantial portion, even a majority, of the penalties imposed.  For example:

  • In the Department’s 2016 FCPA resolutions with Brazilian companies Odebrecht and Braskem, the Department agreed that the Brazilian Ministerio Publico Federal (MPF) would receive 80 percent of the $4.5 billion criminal penalty (later reduced) against Odebrecht, with the United States and Switzerland each receiving 10 percent, and that the MPF would receive 70 percent of the $632 million criminal penalty against Braskem, with U.S. and Swiss authorities each receiving 15 percent.
  • In the Department’s 2016-2017 FCPA resolution with Rolls-Royce, which it coordinated with the United Kingdom Serious Fraud Office (SFO) and the MPF, Rolls-Royce agreed to pay total criminal penalties of more than $800 million, which included a total fine of nearly $605 million to the United Kingdom, a payment of nearly $170 million to the United States, and a payment of nearly $25.6 million to the MPF.

In both of those cases, however, the foreign law enforcement agencies engaged in long-term and substantial investigations of their own that were closely coordinated with the Justice Department.  In the case of Rolls-Royce, the SFO conducted its investigation of Rolls-Royce’s involvement with foreign corruption for more than four years before it entered into a Deferred Prosecution Agreement with the company.  The Odebrecht and Braskem cases both stemmed from the MPF’s Operation Lava Jato, which began in 2014.  As a general proposition, then, the greater the investment of a foreign country’s prosecutive resources in investigating a complex case and the deeper and longer that country’s commitment to partnering actively with U.S. prosecutors, the stronger that country’s claim can be to share in the total penalties at the end of the case.

Third, Estonia should be mindful that the Justice Department is not the only U.S. agency that may ultimately play a role in any Danske Bank-related financial penalties.  Federal regulators, such as the Financial Crimes Enforcement Network (FinCEN) and the Federal Reserve Board, can impose such penalties on banks for Bank Secrecy Act and anti-money laundering violations.

For those reasons, Estonia needs to recognize that at this stage, it is far too early to expect or assume entitlement to a substantial share of financial penalties that have yet to be negotiated or imposed.  While it should feel free to consult with law firms about the U.S. legal landscape, it would be of minimal (if not negative) value to have attorneys lobbying the Department or other agencies on its behalf while those investigations are underway.  The best path for Estonia toward the level of future penalties that Minister Helme wants is for Estonian prosecutors and regulators to commit wholeheartedly to working with U.S. authorities and to sustain that commitment all the way to the finish line, whatever that may be.