Financial Crimes Enforcement Network Director States That Bank Secrecy Act “Travel Rule” Applies to Cryptocurrency Firms Operating Money Services Businesses

On November 18, Reuters reported on remarks that Kenneth Blanco, Director of the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), made at a November 15 conference in New York.  In his remarks, Blanco stated that the federal government will “strictly enforce” a regulation under the Bank Secrecy Act “that requires cryptocurrency firms engaged in money service businesses such as digital asset exchanges and wallet service providers to share information about their customers.”

The so-called “travel rule,” which has been in effect for more than 20 years, “requires cryptocurrency exchanges to verify their customers’ identities, identify the original parties and beneficiaries of transfers $3,000 or higher, and transmit that information to counterparties if they exist.”   According to Reuters, Director Blanco stated that the rule “applies to CVCs (convertible virtual currencies) and we expect that you will comply period.”  To emphasize the point, he added, “That’s what our expectation is. You will comply. I don’t know what the shock is. This is nothing new.”

Blanco also reportedly commented that the travel rule “is the most commonly cited violation with regard to money service businesses [MSBs] engaged in virtual currencies.”  On a related note, he stated that FinCEN “has been conducting examinations that include compliance with the . . . rule since 2014.”

N.B.:  Some in the cryptocurrency industry have professed surprise at Director Blanco’s remarks, in view of guidance that FinCEN issued in May 2019 regarding CVCs.  The Reuters report indicated that some in the cryptocurrency industry interpreted that guidance to mean that the travel rule did not apply to them.

Admittedly, the May 2019 guidance nowhere mentions the travel rule by name, and nowhere specifically states that CVCs are subject to the travel rule.  On the other hand, the BSA and the regulations issued under it have long treated MSBs as a “financial institution” responsible for BSA compliance, including the travel rule.  In addition, since 2010 FinCEN’s public position has been that any transmitter’s “financial institution” must comply with the travel rule.

While some in the crypto industry may have parsed the May 2019 guidance too closely, it should be no surprise to those familiar with the BSA that a CVC business registered as and operating an MSB falls within the travel rule’s requirements.  In any event, Director Blanco has removed any doubt about the industry’s need to comply with the rule.

Sophos Issues Report on How Ransomware Attacks

On November 14, the British cybersecurity company Sophos issued a report, titled “How Ransomware Attacks,” that explains how ransomware variants attack and affect victims.  Because Sophos views ransomware’s behavior as “its Achilles’ heel,” the report describes “some of the behavioral patterns” of the 11 “most common, damaging, and persistent ransomware families.”

The report, by Sophos Director of Engineering Mark Loman, discusses a number of the most prevalent ransomware techniques and behavioral traits, including the following:

  • Ransomware Categories: The report divides various prominent ransomware families into three categories, “distinguishing them by the method attackers use to spread the infection”:
    • Cryptoworm: Ransomware “that replicates itself to other computers for maximum reach and impact.”
    • Ransomware-as-a-Service (RaaS): Ransomware “sold on the dark web as a distribution kit to anyone who can afford it,” allowing people “with little technical skill to attack with relative ease.”
    • Automated Active Adversary: Ransomware that “is deployed by attackers who use tools to automatically scan the internet for IT systems with weak protection.”
  • Cryptographically Signed Code: “Attackers may attempt to minimize detection by security software by signing their ransomware with an Authenticode certificate, which anyone can buy (or steal). . . . Unfortunately, some security tools conflate ‘digitally signed’ with ‘should be allowed to run’.”
  • Privilege Escalation: “[T]oday’s ransomware uses exploits to elevate their own privileges and abuse stolen administrator credentials to make sure the attack is performed using a privileged account.”
  • Attacking Network Drives First: Ransomware causes “the most immediate damage to an organization” when it encrypts mapped network drives first, “as it immediately affects most employees no matter where they are geographically located.”
  • Multi-Threading Technology: “Some ransomware is specifically designed to make efficient use of modern CPU hardware and parallelizes individual tasks to ensure faster and, subsequently, more harmful impact before victims discover they’re under attack.”
  • Cipher.exe Abuse: Certain ransomware abuses Microsoft’s CIPHER.EXE command-line tool “to make sure ransomware victims cannot recover deleted documents from their storage drives.”  Some ransomware also abuses CIPHER.EXE by exploiting its ability to permanently overwrite all of the deleted data on a storage drive.

The report also provides a summary of 11 common ransomware families’ methods and characteristics.

The report notes that a key vulnerability of ransomware is that “[t]here are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious.” As The Register explained, “sooner or later, the malware has to access the file system and begin to encrypt the data. This is the point where the attacks have to expose themselves and the spot where security tools can stop them.”
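The behavioral point above (and the CIPHER.EXE and signed-code points in the list) can be turned into concrete detection logic. The following is an added illustration, not code from the Sophos report or from The Register: two heuristics run over a constructed stream of endpoint events. The `Event` schema, the sensor that would produce it, the thresholds and the sample events are all assumptions made here for the example. One rule flags a `cipher.exe` launch with the `/w:` (wipe free space) switch; the other flags a single process that, within a short window, writes many high-entropy files across several directories or network shares, regardless of whether the process image is Authenticode-signed.

```python
"""Behaviour-based ransomware heuristics over constructed endpoint events (illustrative)."""
import math
import ntpath
from collections import defaultdict
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit close to 8
MIN_FILES = 10            # high-entropy writes by one process inside the window
WINDOW_SECONDS = 5.0
MIN_DIRECTORIES = 2       # writes spread across directories/shares, not one project folder


@dataclass
class Event:
    """Hypothetical sensor record; the field set is an assumption for this example."""
    ts: float                # seconds since trace start
    pid: int
    image: str               # process image path
    kind: str                # "proc_start" or "file_write"
    path: str = ""           # file written (file_write only)
    cmdline: str = ""        # command line (proc_start only)
    data: bytes = b""        # bytes written (file_write only)
    signed: bool = False     # Authenticode status as reported by the sensor


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_cipher_wipe(events):
    """cipher.exe /w:<drive> overwrites free space, destroying deleted-file remnants."""
    alerts = []
    for e in events:
        if e.kind != "proc_start":
            continue
        if ntpath.basename(e.image).lower() == "cipher.exe" and "/w:" in e.cmdline.lower():
            alerts.append({"rule": "cipher_wipe", "pid": e.pid, "detail": e.cmdline})
    return alerts


def detect_mass_encryption(events):
    """One process writing many high-entropy files across directories in a short window."""
    writes = defaultdict(list)
    for e in events:
        if e.kind == "file_write":
            writes[e.pid].append(e)
    alerts = []
    for pid, evs in writes.items():
        evs.sort(key=lambda ev: ev.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW_SECONDS:  # slide the window
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_FILES:
                continue
            high = [w for w in window if shannon_entropy(w.data) >= ENTROPY_THRESHOLD]
            dirs = {ntpath.dirname(w.path).lower() for w in high}
            if len(high) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES:
                # Signing status is reported but never used to suppress the alert.
                alerts.append({"rule": "mass_encryption", "pid": pid, "image": window[0].image,
                               "signed": window[0].signed, "files": len(high),
                               "directories": sorted(dirs)})
                break
    return alerts


def detect(events):
    return detect_cipher_wipe(events) + detect_mass_encryption(events)


# Constructed sample data: uniform bytes give exactly 8.0 bits/byte, prose far less.
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Quarterly revenue figures, draft 3. " * 20


def _sample_events():
    susp = r"C:\Users\bob\AppData\Local\Temp\updater.exe"       # constructed, signed image
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"      # constructed benign writer
    evs = [Event(0.0, 4242, susp, "proc_start", cmdline="updater.exe", signed=True)]
    targets = [rf"\\fileserver\finance\report_{i}.xlsx" for i in range(6)]   # mapped share first
    targets += [rf"C:\Users\bob\Documents\notes_{i}.docx" for i in range(6)]
    for i, p in enumerate(targets):
        evs.append(Event(0.1 + 0.2 * i, 4242, susp, "file_write", path=p,
                         data=HIGH_ENTROPY, signed=True))
    evs.append(Event(3.0, 4243, r"C:\Windows\System32\cipher.exe", "proc_start",
                     cmdline="cipher.exe /w:C:\\", signed=True))
    evs.append(Event(0.5, 5151, word, "file_write", path=r"C:\Users\bob\Documents\budget.docx",
                     data=LOW_ENTROPY, signed=True))
    evs.append(Event(1.5, 5151, word, "file_write", path=r"C:\Users\bob\Documents\memo.docx",
                     data=LOW_ENTROPY, signed=True))
    return evs


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately coarse; in production they would be tuned against a baseline of the organization's own backup, compression and document-management traffic, which also produces high-entropy writes, and the entropy check would normally be paired with signals such as mass renames or the deletion of volume shadow copies.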

N.B.: Because ransomware presents continuing threats to companies and governments around the world, this report warrants a closer reading by corporate information-security teams.  While there is no panacea for ransomware, the report offers information-security professionals a number of useful observations and insights for understanding core behaviors of ransomware and reducing the odds that ransomware can successfully infiltrate corporate networks and databases.

United Kingdom Competition Appeal Tribunal Upholds £50 Million Penalty Against Royal Mail for Discriminatory Pricing Against Bulk Mail Operators

On November 12, the United Kingdom Competition Appeal Tribunal (Tribunal) issued a unanimous judgment in which it affirmed a £50 million penalty by the Office of Communications (Ofcom) against Royal Mail plc for discriminatory pricing against bulk mail operators.

Royal Mail plc, once the state-owned monopoly provider of mail services in the United Kingdom, is a publicly traded company that operates as an international parcels and letters delivery service, and that also serves as the United Kingdom’s sole designated provider of the universal postal service throughout the United Kingdom.

In January 2014, according to the Judgment, Royal Mail announced the introduction of differential prices for bulk mail operators for access to Royal Mail’s final delivery service, without which the bulk mail providers could not operate.  One bulk mail operator, Whistl UK Limited (formerly known as TNT Post), “planned to set up its own final delivery service and establish an end-to-end bulk mail service in competition with Royal Mail.”

After Whistl complained to Ofcom that Royal Mail’s new differential access prices “made its end-to-end operations and future plans uneconomic,” in February 2014 Ofcom announced that it would open an investigation into Royal Mail’s pricing.  Thereafter, Royal Mail’s new prices were suspended, and formally withdrawn in 2015.

Ofcom ultimately ruled in 2018 that Royal Mail “had infringed the Chapter II prohibition under the Competition Act 1998 (“CA 1998”) and Article 102 of the Treaty on the Functioning of the European Union (“TFEU”),” and imposed a fine of £50 million on Royal Mail.  Royal Mail then appealed the Ofcom decision to the Tribunal.

In a highly detailed 230-page judgment, the Tribunal dismissed each of Royal Mail’s arguments:

  1. Ofcom erred in law and in fact by concluding that, when Royal Mail announced the new prices, prices were applied for the purposes of Article 102(c) TFEU and section 18(2)(c) CA 1998. On this issue, the Tribunal concluded, among other things, “that Royal Mail’s conduct was not ‘competition on the merits’ as that term is understood in competition law,” and that Royal Mail’s issuance of Contract Change Notices, which give notice to access operators of impending changes to the terms and conditions of access, “had the effect of signalling Royal Mail’s commitment to a policy of limiting entry into direct delivery.”
  2. Ofcom erred in concluding that transactions undertaken between Royal Mail and all of its different access customers were equivalent in all material respects, and that the price differential could not be justified. On this issue, the Tribunal concluded “the cost justification as advanced by Royal Mail does not serve to overcome the essentially discriminatory nature of the price differential in the particular circumstances of this case.”
  3. Ofcom erred in its assessment of whether the price differential was likely to give rise to a competitive disadvantage and/or a restriction of competition because it failed to have proper regard to the impact of the conduct on an ‘as efficient competitor’. On this issue, the Tribunal concluded, after an elaborate analysis, that Ofcom was correct in its finding that the test that Royal Mail advanced “was neither appropriate nor necessary in this case and that its analysis of the likely effects of the conduct in question and its findings on competitive disadvantage were fully justified.”
  4. Ofcom erred in finding that any abuse was not objectively justified under Article 102 and/or Article 106(2) TFEU by reference to the need to preserve the viability of the universal service under economically acceptable conditions.  On this issue, the Tribunal concluded “that Royal Mail cannot claim either that its conduct was objectively justified under Article 102 or that it was exempt from the application of Article 102 by reason of Article 106(2).”
  5. Ofcom committed a fundamental procedural error by basing its findings of a likely competitive disadvantage in the Decision on evidence and analysis that was not previously included, or relied upon, in the Statement of Objections, or otherwise put to Royal Mail during the administrative phase. On this issue, the Tribunal concluded that “notwithstanding the paramountcy of an undertaking’s ability to defend itself without procedural hindrance, Royal Mail’s ability to do so in this particular case has not been impaired.”
  6. Ofcom erred in imposing a £50 million fine on Royal Mail. On this issue, the Tribunal “[took] the view that a substantial penalty is justified” and concluded that the amount of the penalty was correct.

N.B.:  Corporate officers responsible for compliance with the United Kingdom Competition Act 1998 should take note of this judgment, and incorporate key elements of the Tribunal’s judgment and analysis in their internal guidance on discriminatory pricing.  Although this case arose in the United Kingdom, the Tribunal’s judgment may also provide guidance for other European Union Member States in pursuing discriminatory-pricing cases.

Hong Kong Securities and Futures Commission Fines UBS $51 Million for Ten Years of Client Overcharges and for Systemic Internal Controls Failures

On November 11, the Hong Kong Securities and Futures Commission (SFC) announced that it had reprimanded and fined UBS AG (UBS) $51 million (HK$400 million) “for overcharging its clients over a ten-year period and for related serious systemic internal control failures.”

The SFC set forth specific findings on two categories of misconduct:

  1. Overcharging: Between 2008 and 2015, UBS client advisors (CAs) and client advisors’ assistants (CAAs) in UBS’s Wealth Management division “had overcharged clients when conducting bond and structured note trades by increasing the spread charged after the execution of trades without clients’ knowledge.”  In addition, between 2008 and 2017, UBS had also charged its clients fees in excess of its standard disclosures or rates.  In particular, the SFC stated that

following their clients’ requests to buy or sell products, the CAs and CAAs would enter the limit order price of the clients’ trades into UBS’s client order processing system. In circumstances where the actual execution price achieved in the market was better than the limit order price, the CAs and CAAs would increase the spread after executing the trades in order to retain the price improvement for UBS without agreement with, or disclosure to, the clients, and sometimes misreported the execution price or spread to the clients. On some occasions, they would also falsify the account statements issued to financial intermediaries, who were authorized to trade for clients, by misreporting the spread amount to conceal the overcharges.

On these issues, the SFC concluded “that these malpractices involved a combination of serious systemic failures for a prolonged period of time including inadequate policies, procedures and system controls, lack of staff training and supervision, and failures of the first and second lines of defence functions of UBS.”

  2. Organizational Failures: The SFC identified three additional categories of organizational failures by UBS:
    1. Failure to Disclose: The SFC stated that UBS “failed to understand and properly disclose the capacity in which it acted for its clients when conducting secondary market bond and structured note trades.” It also noted that UBS “acknowledged that its historical approach to capacity was confused, its past communications with regulators regarding its capacity were incomplete, and its communications with clients on whether it was acting as their agent or principal were unclear and, in some cases, erroneous.”
    2. Failure to Report: The SFC stated that UBS “failed to report its spread overcharge practices to the SFC until two years after the identification of the misconduct.” It pointedly remarked that “[t]his was not an isolated incident, but was one of a number of late reporting incidents whereby UBS failed to report the relevant misconduct to the SFC in a timely manner, or at all.”
    3. Failure to Ensure Compliance: After the discovery of the spread overcharge practices, UBS implemented a new order-taking platform, One Wealth Management Platform (1WMP), as a system enhancement in October 2017.  But, as the SFC stated, “instead of putting in place a system that ensures its compliance with relevant regulatory requirements, UBS reported 15 incidents to the SFC or the Hong Kong Monetary Authority relating to the failures of 1WMP covering a variety of issues, including further spread overcharges.  These issues call into question UBS’s capability to put in place effective remediation to address the spread overcharge practices and proper internal controls to avoid the recurrence of historical deficiencies.”

Taking into account all of these circumstances, the SFC concluded that UBS failed to (1) “act honestly, fairly and in the best interests of its clients”; (2) “act with due skill, care and diligence, in the best interests of its clients”; (3) “avoid conflicts of interest and ensure that its clients are treated fairly”; (4) “provide adequate disclosure of relevant material information to clients”; and (5) “comply with all relevant regulatory requirements applicable to the conduct of its business activities so as to promote the best interests of clients.”

In deciding on the disciplinary sanctions, the SFC stated that it took into account all relevant circumstances.  Those included (1) “the elements of dishonesty in UBS’s spread overcharge practices”; (2) “the duration of UBS’s spread overcharge practices, i.e. around ten years”; (3) “the fact that UBS’s spread overcharge practices were undetected for at least seven years”; (4) “the serious and systemic nature of UBS’s internal control failures”; (5) “UBS’s disciplinary actions against over 20 staff who had engaged in the malpractice”; (6) “UBS’s appointments of independent reviewers to (i) identify the root causes of the spread overcharge practices and assess the magnitude of its spread overcharge practices, (ii) validate the relevant overcharge and compensation arising from 1WMP, and (iii) review the adequacy and effectiveness of UBS’s remediation measures”; and (7) “UBS’s agreement to fully compensate the affected clients.”

In addition to paying the $51 million fine, UBS committed “to compensate the affected clients by repaying them the full value of the overcharged amount together with interest.” The total amount of those repayments (approximately HK$200 million) “covers overcharges made through post-trade spread increases and charges in excess of standard disclosures or rates between 2008 and 2017. The overcharge practices affected about 5,000 Hong Kong-managed client accounts in about 28,700 transactions.”

N.B.:  In view of the SFC’s findings, it is not in the least surprising that the SFC concluded “that these malpractices involved a combination of serious systemic failures for a prolonged period of time including inadequate policies, procedures and system controls, lack of staff training and supervision, and failures of the first and second lines of defence functions of UBS.”  Accordingly, this case provides a number of lessons for financial institutions in and beyond Hong Kong.

Chief Compliance Officers at financial institutions should brief senior management officials in their firms about the key elements of this case, incorporate information from the case into their training materials (especially for senior and mid-level executives in their wealth management divisions), and check their compliance programs against the facts of this case to identify potential shortcomings or opportunities for improvement.

United Kingdom Prudential Regulation Authority Issues Second Warning to HSBC Over Non-Financial Risks

On November 7, Bloomberg reported that the United Kingdom Prudential Regulation Authority (PRA) warned HSBC Holdings, for the second year in a row, that HSBC has not done enough “to tackle concerns about how the bank handles risks including financial crime and staff conduct.”  In a conference call this week, Samir Assaf, CEO of HSBC Global Banking & Markets, reportedly told executives that the PRA, an arm of the Bank of England, “informed the firm that it was making insufficient progress on non-financial risks.”  As the article explained, non-financial risks “are unrelated to credit quality and include problems such as financial crime, staff misconduct, compliance breaches and issues related to a bank’s culture.”

Assaf also stated, according to Bloomberg, that the PRA issued the warning both last year and this year.  He considers it “an emergency requiring attention.”  Accordingly, HSBC Global Banking & Markets is scheduling “a summit of top executives this month to discuss the problems.”

One measure of the concerns facing HSBC is a confidential survey that the United Kingdom Banking Standards Board (BSB) conducted in 2019.  The survey results showed, Bloomberg reported, that “out of seven investment banks, HSBC’s ranked last when staff were asked about colleagues ‘acting honestly and ethically,’ ‘flexing ethical standards to make career progression’ and ‘turning a blind eye to inappropriate behavior,’ according to documents seen by Bloomberg.”

N.B.:  Notwithstanding the other challenges that HSBC faces as it seeks to reshape its business, Assaf is right to consider the PRA’s more recent admonition an emergency.  For most of the past decade, Bloomberg noted, “conduct issues have bedeviled HSBC,” as the following examples indicate:

  • 2012: HSBC paid nearly $2 billion in settlements with U.S. authorities in part for failing to maintain an effective anti-money laundering program and to conduct appropriate due diligence on its foreign correspondent account holders. Its settlement with the U.S. Department of Justice included a five-year obligation “to undertake enhanced AML and other compliance obligations and structural changes within its entire global operations to prevent a repeat of the conduct that led to [the U.S. investigation and] prosecution.”
  • 2017: HSBC entered into a civil settlement with the Justice Department, requiring it to pay $2.1 million, to resolve a complaint that it had submitted dozens of loans for payment on Small Business Administration (SBA) guarantees without disclosing to the SBA that those loans had been identified as fraudulent or potentially fraudulent.
  • 2018: HSBC Holdings entered into a deferred prosecution agreement with the Justice Department, requiring it to pay a $63.1 million criminal penalty and $38.4 million in disgorgement and restitution, to resolve charges that HSBC had engaged in a “front-running” fraud scheme to defraud two bank clients.
  • 2018: HSBC agreed with the Justice Department to pay $765 million as a civil penalty, to settle claims related to its packaging, securitization, issuance, marketing and sale of residential mortgage-backed securities between 2005 and 2007.
  • 2019: HSBC’s Swiss private banking unit reached an agreement with Belgian prosecutors, requiring it to pay almost $336 million, to resolve prosecutors’ allegations “that HSBC helped and encouraged the avoidance of the [European Union] savings tax by creating offshore companies in Panama and other tax havens in the Caribbean for wealthy Belgian clients ‘with no other purpose but to hide money’.” Prosecutors reportedly stated that HSBC “has now made and committed to a significant overhaul of its practices to counter financial crime risks.”
  • 2019: The Hong Kong Securities and Futures Commission (SFC) imposed on HSBC a $2.1 million fine (based in part on HSBC’s self-reporting to the SFC and taking remedial action), for non-compliance with telephone recording requirements under the Code of Conduct governing SFC-registered entities.
  • 2019: HSBC Bank N.A. reached a settlement with the U.S. Commodity Futures Trading Commission, requiring it to pay a $650,000 civil penalty (reduced to reflect HSBC’s cooperation and remediation), for “failing to establish appropriate risk management systems for its swap activities or to properly report swap data in certain categories, for certain swap transactions, to a swap data repository.”

There is no question that global financial institutions face considerable challenges and costs in maintaining and improving effective financial-crimes compliance programs, and that even the best of those institutions sometimes run afoul of various statutory or regulatory requirements.  The range of criminal and civil sanctions imposed on HSBC, however, is at variance with HSBC’s professed aspiration “to set the industry standard for knowing our customers and detecting, deterring and protecting against financial crime.”

Such a statement can come back to haunt the bank unless it takes prompt action to demonstrate that it has made meaningful progress across the board on non-financial risk areas, including anti-bribery and corruption, anti-money laundering, and sanctions.  When HSBC is already down two strikes to the PRA, it would do well to avoid a third.