Basel Institute on Governance Releases 2020 AML Index

On July 23, the Basel Institute on Governance released its 2020 AML Index.  The Index, which the Institute has published since 2012, assesses the risk of money laundering and terrorist financing (ML/TF) around the world.  It provides risk scores based on data from 16 publicly available sources, such as the Financial Action Task Force (FATF), Transparency International, the World Bank, and the World Economic Forum.

The 2020 Index’s general conclusions included the following:

  • Changes: The Index “remains unacceptably high at 5.22 out of 10, where 10 equals maximum risk.” Only six countries improved their scores by more than a single point, while 35 countries’ scores decreased.
  • Quality of AML Supervision: Of the 100 countries that have been assessed so far with the new FATF assessment methodology, one-third scored a “zero for the effectiveness of their supervisory bodies and measures designed to safeguard financial systems from abuse.”
  • Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Systems: Since the FATF moved to its fourth-round methodology, which the Institute noted “assess[es] not just the technical compliance of a country’s AML/CFT systems but their effectiveness in practice,” “most countries that undergo a fourth-round FATF evaluation rate poorly for effectiveness.”

The 2020 Index also includes a new indicator for human trafficking, the U.S. State Department’s Trafficking in Persons (TIP) Report.  The Institute stated that this change “reflects the huge and growing proceeds generated by this transnational crime and laundered through international financial systems.”

The Public Edition of the 2020 Index includes scores and rankings for 141 countries, with the proviso that the FATF has not yet assessed many of those countries with its fourth-round methodology, which limits the comparability of those scores and rankings.  (In the Index, the higher the score for a particular country, the greater the ML/TF risk, which translates to a higher ranking for that country.)

The following are some of the noteworthy data on specific countries:

  • Highest and Lowest Rankings: The five highest-ranked (i.e., riskiest) countries were (1) Afghanistan (8.16), (2) Haiti (8.15), (3) Myanmar (7.86), (4) Laos (7.82), and (5) Mozambique (7.81). The five lowest-ranked countries were (141) Estonia (2.36), (140) Andorra (2.83), (139) Finland (2.97), (138) Bulgaria (3.12), and (137) the Cook Islands (3.13).
  • Africa: In addition to Mozambique, other higher-ranked African countries included Sierra Leone (7/7.51), Senegal (8/7.3), Kenya (9/7.18), Angola (13/7.02), Nigeria (14/6.88), and Benin (15/6.85). South Africa ranked 87 (4.83), Ghana 85 (4.89), and Egypt 82 (4.96).
  • Asia: In addition to Afghanistan, Myanmar, and Laos, other higher-ranked Asian countries included Yemen (10/7.12), Cambodia (11/7.1), Vietnam (12/7.02), China (18/6.76), and Kyrgyzstan (27/6.32).
  • Australia: Australia ranked 124 (3.84).
  • Europe: The five highest-ranked European countries were Turkey (41/5.76), Bosnia-Herzegovina (47/5.63), Russia (52/5.51), Malta (53/5.48), and Serbia (54/5.47).  The United Kingdom ranked 116 (4.02).
  • North America: The United States ranked 100 (4.57), Canada 94 (4.68), and Mexico 68 (5.2).
  • South America: The five highest-ranked South American countries were Nicaragua (16/6.78), Venezuela (20/6.56), Paraguay (24/6.45), Bolivia (31/6.12), and Panama (36/5.96).
  • Caribbean: After Haiti, the next highest-ranked Caribbean countries were the Cayman Islands (6/7.64), the Bahamas (25/6.43), Jamaica (34/5.99), and Barbados (40/5.87).

Note: In its release concerning the AML Index, the Institute commented that the Index “will disappoint anyone wishing for tangible progress in combating money laundering and terrorist financing (ML/TF) around the world.”  Seasoned AML/CTF observers, on the other hand, should simply make use of the Index and bear its data in mind as various authorities, such as the European Union, strive to strengthen the structure and implementation of regional and national AML/CTF frameworks.

IBM Report Finds Nation-State Cyberattacks Costliest Type of Data Breach

On July 29, IBM announced the release of IBM Security’s Cost of A Data Breach Report 2020.  The Report, which the Ponemon Institute conducted, was based on in-depth interviews with more than 3,200 security professionals in organizations that suffered a data breach during the past year.

Principal findings of the Report included the following:

  • Nation-State Attacks: Data breaches believed to originate from nation-state attacks were the costliest type of data breach (relative to other categories of threat actors), averaging $4.43 million per breach in data-breach costs. Only 13 percent of malicious breaches were believed to have been carried out by nation-state actors, compared to 53 percent by financially motivated cybercriminals, 13 percent by hacktivists, and 21 percent unknown.
  • Root Causes of Malicious Breaches: In incidents where attackers accessed corporate networks by using stolen or compromised credentials, businesses saw nearly $1 million greater data-breach costs, averaging $4.77 million per breach. The second costliest root cause of malicious breaches was exploitation of third-party vulnerabilities, averaging $4.5 million.
  • Data Breach Lifecycles: The average time to identify and contain a data breach, according to the Report, “varied widely depending on industry, geography and security maturity.” Companies with data breaches had an average “lifecycle” of 280 days (i.e., 207 days to identify a breach and 73 days to contain it).   Healthcare sector companies had an average lifecycle of 329 days, while financial-sector firms had a much shorter average lifecycle of 233 days.  The Report noted that companies that had fully deployed security automation had an average lifecycle of 234 days, compared to companies that did not deploy security automation (averaging 308 days).
  • Data Breach Costs: The average total cost of a data breach was $3.86 million, a slight decline from $3.92 million in the 2019 Cost of a Data Breach Report.
  • Cost Factors: Of 25 cost factors that the report addressed, security system complexity was the most expensive, as it increased the average total cost of a breach by $292,000 (resulting in an adjusted average total cost of $4.15 million). Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000 (resulting in an adjusted average cost of $4.13 million).
  • Costs of Mega Breaches: Data breaches involving compromise of more than 50 million records had average costs of $392 million (a very slight increase from $388 million in the 2019 Report). Data breaches involving compromise of 40 to 50 million records had average costs of $364 million (also a slight increase from $345 million in the 2019 report).
  • Smart Tech Benefits: Companies surveyed that “fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs” of those companies that did not deploy those tools ($2.45 million vs. $6.03 million, on average).
  • Incident Response Preparedness: Companies that had an incident response (IR) team and tested an IR plan using tabletop exercises or simulations had an average data-breach total cost of $3.29 million, while companies that had neither an IR team nor IR testing had an average total cost of $5.29 million.

Note:  By now, the cost of data breaches and the length of data-breach lifecycles should not be a surprise in any corporate sector.  Information-security and compliance teams, however, should take note of the disproportionate effects of nation-state attacks, and ensure that their cybersecurity risk assessment processes are monitoring open-source reporting on such attacks.  They should also incorporate a number of the Report’s principal findings – especially those pertaining to security automation tech and IR preparedness – into briefing materials for senior executives and training for corporate employees.

In Japan’s First Plea Bargain Case, Tokyo High Court Imposes $23,300 Fine on Former Mitsubishi Executive for Bribery

On July 21, the High Court in Tokyo imposed a ¥2.5 million (US $23,309) fine on Satoshi Uchida, a former executive of the Japanese power-plant construction company Mitsubishi Hitachi Power Systems Ltd. (MHPS), for his role in bribing a senior Thai official in a power plant project in Thailand.  In this case – the first in Japan involving a corporate plea bargain, with MHPS – the Tokyo District Court in September 2019 had sentenced Uchida to 18 months in prison, suspended for three years, for conspiring with two subordinates in charge of logistics to bribe the Thai official, who was in the Thai Ministry of Transport.

According to the Japan Times, in February 2015 the two subordinates paid 11 million baht ($347,000) to the Thai official, “who informed them the company had failed to meet necessary conditions for unloading cargo.”  The High Court evidently concluded that Uchida, who had approved the bribery, “was in a position to stop the two from bribing [the] official . . . but failed to do so.”

In Uchida’s case, the High Court found that the testimony of the subordinates, who had already been convicted of bribing the Thai official, was not credible.  In the Court’s words, Uchida “was consistently hesitant and urging them to come up with alternatives. The district court ruling . . . leaves reasonable doubt.”  Accordingly, it nullified the suspended sentence and imposed the fine.

Note: This ruling by the Tokyo High Court is significant for three reasons.  First, it involves the first appellate ruling in this first plea-bargain case under the revised Japanese Criminal Procedure Code.

Second, it establishes a precedent for imposing actual financial sanctions on Japanese executives convicted of foreign bribery.  Even if the amount of the fine is a vanishingly small fraction of the 30 billion baht contract that MHPS was awarded in 2013, that precedent should send a message to corporate executives that approving foreign bribery can have real consequences.  It also should send a message to other Japanese courts that future sentencings in such cases must do more than virtually absolve convicted defendants.

Finally, it should provide some added incentive for the Japanese Public Prosecution Office, which reportedly has been cautious about using its plea-bargaining authority, to pursue foreign-bribery cases.  Last year, the Organization for Economic Cooperation and Development’s Working Group on Bribery admonished Japan about stepping up enforcement of its foreign-bribery laws.  Pursuing more criminal-plea resolutions with leading companies could help in demonstrating Japan’s commitment to do so.