Former Banker Convicted at Trial of Price-Fixing and Bid-Rigging in FX Market

On November 20, the U.S. Department of Justice announced that after a three-week trial in the Southern District of New York, a jury convicted Akshay Aiyer of participating “in an antitrust conspiracy to manipulate prices for emerging market currencies in the global foreign currency exchange (FX) market.”  Aiyer, a former JP Morgan Chase Executive Director and FX trader, was convicted on one count under section 1 of the Sherman Antitrust Act for “conspiring to fix prices and rig bids in Central and Eastern European, Middle Eastern and African (CEEMEA) currencies, which were generally traded against the U.S. dollar and the euro, from at least October 2010 through at least January 2013.”

The evidence presented at trial established the following:

  • Aiyer “engaged in near-daily communications with his co-conspirators by phone, text and through an exclusive electronic chat room to coordinate their trades of the CEEMEA currencies in the FX spot market.”
  • Aiyer and his co-conspirators “manipulated exchange rates by agreeing to withhold bids or offers to avoid moving the exchange rate in a direction adverse to open positions held by co-conspirators and by coordinating their trading to manipulate the rates in an effort to increase their profits.”
  • By agreeing not to buy or sell at certain times, Aiyer and the other conspiring traders “protected each other’s trading positions by withholding supply of or demand for currency and suppressing competition in the FX spot market for emerging market currencies.”
  • Aiyer and his co-conspirators “took steps to conceal their actions by, among other steps, using code names, communicating on personal cell phones during work hours and meeting in person to discuss particular customers and trading strategies.”

Aiyer is reportedly scheduled to be sentenced on April 3, 2020.  The release also noted that the investigation into FX spot market collusion is ongoing.

N.B.: This is the most recent conviction stemming from the Department of Justice’s Antitrust Division investigation of collusion in the FX spot market, and apparently the first involving a conviction at trial.  Although five financial institutions and two individual former traders have already pleaded guilty in the investigation, the Antitrust Division’s success in obtaining a conviction at trial could prompt further pleas.

Financial Crimes Enforcement Network Director States That Bank Secrecy Act “Travel Rule” Applies to Cryptocurrencies Operating Money Services Businesses

On November 18, Reuters reported on remarks that the Director of the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) Kenneth Blanco made at a November 15 conference in New York.  In his remarks, Blanco stated that the federal government will “strictly enforce” a regulation under the Bank Secrecy Act “that requires cryptocurrency firms engaged in money service businesses such as digital asset exchanges and wallet service providers to share information about their customers.”

The so-called “travel rule,” which has been in effect for more than 20 years, “requires cryptocurrency exchanges to verify their customers’ identities, identify the original parties and beneficiaries of transfers $3,000 or higher, and transmit that information to counterparties if they exist.”   According to Reuters, Director Blanco stated that the rule “applies to CVCs (convertible virtual currencies) and we expect that you will comply period.”  To emphasize the point, he added, “That’s what our expectation is. You will comply. I don’t know what the shock is. This is nothing new.”

Blanco also reportedly commented that the travel rule “is the most commonly cited violation with regard to money service businesses [MSBs] engaged in virtual currencies.”  On a related note, he stated that FinCEN “has been conducting examinations that include compliance with the . . . rule since 2014.”

N.B.:  Some in the cryptocurrency industry have professed surprise at Director Blanco’s remarks, in view of guidance that FinCEN issued in May 2019 regarding CVCs.  The Reuters report indicated that some in the cryptocurrency industry interpreted that guidance to mean that the travel rule did not apply to them.

Admittedly, the May 2019 guidance nowhere mentions the travel rule by name, and nowhere specifically states that CVCs are subject to the travel rule.  On the other hand, the BSA and the regulations thereunder have long defined an MSB as a “financial institution” responsible for BSA compliance, including the travel rule.  In addition, since 2010 FinCEN’s public position has been that any transmitter’s “financial institution” must comply with the travel rule.

While some in the crypto industry may have parsed the May 2019 guidance too closely, it should be no surprise to those familiar with the BSA that a CVC registered as and operating an MSB falls within the travel rule’s requirements.  In any event, Director Blanco has removed any doubt about the industry’s need to comply with the rule.

Sophos Issues Report on How Ransomware Attacks

On November 14, the British cybersecurity company Sophos issued a report, titled “How Ransomware Attacks,” that explains how ransomware variants attack and affect victims.  Because Sophos views ransomware’s behavior as “its Achilles’ heel,” the report describes “some of the behavioral patterns” of the 11 “most common, damaging, and persistent ransomware families.”

The report, by Sophos Director of Engineering Mark Loman, discusses a number of the most prevalent ransomware techniques and behavioral traits, including the following:

  • Ransomware Categories: The report divided various prominent ransomware families into three categories, “distinguishing them by the method attackers use to spread the infection”:
    • Cryptoworm: Ransomware “that replicates itself to other computers for maximum reach and impact.”
    • Ransomware-as-a-Service (RaaS): Ransomware “sold on the dark web as a distribution kit to anyone who can afford it,” allowing people “with little technical skill to attack with relative ease.”
    • Automated Active Adversary: Ransomware that “is deployed by attackers who use tools to automatically scan the internet for IT systems with weak protection.”
  • Cryptographically Signed Code: “Attackers may attempt to minimize detection by security software by signing their ransomware with an Authenticode certificate, which anyone can buy (or steal). . . . Unfortunately, some security tools conflate ‘digitally signed’ with ‘should be allowed to run’.”
  • Privilege Escalation: “[T]oday’s ransomware uses exploits to elevate their own privileges and abuse stolen administrator credentials to make sure the attack is performed using a privileged account.”
  • Attacking Network Drives First: Ransomware causes “the most immediate damage to an organization” when it encrypts mapped network drives first, “as it immediately affects most employees no matter where they are geographically located.”
  • Multi-Threading Technology: “Some ransomware is specifically designed to make efficient use of modern CPU hardware and parallelizes individual tasks to ensure faster and, subsequently, more harmful impact before victims discover they’re under attack.”
  • Cipher.exe Abuse: Certain ransomware abuses Microsoft’s CIPHER.EXE command-line tool “to make sure ransomware victims cannot recover deleted documents from their storage drives.”  Some ransomware also abuses CIPHER.EXE by exploiting its ability to permanently overwrite all of the deleted data on a storage drive.

The report also provides a summary of 11 common ransomware families’ methods and characteristics.

The report notes that a key vulnerability of ransomware is that “[t]here are behavioral traits that ransomware routinely exhibits that security software can use to decide whether the program is malicious.” As The Register explained, “sooner or later, the malware has to access the file system and begin to encrypt the data. This is the point where the attacks have to expose themselves and the spot where security tools can stop them.”
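The behavioral traits summarized above (bulk encryption of files, network shares hit first, CIPHER.EXE used to wipe deleted data) can be expressed as detection logic that ignores whether the program is signed. The following Python example is an added illustration, not code from the Sophos report; the event fields, the thresholds and the sample telemetry are constructed assumptions rather than any real product's schema.

```python
import re
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the report.
ENTROPY_MIN = 7.5   # bits per byte; encrypted output sits close to 8
BURST_FILES = 5     # distinct files rewritten with high-entropy data ...
BURST_SECS = 10.0   # ... inside this many seconds
WIPE_SWITCH = re.compile(r"(^|\s)/w(:|\s|$)", re.I)   # cipher.exe /w:<dir>

def proc(t, pid, image, signed, cmd):
    return {"t": t, "type": "proc", "pid": pid, "image": image,
            "signed": signed, "cmd": cmd}

def write(t, pid, path, entropy):
    return {"t": t, "type": "write", "pid": pid, "path": path,
            "entropy": entropy}

# Constructed telemetry: pid 100 is signed but rewrites a share in a burst,
# pid 200 is a backup job writing compressed data slowly, pid 101 wipes free space.
EVENTS = (
    [proc(0.0, 100, r"C:\Users\a\invoice.exe", True, "invoice.exe"),
     proc(0.0, 200, r"C:\Program Files\Backup\bk.exe", True, "bk.exe --nightly")]
    + [write(1.0 + i, 100, rf"\\fs01\share\doc{i}.docx", 7.9) for i in range(6)]
    + [write(1.0 + 30 * i, 200, rf"D:\bk\part{i}.zip", 7.8) for i in range(6)]
    + [proc(9.0, 101, r"C:\Windows\System32\cipher.exe", True, "cipher.exe /w:C:")]
)

def analyze(events):
    """Return {pid: reasons}. The 'signed' field is deliberately never consulted."""
    findings = defaultdict(set)
    recent = defaultdict(deque)   # pid -> (time, path) of high-entropy writes
    first = {}                    # pid -> first path it wrote high-entropy data to
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["type"] == "proc":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name == "cipher.exe" and WIPE_SWITCH.search(ev["cmd"]):
                findings[pid].add("cipher-wipe")
        elif ev["entropy"] >= ENTROPY_MIN:
            first.setdefault(pid, ev["path"])
            window = recent[pid]
            window.append((ev["t"], ev["path"]))
            while ev["t"] - window[0][0] > BURST_SECS:
                window.popleft()          # drop writes older than the window
            if len({p for _, p in window}) >= BURST_FILES:
                findings[pid].add("mass-encryption")
                if first[pid].startswith("\\\\"):   # UNC path: a network share
                    findings[pid].add("network-share-first")
    return dict(findings)

if __name__ == "__main__":
    for pid, reasons in sorted(analyze(EVENTS).items()):
        print(pid, sorted(reasons))
```

The backup job writes equally high-entropy data but never in a burst, so rate within a time window rather than entropy alone is what separates it from the encrypting process.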

N.B.: Because ransomware presents continuing threats to companies and governments around the world, this report warrants a closer reading by corporate information-security teams.  While there is no panacea for ransomware, the report offers information-security professionals a number of useful observations and insights for understanding core behaviors of ransomware and reducing the odds that ransomware can successfully infiltrate corporate networks and databases.

United Kingdom Competition Appeal Tribunal Upholds £50 Million Penalty Against Royal Mail for Discriminatory Pricing Against Bulk Mail Operators

On November 12, the United Kingdom Competition Appeal Tribunal (Tribunal) issued a unanimous judgment in which it affirmed a £50 million penalty by the Office of Communications (Ofcom) against Royal Mail plc for discriminatory pricing against bulk mail operators.

Royal Mail plc, once the state-owned monopoly provider of mail services in the United Kingdom, is a publicly traded company that operates as an international parcels and letters delivery service, and that also serves as the United Kingdom’s sole designated provider of the universal postal service throughout the United Kingdom.

In January 2014, according to the Judgment, Royal Mail announced the introduction of differential prices for bulk mail operators for access to Royal Mail’s final delivery service, without which the bulk mail providers could not operate.  One bulk mail operator, Whistl UK Limited (formerly known as TNT Post), “planned to set up its own final delivery service and establish an end-to-end bulk mail service in competition with Royal Mail.”

After Whistl complained to Ofcom that Royal Mail’s new differential access prices “made its end-to-end operations and future plans uneconomic,” in February 2014 Ofcom announced that it would open an investigation into Royal Mail’s pricing.  Thereafter, Royal Mail’s new prices were suspended, and formally withdrawn in 2015.

Ofcom ultimately ruled in 2018 that Royal Mail “had infringed the Chapter II prohibition under the Competition Act 1998 (“CA 1998”) and Article 102 of the Treaty on the Functioning of the European Union (“TFEU”),” and imposed a fine of £50 million on Royal Mail.  Royal Mail then appealed the Ofcom decision to the Tribunal.

In a highly detailed 230-page judgment, the Tribunal dismissed each of Royal Mail’s arguments:

  1. Ofcom erred in law and in fact by concluding that, when Royal Mail announced the new prices, prices were applied for the purposes of Article 102(c) TFEU and section 18(2)(c) CA 1998. On this issue, the Tribunal concluded, among other things, “that Royal Mail’s conduct was not ‘competition on the merits’ as that term is understood in competition law,” and that Royal Mail’s issuance of Contract Change Notices, which give notices to access operators of impending changes to the terms and conditions of access, “had the effect of signalling Royal Mail’s commitment to a policy of limiting entry into direct delivery.”
  2. Ofcom erred in concluding that transactions undertaken between Royal Mail and all of its different access customers were equivalent in all material respects, and that the price differential could not be justified. On this issue, the Tribunal concluded “the cost justification as advanced by Royal Mail does not serve to overcome the essentially discriminatory nature of the price differential in the particular circumstances of this case.”
  3. Ofcom erred in its assessment of whether the price differential was likely to give rise to a competitive disadvantage and/or a restriction of competition because it failed to have proper regard to the impact of the conduct on an ‘as efficient competitor’. On this issue, the Tribunal concluded, after an elaborate analysis, that Ofcom was correct in its finding that the test that Royal Mail advanced “was neither appropriate nor necessary in this case and that its analysis of the likely effects of the conduct in question and its findings on competitive disadvantage were fully justified.”
  4. Ofcom erred in finding that any abuse was not objectively justified under Article 102 and/or Article 106(2) TFEU by reference to the need to preserve the viability of the universal service under economically acceptable conditions.  On this issue, the Tribunal concluded “that Royal Mail cannot claim either that its conduct was objectively justified under Article 102 or that it was exempt from the application of Article 102 by reason of Article 106(2).”
  5. Ofcom committed a fundamental procedural error by basing its findings of a likely competitive disadvantage in the Decision on evidence and analysis that was not previously included, or relied upon, in the Statement of Objections, or otherwise put to Royal Mail during the administrative phase. On this issue, the Tribunal concluded that “notwithstanding the paramountcy of an undertaking’s ability to defend itself without procedural hindrance, Royal Mail’s ability to do so in this particular case has not been impaired.”
  6. Ofcom erred in imposing a £50 million fine on Royal Mail. On this issue, the Tribunal “[took] the view that a substantial penalty is justified” and concluded that the amount of the penalty was correct.

N.B.:  Corporate officers responsible for compliance with the United Kingdom Competition Act 1998 should take note of this judgment, and incorporate key elements of the Tribunal’s judgment and analysis in their internal guidance on discriminatory pricing.  Although this case arose in the United Kingdom, the Tribunal’s judgment may also provide guidance for other European Union Member States in pursuing discriminatory-pricing cases.

Hong Kong Securities and Futures Commission Fines UBS $51 Million for Ten Years of Client Overcharges and for Systemic Internal Controls Failures

On November 11, the Hong Kong Securities and Futures Commission (SFC) announced that it had reprimanded and fined UBS AG (UBS) $51 million (HK$400 million) “for overcharging its clients over a ten-year period and for related serious systemic internal control failures.”

The SFC set forth specific findings on two categories of misconduct:

  1. Overcharging: Between 2008 and 2015, UBS client advisors (CAs) and client advisors’ assistants (CAAs) in UBS’s Wealth Management division “had overcharged clients when conducting bond and structured note trades by increasing the spread charged after the execution of trades without clients’ knowledge.”  In addition, between 2008 and 2017, UBS had also charged its clients fees in excess of its standard disclosures or rates.  In particular, the SFC stated that

following their clients’ requests to buy or sell products, the CAs and CAAs would enter the limit order price of the clients’ trades into UBS’s client order processing system. In circumstances where the actual execution price achieved in the market was better than the limit order price, the CAs and CAAs would increase the spread after executing the trades in order to retain the price improvement for UBS without agreement with, or disclosure to, the clients, and sometimes misreported the execution price or spread to the clients. On some occasions, they would also falsify the account statements issued to financial intermediaries, who were authorized to trade for clients, by misreporting the spread amount to conceal the overcharges.

On these issues, the SFC concluded “that these malpractices involved a combination of serious systemic failures for a prolonged period of time including inadequate policies, procedures and system controls, lack of staff training and supervision, and failures of the first and second lines of defence functions of UBS.”

  2. Organizational Failures: The SFC identified three additional categories of organizational failures by UBS:
    1. Failure to Disclose: The SFC stated that UBS “failed to understand and properly disclose the capacity in which it acted for its clients when conducting secondary market bond and structured note trades.” It also noted that UBS “acknowledged that its historical approach to capacity was confused, its past communications with regulators regarding its capacity were incomplete, and its communications with clients on whether it was acting as their agent or principal were unclear and, in some cases, erroneous.”
    2. Failure to Report: The SFC stated that UBS “failed to report its spread overcharge practices to the SFC until two years after the identification of the misconduct.” It pointedly remarked that “[t]his was not an isolated incident, but was one of a number of late reporting incidents whereby UBS failed to report the relevant misconduct to the SFC in a timely manner, or at all.”
    3. Failure to Ensure Compliance: After the discovery of the spread overcharge practices, UBS implemented a new order taking platform, One Wealth Management Platform (1WMP), as system enhancements in October 2017.  But, as the SFC stated, “instead of putting in place a system that ensures its compliance with relevant regulatory requirements, UBS reported 15 incidents to the SFC or the Hong Kong Monetary Authority relating to the failures of 1WMP covering a variety of issues, including further spread overcharges.  These issues call into question UBS’s capability to put in place effective remediation to address the spread overcharge practices and proper internal controls to avoid the recurrence of historical deficiencies.”

Taking into account all of these circumstances, the SFC concluded that UBS failed to (1) “act honestly, fairly and in the best interests of its clients”; (2) “act with due skill, care and diligence, in the best interests of its clients”; (3) “avoid conflicts of interest and ensure that its clients are treated fairly”; (4) “provide adequate disclosure of relevant material information to clients”; and (5) “comply with all relevant regulatory requirements applicable to the conduct of its business activities so as to promote the best interests of clients.”

In deciding on the disciplinary sanctions, the SFC stated that it took into account all relevant circumstances.  Those included (1) “the elements of dishonesty in UBS’s spread overcharge practices”; (2) “the duration of UBS’s spread overcharge practices, i.e. around ten years”; (3) “the fact that UBS’s spread overcharge practices were undetected for at least seven years”; (4) “the serious and systemic nature of UBS’s internal control failures”; (5) “UBS’s disciplinary actions against over 20 staff who had engaged in the malpractice”; (6) “UBS’s appointments of independent reviewers to (i) identify the root causes of the spread overcharge practices and assess the magnitude of its spread overcharge practices, (ii) validate the relevant overcharge and compensation arising from 1WMP, and (iii) review the adequacy and effectiveness of UBS’s remediation measures”; and (7) “UBS’s agreement to fully compensate the affected clients.”

In addition to paying the $51 million fine, UBS committed “to compensate the affected clients by repaying them the full value of the overcharged amount together with interest.” The total amount of those repayments (approximately HK$200 million) “covers overcharges made through post-trade spread increases and charges in excess of standard disclosures or rates between 2008 and 2017. The overcharge practices affected about 5,000 Hong Kong-managed client accounts in about 28,700 transactions.”

N.B.:  In view of the SFC’s findings, it is not in the least surprising that the SFC concluded “that these malpractices involved a combination of serious systemic failures for a prolonged period of time including inadequate policies, procedures and system controls, lack of staff training and supervision, and failures of the first and second lines of defence functions of UBS.”  Accordingly, this case provides a number of lessons for financial institutions in and beyond Hong Kong.

Chief Compliance Officers at financial institutions should brief senior management officials in their firms about the key elements of this case, incorporate information from the case into their training materials (especially for senior and mid-level executives in their wealth management divisions), and check their compliance programs against the facts of this case to identify potential shortcomings or opportunities for improvement.