Bank of England Refuses to Repatriate Gold to Venezuela After United States Imposes New Sanctions

In the theory of general relativity, increasing pressure increases gravitational pull.  Recent events involving the United States, Venezuela, and the United Kingdom have nicely demonstrated that a similar effect can occur in the field of economic sanctions.

On November 1, U.S. President Donald J. Trump, by Executive Order 13850, imposed new sanctions against Venezuela pertaining to the gold sector.  Subsection 1(a) of that order specifically prohibited defined persons

  • “(i) to operate in the gold sector of the Venezuelan economy or in any other sector of the Venezuelan economy as may be determined by the Secretary of the Treasury, in consultation with the Secretary of State;
  • “(ii) to be responsible for or complicit in, or to have directly or indirectly engaged in, any transaction or series of transactions involving deceptive practices or corruption and the Government of Venezuela or projects or programs administered by the Government of Venezuela, or to be an immediate adult family member of such a person;
  • “(iii) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any activity or transaction described in subsection (a)(ii) of this section, or any person whose property and interests in property are blocked pursuant to this order; or
  • (iv) to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked pursuant to this order.”

In connection with this intensification of pressure on the Venezuelan Government, the U.S. Office of Foreign Assets Control (OFAC) explained that the order “is designed to counter rampant corruption within the Government of Venezuela” and “provides a powerful tool to impose costs on those who unjustly benefit from dishonest or fraudulent conduct, illicit activity, and/or deceptive transactions within Venezuela’s gold sector or other identified sectors, or in relation to the Government of Venezuela or its projects or programs.”

Shortly thereafter, Reuters reported that the Venezuelan Government was seeking to repatriate about $550 million in gold bars, weighing 14 tons, “from the Bank of England because of fears it could be caught up in international sanctions on the country.”  According to the report, this effort predated the Executive Order, but had been “held up for nearly two months due to difficulty in obtaining insurance for the shipment, needed to move a large gold cargo.”  Gold holdings in the Venezuelan Central Bank declined by more than 50 percent, from 364 tons in 2014 to 160 tons in June 2018, as the expiration of swap operations with various global banks reportedly left those banks, including the Bank of England, continuing to hold Venezuelan gold that served as collateral for the funds lent to Venezuela.

The imposition of the new sanctions, however, apparently prompted the Bank of England to refuse to repatriate the gold to Venezuela.  According to The Times, “British officials are understood to have insisted that standard measures to prevent money-laundering be taken — including clarification of the Venezuelan government’s intentions for the gold.  There are concerns that [Venezuelan President Nicolás] Maduro may seize the gold, which is owned by the state, and sell it for personal gain.”

On its face, the Bank of England’s purported money-laundering argument makes little sense.  It is not unreasonable to think that the Bank of England would not have accepted the Venezuelan Government’s gold years ago if it believed that the gold represented the proceeds of any illegal activity.  That being the case, it would be difficult for the Bank of England now to assert that the repatriation of that same gold, without more, would constitute money laundering.  If Maduro Administration officials were later to divert the repatriated gold for their own benefit, or to sell the gold to raise hard currency and evade existing U.S. sanctions, those actions could constitute criminal violations.  In that event, subsequent transactions with the proceeds of those criminal violations could certainly constitute money laundering.  But predictions of likely future actions are not the same as current facts.

Nonetheless, the Bank of England’s best strategy at the moment, while Maduro contents himself with invective and promises to boost domestic gold production, is to refuse not only to repatriate the gold, but also to engage in any transactions with the gold.  If the Maduro Administration were to change its tactics and seek to sell the gold in the Bank’s possession to a foreign buyer, the Bank would have to assume that Venezuelan officials’ intent was the same, to avoid the U.S. gold sanctions.  Moreover, such transactions would involve the Bank of England even more directly in the Venezuelan Government’s evasion of those sanctions.

It would certainly be better for the Bank, from a legal and diplomatic standpoint, if the European Union (EU) were to expand on its recent extension of its existing sanctions on Venezuela and impose gold-related sanctions that paralleled the November 1 Executive Order’s terms.  Such action would, so to speak, increase international pressure on Venezuela and dramatically increase the Bank’s gravitational pull on the gold.   But as there are no indications yet that the EU is prepared to do so, the Bank must content itself for now with a notion familiar to theoretical physicists: that when pressure is balanced by gravitational pull, a system can reach equilibrium.  How long any system can maintain equilibrium, however, would be beyond the capacity of Einstein – let alone the Governor of the Bank – to predict in the abstract.

U.S. Court Sentences Defendant to 9 Years’ Imprisonment, $1 Million Fine for Arms Export Control Act and Money Laundering Offenses

On November 13, the U.S. District Court for the Northern District of California sentenced the operator of a U.S. business, Naum Morgovsky, to 108 months’ imprisonment, a $1 million fine, and forfeiture of $222,929.61, on his plea to charges of conspiring to illegally export components for the production of night-vision and thermal devices to Russia in violation of the Arms Export Control Act (AECA), and for laundering the proceeds of the scheme.  Morgovsky’s wife, Irina Morgovsky, also pleaded guilty to conspiracy to violate the AECA and misuse of a passport, and was sentenced on October 31 to 18 months’ imprisonment for her role in the conspiracy.

The Department of Justice press release stated that according to their guilty pleas, which occurred during the second day of jury selection in their case on June 12, 2018, Naum and Irina Morgovsky

admitted that from at least April 2012 until Aug. 25, 2016, they conspired to export without the necessary license to a company called Infratech in Moscow, Russia, numerous night and thermal vision components, including image intensifier tubes and lenses.  The couple used their U.S. business, Hitek International, to purchase these components and misrepresented to the sellers that the products would not be exported.  The couple then shipped the products to Russia using a variety of front companies and shipment methods.  Further, defendants knew the night and thermal vision components they exported were on the U.S. Munitions List and that they therefore were not permitted to export the items without a license from the Department of State, Directorate of Defense Trade Controls, which they never sought.

The sentencing judge also found that Naum Morgovsky had taken steps to conceal his crimes so that he and Irina Morgovsky could continue to operate their illegal export business without detection, and that he laundered the proceeds of the AECA crimes.  The government also alleged that Naum Morgovsky used numerous front companies and the identity of at least one deceased person in furtherance of their scheme.

Note: Some attorneys have referred to the “complexity” of the AECA, and one recent commentary has characterized the overall multi-departmental bureaucratic process for reviewing and approving defense exports as “understaffed and organized in a way that can make the approval process inefficient and redundant.”  The Morgovskys’ actions, however, did not involve misunderstanding of fine distinctions in the International Traffic in Arms Regulations (ITAR), or bureaucratic delays in processing export-control paperwork.  Both defendants knew that the night and thermal vision components that they sought to export were unmistakably on the U.S. Munitions List, never sought the license that would therefore have been required, misrepresented to the sellers from whom they bought the components that the components would not be exported, and used numerous front companies and engaged in identity theft in the course of shipping the components to Russia.

In this respect, at least, the Department of Justice’s approach in this Administration to prosecuting AECA violations appears consistent with the approach in the Obama Administration.  Both Administrations have pursued and successfully prosecuted AECA cases when the items in question were on the U.S. Munitions List – such as weapons and weapons parts, sensors for use in high-level applications, and parts designed for missile and space applications – and there was evidence that the defendants knew it was illegal to export such items.  As a final note, Naum Morgovsky’s sentence, though longer than many AECA defendants, is not the longest sentence for an AECA defendant in recent years.

United States Court of Appeals Affirms Sentence of Defendant in EBRD-Related FCPA Prosecution

On November 8, the United States Court of Appeals for the Third Circuit affirmed the sentence of Dmitrij Harder, who had pleaded guilty in 2016 to two counts of violating the Foreign Corrupt Practices Act (FCPA).  At the time of his guilty plea, Harder, the former owner and president of Chestnut Consulting Group Inc. and Chestnut Consulting Group Co. (the Chestnut Group), admitted that between 2007 and 2009, he engaged in a scheme to pay approximately $3.5 million in bribes to an official of the European Bank for Reconstruction and Development (EBRD), to corruptly influence the official’s actions on applications for EBRD financing submitted by the Chestnut Group’s clients and to influence the official to direct business to the Chestnut Group.

Prior to Harder’s sentence, the Probation Office in the United States District Court for the Eastern District of Pennsylvania calculated an advisory range, under the United States Sentencing Guidelines, of 87-108 months’ imprisonment.  At the sentencing hearing, government prosecutors moved for a downward departure, pursuant to section 5K1.1 of the Sentencing Guidelines, in recognition of Harder’s cooperation and testimony during a related corruption trial in England that secured convictions against his former clients. The district court granted the government’s request for downward departure, which resulted in a Guidelines range of 57-71 months’ imprisonment.

Harder sought, but did not receive, an additional downward departure on three grounds that he advanced: (1) the proposed sentence was substantially greater than the average sentence for individual FCPA defendants; (2) “the bribes that he paid did not result in a loss to any victim; and (3) the two projects for which he corruptly sought financing proved successful and highly beneficial to the Eastern Siberia region.”  At sentencing, even after Harder’s counsel “continued to argue that Harder’s actions were less culpable due to the allegedly positive outcome,” the district court remained unpersuaded and sentenced Harder to 60 months’ incarceration (a sentence within the Guidelines range) and approximately $2 million in financial penalties.

On appeal, Harder alleged two procedural errors:

  1. Mitigation: Harder argued that the district court denied him a fundamentally fair sentencing hearing when it refused to hear or consider counsel’s argument in mitigation of offense severity. On this issue, the Third Circuit panel noted that “the record clearly reflects that the district court afforded meaningful consideration to Harder’s mitigation argument,” which it indicated is all that a sentencing court must give to a defendant’s sentencing arguments. It concluded that “the district court did not err by declining to grant Harder’s downward variance on the grounds that his conduct was allegedly less harmful than that of other FCPA defendants.”
  2. Unwarranted Disparity: Harder argued that the district court refused to comply with the statutory obligation to avoid unwarranted sentencing disparities.  On this issue, the panel rejected Harder’s argument, stating that “Harder does not challenge the calculation of his Guidelines range but simply objects to the district court’s refusal to grant a downward variance.”

Note: The decision in this case is not included among published Third Circuit opinions, probably because Harder’s issues on appeal were neither issues of first impression nor arguments that the court considered meritorious enough to warrant detailed analysis.  Three observations are still in order.

First, it should be noted that the sentencing court gave Harder credit for cooperation with the authorities (in the form of a downward departure) due to his testimony in a non-U.S. judicial proceeding.  The language of Guidelines section 5K1.1 states that a federal court may grant a departure from a Guidelines sentence “[u]pon motion of the government stating that the defendant has provided substantial assistance in the investigation or prosecution of another person who has committed an offense.”  Although it might seem that this basis for departure would pertain only to U.S. investigations and prosecutions, neither the text nor the Guidelines commentary thereon contain any limiting language to that effect.

The fact that the government was willing to file a section 5K1.1 motion for Harder’s assistance in a foreign trial indicates that the Justice Department is willing to construe section 5K1.1 expansively, at least in cases where the defendant may be able to render substantial assistance in a foreign prosecution.  It is noteworthy that in its successful prosecution of the EBRD banker whom Harder bribed, Andrey Ryjenko, the United Kingdom Crown Prosecution Service did not mention Harder by name, but credited “effective cross-border partnerships between a number of jurisdictions, including the United States” for making Ryjenko’s conviction possible.

Second, Harden’s argument regarding unwarranted disparity in FCPA sentencings was critically deficient in two respects.  One is the failure to raise the additional issue that the Third Circuit had identified: i.e., challenging the sentencing court’s calculation of the Guidelines range as well as raising the variance issue.  There is no guarantee that the Third Circuit would have found any greater merit in that additional issue, but its absence from the appeal clearly played a role in the panel’s reasoning.

The other is that Harder might have had greater success with his argument had he been able to show significant disparities between his sentence and the sentences of other co-defendants in the case.  Unfortunately for Harder, there were apparently only two other people prosecuted in connection with the bribery, and both were prosecuted in the United Kingdom.  The banker whom Harder bribed, Ryjenko, was sentenced after his London trial in June 2017 to six years’ imprisonment, and Ryjenko’s sister, Tatyana Sanderson, had been declared unfit to stand trial but pleaded guilty to laundering Ryjenko’s bribe payments through accounts in her name and received a suspended sentence of two years’ imprisonment in September 2018.   While reference to those facts would have taken the Third Circuit well outside the record of Harder’s appeal, it might have provided a further basis for the Third Circuit to conclude that Harder had not been the victim of unwarranted disparity in his sentence.

Third, it seems plain that Harder should never have raised the argument, at sentencing or on appeal, that he should be given favorable consideration for a further variance because his bribery of Ryjenko made people in Eastern Siberia more prosperous.  Apart from the fact that the FCPA contains no “bribery creates positive externalities” defense, on a more fundamental level courts are unlikely ever to reward a defendant for criminal conduct that arguably benefited third parties who did not participate in the crime itself.  A defendant who robs Peter to pay Paul should not be able to claim that he deserves leniency because Paul was genuinely deserving of and benefited from the money.

Cathay Pacific Reports Sustained Cyberattacks That Led to Major Data Breach

On November 12, Hong Kong-based airline Cathay Pacific publicly disclosed that the data breach it had first reported on October 24 was the result of a sustained series of cyberattacks that began in March 2018 and continued even after May 2018.  In its October 24 statement, Cathay Pacific had announced only that “as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing  passenger data of up to 9.4 million people.  Upon discovery, the company took immediate action to investigate and contain the event.”

Subsequently, Cathay Pacific prepared and issued the November 12 statement, in advance of a November 14 joint meeting of the Hong Kong Legislative Council’s (LegCo’s) Panel on Constitutional Affairs, Panel on Information Technology and Broadcasting, and Panel on Security.  In that statement, Cathay Pacific described a substantially longer timeline for both the attacks and the response than its October 24 statement had indicated.  That timeline began in March 2018,

when Cathay first detected suspicious activity on its network and took immediate action to understand the incident and to contain it. Cathay did this with the assistance of a leading global cybersecurity firm. During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. . . . Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.

The November 12 statement also included details about who was affected by the breach, what information was accessed, and how it conducted its internal investigation.  It explained that the investigation had  three objectives: (i) investigation, containment, and remediation; (ii) confirming which data had been accessed and whether it could be read by the attacker(s); and (iii) determining the types of personal data that pertain to each affected passenger and notification.  “Once we met these objectives,” Cathay Pacific explained, “we notified affected passengers and relevant authorities.”

Cathay Pacific also sought to anticipate criticism about the delay in its disclosure of the full extent of the attacks and breach.  It stated that

the nature of this attack involved a number of complex systems that took significant time to analyse. An enormous amount of work was involved in the investigation, which was highly technical. The process by which the stolen data could be identified, processed, and linked to a specific passenger also contributed to the length of time involved between initial discovery and public disclosure.

With regard to its investigation, Cathay Pacific also stated that “our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information to them. . . . The investigation was complex, longer than what we would have wished and we would have liked to have been able to provide this information sooner.”

Note:  At the conclusion of its November 12 statement, Cathay Pacific acknowledged “that there [are] many lessons that we can and will learn from this event.”  There are at least two lessons that other companies, from senior management to information-security and compliance officers, can learn from Cathay Pacific’s experience — though those lessons may not necessarily be the ones that Cathay Pacific had in mind.

First, senior management needs to understand how sustained cyberattacks on their information systems can be.  Media reports sometimes seem fixated on the word “sustained” in describing cyberattacks, such as the June 2017 cyberattack on the United Kingdom Parliament.  It should be noted that that attack reportedly lasted on the order of only 24 hours, but included a peak intensity of approximately 200,000 attempts over a number of hours on a single day.  The Cathay Pacific attack, by contrast, lasted for approximately three months.  Although that attack might seem like a “black swan” event, its success over multiple months makes it highly likely that those or other cyberattackers will emulate the concept of multiple-day or week attacks against other companies and government agencies.

For that reason, senior management needs to plan for the possibility that it will need to spend significant sums to supplement their company’s human and technological resources, and remediate hardware and software damage, in the event of a major cyberattack that lasts for an extended period.  As one point of comparison, in March 2018 the City of Atlanta experienced a major ransomware attack that not only caused significant damage to various information resources, but required the City to engage in emergency contract hires of security consultants and crisis-communication experts.  The bill for response and remediation reportedly increased from $2.7 million in April 2018 to $17 million by August 2018.

Second, in their first reports of a major cyberattack or data breach, companies need to choose their words carefully in describing the attack or breach.  In 2018, investors, the media, and the general public can be quick to react adversely to any reports that a company that suffered a data breach did not publicly disclose that breach until well after the event.  While a company must always take steps to see that the nature and timing of such disclosures comply with applicable state laws or national legislation, it must also anticipate that its first statements about the breach will set the tone for immediate and later responses by the media and the investing community.

In Cathay Pacific’s case, its October 24 explanation of the reasons for delaying disclosure – the need to determine the true extent of the damage and to remediate effectively — was not unreasonable on its face, and the company did include specific information about how people who thought they might be affected could contact the airline.  The greater problem appears to have been the wording of that statement.  Though surely not intended to mislead the public, the statements in the lead paragraph that it “discovered unauthorised access to some of its information system” and “took immediate action to investigate and contain the event” could easily be read to mean that the attack was a one-time event of brief duration.  That, coupled with the seven-month delay in disclosing the breach, likely added momentum to the “avalanche of criticism” that the October 24 statement triggered.

Three more specific lessons from this case, for other companies that suffer data breaches in the future, are simple:

  • When you’re ready to make your first statement about the breach, be as concise, and as accurate, as you can without compromising any ongoing internal investigation or remedial efforts. In that critical first disclosure, a company doesn’t need to explain the precise details of attack vectors or of the information-technology defense mechanisms and techniques it used.  It does need to be clearly understood when it describes the general nature and duration of the attack.  In the case of the UK Parliament attack, Parliamentary authorities provided general but prompt information during the weekend that the attack was underway, and were specific and accurate about the attack’s duration and intensity reasonably soon after the attack had ended.
  • Have someone outside the crisis-response team read the draft statement. It’s easy for people operating 24/7 in a crisis-response mode to make the assumption that they’ve said what needs to be said.  But it takes no effort to have someone from outside the team read the draft statements, as well as any draft questions and answers that corporate or government spokespersons propose to use with the media, with a layperson’s eye, and tell the crisis-response team where the public or the media might misunderstand or misconstrue any statements.
  • As with any other corporate crisis response, provide followup details when you can, but only when you’re confident you can provide accurate data. In the case of the UK Parliament attack, less than a month after the attack Parliament provided a concise but specific accounting of the extent of the attack, how many accounts were compromised, and what Parliament had done to respond.

In today’s LegCo joint panel meeting, Cathay Pacific’s representatives are likely to face pointed and critical questioning about its response to the cyberattacks and the timing of its disclosures.  With luck, it will already have learned enough lessons from its experience to date to provide responses that reduce the duration and intensity of that criticism.

European Commission Takes Action Against Luxembourg and Malta for Inadequate Compliance with 4th AML Directive

On November 8, the European Commission took significant actions against two European Union (EU) Member States to underscore the importance of compliance with the 4th Anti-Money Laundering (AML) Directive, Directive 2015/849.  That Directive, according to the Commission,

“reinforces the previously existing rules by:

  • “strengthening the risk assessment obligation for banks, lawyers, and accountants;
  • “setting clear transparency requirements about beneficial ownership for companies and trusts;
  • “facilitating cooperation and exchange of information between Financial Intelligence Units from different Member States to identify and follow suspicious transfers of money to prevent and detect money laundering or terrorist financing;
  • “establishing a coherent policy towards non-EU countries that have deficient anti-money laundering and counter-terrorist financing rules;
  • “reinforcing the sanctioning powers of competent authorities.”

First, the Commission decided to refer Luxembourg to the EU Court of Justice for transposing only part of that Directive into their national law.  The Commission also proposed that the Court of Justice charge “a lump sum and daily penalties until Luxembourg takes the necessary action.”

Second, the Commission adopted an opinion requiring the Maltese anti-money laundering supervisor, the Financial Intelligence Analysis Unit (FIAU), to continue taking additional measures to fully comply with its obligations under the 4th AML Directive.  Previously, on July 11, 2018, the European Banking Authority (EBA) investigated and concluded that the FIAU was breaching Union law.  It determined, per the Commission, “that Malta failed to correctly supervise financial institutions and ensure their compliance with anti-money laundering rules.”  In particular, the Commission called upon the FIAU to take a number of measures, including:

  • “Improving its methodology to assess money laundering and terrorist financing risks;
  • “Enhancing its monitoring and supervisory strategy by aligning resources with the risk of money laundering posed by certain institutions;
  • “Ensuring that the authority is able to react in an appropriate time when a weakness is identified, including by revising its sanctioning procedures;
  • “Ensuring that its decision-making is properly reasoned and documented;
  • “Adopting systematic and detailed record-keeping processes for offsite inspections.”

Note:  The Commission’s actions in these two cases are not unique; it has previously referred Romania and Ireland to the Court of Justice, and taken other actions against 18 other Member States, regarding transposition measures for the 4th AML Directive.  In light of the continuing surge of AML enforcement activity in the European Union, however, the Commission needs to continue to assert its AML oversight authority with vigor, even as it sorts out what additional authority it may seek to exert even greater supervision and control over European financial institutions.

In addition, the Commission doubtless has its eye on the 5th AML Directive, which entered into force on July 9, 2018 and which Member States will have to transpose into national legislation by January 10, 2020.  Given its experience with many Member States’ delays in fully transposing the 4th Directive, the Commission should be concerned about Member States’ ability to transpose the latest Directive into national law in just over 15 months’ time.