Dubai Economy, Six Banks Launch KYC Consortium in United Arab Emirates

On February 19, Dubai Economy announced that it and six leading banks in the United Arab Emirates (UAE) – Emirates NBD, Emirates Islamic, HSBC, RAKBANK, Abu Dhabi Commercial Bank (ADCB), and Commercial Bank of Dubai (CBD) – have formed “a consortium for sharing of verified KYC (Know Your Customer) data between banks and licensing authorities in the UAE.” Dubai Economy stated that the consortium, known as the “KYC Blockchain Consortium” (Consortium), is part of its strategic focus “on enhancing ease of business in Dubai and supporting the smart transformation of the emirate’s economy.” It also characterized the Consortium as facilitating “a faster, more secure onboarding and exchange of digital customer data and documents through advanced blockchain-powered distributed technologies, a first of its kind in the region.”

The Consortium, as Dubai Economy described it, “will drive the mutualisation of KYC efforts among existing and future ecosystem participants” on a common KYC platform. After launching in the first quarter of 2020, that platform will be open for additional qualified financial institutions and licensing authorities to join.

In the future, Dubai Economy expects that the blockchain will improve ease of doing business and overall regulatory compliance in the UAE.  The Smart Dubai Department, which is responsible for facilitating Dubai’s “smart” transformation, is slated to play, in collaboration with the UAE Central Bank, “a pivotal role” in overseeing and regulating the Consortium’s operations.

Note: The Dubai Consortium is the latest in a series of financial-sector efforts over the past year to establish KYC data-sharing platforms at the national level (such as the Netherlands) and regional level (such as the Nordic banks).   As international money laundering operations have become increasingly complex and sophisticated, it is increasingly unrealistic to expect that financial institutions can effectively conduct their regulatory anti-money laundering and counter-terrorist financing programs by referring only to their own internal KYC data.  Other nations and regions, including the United States, need to move more expeditiously in identifying the legal, technological, and policy challenges associated with multiple-bank KYC data-sharing platforms, and then working to bring such platforms to fruition.

Toshiba Subsidiary Booked More Than $391 Million in Fictitious Sales

On February 14, Japanese conglomerate Toshiba announced that one of its subsidiaries, Toshiba IT-Services Corporation, was found to have booked ¥43.5 billion ($391.6 million) in fictitious sales.  Those fictitious sales pertained to 26 transactions recorded only on paper.

The Japan Times reported that “according to information mainly from a report about an in-house survey involving lawyers and certified accountants,” nine companies, including Toshiba IT-Services, “were found to have been involved in ‘round-tripping transactions’ that did not involve any commercial goods or end users.”  The report, according to the Japan Times article, also stated that the fictitious transactions “related to sales of information technology equipment, such as personal computers, [that] were booked between November 2015 and July 2019.”

Those transactions “are believed to have been masterminded by a former sales manager” at Japanese company Net One Systems Co. “who received help with the paperwork from Toshiba IT-Services officials.”  Toshiba, however, said that it “’confirmed there was no evidence’ that any employees of Toshiba IT-Services or a manager of the subsidiary directly in charge of the transactions initiated the fictitious deals.”  Toshiba also reported that the subsidiary “was involved ‘without realizing that the transactions were illusory or circular’.”

A Toshiba executive vice president admitted that the company failed to recognize the problem until it received information from “an outside party,” but stated that it would “introduce a system to analyze transactions to detect any irregularities speedily.”

Note: It almost defies belief that a company of Toshiba’s stature and reputation – particularly after it had been caught up in a 2015 accounting scandal in which it overstated its revenues by $1.2 billion over a seven-year period – would need to admit such fundamental defects in its recordkeeping and internal controls. This latest development is a substantial expansion of Toshiba’s admission last month that Toshiba IT-Services had booked ¥20 billion in fictitious sales in April-September 2019.

The full details of this fictitious-sales scandal will likely be emerging for some time.  Even so, corporate compliance officers should promptly report on the Toshiba situation to C-level executives, and use it as an opportunity to review the accuracy and reliability of their own recordkeeping and internal controls.

Bitcoin “Mixer” Operator Indicted for Money Laundering of Bitcoin Worth More Than $300 Million

On February 13, the U.S. Department of Justice announced that Larry Harmon, the operator of a Darknet-based cryptocurrency laundering service that “mixed” Bitcoin, had been arrested based on a federal indictment that charged him with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a District of Columbia license.

Bitcoin “mixers,” as a Bitcoin Magazine post defined them, are “solutions (software or services) that let users mix their coins with other users, in order to preserve their privacy.”  While Bitcoin addresses themselves are pseudonymous, the post explained, “they can often still be linked to real-world identities” through Bitcoin exchange data or blockchain analysis.  By mixing their coins, however, “users can obscure the ties between their Bitcoin addresses and real-world identities.”

Bitcoin mixers use a variety of techniques.  Some use “centralized” mixing, in which a mixer simply takes a batch of Bitcoins that a person owns and sends that person someone else’s Bitcoins.  Others enable a large group of users to collaborate in making a single large payment to themselves, or merge smaller transactions into larger transactions.

The indictment against Harmon alleges that he operated his Bitcoin “mixer” or “tumbler” service, named Helix, from 2014 to 2017.  Helix allegedly allowed customers, for a fee, to send Bitcoin “to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin.”  Harmon advertised Helix to customers on the Darknet as a means of concealing transactions from law enforcement.  Helix was also allegedly linked to and associated with “Grams,” a Darknet search engine that Harmon ran.

The indictment further alleges that Helix moved more than 350,000 Bitcoin (valued at more than $300 million at the time of the transactions) on behalf of customers, with the largest volume of Bitcoin coming from Darknet markets. Helix partnered with the Darknet market AlphaBay – reputed to be the largest Darknet marketplace in operation when law enforcement seized it in 2017 – to provide Bitcoin laundering services for AlphaBay customers.

Note: This indictment is reportedly the first that the Justice Department has brought against a Bitcoin mixer. Observers of the cryptocurrency industry can safely assume that it will not be the last. Especially after this indictment and last year’s shutdown of Bitcoin mixer Bestmixer by the Dutch Fiscal Information and Investigation Service, law enforcement and anti-money laundering regulators in multiple countries are likely to increase their investigation and pursuit of cryptocurrency mixers and tumblers. The volume of transactions that mixers have handled – reportedly $200 million by Bestmixer and $300 million by Helix – is substantial enough to cause concern about their continuing utility in concealing and laundering criminal proceeds.

Three Italian Universities Hacked with SQL Injection Attack

On February 13, cybersecurity expert Pierluigi Paganini reported on Security Affairs that the Italian hacktivist collective LulzSec ITA claimed to have hacked three Italian universities: University of Basilicata, University of Naples Parthenope (Uniparthenope), and University of Rome 3.  In all three cases, according to Paganini, LulzSec ITA used a longstanding and well-recognized technique known as a SQL injection attack.

A SQL injection attack can be simply defined as “a computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database,” allowing the malicious data “then [to] produc[e] database query results or actions that should never have been executed.” First discovered in 1998, SQL injection attacks remain a simple but highly effective and popular form of attack on web applications.

Paganini termed it “embarrassing that universities could be hacked with a so simple technique.”  He wrote that the LulzSec ITA hacktivists told him “that in some cases, they were able to bypass login pages without knowing the username and password, just using simply using SQL Injection strings.”

The LulzSec ITA hackers also asserted that initially, all three universities had failed to disclose the data breach and attempted to hide the incident in violation of the European Union General Data Protection Directive.  Subsequently, according to Paganini, Uniparthenope emailed a data breach notification to affected students and teachers. LulzSec ITA told Paganini that the notification attempted to downplay the incident, even though they claimed “to have accessed data contained in 27 databases and compromised some portals used by the university.”

Note: This latest incident is, regrettably, just one of many examples of colleges and universities’ vulnerability to cyberattacks from many sources.  A variety of reports in just the last year indicate the high degree and prevalence of that vulnerability around the world:

  • Australia: In March 2019, media reported that Chinese authorities stole “huge volumes of highly sensitive personal data from the Australian National University” (ANU) in a sophisticated cyberattack, even after ANU had received assistance from the Australian intelligence community in bolstering its cyberdefenses.
  • United Kingdom: In an authorized penetration-testing attack by ethical hackers on more than 50 United Kingdom universities, “in every case hackers were able to obtain ‘high-value’ data within two hours.”
  • United States: In March 2019, hackers breached applicant data for Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York, then emailed applicants and offered them the opportunity to buy and view their admissions files. In April 2019, Georgia Tech University admitted that it had suffered a data breach – its second in less than a year – potentially affecting more than 1.3 million current and former students, faculty, and staff members. In July 2019, hackers exploited a vulnerability in a popular admissions and enrollment banner software to steal data from at least 62 U.S. universities and create bogus student accounts.
  • Global: In March 2019, the Wall Street Journal reported that “Chinese hackers have targeted more than two dozen universities in the U.S. and around the globe as part of an elaborate scheme to steal research about maritime technology being developed for military use.”

While even well-funded cyberdefenses can be breached by sophisticated cyberattacks, there is little excuse for universities failing to defend against SQL injection attacks.  As one writer put it, “SQL injection is the lowest of the low-hanging fruit for both attackers and defenders. SQLi isn’t some cutting edge NSA Shadow Brokers kit, it’s so simple a three-year old can do it.”  For that reason, the Italian university hacks should prompt university information security teams, at a minimum, to identify all of the web applications on which their universities depend and apply well-recognized techniques for preventing SQL injection attacks.
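The login-bypass weakness described above, shown beside the standard fix (a parameterized query), as an added example that is not taken from the original post or from the reports it cites. The table layout, function names and sample inputs are constructed for illustration, and Python's built-in sqlite3 module stands in for whatever database a real portal uses.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # A real system stores a salted password hash, not this placeholder.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-hash"))
    return db

def login_vulnerable(db, username, pw_hash):
    # Flaw: input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and the remainder is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, pw_hash):
    # Fix: the query text is constant; the driver binds inputs as values,
    # so they cannot change the structure of the statement.
    query = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(query, (username, pw_hash)).fetchone() is not None

def outcome(login, db, username, pw_hash):
    # Classify a login attempt; SQL errors are reported separately because
    # a burst of them in application logs is a useful sign of probing.
    try:
        return "granted" if login(db, username, pw_hash) else "denied"
    except sqlite3.OperationalError:
        return "sql-error"

# Constructed inputs: a crafted string, and a legitimate name with a quote.
CRAFTED = "' OR '1'='1"
APOSTROPHE_NAME = "o'brien"

if __name__ == "__main__":
    db = make_db()
    for name, login in (("vulnerable", login_vulnerable),
                        ("parameterized", login_parameterized)):
        print(name,
              outcome(login, db, "alice", "constructed-hash"),
              outcome(login, db, CRAFTED, CRAFTED),
              outcome(login, db, APOSTROPHE_NAME, "x"))
```

The concatenating version grants access to the crafted input and fails with a SQL error on an ordinary surname containing an apostrophe; the parameterized version denies both and still accepts the valid credentials.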

U.S. Court of Appeals Affirms Fraud Convictions of Former Charter Airline Executives

On February 12, the United States Court of Appeals for the Third Circuit affirmed the convictions and sentences of former Direct Air senior executives Kay Ellison and Judy Tull on eight counts of wire fraud, bank fraud, and conspiracy.  Ellison and Tull had co-founded and served as managing partners of a charter airline called Southern Sky Air & Tours (d/b/a Myrtle Beach Direct Air & Tours (Direct Air)).

Both women were indicted for conducting a scheme to violate U.S. Department of Transportation regulations, which “require airlines to deposit customer payments into an escrow account and prohibit airlines from withdrawing those funds until the completion of the associated flights.”  Instead, Ellison and Tull “inflated the number of passengers on the flights with ‘dummy’ listings,” which enabled them to submit similarly inflated withdrawal requests to the bank, and falsified Direct Air’s profit and loss statements to conceal the scheme.  After their conviction on all counts at trial, the U.S. District Court in New Jersey sentenced them both to 94 months’ imprisonment.

On appeal, the defendants challenged their convictions, claiming prosecutorial misconduct, lack of sufficient evidence, and violations of their constitutional right against self-incrimination, and challenged the sentences as unfair.  The Court of Appeals disposed of each of their claims, finding that the prosecutors did not suppress favorable material evidence and did not engage in misconduct, that there was sufficient evidence of wire fraud and bank fraud, that there was no compelled self-incrimination, and that the District Court did not err in its calculations under the U.S. Sentencing Guidelines.

Note: This case, considered on its facts, involves no more than garden-variety fraud. Corporate compliance officers responsible for antifraud programs, however, should use this case in internal briefings and training, as a concrete example of why such programs need to include monitoring and internal controls that review transactions and activities of the most senior executives, as well as mid- and lower-level employees. If some C-level officials are annoyed or discomfited by compliance measures that scrutinize their activities, their board of directors needs to remind them that such measures must extend to all levels of their companies, and be consistently applied, for regulators to conclude that their corporate antifraud program is effective.