Malta Financial Intelligence Analysis Unit Fines Satabank €3 Million for AML Breaches

On July 7, the Sunday Times of Malta reported that the Malta Financial Intelligence Analysis Unit (FIAU) had imposed a €3 million fine on Maltese bank Satabank for what the Sunday Times termed “widespread breaches of money laundering laws.”

This fine – reportedly a record for the FIAU – is the latest in a series of actions concerning Satabank that began in 2018.  At that time, the Malta Financial Services Authority (MFSA) imposed a €60,500 fine on Satabank for poor risk management structures, and a joint inspection and audit by the MFSA and the FIAU found “shortcomings” in Satabank’s anti-money laundering (AML) procedures.

That inspection, which found “extremely weak structures in place to prevent its clients from using it to launder potential proceeds of criminal activity,” led to the MFSA’s effectively freezing all 12,000 accounts at Satabank and appointing the consulting firm Ernst & Young to administer the bank’s assets.  Subsequently, the Times of Malta reported that tens of billions of euros in transactions had passed through Satabank during four years of operation “and investigators now believe as much as half of these may have been ‘high risk and highly suspicious’.”

Note: This action continues the disorder in the Maltese financial sector that began with the MFSA’s placing Nemea Bank under administration in 2016, followed by the European Central Bank’s withdrawal of Nemea’s license in 2017 and the MFSA’s appointment of a person to take charge of Pilatus Bank’s assets in 2018.

It may also be an indication that Maltese regulators are reacting to concerns within the European Union that Malta, due to its laxity in selling passports and tolerating corruption, “might pose a serious threat to global efforts to track money laundering, enforce economic sanctions, and maintain fair transnational standards.”  Even after the international outcry about the 2017 murder of Maltese investigative journalist Daphne Caruana Galizia, there appears to have been little overall change in the Maltese government’s attitude toward the country’s burgeoning “reputation for rampant corruption and dubious dealings.”

Financial firms with business operations in Malta should therefore continue to follow closely how vigorously the MFSA and the FIAU police Maltese banks’ management structures and AML measures, and whether the FIAU prevails in other Maltese banks’ appeals of FIAU fines for money-laundering failures.

UK Financial Conduct Authority Fines Bank of Scotland £45.5 Million for Failure to Report Suspicious Activity

On June 21, the United Kingdom Financial Conduct Authority (FCA) fined Bank of Scotland (BOS) £45.5 million “for failures to disclose information about its suspicions that fraud may have occurred at the Reading-based Impaired Assets (IAR) team of Halifax Bank of Scotland [(HBOS)].”  According to the FCA, BOS

identified suspicious conduct in the IAR team in early 2007. The Director of the Impaired Asset Team at the Reading branch, Lynden Scourfield, had been sanctioning limits and additional lending facilities beyond the scope of his authority undetected for at least three years. BOS knew by 3 May 2007 that the impact of these breaches would result in substantial losses to BOS.

Despite that knowledge, the FCA stated, “on numerous occasions” BOS

failed properly to understand and appreciate the significance of the information that it had identified despite clear warning signs that fraud might have occurred. There was insufficient challenge, scrutiny or inquiry across the organisation and from top to bottom. At no stage was all the information that had been identified properly considered. There is also no evidence anyone realised, or even thought about, the consequences of not informing the authorities, including how that might delay proper scrutiny of the misconduct and prejudice the interests of justice.

The FCA made clear that at the time, HBOS’s IAR was not subject to specific rules that the FCA’s predecessor agency, the Financial Services Authority (FSA), imposed on regulated entities, such as “conduct of business rules and complaints handling rules,” because commercial lending “was and still is largely unregulated” in the United Kingdom.  The FCA, however, maintained that “BOS was required to be open and cooperative with the FSA, and the FSA would reasonably have expected to have been notified of BOS’s suspicions that a fraud may have been committed in May 2007.”

Not until July 2009 did BOS provide the FSA “with full disclosure in relation to its suspicions, including the report of the investigation it had conducted in 2007.”  Moreover,  BOS “did not report its suspicions to any other law enforcement agency”; rather, the FSA itself reported the matter to the National Crime Agency (then the Serious Organised Crime Agency) in June 2009.

The FCA was unsparing in its criticism of BOS’s failure to report these matters:

If BOS had communicated its suspicions to the FSA in May 2007, as it should have done, the criminal misconduct could have been identified much earlier. The delay also risked prejudice to the criminal investigation conducted by Thames Valley Police. Full disclosure would also have allowed the FSA, at an earlier opportunity, to assess BOS’s response to the issue and its approach to customers and complaints.

Ultimately, in 2010 the FSA appointed investigators to begin looking at BOS’s misconduct.  The FCA noted, however, that that investigation was “placed on hold” in 2013 “at the request of Thames Valley Police . . . until after the criminal prosecution of relevant individuals had been completed.”  The regulatory investigation was only restarted by the FCA in February 2017, when six individuals – including Scourfield, two of Scourfield’s business associates David and Alison Mills, and HBOS executive Mark Dobson – were sentenced to prison terms for their roles in the fraud.

In addition, the FCA announced that on June 20, it had banned Scourfield, Dobson, and David and Alison Mills “from working in financial services due to their role in the fraud at HBOS Reading.”  For each of the first three persons, the FCA found that he “is not a fit and proper person to perform any function in relation to any regulated activity,” as his conduct “has demonstrated a serious lack of honesty and integrity.” For Alison Mills, the FCA found that she is not a fit and proper person because she “has engaged in a financial crime offence.”

Note:  The FCA’s announcement does not make clear whether its actions represent the final enforcement actions stemming from what The Guardian called an “extensive scheme” – in which Scourfield, Dobson, and David and Alison Mills all played key roles – “that drained the bank and small businesses of around £245m and left hundreds of people in severe financial difficulties.”

Financial crimes compliance teams in United Kingdom financial institutions should take note of the FCA’s actions in this case for two reasons.  First, they generally reflect the importance that regulators in multiple countries are attaching to financial firms’ timely reporting of suspicious transactions or conduct.  Second, these actions provide a precedent for the FCA to fine a financial firm or other regulated entity for failure to report certain suspicious activity, even if that entity is not clearly required to file a Suspicious Activity Report, if the FCA determines that the entity’s failure to report constituted a failure “to be open and cooperative” with regulators regarding that suspicious activity.

Bank of England Adviser Warns of Cyber-Vulnerabilities in United Kingdom Financial System

On June 18, Anil Kashyap, a professor at the University of Chicago Booth School of Business and external member of the Bank of England’s Financial Policy Committee, testified before the United Kingdom Parliament’s Treasury Committee that “it was only ‘a matter of time before [a cyberattack] happens on a big scale’,” and that the Bank of England “was vulnerable despite preparing its defences.”

Although United Kingdom banks reportedly “have focused mainly on stopping service outages,” Professor Kashyap warned that “the falsification of transaction records and other data was an even bigger danger.”  “‘If you wanted to do maximum damage’,” he testified, “‘that is what you would probably do if you were a state actor’.”

Professor Kashyap also stated that cyberattacks on bank records “would be especially damaging as it would not be easy to identify which records were accurate and which had been corrupted.”  In his words, “‘You have this difficult situation where you have to restore the system, where you could be restoring a corrupt system’.”

In addition, Professor Kashyap cautioned Members of Parliament that financial institutions “risked focusing too much on dangers that would damage their individual reputations, rather than threats to the system as a whole, such as overreliance on a handful of providers of cloud computing services.”  He stated that he does not “‘really care if bank ‘x’ is offline for a week, even if it’s disastrous for their share price, if the services that they provide, that are critical, can be delivered in some other way.  What is tricky is it could be the case that the (bank) board’s incentives of what to worry about are misaligned with the general incentives’.”

Note: Professor Kashyap’s testimony reinforces a statement to Members of Parliament by Ciaran Martin, Chief Executive of the United Kingdom’s National Cyber Security Centre, “that a ‘category one’ attack that would disable the financial system and national energy supplies was a matter of ‘when, not if’.”  Both witnesses’ views should be of substantial concern not only within the Financial Policy Committee, which is responsible for removing or reducing systemic risks to the United Kingdom financial system, but to Members of Parliament in general and the United Kingdom financial sector as a whole.

The problem, in large part, stems from the fact that there is no predictable timeframe for any particular agency or business to prepare for a major cyberattack.  Any systemic risk that has a low probability on any given day, but high impact if and when it does occur, poses a substantial challenge for boards and Chief Financial Officers in deciding how much to budget and for how long to address that threat.  That challenge becomes even greater when, as with cybersecurity, the nature, variety, and sophistication of the threats are constantly changing.

Nonetheless, United Kingdom financial institutions, if they have not already done so, need to do some sustained benchmarking of their cybersecurity programs against each other and against financial institutions outside the United Kingdom.  That benchmarking should include not only data relating to their cybersecurity budgets in general, but specific programs and practices such as fusion centers that can speed the tasks of strategic and tactical intelligence collection and analysis and incident response.

As Professor Kashyap correctly indicated, state actors (including ostensibly private actors operating on their behalf) pose the greatest cyber-related risk over time to the financial system.  A recent report by the Carnegie Endowment for International Peace has shown that “[c]yberattacks on financial institutions are increasingly being linked to nation-states.”

Financial institutions, in the United Kingdom and elsewhere, must therefore move beyond thinking of cybersecurity as a function linked solely to annual budgeting cycles, and treat the risk of a major cyberattack by at least one state actor as a genuine prospect for which they must be well-prepared on a continuing basis.  The consequences, for any financial institution or government agency that should find its operations crippled for weeks or even months by such a state actor, are too great to risk.

Norwegian Financial Supervisory Authority Fines Santander Consumer Bank $1 Million for Flaws in AML Electronic Monitoring System

On June 28, Finanstilsynet, the Norwegian Financial Supervisory Authority (FSA), ordered a subsidiary of Spanish bank Santander, Santander Consumer Bank, to pay a fine of Kr. 9 million (approximately US$1 million) for violating the Norwegian Money Laundering Act.  In particular, the FSA stated  that Santander Consumer Bank warranted a financial penalty for defects in the operation of its electronic monitoring system “to detect suspicious transactions related to money laundering and terrorist financing.” (Note: All translations of language in the FSA order are informal.)

According to the FSA order, section 38 of the Money Laundering Act requires that banks, mortgage companies, and finance companies have electronic monitoring systems to identify issues that may indicate money laundering and terrorist financing.  The Act also requires that monitoring be conducted on an ongoing basis, and that a bank investigate transactions for which there are indications of money laundering or terrorist financing.  The order further stated that “[a]n effective and fast implementation of investigations and reporting suspicious matters is central to achieving the purpose of the Money Laundering Code.”  When the suspicion about a transaction is not rejected, it is to be reported to Økokrim, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, which functions as both a police agency and a public prosecutors’ office with national authority.

The FSA observed that in December 2018, Santander Consumer Bank brought to the FSA’s attention that the bank had discovered an error in the operation of that electronic monitoring system.  The bank informed the FSA that this error had resulted in approximately 1,260,000 transactions not being subject to money laundering review for more than four years, from October 30, 2014 to December 6, 2018.

After further internal review and correction of the error, the bank found that approximately 1.6 million transactions, involving 303,415 customers, had not been verified under the Money Laundering Act.  Reuters reported that a bank spokesperson said the error was connected to the integration of old and new IT systems, and added that the bank “has fully cooperated with and kept the FSA fully continuously informed.”

In response, the FSA stated that it considered all factors for assessing a financial penalty under section 50 of the Money Laundering Act.  Those factors include the gravity and duration of the offense; the offender’s degree of guilt; the offender’s financial ability; the reporting entity’s risk assessments and processes; benefits that have been achieved or could have been achieved by the violation; whether third parties have suffered losses; the degree of cooperation with the authorities; and any previous violations of the Act or regulations pursuant to the Act.

With regard to those factors, the FSA stated that “the offense has been going on for a long time, and applies to many transactions and customer relationships.”  It also opined “that the error in the system could and should have been uncovered and directed far earlier than was actually the case.”  The FSA specifically stated that “it is particularly aggravating that the bank was, or should have been, aware that there must be errors in the system without the matter being prioritized.”  It also assumed “that the bank have not had sufficient resources and attention on the weaknesses of the system and the error that led to the offense.”  All of these factors, in the FSA’s view, “are relevant during the assessment of the gravity of the violation and duration, the offender’s level of guilt, and the assessment of what benefits Santander Consumer Bank has achieved or could be achieved by the violation.”

The FSA acknowledged that the bank had correctly reported the error and had contributed to the FSA’s inquiry.  Even so, it cited section 46 of the Norwegian Public Administration Act as the source of “a number of factors that can be taken into account in cases concerning administrative sanctions.”  The FSA’s assessment was that “the incident in the bank is of such a nature that it speaks for sanctioning, taking into account both general preventive and individual preventive considerations.”  It found that “the bank did not have enough resources in the fulfillment of its legal requirements, and that the management did not implement the necessary measures even when it knew, or should have known, that there were errors in the systems.”  In the FSA’s view, “it is important that suspicions about system errors and non-compliance with the [money laundering] law lead to a quick follow-up from the reporting party, even where it has to demand more resources and attention from management.”

Note:  The FSA order provides a detailed example of the factors that the FSA weighs in determining whether to penalize financial institutions for failure to comply with the Norwegian Money Laundering Law.  It also provides yet another reminder to financial institutions’ AML compliance teams that their review of AML internal controls must include periodic checks on the completeness, timeliness, and accuracy of their AML electronic monitoring systems.  Other financial institutions have paid a substantial price when their AML compliance failures included failures or gaps in their transaction monitoring systems, and regulators in the United States and the European Union can be expected to reinforce that message in future enforcement actions.
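The completeness check the note calls for, as an added example that is not part of the original post or of any bank’s system: it reconciles the bank’s ledger (the source of record) against the monitoring system’s own screening log, so a feed broken by an IT migration shows up as a list of unscreened transactions, affected customers and a gap window rather than as a quiet absence of alerts. The ledger rows, screening dates and the two-day screening deadline are constructed sample values, not figures from the FSA order.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    booked: date


@dataclass
class ReconciliationReport:
    unscreened: List[Txn] = field(default_factory=list)  # in ledger, never screened
    late: List[Txn] = field(default_factory=list)        # screened after the deadline
    orphans: Set[str] = field(default_factory=set)       # screened ids absent from ledger
    first_gap: Optional[date] = None                     # earliest unscreened booking date
    last_gap: Optional[date] = None                      # latest unscreened booking date

    @property
    def affected_customers(self) -> int:
        return len({t.customer_id for t in self.unscreened})


def reconcile(ledger: List[Txn], screened: Dict[str, date],
              max_delay_days: int = 2) -> ReconciliationReport:
    """Compare the ledger against the monitor's screening log.

    The ledger, not the monitoring system, is the baseline: a monitor that
    never received a transaction cannot report it as missing itself.
    """
    report = ReconciliationReport()
    seen: Set[str] = set()
    for t in ledger:
        seen.add(t.txn_id)
        when = screened.get(t.txn_id)
        if when is None:
            report.unscreened.append(t)
        elif (when - t.booked).days > max_delay_days:
            report.late.append(t)
    # Ids the monitor claims to have screened but the ledger does not know:
    # an accuracy problem in the feed, worth investigating separately.
    report.orphans = set(screened) - seen
    if report.unscreened:
        dates = [t.booked for t in report.unscreened]
        report.first_gap, report.last_gap = min(dates), max(dates)
    return report


# Constructed sample data: a migration cut-over after which some bookings
# stopped reaching the monitor, one booking screened a week late, and one
# screening record with no matching ledger entry.
LEDGER = [
    Txn("T001", "C1", date(2018, 11, 28)),
    Txn("T002", "C2", date(2018, 11, 29)),
    Txn("T003", "C1", date(2018, 11, 30)),
    Txn("T004", "C3", date(2018, 12, 1)),
    Txn("T005", "C3", date(2018, 12, 3)),
    Txn("T006", "C4", date(2018, 12, 4)),
]
SCREENED = {"T001": date(2018, 11, 28), "T002": date(2018, 11, 30),
            "T005": date(2018, 12, 10), "T006": date(2018, 12, 4),
            "T999": date(2018, 12, 5)}


def run_sample() -> ReconciliationReport:
    return reconcile(LEDGER, SCREENED)


if __name__ == "__main__":
    r = run_sample()
    print(f"unscreened={len(r.unscreened)} customers={r.affected_customers} "
          f"gap={r.first_gap}..{r.last_gap} late={len(r.late)} orphans={sorted(r.orphans)}")
```

Run on a real feed, the same function takes the day’s ledger extract and the monitor’s screening log, and any non-empty unscreened list is the signal that should have been raised long before an error stretches over years.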

Former Assistant Inspector General Indicted for Involvement in Steering Government Contracts and Disclosing Confidential Government Information to Friend Who Ran IT Firm

On June 27, the U.S. Department of Justice announced that on June 26, a federal grand jury in the District of Columbia returned an indictment against Eghbal “Eddie” Saffarinia, former Assistant Inspector General for Management and Technology in the U.S. Department of Housing and Urban Development Office of Inspector General (HUD-OIG).  The indictment charged Saffarinia with concealing material facts, making false statements, and falsifying Office of Government Ethics (OGE) annual financial disclosure forms, in connection with his allegedly disclosing confidential internal government information to a friend (“Person A”) who was the owner and chief executive officer of a Virginia information technology company (“Company A”) and undertaking efforts to steer government contracts and provide competitive advantages and preferential treatment to Company A.

According to the Indictment, between early 2012 and mid-2016, Saffarinia, while serving as an Assistant Inspector General at HUD-OIG, was HUD-OIG’s Head of Contracting Activity.  In that capacity, he “oversaw procurement review and approval processes, including IT contracts; had access to contractor proposal information and source selection information; and participated personally and substantially in IT procurements.”

Saffarinia and Person A allegedly “were friends who emigrated from the same country, went to college together in the early 1980s, and socialized with each other on a regular basis.”  They also had a long-standing financial relationship, in which Saffarinia owed a total of $80,000 to Person A.  During the period when Saffarinia was receiving payments and loans from Person A, he allegedly “steered significant government business to Company A and its business partners, he disclosed confidential and internal government information to Person A, he gave competitive advantages and preferential treatment to Person A and Company A, and he caused and attempted to cause HUD-OIG to increase the amount of work and hours awarded to Person A and Company A.”

As one consequence of Saffarinia’s alleged efforts, Company A received approximately $1,065,520 for subcontractor work performed under an information technology (IT) services contract with another company.  In addition, Saffarinia allegedly caused HUD-OIG to recompete that IT services contract, and caused another company to form a business partnership with Person A and Company A for the recompete contract, in which Company A was expected to receive approximately $9 million.

Note:  Although there is no plea or conviction yet in this case, ethics and compliance officers in public- and private-sector entities can use the facts as alleged in this case to brief and train executives and employees, to underscore the importance of strict compliance with conflict-of-interest requirements.

This case should also indicate that government agencies and companies cannot simply rely on self-disclosures by their employees to conduct effective monitoring and oversight on compliance with conflict-of-interest requirements.  In this case, the evidence against Saffarinia apparently includes numerous meetings over lunches and dinners, during Saffarinia’s tenure at HUD-OIG, in which Saffarinia and Person A discussed business opportunities for Person A and Company A and the IT services contract, as well as communications between Saffarinia and Person A that included Saffarinia’s forwarding of internal HUD-OIG emails and contract-related materials to Person A.