Author: Jonathan J. Rusch

On August 6, the U.S. Department of Justice announced that on August 5, the U.S. District Court for the Western District of Washington unsealed an indictment charging Muhammad Fahd, a Pakistani national, with multiple offenses relating to his leadership of a conspiracy to illegally unlock cellphones for profit.  The unsealing of the indictment followed Fahd’s extradition from Hong Kong to the United States on August 2.

The indictment alleges that Fahd, using telephone, Facebook, and other communications channels,  contacted and recruited insiders at AT&T, including employees at the AT&T call center in Bethell, Washington, who were willing to take bribes to participate in fraudulently unlocking cellphones.  During the course of the conspiracy, which allegedly ran from 2012 to 2017, Fahd and others not connected with AT&T allegedly paid more than $1 million in bribes to AT&T insiders who joined the conspiracy, including one coconspirator who received a total of $428,500.

Fahd allegedly “paid AT&T insiders to use their computer credentials and access to disable AT&T’s proprietary locking software that prevented ineligible phones from being removed from AT&T’s network.”  According to the Justice Department, he

would send the employees batches of international mobile equipment identity (IMEI) numbers for cell phones that were not eligible to be removed from AT&T’s network.  The employees would then unlock the phones.  After some of the co-conspirators were terminated by AT&T, the remaining co-conspirator employees aided Fahd in developing and installing additional tools that would allow Fahd to use the AT&T computers to unlock cell phones from a remote location.

The scheme reportedly “resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars.”

Fahd is charged in 14 counts of the indictment.  They include conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.  To date, three of Fahd’s alleged coconspirators have pleaded guilty, “admitting they were paid thousands of dollars for facilitating Fahd’s fraudulent scheme.”

Note: This case should help anti-bribery and corruption (ABC) and cybersecurity compliance officers to recognize the importance of identifying all internal corporate functions that can pose bribery and corruption risk.  Although many would not think of call-center operations as a high-risk function, the allegations in the indictment indicate that the defendant was able, even remotely, to exploit call-center employees’ discretion to unlock phones for their personal profit at the expense of their employer.

On August 6, Bloomberg reported that Kweku Bedu-Addo, chief executive officer for Standard Chartered Southern Africa, issued an emailed statement in which he urged the financial sector to “become attuned to the [illicit wildlife trade] activity that courses through the system and apply the armory of tools that they use to fight other financial crimes.”  The Bloomberg article stated that the illicit wildlife trade “has an estimated annual worth of as much as $23 billion, according to the Zoological Society of London’s website,” and that a 2017 United Nations Office on Drugs and Crime report found “that only 26% of the 45 jurisdictions it surveyed investigated the financial flows behind the crime.”

Bedu-Addo told Bloomberg that Standard Chartered “is training its bank-branch tellers to spot transactions that could be linked to the illegal wildlife trade and has made them a focus for its financial-crime investigators,” and “is also educating its clients about the threat.”  In his view, “This isn’t simply a conservation issue – the reality is that the illegal wildlife trade is an organized crime which fuels violence, drives corruption, and impoverishes communities.”

Bedu-Addo also cautioned that it

is a mistake to think we can just arrest our way out of this problem. Where one shipment is stopped, another will take its place. Instead, we need to disrupt the business model behind the trade. Its Achilles heel is the very thing that motivates it – the money.

Because ringleaders in the illegal wildlife trade “need to move, store and realize proceeds,” Bedu-Addo explained, that “gives governments and the financial sector the power to identify criminal networks via their financial footprints and help close the net.”

Note: Bedu-Addo’s statement indicates that Standard Chartered is following through on a number of commitments that it made last October to combat the illegal wildlife trade.  At that time, another Standard Chartered official declared (in language virtually identical to Bedu-Addo’s) the bank’s commitment to “disrupting the business model,” identifying the “Achilles heel of the illegal wildlife trade [a]s the very thing that motivates it – the money,” and criminals’ “need to move, store and realise proceeds.”

As part of that commitment — under the aegis of the United for Wildlife Financial Task Force of The Royal Foundation of The Duke & Duchess of Cambridge and the Duke & Duchess of Sussex — Standard Chartered focused on “training bank branch tellers in source countries to spot the signs, making illegal wildlife trade a focus for our financial crime investigators, and enabling those efforts through new artificial intelligence and machine-learning tools,” as well as “sharing what we have learnt with our correspondent banking clients around the world.”

Other objectives that Standard Chartered stated in 2018 included “enabl[ing] conservation activists to deliver intelligence right to the heart of the financial sector;” “creat[ing] a broad, transnational coalition of partners that gives law enforcement, regulators and banks, working with not-for-profits, the ability to spot patterns that no one can see alone’; and “expand[ing] initiatives . . . that strengthen the ability of law enforcement in key hotspots to use financial intelligence.”

It is not too soon for the Task Force to report publicly on the status of its and its members’ efforts to meet these objectives.  While certain details must inevitably be kept private, the more that the Task Force can demonstrate that its efforts are achieving meaningful results, the greater the attraction for other financial institutions and law enforcement agencies to join this vital initiative.

On August 6, the Belgian Public Prosecutor’s Office announced that it had reached a €294.4 million (US$329 million) settlement with HSBC Private Bank SA (Switzerland) (Bank) to resolve a criminal investigation into allegations of tax fraud and money laundering.

The Public Prosecutor’s Office stated that this investigation began in March 2013 and led to searches at the Bank in October 2013.  Subsequently, in 2014 an investigating judge charged the Bank with serious and organized tax fraud, forgery of documents and the use of false documents, money laundering, and illegal exercise of the financial intermediary position.  The authorities’ suspicions were directed at two types of alleged wrongdoing by the bank:

• What the Public Prosecutor’s Office deemed the bank’s “many years of illegal intervention in Belgium with a view to attracting and managing the assets of a very well-to-do clientele, especially from the Antwerp diamond industry”; and
• “[K]nowingly promoting and even encouraging tax evasion by making offshore companies available to a number of its privileged customers, particularly in Panama and on the Virgin Islands, which have no economic activity and whose sole purpose is to hide the assets of their customers.”

The Public Prosecutor’s Office pointed out that “[m]ore than a thousand Belgian taxpayers could be involved for amounts that would amount to several billions of dollars that were invested, managed and / or transferred between 2003 and today,” and that “[l]arge amounts of money may also have been laundered.”

In connection with the settlement, the Public Prosecutor’s Office took note of the fact that the bank “has taken important measures to fully revise its structures, controls and procedures to adjust its risk profile.” Those include (1) recruitment of new general directors, a new director for compliance, and a new director for the fight against financial crime; (2) discontinuance of certain services, such as those related to offshore companies; (2) the bank’s separation “from many markets and customers” and introduction of “a policy of fiscal transparency towards existing customers.”

The Public Prosecutor’s Office noted that under the Belgian Code of Criminal Procedure, the Brussels City Council Chamber must review and approve the agreement, and indicated that it would be possible to have the Council review it in September 2019.

Note: This settlement is significant in its own right, as it is reportedly the largest criminal penalty in Belgium’s history.  It also constitutes the second time within the last several months that Belgian authorities have sanctioned leading financial institutions for money laundering-related misconduct.  On April 24, according to De Standaard, the Sanctions Committee of the Belgian Central Bank fined ING Belgium €350,000 for money-laundering violations relating to a Russian customer of the bank between 2000 and 2013.  The Central Bank reportedly found that ING Belgium had done banking with that customer without having properly identified that customer or identifying why he was opening an account in Belgium as a non-resident of Russian nationality.

Anti-money laundering (AML) compliance teams at financial institutions doing business in the European Union (EU) should share this information within their teams and, as appropriate, to senior executives ta their institutions.  Financial firms that pay attention to AML requirements in the largest EU countries, but neglect AML compliance in other EU countries, increasingly do so at their peril.

On July 31, content delivery network services provider Akamai released its 2019 State of the Internet/Security Financial Services Attack Economy Report.  In that report, which focused particularly on online attacks directed at the financial sector, Akamai’s findings included the following:

• Phishing Domains: Between December 2, 2018, and May 4, 2019, Akamai detected 197,524 phishing domains. Of those domains, 66 percent (130,242) targeted consumers, and 34 percent (67,282) targeted enterprises.
• Focus on Financial Sector: All (100 percent) of the phishing domains targeting enterprise victims were impersonating sites from the high-tech industry.  When only the 130,242 phishing domains targeting consumers were considered, however, financial organizations accounted for the highest number of phishing domains (45,389, 34.8 percent).  Other sector categories among those phishing domains were high-tech (31,795, 24.4 percent),  online retail (12,928, 9.9 percent), media (12,868, 9.9 percent), and social (12,202, 9.4 percent).  Notably, 50 percent of the unique organizations impersonated by the tracked phishing domains were within the financial sector.
• Number of New Phishing Domains: Over time, the number of new phishing domains targeting consumers remained steady, with a single dramatic spike on December 20, 2018, during the holiday shopping season.
• Credential Stuffing: With regard to “credential stuffing” – i.e., a hacking technique in which hackers take a large number of usernames and passwords “and try to ‘stuff’ those credentials into the login page of other digital services” — over 18 months of credential stuffing attacks, from November 2017 through April 2019, there were 57,970,472,311 malicious login attempts, of which 3,547,533,230 (6.1 percent) were against financial services organizations.
• Web Attacks Against Financial Services Subverticals: Of all web attacks against financial services segments, just over half (50.6 percent) targeted banking, while cards and payments accounted for 15.7 percent, insurance 14.5 percent, financial exchanges 8.6 percent, and asset management 5.7 percent.
• Distributed Denial of Service Attacks: Between November 2017 and April 2019, the gaming experienced the highest Distributed Denial of Service (DDOS) attack volume (i.e., nearly 9,000 attacks), but the financial sector had the most unique DDOS targets (more than 40 percent) as well as the most malicious traffic (i.e., in terms of attack density).
• Sales of Bank Drops: The report included some examples of going rates for “bank drops” – “packages of data and services that can be used to open accounts at a given financial institution,” which include “a person’s stolen identity (sometimes called ‘fullz’), including full name, address, date of birth, Social Security number, driver’s license data, credit score details, and access to a secure Remote Desktop Protocol (RDP) connection for one month.”  Drops at two major banks were selling for $150, $200, and $250 per account, the price variations stemming from the additional services offered.  “Another seller had a cache of drops available for one of seven different consumer banks . . . at prices ranging from $300 to $400.”  For both sellers, should a bank detect the drops and close accounts, “both sellers were willing to offer replacements free of charge under certain circumstances.”

Note: Information-security and compliance officers at financial firms should share this report with their teams, not least because of the fairly recent data it includes.  Despite the fact that the report concludes by sounding several optimistic notes – saying that the financial services industry “spends billions on security each year” and has “made the criminal economy come out from the shadows” and that “there is no assured success in any of these criminal endeavors”—cybercriminals would not be attacking the financial sector on such a sustained basis if their overall returns on investment were less than superior.

On July 30, El País reported that the Audiencia Nacional, a Spanish court with nationwide jurisdiction, has launched a formal investigation of multinational Spanish bank BBVA.  The investigation is part of the long-running investigation that Spanish authorities have been conducting regarding former Spanish police commissioner José Manuel Villarejo Pérez.

Villarejo is reportedly “at the heart of an espionage network spanning two decades’ worth of phone taps, undercover recordings and other invasions of privacy against scores of politicians, business leaders, judges and journalists.”  According to the New York Times, he allegedly “worked an illicit and lucrative sideline for years as a secret fixer for Spain’s rich and powerful, who they say used his services to spy on their rivals and smear their enemies.”

In connection with those allegations, the investigation of BBVA is focusing, at Spanish prosecutors’ request, on alleged bribery, disclosure of secrets, and corrupt business practices.  In particular, prosecutors believe BBVA “to have employed the services of a company run by Villarejo to secretly spy on rivals and on officials from the construction giant Sacyr, which launched an unsuccessful takeover bid for BBVA in 2004.”

The prosecutors have argued to the investigating judge that “BBVA hired and made illicit payments to Grupo Cenyt, which Villarejo owned, “affecting several sensitive areas of the bank and various executives for a prolonged period of time.”  They want to investigate “whether BBVA hired Cenyt to spy on individuals with the goal of obtaining information about Sacyr,” which allegedly sought to oust former BBVA Chairman Francisco González in 2004 and 2005.  Previously, the investigating judge had expanded his investigation to eight former BBVA employees.

In response to the reports of the BBVA investigation, BBVA Chief Executive Onur Genc stated that BBVA had been strengthening its internal compliance controls and would “continue to do so,” and was treating the allegations “very seriously.”  He also reiterated BBVA’s “’firm commitment to clarifying the facts and complying with the law’, adding that BBVA’s internal investigation could follow new lines.”

Note: If BBVA is now conducting an internal investigation, as Genc’s remarks indicate, it needs to move quickly in getting a complete and accurate picture of any involvement by BBVA executives and employees in the alleged misconduct.  Under the Spanish Criminal Code, corporate entities can be held criminally liable for certain specified crimes such as bribery, corruption, fraud, and money laundering.  If the allegations concerning Cenyt can be proved, the bank would not be able to avail itself of the “adequate procedures” defense, similar to that in the United Kingdom Bribery Act 2010, to corporate criminal charges.

BBVA should also look beyond the internal-controls improvements that Genc mentioned, and strengthen other aspects of its compliance program to emphasize its commitment to a culture of compliance.  Both the Spanish Supreme Court and the Spanish Public Prosecutor’s Office have stressed the importance of companies’ maintaining a culture of compliance, and the bank should be prepared, before it is charged with criminal conduct, to show prosecutors (as well as the media and the public) that that commitment is genuine.