Author: Jonathan J. Rusch

On July 30, the Dubai Financial Services Authority announced that it had fined two companies associated with the defunct Abraaj Group a total of $315 million for “serious wrongdoing,” including carrying out unauthorized activities in the Dubai International Financial Centre (DIFC) and misusing investors’ monies.  The penalties consisted of $299,300,000 against Abraaj Investment Management Limited (AIML) and $15,275,925 against Abraaj Capital Limited (ACLD).

These penalties, the largest that the DFSA has ever imposed, are the result of a DFSA investigation that began in January 2018.  That investigation, which reportedly extended to multiple jurisdictions, found with regard to AIML, a Cayman Islands company now in provisional liquidation, that it

• “carried out unauthorised financial services, including fund management, within and from the DIFC;”
• “actively misled and deceived investors in Abraaj funds over an extended period;”
• “misused investors’ monies in various funds to meet its own operating and other expenses, which included payments to entities connected to some members of AIML staff, and to meet ever-increasing cash shortfalls;” and
• “concealed this by providing misleading financial information to investors and making false statements about the use of money drawn down from investors and distributions.”

The DFSA stated that AIML used many methods to deceive investors, including

• “borrowing money just prior to financial reporting dates to produce temporary bank balances at a level expected by the investors;”
• “changing the reporting period for a fund to disguise shortfalls;”
• “deflecting demands from various parties to provide updated financial information and bank statements;” and
• “lying about delays in making distributions of exit proceeds to investors.”

Because of these activities, according to the DFSA, two funds that AIML managed had a combined shortfall of at least $180 million at the time that AIML entered into provisional liquidation.

The DFSA investigation found with regard to ACLD, a DIFC company also in provisional liquidation, that it

• “failed to maintain adequate capital resources;
• “deceived the DFSA about its compliance with various rules, including capital adequacy requirements;” and
• “was knowingly concerned in AIML’s unauthorised financial services activities.”

The DFSA further stated that as a result of this misconduct, ACLD also breached the Dubai Regulatory Law because it failed (1) “to observe minimum standards of integrity and fair dealing;” (2) “to ensure its affairs were managed effectively and responsibly;” and (3) “to deal with the DFSA in an open and cooperative manner.”

The DFSA cited internal company correspondence that showed that Abraaj Group’s compliance function raised concerns about the Group carrying on unauthorized financial services within the DIFC as early as 2009, but that ACLD’s senior management ignored those concerns.

Recognizing that AIML and ACLD are in provisional liquidation, the DFSA stated that “[b]efore taking any further action to enforce payment of the fines, the DFSA will consider the firms’ circumstances at that time and the corresponding implications of enforcing the fines for fund investors.”  In addition, Bryan Stirewalt, the DFSA’s Chief Executive, said that “[s]enior management rode roughshod over their compliance function and the misconduct and deceit were pervasive and persistent. We will pursue the persons or entities who perpetrated this activity, including those who allowed this to happen through major corporate governance breaches, to the full extent of our powers.”

Finally, the DFSA committed itself “to investigat[ing] individuals and entities connected with this matter, in respect of their culpability, to the full extent of its powers and considering all sanctions available to it.”

Note: This action by the DFSA is noteworthy for three reasons.  First, the fact that the DFSA imposed its highest-ever financial penalties indicates how egregious it considers the misconduct in this case.   At one time, Abraaj Group was reportedly “one of the largest emerging market investors with $13bn claimed under management.”  Its collapse in 2018 proved to be a devastating blow to private equity across the Middle East.  Bloomberg reported that “virtually no money has been raised by private equity firms based in the Gulf Cooperation Council despite strong performance almost everywhere else.”

Second, the DFSA’s action is the latest in a series of aggressive enforcement actions in several countries over the last four months to pursue those responsible for the collapse:

• April 5: United Kingdom authorities arrested Abraaj Capital’s founder and Chief Executive Ariq Naqvi at London’s Heathrow Airport.  Subsequently, Naqvi was denied bail and detained until May 28, when he posted £15 million security for a bail condition, and now faces extradition to the United States.
• April 11: Abraaj former Managing Partner Mustafa Abdel-Wadood was arrested in New York, and federal indictments were unsealed in New York charging Naqvi and Abdel-Wadood with securities fraud, wire fraud, and conspiracy.
• April 11: The U.S. Securities and Exchange Commission charged Naqvi and AIML under the Investment Advisers Act with “misappropriating funds from a private equity fund client.” Naqvi and AIML allegedly collected more than $100 million over three years from U.S.-based charitable organizations and other U.S. investors for Abraaj’s Growth health fund, but Naqvi allegedly misappropriated money from the Health Fund and commingled the assets with AIML corporate funds and its parent company and used it for purposes unrelated to the health fund.
• April 18: United Kingdom authorities arrested a third former Abraaj executive, Managing Director Sev Vettivetpillai.  Vettivetpillai was released after posting $1.3 million bail, and also awaits extradition to the United States.
• June 13: A federal indictment in New York charged three additional former Abraaj executives — Chief Financial Officer Ashish Dave and Managing Directors Rafique Lakhani and Waqar Siddique, with multiple counts that included wire fraud, securities fraud, money laundering and theft of public funds.
• June 28: Abdel-Wadood pleaded guilty to conspiracy, securities fraud, and wire fraud charges, and agreed to cooperate with U.S. authorities in their investigation of Abraaj.

Third, despite the size of the penalties, the fact that the DFSA took action after U.S. and United Kingdom authorities has prompted criticism by some institutional investors and the media of the speed of the DFSA’s public response.  Even though the DFSA previously stated that its supervision and enforcement teams in 2018 “devoted considerable time and effort” to investigating the conduct of the affairs of Abraaj Capital Limited and its related parties,” Some investors termed the penalties “too little too late,” and a Gulf News editorial asserted that the penalties “should have come earlier” and that the DSFA “should continue to look at what happened at Abraaj and find and prosecute the other individuals — beyond the corporate board room — that allowed these crimes to happen.”

There are indications that the DFSA intends to follow that course in its ongoing investigation.  The DFSA 2018 Annual Report stated that the DFSA is focusing its attention “on senior management responsible for the conduct of the affairs of the relevant companies and funds, and persons who may have failed in their responsibilities to identify or report irregularities.”

That latter statement — coupled with Stirewalt’s remark that “[s]enior management rode roughshod over their compliance function and the misconduct and deceit were pervasive and persistent” — indicates that the DFSA will likely target senior business and compliance executives in the Abraaj companies for further enforcement. Because U.S. authorities already have custody of El-Wadood and are pursuing Naqvi’s and Vettivetpillai’s extraditions, Dubai may need to focus on Dave, Lakhani, and Siddique, as well as other business and compliance managers outside the United States who may have been complicit in the criminal activity.

In its editorial, the Gulf News characterized the penalties as “a solid first step in restoring confidence in the region’s investment sections.” Dubai authorities, however, will need to make their next steps in the investigation more timely and surefooted if they are to restore public confidence in their oversight of the financial sector.

On July 30, cybersecurity firm AttackIQ released a report, based on research by the Ponemon Institute, that evaluated the efficacy of enterprise security strategies.  The report, titled “The Cybersecurity Illusion: The Emperor Has No Clothes,” stems from a Ponemon Institute survey of 577 information-technology and information-technology security practitioners in the United States “who are knowledgeable about their organization’s IT security strategy and tactics.”  Fifty-eight percent of those respondents are at or above supervisory levels.

The report’s most prominent finding was that 53 percent of those surveyed admitted that “they don’t know how well the cybersecurity tools they’ve deployed are working. . . . While respondents are most confident in having visibility into the organization’s applications, endpoints and servers, only 35 percent of respondents say they have a high degree of confidence in visibility into their cloud and IoT devices.”

Other significant findings from the survey data included the following:

• Although companies are reportedly spending an average of $18.4 million annually on cybersecurity, data breaches still happen. Seventy percent of respondents attributed  that fact to the skill of the attackers.  Sixty-six percent attributed it to the complexity of computer security infrastructure (66 percent of respondents), “in part because the companies represented in this research have an average of 47 separate security solutions and technologies deployed in their organizations.  Sixty-five percent of respondents attributed it to “the dynamically changing attack surface and lack of adequate security staff with the necessary skills.”
• Only 25 percent of respondents said that “the IT security team is able to respond to security incidents within one day,” primarily because of “a shortage of in-house expertise and the lack of timely response and engagement with other departments and functions.”
• Sixty-three percent of respondents noted that “they have observed a security control reporting it blocked an attack when it actually failed to do so.”
• Organizations have a mixed record of success in using penetrating testing to discover cybersecurity gaps. Even though 57 percent of respondents stated that their IT security teams conduct penetration testing. However, 31 percent of respondents stated that “they have no set schedule for penetration testing.” Similarly, 65 percent of respondents reported that “their penetration testing is very effective or effective in uncovering security gaps,” only 17 percent of respondents stated that “they confirm security gaps every time they are found through penetration testing.”
• Respondents indicated that most organizations represented in the survey “will increase their IT security budget in the next 12 months, and 58 percent of respondents said that their organizations would be increasing their IT security budgets by an average of 14 percent.

Note: Not only Chief Information Security Officers, but other C-level business executives should pay close attention to these findings.  In particular, CISOs should have extended conversations with their information-security teams to see how their organizations’ cybersecurity programs are actually performing, and whether any of the shortcomings that the survey respondents identified are occurring in their own organizations.

While the Ponemon Institute survey asked respondents about their organizations’ expected IT security budget for the next 12 months, the percentage by which it would increase, the dollar range for the 2019 IT security budget, and the allocation of that budget, it did not ask whether they thought their organizations’ current and future cybersecurity budgets were adequate.  For that reason, even if they believe that their current budgets are adequate, CISOs need to revisit that issue with their IT staff members and be prepared to seek additional funding from their organizations if those discussions identify critical deficiencies that must be addressed promptly.

On July 26, in United States v. Lebedev, a panel of the U.S. Court of Appeals for the Second Circuit affirmed the convictions of Yuri Lebedev and Trevon Gross, as well as Gross’s sentence, on bank fraud and bank bribery-related charges.  The defendants’ scheme concerned an internet‐based Bitcoin exchange service known as “Coin.mx,” which concealed from banks and credit card companies processing its transactions that its true purpose was to allow the purchase and sale of Bitcoins.   Although Coin.mx “opened bank accounts in the name of “the Collectables Club,” which falsely purported to be a private members’ association dedicated to collecting and exchanging memorabilia,” and processed credit card transactions listing the Collectables Club as the merchant, “[n]either Coin.mx nor the Collectables Club registered with federal regulators as a money‐transmitting entity or obtained state licensure for that purpose.”

As an information-technology manager at Coin.mx, Lebedev “set up various Internet Protocol (“IP”) addresses to make it appear to banks and payment processors that Coin.mx’s transactions were legitimate Collectables Club transactions.”  Eventually, to avoid the risk of having banks shut down their accounts, “Coin.mx sought control of a credit union to process its transactions.”  In April 2014, Coin.mx representatives contacted Gross, then Chairman of the Helping Other People Excel Federal Credit Union (“HOPE FCU”) to discuss the possibility of Coin.mx’s taking control of HOPE FCU.

In  negotiations between HOPE FCU and the Collectables Club, Gross promised to give the Collectables Club a majority of seats on the credit union’s board of directors, in return for three donations totaling $150,000 to the nearby Hope Cathedral, where Gross was head pastor.  “Evidence at trial demonstrated that Gross frequently used those ‘donations’ for personal expenses.”  In addition, Kapcharge, a Canadian third‐party payment processing company with which another defendant in the case was affiliated sought to process payments through an account at HOPE FCU.  After becoming a member of the credit union, “Kapcharge and its co-conspirators paid Gross $12,000 in so‐called ‘consulting fees’.”

Although Gross eventually had “a falling out” with Lebedev and other coin.mx epresentatives, “which resulted in Gross expelling them from the credit union and terminating their relationship,” he “continued to allow Kapcharge to process transactions through its account after Coin.mx was no longer involved in the credit union.”  When the National Credit Union Administration (NCUA), HOPE FCU’s regulator, conducted an examination of the credit union, Gross failed to disclose a number of transactions, including the “donations,” and made other material misrepresentations.  Ultimately, in October 2015, the NCUA placed HOPE FCU into conservatorship.

At trial, Lebedev and Gross were convicted on all counts.  They were sentenced to 16 months’ and 60 months’ imprisonment, respectively, and were ordered to pay joint and several liability of $126,771.82 with their convicted codefendants.  On appeal, the Second Circuit panel had little difficulty in finding sufficient evidence to support Lebedev’s conviction and rejecting Gross’s challenges to various evidentiary rulings and to his sentence.

Note: While the holdings and reasoning of the panel’s decision are unremarkable, this case is still worthy of attention by anti-money laundering and fraud compliance teams, in part for in-house compliance training.  It indicates the risks of a financial institution’s failure to conduct due diligence on purportedly legitimate customers, and of other senior executives’ failures to challenge a board chairman’s effectively ceding control of the board to representatives of that customer and to inquire further into the reasons for his doing so.

Bank regulators have warned for some time about the risks inherent in financial institutions’ relationships with third-party processors.  This case demonstrates how grave those risks can be for financial institutions that have inadequate compliance oversight and internal controls.

On July 25, ZDNet reported that a number of local Brazilian banks had had an estimated 25 gigabytes of their customers’ personal exposed to public access via an unprotected server of a third-party financial services provider.  The types of personal data exposed include scanned identification and social security cards, “as well as documents provided as proof of address and service request forms filled out by customers based in the capital city of Fortaleza, in the Brazilian state of Ceará.”

Although the data exposure pertains to multiple banks, a substantial amount of the exposed data relates to one local Brazilian bank, Banco Pan.  Banco Pan issued a statement in which it reported “that the server is not owned by Pan and that no intrusion into the bank’s infrastructure has been found.”  It also promised to “take appropriate measures if any misuse of this data is identified,” and stressed that security is a key priority for the firm and that it complies with data protection best practices as well as local regulations.

Note: This latest incident is a reminder to financial institutions’ compliance and information-security teams that they need to remain vigilant in maintaining their due diligence on critical third-party providers.  Servers that have misconfigured cybersecurity software or, in this case, are wholly unprotected are an open invitation to malicious actors.

Third-party providers remain a critical vulnerability for many businesses.  A November 2018 Ponemon Institute survey of U.S. and United Kingdom Chief Information Security Officers and other security and risk professionals found that 59 percent of all respondents, and 61 percent of U.S. respondents (a five percent increase since 2017), stated that that they had “experienced a data breach caused by one of their vendors or third parties.”  More troublesome were the survey findings that 22 percent of respondents indicated that they did not know whether they had had a third-party data breach in the preceding 12 months, and more than three-quarters of respondents “think that third-party cybersecurity breaches are increasing.”

On July 23, the U.S. Department of Justice announced that on July 22, a federal grand jury in the District of New Jersey returned an indictment charging four Chinese nationals and a Chinese company, Dandong Hongxiang Industrial Development Co. Ltd. (DHID), with violating the International Emergency Economic Powers Act (IEEPA), conspiracy to violate IEEPA and defraud the United States, conspiracy to violate, evade, and avoid restrictions imposed under the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMDPSR); and conspiracy to launder monetary instruments.

The four Chinese nationals are Ma Xiaohong (Ma), who formed DHID and was its principal shareholder and senior executive; general manager Zhou Jianshu (Zhou) DHID’s general manager; Hong Jinhua (Hong), DHID’s deputy general manager; and Luo Chuanxu (Luo), DHID’s financial manager.

The indictment alleges that DHID

was a Chinese company whose core business was trade with North Korea.  DHID allegedly openly worked with North Korea-based Korea Kwangson Banking Corporation (KKBC) prior to Aug. 11, 2009, when the Office of Foreign Assets Control (OFAC) designated KKBC as a Specially Designated National (SDN) for providing U.S. dollar financial services for two other North Korean entities, Tanchon Commercial Bank (Tanchon) and Korea Hyoksin Trading Corporation (Hyoksin).

In June 2005, President George W. Bush identified Tanchon as a weapons of mass destruction proliferator, and in July 2009, OFAC designated Hyoksin as an SDN under the WMDPSR in July 2009.  The Justice stated that Tanchon and Hyoksin “were identified and designated because of their ties to Korea Mining Development Trading Company (KOMID), which OFAC has described as North Korea’s premier arms dealer and main exporter of goods and equipment related to ballistic missiles and conventional weapons.”

Beginning after KKBC was designated as an SDN in August 2009, Ma allegedly conspired with Zhou, Hong, and Luo

to create or acquire numerous front companies to conduct U.S. dollar transactions designed to evade U.S. sanctions. The indictment alleges that from December 2009 to September 2015, the defendants established front companies in offshore jurisdictions such as the British Virgin Islands, the Seychelles, Hong Kong, Wales, England, and Anguilla, and opened Chinese bank accounts held in the names of the front companies at banks in China that maintained correspondent accounts in the United States.  The defendants used these accounts to conduct U.S. dollar financial transactions through the U.S. banking system when completing sales to North Korea.

These front companies also facilitated the financial transactions, which KKBC allegedly financed or guaranteed,

to hide KKBC’s presence from correspondent banks in the United States, including a bank processing center in Newark, New Jersey, according to the allegations in the indictment.  As a result of the defendants’ alleged scheme, KKBC was able to cause financial transactions in U.S. dollars to transit through the U.S. correspondent banks without being detected by the banks and, thus, were not blocked under the WMDPSR program.

Note: This case is another in the continuing series of enforcement actions that the Justice Department has taken against individuals and companies that seek to assist sanctioned North Korean entities, for activities such as money laundering or direct sanctions violations.  It should be noted that in 2016, DHID and the same four defendants were charged in a federal criminal complaint with substantially the same conduct, OFAC imposed sanctions on them for their ties to the North Korean government’s weapons of mass destruction proliferation efforts, and the Justice Department filed a civil forfeiture action for all funds contained in 25 Chinese bank accounts that allegedly belonged to DHID and its front companies.

The Justice Department announcement does not mention that any of the individual defendants are in custody.  The United States presumably will ask Interpol to put out a Red Notice – “a request to law enforcement worldwide to locate and provisionally arrest a person pending extradition, surrender, or similar legal action“ — on each of the individuals, though none of them are yet on the public Red Notice list.