Bank of England Adviser Warns of Cyber-Vulnerabilities in United Kingdom Financial System

On June 18, Anil Kashyap, a professor at the University of Chicago Booth School of Business and external member of the Bank of England’s Financial Policy Committee, testified before the United Kingdom Parliament’s Treasury Committee that “it was only ‘a matter of time before [a cyberattack] happens on a big scale’,” and that the Bank of England “was vulnerable despite preparing its defences.”

Although United Kingdom banks reportedly “have focused mainly on stopping service outages,” Professor Kashyap warned that “the falsification of transaction records and other data was an even bigger danger.”  “If you wanted to do maximum damage,” he testified, “that is what you would probably do if you were a state actor.”

Professor Kashyap also stated that cyberattacks on bank records “would be especially damaging as it would not be easy to identify which records were accurate and which had been corrupted.”  In his words, “You have this difficult situation where you have to restore the system, where you could be restoring a corrupt system.”
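The difficulty Professor Kashyap describes, telling good records from corrupted ones before restoring, is tractable only if the records carry integrity evidence that the attacker cannot rewrite along with the data.  The following Python is an added example by the editor, not code from the testimony or from any bank: each record's hash is chained to the previous one, periodic checkpoint hashes ("anchors") are kept where the ledger's own administrators cannot alter them, and verification reports where the earliest corruption lies.  The ledger records, the tampering at index 7 and the checkpoint interval of five are constructed for the illustration.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash "before" the first record


def _link(prev_hash: str, record: dict) -> str:
    """Digest of one record, bound to the digest of the record before it."""
    # Canonical JSON so that key order or whitespace cannot change the digest.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"|" + payload).hexdigest()


def chain_hashes(records: List[dict]) -> List[str]:
    """Recompute the whole hash chain from the records themselves."""
    hashes, prev = [], GENESIS
    for rec in records:
        prev = _link(prev, rec)
        hashes.append(prev)
    return hashes


def first_in_store_mismatch(records: List[dict], stored: List[str]) -> Optional[int]:
    """Check the records against hashes kept in the same store.
    This catches an edit that forgot to fix the hashes, and nothing else."""
    for i, (fresh, kept) in enumerate(zip(chain_hashes(records), stored)):
        if fresh != kept:
            return i
    return None


def take_anchors(hashes: List[str], every: int) -> Dict[int, str]:
    """Checkpoint hashes to be written somewhere the ledger's own admins
    cannot rewrite (WORM storage, a second institution, a notary)."""
    return {i: h for i, h in enumerate(hashes) if (i + 1) % every == 0}


def locate_against_anchors(records: List[dict], anchors: Dict[int, str]) -> Optional[Tuple[int, int]]:
    """Return the (lo, hi) index range that holds the earliest corruption,
    judged against the out-of-band anchors; None if every anchor matches."""
    hashes = chain_hashes(records)
    lo = 0
    for idx in sorted(anchors):
        if hashes[idx] != anchors[idx]:
            return (lo, idx)
        lo = idx + 1
    return None


def sample_records(n: int = 15) -> List[dict]:
    """Constructed sample ledger, not real bank data."""
    return [{"txid": i, "account": f"ACC-{i % 3}", "amount": 100 + i} for i in range(n)]


def demo() -> Tuple[Optional[int], Optional[int], Optional[Tuple[int, int]]]:
    records = sample_records()
    stored = chain_hashes(records)           # hashes kept next to the records
    anchors = take_anchors(stored, every=5)  # indices 4, 9, 14 kept off-system

    # Attack 1: alter one record, leave the stored hashes alone.
    tampered = [dict(r) for r in records]
    tampered[7]["amount"] = 1_000_000
    clumsy = first_in_store_mismatch(tampered, stored)       # 7

    # Attack 2: same edit, but the attacker also rewrites the stored chain,
    # which anyone with write access to the ledger database can do.
    rewritten = chain_hashes(tampered)
    careful = first_in_store_mismatch(tampered, rewritten)   # None: in-store check is blind
    anchored = locate_against_anchors(tampered, anchors)     # (5, 9): corruption is in that segment
    return clumsy, careful, anchored


if __name__ == "__main__":
    print(demo())
```

The second attack is the one that matters for the restoration problem: a chain verified only against hashes in the same database passes, while the anchored checkpoints narrow the corruption to records 5 through 9, so a restore can keep everything up to record 4 and fall back to a trusted copy only for the suspect segment.  Shorter checkpoint intervals trade anchor storage for tighter localisation.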

In addition, Professor Kashyap cautioned Members of Parliament that financial institutions “risked focusing too much on dangers that would damage their individual reputations, rather than threats to the system as a whole, such as overreliance on a handful of providers of cloud computing services.”  He stated that he does not “really care if bank ‘x’ is offline for a week, even if it’s disastrous for their share price, if the services that they provide, that are critical, can be delivered in some other way.  What is tricky is it could be the case that the (bank) board’s incentives of what to worry about are misaligned with the general incentives.”

Note: Professor Kashyap’s testimony reinforces a statement to Members of Parliament by Ciaran Martin, Chief Executive of the United Kingdom’s National Cyber Security Centre, “that a ‘category one’ attack that would disable the financial system and national energy supplies was a matter of ‘when, not if’.”  Both witnesses’ views should be of substantial concern not only to the Financial Policy Committee, which is responsible for removing or reducing systemic risks to the United Kingdom financial system, but also to Members of Parliament in general and to the United Kingdom financial sector as a whole.

The problem, in large part, stems from the fact that there is no predictable timeframe within which any particular agency or business must prepare for a major cyberattack.  Any systemic risk that has a low probability on any given day, but high impact if and when it does occur, poses a substantial challenge for boards and Chief Financial Officers in deciding how much to budget, and for how long, to address that threat.  That challenge becomes even greater when, as with cybersecurity, the nature, variety, and sophistication of the threats are constantly changing.

Nonetheless, United Kingdom financial institutions, if they have not already done so, need to do some sustained benchmarking of their cybersecurity programs against each other and against financial institutions outside the United Kingdom.  That benchmarking should include not only data relating to their cybersecurity budgets in general, but specific programs and practices such as fusion centers that can speed the tasks of strategic and tactical intelligence collection and analysis and incident response.

As Professor Kashyap correctly indicated, state actors (including ostensibly private actors operating on their behalf) pose the greatest cyber-related risk over time to the financial system.  A recent report by the Carnegie Endowment for International Peace has shown that “[c]yberattacks on financial institutions are increasingly being linked to nation-states.”

Financial institutions, in the United Kingdom and elsewhere, must therefore move beyond thinking of cybersecurity as a function linked solely to annual budgeting cycles, and treat the risk of a major cyberattack by at least one state actor as a genuine prospect for which they must be well-prepared on a continuing basis.  The consequences, for any financial institution or government agency that should find its operations crippled for weeks or even months by such a state actor, are too great to risk.

Norwegian Financial Supervisory Authority Fines Santander Consumer Bank $1 Million for Flaws in AML Electronic Monitoring System

On June 28, Finanstilsynet, the Norwegian Financial Supervisory Authority (FSA), ordered a subsidiary of Spanish bank Santander, Santander Consumer Bank, to pay a fine of Kr. 9 million (approximately US$1 million) for violating the Norwegian Money Laundering Act.  In particular, the FSA stated that Santander Consumer Bank warranted a financial penalty for defects in the operation of its electronic monitoring system “to detect suspicious transactions related to money laundering and terrorist financing.”  (Note: All translations of language in the FSA order are informal.)

According to the FSA order, section 38 of the Money Laundering Act requires that banks, mortgage companies, and finance companies have electronic monitoring systems to identify issues that may indicate money laundering and terrorist financing.  The Act also requires that monitoring be conducted on an ongoing basis, and that a bank investigate transactions for which there are indications of money laundering or terrorist financing.  The order further stated that “[a]n effective and fast implementation of investigations and reporting suspicious matters is central to achieving the purpose of the Money Laundering Code.”  When the suspicion about a transaction is not rejected, it is to be reported to Økokrim, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, which functions as both a police agency and a public prosecutors’ office with national authority.

The FSA observed that in December 2018, Santander Consumer Bank brought to the FSA’s attention that the bank had discovered an error in the operation of that electronic monitoring system.  The bank informed the FSA that the error had resulted in approximately 1,260,000 transactions not being subject to money laundering review for more than four years, from October 30, 2014 to December 6, 2018.

After further internal review and correction of the error, the bank found that approximately 1.6 million transactions, involving 303,415 customers, had not been verified under the Money Laundering Act.  Reuters reported that a bank spokesperson said the error was connected to the integration of old and new IT systems, and added that the bank “has fully cooperated with and kept the FSA fully continuously informed.”

In response, the FSA stated that it considered all factors for assessing a financial penalty under section 50 of the Money Laundering Act.  Those factors include the gravity and duration of the offense; the offender’s degree of guilt; the offender’s financial capacity; the reporting entity’s risk assessments and processes; benefits that have been achieved or could have been achieved by the violation; whether third parties have suffered losses; the degree of cooperation with the authorities; and any previous violations of the Act or regulations pursuant to the Act.

With regard to those factors, the FSA stated that “the offense has been going on for a long time, and applies to many transactions and customer relationships.”  It also opined “that the error in the system could and should have been uncovered and directed far earlier than was actually the case.”  The FSA specifically stated that “it is particularly aggravating that the bank was, or should have been, aware that there must be errors in the system without the matter being prioritized.”  It also assumed “that the bank ha[s] not had sufficient resources and attention on the weaknesses of the system and the error that led to the offense.”  All of these factors, in the FSA’s view, “are relevant during the assessment of the gravity of the violation and duration, the offender’s level of guilt, and the assessment of what benefits Santander Consumer Bank has achieved or could be achieved by the violation.”

The FSA acknowledged that the bank had correctly reported the error and had contributed to the FSA’s inquiry.  Even so, it cited section 46 of the Norwegian Public Administration Act as the source of “a number of factors that can be taken into account in cases concerning administrative sanctions.”  The FSA’s assessment was that “the incident in the bank is of such a nature that it speaks for sanctioning, taking into account both general preventive and individual preventive considerations.”  It found that “the bank did not have enough resources in the fulfillment of its legal requirements, and that the management did not implement the necessary measures even when it knew, or should have known, that there were errors in the systems.”  In the FSA’s view, “it is important that suspicions about system errors and non-compliance with the [money laundering] law lead to a quick follow-up from the reporting party, even where it has to demand more resources and attention from management.”

Note:  The FSA order provides a detailed example of the factors that the FSA weighs in determining whether to penalize financial institutions for failure to comply with the Norwegian Money Laundering Act.  It also provides yet another reminder to financial institutions’ AML compliance teams that their review of AML internal controls must include periodic checks on the completeness, timeliness, and accuracy of their AML electronic monitoring systems.  Other financial institutions have paid a substantial price when their AML compliance failures included failures or gaps in their transaction monitoring systems, and regulators in the United States and the European Union can be expected to reinforce that message in future enforcement actions.
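A monitoring system cannot report the transactions it never received, which is why the completeness check above has to reconcile the core ledger (the source of truth) against the monitoring engine's own log of what it screened.  The following Python is an added example by the editor, not code from the FSA order or from the bank: it reconciles a constructed ledger export against a constructed screening log and reports the three properties the note calls for, unscreened transactions grouped by source system (completeness), screening that missed a service-level window (timeliness), and amounts the engine saw differently from the ledger (accuracy).  The field names, the 24-hour window and the sample rows are assumptions for the illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample data, not from the FSA order.  LEDGER is the core-banking
# export (source of truth); SCREENED is what the AML engine logged as reviewed.
LEDGER: List[dict] = [
    {"txid": "T1", "system": "legacy", "amount": 1200.0,  "booked": "2018-12-01T10:00:00"},
    {"txid": "T2", "system": "legacy", "amount": 9800.0,  "booked": "2018-12-01T10:05:00"},
    {"txid": "T3", "system": "new",    "amount": 300.0,   "booked": "2018-12-01T11:00:00"},
    {"txid": "T4", "system": "new",    "amount": 15000.0, "booked": "2018-12-02T09:00:00"},
    {"txid": "T5", "system": "legacy", "amount": 50.0,    "booked": "2018-12-02T09:30:00"},
]
SCREENED: List[dict] = [
    {"txid": "T1", "amount": 1200.0, "screened": "2018-12-01T10:01:00"},
    {"txid": "T3", "amount": 300.0,  "screened": "2018-12-01T11:00:30"},
    {"txid": "T4", "amount": 1500.0, "screened": "2018-12-04T09:00:00"},  # amount mangled in transit, and two days late
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def reconcile(ledger: List[dict], screened: List[dict], sla: timedelta = timedelta(hours=24)) -> Dict:
    """Compare every booked transaction with the engine's screening log."""
    # Keep the earliest screening record per txid; duplicate log rows must not mask gaps.
    seen: Dict[str, dict] = {}
    for row in screened:
        current = seen.get(row["txid"])
        if current is None or _ts(row["screened"]) < _ts(current["screened"]):
            seen[row["txid"]] = row

    unscreened: List[str] = []
    late: List[str] = []
    mismatched: List[str] = []
    by_system: Dict[str, int] = {}
    for tx in ledger:
        hit = seen.get(tx["txid"])
        if hit is None:
            # Completeness: the engine never saw this transaction at all.
            unscreened.append(tx["txid"])
            by_system[tx["system"]] = by_system.get(tx["system"], 0) + 1
            continue
        # Timeliness: screened, but outside the agreed window after booking.
        if _ts(hit["screened"]) - _ts(tx["booked"]) > sla:
            late.append(tx["txid"])
        # Accuracy: the engine scored a different amount than the ledger holds.
        if abs(hit["amount"] - tx["amount"]) > 0.005:
            mismatched.append(tx["txid"])

    covered = len(ledger) - len(unscreened)
    return {
        "coverage": covered / len(ledger) if ledger else 1.0,
        "unscreened": unscreened,
        "unscreened_by_system": by_system,
        "late": late,
        "amount_mismatch": mismatched,
    }


def report() -> Dict:
    """Run the reconciliation over the constructed sample."""
    return reconcile(LEDGER, SCREENED)


if __name__ == "__main__":
    print(report())
```

On the sample, coverage is 60 percent, both unscreened transactions come from the "legacy" feed, and T4 fails both the timeliness and the accuracy test.  The per-system breakdown is the part worth keeping in a real deployment: a gap concentrated in one feed, as a bank spokesperson described here for the old-and-new system integration, is visible in the first run of a check like this rather than four years later.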

Former Assistant Inspector General Indicted for Involvement in Steering Government Contracts and Disclosing Confidential Government Information to Friend Who Ran IT Firm

On June 27, the U.S. Department of Justice announced that on June 26, a federal grand jury in the District of Columbia returned an indictment against Eghbal “Eddie” Saffarinia, former Assistant Inspector General for Management and Technology in the U.S. Department of Housing and Urban Development Office of Inspector General (HUD-OIG).  The indictment charged Saffarinia with concealing material facts, making false statements, and falsifying Office of Government Ethics (OGE) annual financial disclosure forms, in connection with his allegedly disclosing confidential internal government information to a friend (“Person A”) who was the owner and chief executive officer of a Virginia information technology company (“Company A”) and undertaking efforts to steer government contracts and provide competitive advantages and preferential treatment to Company A.

According to the Indictment, between early 2012 and mid-2016, Saffarinia, while serving as an Assistant Inspector General at HUD-OIG, was HUD-OIG’s Head of Contracting Activity.  In that capacity, he “oversaw procurement review and approval processes, including IT contracts; had access to contractor proposal information and source selection information; and participated personally and substantially in IT procurements.”

Saffarinia and Person A allegedly “were friends who emigrated from the same country, went to college together in the early 1980s, and socialized with each other on a regular basis.”  They also had a long-standing financial relationship, in which Saffarinia owed a total of $80,000 to Person A.  During the period when Saffarinia was receiving payments and loans from Person A, he allegedly “steered significant government business to Company A and its business partners, he disclosed confidential and internal government information to Person A, he gave competitive advantages and preferential treatment to Person A and Company A, and he caused and attempted to cause HUD-OIG to increase the amount of work and hours awarded to Person A and Company A.”

As one consequence of Saffarinia’s alleged efforts, Company A received approximately $1,065,520 for subcontractor work performed under an information technology (IT) services contract with another company.  In addition, Saffarinia allegedly caused HUD-OIG to recompete that IT services contract, and caused another company to form a business partnership with Person A and Company A for the recompete contract, in which Company A was expected to receive approximately $9 million.

Note:  Although there is no plea or conviction yet in this case, ethics and compliance officers in public- and private-sector entities can use the facts as alleged in this case to brief and train executives and employees, to underscore the importance of strict compliance with conflict-of-interest requirements.

This case should also indicate that government agencies and companies cannot simply rely on self-disclosures by their employees to conduct effective monitoring and oversight of compliance with conflict-of-interest requirements.  In this case, the evidence against Saffarinia apparently includes numerous meetings over lunches and dinners, during Saffarinia’s tenure at HUD-OIG, in which Saffarinia and Person A discussed business opportunities for Person A and Company A and the IT services contract, as well as communications between Saffarinia and Person A that included Saffarinia’s forwarding of internal HUD-OIG emails and contract-related materials to Person A.

Dutch Government Ministers Propose Package of Anti-Money Laundering Measures

On July 1, according to NL Times, two Ministers in the Dutch Cabinet – Minister of Finance Wopke Hoekstra and Minister of Justice and Security Ferdinand Grapperhaus — sent to the Dutch Parliament a set of anti-money laundering (AML) measures that include:

  • Prohibiting cash payments of more than €3,000;
  • Regulating cryptocurrencies, reportedly “to limit the risks associated with cryptocurrencies”;
  • Calling for the €500 banknote to be taken out of circulation;
  • Increasing the capacity of the Dutch Financial Intelligence Unit, FIU Nederland, “and other investigative authorities;”
  • Encouraging banks “to share information about suspicious clients”; and
  • “Advocat[ing] for the establishment of a European regulator on money laundering.”

In addition, the government reportedly is “looking into a ‘black list’ where banks can register clients they suspect are involved in money laundering.”

Finance Minister Hoekstra stressed the importance of interagency cooperation, saying that the government, regulators, the FIU, the Dutch Public Prosecution Service, the Fiscal Information and Investigation Service (the Dutch anti-fraud agency), the financial sector, and accountants are “now joining forces to ensure that criminals cannot get a foothold in our financial system.”  Justice Minister Grapperhaus added that through this joint effort, “we want to take the approach against money laundering to a higher level. The Netherlands must be among the international leaders in tackling money laundering.”

Note: Dutch authorities have known for some time that criminals have been seeking to exploit Dutch financial institutions for money laundering.  The Ministers stated that an estimated €16 billion is laundered every year in the Netherlands, and the Organized Crime and Corruption Reporting Project reported that nearly €1 billion was laundered through the Netherlands by a single operation that moved billions of euros out of Russia.  That latter report apparently prompted Dutch prosecutors to examine possible Dutch involvement with Russia-related money laundering.

These proposed measures indicate that the Dutch Government, while supportive of enhanced European Union-wide AML oversight authority, is not waiting for EU action to initiate its own national-level AML action plan.  Because the European Central Bank has emphasized that the €500 notes still in circulation will continue to be legal tender, even after all EU Member States have ceased issuing new €500 notes, it is not clear whether the Ministerial proposal on withdrawing the €500 note is intended to deny those notes legal tender status.

As FBI and IRS Conduct Criminal Investigation of QuadrigaCX, EY Reports “Significant” Quadriga Cash Transactions and Transfers of “Substantial” Funds to Gerald Cotten

Two recent developments regarding former Canadian cryptocurrency exchange QuadrigaCX and its late founder and sole director Gerald Cotten provide strong indications that QuadrigaCX was the locus for a massive fraud that victimized QuadrigaCX’s customers.  First, on June 3, the Federal Bureau of Investigation announced that it, the Internal Revenue Service Criminal Investigation (IRS-CI), the United States Attorney’s Office for the District of Columbia, and the United States Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) “are conducting an ongoing investigation” and seeking information from potential victims of QuadrigaCX.

Second, on June 19, the consulting firm Ernst & Young (EY) filed its latest report with the Nova Scotia Supreme Court, in its capacity as Monitor in the bankruptcy proceedings pertaining to the business and affairs of QuadrigaCX and related companies and Cotten.  Although it noted that “the lack of formal books and records and inability to access certain encrypted devices have limited [its] review”, and that Cotten’s death and the lack of any other “key corporate representative” deprived EY of the ability to seek “an explanation or justification, if any,” for the actions under review, EY provided the Court with a number of preliminary observations and findings.

Some of the most significant observations and findings are as follows:

  • “No accounting records have been identified by [EY] and there appears to have been no segregation of assets between Quadriga Funds and User Funds. Funds received from and held by Quadriga on behalf of Users appear to have been used by Quadriga for a number of purposes other than to fund User withdrawals. With its available infrastructure, Quadriga does not appear to have had visibility into its profitability, if any.”
  • “The Company appears to have engaged in significant ‘cash’ transactions. The Monitor has been unable to verify if cash deposits were deposited into accounts containing User Funds and/or properly recorded.”
  • “The Monitor has been unable to locate basic corporate records including the location and security passwords associated with Quadriga’s Fiat and Cryptocurrency inventories between TPPs, bank accounts, wallet addresses and third-party exchanges. In addition, the Monitor understands passwords were held by a single individual, Mr. Cotten and it appears that Quadriga failed to ensure adequate safeguard procedures were in place to transfer passwords and other critical operating data to other Quadriga representatives should a critical event materialize (such as the death of key management personnel).”
  • “User Cryptocurrency was not maintained exclusively in Quadriga’s hot and cold wallets. Significant volumes of Cryptocurrency were transferred off Platform outside Quadriga to competitor exchanges into personal accounts controlled by Mr. Cotten. It appears that User Cryptocurrency was traded on these exchanges and in some circumstances used as security for a margin trading account established by Mr. Cotten. Trading losses incurred and incremental fees charged by exchanges appear to have adversely affected Quadriga’s Cryptocurrency reserves. In addition, substantial amounts of Cryptocurrency were transferred to wallet holders whose identity the Monitor has been unable to confirm.”
  • “Mr. Cotten created Identified Accounts under aliases where it appears that Unsupported Deposits were deposited and used to trade within the Platform resulting in inflated revenue figures, artificial trades with Users and ultimately the withdrawal of Cryptocurrency deposited by Users.” The Report stated that those accounts “had no [Know Your Customer] information and were maintained under various pseudonyms (examples include Chris Markay, Aretwo Deetwo and Seethree Peaohh).”
  • “Substantial Funds were transferred to Mr. Cotten personally and other related parties,” and EY “has not located any support justifying these transfers.” For example, in one case, EY reported that it appears that Cotten liquidated nearly all of the bitcoin deposited in a particular exchange account, for the equivalent of approximately CDN $80 million over the course of three years. To date, EY stated, it “has been unable to account for what happened to the proceeds of the sale” of that cryptocurrency.
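The Monitor’s finding that passwords were held by a single individual, with no procedure for transferring them if a critical event occurred, describes a single point of failure in key custody.  The standard remedy is threshold secret sharing: a wallet passphrase or key is split into n shares held by different custodians, any k of which reconstruct it while fewer than k reveal nothing about it.  The following Python is an added example by the editor, not anything QuadrigaCX or EY used; it implements Shamir’s scheme over a 256-bit prime field, with the 3-of-5 policy and the sample passphrase chosen for the illustration.

```python
import secrets
from typing import List, Tuple

# Shares and the secret live in the field of integers modulo this prime
# (2^256 - 189, the largest prime below 2^256).
PRIME = 2**256 - 189


def _poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def split_secret(secret: bytes, threshold: int, count: int) -> List[Tuple[int, int]]:
    """Split `secret` into `count` shares; any `threshold` of them recover it.
    The secret is the constant term of a random degree-(threshold-1) polynomial."""
    if not 2 <= threshold <= count:
        raise ValueError("need 2 <= threshold <= count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field; split it into 31-byte chunks first")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, count + 1)]


def recover_int(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0.  With fewer than `threshold` shares this
    returns a uniformly random-looking wrong value, not an error: the custody
    procedure, not the math, has to record what the threshold is."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Reassemble the original bytes; `length` is the original secret length."""
    return recover_int(shares).to_bytes(length, "big")


def demo() -> Tuple[bool, bool]:
    secret = b"constructed-cold-wallet-pass"  # sample passphrase, not a real one
    shares = split_secret(secret, threshold=3, count=5)
    # Any three custodians together recover the passphrase.
    enough = recover_secret([shares[0], shares[2], shares[4]], len(secret)) == secret
    # Two custodians together learn nothing useful.
    too_few = recover_int(shares[:2]) == int.from_bytes(secret, "big")
    return enough, too_few


if __name__ == "__main__":
    print(demo())
```

The point for an exchange's operating procedures is the second result: two shares, or any one officer's share, are useless on their own, so a death or departure costs nothing as long as three of the five custodians remain and the shares themselves are stored separately from the encrypted devices they unlock.  Rotating a compromised share means re-splitting and redistributing, which is why the shares, not the passphrase, should be what is backed up.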

Note: While the Monitor’s Report contains numerous facts reflecting Cotten’s putative fraud, the FBI’s announcement contains a number of facts from which one can infer how the Justice Department is conducting its investigation with the FBI and IRS-CI.  Although both Cotten and his companies were Canadian, it is likely that a substantial number of the 76,000 users of QuadrigaCX’s services were American.  Should the FBI and IRS-CI find evidence of international transfers of funds or email communications between Cotten and U.S. QuadrigaCX customers, those acts could provide the basis for wire fraud charges, and any subsequent transfers of victim funds could provide the basis for money laundering charges, against Quadriga or its related companies.

In addition, the announced involvement of both the United States Attorney’s Office in Washington, DC and CCIPS suggests that the investigation warrants collaboration between CCIPS, whose attorneys have considerable legal and technological expertise with cybercrime investigations, and the United States Attorney’s Office.  That expertise may be especially important as investigators continue to try to access Cotten’s encrypted devices and text messaging services and to trace customer funds.