Southern Water Services Limited To Be Penalized £126 Million for Unauthorized Wastewater Spills and Deliberate Misreporting of Environmental Compliance Data

On June 25, the United Kingdom Water Services Regulation Authority (Ofwat), a government department that serves as the economic regulator of the water sector in England and Wales, published a notice of its proposal to impose a penalty on Southern Water Services Limited (Southern Water) totaling £126 million. The penalty consists of payments to Southern Water customers totaling about £123 million over the next five years, and a £3 million financial penalty on Southern Water “for significant breaches of its licence conditions and its statutory duties.”

Ofwat stated that Southern Water – which The Times reported “supplies water and treats sewage in Kent, Sussex, Hampshire and the Isle of Wight, serving 4.7 million people in two million properties” – had “deliberately misreported data to us about the performance of its wastewater treatment works,” and

has failed: to have adequate systems of planning, governance and internal controls in place to be able to manage its wastewater treatment works; to accurately report information about the performance of these works; and to properly carry out its general statutory duties as a sewerage undertaker, to make provision for effectually dealing with and treating wastewater.

Among other findings in its investigation, Ofwat concluded

that a material number of Southern Water’s wastewater treatment works have faced a wide range of problems, including some over a long period of time. This includes critical assets – including those used to monitor performance at treatment works and those which form a key part of the treatment process (such as screening equipment) – failing to perform effectively, either through lack of timely investment by the company or inadequate maintenance of those assets. These problems have contributed to the widespread use and adoption of improper practices within Southern Water, including at senior management levels, to present a false picture of compliance.

Ofwat further determined that this situation

has been compounded by failings of corporate culture and governance within the company. Southern Water’s Board did not take the steps that we would expect a diligent and reasonable company to take; firstly to put in place and check that there were adequate systems and processes to ensure that wastewater treatment works were being operated in a compliant manner, and secondly steps to ensure it had sight of and could identify problems at an early stage in order to take action to prevent these.

Among Southern Water’s failures in corporate culture and governance, Ofwat’s notice cited the following:

  • Southern Water itself stated “that whilst there is limited direct evidence of front line staff incentives or rewards linked to the implementation of ANFs, there was a potential that incentive schemes for senior management led to inappropriate behaviours to avoid [Ofwat Outcome Delivery Incentive] penalties.”
  • “Senior management within the Wastewater Operations division colluded to conceal the actual performance of [wastewater treatment works]. A culture of data manipulation was the norm and was accepted by staff across the division.”
  • Southern Water acknowledged
    • “that there were deficiencies in its organisational culture which prevented employees from being comfortable with speaking out about inappropriate or non-compliant behaviours. This included having in place ineffective whistleblowing processes which resulted in no staff coming forward to report their concerns despite certain staff being obviously uncomfortable about the implementation of ANFs and feeling pressured to act in an improper manner . . . .”
  • The whistleblower policy that Southern Water had in place at the time
    • “included on its first page and highlighted in bold the following text: ‘Should any investigation conclude that the disclosure was designed to discredit another individual or group, prove to be malicious or misleading then that worker concerned would become the subject of the Disciplinary Procedure or even action from the aggrieved individual’.”
    • Southern Water since confirmed that
      • “this policy has since been replaced with a new policy which makes clear that its whistleblower policy is completely anonymous and that Southern Water is committed to protecting the career of anyone who reports wrongdoing, and would not tolerate any form of retaliation or threat should the person choose not to remain anonymous.”
  • Ofwat also observed “that a company’s board should have oversight over the values and culture of the company to satisfy itself that behaviours throughout the business are aligned with the company’s purpose,” but that “this oversight was absent for the duration of the failures that are described in this notice.”

In summarizing its investigation and findings, Ofwat noted that its findings regarding Southern Water

are purely about regulatory obligations in respect of which Ofwat has jurisdiction. We are not seeking to make findings about environmental permit failures or whether the acts of Southern Water or its employees, were criminal in nature. These matters are currently being dealt with by the Environment Agency, as the environmental regulator.

Note: This action by Ofwat demonstrates that utility companies (including water and sewage) are no less responsible than any other sector for maintaining effective corporate-compliance programs, including with regard to environmental compliance.  Compliance teams in multiple sectors should review the notice, particularly the section addressing the company’s culture and compliance failures, and compare it against their companies’ compliance programs to identify shortcomings or opportunities for improvement.

Since Ofwat issued the notice, Matthew Wright, who headed Southern Water from February 2011 to the end of 2016, reportedly stated that he had been “genuinely shocked” by Ofwat’s findings of wrongdoing, and that “there was ‘no suggestion’ that he or [the company’s] board were aware of the practices set out in the Ofwat report.”  If both of those statements are taken at face value, they provide further evidence of how substantial the company’s culture and compliance failures were.

Southern Water has already taken steps to address the reported compliance failures.  These include a draft confidential Action Plan that it presented to Ofwat, “listing various measures the company had already taken, was taking or planned to take with the aim of addressing the areas of concern” that Ofwat had previously identified.  Moreover, Ian McAulay, who took over as Southern Water’s chief executive in 2017, stated that the company was “profoundly sorry for these failures,” “that a former member of its executive management, who had since left the company in a restructuring, was among those aware of the cover-up,” and that an unspecified “number of people were dismissed.”

These measures, while necessary, will not suffice to resolve all aspects of Southern Water’s situation.  As Ofwat noted, Southern Water remains under criminal investigation, and the Environment Agency informed The Times “that it expected to start court proceedings ‘soon’.”  In addition, the revelations about Southern Water’s lengthy record of compliance failures have encouraged Labour Party calls for renationalization of Britain’s utilities.  The fact that Ofwat had previously fined Southern Water £20.3 million for similar conduct – i.e., “‘systematically manipulating information to conceal its true performance over an extended period of time’ — in that case to conceal woeful customer service” – can only increase the challenges for the company to demonstrate that it is truly committed to a culture of compliance.

Telstra Issues Security Report for 2019

Recently, Australian telecommunications company Telstra released its Security Report 2019.  This whitepaper drew on interviews with 1,298 security professionals – 61 percent in Asia-Pacific (APAC) and 39 per cent in Europe – in businesses of all sizes across 13 countries.

Highlights of the Report included the following:

  • Priorities: In the past 12 months, there has been “a material shift in the priorities of both defenders and attackers. Some aspects of security, like malware, are better-known. However, other emerging security technologies, though not as well understood, are high on the list of considerations to improve cyber defences. For example, 93 per cent of the global respondents are considering, trialling or have implemented next gen endpoint detection and response.”
  • Data Breaches: “Breaches, defined as incidents that result in the confirmed disclosure of sensitive data to an unauthorised party, are on the rise. Our survey shows nearly two thirds of respondents have fallen victim to a security breach, showing these events are happening more frequently and continue to be more varied.”
  • Phishing: In particular, of the 63 per cent of global respondents and 65 per cent of Australian respondents who reported that their business was interrupted due to a security breach in the past year, “35 per cent of Australian organisations reported phishing incidents on a weekly or monthly basis.”  The Report also noted that “[p]hishing is one of the most common ransomware infection vectors . . . .”
  • Ransomware Attacks: Some of the most interesting findings concerned companies’ experiences with ransomware attacks:
    • Frequency: Across multiple regions, a significant percentage of companies that reported being interrupted due to a security breach in the past 12 months reported interruptions “on a weekly or monthly basis” from ransomware attacks:
      • Australia – 32 percent. In addition, 81 per cent of Australian respondents indicated they had experienced a ransomware attack at least once during 2018 – an increase of five percent over 2017.
      • APAC – 26 percent
      • Europe – 24 percent
      • Germany – 27 percent
      • France – 26 percent
      • United Kingdom – 19 percent
    • Ransom Payment: The Report stated that 51 percent of Australian respondents who were victims of ransomware reported paying the ransom – an increase of four percent year on year. “This rate is higher than in the APAC and European regions, where 48 per cent and 50 per cent respectively indicate having paid a ransom. Singapore and New Zealand both reported a higher incidence of ransomware attacks, and also report the highest rate of paying the ransom after an attack (61 per cent respectively).”
    • Success with Data Retrieval: The Report stated that 77 percent of Australian businesses that paid a ransom “were able to retrieve their data after making the payment” – a decrease of nine percent year on year. In contrast, the APAC and European regions reported much higher rates of retrieval (83 and 88 percent, respectively), and Germany and France had higher retrieval rates (96 percent for both).
    • Willingness to Pay Again: A surprisingly high percentage of respondents indicated that they would pay the ransom again next time if no backup files were available:
      • Australia – 79 percent
      • APAC – 75 percent
      • Europe – 73 percent
      • Germany – 78 per cent
      • France – 68 percent

The Report also commented that “[w]hile ransomware is still pervasive and profitable for cyber criminals, most potential victims have adopted policies and safeguards against such attacks.”

  • Cryptocurrency Attacks: “Many adversaries are now turning to cryptocurrency related products, which can often be bolted onto traditional malware and easily activated. The rise in popularity of these currencies makes this market attractive for crypto mining and cryptojacking.” The Report also stated that “[i]n some quarters in 2018, crypto mining was seen on a grand scale, making an appearance on all platforms, devices, operating systems, and in all browsers.”
  • Advanced Persistent Threats (APTs): The Report stated that “APTs have been a pervasive part of the cyber threat landscape year on year,” citing a recent report from FireEye that “shows an increased use of this attack type by nation-state groups, such as Iran.”
  • Formjacking: Formjacking, “the injection of malicious JavaScript code that is written to steal credit card data and other information,” typically “occurs on untrustworthy e-commerce websites.”
  • Defender Responses: “This year, an interesting trend is emerging where defenders are striking back. Awareness and understanding of the strategic importance of security is improving. In all regions we surveyed this year, businesses reported investing more resources in security awareness and training, more so than what we saw in our 2018 Security Report. This includes delivering formal education focusing on information management and incident response.”
  • Corporate Attention to Cybersecurity: In 2018, “all respondents surveyed identified that within their role they are responsible for both cyber and electronic security within their organisation. There are also early signs of increased C-level participation. . . . Additionally, about one third of businesses told us that because of new regulations, the frequency of C-level and senior management meetings on security in Australia, APAC, and Europe is increasing.”

Note: The key message from the Report, in the words of Telstra Group Executive Michael Ebeid, is that “security has moved far beyond the maintenance of firewalls and is now a whole-of-business concern for C-level executives and boards.”  Although the Report’s survey population included only respondents from Australia, APAC, and Europe, cybersecurity and anti-fraud compliance teams at companies of all sizes and in all industries that do business internationally should take note of these principal findings, and include them in their briefings to C-level officials and board members.

Europol Official Warns of Russian and Chinese “Huge Inflows of Criminal Money” into Europe

On June 13, according to Reuters, Pedro Felicio, head of the Economic and Property Crime Unit at the European police agency Europol, stated that “huge inflows of criminal money” are principally entering Europe from Russia and China.  Felicio, whose duties include combating money laundering in Europe, said that “[t]here are billions of criminal money that are being taken out of the Russian economy,” and  “warned of the dangers of a repeat of scandals involving tainted Russian money in the Baltics . . . .”

Although he recognized that anti-money laundering (AML) oversight has improved since the Danske Bank scandal that came to public attention last year, Felicio reportedly noted that “there are still gaps particularly in the Baltic states.”  In his words, “Some of the banks in the Baltic area are very vulnerable to money laundering activities especially coming in from Russia. It has improved but it is far from being solved.”  He also commented that “It is just a matter of time until we see another scandal coming in from the area and it will probably be very similar to the scandals we have seen in the past.”

In addition, Felicio observed that while the Baltics were in the “front line” for receiving criminal proceeds, those proceeds were being invested elsewhere, particularly via real estate in London and Rome.  He cited two factors that were exacerbating the money-laundering problem in Europe: the high burden of proof in European states, and “zero cooperation from Russia in providing . . . evidence.”

Note: Felicio’s remarks should serve as a reminder to financial institutions with European operations that they need to maintain vigilance in monitoring international financial transactions that, like the funds that flowed through Danske Bank’s Estonian branch, may have their origin in nations such as Russia and China but transit through third countries as part of the layering process.  They also highlight one of the continuing challenges for the European Union in devising and implementing a more robust and effective system of AML oversight and enforcement.

North Korea Increasingly Dependent on Cyber-Based Theft for Cash

On June 19, the Financial Times reported on signs that North Korea, due to “immense economic pressure from sanctions, increasingly depends on cash from cyber-based theft.”  According to cybersecurity experts, North Korean leader Kim Jong Un’s regime

controls an army of thousands of hackers who bring in hundreds of millions of dollars annually . . . . With North Korea cut off from most trade with the outside world, the cash generated from illicit cyber-based activities is thought to have become a core revenue stream for Pyongyang and has now probably surpassed the value of sales of weapons and military services.

The reported increase in North Korean online crime “also marks the latest example of the Kim regime’s decades-long struggle to bring in cash to the country via unorthodox and illicit means, and follows reported cases of global insurance fraud and the production of counterfeit money and drugs.”  For example, in 2018 the U.S. Department of Justice unsealed charges against “a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions.  Those charges alleged that the conspiracy utilized a strain of malware, ‘Brambul,’ which was also used to propagate” the Joanap botnet (i.e., “a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities”).  Subsequently, the Department announced “an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet.”

While the Financial Times cautioned that “[e]stimates vary as to exactly how much money North Korea now makes from any of its illicit activities,” the Department of Justice has alleged that Park and his coconspirators stole $81 million from Bangladesh Bank in 2016 and sought to steal at least $1 billion from financial institutions.  A former U.S. National Security Agency analyst, Priscilla Moriuchi, stated that North Korean operatives “had proved to be ‘persistent, patient and skilled’.”  “There was an impression that these [banking hacking operations] were opportunistic targets.  We can see they are decidedly not . . . .”

In addition, the Financial Times reported that “[a]nalysts stressed it was difficult to pinpoint what happens to the stolen cash, cryptocurrencies or gaming credits. But, one expert said, there were signs stolen cryptocurrencies were quickly laundered through several different exchanges, making them ‘virtually untraceable’.”

Note: The increasing sophistication and persistence of these North Korean-authorized cybertheft operations – coupled with the efforts of sanctioned North Korean banks to use companies to launder funds on behalf of those banks – represent serious compliance challenges for the financial sector.  Cybersecurity and compliance teams in financial firms should take this opportunity, if they have not done so recently, to review the capacity of their cybersecurity and AML programs to address these kinds of threats to their firms, and to seek additional funding if necessary from senior management.

ANZ New Zealand CEO Leaves Bank After Disclosure of “Mischaracterized” Expenses

On June 17, ANZ Bank announced that the Chief Executive Officer (CEO) of its New Zealand business, David Hisco, was leaving ANZ reportedly “after concerns he ‘mischaracterised’ personal expenses including the use of corporate chauffeured cars and wine storage.”  ANZ Bank New Zealand’s Chairman (and former New Zealand Prime Minister) Sir John Key cited unspecified “‘health issues’ and the board’s concern over the expenses, which were worth tens of thousands of dollars and spanned nine years.”

Key also stated, according to the Sydney Morning Herald, that Hisco “was not paying the money back to ANZ because he was ‘adamant’ he had the authority to spend it, and the bank’s main concern was not the money itself,” but that  “there had been a ‘lack of transparency’ in how the expenses were recorded in the bank’s books.”  In Key’s own words,

What is at the heart of this issue, though, is the way that that expenditure was recognised in our books, in other words, it was either in our view mis-characterised or there was a lack of transparency. So it’s not about the money itself, it’s the way it was recognised in the ANZ records . . . .

Hisco’s departure has not ended the controversy.  The New Zealand Reserve Bank is continuing to question ANZ, which the Reserve Bank regulates as a New Zealand incorporated bank, about Hisco’s hasty departure.

Note:  Ethical violations have become increasingly prevalent as a basis for CEO terminations.  A May 2019 PwC study of turnover among the top 2,500 global companies found not only that a record 18 percent of CEOs were replaced, but that 39 percent of the CEOs dismissed “had been accused of ethical lapses . . . the first time ethical lapses led the causes of CEO turnover in the study’s 19-year history.”

In ANZ’s case, the facts as reported indicate that ANZ in theory may have more than domestic regulatory concerns to take into account.  Given Sir John’s statements indicating that Hisco’s expenses were inaccurately recorded in ANZ’s books and records, ANZ should recognize that inaccurate books and records may bring the matter within the purview of the United States Securities and Exchange Commission (SEC).  Under the “books and records” provisions of the Foreign Corrupt Practices Act (FCPA), publicly traded entities – which include foreign issuers, like ANZ, whose American Depository Receipts are traded on the over-the-counter market – can be held liable for failure to maintain accurate records regarding the company’s transactions.

The SEC would be highly unlikely to pursue an FCPA investigation of ANZ on “mischaracterized” expenses of tens of thousands of dollars unrelated to foreign bribery.  Nonetheless, other companies whose shares or ADRs trade on U.S. securities markets should use the Hisco case as an opportunity to remind senior executives about the ethical and legal ramifications of their misrepresenting or falsely reporting the nature and basis of transactions benefiting themselves that involve company funds.