Mazars Ireland Survey Shows Irish Businesses Suffering from Occupational Fraud and Abuse and Compliance Program Shortcomings

On May 21, Irish Tech News reported that the Irish professional services firm Mazars Ireland published the results of a survey to examine occupational fraud and abuse in Ireland.  The survey, conducted in February 2019, obtained information from nearly 100 senior figures in the Irish private, nonprofit, and public sectors for insight into the level of actual occupational fraud and abuse.

Key findings from the Mazars survey included the following:

  • Approximately 50 percent of respondents had suffered a loss due to occupational fraud and abuse in the past two years. The average financial loss was between €10,000 and €20,000.
  • Twelve percent of respondents suffered losses greater than €500,000 in the past two years.
  • The principal causes of such losses related to the theft of cash (32 percent) and of goods (19 percent), but businesses also experienced losses due to expense fraud (16 percent) as well as payroll, invoice fraud, and conflict of interest issues.
  • Thirty-three percent of the frauds reportedly were detected by internal audits, and 25 percent by whistleblowing or “speak up” channels.
  • Nearly two-thirds (65 percent) “had not undertaken a formal fraud risk assessment or implemented proactive data monitoring across their business operations.”
  • Approximately 34 percent of respondents “did not have formal investigation procedures or anti-fraud policies in place.”
  • Forty percent placed a high degree of reliance on the head of internal audit to perform investigations.
  • Eighty percent “provided a strong indication that they have whistleblowing or speak up arrangements in place.”
  • Forty percent indicated that, in addition to their own organizations’ staff, customers and suppliers could also use the organizations’ whistleblowing arrangements.

The report also “pointed to a worryingly low level of awareness of anti-bribery and corruption legislation amongst Irish businesses.”  Fifty percent of respondents reportedly were unaware of the recent Criminal Justice (Corruption Offences) Act 2018, “which introduced the new corporate liability offence and allowed for a corporate body to be held liable for the corrupt actions committed for its benefit by any director, manager, secretary, employee, agent or subsidiary.”

Note: The Mazars survey provides strong indications that Irish small, medium, and large private- and public-sector concerns need to review the state of their fraud risk management programs, and be prepared to remedy any significant shortfalls in risk and compliance program implementation.  Certainly not all businesses and agencies can completely prevent fraud directed at their operations, but when nearly two-thirds of respondent companies have not even conducted formal risk assessments or put proactive data monitoring in place, they run the risk of substantial losses and – depending on the industry, nonprofit, or government function they perform – further adverse consequences from regulatory enforcement actions.

The survey’s finding that half of respondents are unaware of the new Irish corruption-offenses legislation, which has been in force since July 2018, also indicates that public- and private-sector entities need to undertake a new round of publicity and training about the Act’s key provisions.  In addition to the corporate-liability offense and “failure to prevent”-style liability mentioned above, businesspeople and government employees need to recognize that the Act contains a number of other new offenses that expand criminal liability to other aspects of corruption.  These include active and passive trading in influence; an Irish official doing a corrupt act in relation to his or her office; giving a gift, consideration, or advantage, knowing that it will be used to commit a corruption offence; creating or using false documents; and intimidation where a threat of harm, rather than a bribe, is used.

Irish companies and agencies, regardless of their size, need to incorporate that information into their internal trainings and briefings, and to expand their compliance programs appropriately, including internal controls, if they are to be able to demonstrate the effectiveness of those programs.

Leading Cryptocurrency Exchange Binance Loses $40 Million to Hackers

On May 7, the global cryptocurrency exchange Binance issued a statement that it had discovered “a large scale security breach” in which “hackers used a variety of techniques, including phishing, viruses and other attacks,” to withdraw 7000 Bitcoin in a single transaction.  That withdrawal, according to The Times, was equivalent to more than $40 million.

Binance’s Chief Executive, Changpeng Zhao, emphasized in the statement that the attack “impacted our BTC hot wallet only (which contained about 2% of our total BTC holdings). All of our other wallets are secure and unharmed.”  He also described the general outlines of the attack:

The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.

Zhao committed to using Binance’s Secure Asset Fund for Users (SAFU), an emergency insurance fund stored in a separate cold wallet, “to cover this incident in full. No user funds will be affected.”  While Zhao informed customers that Binance was temporarily suspending deposits and withdrawals pending a thorough security review, he promised that Binance would continue to enable trading, but added a caveat that “the hackers may still control certain user accounts and may use those to influence prices in the meantime.”  On May 15, Binance issued a supplemental statement that it had completed its system upgrade and would resume all trading activity.

Note: Although one Binance admirer tweeted that at Binance “they take security serious” [sic], this latest incident involving massive cyberthefts from cryptocurrency exchanges does nothing to enhance the financial sector’s confidence in the crypto sector’s commitment to cybersecurity.  Unlike other recent large losses by cryptocurrency companies, Binance – reportedly one of the world’s largest cryptocurrency exchanges – at least has its SAFU to provide customers with protection from individual losses.  Other cryptocurrency exchanges need to establish similar insurance funds for customers’ deposits, and to make the size and operations of such funds highly transparent, if they are to broaden their still relatively narrow base of public confidence.

APWG Publishes First-Quarter 2019 Phishing Activity Trends Report

On May 15, the APWG (formerly the Anti-Phishing Working Group) published its Phishing Activity Trends Report, 1st Quarter 2019.  The Report addressed the following topics:

  • Unique Phishing Websites Detected: The total number of unique phishing websites that the APWG detected in 1Q 2019 was 180,768. That represents a 30.7 percent increase from 4Q 2018 (138,328), and a 19.7 percent increase from 3Q 2018 (151,014).
  • Unique Phishing Reports from Consumers to the APWG: The total number of unique phishing reports that the APWG received from consumers in 1Q 2019 was 112,393. It should be noted that although the number of phishing reports received in January and February was almost identical (34,630 and 35,364, respectively), the number of reports received in March was 42,399 – a 19.9 percent increase since February.
  • Brands Targeted by Phishing Campaigns: The number of brands that phishing campaigns targeted remained fairly even during 1Q 2019 (327, 288, and 330 for January-March, respectively).
  • Most Targeted Industry Sectors: For the first time in APWG quarterly reports, Software-as-a-Service (SaaS) and webmail services became the most-targeted industry sector, with 36 percent of all phishing attacks (compared to 30 percent in 4Q 2018 and 20.1 percent in 3Q 2018).  The next four most-targeted industry sectors were payment (27 percent), financial institution (16 percent), e-commerce/retail (3 percent) and telecom (3 percent).  Attacks against cloud storage and file hosting sites accounted for only 2 percent of all attacks in 1Q 2019 – a substantial decline from 11.3 percent of all phishing attacks in 1Q 2018.
  • Use of Encryption to Deceive Victims: In 1Q 2019, 58 percent of phishing sites used SSL certificates, indicating that they were protected by the HTTPS encryption protocol, to create a false appearance of legitimacy. That represents a 26 percent increase since 4Q 2018 (i.e., 46 percent using SSL certificates), as well as the highest percentage of phishing attacks hosted on HTTPS since Q1 2015.  According to John LaCour, Chief Technology Officer of PhishLabs, there are two reasons for phishers’ increased use of SSL certificates: more web sites in general are using SSL, because browsers are warning users when SSL is not used, “[a]nd most phishing is hosted on hacked, legitimate sites.”
  • Brazil Phishing Trends: In 1Q 2019, the volume of Brazil-related phishing (i.e., attacks against Brazilian brands or against foreign services that are available in Portuguese in Brazil) increased since 4Q 2018 to 3,220, including more than 1,200 in January alone.  Brazil-related malware cases in 1Q 2019 were 180, and malware detections in March were lower than at any time since the start of 4Q 2018.  The report also states that “[e]ach kind of malware identified during this period, on average, aimed to affect up to thirteen Brazilian financial institutions and their customers. The largest number of targets found in a single malware device was nineteen.”

Note: Chief Information Security Officers and Chief Compliance Officers should share these data with their respective teams for general awareness.  As with other APWG quarterly reports, this report reflects general data on phishing trends and not the severity of any single phishing attack on a particular company or financial institution.  Companies offering SaaS and webmail services, however, should take particular note of the significant increase in phishing attacks targeting their sectors.

German Authorities Conduct Searches Across Germany in Expanding Tax-Evasion Investigation

On May 15, the Frankfurt am Main Public Prosecutor’s Office announced that it, the Bundeskriminalamt (BKA) (Federal Criminal Police), the Frankfurt Landeskriminalamt (LKA) (State Criminal Police), the Frankfurt am Main Oberfinanzdirektion (Regional Tax Office), and five municipal tax offices in Germany conducted searches in 29 locations across Germany, as part of a wide-ranging investigation of tax evasion.  The searches included eight individuals’ living quarters in five German cities, towns, and municipalities and on the island of Sylt, the business premises of eleven banks and savings banks in seven cities and towns, the business premises of four tax consultants in four cities and towns, and the business premises of six asset management companies in Hamburg.

The Public Prosecutor’s Office stated that the focus of the investigation was wealthy individuals in Germany suspected of tax evasion.  Each of those individuals, according to that office, intended – with the help of the former subsidiary of a major German bank in the British Virgin Islands – to establish companies in tax havens to hide investment income from the German Treasury and evade taxes.

The Public Prosecutor’s Office reported that the purpose of the search warrants was to obtain evidence regarding the untaxed income, and to clarify the economic conditions of the companies in the tax havens.  It stated that the searches were related to the late-November 2018 search of a major German bank in Frankfurt am Main suspected of engaging in money laundering.  It also explained that the investigation was prompted by findings from “Offshore Leaks.”

Note: “Offshore Leaks” is the name of a 2013 investigation by the International Consortium of Investigative Journalists (ICIJ).  The journalistic reporting from Offshore Leaks has already prompted civil and criminal investigations and legislative and policy changes in numerous jurisdictions.  The ICIJ’s Offshore Leaks database, which the public can access, reportedly contains data on “more than 100,000 secret companies, trusts and funds created in offshore locales such as the British Virgin Islands, Cayman Islands, Cook Islands and Singapore.” Those data stemmed from “a massive leak of 2.5 million privately-held business records [that] detailed more than 120,000 offshore companies and trusts.”

The New York Times reported that the German tax-evasion investigation began with Deutsche Bank, “but has widened to involve other lenders.”  According to the ICIJ, the “major German bank” mentioned by the Public Prosecutor’s Office is Deutsche Bank and its “former subsidiary” is Regula Ltd., which the ICIJ described as “a ‘nominee’ shareholder of shell companies.”  Deutsche Bank, whose headquarters and other offices were searched in November 2018 in a major investigation of money laundering through tax havens, publicly stated that its offices were not searched this week.

Financial-crimes compliance teams in financial institutions, particularly in the United States and the United Kingdom, should continue to monitor further developments with this tax-evasion investigation, particularly if it continues to widen to other financial institutions.

European Commission Fines Five Global Financial Institutions €1.07 Billion for Participation in Foreign Exchange Spot Trading Cartel

On May 16, the European Commission (EC) announced that in two settlement decisions, it fined five global financial institutions – Barclays, The Royal Bank of Scotland (RBS), Citigroup, JPMorgan, and MUFG Bank (formerly Bank of Tokyo-Mitsubishi) – “for taking part in two cartels in the Spot Foreign Exchange market for 11 currencies – Euro, British Pound, Japanese Yen, Swiss Franc, US, Canadian, New Zealand and Australian Dollars, and Danish, Swedish and Norwegian crowns.”

The first EC decision (labeled the “Forex – Three Way Banana Split” cartel, for reasons explained below) imposes a total fine of €811,197,000 on Barclays, RBS, Citigroup, and JPMorgan.  The second EC decision (labeled the “Forex – Essex Express” cartel) imposes a total fine of €257,682,000 on Barclays, RBS and MUFG Bank (formerly Bank of Tokyo-Mitsubishi).

The EC explained that in foreign exchange (“Forex”) currency trading, “Forex spot order transactions are meant to be executed on the same day at the prevailing exchange rate.”  It stated that the 11 currencies listed above are “the most liquid and traded currencies worldwide,” five of which are used in the European Economic Area (EEA).  The EC stated that its investigation

revealed that some individual traders in charge of Forex spot trading of these currencies on behalf of the relevant banks exchanged sensitive information and trading plans, and occasionally coordinated their trading strategies through various online professional chatrooms.

The commercially sensitive information exchanged in these chatrooms related to:

1) outstanding customers’ orders (i.e. the amount that a client wanted to exchange and the specific currencies involved, as well as indications on which client was involved in a transaction),

2) bid-ask spreads (i.e. prices) applicable to specific transactions,

3) their open risk positions (the currency they needed to sell or buy in order to convert their portfolios into their bank’s currency), and

4) other details of current or planned trading activities.

The EC also noted that these information exchanges, following the tacit understanding that the participating traders reached,

enabled them to make informed market decisions on whether to sell or buy the currencies they had in their portfolios and when.

Occasionally, these information exchanges also allowed the traders to identify opportunities for coordination, for example through a practice called “standing down” (whereby some traders would temporarily refrain from trading activity to avoid interfering with another trader within the chatroom).

According to the EC, “[m]ost of the traders participating in the chatrooms knew each other on a personal basis.”  For example, “one chatroom was called Essex Express ‘n the Jimmy because all the traders but ‘James’ lived in Essex and met on a train to London.” In addition, some of the traders “created the chatrooms and then invited one another to join, based on their trading activities and personal affinities, creating closed circles of trust.” Moreover, “[t]he traders, who were direct competitors, typically logged in to multilateral chatrooms on Bloomberg terminals for the whole working day, and had extensive conversations about a variety of subjects, including recurring updates on their trading activities.”

Under Article 101 of the Treaty on the Functioning of the European Union (TFEU) and Article 53 of the EEA Agreement, cartels and other restrictive business practices are prohibited.  The EC reported that its investigation established the existence of two distinct infringements of those provisions, concerning foreign exchange spot trading.  The first infringement – termed the “Three Way Banana Split” infringement – began on December 18, 2007 and ended on January 31, 2013.  It involved communications in three different, consecutive chatrooms (labeled “Three way banana split / Two and a half men / Only Marge”) among traders from UBS, Barclays, RBS, Citigroup, and JPMorgan. The infringement.

The second infringement – termed the “Essex Express infringement” – began on December 14, 2009 and ended on July 31, 2012.  It involved communications in two chatrooms (labeled “Essex Express ‘n the Jimmy” and “Semi Grumpy Old men”) among traders from UBS, Barclays, RBS, and Bank of Tokyo-Mitsubishi (now MUFG Bank).

The fines that the EC imposed reflected, in particular, the sales value in the EEA that the cartel participants achieved for the products in question, as well as the serious nature, geographic scope, and duration of the infringement.  The EC also stated that under its 2006 Leniency Notice, “UBS received full immunity for revealing the existence of the cartels.”  That disclosure enabled UBS to avoid what the EC calculated would have been an aggregate fine of approximately €285 million.

In the Three Way Banana Split infringement, the EC noted that “all banks involved benefited from reductions of their fines for their cooperation with the Commission investigation,” and that the reductions “reflect the timing of their cooperation and the extent to which the evidence they provided helped the Commission to prove the existence of the cartel in which they were involved.”  In the Essex Express infringement, the EC noted that “all banks except one benefited from reductions of their fines for their cooperation with the Commission investigation,” and that those reductions “reflect the timing of their cooperation and the extent to which the evidence they provided helped the Commission to prove the existence of the cartels in which they were involved.”  It also noted that MUFG Bank (formerly Bank of Tokyo-Mitsubishi) “did not apply for leniency.”  Finally, it explained that under its 2008 Settlement Notice, it “applied a reduction of 10% to the fines imposed on the companies in view of their acknowledgment of participation in the cartels and of their liability in this respect.”

Note: Compliance teams in financial institutions – not just those engaged in Forex trading – should brief senior executives about these EC decisions, and provide guidance about the specific kinds of trader behaviors that the EC evidently considered probative of collusive conduct.  Because other types of trading also involve rapid execution of transactions, compliance teams at firms that engage in one or more types of trading should also review their firms’ internal controls, to see whether brokers or traders participate in any online fora (like the chatrooms at issue in the Forex decisions), and if so, whether monitoring of brokers’ or traders’ participation in those fora is effective in detecting potential coordinating or collusive exchanges of information.

In its Forex release, the EC briefly commented that it “will continue pursuing other ongoing procedures concerning past conduct in the Forex spot trading market.”  Financial institutions doing business in the European Union, however, should expect that the EC’s Directorate-General for Competition would readily investigate similar conduct by other types of traders.