Author: Jonathan J. Rusch

On May 10, the U.S. Department of Justice announced that Banca IMI Securities Corp. (Banca IMI), a New York broker-dealer and subsidiary of Italian bank Intesa Sanpaolo, “pleaded guilty to an antitrust charge and was sentenced to pay a criminal fine in excess of $2 million for its involvement in a bid-rigging conspiracy for certain financial instruments.”

The Justice Department stated that “Banca IMI admitted, as part of its guilty plea, that from March 2012 until at least August 2014, it conspired with other institutions and individuals to submit rigged bids to borrow pre-release American Depository Receipts (ADRs).”  In particular, it said that

Banca IMI pleaded guilty to conspiring to borrow pre-release ADRs from U.S. depository banks at artificially suppressed rates.  During the conspiracy, a U.S. depository bank began using an auction-style process for pre-release ADRs and invited Banca IMI and other broker-dealers to submit competitive bids for rates to borrow ADRs.  In response, Banca IMI and its co-conspirators intensified their coordination in an effort to increase artificially their profits under the auction-style process.  On at least 30 occasions, Banca IMI reached an agreement with one or more co-conspirators as to the bids they would submit to U.S. depository banks.  On many occasions, the conspirators agreed that they all would submit the same bid.

Note: This is not Banca IMI’s first encounter with U.S. enforcement authorities in connection with pre-release ADRs.  In 2017, Banca IMI agreed to pay more than $35 million to the Securities and Exchange Commission (SEC) to settle charges that it violated federal securities laws when it requested the issuance of and received American Depositary Receipts (ADRs) without possessing the underlying foreign shares.  Nor is this the first recent enforcement action relating to pre-release ADRs, as several other leading financial institutions have also reportedly “settled charges of improper handling of pre-released ADRs with the SEC.”

It is curious that the Department did not specify the criminal offense to which Banca IMI pleaded guilty, other than the generic term “an antitrust charge.”  Nor did it specify the date of the plea, the federal judicial district in which the plea was entered, or the maximum sentence that could be imposed for the violation.  It is customary for the Department, in announcing pleas or trial convictions (including criminal antitrust prosecutions), to refer specifically to all four categories of information, for the sake of the media’s and the public’s understanding.  Although various media reports simply repeated the vague phrase “an antitrust charge” in reporting the plea, the underlying offense can only be section 1 of the Sherman Act, in the light of the Department’s allegations.

In any event, financial-institution compliance officers handling antitrust compliance issues should take note of the plea, and of the Justice Department’s indication that it and the FBI are continuing their investigation into bid rigging in the market for pre-release ADRs, in updating their internal guidance and training for executives.

On May 13, the Financial Times and other media reported that spyware created and marked by an Israeli technology firm, NSO Group, can exploit a security flaw in the popular messaging app WhatsApp “to insert malicious code and steal data from an Android phone or an iPhone simply by placing a WhatsApp call, even if the victim did not pick up the call.”

WhatsApp researchers reportedly found the flaw in early May, and identified the spyware as Pegasus, which NSO Group developed.  Previously, according to Forbes, Pegasus was found to exploit iOS vulnerabilities and install on iPhones to acquire “all communications and locations of the targeted iPhones,” including “iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype communications,” as well as Wi-Fi passwords.

In a public statement responding to these reports, WhatsApp did not name NSO Group, but commented that “[t]his attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”  It also encouraged people “to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.”  In addition, Facebook, which owns WhatsApp, posted details about the vulnerability for computing professionals.

Note: Given the reported sophistication of the spyware, Information-security teams at companies and government agencies should promptly circulate information about the WhatsApp vulnerability, including instructions on updating the app, to all employees.  Chief Information Security Officers (CISOs) should also emphasize to senior executives the importance of promptly installing the updates, and advise them to inform CISO team members of any unusual occurrences with any mobile device on which the executives have installed WhatsApp.

In the ever-widening wake of the Danske Bank scandal, a series of discussions has begun in European Union (EU) banking circles about possible information-sharing agreements to improve anti-money laundering (AML) oversight.

There are strong indications that bank regulators across the EU are actively discussing how they can share certain data related to customers.  According to Yahoo Finance UK, Marius Jurgilas, a Bank of Lithuania board member, said “that regulators from Sweden, Norway, Finland, Denmark, Estonia, Latvia, and Lithuania are in talks about sharing transaction-level banking data” as part of AML efforts.  Although he declined to provide specific examples of topics under discussion, Jurgilas stated that EU national regulators were discussing how “to create something better,” such as “sharing of data across the regulators, identifying illicit transactions by using transaction-level data across the region, and all of a sudden that region becomes the best ever in terms of risk management.”  (Jurgilas also briefly stated “that regulators were prioritising a joint investigation into all the banks involved in the [Danske Bank] scandal.”)

Confirming Jurgilas’s remarks, Bloomberg reported that Jesper Berg, Director-General of the Danish Financial Supervisory Authority (FSA), “has started lobbying counterparts elsewhere for a broader discussion” about secrecy of bank clients’ data.  Berg reportedly said that “it’s worth considering whether banks should be allowed to share reports of suspicious customers before the police confirm illegal activity, and that a common infrastructure for such reporting “could include ‘customers that have been thrown out of one bank, so they’re not allowed to go to the next bank’.”

Berg acknowledged that “huge privacy issues,” but declared that “we need to figure out how to resolve this.”  He also stated that “letting banks share data would be a more effective tool than creating a single European entity to target money launderers.”

Samu Kurri, head of the financial analysis and operational risks department at the Finnish FSA, seconded Berg’s proposal, calling it “extremely good and supportable.”  Kurri cautioned that this concept of authorizing banks to share data would “represent a fundamental change to traditional tight banking secrecy on a philosophical level”, and “would take very careful preparation to draw up.”

Philippe Vollot, Danske Bank’s head of compliance since October 2018, sounded another cautionary note.  He commented, according to Bloomberg, “that while it makes sense to share general information, privacy concerns make it more challenging to distribute suspicious-activity reports. The subject of such a report may ultimately be found innocent of any involvement.   Vollot also commented, “To have somewhere in the system a capacity that criminals would not be able to move from one financial institution to another – that would be something extremely effective to combat financial crime . . . . The issue here is the data privacy regulation, and it’s actually a philosophical debate about where does it start? Where do you draw the line?”

Note:  Regulatory and AML compliance teams at financial institutions in the EU and elsewhere should continue to watch for further indications that the idea of expanding AML-related information-sharing is gaining traction within the EU.  Key to those discussions, of course – as Vollot rightly indicated – is whether sufficient political will can be mustered to revise the General Data Protection Regulation (GDPR) to facilitate such information-sharing.  Any efforts to revise the GDPR would involve extraordinarily complex debates about how to strike a different balance between individual privacy and law enforcement or financial-sector needs.

As part of that debate, the EU would also need to take into account its Directive (EU) 2016/680, which applies to the processing and movement of personal data for purposes of prevention, investigation, detection, and prosecution of criminal offences.  Because Member States had until May 2018 to translate that latter Directive into law, they would have to revise their own domestic legislation implementing both Directives should the EU revise the GDPR.

At one point, the EU viewed the GDPR as meaning that “businesses benefit from a level playing field.” Thanks to the Danske Bank scandal, the EU and its Member States are starting to recognize that, as between financial institutions and criminals bent on exploiting them, the playing field is tilted very much in the criminals’ favor.  Releveling that playing field will require more than structural revisions in EU AML oversight.

Since 2017, when the European Union (EU) established the European Public Prosecutor’s Office (EPPO), the European law enforcement and business communities, as well as EU Member State governments,  have been watching the gradual development and implementation of the EPPO with great interest.

Although all EU Member States have their own national law enforcement agencies, and the EU has had the EU Agency for Law Enforcement Cooperation (Europol) and the EU Judicial Cooperation Unit (Eurojust) to address crimes affecting multiple Member States, the EU chose to create a Europe-wide prosecutor’s office because of two primary concerns.  First, it concluded that national criminal justice authorities were “currently not always sufficiently investigat[ing] and prosecut[ing]” criminal offenses affecting  to protect the EU’s financial interests against criminal offenses such as fraud, corruption, or serious cross-border value-added tax (VAT) fraud.  Second, it believed that “[e]xisting EU-bodies such as Eurojust, Europol and the EU’s anti-fraud office (OLAF) lack the necessary powers to carry out criminal investigations and prosecutions.”

When it established the EPPO, the EU expected that the EPPO would require a three-year build-up before it could begin operations.  That build-up appears to be on course for a November 2020 commencement of EPPO operations.  The EPPO’s structure envisions a division between strategic and operational functions, and between central- and national-level activities:

• Strategy and Operations: For strategy, the European Chief Prosecutor and two Deputies will head the EPPO, and a College of Prosecutors – consisting of one European Prosecutor per participating Member State – who will participate in decision-making “on strategic matters to ensure coherence, consistency and efficiency within and between cases.” For operations, the EPPO will have a Permanent Chambers of three prosecutors (two European Prosecutors and either the Chief Prosecutor, a Deputy, or another European Prosecutor) who will monitor and direct investigations and prosecutions by European Designated Prosecutors (EDPs) and make operational decisions (e.g., when to bring or dismiss a case), and EDPs (at least two per participating country), who will be responsible for investigating, prosecuting, and bringing to judgment cases within the EPPO’s competence.
• Central and National Levels: The central level will consist of the Chief Prosecutor, the Deputies, and the European Prosecutors to supervise investigations and prosecutions carried out at the national level. The national level will consist of the EDPs, who will be located in the participating Member States and “[a]s a rule” carry out the investigation and prosecution in their respective Member States.

Although the European Council and Parliament have yet to agree on the selection of the EPPO Chief Prosecutor, the EPPO has now begun hiring an estimated 117 staff members for its Luxembourg headquarters.  In addition, on May 9, the Luxembourg Government announced plans for the EPPO’s occupancy of an office building in Luxembourg City.

Note: The EPPO has made considerable progress to date in its operationalization, but EU watchers should expect that the most challenging aspects of its development lie ahead.  On the one hand, the European Commission has described the EPPO as “an independent and decentralised prosecution office of the European Union” that “will operate as a single office across all participating Member States and will combine European and national law-enforcement efforts in a unified, seamless and efficient approach.”

On the other hand, the EU Council, in Council Regulation (EU) 2017/1939, expressly contemplated “a system of shared competence between the EPPO and national authorities in combating crimes affecting the [EU’s] financial interests,” and invoked “the principle of sincere cooperation” in asserting that “both the EPPO and the competent national authorities should support and inform each other with the aim of efficiently combatting the crimes falling under the competence of the EPPO.”  It also specified that “the EPPO should be established from Eurojust, and implied there should be “a close relationship between them based on mutual cooperation.”

These two sets of aspirational statements may have been intended to be consistent.  In practice, they leave ample room for jurisdictional and operational conflicts, as the EPPO begins to take on investigation- and case-related decisionmaking that national-level law enforcement authorities have traditionally understood to be their province.  If the Council and Parliament can agree soon on a Chief Prosecutor, and overcome other sources of opposition, that official would do well to meet with national law enforcement authorities well in advance of November 2020.  The prime objective of those meetings should be to reduce suspicions and mistrust about how the EPPO intends to go about its day-to-day business, and how broadly the EPPO will define what constitutes day-to-day business.  Considering the level of tensions that have arisen just in the Chief Prosecutor section process, even that objective may prove a formidable task.

On April 24, the New York State Supreme Court (New York County) entered an ex parte order granting preliminary injunctive relief against cryptocurrency exchange Bitfinex, Bitfinex’s owner iFinex, and various corporate entities connected with the cryptocurrency tether.

The order stated that the court was granting injunctive relief “because alleged fraudulent practices of [the defendant companies] threaten continued and immediate injury to the public and that the potential dissipation of [those companies’] assets would render a judgment directing restitution or disgorgement ineffectual.”  The order also directed the defendant companies to produce an extensive array of documents, including various financial records, documents concerning Bitfinex users, accounts, clients, or customers and tether holders in New York, and “[i]dentification of all New York and United States customers of Bitfinex whose funds were provided to Crypto Capital and the amount of any such outstanding funds.”

This order stems from  an investigation by the New York State Attorney General’s Office (NYAG) into Bitfinex and tether that began in 2018.  Filings by the NYAG in connection with the order explained that Bitfinex, as a cryptocurrency trading platform,

allows New Yorkers to purchase and trade virtual currencies, including the so-called “tether” stablecoin, a virtual currency the companies long claimed was “backed 1-to-1” by U.S. dollars held in cash reserve.

The filings explain how Bitfinex no longer has access to over $850 million dollars of co-mingled client and corporate funds that it handed over, without any written contract or assurance, to a Panamanian entity called “Crypto Capital Corp.,” a loss Bitfinex never disclosed to investors.  In order to fill the gap, executives of Bitfinex and Tether engaged in a series of conflicted corporate transactions whereby Bitfinex gave itself access to up to $900 million of Tether’s cash reserves, which Tether for years repeatedly told investors fully backed the tether virtual currency “1-to-1.”

According to the filings, Bitfinex has already taken at least $700 million from Tether’s reserves.  Those transactions – which also have not been disclosed to investors – treat Tether’s cash reserves as Bitfinex’s corporate slush fund, and are being used to hide Bitfinex’s massive, undisclosed losses and inability to handle customer withdrawals.  The Office’s filings further detail how the companies obfuscated the extent and timing of these corporate transactions during the Office’s investigation.

Previously, in 2018 Bitfinex had maintained that the $850 million was deposited with Crypto Capital Corp. “and then, through no fault of Bitfinex’s, seized by government authorities in the U.S., Poland and Portugal.”

In its public response to the court order, Tether made three principal assertions.  First, the NYAG’s court filings  “were written in bad faith and are riddled with false assertions, including as to a purported $850 million ‘loss’ at Crypto Capital.”  Second, the $850 million entrusted to Crypto Capital “are not lost but have been, in fact, seized and safeguarded.” Third, “[b]oth Bitfinex and Tether are financially strong – full stop.”

At a May 6 hearing, New York State Supreme Court Justice Joel Cohen criticized the injunction as “vague, open-ended and not sufficiently tailored to precisely what the AG has shown will cause imminent harm,” adding, “I think it’s both amorphous and endless.”  Accordingly, Justice Cohen gave the parties one week to agree on what the scope of the injunction should be.

Note: The developments to which the Supreme Court’s order relates provide a concrete example of why the financial sector remains exceedingly wary of cryptocurrency firms and exchanges.  Bitfinex and Tether Ltd., both of which iFinex controls, have reportedly been the target of scrutiny by the U.S. Department of Justice and the Commodity Futures Trading Commission for more than a year — in part because of allegations that both companies were involved in efforts to manipulate the price of Bitcoin in 2017.  As for Crypto Capital, it has reportedly been “slowly emerging as the central bank of the crypto industry,” facilitating banking services to cryptocurrency firms and exchanges (including Bitfinex) even as traditional financial institutions shy away from cryptocurrency business..

While the NYAG investigation, and the related litigation, are likely to run for some time, an apparently related case may reveal additional details about the disputed $850 million.  On April 30, the United States Attorney’s Office for the Southern District of New York announced the arrest of Arizona businessman Reginald Fowler on charges of bank fraud and operating an unlicensed money transmitting business, as well as the unsealing of an indictment against Fowler and co-conspirator Ravid Yosef, who remains at large.

The United States Attorney’s Office alleged that

FOWLER and YOSEF, who worked for several related companies that provided fiat-currency banking services to various cryptocurrency exchanges (the “Crypto Companies”), allegedly participated in a conspiracy in which FOWLER made numerous false and misleading statements to banks to open bank accounts that were used to receive deposits from individuals purchasing cryptocurrency, and in which FOWLER and YOSEF falsified electronic wire payment instructions to conceal the true nature of a voluminous cryptocurrency exchange business.  Hundreds of millions of dollars flowed through the Crypto Companies’ accounts from banks located across the globe.

The indictment also contains forfeiture allegations that include detailed references to the government’s 2018 seizures of funds in bank accounts held by Fowler and Global Trading Solutions LLC.  The cryptocurrency news website The Block recently reported that Fowler owned Global Trading Solutions, and that Global Trading Solutions was an agent for Crypto Capital.  In addition, Bloomberg reported that federal prosecutors, in a May 1 filing, stated that “interviews conducted during their investigation have ‘corroborated in part’ that companies affiliated with [Fowler] may have failed to return $851 million to an unnamed client . . . .”

If the Justice Department can obtain a plea and prompt cooperation from Fowler, that could expedite both federal and state investigations of Bitfinex and Tether.  In the meantime, even as Bitfinex has seen a withdrawal of at least $430 million from its cold wallets after the NYAG announcement, it reportedly plans “to raise up to $1 billion from investors to shore up its financials through an initial exchange offering.  Time – and the market, and the judicial process – will tell.