Author: Jonathan J. Rusch

On March 8, the United Kingdom House of Commons Select Treasury Committee published a report on economic crime that focused on anti-money laundering (AML) supervision and sanctions implementation in the United Kingdom.  The report, which received unanimous approval by the Committee, was critical of the United Kingdom’s “fragmented approach to AML supervision.”

The Committee report contained numerous key findings and recommendations:

• The Threat of Economic Crime:
  • The scale of economic crime – which the National Crime Agency (NCA) defines as covering a range of crime, including money laundering, crimes covered by the NCA’s International Corruption Unit (ICU) (e.g., foreign bribery and related money laundering), fraud, and counterfeit currency – is “difficult to ascertain and official estimates of the scale of economic crime are highly uncertain.”
  • It “can reasonably be said to run into the tens of billions of pounds, and probably the hundreds of billions,” but “the upper bound of the estimate is unknown.”
  • Because the United Kingdom “holds a prime position in global financial services, with the City of London a dominant financial centre,” recent moves by the United Kingdom Government to keep the City “clean” “are welcome, but must be sustained.”
  • Given the United Kingdom’s expected departure from the European Union (EU), the Government should retain or replicate “the arrangements with the EU to maintain the flow of information between the UK and EU member states’ law enforcement agencies on economic crime,” and the Government should “work to develop strong relationships with other countries and strengthen mutual information sharing and law enforcement power.”
  • Recognizing the substantial amount of time between the Financial Action Task Force’s mutual evaluation review of the United Kingdom’s anti-money laundering and counter-terrorist financing systems, the Government should “institute[e] a more frequent system of public review of the UK’s AML supervision, and law enforcement, that will ensure a constant stimulus to improvement and reform. This review should take a holistic view of the entire system, rather than be undertaken by each individual component supervisor or agency.”
• Fragmented Approach to AML Supervision:
  • The “fragmented nature” of the United Kingdom’s AML supervisory regime is reflected in the fact that there are 25 entities currently responsible for AML supervision.
  • While the property sector “poses a risk from an anti-money laundering perspective . . . the AML supervisory regime around property transactions is complicated.” HM Revenue and Customs (HMRC) should “carr[y] out further work to ensure estate agents are registered with them and following best anti-money laundering practice.”
  • As “[t]here is a clearly identified risk that company formation may be used in money laundering” and “there appears to be a number of unsupervised entities engaged in company formation,” HMRC should identify and deal with them “as a matter of urgency.”
  • Companies House, whose role is to incorporate and dissolve limited companies and register company information and make it available to the public, has a number of weaknesses in the controls around the information it houses, including not being required to carry out AML checks and not rigorously checking the “people with significant control” (PSC) register. Accordingly, “[t]he Government must urgently consider reform of Companies House to ensure it has the statutory duties and powers to ensure it plays no role in helping those undertaking economic crime . . . .”
  • There should be “a sharp focus on the supervision of the core financial services,” and the Financial Conduct Authority (FCA) should “keep up a constant pressure” on those businesses “and take appropriate enforcement action against them.”
• Other Issues:
  • Resources: “The resources to combat economic crime available to the private sector dwarf those currently available to the public sector.” Because of concern for maintaining public-sector expertise to combat economic crime, considering the salaries available in the private sector, “[t]he Government and public sector bodies should consider whether there is the pay flexibility available to ensure that the appropriate skills are maintained.”
  • Suspicious Activity Reports: The program for reform of the Suspicious Activity Reports (SARs) system is “an exceptionally important piece of work for the AML regime.” Reform “should focus on increasing the number of SARs reports by those outside the core of the financial system, the so-called enablers.”
  • Politically Exposed Persons: The Government should create a centralized database of Politically Exposed Persons (PEPs) for the use of those registered by AML supervisors.
  • “Derisking”: The Government should publish its strategy on how to address disproportionate derisking strategies within six months.
• Legislative Reform:
  • On corporate criminal liability, in view of “clear evidence that legislative reform is required to strengthen the hand of law enforcement in the fight against economic crime,” the Government should set out “a timetable for bringing forward legislation to improve the enforcement of corporate liability for economic crime,” taking into account the Serious Fraud Office’s suggested reforms.
• Financial Sanctions:
  • The Government should review the effectiveness of the Office of Financial Sanctions Implementation (OFSI), which has been in existence for only a year and a half, two years after its formation.
  • Recognizing that “certain elements of Russian money” have had “a malign influence” on the United Kingdom financial system, the Government “must achieve a balance between focussing on financial flows from one country, while not distorting the AML system, and creating a risk that other criminals slip by while attention is focussed on individuals with a specific nationality.”
  • “The United Kingdom’s departure from the European Union could allow additional flexibility in its use of sanctions, though there will always be a need to ensure a multilateral approach.”

The Committee also posted a complete list of its conclusions and recommendations.  It plans to issue a second report on economic crime, focusing on consumers and economic crime, later in 2019.

Note: This report provides a thorough and detailed review of the state of affairs with the United Kingdom’s response to money laundering.  While it is consistently methodical in its analysis and temperate in tone, it constitutes a wide-ranging criticism of the United Kingdom Government’s attention and dedication of resources to the problem.  That criticism – coupled with the recent disclosure that there had been no prosecutions under the United Kingdom money-laundering regulations between their inception in June 2017 and October 2018 – should prompt the Government to undertake comprehensive improvements in and support for its AML regime, particularly if Brexit results in decoupling the United Kingdom from the EU and its own AML initiatives.

On March 5, identity intelligence company 4iQ announced the release of its report on identity-breach trends in 2018, titled “The Changing Landscape of Identities in the Wild: The Long Tail of Small Breaches.” The report, which drew on large amounts of breached and leaked data found from open sources in the surface, deep, and dark web, saw “a significant shift from attacks on not just large companies, but increasing attacks on a greater number of small businesses – the long tail – as hackers targeted unsophisticated and unsecured small businesses and supply chain vendors .”

4iQ’s specific findings about identity-breach trends included the following:

• There were 12,449 new and authentic breaches and leaks in 2018, reflecting a 424 percent increase from 2017. That total translates to 1,037 breach every month, or 34 breaches every day.
• The average breach size in 2018, however, was 216,884 records, 4.7 times smaller than in 2017. 4iQ interpreted these results to indicate that hackers were both more willing and able “to attack larger numbers of smaller targets.”
• 9 billion raw identity records circulated across the web – a 71 percent increase from the 8.7 billion raw identity records circulating in 2017. After 4iQ curated (i.e., analyzed, normalized, and cleansed) the raw data, it found approximately 3.6 billion records that were real and new – a 20 percent increase from 2017’s total of 3 billion curated identity records.  4iQ characterized 2018 as “a record year for breaches caused by open devices, with a much larger number of accidental exposures than exposures due to hacking.”
• “Government Agencies” had the largest growth as an exposed industry in 2018, increasing 291 percent from 2017. On this point, 4iQ specifically noted that “[f]or the first time we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio.”  It also observed that numerous 2018 data dumps from the United States, China, and Russia exposed citizen data and voter records as well as financial and customer databases.
• The top five exposed industries included forums and referral sites (27.5 percent), government agencies (12.2 percent), gaming and gambling (11.8 percent), e-commerce (11.7 percent), and education and academia (9.2 percent).
• “The circulation and repackaging of username and password databases into “Combo Lists” has seen a sharp increase in 2018.” One Combo List form May 2018 that 4iQ reviewed contained 98 gigabytes of data; another Combo List from January 2019 contained 1 terabyte of data including 1.82 billion credentials.
• North America was the continent with the greatest percentage of curated breaches (37.2 percent), followed by Asia (34.5 percent), Europe (17.8 percent), South America (9.9 percent), Oceania (4.2 percent), and Africa (0.18 percent).  4iQ “saw breach exposure growth in China, Russia, Vietnam, Japan, and Brazil” since 2017.
• Examples of data for sale included a file with 21 million identities from Peruvian citizens that could be used to make fake identity cards, tax data, passport images, and health and auto insurance cards.

Note: In cybersecurity, it is easy for cybersecurity experts and compliance officers, in conceptualizing data-breach risks, to fall back on the availability heuristic and define the problem in terms of data breaches associated with leading brands, such as Marriott Starwood, Cathay Pacific, and Facebook in 2018.  The 4iQ report is instructive in demonstrating that while companies and agencies of all sizes and in all sectors should be concerned about the overall growth of identity breaches in 2018, small- and medium-size enterprises should take particular note of the increased likelihood that they can be targeted for data breaches and take action to bolster their cyber defenses accordingly.

On March 17, the anti-corruption organization Global Witness announced that its analysis of HM Land Registry data showed that anonymous companies registered in tax havens own more than 87,000 properties in England and Wales.  It also stated that “[t]he value of these properties is at least £56 billion according to Land Registry data – and likely to be in excess of £100 billion when accounting for inflation and missing price data.”

The Global Witness analysis found that 40 percent of the anonymously owned properties that it identified are in London.  Within London, the areas with the highest number of anonymously owned properties (as of March 2019) are 10,000 in Westminster, 5,729 in Kensington and Chelsea; 2,320 in Camden; and 1,930 in Tower Hamlets.

Note: Since 2016, the United Kingdom Government has made available, through the public register at Companies House, a public central register of company beneficial-ownership information for companies incorporated in the United Kingdom.  The Government, however, has yet to implement its proposal of a public central register for company beneficial-ownership data for non-United Kingdom companies.

It is encouraging to see the Government’s increasing use of its Unexplained Wealth Order authority to reveal ownership of property by persons reasonably suspected of involvement in, or of being connected to a person involved in, serious crime.  But that authority, as valuable as it is for law enforcement, is no substitute for a comprehensive and complete listing of beneficial ownership.   If the Government wants, as Minister of Security Ben Wallace put it, “the ‘full force of the government’ to bear down on criminals and corrupt politicians using Britain as a playground and haven,” and to constrict the laundering of an estimated £90 billion each year, it needs to deploy a comprehensive public register that pieces the veil of foreign ownership of United Kingdom properties and provides much-needed transparency.

There is no guarantee that this latest Global Witness analysis will prompt the Government to reverse course on its recent decision to pull the debate and votes on a bill that would expand public-register requirements to British overseas territories.  It may, however, keep alive debate about the importance of a more extensive public central register, as part of a comprehensive Government response to the problems of money laundering and tax evasion.

Since last November, when President Trump signed an Executive Order that authorized sanctions directed at Venezuela’s gold sector, officials in Venezuelan President Nicolas Maduro’s administration have tried multiple routes to move large quantities of Venezuelan gold reserves out of the country, to relieve the considerable financial pressures on the regime.  In late January, Venezuelan authorities shipped three tons of gold to the United Arab Emirates (UAE), reportedly as the first step in a plan to fly up to 29 tons of gold reserves to the UAE and to sell them for cash in euros.  Even after plans for that larger shipment were canceled, Maduro’s team has continued to search for international gold buyers willing to risk running afoul of U.S. sanctions.

The latest chapter in this saga began on February 27, when, according to Reuters, a Venezuelan opposition leader and government sources stated that at least eight tons of gold had been removed from the Venezuelan Central Bank’s vaults.  At the time, those sources did not indicate that they knew where that quantity of gold was headed.

That mystery now appears to have been solved.  Today The Times reported that in early March, two flights from Venezuela had delivered a total of 7.4 tons of gold into Uganda.  Entebbe-based African Gold Refinery (AGR)  – the largest gold refinery in East Africa – received one shipment of 3.8 tons on March 2, and a second shipment of 3.6 tons on March 4, “neither of which are said to have passed through customs.”  When Ugandan police raided AGR on March 7, they reportedly found the March 2 shipment missing, but the March 4 shipment is now in the custody of the Ugandan central bank.

This report indicates the extreme lengths – in logistical and geographic terms — to which the Maduro regime is apparently willing to go to ensure its own survival, even at the cost of inflicting long-term damage to the nation’s economy.  The larger mystery is now whether the opposition can win control of the country before Maduro can exhaust the remaining 140 tons of gold reserves in his central bank or succeed in repatriating the 31 tons of Venezuelan gold that the Bank of England has in its vaults.

On March 5, FINRA announced that it had fined financial services firm Cantor Fitzgerald & Co. (Cantor) $2 million for violations of SEC Regulation SHO (Reg SHO) —  which addresses concerns regarding persistent failures to deliver and potentially abusive “naked” short selling — and supervisory failures spanning a period of at least five years, from January 2013 through December 2017.

FINRA found that, during that five-year period, “Cantor’s supervisory system, including its written supervisory procedures (WSPs), was not reasonably designed to achieve compliance with the requirements of Reg SHO.”  It specifically identified the following examples of those deficiencies and failures:

• Use of Manual System to Supervise Reg SHO Compliance: FINRA found that in light of Cantor’s business expansion and increased trading activity – which more than doubled over just two years, from 35 billion shares in 2013 to 79 billion shares in 2014 – its use “of a predominantly manual system to supervise its compliance with Reg SHO was not reasonable.”
• Failure to Address Deficiencies by Compliance Personnel Over Multiple Years: FINRA found that

Cantor’s compliance personnel identified red flags in 2013, 2014 and 2015 indicating that the firm had systemic issues with Reg SHO and that its supervisory systems were not reasonably tailored to its business. While Cantor made some changes, it did not adapt and enhance its supervision to address the deficiencies its personnel identified, commit additional staffing to monitoring its compliance with Reg SHO, or implement WSPs relating to its new lines of business until 2016.

• Ineffective Enhancements: FINRA found that “Cantor’s enhancements to its supervisory systems and procedures were not fully effective. For example, Cantor failed to identify fails-to-deliver in accounts that were not monitored by its supervisory systems.”
• Failure to Remediate Timely: FINRA also found that

Cantor failed to timely remediate issues identified by its personnel. This was not reasonable considering, among other things, the firm’s prior disciplinary history relating to Reg SHO. As a result, Cantor did not timely close-out at least 4,879 fails-to-deliver, and routed and/or executed thousands of short orders in those securities without first borrowing (or arranging to borrow) the security or issuing notice of the need for a pre-borrow to the broker-dealers for whom it cleared and settled trades.

Cantor neither admitted nor denied the findings, but consented to the entry of FINRA’s findings.  In addition, as part of the settlement, Cantor agreed to retain an independent consultant to conduct a comprehensive review of the firm’s policies, systems, procedures, and training related to Reg SHO.

Note: In its Letter of Waiver, Acceptance and Consent, FINRA noted that Cantor had made efforts to improve its supervisory systems, including hiring a new Chief Compliance Officer (CCO) in April 2015, creating a Reg SHO working group in the fall of 2015, and seating additional compliance personnel on the trading floor.  Nonetheless, the fact that Cantor, according to the findings, continued to engage in misconduct for more than 2 ½ years after the hiring of the new CCO suggests a deeper problem with the firm’s culture of compliance during that period.

In one sense,  Cantor was fortunate that its compliance failures involved Reg SHO.  Had the program in question involved a higher-profile category of compliance, such as anti-money laundering (AML), the kinds of systematic program failures that FINRA identified could well have resulted in criminal or civil penalties amounting to tens of millions, even hundreds of millions, of dollars.

Even so, CCOs in financial services firms should regard this resolution as a reminder that each specific compliance program under his or her supervision needs to be appropriately resourced and implemented to show regulators that all of those programs are effective, and that senior management needs to understand that fact.  Regulators will not average the results of each component of a firm’s compliance program — giving, so to speak, an A to its anti-bribery program, a C to its AML program, and an F to its broker-dealer program – and conclude that each component is entitled to an overall passing grade.  Systemic, long-term supervisory failures and ignoring of red flags in any particular compliance program is virtually guaranteed to invite enforcement action by the relevant regulator or law enforcer.