BMW, Daimler, and Volkswagen May Face Fines of Up to €50 Billion for Conducting Cartel to Conceal Diesel-Emissions Cheating

Today, The Times reported that leading German automakers BMW, Daimler, and Volkswagen “are facing fines of up to €50 billion as the European Commission [(EC)] investigates claims that they conspired as a cartel to cover up their cheating on diesel emissions.”  The article cited a report that Margrethe Vestager, the EC Commissioner who oversees the Directorate-General (DG) for Competition, is preparing to send the three companies “a formal letter of complaint that would be a prelude to heavy penalties.”  Once the EC completes its work, reportedly in the spring of 2019, the penalties it could levy under EU competition law could be as much as “10 per cent of each company’s annual turnover, which last year amounted to a combined total of nearly €500 billion.”

The Times explained that “German prosecutors suspect that the car manufacturers not only systematically gamed pollution tests on their diesel engines but also colluded over at least eight years to conceal their actions from the authorities.”  According to The Times, the German business newspaper Handelsblatt obtained a substantial quantity of emails indicating “that the three carmakers were aware that their vehicles were emitting illegal levels of nitrous oxide and nitrogen dioxide at least 12 years ago.”  Although German automotive engineers had devised a method of reducing those levels by washing a cleaning fluid known as Adblue through a car engine after the combustion process, “this method turned out to be prohibitively expensive and left potentially damaging residues in the machinery.”

This reportedly led to a “crisis meeting” in Munich between representatives of the three German companies in 2007.  The representatives “allegedly made a pact to limit their use of Adblue and to cover up their tracks,” as reflected in various emails, such as:

  • An email circulated within BMW after the meeting “is said to have included a warning that its contents should ‘by no means be shown to the authorities’.”
  • In January 2008, an Audi manager “allegedly wrote to his colleagues in an email with the subject line Adblue consumption: ‘My verdict: we won’t make it without cheating’.”
  • A subsequent email in 2008 by “another senior developer at Audi apparently warned Volkswagen executives that the Adblue taskforce’s conclusions were ‘not to be mentioned in any way’ to American environmental regulators.”

Handelsblatt also stated that the three companies, seeking to expand their U.S. market share, reached an agreement to put smaller Adblue tanks in their vehicles.

Note: The DG-Competition investigation, which began in September 2018, appears to be part of a broad-based enforcement program by the EC directed at cartel behavior in the German automotive industry.  Just yesterday, the EC announced that it was fining Autoliv and TRW, two car safety equipment suppliers, a total of €368,277,000 ($416,851,000) for their participation in two cartels for the supply of car seatbelts, airbags, and steering wheels to the Volkswagen and BMW Groups.  The EC stated that because those two carmakers sell approximately three out of every ten cars bought in Europe, the cartel behavior “is likely to have had a significant effect on European customers.”

Even though Commissioner Vestager has yet to make a final decision regarding the three German automakers’ own cartel behavior, both she and the companies must be mindful that in its emissions-cheating scandal, Volkswagen paid a total of $25 billion in fines, penalties, and restitution in the United States, but nothing to authorities in Europe, where it sold nearly 14 times as many diesels.  The DG-Competition will likely have little patience with the three companies’ allegedly compounding diesel-emissions cheating with concerted action to conceal that cheating.

APWG Issues 4Q 2018 Report on Phishing Trends

On March 4, APWG (formerly the Anti-Phishing Working Group) released its report on phishing trends for the fourth quarter of 2018.  The report included the following key trends and developments:

  • Phishing Sites: In Q4, APWG detected 138,328 phishing sites. This continued the steady decline in phishing sites over Q1 (263,538), Q2 (233,040), and Q3 (151,014), and amounts to only 52 percent of the Q1 total.  As was the case in Q3, APWG members still detected an increased number of redirectors before the phishing landing page, and after the victim submitted his or her data, “in an effort to obfuscate phishing URLs from detection.”
  • Phishing Reports: In Q4, 239,910 phishing reports were submitted to APWG, slightly lower overall than Q2 (262,704) and Q3 (264,483).
  • Most-Targeted Industry Sectors: According to MarkMonitor data, phishing that targeted software as a service (SaaS) and Webmail services’ brands increased dramatically, from 20.1 percent of all attacks in Q3 to nearly 30 percent in Q4. In contrast, attacks against cloud storage and file hosting sites continued to decrease, from 11.3 percent of all attacks in Q1 to 4 percent in Q4.
  • Use of Domain Names for Phishing: 6,718 confirmed phishing URLs reported to APWG in Q4 were hosted on 4,485 unique second-level domains.  The highest-ranked Top Level Domain (TLD) used for phishing was the legacy globalTLD .com, which accounted for 2,098 unique domains for phishing.
  • Use of HTTPS Encryption Protocol: APWG contributor PhishLabs found that in 4Q, for the first time since it began measuring use of the HTTPS encryption protocol by phishing sites, the number of phishing sites protected by HTTPS fell slightly to 47 percent of all phishing sites. That 47 percent, however, is still the second-highest percentage (other than 3Q 2018) since Q1 2015.
  • Phishing Kits with “Black Friday” Theme: In November 2018, Brazil-based firm Axur saw phishing kits being sold with a Black Friday [November 23, 2018] theme. Phishing kits are software packages that allow a phisher to set up phishing sites, send out spam messages to lure in victims, collect the data from the victims, and other useful capabilities. This kind of phishing is very popular in Brazil during the week preceding Black Friday and it affects the country’s main e-commerce companies.

Note: Chief Information Security Officers (CISOs) and Chief Compliance Officers (CCOs) should share this information with their respective teams.  Because cybercrime techniques change so quickly, information that identifies critical trends affecting particular business sectors needs to be disseminated quickly as well.

Revolut Faces Financial Conduct Authority Inquiry Into Sanctions Compliance Controls and Belatedly Acknowledges CFO Resignation

Within the past week, The Telegraph published several articles reporting on two issues involving compliance and governance at digital bank startup Revolut Ltd.  First, on February 28, it reported that the London-based firm, which offers a variety of retail financial-services products through its app, had failed “to block thousands of potentially suspicious transactions on its platform, due to Revolut’s switching off an automated system designed to stop dubious money transfers” between July and September 2018.  The report speculated that “thousands of illegal transactions may have passed through [Revolut’s] system” during that period.

On March 1, The Telegraph stated that Revolut launched an internal investigation in late 2018 after a whistleblower contacted its board about “serious issues with its sanctions screening system.”  It reported that Revolut’s head of legal drafted a letter to the FCA that detailed the change, but that “a decision was made internally not to send the document.”

On March 1, the Financial Conduct Authority acknowledged that it had been in contact with Revolut “to understand and assess the issues” that the Telegraph reporting raised. It further stated that it “expects all firms to have appropriate systems and controls in place at all times to monitor and counter the risk their services are abused for financial crime.”  A Revolut spokesman stated that “the company investigated after a whistleblower went to Revolut’s board with concerns that the sanctions compliance system had been turned off.”

Second, on March 1, The Telegraph reported that Peter O’Higgins, Revolut’s Chief Financial Officer, had resigned from the company in January 2019.  It said that Revolut confirmed that O’Higgins, an experienced financial-services executive who had been at Revolut since 2016, “quit the company at the start of the year.”  A Revolut spokesman separately responded that O’Higgins had left the company, but asserted that “there is no relation whatsoever to the compliance issue suggested by The Telegraph.”

The founder and Chief Executive Officer, Nik Storonsky, responded with a blog post, entitled “Let me set the record straight,” on both the compliance-controls issue and O’Higgins’s resignation.  On the compliance issue, Storonsky characterized The Telegraph’s reporting as “some misleading information in the media relating to our compliance function.”  He explained that in July 2018

we rolled out a more advanced sanctions screening system in parallel with our existing controls. Like any other technology company, we’re always looking to improve our systems.

During the initial testing stage of these new systems, we decided that they were not calibrated to a standard that we would expect, so we therefore decided to temporarily revert to our existing controls, while we continued to enhance the new systems. In our view, the new systems were imprecise and were resulting in too many false positive cases, which in turn resulted in an increase in customer dissatisfaction.

He also stated that

[a]t no point during this time did we fail to meet our legal or regulatory requirements. We conducted a thorough review of all transactions that were processed during this time, which confirmed that there were no breaches. Unfortunately, this fact was not included in the original news story. This roll-out did not result in a breach of any sanctions or money laundering laws and requirements – so we did not send a formal notification to the regulator.

With regard to O’Higgins’s resignation, Storonsky explained that O’Higgins’s decision to resign was unfortunately “caught up” in the media coverage on the compliance issue:

Any suggestion that Peter’s resignation is in any way, shape or form connected to this roll-out is utterly false and damaging. Peter has since expressed to me that he has been hurt by this suggestion and sad that his departure has been tainted in this way.

In reality, Peter has decided to step down on the basis that he feels that the business will require someone with global retail banking experience as we prepare to apply to become a licensed bank in multiple jurisdictions.

Storonsky added that the Revolut team “will be sad to see Peter go,” but respect his decision to step down, and expressed his gratitude to O’Higgins “for his commitment, enthusiasm and accomplishments” over his three-year tenure.

Note: These reports are the latest in a spate of unwelcome publicity for Revolut in the past month.  On February 8, Revolut admitted that in its series of London Underground ads, precise data in the text about the spending habits of users of its app were “just made up.”  On February 28, Wired reported, based in part on interviews with former company staff, that Revolut’s dramatic growth “has come at a high human cost – with unpaid work, unachievable targets, and high-staff turnover.”

As of this writing, the FCA has not made any determination about whether Revolut’s changeover of its sanctions compliance system last year involved a compliance breakdown.  At a minimum, other companies should treat this situation as a reminder that whenever they need to revise or test any compliance system, such as anti-money laundering or sanctions, that requires constant screening of specific financial transactions, they need to be certain that they do not lose transaction data or fail to review those data in a timely manner, so that they do not process prohibited transactions.

In his post, Storonsky wrote that although they reverted to their existing controls for a time, they “conducted a thorough review of all transactions that were processed during this time” and found no breaches.  Storonsky, however, did not specify how promptly that review occurred.  Even if the facts bear out Storonsky’s statement that they found no breaches, the FCA will undoubtedly want to determine whether there were significant delays in that review that could have allowed prohibited transactions to clear through Revolut’s app.

Storonsky’s statements about O’Higgins’s resignation also warrant a closer look.  At several points in his post, he used conditional, perfect, and future tenses to refer to that action (emphasis supplied):

  • “Yesterday, it was reported that my friend, Peter O’Higgins, would be stepping down as our Chief Financial Officer . . . .”
  • “ . . . Peter has decided to step down on the basis . . . .”
  • “ . . . myself and the wider team will be sad to see Peter go . . . .”

If, as The Telegraph reported, O’Higgins quit Revolut at the start of 2019, these statements by Storonsky are needlessly misleading.  Regardless of the reasons for a senior executive’s departure, if an executive has in fact left, the company needs to inform the public (and potentially regulators) promptly that he or she has departed, and not to imply that the departure is a future event.  For Revolut to fail to report a C-level executive’s departure for a month or more, then to issue statements by its CEO that suggest the executive has not yet done so, can only invite additional scrutiny from regulators.

European Banking Authority Opens Investigation into Estonian and Danish Financial Services Authorities Relating to Danske Bank

On February 19, the European Banking Authority (EBA) announced that on February 18, it had opened a formal investigation into a possible breach of European Union (EU) law “by the Estonian Financial Services Authority (Finantsinspektsioon) and the Danish Financial Services Authority (Finanstilsynet) in connection with money laundering activities linked to Danske Bank and its Estonian branch in particular.”

This announcement is the second step in a process that began with a September 21, 2018 letter from Tiina Astola, Director-General of the European Commission (EC) Directorate-General Justice and Consumers, to Andrea Enria, then EBA Chairman.  In her letter, Director-General Astola took note of Danske Bank’s September 19, 2018 issuance of its internal investigation into money-laundering activities through its Estonian branch.  In that regard, she referred to provisions of the EU’s Fourth Anti-Money Laundering Directive, including Article 48.  Article 48 directs EU Member States, in pertinent part, to “require the competent authorities to monitor effectively, and to take the measures necessary to ensure, compliance with this Directive,” and “ensure that the competent authorities have adequate powers, including the power to compel the production of any information that is relevant to monitoring compliance and perform checks, and have adequate financial, human and technical resources to perform their functions.”

Director-General Astola then addressed three principal concerns:

  1. Finantsinspektsioon: Astola raised questions regarding the extent and depth of Finantsinspektsioon’s inspections of the Estonian branch’s anti-money laundering (AML) compliance, and whether “sanctions were applied in an appropriate way”;
  2. Finanstilsynet: Astola stated that “[t]he actions of the Danish [AML] supervisor, as the one responsible for the compliance with group-wide AML/CFT policies and procedures remain unclear and raise questions as to whether the Danish supervisor carried out effective supervision of the Danske Bank group.”
  3. Finantsinspektsioon-Finanstilsynet Information Exchange: Astola remarked that Finantsinspektsioon “notified their Danish counterparts of the exposure of Danske Bank’s branch to non-resident deposits,” and questioned “whether the exchange of information between the two supervisors was adequate and relevant, given that the AML problems at the Danske Bank Estonian branch did not relate only to non-resident deposits.”

Accordingly, Astola requested that the EBA “investigate this possible breach or non-application of Union law both by the Estonian as well as the Danish supervisors.”

Under Article 17 of the EBA’s founding regulation, Regulation (EU) No 1093/2010 (as amended), upon request of one or more “competent authorities” (e.g., national financial supervisory agencies), “the European Parliament, the Council, the Commission or the Banking Stakeholder Group, or on its own initiative, and after having informed the competent authority concerned, the [EBA] may investigate the alleged breach or non-application of Union law.”  Each competent authority in question must provide the EBA, “without delay, . . . with all information which the [EBA] considers necessary for its investigation.”  The EBA “may, not later than 2 months from initiating its investigation, address a recommendation to the competent authority concerned setting out the action necessary to comply with Union law.”  Thereafter, the competent authority has only 10 working days from receipt of the EBA’s recommendation to inform the EBA “of the steps it has taken or intends to take to ensure compliance with Union law.”

On the basis of its preliminary inquiries into both competent authorities, the EBA notified the EC on February 18 that it had opened a formal Breach of Union Law Investigation under Article 17.

Note: The EBA’s investigation represents a new escalation of the scrutiny to which authorities are subjecting the actions relating to the Estonian branch’s massive channeling of apparently laundered funds.  While criminal authorities in Europe and the United States are already conducting criminal investigations of Danske Bank, the EBA’s action indicates that the EU, with EC support, is preparing to hold national AML regulators accountable for their failure to conduct adequate supervision of Danske Bank.

Given the two-month timeframe for the EBA’s recommendations to Finantsinspektsioon and Finanstilsynet and the 10-day timeframe for their responses, Danske Bank watchers can expect significant next steps to be announced by the latter part of April and early May.  Depending on the degree of severity of its findings, the EBA’s recommendations could implicate not only the two financial services authorities, but by extension their respective national governments if the EBA concludes that the competent authorities lacked adequate powers and resources to do their jobs effectively.

Decline in United Kingdom Prosecutions Bodes Poorly for Fraud Enforcement

On February 21, the United Kingdom Ministry of Justice published its Criminal Justice Statistics quarterly report for England and Wales for the year ending September 2018.  The report stated that while the conviction ratio for court prosecutions increased to 87 percent – the highest such ratio in a decade – the total number of defendants prosecuted fell 4 percent to 1.37 million.

The report also observed that the 4 percent decline in overall prosecutions (compared to the preceding year ending September 2017)

is primarily driven by a 12% decrease in defendants prosecuted for indictable offences, continuing the downward trend seen since 2011. Compared to the previous year, there have been decreases in prosecutions for all indictable offence groups except possession of weapons, where there was a 2% increase.

It also reported that 1.19 million offenders were convicted during the 2017-2018 reporting period, reflecting a 3 percent fall from the previous year.  It noted that “[a]s with prosecutions, this decrease is driven by a fall in convictions for indictable and summary motoring offences (down 12% and 2% respectively) and there have been decreases in convictions for all indictable offences apart from possession of weapons, which continue to show an increasing trend.”

What this report does not clearly state is that, as The Times reported, “the number of suspects dealt with [via prosecution] fell to its lowest since records began almost 50 years ago,” while “recorded crime in England and Wales rose by more than 8 per cent to 5 million offences in the same period.”  It also does not make clear the practical consequences of rigid and sustained dedication to austerity.

Last October, the then-outgoing head of the Crown Prosecution Service (CPS), Alison Saunders, said that “the CPS and police were failing to investigate thousands of cases efficiently – from rape to fraud to modern slavery – and were critically short of the skills and resources required to combat crime.”  In particular, she noted that she “had to lose a third of her workforce as a result of funding cuts of more than 25%.”

Such drastic and sustained reductions in force cannot help but diminish the quantity and complexity of fraud cases that prosecutors can bring.  According to data that the auditing and consulting firm BDO gathered, in 2018 only 525 reported cases for fraud exceeding £50,000 were brought in the United Kingdom – a decrease from 577 in 2017.  A BDO executive characterized that 2018 total as “the tip of the iceberg . . . Cases are rarely being brought against individuals for fraud.  Given the amount of frauds we see out there, the amount of prosecutions at a corporate and individual level is tiny.”

In 2018, the United Kingdom Parliament’s Home Affairs Committee issued a report declaring the proportion of fraud cases investigated “shockingly low,” in comparison to the calculated total of 1.7 million offenses a year, adding: “It appears highly unlikely that more than one in 200 victims ever sees their perpetrator convicted.”  The likely effects of this continuing drain of prosecutive capacity include not only a general decline in public confidence about the criminal justice system, but a risk of high-value complex fraud, as the BDO executive opined, “increasingly being dealt with [‘]outside the judicial system’ as companies attempted to avoid reputational damage.”

At a time when large-scale external or internal fraud schemes can involve a billion pounds or more, regulators, as important as their work is, should not be expected to be the sole public authority to protect the public as well as the public fisc.  Criminal prosecutors and regulatory enforcers can work effectively and in close coordination to meet those critical needs – but only if they are adequately resourced to do so.