Author: Jonathan J. Rusch

Over the past four weeks, a series of law enforcement actions by U.S. and Mozambique authorities have targeted alleged participants in a bribery and corruption scheme, involving $2 billion in loans with which former Credit Suisse Group AG bankers and Mozambique government officials were connected.  Some media reports referred to the underlying situation as the “tuna bond” scandal, because of representations that the loans would be used in part to create a tuna fishing fleet for Mozambique.

The timeline of the law enforcement actions is as follows:

• December 19, 2018: An indictment returned on December 19, 2018 (later unsealed January 3) in the Eastern District of New York charged three former Credit Suisse Group AG bankers – Andrew Pearce, Surjan Singh, and Detelina Subeva – as well as former Mozambique finance minister Manuel Chang and lead salesman for Abu Dhabi-based shipbuilding holding company Privinvest Group Jean Boustani with four counts of conspiracy to commit wire fraud and securities fraud, to violate the Foreign Corrupt Practices Act (FCPA), and to commit money laundering. (Based on the redactions in the unsealed indictment, there are apparently between two and four additional defendants named in the indictment who presumably have not yet been apprehended.)

The indictment alleges that through a series of financial transactions between approximately 2013 and 2016, three companies owned by the Mozambique government borrowed more than $2 billion through loans that the Mozambique government guaranteed, and that two investment banks arranged and sold to investors worldwide.  Over the course of the transactions, the co-conspirators in the scheme conspired to defraud investors and potential investors in the financings

through numerous material misrepresentations and omissions relating to, among other things: (i) the use of loan proceeds, (ii) bribe and kickback payments to Mozambican government officials and bankers, (iii) the amounts and maturity dates of debt owed by Mozambique, and (iv) Mozambique’s ability and intention to pay back the investors.

It also alleged that each of the three Mozambican companies

entered into contracts with Privinvest to provide equipment and services to complete the maritime contracts.  The loan proceeds were supposed to be used exclusively for the maritime projects, and nearly all of the borrowed money was paid directly to Privinvest, the sole contractor for the projects, to benefit Mozambique and its people.  In reality, the defendants JEAN BOUSTANI, [redaction], MANUEL CHANG, [redaction] ANDREW PEARSE, SURJAN SINGH and DETELINA SUREVA, together with others, created the maritime projects as fronts to raise money to enrich themselves and intentionally diverted portions of the loan proceeds to pay at least $200 million in bribes and kickbacks to themselves, Mozambican government officials and others.

• December 29, 2018: South African authorities arrested Chang.
• January 3: United Kingdom authorities arrested Pearce, Singh, and Subeva in London, and U.S. authorities arrested Boustani in New York.
• January 4: Credit Suisse issued a statement in which it pledged to cooperate with the United States’ investigation and indicated that it was not a target of that investigation.
• January 8: The Mozambique Attorney General, who had previously filed a legal action in Mozambique’s Administrative Court challenging officials and entities involved in the $2 billion loans, announced the indictment of 18 individuals allegedly connected to the scheme, on charges of abuse of power, abuse of trust, swindling and money laundering.
• January 10: The Mozambique government reportedly filed its own extradition request for Chang with South African authorities.
• January 15: The head of the United Kingdom Financial Conduct Authority (FCA), Andrew Bailey, stated that the FCA, which reportedly had begun looking into Credit Suisse’s involvement in Mozambique in 2016, had downgraded its investigation from a criminal investigation. Bailey also stated that “our regulatory powers still apply to both the individuals and the firm, and that would be in respect of systems and controls of the firm, and also in respect to fitness and properness in respect to the individuals.”

Note: These prosecutions are significant not only because of the amount of fraud, bribery, and corruption allegedly involved, but because of the devastating effect of the scheme on Mozambique itself. Previously, as details of the fraudulent loans became public, they reportedly helped to “plunge Mozambique into its worst financial crisis since independence in 1975.  Debt soared to 112 percent of gross domestic product (GDP) by the end of 2017, forcing the country to suspend repayments and arousing distrust from investors.”

Mozambique’s situation now is less catastrophic, but still dire.  As allAfrica reported, all three of the Mozambique companies associated with the scheme “are effectively bankrupt, and so the Mozambican state has become liable for repaying the loans.”  In addition, though the purported reason for setting up the companies “was to provide a sophisticated system of coastal protection and a tuna fishing fleet,” the coastal protection system is nonexistent and the fishing fleet consists of only 24 small boats that do no fishing and have no fishing licenses.  Moreover, the securities-fraud charge reflects the fact that major institutional investors, according to the Wall Street Journal, stand to lose money.

Earlier today, a prominent anti-corruption expert, Rick Messick, posted that South Africa now has a dilemma about which extradition request they should honor first: the United States’ or Mozambique’s.  While Messick may be correct that Mozambique’s request is intended to shield Chang, a leading member of Mozambique’s ruling party FRELIMO, from prosecution or cooperation in the United States, it is more likely that South African courts, after due consideration, will rule in favor of the United States’ “first-in-time” extradition request, while paying appropriate respect to Mozambique’s authority and recognizing the serious effects of the scandal on its economy.  As Chang, Pearce, Singh, and Subeva all can be expected to context their extraditions vigorously, it will likely be some time before the U.S. Department of Justice can pursue plea negotiations with, or prosecutions of, the key players in this case.

On December 17, 2018, a Quebec judge sentenced Yanaï Elbaz, a former McGill University Health Centre (MUHC) executive, to 39 months’ imprisonment for accepting CDN$10 million in bribes in return for helping Canadian engineering firm SNC-Lavalin win a CDN$1.3 billion building contract for MUHC. Previously, on November 26, 2018, Elbaz had pleaded guilty to receiving a bribe, breach of trust, conspiring to launder money with the former Chief Executive Officer of MUHC, Arthur Porter, and transporting or transferring the proceeds of a crime.

Elbaz had been the MUHC’s assistant director general of planning and real estate management and a member of the committee that decided which group would win the MUHC contract.  At the time of his plea, Elbaz admitted

that he supplied SNC-Lavalin with insider information that allowed it to adjust its proposal on how the project should be built. He also used the position he held, between 2007 and 2011, to influence members of a selection sub-committee by praising the consortium led by SNC-Lavalin and denigrating the only rival bid made by another consortium.

Elbaz also admitted that he violated rules intended to keep the selection process impartial by communicating with Pierre Duhaime, then-Chief Executive Officer of SNC-Lavalin, and Riadh Ben Äissa, then a vice-president of SNC-Lavalin’s construction division, prior to submission of the MUHC bid.  Subsequently, in July 2018 Äissa pleaded guilty in the case to using forged documents and was sentenced to one day in jail, given the 29-month sentence that a Swiss court had previously imposed for fraud-related charges relating to SNC-Lavalin’s business in Libya and additional time he had spent wearing a tracking device. Duhaime is now facing trial in the case in February 2019.

Note: Elbaz’s plea and sentencing is significant because it is one of the last milestones in a long-running case that Quebec authorities reportedly described “as the largest corruption fraud case in Canadian history.” Since 2012, when Swiss authorities arrested Äissa, and 2013, when the Quebec police anti-corruption unit issued arrest warrants for SNC-Lavalin executives, the record of law enforcement success in this investigation, designated as “Projet Lauréat,” can fairly be described as mixed, based on the following developments:

• In 2014, Porter’s wife Pamela Porter, who had pleaded guilty to money-laundering charges in the case, was sentenced to two years’ imprisonment. At the time, the Montreal Gazette declared her conviction “a first legal victory for the Crown after it pressed charges against eight other individuals” in connection with the MUHC contract.
• In 2015, Arthur Porter – who, with Elbaz, allegedly received a total of CDN$22.5 million in bribes for awarding the MUHC contract to SNC-Lavalin – died as a fugitive in Panamanian custody, having fought extradition to Quebec since his arrest in Panama in 2013.
• In 2016, prosecutors withdrew all charges in the case against Bahamian businessman Jeremy Morris.
• In 2017, former SNC-Lavalin financial controller Stéphane Roy was acquitted of fraud and using forged documents charges in the case, after prosecutors decided not to present any evidence against Roy.
• In 2018, at the time of Elbaz’s guilty plea, Elbaz’s brother Yohann Elbaz – who with his brother controlled a company through which Yanaï Elbaz’s $10 million in bribes reportedly passed – was acquitted after Crown prosecutors stated that they would not prosecute Yohann on charges of conspiracy, recycling the proceeds of crime and using false documents.

Even though the convictions of Elbaz and Äissa were significant developments, the outcome of the Duhaime trial may weigh heavily in any ultimate conclusions about the success of the MUHC investigation.

UPDATE: On February 1, Pierre Duhaime pleaded guilty in the case to a charge of helping a public servant commit breach of trust.  The Quebec court judge reportedly accepted a joint recommendation from prosecutors and defense that Duhaime receive a 20-month suspended sentence, to be served under house arrest.  Duhaime will also serve one year of probation and 240 hours of community service, and has been ordered to donate CDN $200,000 to a center that aids victims of crime.

An agreed statement of facts presented to the judge indicated that Duhaime was guilty of “wilful blindness” as SNC-Lavalin’s CEO, that he did not receive any money from the crime, and that he was not connected to and had no knowledge of the $22.5 million in bribes paid to Porter and Elbaz.

On December 13, 2018, the Office of New York State Attorney General Barbara D. Underwood (OAG) announced that airport ground handling company Ground Services International (GSI) had entered into a civil settlement to pay $12.3 million, for making fraudulent kickback payments intended to influence various contracts that GSI had at John F. Kennedy International (JFK) Airport and in other airports across the United States.

This settlement – the third stemming from “Operation Greased Runway,” the OAG’s ongoing investigation into the contracting and procurement processes at JFK Airport – resolves claims pursuant to New York State Executive Law Section 63(12), which prohibits “engag[ing] in repeated fraudulent or illegal acts or otherwise demonstrat[ing] persistent fraud or illegality in the carrying on, conducting or transaction of business.”  According to the OAG’s statement, its ongoing investigation “revealed that GSI expanded its business and won new contracts with two major companies, British Airways and Terminal One Group Association L.P. (‘TOGA’), while at the same time making undisclosed payments to the companies’ key executives.”

The investigation found that the then-President of GSI, Jeff Kinsella, “secretly agreed to provide an ownership interest in GSI to a senior British Airways executive who had influence over procurement decisions at the airline, while that executive was promoting GSI’s services within British Airways.”  From 2009 to 2016, Kinsella made regular payments to the British Airways executive that totaled more than $1.2 million.  During that same period, British Airways substantially expanded its business with GSI, including continuing to service Terminal Seven, which British Airways currently operates, at JFK Airport. When Kinsella sold GSI in 2016, according to the OAG, the British Airways executive received an additional payment of $3.6 million from Kinsella “for his secret ownership interest. GSI never disclosed either its payments to the executive, or the executive’s financial stake in GSI, to British Airways, the Port Authority, or any other entity in the airline industry.”

GSI also made improper payments to the then-Executive Director of TOGA, Edward Paquette, whom the OAG termed “the key decision maker with respect to the contract for ground services at JFK’s Terminal One.”  After Paquette recommended GSI for the Terminal One contract, that contract became GSI’s largest contract nationwide.  Shortly after GSI received the Terminal One contract, Kinsella began directing monthly payments to a company set up by Paquette specifically to receive the kickbacks. From 2015 through 2017, during which Paquette oversaw the contract at TOGA, GSI paid him a total of $640,000.  In 2017, as a result of Operation Greased Runway, Paquette pleaded guilty to New York State felony charges related to stealing from his employer and accepting bribes totaling $1.3 million.

The OAG also stated that GSI, while secretly making these improper payments, “made millions of dollars in profits from its contracts at Terminal One and Terminal Seven at JFK Airport with British Airways and TOGA respectively.”  As a consequence, as part of the settlement GSI acknowledged that its conduct was deceptive, improper, and compromised the integrity of business operations at JFK Airport.  In addition, GSI agreed to injunctive relief to improve its compliance and contracting processes:

GSI is required to implement and maintain an anti-bribery and corruption policy, and to train employees on that policy annually. The company will also establish an anonymous tip line where employees can report suspected violations of the policy. GSI must also submit to review by an outside audit firm, appoint a Chief Ethics and Compliance Officer, reform its internal bidding process to ensure that potential conflicts of interest are identified, and submit an annual affirmation of compliance signed either by the company’s CFO or CEO to the Port Authority Inspector General’s Office.

Note:  This settlement is a timely reminder to corporate compliance officers that bribery and corruption risks can arise domestically as well as internationally, and that failure to extend compliance anti-corruption policies and internal controls to domestic activities and transactions can have severe legal and reputational consequences.  The fact that Kinsella was able, over a nine-year period culminating in his sale of GSI in 2016, to make nearly $5 million in illicit payments to the unnamed British Airways executive indicates the severity of the deficiencies in GSI’s prior compliance regime.

On January 17, Troy Hunt, an independent cybersecurity researcher and Microsoft Regional Director, posted that he had found a large collection of files containing email addresses and passwords obtained in numerous data breaches, from which data were being socialized on a hacker forum.  Hunt calculated that the collection of files, located on the MEGA cloud storage service that Internet entrepreneur Kim Dotcom founded, included 1,160,253,228 unique combinations of email addresses and passwords.  After cleanup of the data, Hunt found a total of 772,904,991 unique email addresses and 21,222,975 unique passwords.

Hunt stated that he has now loaded the cleaned-up data on a website, have i been pwned?, on which he has previously loaded similar data from many other data breaches (such as Adobe and Ashley Madison), to allow members of the public to check their own online credentials against the data.  For security reasons, Hunt separated the search features for email addresses and passwords: email addresses can be searched on the have I been pwned? homepage, and their passwords at Pwned Passwords.

Note: Chief information security officers and corporate compliance officers should make use of this report in two ways.  First, in explaining to corporate officers and employees the scope and scale of cybercrime, they can cite Hunt’s calculated total of more than 772 million hacked email addresses and more than 21 million unique passwords – the largest collection of breached data that Hunt has found and loaded onto his site – as a recent instance of the volumes of data that hackers routinely work to target businesses, government agencies, and individuals.  Second, they should consider making use of have i been pwned? and Pwned Passwords in live briefing and training sessions, to show corporate employees that the need to pay attention to cybersecurity and change passwords is urgent and important.  Hunt is a highly knowledgeable and respected cybersecurity researcher, speaker, and trainer, and Fox Business reported that millions of people have used his website since its creation in 2013 to check their identifying data.

In any event, readers of this blog should check their details and, whether or not they find their data have been breached, take to heart fundamental rules of personal cybersecurity that Hunt and others have stated many times: Never reuse a password; if you have, change those passwords; and use a password manager to handle the multiplicity of your passwords.  Simple steps are still key to reducing the risk of having your personal or business data hacked and misused.

On November 14, 2018, Irish President Michael D. Higgins signed the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 into law.  The new Act, which came into effect (other than section 32) as of November 26, 2018, transposes most provisions of the European Union’s (EU’s) Fourth Money Laundering Directive.  Some of the more significant provisions of the 2018 Act are as follows:

• Risk Assessment: Section 10 adds a new section 30A to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, to provide that a “designated person” shall carry out a business risk assessment “to identify and assess the risks of money laundering and terrorist financing involved in carrying on the designated person’s business activities taking into account at least the following risk factors:
  • “(a) the type of customer that the designated person has;
  • “(b) the products and services that the designated person provides;
  • “(c) the countries or geographical areas in which the designated person operates;
  • “(d) the type of transactions that the designated person carries out;
  • “(e) the delivery channels that the designated person uses;
  • “(f) other prescribed additional risk factors.”

Section 30A also requires that senior management approve the business risk assessment, and that the designated person keep the business risk assessment and any related documents up to date.  Failure of the designated person to comply with section 30A’s requirements is an offense punishable by up to five years’ imprisonment.

• Application of Risk Assessment in Applying Customer Due Diligence: Section 10 also adds a new section 30B to the 2010 Act, to require that a designated person “identify and assess the risk of money laundering and terrorist financing in relation to the customer or transaction concerned, having regard to—
  • “(a) the relevant business risk assessment,
  • “(b) the matters specified in section 30A(2) [of the 2010 Act],
  • “(c) any relevant risk variables, including at least the following:
    • “(i) the purpose of an account or relationship;
    • “(ii) the level of assets to be deposited by a customer or the size of transactions undertaken;
  • “(iii) the regularity of transactions or duration of the business relationship;
  • “(iv) any additional prescribed risk variable,
  • “(d) the presence of any factor specified in Schedule 3 or prescribed under section 34A [of the 2010 Act] suggesting potentially lower risk,
  • “(e) the presence of any factor specified in Schedule 4, and
  • “(f) any additional prescribed factor suggesting potentially higher risk.”

Failure of a designated person to document a determination under section 30B is an offense punishable by up to five years’ imprisonment.

• Simplified Customer Due Diligence: Section 13 adds a new section 34A to the 2010 Act, to specify the criteria and process for using simplified customer due diligence for lower-risk transactions and business relationships.
• Correspondent Relationships: Section 17 substantially revises section 38 of the 2010 Act with regard to the criteria for correspondent relationships with third-country respondent institutions.
• Enhanced Customer Due Diligence – High-Risk Third Countries: Section 18 adds a new section 38A to the 2010 Act regarding enhanced due diligence regarding customers established or residing in a high-risk third country.
• Enhanced Customer Due Diligence – Heightened Risk: Section 19 substantially revises section 38 of the 2010 Act regarding enhanced due diligence in cases of heightened risk.
• State Financial Intelligence Unit: Section 21 adds a new Chapter 3A to the 2010 Act to provide for the establishment of a State Financial Intelligence Unit (FIU) within the Garda Síochána to receive and analyze “suspicious transaction reports and other information relevant to money laundering or terrorist financing for the purpose of preventing, detecting and investigating possible money laundering or terrorist financing.” It authorizes designated members of FIU Ireland to request from any person information held by that person, “for the purposes of preventing, detecting, investigating or combating money laundering or terrorist financing.”  In addition, it authorizes designated members of FIU Ireland to request in writing for any financial, administrative or law enforcement information that FIU Ireland requires in order to carry out its functions, from a designated person, a competent authority, the Irish Revenue Commissioners, and the Minister for Employment Affairs and Social Protection.  Failure of a designated person, without reasonable excuse, to comply with either type of FIU Ireland request is an offense punishable by up to three years’ imprisonment.  Finally, Chapter 3A empowers FIU Ireland to respond to requests from competent authorities and to share information with other FIUs and competent authorities.

Note: Financial institutions doing business in Ireland should already be working to implement the new legislation in their anti-money laundering (AML) policies and operations, and taking note of the Garda  Síochána’s extensive authority to operate an FIU and to demand provision of various types of information.

At the same time, financial institutions should be anticipating additional changes in Irish AML law.  On January 3, Minister for Justice and Equality Charlie Flanagan received the Irish Cabinet’s approval of the proposed Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019, which would transpose the EU’s Fifth Money Laundering Directive and enhance current anti-money laundering legislation.  According to the Irish Department of Justice and Equality, the bill includes the following provisions:

• “[P]revent risks associated with the use of virtual currencies for terrorist financing and limiting the use of pre-paid cards;
• “[I]mprove the safeguards for financial transactions to and from high-risk third countries;
• “[B]roaden the scope of designated bodies under the existing legislation;
• “[E]nhance the customer due diligence (CDD) requirements of the existing legislation;
• “[P]revent credit and financial institutions from creating anonymous safe-deposit boxes;
• “[I]nclude a number of technical amendments to other provisions of the Acts already in force.”

In addition, the bill allows for provisions which are not required by the Fifth Directive but will support the Criminal Assets Bureau and the Garda Síochána with regard to their power to access bank records and the administration of their functions in respect of AML.  Finally, according to the Department of Justice, the Department of Finance is also engaged in giving effect to certain provisions of the Fifth Directive, such as “facilitating increasing transparency on who really owns companies and trusts by establishing beneficial ownership registers” and “ensuring the creation of, and access to, centralised national bank and payment account registers or central data retrieval.”