Author: Jonathan J. Rusch

On December 3, the Financial Crimes Enforcement Network (FinCEN) and the four federal financial institution supervisory agencies (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency) issued a joint statement encouraging banks (i.e., banks, savings associations, credit unions, and foreign banks) “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity.”

The statement expressed the agencies’ recognition “that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs.”  The statement declared that “[i]nnovation has the potential to augment aspects of banks’ BSA/AML compliance programs, such as risk identification, transaction monitoring, and suspicious activity reporting.”  In that regard, it cited examples of innovations that some banks have already undertaken:

Some banks are becoming increasingly sophisticated in their approaches to identifying suspicious activity, commensurate with their risk profiles, for example, by building or enhancing innovative internal financial intelligence units devoted to identifying complex and strategic illicit finance  vulnerabilities and threats. Some banks are also experimenting with artificial intelligence and digital identity technologies applicable to their BSA/AML compliance programs. These innovations and technologies can strengthen BSA/AML compliance approaches, as well as enhance transaction monitoring systems.

The statement specifically noted that the agencies “welcome these types of innovative approaches to further efforts to protect the financial system against illicit financial activity,” and that “these types of innovative approaches can maximize utilization of banks’ BSA/AML compliance resources.”

The statement offered an additional assurance that the agencies are committed to continued private-sector engagement with financial institutions, advocating early engagement with bank management to discuss pilot programs for innovative BSA/AML approaches.  Such early engagement, according to the statement, “can promote a better understanding of these approaches by the Agencies, as well as provide a means to discuss expectations regarding compliance and risk management,” and provide the agencies with the opportunity to “clarify supervisory expectations, as appropriate and necessary.”

The statement also made four points critical to assuring financial institutions that the agencies do not intend to whipsaw them by encouraging innovation but then effectively penalizing them for the consequences of innovation.  First, it said that they “will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”  Second, it stated that while they expected banks to maintain effective BSA/AML compliance programs, they “will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”  Third, it indicated the agencies’ openness to banks’ conducting pilot programs, “in conjunction with existing BSA/AML processes, [as] an important means of testing and validating the effectiveness of innovative approaches,” and to providing feedback to the banks on such pilot programs.  In particular, it stated that “pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.”  Fourth, it offered a measured assurance that “pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.”

Note:  This statement is the second result of the ongoing work of a working group that the United States Department of the Treasury’s Office of Terrorism and Financial Intelligence and the Federal depository institutions regulators formed with the aim of improving the effectiveness and efficiency of the BSA/AML regime.  Previously, on October 3, FinCEN and the agencies issued a joint interagency statement on sharing Bank Secrecy Act resources.

Both of these statements are welcome developments in two respects.  First, they provide some specific assurance that federal bank regulators are genuinely interested in positive engagement with the financial sector, and not merely regulation and enforcement.  Second, they appear not to be pressing for or insisting that financial institutions must adhere to particular types of innovative methods or technologies that regulators have previously endorsed.  Financial institutions should therefore take the December 3 statement at its word and develop innovative AML/CTF approaches that they believe make sense from a risk-based perspective, and test the strength of the regulators’ professed commitment to engagement with the financial sector.

During 2018, a number of media reports highlighted the reluctance or resistance of governing bodies overseeing various professional sports to confront the problem of corruption aggressively.  In soccer, FIFA – despite an undeniable history of corruption that reached the highest levels of the sport – saw fit to delete the word “corruption” from its code of ethics.   In professional tennis, it took an independent panel, after a two-year inquiry, to inform multiple tennis associations that a “tsunami” of match-fixing had reportedly become “endemic” across lower levels of the sport.  In Major League Baseball (MLB),  MLB severed its ties with the Liga Mexicana de Beisbol (LMB) because of professed concerns about corruption and fraud, but reportedly only “after years of complaints failed to effect change” in the LMB.  Subsequently, Sports Illustrated reported that the United States Department of Justice “has begun a sweeping probe into possible corruption tied to [MLB teams’] recruitment of international players, centered on potential violations of the Foreign Corrupt Practices Act.”

There are, however, other international sports associations that are demonstrating more timely and meaningful responses to corruption and fraud within their sports.  In professional cricket, after an Al-Jazeera journalist reported that evidence had been uncovered reflecting “corruption at the highest levels of cricket,” the general manager of International Cricket Council (ICC), the sport’s governing body, confirmed that the ICC “is investigating and called for the full co-operation of Al Jazeera.”

In professional badminton, the Badminton World Federation (BWF) recently upheld a ruling by its Ethics Hearing Panel that a former BWF Council member, Raj Gaya, would be banned from “performing any function in badminton for life” and be fined $50,000, based on his diversion and use of BWF funds for his personal benefit.  Gaya had told BWF officials that “he had used the funds for ‘badminton related expenses’, as well as ‘political reasons’ including ‘to get African people on his side’.”

Gaya is not the first individual this year that the BWF has severely sanctioned for corruption-related activities  In May 2018, in the first case of its kind for the BWF, the BWF banned two Malaysian players for 15 and 20 years respectively, and fined them $15,000 and $25,000 respectively, for match-fixing.

Such reports of demonstrated commitment to combating corruption are always welcome news.  It remains to be seen whether these latter sports will sustain that commitment or lapse into complacency over time as they grow in popularity and profitability.

On December 5, the Times reported that earlier that day, the Criminal Division of the Court of Appeal (England & Wales) upheld a November 26 judgment in Southwark Criminal Court in London that there was “no case to answer” in the fraud retrial of two Tesco executives, refused leave for the United Kingdom Serious Fraud Office (SFO) to appeal, and ordered an acquittal.  (“No case to answer” means that there was insufficient evidence for a jury to consider with respect to the individual defendants on trial.)

The United Kingdom Serious Fraud Office had begun its investigation of Tesco PLC in 2014, after Tesco publicly reported that its profit forecast had been overstated by £250 million ($328 million).  That disclosure, according to Reuters, “wiped 2 billion pounds off Tesco’s market value and plunged the company into the worst crisis in its near 100-year history.”

In 2016, the SFO charged three individual defendants – Christopher Bush, a former United Kingdom managing director of Tesco, John Scouler, Tesco’s former UK commercial food director, and Carl Rogberg, Tesco’s former finance director – with fraud and false accounting.  In 2017, the SFO concluded a deferred prosecution agreement (DPA) with Tesco, but a judicial contempt-of-court order postponed the disclosure of the terms of that DPA until the conclusion of the trial of Bush, Scouler, and Rogberg.

The first trial of the individual defendants was called off in 2018, shortly before the jury was to hear the trial judge’s summing up of evidence, because Rogberg had a heart attack.  In the retrial, from which Rogberg was severed due to illness, the SFO reportedly argued that Bush and Scouler were “generals” who “were aware that income was being wrongly included in [Tesco’s] financial records to meet targets and make Tesco look financially healthier than it was.”  After the conclusion of the prosecution’s case, however, the trial judge, Sir John Royce, told the jury on December 5 that he had dismissed the case because he had “concluded that in certain crucial areas the prosecution case was so weak.”  The judge further stated:

You may well come to the conclusion that there was fraudulent activity taking place between the buyers [at Tesco] and suppliers to provide documentation that purported to support the recognition of income in a period in which it should not have been recognised. However, one of the major issues in this case has been whether the prosecution could prove that these defendants were party to it and did they have knowledge that improper, unlawful recognition of income was taking place.

A critical portion of the prosecution case turned on a report “into the reporting of income from suppliers, dubbed the ‘legacy paper’, [that] was prepared by Amit Soni, a Tesco finance director, and submitted to the retailer’s legal department.”  The judge characterized Soni as a “gatekeeper,” along with others in Tesco’s finance department, who were responsible for ensuring that income was being properly recognized, but noted that Soni

admitted that he did not tell Mr Bush or Mr Scouler before the legacy paper was prepared that income was being improperly recognised because “he himself did not know”, adding: “If he [Mr Soni] is the gatekeeper and a qualified accountant did not know, how could it be safely assumed that the defendants knew? You would have to be sure, not just suspicious, that they knew.”

The “no case to answer” judgment is the latest blow this year to the reputation of the SFO, coming after the High Court’s refusal to reinstate charges against Barclays Plc and Barclays Bank Plc and the SFO’s obtaining convictions on only two of six bankers being tried this summer for manipulating the Euro Interbank Offered Rate.  While Lisa Osofsky, who took office as the new SFO Director in August, has no control over prior decisions by SFO staff or the vagaries of the trial process, she must now consider whether, as the SFO put it, “to pursue a retrial in light of the judgment.”

Given the strength of that judgment and Rogberg’s reported health problems, a quick decision to seek dismissal of the charges against Rogberg is less likely to fan the flames of media attention.  The larger issue of whether the SFO should be merged into the National Crime Agency – in which Prime Minister Theresa May has been keenly interested for some time – will likely remain sidelined unless and until the Prime Minister can find a way to untie or dissever the Gordian knot of Brexit.

On December 5, the Irish Examiner reported that in connection with the European Money Mule Action (EMMA) operation, Irish police (Gardaí) have found criminal groups using college students “to funnel millions of euros through hundreds of Irish bank accounts in the last three years.”  Many of the 420 Irish bank accounts, through which €14.6 million was reportedly laundered, belonged to students, and many of the students agreed to allow their accounts to be used for laundering funds in exchange for a few hundred euros.

Garda Detective Chief Superintendent Pat Lordan stated that because Irish anti-money laundering legislation had made it more difficult for criminals to open accounts directly, criminals designated “herders” approach college students in bats and on social media.  Some students also were solicited by responding to “work-from-home” advertisements.

In the EMMA operation, in which the Gardaí reportedly participated for the first time, the Gardaí conducted 30 interviews, froze 25 bank accounts, and seized €300,000 in cash and four cars, and four individuals were charged.

EMMA began in 2016 as a five-day enforcement action, modeled on a successful Dutch law enforcement operation.  At that time, law enforcement authorities and judicial bodies in eight European nations participated, with support from Europol, Eurojust, and the European Banking Federation (EBF).  EMMA has now become a major law enforcement operation across the European Union.

On December 4, Europol announced that the fourth and latest iteration of EMMA (EMMA 4), conducted during September through November 2018, involved 30 nations – 27 European countries as well as Australia, the United Kingdom, and the United States – along with Europol, Eurojust, and the EBF.  In EMMA 4, more than 300 banks, 20 bank associations, and other financial institutions helped to report 26,376 fraudulent “money mule” transactions, preventing a total loss of €36.1 million.  In addition, 837 criminal investigations were opened, and police forces from more than 20 States arrested 168 people as of December 4 and identified 1,504 money mules and 140 money mule organizers.  Europol particularly noted that “cases involving young people selected by money mule recruiters are on the rise, with criminals increasingly targeting financially-distressed students to gain access to their bank accounts.”

Note: University compliance and security officers at European universities should take note of this information, and use it to inform university students about these recruiting tactics and the potential consequences of serving as money mules.  In addition, European banks that are aware that they have a significant number of university students accountholders should take the opportunity, especially at branches near university campuses, to provide similar information on their premises and online.

Information-security lawyers and consultants are unaccustomed to hearing the words “cybersecurity” and “constitutional challenge” in the same sentence.  On November 30, however, a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit, in Kaspersky Lab, Inc. v. Department of Homeland Security, unanimously affirmed the dismissal of a claim by Russian-based cybersecurity vendor Kaspersky Lab that a prospective legislative ban on the use of Kaspersky Lab hardware and software by federal departments and agencies constituted a violation of the Bill of Attainder Clause in Article I of the United States Constitution.

The basis for this legislative ban was a series of concerns that a number of executive and legislative branch officials voiced, beginning in 2017, about the risks stemming from Kaspersky’s ties to Russian intelligence and other government officials.  The first response by the U.S. Government was the issuance of a September 2017 directive by the Acting Secretary of Homeland Security (Directive) that required most federal agencies to begin removing “Kaspersky-branded products” from their information systems within 90 days.  Subsequently, after Congressional hearings in which Members of Congress and the Homeland Security Assistant Secretary for Cybersecurity expressed deep concern about Kaspersky’s Russian ties and the susceptibility of Kaspersky software to Russian exploitation, Congress included in the National Defense Authorization Act for Fiscal Year 2018 (NDAA) a section reflecting those concerns.

Section 1634 of the NDAA, as enacted, provided that beginning October 1, 2018,

No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—(1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership.

Kaspersky then filed two actions in the United States District Court for the District of Columbia, separately challenging the Directive as a violation of the Administrative Procedure Act and section 1634 as a violation of the Bill of Attainder Clause, which states simply that “[n]o bill of attainder . . . shall be passed.”  The District Court dismissed the Directive action on the grounds that Kaspersky lacked standing to sue, and dismissed the section 1634 case for failure to state a claim (i.e., that Kaspersky had failed to plausibly allege that section 1634 constitutes a bill of attainder.

In his opinion for the Ninth Circuit panel, Judge David Tatel presented an elaborate analysis of the ban and the applicability of the Bill of Attainder Clause.  At the outset, he did not find that the Bill of Attainder Clause applies to corporations such as Kaspersky, but stated that the Court would continue to assume, as that Court of Appeals had done previously, to assume that it does so apply (slip opinion, p. 9).  As the critical question for all bills of attainder is whether the law imposes punishment, Judge Tatel conducted the three inquiries for Bill of Attainder analysis that the United States Supreme Court articulated in Selective Service System v. Minnesota Public Interest Research Group, 468 U.S. 841, 852 (1984):

1. Whether the statute, “viewed in terms of the type of severity of burdens imposed, reasonably can be said to further nonpunitive legislative purposes.” On this issue, Judge Tatel held that section 1634 satisfied the standard that the nonpunitive aims of an apparently prophylactic measure were sufficiently clear and convincing.  He recognized the security of the federal government’s information systems as “the nonpunitive interest at stake” (p. 15), and stated that “[g]iven the not insignificant probability that Kaspersky’s products could have compromised federal systems and the magnitude of the harm such an intrusion could have wrought, Congress’s decision to remove Kaspersky from federal networks represents a reasonable and balanced response” (p. 17).  Noting that Kaspersky “identifies no cyber-product as vulnerable to malicious exploitation as Kaspersky’s” (p.  19), he concluded that “Congress had ample evidence that Kaspersky posed the most urgent potential threat, and this court  must give Congress “sufficient latitude to choose among competing policy alternatives,” lest “our bill of attainder analysis . . . ‘cripple the very process of legislating’” (p. 20, quoting Foretich v. United States, 351 F.3d 1198, 1222–23 (D.C. Cir. 2003)).  He concluded that section 1634 satisfied the reasonableness test.
2. Whether the challenged statute falls within the historical meaning of legislative punishment. On this issue, Judge Tatel took note of Kaspersky’s admission that the burden that section 1634 imposed was “not precisely identical to any of the burdens historically recognized as punishment” (p. 22).  He stated that “a wide valley separates section 1634 from the small handful of statutes that courts have found to be unconstitutional bills of attainder,” adding that “section 1634 represents no more than a customer’s decision to take its business elsewhere” (p. 27).
3. Whether the legislative record “evinces a congressional intent to punish.” On this issue, Judge Tatel concluded that Kaspersky had offered no evidence of punitive intent, and that this test did nothing to support Kaspersky’s Bill of Attainder argument (pp. 28-29).

Judge Tatel concluded that Kaspersky’s complaint failed to plausibly allege that section 1634 was a bill of attainder, and affirmed the District Court’s dismissal of Kaspersky’s section 1634 case.  With respect to Kaspersky’s Directive case, he concluded that Kaspersky had “a serious standing problem” – in part because “invalidation of the Directive alone would do nothing to help Kaspersky’s plight as long as section 1634 remains good law” (p. 31) – and affirmed the District Court’s dismissal for lack of subject matter jurisdiction.

Note: Kaspersky should be of interest to more than constitutional law scholars, at least because it demonstrates that the executive, legislative, and judicial branches are capable of playing complementary roles, within the bounds of their respective powers, in addressing potential cyber threats to government operations.  The nonpunitive interest that Judge Tatel identified, the security of the federal government’s information systems, must be of paramount concern to the government when a software vendor has putative connections to foreign governments known to engage in economic espionage or intelligence-gathering through digital means.  When such potential threats are identified – as with Kaspersky in the case of Russia, or Huawei Technologies in the case of China – executive branch officials and legislators need to have the flexibility to craft reasonable and proportional responses to those threats rather than, as Judge Tatel put it, “wait[ing] patiently for those threats to cause empirically provable consequences” (p. 17).  For its part, as Judge Tatel’s opinion demonstrates, the judiciary is entirely capable of conducting a searching analysis of the factual and policy grounds of those responses without overstepping the limits of its own authority.