Author: Jonathan J. Rusch

On September 4, the editorial board of the Financial Times published an editorial that calls for a central anti-money laundering body for Europe.  The foundation for the editorial was the extensive and growing series of media reports about money laundering through the Estonian branch of Danske Bank, the largest bank in Denmark.

Since September 2017, when Danske Bank initiated what it termed “thorough and comprehensive investigations into the non-resident portfolio of the Estonian branch,” estimates of the scope and scale of alleged money laundering through that branch have continued to rise:

• In May 2018, the Danish Finanstilsynet (Financial Supervisory Authority (FSA)) issued a report to the bank’s Board of Directors and Executive Board that while it recognized “that the bank has made various improvements in the AML and compliance areas in recent years,” it was issuing eight orders and eight reprimands relating to the Estonian branch activity. In particular, the FSA found that the branch “had high earnings on Russian and other non-Baltic customers (non-resident customers), whose total volume of payments through the branch was very considerable. For example, 35% of the profit in the branch in 2012 was generated by Russian customers, who made up 8% of the customer base.”
• In July 2018, the Danish newspaper Berlingske reported that as much as $8.3 billion may have been laundered through the Estonian branch from 2007 to 2015.
• Most recently, on September 3 the Financial Times reported that an independent investigation commissioned by the bank found “that as much as $30 billion (€26 billion) of Russian and ex-Soviet money moved through the Estonian branch” in 2013. A draft report of the investigation, by the financial consulting firm Promontory Financial, also disclosed that the $30 billion was reflected in nearly 80,000 transactions, and that after 2013, the volume began to decrease and accelerated its decline after the Estonian Financial Services Authority began its own investigation.
• UPDATE: On September 7, the Wall Street Journal reported that Danske Bank is now examining $150 billion in transactions that moved through the Estonian branch between 2007 and 2015.

The Financial Times editorial referred to the $3 billion as “an eye-popping volume for a small branch operation [that] suggests serious gaps in the bank’s safeguards, and in Europe’s efforts to combat money-laundering.”  It also pointedly remarked that “US officials — who have repeatedly, and embarrassingly, proved better able to police European money laundering than Europe’s own authorities — have not confirmed whether they are probing Danske themselves, but said they are ‘following the case closely’.”

Noting that the Danske Bank case had “highlighted again the patchwork nature of Europe’s anti-money laundering supervision,” it concluded:

While the European Central Bank scrutinises banks’ business models and governance, policing criminal financial flows is still a national competence. An EU-wide anti-money laundering body is sorely needed to harmonise and enforce rules, and direct additional resources to where they are most needed. EU institutions and member states need to find the political will to close what is a gaping hole in the continent’s regulatory framework.

Note: The Financial Times editorial understandably paints with a broad brush.  In doing so, it fails to take into account the existence of the current European Union AML legal framework, including the 4^th and 5^th Anti-Money Laundering Directives, or of other multinational governmental bodies such as the European Banking Authority or the Financial Action Task Force, which has played a highly influential role in setting standards and promoting effective implementation of AML and terrorist-financing measures.  But broadbased compliance failures at leading European financial institutions such as Danske Bank and ING indicate that the current structure of national and supranational AML regulation in Europe is falling short in timely identification of and response to significant instances of AML noncompliance.

In that respect, the Financial Times editorial is a welcome call to action — albeit one to which the European Union so far is not responding with any dispatch.  According to Reuters, a preliminary EU plan to enhance AML  “acknowledges that “there may be gaps in the EU’s supervisory framework” to counter money laundering, but pushes back any meaningful action to late next year or beyond.

On September 4, the Netherlands Openbaar Ministerie (Public Prosecution Service) (NPPS) announced, in English and Dutch, that ING Bank N.V. (ING), a global financial institution headquartered in Amsterdam, had accepted and paid a settlement of  €775,000,000 (equivalent to US$900 million) to resolve an investigation focused on violation of the Dutch Wet ter voorkoming van witwassen en financieren van terrorisme (Anti-Money Laundering and Counter Terrorism Financing Act) (Wwft) by ING’s business unit ING Bank Netherlands (ING NL).  The NPPS specified that ING NL’s Wwft violation had occurred “for many years and on a structural basis”, and took note of ING NL’s culpable money laundering involving its failure “to prevent bank accounts held by ING clients in the Netherlands between 2010 and 2016 from being used to launder hundreds of millions of euros.”  The settlement consisted of a fine of €675,000,000, disgorgement of €100,000,000, and compliance and remediation measures.

Because of the size of the criminal resolution and the NPPS’s inclusion of both a detailed summary of the case and a detailed statement of facts, in the manner of the U.S. Department of Justice and the UK Serious Fraud Office, the NPPS announcement warrants a detailed review.  According to the NPPS summary (ING NL) ”did not properly fulfil its role as gatekeeper of [the Dutch] financial system, as outlined in the [Wwft], which requires financial gatekeepers to conduct client due diligence and report unusual transactions to the Dutch Financial Intelligence Unit (FIU).  The NPPS found ING to be “seriously deficient in this respect,” allowing ING NL clients to use accounts held with ING NL for criminal activities for many years, “virtually undisturbed.”  The NPPS also criticized ING NL for having wrongly taken insufficient action, as “ING NL should have seen that certain cash flows through bank accounts held by ING NL clients were possibly the result of crime.”

The investigation by the Dutch Fiscale inlichtingen- en opsporingsdienst (Fiscal Information and Investigation Service (FIOD), which began in early 2016, focused on suspicions “that ING NL was not sufficiently investigating clients, was insufficiently monitoring bank accounts and did not report unusual transactions, or reported them too late.”  The FIOD became concerned that ING NL had structural shortcomings that included (1) the absence of or insufficient conduct of client due diligence, (2) misclassification of clients that could lead to high-risk clients being subject to less stringent anti-money laundering measures, (3) insufficient monitoring of client relationships and bank accounts (and, when necessary, failure to terminate such relationships and accounts in a timely manner, (4) understaffing and inadequate training of the compliance department, (5) establishment of a transaction-monitoring system that generated only a limited number of money laundering signals, and (6) irregular or late reporting of unusual transactions to the FIU.

The summary also cited four specific cases it examined in detail as illustrative examples of actual misuse of bank accounts by ING NL clients.  One was an “international telecom provider” – unnamed in the summary, but named as Vimpelcom (now VEON) in the statement of facts — that transferred bribes worth tens of millions of dollars via its ING NL accounts to a company owned by Gulnara Karimova, the daughter of the then-president of Uzbekistan.  Another was an unnamed

The NPPS further noted that De Nederlandsche Bank N.V. (the Dutch Central Bank) (DNB) had warned ING NL on multiple occasions and taken unspecified “formal measures,” and was consulted by the NPPS when the NPPS decided to approach ING NL’s conduct as criminal activity.  According to a Reuters article, Dutch prosecutors said that the DNB “had warned ING as early as 2008 that its procedures were insufficient, but lead prosecutor Margreet Frohberg told Reuters that it had failed to act in earnest until 2016.”

Ultimately, the NPPS decided to attribute the offenses in question to the organization as a whole, and not to pursue individuals for criminal prosecution for two reasons.  The first was the fractured structure of ING NL’s compliance risk management.  As the NPPS explained, “The responsibility for compliance with the AML/CTF Act rests with three different divisions of the bank. None of these divisions oversaw the whole picture. This in part explains why senior management was not fully aware of the seriousness of the shortcomings, and their persistence.”  The second was the standard of proof that Dutch courts require for prosecutions of individuals in such a setting:

Many individual persons are responsible for part of the culpable behaviour. The offences are therefore not individually attributable to specific persons, not even the management at ING NL. The Supreme Court (Hoge Raad) sets a high bar for prosecuting individuals for directing criminal offences. In this case, not only must awareness be proven, but also that those persons consciously instigated criminal offences or deliberately failed to stop them. The ING NL investigation did not demonstrate that this was the case.

In its statement of facts, the NPPS identified five factors that led to its decision to offer a resolution to ING:

1. “ING NL publicly acknowledges and regrets the mistakes made;”
2. “ING NL cooperated in the criminal investigation and investigated the matter internally and the outcomes have been reported to the NPPS;”
3. “ING NL will continue to actively allow the NPPS to investigate possible criminal offenses arising from shortcomings in the FEC [Customer Due Diligence] policy to which the settlement relates;”
4. “ING NL, under the supervision of DNB, has developed and implemented a remediation plan. ING NL also provided the NPPS with insight into the progress of this remediation plan throughout the criminal investigation;”
5. “As part of this settlement, ING NL is taking responsibility for criminal offenses committed over a period of several years.”

On the same day, ING issued a press release regarding the settlement.  The release, which it also submitted to the U.S. Securities and Exchange Commission (SEC) via a Form 6-K, stated that ING “has fully cooperated” with the NPPS investigation, but added that that investigation and its own internal investigation “established serious shortcomings in the execution of policies to prevent financial economic crime (FEC) at ING Netherlands in the period investigated (2010-2016),” with specific reference to the six NPPS-identified defects listed above.  It also said that ING “sincerely regrets that as a result of the above shortcomings ING Netherlands did not adequately fulfil its role as gatekeeper to the financial system, helping fight financial crime.”

As part of its remediation response, ING noted that it has initiated measures – including “holdbacks of variable remuneration and suspension of duties” – “against a number of (former) employees in senior management positions who had a broader responsibility for the safeguarding and execution of FEC CDD policies and procedures in the Netherlands. In addition, the members of the Executive Board of ING Group, in consultation with the Supervisory Board, agreed “to forego their variable remuneration over 2018.”

Moreover, ING listed various initiatives it was taking at ING NL to strengthen compliance risk management: (1) an enhancement program to ensure compliance with “know your customer” (KYC) and “client activity monitoring” requirements; (2) centralization and simplification of operational KYC activities into a single “KYC Centre” across divisions; (3) establishment of Client Risk Committees across business units, to decide “on client on-boarding and exit escalations to ensure KYC risk mitigation”; (4) an engagement program “to strengthen the internal compliance culture and awareness by better enabling employees to act in both the letter and the spirit of the law”; and (4) active involvement in and contribution to the Financieel Expertise Centrum (FEC)-raad (Council) taskforce, in which “Dutch authorities that have supervisory, control, prosecution or investigation tasks cooperate with financial sector actors to strengthen the integrity of the sector.”

Finally, ING expressed its hope that based on the settlement agreement with the NPPS, the U.S. Securities and Exchange Commission, with whose information request ING had been cooperating, would take no further action and not require “further payment or the imposition of further conditions.”

Postscript:  In a September 5 release, ING stated that it “has received a formal notification from the SEC that it has concluded its investigation. In the letter the Division of Enforcement states that, based on information as of this date, it does not intend to recommend an SEC enforcement action against ING.”

On August 27, Larry D. Thompson, the Independent Compliance Auditor (ICA) for the so-called “VW Defendants” (VW), issued the first annual report on compliance by the VW Defendants (including Volkswagen AG (VW)) with their injunctive relief obligations stemming from federal and state consent decrees regarding VW’s emissions cheating (Report).  (N.B.: The Report, dated August 17, addresses only the VW Defendants’ civil obligations pursuant to the consent decrees.  Thompson has separate duties as Independent Compliance Monitor under the Plea Agreement in United States v. Volkswagen AG, No. 16-cr-20394-SFC (E.D. Mich.), and the Monitor’s Plea Agreement reports are not comparable to the ICA’s annual reports, in part because “the Plea Agreement reports include a broader evaluation of the ‘effectiveness’ of the overall compliance program of Volkswagen AG and its subsidiaries and affiliates” (Report, p. 4).)

The Report includes sections on the following:

• VW Defendants’ Reporting of Violations (pp. 6-8): The VW Defendants identified and reported two violations of the injunctive relief provisions: failure to add certain questions to employee survey “managers’ guides”, and failure to give 10 days’ notice (per the California Consent Decree) to the California Air Resources Board (CARB) of testing using the Portable Emissions Measurement System (PEMS) (Report, pp. 6-7).
• General Obligations under the Consent Decrees (pp. 8-9): This section included the following issues:
  • VW Defendants’ cooperation with the ICA: On this issue, the Report stated that the Volkswagen Project Management Office “has cooperated with the ICA,” but that
    • “[o]ccasionally, the ICA has contended with the VW Defendants’ reluctance to share certain information. This reluctance has included the VW Defendants’ use of redactions in documents provided to the ICA, based on claims of attorney-client privilege, attorney work-product, and data privacy. . . . The ICA has discussed this issue with VW Defendant personnel on numerous occasions throughout the reporting period, and has documented its concerns. With respect to the VW Defendants’ assertions of privilege and work-product, the ICA has disagreed with some of the VW Defendants’ assertions. The VW Defendants have promised further improvements in their provision of information, and increased the frequency of discussions with the ICA regarding this topic. The ICA is committed to working with the VW Defendants to resolve all redaction issues and other withholding of information.” (P. 8)
  • Appointment of an Environmental Compliance Officer.
  • The VW Defendants’ submission of their first Annual Report to the Justice Department and California authorities.
• Recommended Actions to Achieve Compliance (pp. 9-10): This section sets forth the ICA’s seven recommendations to the VW Defendants to achieve compliance with the consent decrees, including:
  • Designing and implementing additional, ongoing monitoring and auditing procedures to assess compliance by the VW Defendants with their obligations under the Consent Decrees (p. 9);
  • Preparing and providing a comprehensive written analysis of the implementation of the so-called “Golden Rules” (i.e., a set of thirteen mandatory processes, supported by a total of 109 “minimum requirements” that prescribe the implementation of certain controls and best practices to optimize the operation of the Internal Control System in the VW Defendants’ product development process) (pp. 9-10).
• Injunctive Relief Obligations Related to the Product Development Process (pp. 11-27). This section reports on obligations pertaining to segregation of duties between product development and certification testing (pp. 11-15), establishment and maintenance of Group Steering Committees for monitoring and complying with U.S. laws regarding vehicle certification and vehicle emissions (pp. 15-17), PEMS testing (pp. 17-20), definition of managers’ responsibilities (pp. 21-22), and implementation of the “Golden Rules” (pp. 22-27).
• Efforts by the VW Defendants to Establish and Maintain a Whistleblower System (pp. 27-30).
• Efforts by the VW Defendants Regarding the Employee Survey and Managers’ Guides (pp. 30-32).
• Efforts by the VW Defendants Regarding Codes of Conduct (pp. 32-35): This section reports on the VW Defendants’ efforts to ensure that their corporate Codes of Conduct included provisions regarding both environmental protection and responsibility for compliance.
• Efforts by the VW Defendants Regarding Third-Party and Internal Audits (pp. 35-46).

Note: The most critical language in the ICA report, as quoted above, is with regard to the VW Defendants’ resistance to information-sharing and redaction of documents.  In a joint news conference on August 27, Thompson and Hiltrud D. Werner, a member of Volkswagen’s board who is responsible for integrity, reportedly said “they were trying to work out differences over access to documents amicably.”  Nonetheless, it should be noted that – allowing for the fact that devising and implementing effective compliance measures in any large organization takes significant amounts of time and effort – the ICA report is devoid of any indication that Thompson regards the VW Defendants as having made substantial progress toward compliance with its civil obligations.

Due to the Labor Day holiday, there will be no DTG post today.  DTG will resume tomorrow, September 4.

On August 24, in United States v. Hoskins, the U.S. Court of Appeals for the Second Circuit, in an interlocutory appeal, affirmed in part and reversed in part the dismissal of part of one count in a multi-count indictment that charged a foreign national with Foreign Corrupt Practices Act (FCPA) offenses relating to alleged bribery of Indonesian officials.

Lawrence Hoskins, a former senior vice president for the Asia region for the French power and transportation company Alstom, was a defendant in multiple indictments in the District of Connecticut in the same FCPA case.  Hoskins was charged with conspiracy to violate the FCPA and to launder money, as well as substantive FCPA and money laundering violations.  During the relevant time period (2002-2009), according to the Second Circuit, Hoskins “was employed by Alstom’s UK subsidiary, but was assigned to work with another subsidiary called Alstom Resources Management, which is in France.”  (P. 6)

The Department of Justice asserted that Hoskins, while working from France for Alstom Resources Management, was one of the people responsible for approving the selection of, and authorizing payments to, certain consultants, knowing that a portion of the payments to the consultants was intended for Indonesian officials in exchange for their influence and assistance in awarding a $118 million power contract for an Alstom subsidiary, Alstom Power Inc. and its associates.  But the Department also conceded on appeal that while Hoskins repeatedly e-mailed and called U.S.-based coconspirators regarding the scheme while they were in the United States, he did not travel to the United States while the alleged bribery scheme was ongoing. (See pp. 6-7.)

Prior to trial, the U.S. District Court for the District of Connecticut concluded that Congress did not intend to impose accomplice liability on non-resident foreign nationals who were not subject to direct liability under one of the FCPA’s provisions.  It therefore dismissed Count One of the indictment to the extent that that count (1) sought to charge Hoskins with conspiring to violate Section 78dd-2 of the FCPA without demonstrating that Hoskins fell into one of the FCPA’s enumerated categories, and (2) alleged that Hoskins conspired to violate Section 78dd-3, which prohibits acts “while in the territory of the United States,” because Hoskins had never entered the United States during the relevant period.  The District Court also denied Hoskins’s motion in part, because the indictment charged him with conspiring to violate the FCPA, or aiding and abetting a violation, as an agent of an American company, which is a category covered by Section 78dd-2 of the FCPA.

The principal opinion, by Judge Rosemary Pooler, framed the central question of the appeal as follows:

whether Hoskins, a foreign national who never set foot in the United States or worked for an American company during the alleged scheme, may be held liable, under a conspiracy or complicity theory, for violating FCPA provisions targeting American persons and companies and their agents, officers, directors, employees, and shareholders, and persons physically present within the United States. In other words, can a person be guilty as an accomplice or a co-conspirator for an FCPA crime that he or she is incapable of committing as a principal? (P. 18)

The Court determined “that the FCPA defines precisely the categories of persons who may be charged for violating its provisions [and] . . . stated clearly the extent of its extraterritorial application.”(P. 2)  It “agree[d] with the district court that the FCPA’s carefully-drawn limitations do not comport with the government’s use of the complicity or conspiracy statutes in this case,” and affirmed the District Court’s ruling “barring the government from bringing the charge in question.” (P. 5)  It also reversed the District Court’s holding on the second object of the conspiracy, “because the government’s intention to prove that Hoskins was an agent of a domestic concern places him squarely within the terms of the statute and takes that provision outside our analysis on the other counts.” (Id.)

Note: Headlines in some recent legal commentaries on Hoskins have characterized the decision in absolute terms (e.g., as an outright rejection of the Department’ interpretation of the FCPA, or as a dismissal of the entire conspiracy count).  Lawyers and compliance professionals, however, should read Hoskins with some care to discern what the Second Circuit panel said and did not say.  Perusal of Hoskins will show that the Justice Department’s capacity to charge foreign-based individuals in FCPA cases is largely intact:

1. Agent/Conspiracy Theory of Culpability: The panel opinion clearly stated that the question before the Court was “whether conspiracy and complicity charges can be used to extend liability beyond the categories delineated in the[FCPA],” and that the Court “assume[d] that Hoskins is not an agent of Alstom U.S. only for the sake of arguments advanced on appeal and express[es] no views on the scope of agency under the FCPA.” (P. 4, n.1)  Its denial of the District Court’s holding on the second object of the conspiracy clearly allows the Department to pursue its agency theory at trial.  Moreover, in his concurring opinion, Judge Gerard Lynch wrote:

[T]he FCPA explicitly contemplates the prosecution of at least some foreign nationals who operate entirely abroad, in that it penalizes foreign  nationals who act as the agents of American companies in paying bribes abroad.  Thus, for example, if Alstom U.S. had channeled its bribes to Indonesian officials through Indonesian citizens who were low‐level Alstom employees in Indonesia, the FCPA would appear to penalize those employees. Indeed, our decision today  leaves intact the possibility that Hoskins himself may be convicted under this indictment for violating the FCPA, if the government establishes that he functioned as the agent of the American company, rather than as one who directed the actions of the American company in the interests of its French parent company.  (Pp. 15-16)

Judge Lynch went on to state that that seemed to him “a perverse result, and one that is unlikely to have been specifically anticipated or intended by Congress” (p. 16).  Nonetheless, his prior statement above concerning the scope of the FCPA indicates that, depending on the underlying facts in future FCPA cases, the Justice Department could plausibly pursue an agency theory of criminal culpability for FCPA conspiracy – as it can continue to do in the Hoskins trial — without running afoul of the main strands of Hoskins.

2. Causation Theory of Culpability: The panel opinion addressed Hoskins’s conduct in relation only to the principal general federal offenses for conspiracy and complicity, 18 U.S.C. §§371 and 2(a) (aiding and abetting) (see pp. 18-19).  Neither the indictment nor the opinions in Hoskins addressed a third option for charging a foreign-based defendant: i.e., combining a substantive FCPA count with 18 U.S.C. §2(b).  Subsection 2(b) provides that anyone “[w]hoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal.”  Though a form of accomplice liability rather than conspiratorial liability, subsection 2(b) can be used against criminal activity in which, as one analysis put it, the defendant “work[s] through either witting or unwitting intermediaries, through the guilty or the innocent.”