Charity Commission Issues Formal Regulatory Alert to International Aid Charities on Safeguarding People

Since 2018, the international aid sector has lived under the shadow of the long-running scandal involving Oxfam GB, one of the components of the global charitable confederation Oxfam.  At that time, initial media reports that Oxfam had covered up an investigation into the hiring of sex workers for orgies by Oxfam staff who were working in Haiti after the 2010 earthquake quickly led to a cascade of problems for Oxfam GB: a statutory inquiry by the Charity Commission for England and Wales, widespread international criticism, the loss of thousands of its donors, and ultimately a three-year ban on receipt of overseas development funding from the United Kingdom government.

Moreover, even though Oxfam GB regained its eligibility to bid for UK government funds this spring, almost immediately the UK government again suspended Oxfam GB’s eligibility when new allegations of Oxfam workers’ sexual exploitation and bullying of people in the Democratic Republic of the Congo came to light.  As a spokesman for the UK Foreign and Development Office explained, “All organisations bidding for UK aid must meet the high standards of safeguarding required to keep the people they work with safe.”

The Charity Commission has now taken the extraordinary step of issuing a formal regulatory alert to assist trustees of international aid charities in improving their safeguarding practices.  The Commission noted that international aid charities had delivered “tangible safeguarding improvements” in various areas, but cautioned that “further work is required to deliver transformative change.” It also stated that “[a]nalysis of recent safeguarding serious incident reports, including those related to activities in the Democratic Republic of the Congo, has also identified specific areas of ongoing risk.”

Accordingly, the Commission directed three sets of recommendations to trustees of international aid charities to achieve more effective safeguarding arrangements:

  1. Strengthening safeguarding risk prevention and risk management measures: On this issue, the Commission advised that every trustee “should have clear oversight of how safeguarding and protecting people from harm are managed within their charity,” including monitoring performance with statistics and supporting information.  In particular, the Commission offered five key steps for trustees to consider:
    • “making sure policies, communications and ongoing performance management help maintain appropriate behaviours by charity staff and workers to each other and the beneficiaries they serve”;
    • joining the Steering Committee for Humanitarian Response’s Misconduct Disclosure Scheme to help protect charities and other organizations in the sector “from individuals who pose a safeguarding risk”;
    • exploring whether gender and diversity imbalances in a charity’s trustee board and senior management “are potential safeguarding risk factors which require proactive management”;
    • determining whether trustees “can use the sector-led safeguarding culture tool as part of developing and modelling a positive safeguarding culture”; and
    • reviewing the UK charity Keeping Children Safe’s “summary findings from safeguarding-specific central assurance assessments of charities” to identify any relevant lessons for a charity, such as whistleblowing and safeguarding risk management.
  2. Improving reporting by local beneficiaries: On this issue, the Commission reported that it had recently contacted a sample of international aid charities “and found that several had not received any safeguarding reports from third parties or partner agencies.”  Recognizing that “underreporting of safeguarding incidents directly to international aid charities persists,” it offered four key steps for trustees to consider:
    • “giving victims and survivors, and their families and friends, a safe means to report their concerns and complaints”;
    • “designing reporting mechanisms that are sensitive to the local context, considering face-to-face reporting and safe spaces for witnesses and survivors to report”;
    • “where appropriate, using community-based organisations to hold open and frank conversations with beneficiaries about any concerns in a safe and trusted environment”; and
    • “reviewing the reporting arrangements in place with any third parties or partner agencies and assessing what steps can be taken to develop them.”
  3. Developing management responses including victim and survivor support:  On this issue, the Commission urged trustees to ensure that support is available to victims and survivors.  It offered four key steps for trustees to consider:
    • “developing a survivor-centred approach to safeguarding that accurately reflects the range of potential harms faced and considers possible victim and survivor support services from programme/project conception”;
    • “clearly communicating what support is available to victims and survivors and how it is accessed”;
    • “acting quickly to prevent or minimise any further harm or damage when incidents or allegations occur”; and
    • “launching robust and timely investigations into allegations or concerns where they arise.”

All of the Commission alert’s recommendations are salutary.  What the alert does not address is that charities’ trustees and senior leaders must also state unequivocally, in codes of conduct and periodic internal training, that any form of exploitation of beneficiaries, whether sexual, financial or otherwise, is strictly forbidden and may result in severe disciplinary action, including termination.  The future credibility of the international aid sector will depend substantially on how well aid charities communicate their commitment to safeguarding vulnerable populations and demonstrate that commitment through concrete action.

Two Former London Precious Metals Traders Sentenced to U.S. Federal Prison for “Spoofing” Trades

With the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), it is a U.S. federal crime for commodities traders to engage in “spoofing.”  Spoofing is a trading practice that involves the placement of bids to buy or offers to sell futures contracts and cancellation of the bids or offers prior to the deal’s execution.

Because spoofing can result in massive market manipulation, U.S. enforcement authorities have vigorously pursued enforcement actions against companies and individuals for systematic spoofing.  In 2020, for example, the U.S. Commodity Futures Trading Commission imposed a record $920 million fine on J.P. Morgan Chase & Co. for engaging in spoofing and market manipulation over at least eight years.  In addition, the U.S. Department of Justice, which has authority to prosecute criminal spoofing violations, has prosecuted a variety of spoofing cases against U.S.- and foreign-based commodities traders.

Two recent sentences of London-based commodities traders show the Justice Department’s continuing commitment to prosecuting spoofing, as well as the vagaries of the sentencing process in U.S. federal courts.  On June 25 and 28, respectively, two former Deutsche Bank commodities traders, James Vorley and Cedric Chanu, were each sentenced to one year and a day of imprisonment.  The cases against Vorley and Chanu were part of a larger Justice Department investigation of Deutsche Bank for Foreign Corrupt Practices Act and spoofing-related violations that resulted in corporate resolutions with Deutsche Bank involving more than $130 million in criminal and civil penalties.

Vorley and Chanu, who had been precious metals traders with Deutsche Bank in London, were indicted by a federal grand jury in Chicago on spoofing-related charges.  Both men were convicted after a five-day trial in 2020, based on evidence that they and other Deutsche Bank traders engaged in a scheme to defraud other traders on the Commodity Exchange Inc.

Although the federal prosecutors had recommended a sentence of 57 to 61 months’ imprisonment, the Chicago U.S. Probation Office (which, among other functions, formulates independent sentencing recommendations for federal judges in that judicial district) reportedly recommended no prison time for either defendant.  Despite – or perhaps because of – the prosecutors’ vigorous opposition to the Probation Office recommendations, the sentencing judge imposed sentences on each defendant that were less than 25 percent of the minimum sentences that prosecutors had sought.

Firms engaging in commodities trading should take note of three lessons to be learned from the Vorley and Chanu cases. First, these prosecutions show that the Justice Department has authority to prosecute traders for spoofing, regardless of where the traders are physically located, if it can show an effect on U.S. markets, use of U.S. financial channels, or communications to or from the United States in furtherance of the spoofing scheme.  Second, the Vorley and Chanu sentences should not be taken as an indication of probable sentences in future cases.  Under the U.S. Commodity Exchange Act, a conviction for spoofing can result in up to ten years’ imprisonment.  Finally, firms should use these cases as an opportunity to review their compliance programs and make sure that their internal controls are effective in detecting possible ongoing spoofing activity.

Belgian Security-Services Firm Agrees to Plead Guilty to U.S. Charges of Bid-Rigging, Customer Allocation, and Price-Fixing

In its enforcement of U.S. criminal antitrust laws, the Department of Justice has long focused on price-fixing, bid-rigging, and market allocation as “hard-core violations.” Since 2019, however, the Justice Department has intensified that focus with regard to federal procurement, through its creation of the Procurement Collusion Strike Force (PCSF).  The Department has described the PCSF as “a joint law enforcement effort to combat antitrust crimes and related fraudulent schemes that impact government procurement, grant, and program funding at all levels of government – federal, state and local.”  Last year, the Department expanded the ambit of the PCSF’s responsibilities with the creation of “PCSF: Global”, which it states is “designed to deter, detect, investigate and prosecute collusive schemes that target government spending outside of the United States.”

On June 25, the Department announced, as the PCSF’s first international resolution, that a Belgian security-services firm, G4S Secure Solutions NV (G4S), had agreed to plead guilty for its role “in a conspiracy to rig bids, allocate customers, and fix prices for defense-related security services, including a multimillion-dollar contract issued in 2020 to provide security services to the U.S. Department of Defense for military bases and installations in Belgium.”  In a criminal information that it filed in U.S. District Court in Washington, D.C., the Department alleged that G4S had violated section 1 of the Sherman Act, which prohibits conspiracies in restraint of trade, by participating in a conspiracy between 2019 and 2020 with unspecified co-conspirators “to allocate security services contracts in Belgium among themselves and to determine the prices at which contracts would be bid. The contracts affected by the conspiracy include those for the U.S. Department of Defense and the North Atlantic Treaty Organization Communications and Information Agency, which is funded in part by the United States.”

As part of a plea agreement with the Justice Department, G4S agreed to plead guilty to the information and to pay a $15 million criminal fine.  While the plea agreement is subject to court approval, the Department stated that G4S “began cooperating with the United States in April 2020 and will continue to cooperate in the ongoing investigation.”

Observers of federal procurement law and policy should expect that, based on the longstanding practice of the Department’s Antitrust Division in its criminal investigations, the Department will announce additional criminal resolutions with other firms that participated in the alleged conspiracy with G4S.  There is no set timetable for such resolutions, and the dates of the alleged conspiracy are quite recent.  No one should be surprised, therefore, if the Department does not announce additional plea agreements with other security firms for several months, if not a year or more.

European Commission Proposes Joint Cyber Unit to Respond to Major Cyberattacks

Since the start of 2020, there has been explosive growth in the number of sophisticated cyberattacks directed at public- and private-sector entities around the world.  Some of these attacks have been broadscale, such as the SolarWinds attack that successfully compromised approximately 100 companies (including leading high-tech companies such as Microsoft, Intel and Cisco) and approximately a dozen U.S. government agencies (including the Departments of Defense, Energy, Justice, and the Treasury).  Others have been narrowly targeted, such as ransomware attacks directed at critical infrastructure companies including Colonial Pipeline and meat producer JBS.

Moreover, these cyberattacks are rapidly increasing the costs that governments and businesses must bear.  One recent report estimates that global cybercrime costs will increase by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025.

Although many of the widely reported cyberattacks focused on American targets, Europe is no less vulnerable to such attacks.  According to the European Union Agency for Cybersecurity (ENISA), there were 304 significant malicious attacks against critical sectors in 2020 — more than twice as many as recorded in 2019 (146) — and a 47 percent increase in cyberattacks on hospitals and health care networks.

The European Union (EU) has taken a variety of measures to provide closer coordination on cybercrime issues, such as Europol’s European Cybercrime Centre and the Joint Cybercrime Action Task Force.  But the speed and severity of recent cyberattacks, particularly when conducted by state actors confident of their impunity, make clear that closer coordination and information-sharing among EU Member States is essential to cope with such attacks.

In response to these developments, on June 23 the European Commission (EC) announced that it was proposing the creation of a new Joint Cyber Unit “to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the European Union.”  First proposed by EC President Ursula von der Leyen in her Political Guidelines for 2019-2024, the Cyber Unit would constitute “a virtual and physical platform of cooperation” that would bring together cybersecurity communities (including civilian, law enforcement, diplomatic, and cyberdefense communities, as well as private sector partners) to “build progressively a European platform for solidarity and assistance to counter large-scale cyberattacks.”

The EC announcement stated that the Joint Cyber Unit would allow participants, who would be expected to contribute operational resources to the Unit, to share best-practice and real-time threat information:

“It will also work at an operational and at a technical level to deliver the EU Cybersecurity Incident and Crisis Response Plan, based on national plans; establish and mobilise EU Cybersecurity Rapid Reaction Teams; facilitate the adoption of protocols for mutual assistance among participants; establish national and cross-border monitoring and detection capabilities, including Security Operation Centres (SOCs); and more.”

The EC also outlined “a gradual and transparent process” for building the new Unit, with the aim of moving the Unit to the operational phase by June 30, 2022 and full establishment by June 30, 2023.  ENISA is to serve as secretariat for the preparatory phase of the Unit, which reportedly will operate close to the Brussels offices of ENISA and the office of CERT-EU, the Computer Emergency Response Team for the EU institutions, bodies, and agencies.

Nation-state adversaries and cybercrime organizations are certain to maintain, if not to increase, the number and sophistication of their cyberattacks against European agencies and companies of all sizes.  For that reason, key European information-technology and industrial firms should actively support the Joint Cyber Unit and be prepared to provide the necessary operational resources to stand it up as early as possible.  As one EC official put it, the EU must prepare against “the nightmare scenario” that the Colonial Pipeline attack presented.  The faster that cyberattackers can infiltrate and compromise critical infrastructure, the faster that coordinated public-private responses to such attacks need to become.

Former Chief Operating Officer of Network Security Company Indicted for Conducting Cyberattack on Medical Center

It is common for companies and cybersecurity providers to talk about “cyber due diligence” as something that needs to be conducted in connection with pending mergers or acquisitions.  A 2020 survey of 1,000 executives at U.S. corporations and private equity investor firms found that cybersecurity threats were the respondents’ principal concern about executing a deal in a virtual environment.

Cyber due diligence, however, must be a year-round concern for companies as they engage external providers of cyber-related services.  Regrettably, a recent indictment that the U.S. Department of Justice obtained shows that companies cannot assume that the cybersecurity providers they engage are guaranteed to be trustworthy merely because they offer legitimate cybersecurity solutions.

On June 10, the Justice Department announced that on June 8, it had obtained an indictment in the Northern District of Georgia against Vikas Singla, the former chief operating officer of a metro-Atlanta network security company that served the health care industry, for allegedly conducting a cyberattack on Gwinnett Medical Center (GMC).  The alleged attack, which took place in 2018, was conducted, in part, for financial gain.

The indictment charges Singla with 17 counts of intentional damage to a protected computer and one count of obtaining information by computer from a protected computer.  It alleges that on September 27, 2018, Singla – aided by unknown others – intentionally caused damage to GMC computers that operated a GMC phone system and multiple printers, and obtained information from a Hologic digitizing device.

As the information regarding this indictment suggests, a company with an established working relationship with an external cybersecurity provider should maintain a “trust but verify” relationship between its internal information-security team and the external provider.  Any indication from the company’s intrusion-detection systems that the provider (or an employee thereof) is seeking to enter the company’s networks or systems without clear prior approval may require an immediate cyberdefense response that does not involve the provider.  For comparison, GMC reportedly began investigating an unspecified security breach in 2018 after some of its patients’ data began appearing online; that investigation may have been what led to the Singla indictment.
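One way to put the “trust but verify” point above into practice is to compare every authentication event by an external provider’s accounts against the access windows the company approved in advance (for example, from a change ticket) and to alert on anything outside them. The following Python is an added example, not code from the page or from any company it mentions; the provider account names, approval windows and log lines are all constructed.

```python
"""Flag external-provider access that falls outside any pre-approved window (added example)."""
from collections import Counter
from datetime import datetime

# Constructed: accounts issued to the external security provider (hypothetical names).
PROVIDER_ACCOUNTS = {"svc-provider-noc", "provider-eng01"}

# Constructed: approved access windows as (account, start, end, ticket).
# In practice these would come from the change-management system.
APPROVED_WINDOWS = [
    ("svc-provider-noc", datetime(2021, 6, 30, 9, 0), datetime(2021, 6, 30, 11, 0), "CHG-0001"),
]

# Constructed sample log in the form "<ISO timestamp> <user> <event> <source-ip> <target>".
# The two late-evening entries have no matching approval and should be flagged;
# the failed login counts as well, since an attempt without approval is itself an indicator.
SAMPLE_LOG = """\
2021-06-30T09:15:00 svc-provider-noc LOGIN_OK 203.0.113.10 pbx-01
2021-06-30T10:05:00 jdoe LOGIN_OK 10.0.0.5 fileserver-02
2021-06-30T22:40:00 svc-provider-noc LOGIN_OK 203.0.113.10 pbx-01
2021-06-30T22:41:00 provider-eng01 LOGIN_FAIL 203.0.113.11 printer-ctl-03
2021-06-30T22:42:00 provider-eng01 LOGIN_OK 203.0.113.11 printer-ctl-03
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, event, src, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "src": src, "target": target}


def is_approved(user, ts):
    """True if some approved window covers this account at this time."""
    return any(user == acct and start <= ts <= end
               for acct, start, end, _ticket in APPROVED_WINDOWS)


def find_unapproved_provider_access(log_text):
    """Return every provider-account event (successful or failed) with no prior approval."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["user"] in PROVIDER_ACCOUNTS and not is_approved(ev["user"], ev["ts"]):
            alerts.append(ev)
    return alerts


def summarize_by_account(log_text):
    """Count unapproved events per provider account, for triage by the internal team."""
    return dict(Counter(ev["user"] for ev in find_unapproved_provider_access(log_text)))


if __name__ == "__main__":
    for ev in find_unapproved_provider_access(SAMPLE_LOG):
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} {ev['event']} -> {ev['target']} from {ev['src']}")
```

The alerts are meant to go to the company’s own security team for an out-of-band check with the provider, not to the provider’s ticket queue.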