Dipping Through Geometries

On April 2, the Swiss Financial Market Supervisory Authority (FINMA) published its 2019 Annual Report.  The Report for the first time integrates FINMA’s Enforcement Report, which previously had been published separately.  While it covers all aspects of FINMA’s supervisory and regulatory activity, three elements of the Report are of particular interest from a risk and compliance perspective.

Enforcement Statistics

The Report presented the following statistical data regarding FINMA’s 2019 enforcement efforts:

• Investigations: FINMA had 307 open investigations at year-end 2019, which represents a 14 percent decline from 2018 (355) and a 4 percent decline from 2017 (320) (p. 52).
• Enforcement Rulings: FINMA had 48 enforcement rulings in 2019.  That represents a nearly 50 percent decline from 2018 (90) and a nearly 30 percent decline from 2017 (67) (p. 52).   In addition, because FINMA rulings can be contested in court, there were 37 court rulings in 2019.  Of those rulings, FINMA had 84 percent of its enforcement rulings upheld wholly or predominantly (p. 48).
• International Cooperation: FINMA received 337 incoming requests for international assistance from other countries. That total reflects a 10 percent decline from 2018 (371) and a 25 percent decline from 2017 (444).  It made 32 outgoing requests regarding enforcement proceedings that it was conducting.  That total reflects a 10 percent increase from 2018 (29) and a 23 percent increase from 2017 (26) (p. 52).

Focal Points for Risk-Based Supervision

Consistent with its “risk-based approach to supervision” (p. 6), FINMA stated that “money laundering remains one of the principal risks for FINMA’s supervised institutions and the Swiss financial centre” (p. 28).  Another key area of FINMA’s supervision and enforcement activities was the FinTech sector.   FINMA reported that it “paid close attention” to Initial Coin Offerings (ICOs) in Switzerland, conducting investigations into approximately 60 ICOs.  At more than 10 ICOs, FINMA identified a breach of the AMLA and brought charges against persons responsible.  FINMA made entries for eight additional cases on its warning list and initiated enforcement proceedings against three companies (p. 48).

In addition, FINMA “identified an increasing involvement on the part of Swiss providers in secondary market-related financial services in the crypto-area,” which included trading and custody of tokens as well as operation of trading venues and associated support activities.  FINMA‘s Enforcement Division conducted investigations into a number of those providers (p. 48).

FINMA also required a number of FinTech companies to comply with measures “to restore compliance with the law” (p. 48).  These measures included the repayment of unlawfully received public deposits under the Banking Act and the removal of the word “bank”, or the withdrawal of advertisements, in cases where FINMA had not granted a license. (P. 48)

Finally, in December 2019 FINMA published its first-ever Risk Monitor.  The Risk Monitor, which will be published annually every fourth quarter beginning in 2020, provides an overview of the main risks to the financial sector “with a time horizon of up to three years and the corresponding supervisory aims for the year ahead” (p. 28).  It identifies six principal risks for its supervised institutions and the Swiss financial center: (1)  the persistent low interest-rate environment; (2) a “possible correction on the real estate and mortgage market”; (3) cyberattacks; (4) what FINMA described as “a disorderly abolition of LIBOR benchmark interest rates”; (5) money laundering; and (6) increased impediments to cross-border market access, particularly in the European Union.

Money Laundering Enforcement Case Analysis

A notable feature of the Report was FINMA’s analysis of enforcement cases concerning the Swiss Anti-Money Laundering Act (AMLA) from recent years.  FINMA conducted this analysis “to learn lessons that can be applied to regular money laundering supervision activities” (p. 28).

That analysis highlighted two types of features identified in those enforcement cases.  The first feature was business relationships displaying risk factors (measured as a percentage of AMLA cases involving such business relationships):

• High level of assets under management and/or transaction volumes: 68 percent
• Client relationships with a beneficial owner with multiple domiciliary companies or private accounts: 50 percent
• Business relationships with profitability from institution’s perspective: 36 percent
• Relationships with government-affiliated clients: 32 percent
• Relationships involving independent asset managers: 27 percent
• Business relationships from markets with significant money laundering risks, where the institution is pursuing a growth strategy: 23 percent
• Business relationships in which an Executive Board/Board of Directors member/owner of an institution is heavily involved: 18 percent
• Business relationships in which multiple locations/units are involved: 18 percent
• Business relationships that do not correspond to the institution’s business model: 14 percent
• Pass-through transactions: 14 percent
• Business relationships that were taken over from a predecessor institution: 14 percent
• Retained correspondence business relationships: 9 percent (p. 29)

The second feature was legal shortcomings and breaches in business relationships (also measured as a percentage of AMLA cases involving such business relationships):

• Clarification of plausibility of transactions: 100 percent
• Clarification of plausibility of business relationships: 86 percent
• Defective organization or risk management, or breach of guarantee of irreproachable conduct: 77 percent
• Failure to recognize a risk category and/or no license: 77 percent
• Breach of disclosure obligation: 55 percent
• Incorrect identification of beneficial owner: 50 percent
• Lack of overall monitoring of business relationships and transactions: 36 percent
• Documentation obligation: 36 percent
• Defective monitoring system for high-risk transactions: 32 percent
• Weak point, lack of risk awareness at second line of defense: 27 percent
• Lack of anti-money laundering training: 14 percent
• Defective monitoring of independent asset managers after having delegated client identification process: 14 percent (p. 29)

Assessment

Overall, FINMA had a series of notable risk- and compliance-related accomplishments during 2019, including its enforcement procedures against Credit Suisse for AML deficiencies, its issuance of the Risk Monitor, and continuing cooperation with foreign regulators such as the U.S. Securities and Exchange Commission.  FINMA has continued to maintain an aggressive stance in its investigative and enforcement efforts during 2020, such as its imposition of measures and sanctions against Julius Baer for serious AML failings and its investigation of the corporate surveillance at Credit Suisse that led to the ouster of its chief executive.

Enforcement-watchers should nonetheless take note of the significant declines in FINMA investigations and enforcement actions.  Those declines are highly likely to continue in 2020, as the coronavirus pandemic takes its toll of the Swiss population and the national lockdown constrains supervision and enforcement operations.

In any event, attorneys advising financial institutions on AML compliance and AML compliance officers should peruse the FINMA enforcement case analysis with some care.  That analysis indicates that AML compliance programs need to focus not only on sustaining standard components of AML compliance programs, such as overall monitoring and training, but also on informing business leaders and first- and second-line compliance team members that certain factors indicate the implausibility and illogic of certain types of transactions and  business relationships from an AML perspective.  Moreover, AML compliance officers should compare the FINMA risk factors against their own AML risk and compliance programs, to see whether other aspects of their programs can be strengthened.

On March 27, Luxembourg’s financial regulator, the Comite de Surveillance du Secteur Financier (CSSF), announced (in French) that it had suspended Marc Ambroisien, the former chief executive officer of Luxembourg private bank Edmond de Rothschild (Europe), for ten years, based on a “loss of professional repute.”  (Note: All translations to English herein are unofficial.)

The CSSF noted “serious shortcomings,” both individually and personally, with regard to Ambroisien’s service as a former certified director and former member of the board of directors of Rothschild.  It specifically cited him for having failed in his obligations to see that Rothschild (1) “put in place a solid internal governance system and sound and prudent risk management”; and (2) “respects its professional obligations with regard to the fight against money laundering and terrorist financing.”

As a result, the CSSF concluded that Ambroisien no longer met the requirement, under section 7(1) of Luxembourg’s Law of April 5, 1993 on the Financial Sector, that authorization for a bank established under Luxembourg law be subject to the condition that members of a management body “shall at all times be of sufficiently good repute . . . to perform their duties.”

Note: This extraordinarily severe sanction by the CSSF can be directly traced to Rothschild’s entanglement in the Malaysian 1 MDB corruption and money-laundering scandal.  In 2017, the CSSF fined Rothschild €8,985,000 in connection with the bank’s alleged involvement in the scandal.  While the CSSF did not accuse Rothschild of money laundering related to 1 MDB, it cited the bank – in language highly similar to its recent suspension of Ambroisien – for “having failed in its obligation to put in place a solid internal governance system that covered, in particular, a compliance policy and respect for banks’ professional obligations with regard to the fight against money laundering and terrorist financing.”

At that time, media reports had accused Ambroisien, who had left his directorship at Rothschild in 2015, of having “knowingly received gray money” amounting to hundreds of millions of dollars from transactions related to 1MDB.  Ambroisien has not been charged in any 1MDB-related criminal cases, but the CSSF suspension effectively terminates his banking career in Luxembourg.

On March 30, the Japan Times reported that Kansai Electric Power Company (Kepco) publicly stated, in response to a directive by the Japanese Ministry of Economy, Trade and Industry (METI), that it would reform its corporate governance by appointing a new chairman and creating panels “consisting mostly of outside directors to oversee the nomination, remuneration and audits of its executives.”

The plan is a direct response to the public outcry caused when a third-party investigation found that for more than three decades starting in 1987, the late Deputy Mayor of the town of Takahama, Eiji Moriyama, had paid some ¥360 million ($3.4 million) in cash and gifts to 75 people that included a number of Kepco executives, “to favor a construction company that was linked to him.”

According to the Japan Times, the executives “said they could not reject the bribes for fear of retribution against their companies and themselves.”  METI has directed Kepco to report on its progress in improving corporate governance by the end of June 2020.

Note: Kepco will need to do more than fill executive positions to address its governance problems in the wake of the Moriyama scandal.  As the Japan Times has separately reported, since 1987 Moriyama “had served as a powerful local fixer between Kepco officials and Takahama businesses, giving cash and gifts to Kepco officials in exchange for kickbacks and giving contracts to construction-related firms with ties to Moriyama, which then paid Moriyama a consulting fee.”

Although Moriyama may have been uniquely powerful in his relationships with Kepco executives, the new Kepco leadership will also need to consider further changes in its governance and compliance structures to dispel the deep-seated corporate tolerance for bribery.  That effort will not be easy, as there are indications that Kepco’s prevailing culture has operated to shield senior executives from accountability for misdeeds and errors.  The Japan Times noted that

18 executives who took pay cuts totaling about ¥1.94 billion between March 2012 and June 2019 due to the utility’s poor performance after 3/11 [the 2011 earthquake and tsunami that caused nuclear accidents at the Fukushima nuclear power plant] then secretly received a total of ¥260 million [$2.4 million] between July 2016 and October 2019 upon their respective retirements, as way to at least partially repay the earlier cuts.

Kepco has reportedly said that it will seek a return of the money secretly paid to the 18 executives.  Yet it continues to face questions whether those executives will be investigated, and whether Kepco officials received bribes from other local officials connected with other nuclear power plants in the region.  Ultimately, Kepco will need to demonstrate – to METI and to the public  — that its commitment to responsible governance and effective compliance is real and that it is actively working toward a genuine culture of compliance.

On March 23, Reuters reported that during March, cyberattackers attempted to hack into the World Health Organization (WHO), which has been playing a leading role in informing people about the coronavirus pandemic.  According to Reuters, cybersecurity expert Alexander Urbelis noticed around March 13 that a group of hackers that he had been following “activated a malicious site mimicking the WHO’s internal email system.”

The WHO’s Chief Information Security Officer, Flavio Aggio, told Reuters that the hackers’ identity was unclear and their effort unsuccessful.  He also stated that “[t]here has been a big increase in targeting of the WHO and other cybersecurity incidents.  There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

In addition to cyberattackers’ likely interest in personal identifying information, Costin Raiu, head of global research and analysis at Kaspersky Labs, identified strategic intelligence as another motive for the WHO attacks.  In his words, “At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Note: Chief Information Security Officer (CISO) teams should pass on this information promptly to all of their enterprise’s employees, whether working in corporate offices or from home.  In particular, they need to remind employees (including senior executives) that they should never respond to any unsolicited emails or texts that purport to come from the WHO or other government agencies offering information about the coronavirus, and should report any such emails received through their enterprise’s email system through the appropriate enterprise channels.

In addition, CISO teams should remind employees that if they are interested in obtaining coronavirus-related information from government agency websites, they should use only their personal computers to access trusted search engines and verify that the sites in which they are interested are legitimate official sites.  All public- and private-sector employees need to recognize that there are cyberattackers who have no compunctions about exploiting the public’s fear and confusion about the coronavirus, as the WHO itself put it in a recent public advisory, “to steal money or sensitive information.”

On March 19, the anti-bribery business association and training provider TRACE issued its 2019 Global Enforcement Report.  The Report characterized 2019 as “a relatively slow year for enforcement actions in transnational bribery cases.”

The Report’s principal findings included the following:

• The numbers of enforcement actions in cases involving bribery of foreign officials decreased for both the United States (19 percent, from 21 to 17) and non-U.S. jurisdictions (45 percent, from 11 to 6) (pp. 3, 8).
• The United States had by far the highest number of investigations concerning bribery of foreign officials (121), followed by the United Kingdom (46), Germany (27), Switzerland (20), and France (16) (p. 6). As of the end of 2019, Brazil was conducting the most investigations concerning alleged bribery of domestic officials by foreign companies (32), followed by India (17) and China (14) (p. 13).
• Companies in the extractive industries had the highest number of U.S. investigations concerning bribery of domestic and foreign officials (24, constituting approximately 19 percent of all U.S. investigations), followed by financial services (20, constituting 16 percent) and manufacturers/service providers (15, constituting 12 percent) (p. 20).
• Companies in the extractive industries had the highest number of non-U.S. investigations concerning bribery of foreign and domestic officials (95, of which 49 were investigations involving foreign officials and 46 investigations involving domestic officials). Engineering/construction companies had a total of 83 non-U.S. investigations, and aerospace/defense/security companies a total of 72 non-U.S. investigations (p. 18).
• Among countries of bribe recipients in investigations concerning bribery by U.S.-headquartered companies, China has the highest number (27), followed by Brazil (19) and India (11) (p. 16).
• Since 1977, China also had the highest prevalence of alleged bribery by foreign companies. Chinese officials were the alleged recipients of bribes in more than 110 different enforcement events (p. 15).

Note: The Report correctly states that “the resulting enforcement levels were not out of line with historical trends of anti-bribery enforcement” (p. 3).  That means, among other things, that while multinational cooperation in foreign-bribery investigations and enforcement actions continued through 2019, since 1977 the United States has continued to outpace other countries in the number of enforcement actions concerning bribery of foreign officials (279), with the United Kingdom and the Netherlands a distant second and third (42 and 14, respectively) (p. 7).

At this point in the coronavirus pandemic, it is highly likely that many countries, including the United States, will be forced to slow the pace and productivity of their anti-corruption enforcement programs through the remainder of 2020.  Whether participants in ongoing foreign-bribery schemes will be similarly constricted in their maintenance of those schemes remains to be seen.