FINRA Fines BNP Paribas Subsidiaries $15 Million for AML Program and Supervisory Failures

On October 24, the U.S. Financial Industry Regulatory Authority (FINRA) announced that it fined two BNP Paribas subsidiaries — BNP Paribas Securities Corp. and BNP Paribas Prime Brokerage, Inc. (collectively BNP) — $15 million for a variety of anti-money laundering (AML) program and supervisory failures that involved penny stock deposits and resales, and wire transfers, over a four-year period.

FINRA stated the following findings with regard to BNP:

  • Lack of Written AML Program and Surveillance: From February 2013 to March 2017, BNP, despite its penny stock activity, “did not develop and implement a written AML program that could reasonably be expected to detect and cause the reporting of potentially suspicious transactions.” In fact, according to FINRA, until 2016, “BNP’s AML program did not include any surveillance targeting potential suspicious transactions involving penny stocks, even though BNP accepted the deposit of nearly 31 billion shares of penny stocks, worth hundreds of millions of dollars, from its clients, including from so-called ‘toxic debt financiers.’”
  • Lack of Supervisory Systems and Written Procedures: BNP “did not implement any supervisory systems or written procedures to determine whether resales of securities, including the penny stocks deposited by its customers, complied with the registration requirements of Section 5 of the Securities Act of 1933. As a result, BNP facilitated the removal of restrictive legends from approximately $12.5 million worth of penny stocks without any review to evaluate the transactions for compliance with Section 5.”
  • Lack of Wire Transfer Review: During the same four-year period, BNP “processed more than 70,000 wire transfers with a total value of over $230 billion, including more than $2.5 billion sent in foreign currencies. BNP’s AML program did not include any review of wire transfers conducted in foreign currencies, and did not review wires conducted in U.S. dollars to determine whether they involved high-risk entities or jurisdictions.”
  • Inadequate Staffing of AML Program: BNP’s AML program “was understaffed. For example, although BNP effected more than 70,000 wire transfers during a two-year period, with a total value of $233 billion, during a majority of that period, only one investigator was tasked with reviewing alerts relating to wires originating from BNP’s brokerage accounts. Although BNP identified many of these deficiencies as early as January 2014, BNP did not fully revise its AML program until March 2017. As a result, BNP did not identify ‘red flags’ indicative of—or review—potentially suspicious activity involving the deposit and sales of penny stocks or foreign wire transfers that may have required the filing of a suspicious activity report.”

The settlement of this case involved BNP’s consent to the findings and the fine, and to certify within 90 days that BNP’s procedures are reasonably designed to achieve compliance in the areas previously described.

N.B.: Compliance teams at broker-dealer firms should read the FINRA Letter of Agreement in this case with care, and compare it and Regulatory Notice 19-18, which FINRA issued this past May, against their current AML programs. Broker-dealers, and the larger financial institution community, have every reason to expect that both government regulators and self-regulatory organizations such as FINRA will be increasingly intolerant of long-term, sustained failures to address fundamental requirements for AML compliance.

United Kingdom National Cyber Security Centre Reports 658 Cyber-Attacks on United Kingdom in 2018

On October 23, the United Kingdom National Cyber Security Centre (NCSC) issued its Annual Review 2019. The Review stated that during 2019, the NCSC had defended the United Kingdom against 658 cyberattacks.

Other NCSC findings and accomplishments in the Review included the following:

  • General Computer Misuse: In the year ending March 2019, adults 16 and over experienced an estimated 966,000 incidents of computer misuse.
  • Public Attitudes: The Review included the results of the first UK Cyber Survey of individuals and organizations. The Cyber Survey included the following findings:
    • 80 percent said that cyber security is a high priority to them, with 50 percent saying it is a “very high” priority and 30 percent saying it is a “fairly high” priority.
    • 68 percent of respondents said that they knew a great deal (15 percent) or a fair amount (53 percent) about how to protect themselves online.
    • 70 percent “believe they will likely be a victim of at least one specific type of cyber crime over the next two years, and most feel there would be a big personal impact.” For example, 42 percent thought that they would have money stolen but have the money reimbursed, while 27 percent thought that they would have money stolen and not reimbursed.
  • Cyber-Defense: The NCSC took down 177,335 phishing URLs, 62.4 percent of which were removed within 24 hours, and produced 154 threat assessments.
  • Cooperation and Training: The NCSC enabled 2,886 small businesses across the United Kingdom to do simulated cyber exercising for themselves.

The Review also contained a number of details regarding “Operation Haulster,” which the NCSC described as a “pioneering” collaboration between the NCSC and the private sector. Haulster

takes stolen credit cards collected by the NCSC and partners, then, working with UK Finance, repatriates them to banks, often before they are ever used for crime. Card providers are then able to block cards to protect both financial institutions and the public. In most cases, this has been done before a crime has taken place, meaning hundreds of thousands of victims of high-end cyber crime were protected before they lost a penny.

Haulster reportedly has already flagged “fraudulent intention against more than one million stolen credit cards,” and now “is in the process of scaling this operation,” in hopes of reducing considerably more attacks in the near future.

N.B.: Cybersecurity teams at companies doing business in the United Kingdom should read the Review, to learn more about public attitudes towards cybercrime and the NCSC’s cyberdefense and outreach efforts. Given the rapid pace at which new exploits can be successfully devised and launched, and the sheer number of cyberattacks, increasing public-private cooperation on cybersecurity issues is more important than ever.

Trust Without Verifying: United Kingdom Charity Commission’s Fraud Research Study Finds Many Charities Failing to Recognize Their Own Fraud Vulnerabilities

On October 21, the United Kingdom Charity Commission published a report on the results of its research study about fraud awareness, resilience, and cybersecurity. The Commission stated that the study’s findings, based on responses earlier this year from more than 3,000 charities, show that “charities are not always recognising how vulnerable they are, and not consistently putting basic checks and balances in place”:

  • More than two-thirds of charities (69 percent) “think fraud is [a] major risk to the charity sector and internal (insider) fraud is recognised as one of the biggest threats.” In general, “larger charities (particularly those that have suffered fraud) are more likely to acknowledge the risk of fraud.”
  • One-third think that “fraud is a greater risk to the charity sector than other sectors.”
  • More than half (53 percent) of charities affected by fraud in the past two years “knew the perpetrator.” In particular, in cases where the identity of the fraudster was known, 29 percent were paid staff members (40 percent in 2009), 18 percent were volunteers (11 percent in 2009), 13 percent were beneficiaries (only 5 percent in 2009), 10 percent were trustees (only 3 percent in 2009), and only 14 percent of fraudsters had no previous connection to the charity (11 percent in 2009).
  • But nearly half (48 percent) believe that “they’re not vulnerable to any of the most common fraud enablers,” and more than one-third (34 percent) think that “their organisation is not vulnerable to any of the most common types of charity fraud.”
  • 85 percent of charities “think they are doing everything they can to prevent fraud, but almost half don’t have any good-practice protections in place.”
  • Fewer than 9 percent even have a fraud awareness training program.
  • Only 30 percent have a whistleblower policy.
  • 26 percent of charities believe that “they’re vulnerable to fraud because of an over-reliance on goodwill and trust.”

N.B.: These findings indicate that many in the charitable sector are just as vulnerable to overconfidence bias as commercial-sector entities. Because charities in England and Wales reportedly spend nearly £80 billion each year, it is incumbent on those charities to look unsparingly at themselves and their fraud readiness – including defenses against charity insiders’ misconduct. For that reason, the Commission’s report bears close reading, both for its findings and for the counter-fraud practices that the Commission recommends.

Swiss Attorney General Holds Commodities Firm Gunvor Group Criminally Liable for Foreign-Official Bribery, Orders Payment of Nearly $95 Million

On October 17, the Office of the Attorney General of Switzerland (OAG) announced that it had held global commodity-trading company Gunvor Group (Gunvor) criminally liable for acts of foreign corruption, and ordered it to pay nearly CHF 94 million ($95 million), including a fine of CHF 4 million ($4 million).

The OAG, whose investigation focused on Gunvor’s activities in the Republic of Congo and Ivory Coast between 2008 and 2011, found that “[d]ue to serious deficiencies in its internal organisation,” Gunvor failed to prevent the bribery of public officials in those countries, in violation of Article 102, paragraph 2 of the Swiss Criminal Code (SCC) (corporate criminal liability) in conjunction with SCC Article 322septies (foreign-official bribery). Those acts of corruption, which had the aim of securing access to the petroleum markets in both countries, were the subject of a 2018 judgment by the Criminal Chamber of the Swiss Federal Criminal Court.

The OAG investigation identified numerous compliance failures by Gunvor during the 2008-2011 period under investigation:

  • Gunvor “had taken no organisational measures to prevent corruption in its business activities: the company did not have a code of conduct to give a clear signal and guidance to its employees on their activities, nor did it have a compliance programme.”
  • Gunvor also “did not have an internal audit procedure and had not appointed a staff member to take charge of identifying, analysing or reducing the risk of corruption.”
  • Furthermore, “no internal guidelines were in place and no training was offered to raise employee awareness and reduce the risks associated with corruption.” The OAG added that “[i]t therefore seems that Gunvor accepted that a risk of corruption was inherent in the company’s commercial activities, at least in the relevant markets.”
  • Gunvor “did not attempt to manage the risk of corruption associated with using agents to obtain petroleum shipments, for which commissions of several tens of millions of US dollars were paid between 2009 and 2012.” In particular, it “had no formal selection process for any of the agents that it used and it did not carry out any checks on their activities, despite the fact that Swiss and international anti-corruption standards (OECD, ICC, SECO) specifically highlight the increased risk of corruption associated with agents’ activities.” Those standards, according to the OAG, “recommend that properly documented due diligence be carried out, that the selection process is regulated, that warning signs are defined to detect potentially illegal activities and that regular checks are made, in particular when agents’ invoices are paid.”
  • Finally, “It was also found that at the time of the events, warning signs had been ignored and other irregularities had occurred, including authorisation being given for a substantial number of payments to third party offshore companies unrelated to oil activities and the backdating of supporting letters to banks.”

In view of the findings of its investigation and the Swiss Federal Criminal Court’s 2018 judgment, on October 14 the OAG issued a summary penalty order that convicted Gunvor and ordered the payment of nearly CHF 94 million ($95 million), including a fine of CHF 4 million ($4 million).

The OAG explained that under the corporate criminal liability provisions in SCC Article 102, paragraph 3, “the fine to be imposed on an undertaking found criminally liable is largely determined by the seriousness of the offence and of the organisational deficiencies, the loss or damage caused and the economic capacity of the undertaking, with the maximum fine being CHF 5 million.” Gunvor’s CHF 4 million fine, in the OAG’s view, “takes account in particular of efforts it has made since 2012 to improve the way it is organised and to prevent corruption by implementing measures based on recognised standards.”

In addition to the fine, the OAG ordered Gunvor to pay compensation of nearly CHF 90 million. That amount, according to the OAG, “corresponds to the total profit that Gunvor made from the business in question in the Republic of Congo and Ivory Coast. Under Art. 71 para. 1 SCC, compensation is payable if there are no assets directly available for forfeiture.”

The OAG stated that other individuals, including a former Gunvor employee “and certain financial intermediaries, are currently under investigation, notably on suspicion of bribing foreign public officials (Art. 322septies SCC), money laundering (Art. 305bis SCC) and criminal mismanagement (Art. 158 SCC).” It declined to comment further on the ongoing criminal investigations.

N.B.: This order and payment provide still more indications that law enforcement and regulatory authorities in multiple countries, such as Brazil and the United States, are paying increasing attention to compliance issues in the commodities sector. Since the timeframe of the acts that prompted the fine and compensation, Gunvor has developed and implemented a compliance and ethics program that appears to address all of the compliance failures that the OAG identified. Even so, chief compliance officers, in the commodities sector and other industries, should still review the OAG findings and use them as a point of comparison to check that their own anti-bribery and corruption compliance programs are not deficient in any of those respects.

Cybersecurity Company Cure53 Issues Report on Surveillance Capacities of Chinese “Study the Great Nation” App

On October 11, Cure53, a Germany-based cybersecurity firm, issued a report on a mobile application, called “Xuexi Qiangguo” (“Study the Great Nation”), that Chinese technology firm Alibaba reportedly developed for the Chinese government’s propaganda department. Since its release in February 2019, The Times reported, the app “has been downloaded more than 100 million times and has been pushed aggressively by the Chinese government.” As Cure53 noted, various sources indicate that the app “is getting heavily promoted by various powerful stakeholders, such as Chinese state media, universities, schools and similar parties.”

On its face, the app appears to be an educational app that “pushes out official news and images and encourages people to earn points by reading articles, commenting on them and playing quizzes about China and its leader, Xi Jinping.” Use of the app, however, “is mandatory among party officials and civil servants and it is tied to wages in some workplaces.” In addition, as of October 2019, Chinese journalists “must pass a test on the life of President Xi, delivered via the app, in order to obtain a press card which enables them to do their jobs.”

The 18-page report, which Cure53 prepared at the behest of the Open Technology Fund, focused on whether the app “contained unadvertised features which could be seen as aiding the maintainers of the app in data collection,” and by extension, whether the app is collecting data “in a manner that violates human rights,” such as the European Convention on Human Rights (ECHR). In brief, the report included the following findings:

  • “The app stores multiple files insecurely in the SD card, from which other apps can read them.”
  • “The app contains code resembling a backdoor which is able to run arbitrary commands with superuser privileges,” although “further investigation is required to unequivocally determine whether this code is used to perform malicious activities such as running arbitrary commands on the phones of citizens.” In addition, “[w]ithout context, it seems difficult to justify why an educational app requires code that looks like a backdoor,” especially if that backdoor “could potentially run arbitrary commands on citizen phones with superuser privileges.”
  • The app tries to find specific running applications for 960 other popular apps that include games, navigation, travel and trips, credit cards, and payments.
  • The app “avails of significant, privacy-sensitive permissions and functionality, such as location, face recognition, microphone and camera access, call log and contact processing,” and in fact requires sharing many of these features. Yet “the broader context of the evaluated coding practices remains unknown due to extensive obfuscation measures in the affected [coding] classes,” which the report attributes to Alibaba as the official maintainer of the app.

The report concluded that it is

evident and undeniable that the examined application is capable of collecting and managing vast amounts of very specific data. It is certain that the gathered material can become a basis for further actions concerning a specific group (or groups) of citizens. Although some of the collection of meta-data and device information could be legitimized as being aggregated for statistical reasons or software improvement, it is questionable if this is necessary for an app that claims to be educational in nature.

It also concluded that “[i]n a broader sense, the application’s functionality leads Cure53 to believe that violations of human rights are indeed taking place.” At the same time, it cautioned that Cure53 “operated as a purely technically-driven team and an unbiased investigating entity,” and therefore “is not a party in any way involved in making final judgements as to whether human rights violations take place from legal, social or political standpoints.”

N.B.: Cybersecurity and compliance teams at companies doing business in China should read this report closely, with a view to identifying potential cyber-vulnerabilities if their companies allow employees in China to use their personal mobile devices for business under a “Bring Your Own Device” (BYOD) policy. As the Cure53 report indicates, the capacity of the app to access and collect such vast amounts of information raises substantial questions about the interest of Chinese police and security authorities in also accessing business and proprietary data. Cybersecurity and compliance officers may therefore need to pursue appropriate revisions in their BYOD policies.