Dipping Through Geometries

On September 24, the U.S. Department of Justice announced that Igor Yurkovetsky pleaded guilty in the District of Minnesota to a criminal violation of the Sherman Act.  The information charged Yurkovetsky with participating in a conspiracy, from about July 2012 until as late as May 2018, to rig bids at online public auctions of surplus government equipment that the U.S. General Services Administration (GSA) held.

According to the Department, the GSA operates GSA Auctions, which conducts online auctions allowing the general public “the opportunity to bid electronically on a wide variety of federal assets, including computer equipment that is no longer needed by government agencies.”  Proceeds of GSA auction sales are distributed to the government agencies that made the equipment available for auction, or to the U.S. Treasury general fund.

The Department stated that “the primary purpose of the conspiracy was to suppress and eliminate competition,” and that “the co-conspirators obtained the equipment by agreeing which co-conspirators would submit bids for particular lots offered for sale by GSA Auctions and which co-conspirator would be designated to win a particular lot.”

Yurkovetsky, who reportedly agreed to cooperate in the ongoing investigation of this conspiracy, is the second person charged in that investigation. The Assistant Attorney General for the Justice Department’s Antitrust Division, Makan Delrahim, promised, “This charge will not be the last in this investigation.”

N.B.:  Although more facts about the alleged bid-rigging conspiracy are likely to emerge as the Antitrust Division continues its investigation, antitrust-compliance and legal officers in companies that conduct auctions as part of their operations should bring this plea to the attention of senior executives.  Business executives need to recognize that bid-rigging is a core criminal violation that the Antitrust Division has long made an enforcement priority, and that the Sherman Act’s prohibitions apply whether the auctions in question are brick-and-mortar or virtual and government or private.

On September 30, the Independent Broad-based Anti-corruption Commission (IBAC), a commission charged with investigating public corruption and police misconduct in the State of Victoria (Australia), issued a special report on corruption risks associated with local government procurement (Report).  The Report presented findings from two of its investigations into alleged corruption in the local government sector: Operation Dorset, which focused on an unnamed former project manager in the capital works department of the Darebin City Council; and Operation Royston, which focused on Lukas Carey, who was a manager responsible for sports and recreation for the City of Ballarat Council.

In Operation Dorset, IBAC reported that the project manager had received cash, gifts, and other benefits from an unnamed “Company A,” which received more than AU$16 million in city contracts.  That investigation also identified a number of other conflicts of interest, including (1) the manager’s failure to declare his prior association with a number of contractors (“Companies A and B”); (2) the manager’s having a  controlling and financial interest in “Company C”; and (3) the manager’s “direc[t] and inappropriate[e] involve[ment] in amending invoices submitted by Company A and Company B.”

In Operation Royston, IBAC found that IBAC found that Carey “was instrumental in setting up Company D (which was solely owned and operated by his wife) and engaging the company on behalf of council.”  His actions

played a critical role in his family obtaining a financial advantage ($55,885 in contracts awarded to Company D between June and October 2015). This advantage was obtained in circumstances where Mr Carey dishonestly represented parts of his own university thesis as work performed by Company D. Mr Carey was also actively involved in engaging three associates on behalf of council. Again he played a critical role in those companies obtaining a financial advantage ($128,238 in contracts between 2013 and 2015) in exchange for which he solicited and received secret commissions totalling $47,745.

That investigation also found various conflicts of interest including (1) Carey’s failure “to declare his familial connection with Company D and associations with Companies E, F and G”; (2) Carey’s “direc[t] and inappropriate[e] involve[ment] in the management of Company D, including its purported work for the council and submitting invoices for payment by council”; and (3) Carey’s failure “to comply with the [Ballarat] council’s policies in areas including procurement, declaration of conflicts of interest and information management.”  In both cases, IBAC found that the city councils had failed to provide adequate oversight of senior employees, which resulted in missed opportunities to detect and correct the managers’ conduct.

The Report also identified various key corruption risks and opportunities.  These included the need for competitive processes for sourcing suppliers; the need for “clear policies and rigorous [conflict of interest] processes that are actively monitored and tested”; the importance of adequate internal controls; segregation of duties and rotation of employees involved with procurement; robust information-management processes; ongoing monitoring of expenditures; random internal checks and an internal audit program; and the risks of allowing employees great autonomy without meaningful supervision and oversight.

On the latter issue, one of the supervisors of the Darebin manager said:

I thought [he] was doing a great job, he was very efficient and knowledgeable so I continued the current system where he had [a] lot of freedom to just get things done quickly. He got twice as many projects done as other people.

The Report stated that as a result of the IBAC investigation,

• Carey pleaded guilty to obtaining financial advantage by deception, attempting to commit an indictable offence, and soliciting secret commissions, and was sentenced to three years’ imprisonment and ordered to repay AU$31,200 to the City of Ballarat Council;
• Carey’s wife, the sole director of Company D, pleaded guilty to obtaining a financial advantage by deception and attempting to commit an indictable offence, and was fined AU$3,000 and ordered to repay $20,500 to the council;
• The sole director of Company E pleaded guilty to charges of paying secret commissions, and was fined AU$15,000 without conviction;
• The sole director of Company F pleaded guilty to charges of paying secret commissions, and was fined AU$8,000 and sentenced to 200 hours of community work without conviction.

The Report recommended “that all Victorian councils consider their procurement policies, systems and practices to identify how they can strengthen their resistance to corruption.”  It also found “merit in local government suppliers being subject to a code of conduct.”  Such a code of conduct, as IBAC put it, “could explicitly outline the standards expected of suppliers, including in relation to reporting suspected misconduct or corrupt conduct on the part of council employees and other suppliers.”

N.B.: This report demonstrates the need for state and local governments to have strong and consistent oversight and internal controls for their procurement activities, as well as clear codes of conduct for all government employees.  While national governments and global companies often attract far more public attention when fraud or corruption affect their procurement activities, states and cities often have substantial procurement budgets comparable to those of some smaller nations and companies.  As the IBAC Report noted about Victoria,

Victorian councils play a pivotal role in providing and maintaining a wide range of services, programs and infrastructure for their communities. With responsibility for the management of community infrastructure worth approximately $90 billion and delivery of more than $7 billion in critical public services every year, councils spend between 45 per cent and 60 per cent of their annual budgets on procurement.

On September 29, an auction in Cheserex, Switzerland sold 25 “supercars” that had been confiscated from Equatorial Guinea Vice President Teodorin Obiang.  The origin of this auction was a criminal investigation that the Geneva Public Prosecutor’s Office had opened in October 2016 against Obiang and two others for money laundering and unfaithful management of public interests.  In the fall of 2016, Swiss authorities seized 25 exotic cars belonging to Obiang that were located in Switzerland, and in December 2016, Dutch authorities, at Swiss authorities’ request, seized a yacht belonging to Obiang.

In February 2019, the Geneva Public Prosecutor announced that the 25 vehicles would be confiscated and sold and the net proceeds would be dedicated to a program of a social character to be conducted in Equatorial Guinea for the benefit of its people, on the basis of an agreement to be negotiated by the Swiss Federal Department of Foreign Affairs.  In addition, the seizure of Obiang’s yacht was lifted and the Equatorial Guinea government agreed to pay the State of Geneva CHF 1.3 million for “procedural costs” associated with the investigation.

The auction reportedly included a “rare and remarkable” 2014 Lamborghini Veneno, which was sold for $8.3 million (a world record-setting price for a Lamborghini sold at auction); an Aston Martin One-77 Coupe, which was sold for $1.5 million; and other exotic cars that included Ferraris, Bentleys, and Rolls Royces.  In total, the sales generated approximately $27 million or CHF 26 million.

Note: Now that the auction has taken place, the critical question remains whether the Swiss government can craft an agreement that will ensure that the auction proceeds are not diverted to the pockets of the ruling Obiang family.  The odds of doing so are vanishingly small, given the country’s low ranking in the Corruption Perceptions Index and President Teodoro Obiang’s unrelenting grip on power.

On September 18, global insurance broker Marsh and global technology company Microsoft jointly issued the 2019 Global Cyber Risk Perception Survey (Survey).  The Survey, which built on a related survey conducted in 2017, reflects responses from 1,500 business leaders, in all six inhabited regions of the world, in a variety of key functions that included risk management, information technology/information security, finance, legal/compliance, C-suite officers, and boards of directors.

The Survey’s results fall into six principal categories:

• Priority and Confidence. Over the past two years, even as cyber risk “became even more firmly entrenched as an organizational priority, . . .  organizations’ confidence in their ability to manage the risk declined.”  For example, 79 percent of respondents ranked cyber risk as a “top five” concern for their organizations – increase from 62 percent in 2017.  Yet firms’ confidence “declined in each of three critical areas of cyber resilience “.  In particular, those who responded that they had “no confidence” increased (1) from 9 percent to 18 percent for understanding and assessing cyber risks; (2) from 12 percent to 19 percent for preventing cyber threats; and (3) from 15 percent to 22 percent for responding to and recovering from cyber events.
• New Technology. In this category, 77 percent of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering.  Half (50 percent) responded that cyber risk “is almost never a barrier to the adoption of new technology,” but 23 percent (including many smaller firms) responded that “for most new technologies, the risk outweighs potential business benefits.”  Nearly three-fourths (74 percent) reported that they “evaluate technology risks prior to adoption,” but only 5 percent said that they “evaluate risk throughout the technology lifecycle, and 11 percent said that they do not perform any evaluation.
• Supply Chain. Although “[t]he increasing interdependence and digitization of supply chains brings increased cyber risk to all parties,” many firms apparently “perceive the risks as one-sided.”  Nearly two-fifths (39 percent) responded that the cyber risk that their supply chain partners and vendors posed to their organization was high or somewhat high., but only 16 percent responded the cyber risk that they themselves pose to their supply chain was high or somewhat high.
• Government Role. Respondents generally credited industry standards more than government regulation for having high effectiveness in helping to manage cyber risk.  Only 28 percent viewed government regulations or laws as being very effective in improving cybersecurity, while 37 percent viewed soft industry standards as being very effective in improving cybersecurity.  At the same time,  54 percent responded that they “are highly concerned about nation-state cyber-attacks,” and 55 percent said that “government needs to do more to protect organizations against nation-state cyber-attacks.”
• Cybersecurity Culture and Resilience. The Survey reported that “[m]any organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.”  The vast majority of respondents (88 percent) responded that information technology/information security (IT/InfoSec) “is one of the three main owners of cyber risk management” – the other two being executive leadership/ board (65 percent) and risk management (49 percent).  Only 17 percent of respondents said that they “spent more than a few days on cyber risk over the past year.  Nearly two-thirds (64 percent) said that a cyber-attack on their organization “would be the biggest driver of increased cyber risk spending.”   More respondents (30 percent) this year reported that their companies are using quantitative methods to express cyber risk exposures (an increase from 17 percent in 2017).  The vast majority (83 percent) also reported that their firms “have strengthened computer and system security over the past two years,” but fewer than 30 percent “have conducted management training or modelled cyber loss scenarios.”
• Cyber Insurance. As cyber insurance coverage “is expanding to meet evolving threats,” companies’ attitudes toward policies are reportedly also changing.  Nearly half of respondents (47 percent) replied that they have cyber insurance (an increase from 34 percent in 2017), and larger firms were more likely to have cyber insurance.  More than half (57 percent) of those with annual revenues above $1 billion reportedly had a cyber insurance policy, compared to 36 percent of companies with revenue under $100 million.  Respondents also indicated lessening uncertainty about whether available cyber insurance could meet their firms’ needs, as 31 percent reported such uncertainty (compared to 44 percent in 2017).  Finally, 89 percent of respondents in companies with cyber insurance “were highly confident or fairly confident their policies would cover the cost of a cyber event.”

Among other takeaways from the Survey, Joram Borenstein, General Manager of Microsoft Cybersecurity Solutions Group, identified five best practices

that the most cyber resilient firms employ and which all firms should consider adopting:

• Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
• Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
• Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
• Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
• Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

Note: Bernstein expressed optimism “that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.”  Another way of looking at the Survey results is to state that many companies around the world continue to lag in demonstrating that they have the cultural, as well as the technological, capacity to meet the constantly changing array of cyber risks.  Cybersecurity, legal, and compliance officers in every industry should read the Survey closely, compare the Survey results with the state of their companies’ own cybersecurity programs, and discuss with their senior leadership where their companies are doing well or poorly in contending with cyber risk.

Two recent reports over the past two weeks show the intensity of efforts by criminal to recruit young people, especially students, in Scotland and Ireland to serve as “money mules” by allowing their bank accounts to be used for money laundering.  First, on September 13, The Journal.ie reported that dozens of young women “have unwittingly been recruited by criminal gangs at [Irish] musical festivals to launder money through online applications as well as through their own bank accounts.”

The Gardaí (Irish Police) stated that students “are often targeted by the practice.” According to The Journal.ie, “Experts in the field believe that the recruiters use music festivals as a way to access bank accounts from vulnerable women, often times taking advantage of someone who is in an intoxicated state.”

Irish banks are reporting an average of 1,600 cases of money muling per year.  The Journal.ie cited sources who

explained how young teenage women are commonly targeted in person, while it is men who are usually recruited online.

Multiple sources have told TheJournal.ie that events such as Longitude in the Marlay Park, All Together Now and the Electric Picnic were infiltrated by a number of these criminals. Some of those attempting to recruit people have come from the UK, attempted to start a romantic relationship with the young women and then asked to use their accounts.

The Head of Fraud for the Banking and Payments Federation Ireland (BPFI), Niamh Davenport, told the Journal.ie that “[a] significant amount of the money which is moved through money mules in Ireland is done using a method called invoice redirect fraud.”  This form of fraud involves

criminals send[ing] emails to businesses purporting to be one of their legitimate suppliers. These emails contain an instruction to change the bank account details that the business has for a legitimate supplier, to bank account details that ultimately benefit the criminals. These requests can also come by way of letter or phone call so caution should attach to any request of this nature.

In late 2018, the Gardaí reportedly conducted a three-month operation in Ireland, with support from Europol, that identified 420 money mule accounts that had been used to launder €14.6 million over the previous two to three years, as well as five so-called “herders” operating in Ireland to recruit money mules.

Second, on September 19, The Times reported that “[t]he number of young Scots falling prey to money laundering has tripled in two years, amid concerns that thousands of students do not know how to protect themselves from fraud.”

According to data from the United Kingdom-based bank Barclays, “Three times as many young Scots fell prey to the schemes last year” as in 2016.  In addition, in 2018, police addressed 9,636 cases of money muling across the United Kingdom, and in April 2019 Police Scotland charged 29 people in a “money mule” operation.

The Barclays data also showed that

[m]ore than 70 per cent of Scottish students said they were unaware of the consequences of money muling, which can include a prison sentence and difficulties getting bank accounts or student loans. Almost 60 per cent would be tempted by a “too good to be true” job advert from an unknown company, and 45 per cent would be interested in an offer to make quick cash from home — all terms used to recruit mules.

Note: These reports indicate that Barclays, Facebook, and government authorities have been seeking to publicize the risks that young people may unwittingly assume by agreeing to serve as money mules – including the potential for prison time.  Even so, social-media companies and financial institutions operating in Europe clearly need to increase their educational efforts on this issue.

The problem is by no means limited to European nations, but the vast concentration of students in the United Kingdom and other parts of Western Europe represent a vast and tempting target for money-laundering operations.  The public and private sectors need to do more to collaborate in reducing that threat.