U.S. Assistant Attorney General Brian Benczkowski Delivers Remarks on Achieving Effective Corporate Compliance: Part II – Memorandum on Monitor Selection

On October 12, the Assistant Attorney General for the Criminal Division at the United States Department of Justice, Brian A. Benczkowski, delivered remarks that addressed two significant aspects of corporate compliance: improving the compliance expertise of Criminal Division prosecutors; and the Department’s approach to corporate monitors.  This post will review his remarks on the latter topic, as well as the October 11 policy memorandum that he issued to provide guidance on corporate monitorships.

Benczkowski stated that he knew, from personal experience,

that the issue of whether a monitor will be required is one of the most significant aspects of any corporate resolution.   When the Criminal Division decides to impose a monitor, I believe we have an obligation to ensure that we have done so for the right reasons.  We also have a continuing obligation to interact with the monitor and address any problems that may arise during the course of the monitorship.

While Criminal Division attorneys “have performed quite admirably in this area,” he said, “there is always room for improvement in our policies and procedures to ensure we are acting responsibly when we impose this significant, but often times necessary burden on a corporation.”  After reviewing the Department’s monitorship policies and procedures, he issued a new policy memorandum titled “Selection of Monitors in Criminal Division Matters” (hereafter “Benczkowski Memorandum”).

The Benczkowski Memorandum states that it “supplements the guidance” provided by the March 7, 2008 Department memorandum by then-Acting Deputy Attorney General, Craig S. Morford, on selection and use of monitors (“Morford Memorandum”), and supersedes the June 24, 2009 memorandum by then-Assistant Attorney General Lanny A. Breuer on monitor selection (“Breuer Memorandum”).  It addressed seven topics relating to monitor selection:

  1. Principles for Determining Whether a Monitor is Needed in Individual Cases: The Morford Memorandum included three considerations concerning the need for and propriety of a monitor: (a) “[a] monitor should only be used where appropriate given the facts and circumstances of a particular matter”; (b) prosecutors should consider, when assessing the need and propriety of a monitor, “(1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation”; and (c) a monitor should never be imposed for punitive purposes.  The Benczkowski Memorandum elaborated on those considerations by addressing four issues:
    1. Weighing of Potential Benefits: It articulates four specific factors, “among others,” for prosecutors to consider in weighing the potential benefits:
      1. “whether the underlying misconduct involved the manipulation of corporate books and records or the exploitation of an inadequate compliance program or internal control systems;”
      2. “whether the misconduct at issue was pervasive across the business organization or approved or facilitated by senior management;”
      3. “whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal control systems;” and
      4. “whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.”
    2. Adequacy of Changes in Corporate Culture and/or Leadership: It states that
      1. “[w]here misconduct occurred under different corporate leadership or within a compliance environment that no longer exists within a company, Criminal Division attorneys should consider whether the changes in corporate culture and/or leadership are adequate to safeguard against a recurrence of misconduct. Criminal Division attorneys should also consider whether adequate remedial measures were taken to address problem behavior by employees, management, or third-party agents, including, where appropriate, the termination of business relationships and practices that contributed to the misconduct. In assessing the adequacy of a business organization’s remediation efforts and the effectiveness and resources of its compliance program, Criminal Division attorneys should consider the unique risks and compliance challenges the company faces, including the particular region(s) and industry in which the company operates and the nature of the company’s clientele.”
    3. Cost-Benefit Factors: It requires that “[i]n weighing the benefit of a contemplated monitorship against the potential costs, Criminal Division attorneys should consider not only the projected monetary costs to the business organization, but also whether the proposed scope of a monitor’s role is appropriately tailored to avoid unnecessary burdens to the business’s operations.”
    4. Cost-Benefit Standard: It provides that “[i]n general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens. Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.”
    5. Punitive Monitorship:  In addition, on the latter consideration listed above, Benczkowski stated in his speech that the new approach “began with the foundational principle that the imposition of a corporate monitor is never meant to be punitive. It should occur only as necessary to ensure compliance with the terms of a corporate resolution and to prevent future misconduct.”
  2. Approval, Consultation, and Concurrence Requirement for Monitorship Agreements: The Benczkowski Memorandum briefly states that before agreeing to a monitorship in any case, Criminal Division attorneys must first receive approval from their supervisors, including the concurrence of the Assistant Attorney General for the Criminal Division or his/her designee.
  3. Terms of Criminal Division Monitorship Agreements: The Benczkowski Memorandum states, at greater length than the Breuer Memorandum, the contents of any DPA or NPA agreement that would require a monitorship.
  4. Standing Committee: The Benczkowski Memorandum, in effect, recreates in modified form the Criminal Division Standing Committee on the Selection of Monitors that the Breuer Memorandum had created, and establishes procedures highly similar to those in the Breuer Memorandum for monitor selection and approval.
  5. Selection Process: These provisions in effect track similar provisions in the Breuer Memorandum.
  6. Retention of Records Regarding Monitor Selection: These provisions in effect track similar provisions in the Breuer Memorandum.
  7. Departure from Policy and Procedure: These provisions in effect track similar provisions in the Breuer Memorandum.

In his speech, Benczkowski also explained that while the Morford Memorandum applied only to DPAs and NPAs, the new memorandum “makes clear that the Criminal Division also will apply the same principles to court-approved plea agreements that impose a monitor.”

Note: To appreciate the significance of the Benczkowski Memorandum, it is important to understand the general nature and scope of the Morford Memorandum.  That Memorandum set forth nine principles, with associated comments, to guide prosecutors in drafting provisions pertaining to the use of monitors in connection with DPAs and NPAs with corporations.  Those principles dealt with the following topics: (1) monitor qualifications and selection; (2) independence of monitors; (3) the monitor’s responsibility; (4) scope of the monitor’s responsibilities; (5) periodic reporting by the monitor; (6) noncompliance with monitor recommendations; (7) required reporting of previously undisclosed or new misconduct; (8) duration of the agreement provisions on monitorship; and (9) opportunity for extension or early termination of monitorship provisions.  As Benczkowski’s speech indicates, the Benczkowski Memorandum continues to require adherence to those nine principles in any Criminal Division case in which monitorship is under consideration.

Where the Benczkowski Memorandum clearly breaks new ground is the specification of factors that Criminal Division prosecutors are to apply in weighing the benefits and costs of monitorship, as well as the cost-benefit test to be applied to any and all corporate monitorships in Criminal Division cases.  The Morford Memorandum, as mentioned above, broadly required prosecutors to weigh the benefits and costs of monitorships.  The Benczkowski Memorandum substantially expands on that general cost-benefit requirement.  It not only specifies the cost-benefit factors that prosecutors will be required to address, but states a general rule – i.e., a “demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens” – that indicates that the Criminal Division will favor a monitorship if and only if its projected benefits more than outweigh the projected costs.  Neither the Benczkowski Memorandum nor Benczkowski’s speech addresses by how much benefits must outweigh costs, but it is safe to assume that the Criminal Division’s approach going forward will be to require more than a 51-49 balance of benefits and costs.

The Department likely considers this new approach generally beneficial to both prosecutors and companies, by guiding and confining prosecutors’ discretion in deciding whether to require a corporate monitorship.  The cost-benefit test that the Benczkowski Memorandum lays down, however, requires further consideration by the Department, principally because its current language is imprecise on a critical issue on which both prosecutors and companies need precision: by how much must benefits outweigh costs?  If the Memorandum tacitly indicates that 51-49 will not suffice as a general rule, will 55-45, or 60-40?

Moreover, future efforts to apply the Benczkowski Memorandum’s cost-benefit analysis in actual cases may prove the concept of a highly detailed cost-benefit analysis to be chimerical.  There is no mathematical formula or methodology by which companies, any more than prosecutors, can use quantitative measures to establish the benefits of monitorship.  So long as prosecutors and regulators continue to use imprecise and subjective terms, such as a “culture of compliance” and “adequacy of a compliance program,” in setting enforceable expectations for corporate conduct, they will have little choice but to use qualitative and subjective criteria in identifying the projected benefits of monitorships.

That, however, may be the decisive factor in future Criminal Division corporate cases in which prosecutors believe a monitorship to be appropriate.  If companies present highly detailed cost projections to the Department, and prosecutors can articulate only qualitative benefits, it may prove to be virtually impossible to show a “clear benefit” from monitorship except in the most extreme cases.  That may not be a policy goal of the new approach, but it is an entirely plausible outcome.

Postscript:  In an October 30 podcast with Professor Mike Koehler, “the FCPA Professor,” I commented about the Benczkowski Memorandum and other recent Department of Justice compliance developments.  The podcast is available here.

United Kingdom Office for National Statistics Releases Latest Data on Cybercrime

On Halloween, it seems especially timely to focus on a risk topic that has been described as “frightening,” even “terrifying”: cybercrime statistics. On October 18, the United Kingdom Office for National Statistics (ONS) released the latest estimates from the Crime Survey for England and Wales (CSEW) on fraud and computer misuse, as well as referrals of potential offenses to the City of London Police’s National Fraud Intelligence Bureau (NFIB) by Action Fraud, the United Kingdom’s public-facing national fraud and cybercrime reporting center.

The ONS’s summary bulletin summarized the cybercrime data as follows:

  • “In the year ending June 2018, the CSEW estimated that offences involving computer misuse showed a 30% decrease from the previous year (down to 1.1 million offences . . . ). This decrease was largely owing to a fall in “computer viruses” (down 43% to 606,000 offences).
  • “Incidents involving ‘unauthorised access to personal information (including hacking)’ (515,000 offences) did not show a significant change from the previous year.”
  • “All ‘computer misuse crime’ referred to the NFIB by Action Fraud increased by 4% in the latest year (up to 21,947 offences). This rise was less pronounced than that seen in year ending June 2017, due in part to a notable decrease of 24% for the latest year in computer viruses (down to 6,260 offences).
  • “This fall in computer viruses is consistent with the latest CSEW fall in this type of crime. It follows a previous substantial rise where a high number of such offences were reported to Action Fraud in the first part of 2017.
  • “The overall rise in computer misuse recorded by Action Fraud was driven by an increase in ‘hacking – social media and email’ over the last year (up 42% to 8,834 offences). This is thought to reflect an increasing awareness of social media scams among the public, leading to a greater likelihood of incidents being reported.”

Because the CSEW computer-misuse survey questions date only from October 2015, the ONS cautioned that it has only two data points from which to draw conclusions.  It stated, however, that the CSEW “provides the best indication of the volume of computer misuse offences,” as Action Fraud data on computer misuse “represent only a small fraction of all computer misuse crime” since many incidents are not reported.

Note: The most substantial problem with this ONS cybercrime reporting is the ONS’s characterizations of those data.  While survey data – assuming the survey methodology is sound – can have value in measuring the incidences (and changes in those incidences) of behavior over time, users of such data must take care to refrain from inferring that survey responses necessarily reflect the actual incidences of behavior in the whole population under consideration.

In this case, the ONS stated, without qualification, its “estimate” that computer-misuse offenses – to be clear, not reports of such offenses, but the actual offenses – “showed a 30% decrease” from the prior reporting period.  Nothing in the CSEW’s explanation of its methodology explains the basis for the ONS’s “estimate” regarding the actual number of computer-misuse offenses.  For the other cybercrime categories, the ONS did not even characterize its statements as estimates of the incidence of those cybercrimes, but stated categorically that “unauthorized-access” offenses (as opposed to the survey-measured incidence of such offenses) “did not show a significant decrease” and referred to the “fall in computer viruses” (as opposed to the fall in computer-virus reports).  These categorical statements by the ONS immediately prompted some critical comments in computer-related media.

A second concern is the limited options for response to the CSEW’s cybercrime questions.  The current survey asks about only two categories of computer misuse: “Computer virus” and “Unauthorised access to personal information (including hacking).”  The problem is that these categories are not mutually exclusive.  Viruses are just one type of exploit that hackers have long used to obtain unauthorized access to computers and networks and to acquire personally identifying information.  Moreover, as indicated in a recent Computer Business Review article, survey respondents who lack sophisticated understanding of hacking and current exploits may not understand the differences between various cybercrime-related terms such as “hacking,” “exploit kits,” and viruses, and may not even know that their computers have been subject to cyberattacks and compromises.

A third concern is the limited population to which the CSEW cybercrime survey questions are directed.  The ONS, to its credit, acknowledges in its bulletin that “[w]hile questions on computer misuse in the CSEW provide fuller coverage of computer misuse crimes against the household population, they do not generally include offences committed against businesses and other organisations.”  Nonetheless, that is a significant gap in the survey’s coverage. A recent report by Malwarebytes, for example, found, according to TechTarget, that total business threat detections were trending upward by 55 percent, while consumer detections increased by only 4 percent quarter over quarter, and that attacks in the third quarter of 2018 “were targeting businesses in full force through exploit kits, ransomware and banking Trojans alike.”

The ONS deserves support for seeking to compile and disseminate national statistics on cybercrime trends.  It needs, however, to refine its methodology to capture more meaningful data about cyberattacks directed at businesses, to revise its questions to compile more data about distinct categories of cybercrime that a lay survey respondent can understand, and – above all – to characterize its survey and referral data accurately and refrain from inferring actual incidences of cybercrime from survey responses.  In the meantime, compliance and information-security officers should treat these ONS data with circumspection – though hardly with terror.

McAfee Report Highlights Significant Weaknesses in Cloud Security

On October 29, McAfee released its Cloud Adoption and Risk Report 2019.  Beginning with the fact that 83 percent of organizations worldwide store sensitive data in the cloud, the Report first discussed the major sources of cloud data risk:

  • Growth of Sensitive Data in the Cloud: Not only has the absolute number of files stored in the cloud “increased rapidly,” but “the percentage of files that contain sensitive data has also grown”: now at 21 percent, but with a dramatic increase of 17 percent over the last two years.
  • Growth of Confidential Data: “Confidential data” now constitutes the largest share of all sensitive data in the cloud, at percent – an increase of 28 percent over the last two years.
  • Growth of Email: 20 percent of all sensitive data in the cloud runs through email services such as Exchange Online in Office 365 – an increase of 59 percent in the past two years.
  • Decline of PII: Personally Identifiable Information (PII) has declined by 20 percent year over year.

The Report next focused on the role of Amazon Web Services (AWS), stating that AWS

has been not-so-quietly driving the transformation of server and data center infrastructure to cloud-based services, classified as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS – think serverless computing like AWS Lambda). Today, 65% of organizations around the world use some form of IaaS, 52% for PaaS.

With these important services, however, comes the risk of data theft.  The Report sets out several critical findings about the relationship between misconfiguration and data theft:

  • “[O]n average, enterprises using IaaS/PaaS have 14 misconfigured services running at any given time, resulting in an average of 2,269 misconfiguration incidents per month.”
  • The top AWS misconfigurations include: (1) Certain data encryption not being turned on; (2) Unrestricted outbound access; (3) Access to resources not being provisioned using Identity and Access Management roles; (4) Misconfiguration of the Amazon Elastic Compute Cloud (EC2) security group port; (5) Misconfiguration of EC2 security group inbound access; (6) Discovery of unencrypted Amazon Machine Images; (7) Discovery of unused security groups; (8) Disabling of Amazon Virtual Private Cloud flow logs; (9) failure to enable multi-factor authentication for IAM users; and (10) failure to turn on Amazon S3 object storage bucket encryption.
  • When organizations with which McAfee works “turn on Data Loss Prevention (DLP), they see an average of 1,527 DLP incidents in their IaaS/PaaS storage per month. That means they detected sensitive data that either shouldn’t be there, or that requires additional monitoring and security controls. All told, 27% of organizations using PaaS have experienced data theft from their cloud infrastructure.”

The Report also identified leading internal and external threats relating to cloud-stored corporate data:

  • “The average enterprise organization experiences 31.3 cloud-related security threats each month, a 27.7% increase over [the] same period last year.” These include threats arising from potentially compromised accounts, insider threats, and privileged user threats:
    • Compromised Accounts: “On average, organizations experience 12.2 incidents each month in which an unauthorized third-party exploits stolen account credentials to gain access to corporate data stored in a cloud service. These incidents affect 80.3% of organizations at least once a month. Additionally, 92% of companies have cloud credentials for sale on the Dark Web.”
    • Insider Threats: “Organizations experience an average of 14.8 insider threat incidents each month, and 94.3% of organizations experience at least one per month on average.”
    • Privileged User Threats: “Privileged user threats occur monthly at 58.2% of organizations, with organizations experiencing an average of 4.3 each month.”

The Report also identified several concerns relating to security controls for cloud service providers:

  • “[G]iven the prevalence of data breaches caused by stolen credentials, it is alarming to find that only 19.2% of cloud services support multi-factor authentication.”
  • “Due to the general lack of critical security controls across cloud services, employees will inevitably (and inadvertently) select risky cloud services to use.” The Report calculated that 173 of the 1,935 cloud services in use at the average organization (8.9 percent) rank as high risk services.

Finally, the Report summarized the results of a survey it conducted to find out how much respondents trusted their cloud providers to keep their organization’s data secure.  Even though cloud security is a shared responsibility and no cloud provider “delivers 100% security,” 69 percent of the respondents said “that they trusted the cloud providers to keep their data secure,” and 12 percent of respondents claimed that the service provider is solely responsible for securing their data.

Note: Each of the key findings summarized above should be the focus of a sustained discussion between compliance officers concerned with cybersecurity and their information security counterparts.  A number of the points of vulnerability, such as misconfigurations, can be addressed with relative ease.  Failure to establish suitable robust internal controls for cloud security, and failure to understand that companies must play a significant role in maintaining cloud security, are issues that require more sustained attention, and not just at CCO or CISO levels.  Corporate dependency on cloud services can only continue to increase in the next several years, which makes continued vigilance about cloud security all the more important.

UK, U.S. Courts Hand Down Sentences in Prosecutions of Former Afren, Julius Baer Executives

On October 29, two significant sentencings took place in the United Kingdom and the United States for former corporate executives with Afren and Julius Baer, respectively.  In the United Kingdom, the Southwark Criminal Court (Judge Michael Gledhill QC) sentenced Osman Shahenshah, former co-founder and Chief Executive Officer of Afren, to 6 years’ imprisonment to be served (16 years’ total imprisonment), as follows, according to the Serious Fraud Office:

  • “6 years jail for one count of fraud, contrary to section 1 of the Fraud Act 2006”;
  • “6 years concurrent for one count of money laundering, contrary to section 329 of the Proceeds of Crime Act 2002”; and
  • “4 years concurrent for one count of money laundering, contrary to section 328 of the Proceeds of Crime Act 2002.”

In sentencing Shahenshah, Judge Gledhill reportedly stated in part: “You believed that you were above the law, you believed that you were so clever that no one would ever discover your offending.”

Shahid Ullah, former Chief Operating Officer of Afren, was sentenced to a total of five years’ imprisonment to be served (ten years’ total imprisonment), as follows:

  • “5 years jail for one count of fraud, contrary to section 1 of the Fraud Act 2006”;
  • “5 years concurrent for one count of money laundering, contrary to section 329 of the Proceeds of Crime Act 2002”; and
  • “4 years concurrent for one count of money laundering, contrary to section 328 of the Proceeds of Crime Act 2002.”

Both men had been involved in making a secret side deal, undisclosed to their own board, with a Nigerian oil field partner of Afren that enabled them to divert $45 million from a $300 million payment to the partner.

In the United States, the United States District Court for the Southern District of Florida (Judge Cecilia M. Altonaga) sentenced Matthias Krull, a former managing director and vice chairman of the Swiss bank Julius Baer, to ten years’ imprisonment, a $50,000 fine, and a $600,000 forfeiture money judgment, on his guilty plea to conspiracy to commit money laundering.  Krull admitted his participation in a conspiracy to launder $1.2 billion worth of funds that were embezzled from the Venezuelan state-owned oil company Petróleos de Venezuela, S.A. (PDVSA).

Note:  If one ignores the SFO’s literally true but misleading headline that Shahenshah and Ullah were “sentenced to 30 years,” the two men’s sentences are respectable, if hardly draconian.  Under the revised Sentencing Council Guidelines for fraud, bribery, and money laundering that have been in effect since 2014, each Fraud Act section 1 offense has a maximum of 10 years’ custody and an offence range from discharge to eight years’ custody, while each section 328 or 329 Proceeds of Crime Act offense has a maximum of 14 years’ custody and an offence range from a Band B fine (the second lowest of the Sentencing Council’s fine categories) to 13 years’ custody.

Krull’s sentence, though substantially higher, bears watching, given his reported cooperation with U.S. investigators.  That cooperation could implicate a wider circle of participants in the conspiracy, including former PDVSA officials, professional third-party money launderers, and members of the Venezuelan elite that may include Venezuelan President Nicolas Maduro, his three stepsons, and Raul Gorrin, owner of the Venezuelan television network Globovision.

Under section 5K1.1 of the U.S. Sentencing Guidelines, a federal prosecutor may move, prior to sentencing, for a reduction of a convicted defendant’s sentence if the defendant “has provided substantial assistance in the investigation or prosecution of another person who has committed an offense.”  Because Krull was arrested on July 24 and pleaded guilty on August 22, he likely did not have enough time to earn a so-called “5K motion” if he has information on criminal involvement by high-ranking members of Venezuela’s economic and political elite.

Under Rule 35 of the Federal Rules of Criminal Procedure, however, a defendant who has been sentenced may still be eligible for a sentence reduction “if the defendant, after sentencing, provided substantial assistance in investigating or prosecuting another person.”  Although Rule 35 generally limits to one year the time within which the government would have to move for a sentence reduction, the Rule permits Rule 35 motions to be made more than one year after sentencing if, for example, the defendant’s substantial assistance involved “information provided by the defendant to the government within one year of sentencing, but which did not become useful to the government until more than one year after sentencing.”  Krull’s ten-year sentence would seem to provide ample motivation for him to cooperate fully with U.S. agents and prosecutors in the ongoing investigation.

London Jury Convicts Two Former Afren Oil Executives of Fraud and Money Laundering

On October 24, a jury in London’s Southwark Criminal Court, after a seven-week trial, convicted two former officials of the defunct oil and gas producer Afren Plc of fraud and money laundering charges stemming from their secret diversion of $45 million from a $300 million payment to Afren’s oil field partner in Nigeria.

Former Afren Chief Executive Officer (CEO) Osman Shahenshah and former Afren head of operations Shahid Ullah were each convicted on one count of fraud by abuse of position, contrary to sections 1 and 4 of the Fraud Act 2006, and two counts of money laundering, contrary to sections 328 and 329 of the Proceeds of Crime Act 2002.  Both men were acquitted on one count of fraud by abuse of position, contrary to sections 1 and 4 of the Fraud Act 2006, relating to a management buyout of another of Afren’s business partners.

At trial, which began September 3, the jury heard evidence that Shahenshah, who was being paid £6.6 million as CEO, and Ullah, who was being paid £3.8 million, were faced with possible reduction of their salaries in the wake of shareholder opposition.  The defendants then created a scheme to increase their compensation without disclosing that fact to the Afren Board.  According to the Serious Fraud Office (SFO), which prosecuted the case, both defendants

recommended that the Afren Board agree to a $300 [million] payment to Oriental Energy Resources Ltd, the company’s oil field partner in Nigeria. Unknown to the Afren board, Shahenshah and Ullah had struck a side deal with Oriental which led to 15% of the $300 [million] . . . then [being] paid out to a Caribbean shell company controlled by the defendants. The men then used the $45 [million] to purchase luxury properties in Mustique and the British Virgin Islands. A smaller portion of the $45 [million] laundered was split between Oriental employees and a close network of Afren staff dubbed ‘The A Team’.

After Afren fired Shahenshah and Ullah in 2014, an internal investigation by KPMG and the Willkie Farr & Gallagher law firm reportedly uncovered evidence of the secret deal.  In 2015, after “a combination of alleged corporate governance abuses and a slumping oil price” left it unable to service its substantial debts, Afren, which once had been valued at $2.6 billion and had ranked in the FTSE 250, collapsed.

The sentencing hearing in the case is scheduled for next Monday, October 29.

Note: The convictions are significant for two reasons.  First, the facts at trial demonstrate, for corporate boards and chief compliance officers, the importance of conducting enhanced due diligence in major corporate transactions, to guard against the kind of secret deals and diversion of corporate funds in which the defendants engaged.

Second, these convictions represent a significant trial victory for the SFO.  Although complex fraud and money laundering cases always pose challenges for even the most experienced prosecutors, the SFO has not always fared well in some of its more prominent cases at trial.   A victory of this type should bolster the SFO’s credibility in dealing with defense attorneys in future investigations.