Australian Royal Commission on Banking Misconduct’s Interim Report Is Tabled in Parliament

On September 28, the Interim Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Commission) was tabled in the Australian Parliament.  The Letters Patent that the Australian Governor-General issued provided the Commission, which was established in December 2017, with terms of reference that included ten primary responsibilities:

  • “[w]hether any conduct by financial services entities (including by directors, officers or employees of, or by anyone acting on behalf of, those entities) might have amounted to misconduct and, if so, whether the question of criminal or other legal proceedings should be referred to the relevant Commonwealth, State or Territory agency;”
  • “[w]hether any conduct, practices, behaviour or business activities by financial services entities fall below community standards and expectations;”
  • “[w]hether the use by financial services entities of superannuation members’ retirement savings, for any purpose, does not meet community standards and expectations or is otherwise not in the best interests of those members;”
  • “[w]hether any findings in respect of the matters mentioned in paragraphs (a), (b) and (c):
    • “(i) are attributable to the particular culture and governance practices of a financial services entity or broader cultural or governance practices in the relevant industry or relevant subsector; or
    • “(ii) result from other practices, including risk management, recruitment and remuneration practices, of a financial services entity, or in the relevant industry or relevant subsector;”
  • “the effectiveness of mechanisms for redress for consumers of financial services who suffer detriment as a result of misconduct by financial services entities;”
  • “the adequacy of:
    • “(i) existing laws and policies of the Commonwealth (taking into account law reforms announced by the Commonwealth Government) relating to the provision of banking, superannuation and financial services; and
    • (ii) the internal systems of financial services entities; and
    • (iii) forms of industry self-regulation, including industry codes of conduct;

“to identify, regulate and address misconduct in the relevant industry, to meet community standards and expectations and to provide appropriate redress to consumers;”

  • “the effectiveness and ability of regulators of financial services entities to identify and address misconduct by those entities;”
  • “whether any further changes to any of the following are necessary to minimise the likelihood of misconduct by financial services entities in future (taking into account any law reforms announced by the Commonwealth Government):
    • the legal framework;
    • practices within financial services entities;
    • the financial regulators;”
  • “any matter that has occurred or is occurring overseas, to the extent the matter is relevant to a matter mentioned in paragraphs (a) to (h);” and
  • “any matter reasonably incidental to a matter mentioned in paragraphs (a) to (i).”

The Letters Patent also directed the Commission “to have regard to the implications of any changes to laws, that you propose to recommend, for the economy generally, for access to and the cost of financial services for consumers, for competition in the financial sector and for financial system stability,” and authorized it “to have regard to comparable international experience, practices and reforms.”

In view of the breadth of the terms of reference, it is not surprising that the Interim Report is a voluminous 347 pages.  The Commission summarized the Interim Report in exceedingly cursory terms:

  • Overview: So far, the Commission’s work “has shown conduct by financial services entities that has brought public attention and condemnation. Some conduct was already known to regulators and the public generally; some was not.”
  • Why Did It Happen?: Too often, selling “became the sole focus of attention” for banks and all financial services entities, and “[f]rom the executive suite to the front line, staff were measured and rewarded by reference to profit and sales.”  Moreover, “[w]hen misconduct was revealed, it either went unpunished or the consequences did not meet the seriousness of what had been done. The conduct regulator, ASIC, rarely went to court to seek public denunciation of and punishment for misconduct. The prudential regulator, APRA, never went to court.”
  • What Can Be Done to Prevent Recurrence of the Conduct?: The Commission noted that “entities and regulators have increasingly sought to anticipate what will come out, or respond to what has been revealed, with a range of announcements,” and that “[t]here have been changes in industry structure and industry remuneration.” It also posed a series of questions about possible legal changes:
    • “Should the existing law be administered or enforced differently? Is different enforcement what is needed to have entities apply basic standards of fairness and honesty: by obeying the law; not misleading or deceiving; acting fairly; providing services that are fit for purpose; delivering services with reasonable care and skill; and, when acting for another, acting in the best interests of that other? The basic ideas are very simple. Should the law be simplified to reflect those ideas better?”

The full text of the Interim Report, however, contains extensive details about the magnitude and prevalence of misconduct in Australian financial services.  They include information about (1) conduct that five leading Australian financial institutions – AMP, ANZ, Commonwealth Bank (CBA), National Australia Bank (NAB), and Westpac – acknowledged with regard to consumer lending, financial advice, small and medium enterprises, agricultural lending, and remote communities, and (2) regulation and the regulators, with specific reference to the Australian Securities & Investments Commission (ASIC).  With regard to each of those topics, the Interim Report also sets out a series of questions for further consideration.

Note: Although the Letters Patent generally referred to conditions in the banking industry in anodyne terms, what prompted the Commission’s creation was “a decade of scandals that have rocked the [banking and financial] sector,” including leading Australian institutions, as well as more than AU$1 billion in penalties and compensation that Australian banks have paid since the 2008 financial crisis.  As highly profitable banks in Australia have become deeply unpopular, the Commission’s ultimate findings and recommendations may play a vital role in setting the industry on a path, however uncomfortable it may be, to reform and recovery of public trust.

The Commission’s Interim Report provides significant substantive content about reported misconduct regarding banking, superannuation, and financial services, without seeking to provide definitive answers and recommendations.  In general, that means that interested parties have ample time to provide additional information and recommendations to the Commission.  The Commission will be scheduling additional rounds of hearings as its work progresses, and its final report is scheduled to be presented to the Australian Governor-General on February 1, 2019.

Those interested in submitting public comments on the Interim Report, however, must do so no later than 5:00 pm (Melbourne time) on Friday, October 26.  Public submissions on policy issues relating to the insurance industry must be made by 12:00 noon (Melbourne time) on Thursday, October 25.

Basel Institute on Governance Releases 7th Annual Anti-Money Laundering Index

On October 9, the Basel Institute on Governance released the results of the seventh annual Basel Anti-Money Laundering Index.  The Index Report stated that the Index “focuses on anti-money laundering and countering the financing of terrorism (AML/CFT) frameworks, plus related factors that impact the risk of [money laundering and terrorist financing (ML/TF)], such as corruption, transparency and the rule of law.”  Key features of the Index include an overview of 129 countries, according to their respective risks of money laundering and terrorist financing; an interactive ranking that shows trends and changes in risk over time; a research-led, composite index based on public sources and third-party assessments; and an AML risk assessment tool “covering 203 countries for compliance purposes, policymaking and research (Expert Edition).”

Among the 129 countries in the Index, the 10 countries with the best (i.e., lowest) ML/TF risk scores were Finland (129/2.57), Estonia (128/2.73), Lithuania (127/3.12), New Zealand (126/3.20), Macedonia (125/3.33), Bulgaria (124/3.53), Slovenia (123/3.75), Sweden (122/3.75), Croatia (121/3.83), and Israel (120/3.84).  The 10 countries with the worst (i.e., highest) ML/TF risk scores were Tajikistan (1/8.30), Mozambique (2/8.28), Afghanistan (3/8.28), Laos (4/8.25), Guinea-Bissau (5/8.16), Myanmar (6/7.50), Cambodia (7/7.48), Kenya (8/7.42), Liberia (9/7.40), and Vietnam (10/7.37).  Among the G7 nations, France had the best risk score (113/4.12), followed by the United Kingdom (106/4.23), Germany (102/4.44), Canada (86/4.92), the United States (82/5.00), Italy (77/5.09), and Japan (75/5.11).  The BRIC nations (Brazil, Russia, India, and China) ranked as follows: Brazil (83/4.96), Russia (47/5.83), India (68/5.28), and China (40/6.02).

Overall, the Index Report was highly critical of countries’ commitment to AML:

Most countries are making little or no progress towards ending corruption and public transparency is showing signs of decline, with governments making less information available about how they manage public funds. Despite the recent surge in reporting on high-profile corruption and money laundering schemes, such as the Panama Papers, Odebrecht scandal and Global Laundromat investigation, indications are that global press freedom has declined to its lowest point in 13 years.  [Footnotes omitted]

The Report added that “[t]hese factors are known to impact negatively on the risk of ML/TF.”

The Report also included a discussion of seven key trends:

  1. Little measurable progress in countering money laundering: The Report stated that 64 percent of countries in the 2018 ranking (i.e., 83 of 129) “have a risk score of 5.0 or above and can be loosely classified as having a significant risk of money laundering and terrorist financing.”  Furthermore, 42 percent of countries “have worsened their risk scores between 2017 and 2018,” and nearly 37 percent of countries “now have a worse risk score than they did in 2012.”
  2. Effectiveness lags behind technical compliance: The Report stated that “[t]he overwhelming majority of countries assessed with the updated [Financial Action Task Force] methodology so far . . . have received dramatically lower scores for effectiveness than for technical compliance.”
  3. ML/TF is not a standalone risk: The Report noted that the Institute’s analysis over the last seven years “has consistently shown that countries with a high risk of ML/TF share some or all” of the following six features: (1) weak public institutions, political rights, and rule of law; (2) low levels of financial/political transparency; (3) restrictions on press freedom; (4) lack of resources to control the financial system; (5) predominantly cash-based economies; and (6) high levels of smuggling activity and illegal trafficking (in drugs, humans, wildlife products, etc.).
  4. No such thing as zero risk of money laundering: In the Index, no country was rated as having zero risk of ML/TF; in fact, the Index “shows an increase in the minimum risk score, from 1.78 in 2017 to 2.57 in 2018.”
  5. What can we learn from low-risk countries?: The Report stated that “the list of countries with the lowest assessed risk has not changed significantly in recent years,” and listed seven characteristics that low-risk countries typically share: (1) strong AML/CFT legislation, including on the freezing of terrorist funds; (2) “[c]ompetent authorities with the mandate and resources to investigate and prosecute ML/TF offences and issue sanctions for non-compliance”; (3) “[c]omprehensive measures for domestic and international cooperation”; (4) “[h]igh level of press freedom, with the media playing a central role in uncovering and reporting financial crime”; (5) “[f]inancial sector highly regulated with competent supervisory authorities and minimal, if any, cash-based transactions”; (6) “[h]igh levels of transparency and integrity in public institutions and businesses”; and (7) “[l]ow levels of corruption.”
  6. The two main reasons behind improvements in ML/TF risk ratings: The Report noted that significant changes in the 2018 risk ratings were primarily affected by two factors: (1) countries obtaining better Financial Secrecy Index ratings due to methodology changes; and (2) exclusion of countries from the Jurisdictions of Primary Concern list in the annual U.S. Department of State’s International Narcotics Control Strategy Report.
  7. Which countries have significantly worsened their scores and why: The Report stated that “Iceland, Denmark and Slovenia recorded a significantly higher risk rating in 2018 due to having been assessed using the new FATF evaluation methodology, which measures not only technical compliance but importantly emphasises effectiveness . . . .”

Note: The one Index result that appears truly anomalous at first glance, in light of recent events, is Estonia’s second-best ML/TF risk rating.  Now that the Danske Bank investigation has brought to light the potential trillion-dollar scale of money laundering through Estonia over eight years, the Institute may need to examine its methodology and data on Estonia with care when it prepares the next edition of the Index.

Companies or firms wishing to analyze the Index results in greater detail should note that the Index can be filtered by region and Gross Domestic Product.  In addition, the Institute offers a subscription-based Expert Edition of the Index that covers 203 countries.  The Institute describes the Expert Edition as “a more comprehensive and customisable country risk assessment tool. It is used worldwide by financial institutions, researchers, policymakers, compliance officers and other stakeholders to fulfil their regulatory and compliance requirements.”

The GRU Indictment: Compliance and Information-Security Takeaways

On October 4, the U.S. Department of Justice announced that a federal grand jury in the Western District of Pennsylvania indicted seven defendants — all officers in the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Russian Federation’s Armed Forces — for computer hacking, wire fraud, aggravated identity theft, and money laundering.  The Department stated that according to the October 3 indictment, “beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.”

The goals of the conspiracy included publicizing stolen information “as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs.”  The GRU officers allegedly unlawfully obtained the information to be exploited in several ways.  First, three of the indicted GRU officers and unindicted coconspirators, “often using fictitious personas and proxy servers, researched victims, sent spearphishing emails, and compiled, used, and monitored malware command and control servers.”  Second,

[w]hen the conspirators’ remote hacking efforts failed to capture log-in credentials, or if the accounts that were successfully compromised did not have the necessary access privileges for the sought-after information, teams of GRU technical intelligence officers, including [four of the defendants], traveled to locations around the world where targets were physically located.  Using specialized equipment, and with the remote support of conspirators in Russia, including [one of the defendants], these close access teams hacked computer networks used by victim organizations or their personnel through Wi-Fi connections, including hotel Wi-Fi networks.  After a successful hacking operation, the close access team transferred such access to conspirators in Russia for exploitation.

While the indictment indicates that the primary focus of the hacking and disinformation campaigns was to undermine anti-doping efforts in the aftermath of the ban of Russian athletes from the 2016 Olympic and Paralympic Games, members of the GRU team also conducted other operations apparently unrelated to the anti-doping disinformation campaign.  These included reconnaissance of Westinghouse Electric Company’s networks and personnel, and operations evidently prompted by the March 2018 poisoning of Sergei V. Skripal, a former Russian double agent who cooperated with British intelligence, and his daughter Yulia Skripal.

Those latter operations allegedly included four of the defendants traveling on diplomatic passports to The Hague in April 2018, to further “another close access operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) computer networks through Wi-Fi connections.”  Their intention thereafter was to travel to Spiez, Switzerland, to target the Spiez Swiss Chemical Laboratory.  That facility is an accredited OPCW laboratory that was analyzing military chemical agents, including the Novichok chemical agent that the United Kingdom authorities connected to the Skripals’ poisoning.  Timely intervention by the Dutch Militaire Inlichtingen- en Veiligheidsdienst (MIVD) (Defense Intelligence & Security Service) disrupted the GRU team’s efforts to hack OPCW WiFi connections, and resulted in the four team members’ being “escorted” out of the Netherlands.

Note: Even though the indictment’s principal focus is the Russian targeting of anti-doping organizations and individuals, there are a number of more general takeaways from this case that corporate compliance and information-security teams can incorporate into training courses and presentations to senior executives:

  1. Foreign-government intelligence operations can and do target corporate entities for hacking and extraction of corporate data. To illustrate this point, training materials can include information from the MIVD’s public presentation about its disruption of the GRU team, such as photographs of and by the GRU team and of the hacking equipment that the MIVD found in the GRU team’s rental car.
  2. Simple and well-known hacking techniques continue to be used successfully to obtain unauthorized access to corporate networks and computers. The GRU case contains multiple examples of corporate employees failing to take basic computer-security precautions, such as refraining from using insecure hotel WiFi networks or opening spearphishing emails.
  3. The threat of “remote” access to corporate networks includes close access. The MIVD presentation also documents that the GRU team’s rental car, which contained equipment for hacking WiFi connections, was parked in a hotel parking lot within yards of the OPCW complex.
  4. Information-security defense activities can benefit from open-source data. Shortly after the October 4 announcements by U.S., British, and Dutch authorities, two news organizations, Bellingcat and The Insider, reportedly used open-source databases to check the names of the GRU team defendants and identified 305 other potential GRU agents. Few information-security programs are likely to have the same amount and quality of detail about hackers’ identities and physical appearances as this case had, but review of open-source data as appropriate should always be an element of such programs.

U.S. authorities are unlikely to apprehend or try any of the defendants in this case.  The parallel and independent investigation by the Royal Canadian Mounted Police, however, may yield additional information about GRU hacking methods and techniques from which information-security and compliance teams can benefit.

Dutch Government Proposes European Union-Wide Human Rights Sanctions Regime

On October 5, EU Observer reported that the Netherlands has invited European Union (EU) diplomats “to discuss the creation of a new sanctions regime against human rights abusers worldwide.”  The Dutch Foreign Ministry reportedly floated the idea with other EU Member States in July, and an informal Dutch paper has been circulated that proposes that “[t]argeted human rights sanctions could be used against individuals acting in or misusing their official capacity and individuals belonging to non-state actors.”

The Dutch government has now scheduled a conference in The Hague for November 20 to discuss the proposal.   It invited each of the other EU Member States “to send two senior diplomats, one dealing with sanctions policy and one with human rights.”  Other invitees include the United States, Canada, Australia, and Japan, as well as an unnamed non-governmental organization and an unnamed legal scholar. The discussions, according to the Dutch invitation note, will focus on topics such as what value a human rights sanctions regime would add, which human rights violations should qualify for sanctions, and “listing/de-listing and due process.”

According to a Dutch diplomat who commented to EU Observer, these talks are meant to see whether there is enough support for the Netherlands to initiate formal EU proceedings.  The diplomat acknowledged that they expected concerns to be raised, but stated, “‘We really want this to fly … we hope to have the measures in place in fewer than 12 months’ time. Ideally, before the European Parliament elections [in May 2019]’.”

Note: EU Observer reported that the concept underlying the Dutch proposal is that of the Magnitsky Act, which authorized U.S. officials to seize assets and ban the entry into the United States of Russians who were believed to have been involved in the death of Russian lawyer and whistleblower Sergei Magnitsky.  Subsequently, the United Kingdom, Canada, Estonia, Latvia, and Lithuania all used the term “Magnitsky” in adopting similar legislation.  Perhaps because Russian President Vladimir Putin and his inner circle reportedly have been so furious about the U.S. Magnitsky Act, which has since been expanded to global scope, the Dutch proposal mentioned Congo and Myanmar, but not Russia, as examples of regimes reflecting serious human rights abuses.

Sanctions observers should monitor reports on the upcoming Hague conference closely to gauge the level of traction that the proposal receives.  To date, according to EU Observer, the United Kingdom, Estonia, Latvia, and Lithuania are supportive (especially the United Kingdom), and France, Germany, and Italy have raised no objections, but “some Mediterranean states and the EU foreign service have proved reluctant.”  And Russia may well flex its economic and political muscle vigorously even before the conference, in an effort to head off an EU-wide Magnitsky regime.  Even so, support for such a regime has been building in other quarters within the EU, so the true test will be whether the Netherlands can enlist enough allies to move the proposal to formal status on the timetable the Dutch are envisioning.

International Court of Justice Orders United States to Lift Certain Sanctions Against Iran

On October 3, the International Court of Justice (ICJ) issued an order that directed the United States to remove any impediments arising from certain portions of the sanctions that the United States imposed on Iran on May 8, 2018.  Those sanctions related to President Donald Trump’s decision “to cease the United States’ participation in the Joint Comprehensive Plan of Action (JCPOA) [regarding Iran’s nuclear program], and to begin re-imposing the U.S. nuclear-related sanctions that were lifted to effectuate the JCPOA sanctions relief, following a wind-down period.”

The litigation arose from Iran’s July 16, 2018 application to the ICJ to institute proceedings against the United States.  The application alleged that the United States, through the May 8 and announced further sanctions, had breached various Articles of the 1955 Treaty of Amity, Economic Relations, and Consular Rights between Iran and the United States (1955 Treaty).  It requested the ICJ to order the United States “to terminate the 8 May sanctions without delay” and “immediately [to] terminate its threats with respect to the announced further sanctions.”  It also requested provisional measures requiring that the United States (1) “immediately take all measures at its disposal to ensure the suspension of the implementation and enforcement of all of the 8 May sanctions, including the extraterritorial sanctions, and refrain from imposing or threatening announced further sanctions and measures which might aggravate or extend the dispute submitted to the Court;” and (2) “immediately allow the full implementation of transactions already licensed, generally or specifically, particularly for the sale or leasing of passenger aircraft, aircraft spare parts and equipment.”

The order first found that the ICJ had prima facie jurisdiction in the case because the dispute between the Parties relates to the interpretation or application of the 1955 Treaty.  It then reviewed Iran’s claims and concluded that

at the present stage of the proceedings, some of the rights asserted by Iran under the 1955 Treaty are plausible in so far as they relate to the importation and purchase of goods required for humanitarian needs, such as (i) medicines and medical devices; and (ii) foodstuffs and agricultural commodities; as well as goods and services required for the safety of civil aviation, such as (iii) spare parts, equipment and associated services (including warranty, maintenance, repair services and safety-related inspections) necessary for civil aircraft.

The order also found that “a link exists between some of the rights whose protection is being sought and certain aspects of the provisional measures being requested by Iran,” and that the ICJ would exercise certain provisional measures because there was a risk of irreparable consequences, pertaining to humanitarian and safety concerns, before the ICJ gives its final decision.

Accordingly, the ICJ unanimously directed three provisional measures:

  1. It directed the United States to remove any impediments arising from the May 8 sanctions to the free exportation to the territory of the Islamic Republic of Iran of three categories of goods and services: (1) medicines and medical devices; (2) foodstuffs and agricultural commodities; and (3) spare parts, equipment and associated services (including warranty, maintenance, repair services and inspections) necessary for the safety of civil aviation.
  2. It directed the United States to “ensure that licences and necessary authorizations are granted and that payments and other transfers of funds are not subject to any restriction” insofar as they relate to the three preceding categories of goods and services.
  3. It directed both Iran and the United States to “refrain from any action which might aggravate or extend the dispute before the Court or make it more difficult to resolve.”

In response, United States Secretary of State Mike Pompeo announced that the United States would terminate the 1955 Treaty.  He asserted that the ICJ had no jurisdiction to hear the matter and deemed the case “meritless.” The United States Ambassador to the Netherlands, Peter Hoekstra, seconded the Secretary’s remarks via Tweet.

Note:  As the ICJ has no power to enforce its order, its order in this case will do nothing to hamper the United States’ current and prospective imposition of Iranian sanctions.  Iran can be expected to continue to litigate the case in the ICJ for a final adjudication, which is expected to take years.  In the meantime, both sides can claim a measure of victory: Iran, for the symbolism of besting the United States in the ICJ; and the United States, for a ruling that left untouched the vast bulk of its current Iran sanctions.  Their responses yesterday, however, indicate that neither nation intends to comply with the last provisional measure, “refrain[ing] from any action which might aggravate or extend the dispute before the Court or make it more difficult to resolve.”