2016-08-24

By Brian Monroe
bmonroe@acfcs.org
August 24, 2016

In this week’s Financial Crime Wave, a large audit firm gets sued in the wake of a bank failure, putting more pressure on financial crime compliance consultancies; a Chinese bank sends customers an AML notice priming them to look for dirty money and to be accurate, timely and honest about how their accounts will be used; several experts note that while cyber attacks are surging, there is a lack of qualified systems and security officers to handle them; and more.

Auditor lawsuits

This piece highlights what could be a chilling trend for large audit firms and anti-money laundering consultancies: interested parties and investors suing the audit firm in the aftermath of a bank collapse, alleging that if the audit firm had found the purported fraud, it could potentially have prevented the resultant collapse. A Dubai-based investment group is suing the Middle Eastern arm of Deloitte and Touche after the accounting firm failed to flag more than $200 million in illicit funds that flowed through the now-defunct Lebanese Canadian Bank. Lebanese Canadian Bank paid over $100 million, or £76 million, in 2011 to settle claims brought by US authorities that it was involved in laundering drug money and funneling funds to Hezbollah and other militant organizations. Deloitte and Touche has been the bank’s main auditor since 1995 and remains its auditor in liquidation. LCB was shut down after an investigation by the US Federal Bureau of Investigation and Drug Enforcement Administration, and most of its assets were sold to Societe Generale. Nest Investments Holdings, along with 10 other minority shareholders, is preparing to bring a negligence lawsuit against the accounting firm and Middle East managing partner Joseph El Fadl at the Dubai International Financial Centre. The US Treasury said in a 2011 report that LCB bank accounts were used “extensively by persons associated with international drug trafficking and money laundering” as a result of “management complicity.” Nearly $230 million of illicit funds had passed through LCB’s accounts while Deloitte and Touche was in charge of reviewing the bank’s books. Separately, the global accounting firm PricewaterhouseCoopers is being sued for $5.5 billion (£4 billion) in a Florida court after failing to spot the fraud that led to the sixth-largest banking collapse in US history.
Trustees for the Taylor Bean & Whitaker Mortgage Corporation, which went bankrupt in 2009, accused PwC of negligence in its audits of the bank’s parent company, Colonial Bank. Top executives of TBW faked loan data for seven years starting in 2002, sending information on mortgages that either did not exist or had already been pledged to other investors to Colonial, the parent bank, (via Business Insider).

AML Compliance

The Bank of China, Hong Kong, has sent an anti-money laundering (AML) notice to an unknown number of customers to better sensitize them to financial crime compliance obligations and to prevent illicit funds from flowing through personal and business accounts. The “Notice of Raising Your Anti-Money Laundering Awareness” is a relatively rare example of a large, international financial institution pushing its regulatory obligations to detect and prevent financial crime down to its customers. The notice stated the bank was sending around these points to build awareness among customers and to “protect their interest.” The notice asks customers to do five things:

Provide Accurate Information

Such as account opening purposes, reasons, source of funds, expected transaction pattern and volume, etc

Promptly Update Personal Details

Please promptly update your personal details with BOCHK, e.g. address, phone number, email address, occupation and income, etc

To protect your interest, if you lost or replaced your identification document, please notify BOCHK as soon as possible

Don’t Use Personal Account for Business Purposes

Personal accounts should only be used for personal financial management and investments

Please open a business account if you need to manage transactions for businesses or registered societies (such as receiving donations)

Don’t Allow Unauthorized Persons to Use Your Account

This may expose yourself to the risk of money laundering through your account

Know Your Tax Obligations and Regulations on Remittances

Please know and comply with your tax obligations in all applicable jurisdictions

Some countries have restrictions on remittances. Please don’t break up your remittances to avoid these restrictions, (via the Bank of China).

Enforcement

A survey of 121 investment and commercial banks in Europe and North America by analytics firm SAS found 19% said they were fined by regulators in the past three years for failing to stop financial crime, with 22% of that group saying the penalty was $1 billion or more. The survey found 82% of firms have set up or are planning to create a financial crime intelligence unit (FCIU), with 98% saying an FCIU is a top corporate priority and 94% saying they plan to improve FCIU training. “A key reason a bank invests in personnel and technology for its FCIU is because the traditional approaches to combating financial crime are not working,” the survey report said. “The banking industry has earmarked billions of dollars to fund the continued rollout of cross-bank FCIUs,” (via the Wall Street Journal).

Taiwan’s financial regulator says it will investigate Mega Financial Holding Co. after New York state ordered its banking unit to pay a $180 million penalty and install an independent monitor for violating the state’s laws against money laundering. The Financial Supervisory Commission said in a statement that it was looking over records at the bank, and investigating possible violations. The commission said it also intends to strengthen money laundering controls. New York’s Department of Financial Services announced the fine for Mega International Commercial Bank last Friday. It ordered the bank to beef up compliance after finding its staff, unfamiliar with U.S. regulations, failed to conduct reviews meant to detect suspicious transactions. U.S. regulators expressed strong concern given that Mega International has branches in Panama, a “high-risk area” for money laundering, (via the Associated Press).

Cybersecurity

This analysis of a recent government order against a medical firm for lax security practices makes a very important point that is also relevant for financial institutions: “actual harm” in a data breach doesn’t need to be proven as a precursor to enforcement actions or penalties. While much of Washington, D.C. is enjoying the slow and hazy days of summer, the Federal Trade Commission (FTC) is staying busy solidifying its presence as the go-to authority for data security. This is also the second time a company has challenged the FTC’s cyber authority and lost; the first was a hotel chain. Most recently, on July 29, 2016, the FTC issued a unanimous Opinion and Final Order against LabMD, Inc., for its unreasonable data security practices, reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges. Between 2001 and 2014, LabMD collected and tested patient medical samples for physicians. The FTC’s decision found that from 2005 to 2010, LabMD failed to maintain basic security practices. Among other things, LabMD:

lacked file integrity monitoring and intrusion detection;

failed to monitor digital traffic;

failed to provide security training to its personnel;

lacked a strong password policy and allowed at least half a dozen employees to use the same, weak password, “labmd”;

failed to update its software to address known vulnerabilities;

granted employees administrative rights to their laptops, which allowed these employees to download any software they wanted;

allowed the downloading of peer-to-peer software (LimeWire), which enabled a file containing 1,718 pages of confidential information relating to approximately 9,300 customers to be downloaded through LimeWire; and

failed to respond to warnings about data vulnerability after being made aware of the issue with respect to LimeWire.

The case was heard by an ALJ, who issued a decision in November 2015 (the “ALJ Decision”). The ALJ Decision dismissed the complaint due to lack of evidence that LabMD’s data security practices either caused or were likely to cause substantial injury to its consumers. In its recent Opinion and Final Order, however, the FTC reversed the ALJ Decision and found that LabMD’s data security practices were unreasonable and caused, or were likely to cause, substantial injury to consumers. The FTC’s thirty-seven-page Opinion and Final Order details what the FTC found to be insufficient data security standards that left consumers at risk. In reaching its decision, the FTC repeatedly referenced the well-known data privacy and security standard in the Health Insurance Portability and Accountability Act (HIPAA). While the FTC used HIPAA to identify reasonable data security practices, its analysis of substantial injury is not limited to the health care industry. Indeed, the FTC has made it clear that any industry in possession of sensitive consumer data (such as names, addresses, dates of birth, Social Security numbers, and insurance information) will be required to maintain reasonable data security practices, and that enforcement actions may result even if there has been no identifiable harm to the subjects of such data, (via Lexology and McGuireWoods).

An analysis and related chart by a Standard Chartered analyst revealed several jarring realities about the state of cybersecurity, including that the number of cyberattacks is growing exponentially, particularly in the last two years, and that potential scenarios show damage from these incursions could be far worse than the already “devastating” successful attacks against high-profile hard and soft, government and private targets. These threats are already materializing, and their impact is growing in terms of financial cost, reputational damage and national security risks. The proliferation of platforms for internet delivery (computers, smartphones, tablets, and now the ‘Internet of Things’), combined with exponential user and traffic growth, compounds this impact. In just five years (2010-15), the number of malware viruses grew 560%, and almost one-third of all viruses ever recorded were produced in 2015. A large-scale cyberattack against either systemic financial infrastructure (e.g., SWIFT; a major clearing house; or two or three stock markets simultaneously) or critical military infrastructure has not yet happened, but is a tangible risk. Intelligence services have identified the escalating number of cyberattacks as a growing concern. Between 2014 and 2015, the number of web attacks per day increased 117%, and new mobile vulnerabilities rose 214%. There are growing fears of a strike to the heart of the financial system – where data protection deficiencies have already resulted in the theft of financial and credit card details and ‘phishing’ – or to a crucial weaponized military installation. While cyberattacks have receded as a topic of public debate, they remain a major risk. Most large corporates are deemed inadequately equipped to deal with a serious cyberattack. An estimated three-quarters of all legitimate websites have unpatched vulnerabilities, according to Symantec Corporation, (via Standard Chartered).

This report notes two disturbing convergent factors that could cause problems for banks, and companies the world over, in trying to bolster their cybersecurity programs: a critical and growing lack of qualified cyber officers occurring at the same time as cyber attacks are peaking in quantity, creativity and aggressiveness. By various estimates, there will be a global shortage of between four and six million security pros between now and 2020. The Peninsula Press project of the Stanford University Journalism Program determined that more than 209,000 cybersecurity jobs in the U.S. were unfilled, with vacancies up 74% over the past five years. A recent Enterprise Strategy Group survey found that 46% of organizations say they have a “problematic shortage” of cybersecurity skills. There are no magic wands to make this problem go away, but there are steps you can take to lessen the severity and plan for the future. While specialized technical skills are scarce and expensive, the most pervasive security problems require neither extensive training nor even much technical knowledge. Lackadaisical password practices are the number one security threat most organizations face. One study found that just 20 passwords make up more than 10% of all passwords in use. Another said up to 45% of people can be tricked by well-constructed phishing attacks, (via CSO Online).

Bangladesh’s central bank said it has reversed its plans to sue the Federal Reserve Bank of New York and the SWIFT money transfer network, and instead intends to seek their help recovering $81 million stolen by cyber thieves in February. “At the moment we have no plan to go for any legal action against the Fed bank or SWIFT; rather we will seek their assistance,” said Subhankar Saha, the spokesman for Bangladesh Bank. He declined to provide reasons for the turnabout. A source close to the Asian central bank last month said it was preparing litigation to seek compensation, claiming errors by the New York Fed and SWIFT had made Bangladesh Bank vulnerable. In the February heist, hackers issued false transfer orders on the SWIFT network to move funds out of Bangladesh Bank’s account at the Fed. Bangladesh’s finance minister had also said in March he was weighing legal action. The shift came as meetings were to begin in New York on Tuesday between officials from Bangladesh Bank, the New York Fed and SWIFT. It also comes after the New York Fed last week published its standard contract with correspondent banks, which spells out that the burden of preventing and reporting breaches lies largely with the correspondent bank, in this case Bangladesh Bank, (via Reuters).

This piece analyzes recent regulatory warnings on cyber risks tied to interbank messaging and payment networks, with a checklist of preparatory procedures to ward off attacks before they start or better identify current intrusions. On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81 million from the Bangladesh central bank. Consistent with federal banking agency regulations and FFIEC guidance, financial institutions should take the following steps to improve cybersecurity controls:

conduct ongoing information security risk assessments and ensure that third party service providers also perform effective risk management and implement cybersecurity controls;

perform security monitoring, prevention and risk mitigation by confirming protection and detection systems, such as intrusion detection systems and antivirus protection, are up-to-date and firewall rules are configured properly and reviewed periodically;

protect against unauthorized access by limiting the number of credentials with elevated privileges across the institution, especially administrator accounts, with the ability to assign elevated privileges to access critical systems;

implement and test controls around critical systems by adopting cybersecurity controls, such as access control, segregation of duties, audit, and fraud detection and monitoring systems;

manage business continuity risk by validating existing policies and procedures that support the bank’s ability to recover and maintain payment processing operations;

enhance information security awareness and training programs by conducting regular, mandatory education and employee training across the enterprise, including how to identify and prevent phishing attempts; and

participate in industry information-sharing forums including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Computer Emergency Readiness Team (US-CERT), (via Lexology and McGuireWoods).

Underground banks

This story highlights the battle between the Chinese government and the individuals, companies and criminals moving money out of the country by evading currency controls, critical details that could inform foreign correspondent ties to China. Chinese authorities said 450 suspects have been arrested this year in a crackdown on using offshore companies and “underground banks” to transfer money illegally, underscoring the scale of the task for officials trying to control capital flows. The cases involved almost 200 billion yuan ($30 billion) of transactions, the Ministry of Public Security said in a statement on its website Wednesday. In China, individuals sometimes use unofficial channels described as underground banks to bypass government restrictions on moving money across the nation’s borders. While the potentially destabilizing outflows of capital have slowed in 2016, weakness in the yuan could encourage another pickup, (via Bloomberg).

SARs

The National Crime Agency (NCA) has published its Annual Report on Suspicious Activity Reports (SARs) covering the period from October 2014 to September 2015 (the Period). The UK’s NCA is the enforcement agency tasked with gathering, processing, analysing and disseminating information relevant to financial crime in the UK. The Fraud Intelligence Unit (FIU) is a division of the NCA and is responsible for the receipt of SARs. Some key statistics:

The total sum restrained by law enforcement partners relating to consent requests in the Period was £43,079,328, showing a dramatic reduction from £141,517,652 during the previous year. The NCA states that the previous year’s figure was skewed by five large cases with a cumulative value of £119m. The total figure of assets denied to criminals as a result of consent requests (refused and granted) during the Period is £46,375,449.

The number of financial intelligence requests made by the UKFIU to international partners increased by 32.52% on the previous year, from 1,359 to 1,801.

A total of 269 ‘suspect based’ SARs were fast-tracked to police forces over the Period (SARs which law enforcement had requested early sight of relating to specific individuals).

The UKFIU disseminated 72 SARs relating to politically exposed persons during the Period.

The largest submitter of SARs was the banking sector, making up 83.39% of all SARs received. From the remainder, 4% came from building societies, 3% from money service businesses, 3% from other credit institutions, 1% from accountants & tax advisors and 1% from legal professionals, (via DLA Piper, through Lexology).

Tax evasion

In this story, the United Kingdom takes aim at large consultancies, rather than its historical target, banks, to crack down on tax evasion. Accountants, lawyers and consultants whose multibillion pound industry provides advice on how to aggressively avoid tax could face large financial penalties under government proposals. Plans set out in a consultation document released on Wednesday will suggest that tax advisers whose schemes are defeated in the courts might pay a fine of up to 100% of the money lost to the taxpayer. It follows prime minister Theresa May’s pledge last month to clamp down on corporate tax avoidance – widely seen as part of an appeal to working-class Britons struggling with their finances. Firms including PricewaterhouseCoopers, KPMG, Deloitte and Ernst & Young and a select band of tax lawyers have previously been accused by MPs on the public accounts committee (PAC) of helping major corporate clients to minimize tax by exploiting complex schemes. Thousands of wealthy individuals, meanwhile, were revealed to have avoided tax on their Swiss bank accounts through offshore companies marketed by HSBC and other European lenders. Currently tax avoiders face significant financial costs when HM Revenue & Customs (HMRC) defeats them in court, but those who advised on, or facilitated, the avoidance bear little risk, (via The Guardian).