By Brian Monroe
bmonroe@acfcs.org
February 18, 2016
In this week’s Financial Crime Wave, criminals in a multi-million dollar cyber scheme use purloined phones to dial for dollars, MoneyGram pays $13 million to settle fraud claims, hackers use corruption to try to take a bite out of Apple, and more.
Cybersecurity
A Pakistani national has pleaded guilty to money laundering worth over $19 million on behalf of the perpetrators of a massive international computer hacking and telecommunications fraud scheme in the US. Muhammad Sohail Qasmani, 47, who was arrested at Los Angeles International Airport after he arrived on a flight from Bangkok in December 2014, now faces up to 20 years of imprisonment and a fine up to $250,000. His sentencing is scheduled for May. His co-conspirator Noor Aziz, 53, of Karachi, was indicted on June 20, 2012 and remains a fugitive. According to court documents, Aziz was involved in an unauthorized access to the computer systems commonly known as PBX systems that ran the internal telephone networks of numerous businesses and organizations in the US, eventually hacking the numbers to call premium service numbers controlled by co-conspirators. Telephone company representatives who suspected fraudulent activity and called the numbers heard recordings of fake rings, fake password prompts, fake voicemail messages, music, or dead air on continuous loops. It is estimated that over nearly four years, Qasmani initiated money transfers to approximately 650 unique transferees, located in at least 10 countries, including the Philippines, India, Pakistan, Malaysia, China, the UAE, Saudi Arabia, Indonesia, Thailand, and Italy. Qasmani moved a total of approximately USD 19.6 million in fraud proceeds from November 2008 through December 31, 2012. He kept laundering the money even after Aziz was arrested in connection with this scheme and later released by foreign authorities, (via RTT News).
The bigger picture: I went back and forth with myself deciding whether or not to brief this. Because I know readers are going to say, hey, Brian, this is not a bank. Why are you writing about this? Well, here is why. This group likely had to have bank accounts to move the money around internationally, even if they tried to also use a disparate and seemingly unconnected group of money transfer operations. So potentially some banks would have had account relationships with these fake phone organizations. That begs the question: what kind of due diligence did these banks do for these firms? Did they even score them as high risk at the beginning of the relationship? Did they even try calling any of the numbers to see if the companies actually provided any kind of legitimate service? Because, apparently, it only took a few phone calls to find out these numbers led to fake rings, dead air and hold music – that kept you on hold forever. I hope you don’t think I am reaching here, but I just remember what a seasoned investigator told me once. It was this: Brian, every large scale fraud or money laundering operation needs a bank. Well, apparently in this instance, they found one – or more.
Hackers have been offering money to employees in Ireland in return for their usernames and passwords. Apple employees working at the electronic giant’s facilities in Ireland are being offered thousands of euros by hackers in return for their usernames and passwords. Employees at the Apple Operations International offices in Cork have been sent emails from hackers offering up to €20,000 (£15,000, $23,000) in return for internal company-login details, which could potentially allow them to gain access to lucrative inside information on the technology giant. “You’d be surprised how many people get on to us, just random Apple employees. You get emails offering you thousands [of euros] to get a password to get access to Apple,” an Apple employee in Ireland told Business Insider. “I could sell my Apple ID login information online for €20,000 tomorrow. That’s how much people are trying,” (via International Business Times).
The bigger picture: At ACFCS, we are ceaselessly reinforcing the point that financial crime compliance teams need to create programs that deal with a range of criminal groups and activities, not just stopping a particularly crime, such as money laundering – even though banks are bound by law to create anti-money laundering programs. Now, why do we do this? No, it’s not do drive compliance officers more crazy than they already are juggling so many disparate program elements. Your jobs are hard. But here’s the rub, bad guys have no problem weaving together different criminal elements to try and get into your institution, much like the story above. A hacking group using corruption and bribery tactics to steal technology, then create illicit funds that need to be laundered. I know this is not happening at a bank in this instance, but it just as easily could have. This is a wake up call for institutions to ensure compliance precepts are ingrained in staff at all levels, not just in compliance capacities. The weakest links can sometimes be at the lowest rungs of the organization. Soap box rant end.
Money laundering
Illustrating what can happen when a bank gets tied to large scale money laundering and tax evasion investigations, the Superintendent of Financial Institutions on Wednesday moved to protect depositors and creditors of the Canadian branch of Maple Bank GmbH by taking temporary control of the assets of the branch. On Feb. 6, Germany’s Federal Financial Supervisory Authority (BaFin) ordered Maple Bank to close its doors amid concerns about its balance sheet, particularly its debt position. Maple Bank operates in Canada as a foreign bank branch based in Toronto that is regulated by OSFI. The branch holds a “small number” of wholesale deposits in Canada, but the branch’s primary businesses are securitization, securities financing and structured secured wholesale lending, OSFI notes. Maple Bank is not a member of the Canada Deposit Insurance Corp., so its deposits are not insured by CDIC, OSFI says, (via Investment Executive). OSFI made no mention of the money laundering investigation. In September 2015, nearly 300 German investigators raided 30 location linked to Maple Bank across Germany, pursuing evidence against 11 people thought to have illegally claimed more than 100 million euros ($112 million) in tax returns between 2006 and 2010, using a strategy known as dividend stripping. Previous cases of dividend stripping in Germany have involved buying a stock just before losing rights to a dividend, then selling it to take advantage of a now-closed legal loophole that allowed both buyer and seller to reclaim capital gains tax, (via Reuters).
Spanish police searched offices of China’s ICBC bank in downtown Madrid and arrested five people Wednesday as part of a money laundering and tax fraud probe. A police statement said the search of the Industrial and Commercial Bank of China was a follow-up on a police operation in 2015 that targeted gangs using the bank to launder to China some 40 million euros ($45 million) proceeding from Chinese-run bargain stores across Spain. A statement from Europol, the European Union’s police agency, said five bank directors were arrested. It said the 2015 operation against Chinese organized crime groups based in Spain dismantled a criminal network suspected of importing huge amounts of goods from China without declaring them on customs forms, to avoid import and tax duties. Europol said subsequent investigations revealed that the network deposited the money earned into ICBC, which is accused of sending the funds to China without checking their origin as required by law (via ABC News/AP). As well, in November, London-based ICBC Standard Bank entered into the country’s first-ever deferred prosecution agreement with the Serious Fraud Office (SFO) for failing to prevent a former sister company from paying $6 million in bribes to Tanzanian official to win business from a state bank. The multi-jurisdictional and multi-agency penalty resulted in $32.5 million to the SFO, $4.2 million to the US Securities Exchange Commission and another $7 million to the US government. The action highlighted the risks of insiders and how they can evade compliance controls and the broader issue of how to craft an enterprise-wide, cross-border program (via ACFCS).
Families of U.S. citizens murdered by drug gangs in Mexico sued HSBC Holdings Plc, claiming the bank can be held responsible for the deaths because it let cartels launder billions of dollars to operate their businesses. The lawsuit brings fresh scrutiny to the Mexican activities of HSBC, which in 2012 paid $1.9 billion to resolve a criminal investigation into whether it violated U.S. sanctions laws and laundered at least $881 million on behalf of drug cartels. HSBC said it would fight the claims in the lawsuit, filed Tuesday in federal court in Brownsville, Texas. The new case recounts a series of murders in 2010 and 2011 in horrific detail, arguing that the bank should be held to account for them under the U.S. Anti-Terrorism Act, (via Bloomberg).
The bigger picture: Put simply, this lawsuit is very scary for banks. At ACFCS, we have seen how large compliance penalties, particularly those linked with a particular fraud, criminal or terrorist act, can have severe civil repercussions. For example, some banks have been sued civily when their transactions were tied to terror groups, the theory being terror groups can’t operate without money and if a bank knowingly moved funds for such a group, they are liable for the aftermath, such as individuals who died in related attacks. As well, we saw large US and Canadian banks get taken to task by US regulators tied to compliance and monitoring failures around high-profile Ponzi schemers. This is perhaps a new wrinkle in that legal logic, arguing that if a bank allegedly moved funds tied to an illicit narco group, it should be responsible for deaths tied to the group. I don’t know how this case will play out, but it’s one that bank compliance teams will be watching with interest…and dread.
Fraud
MoneyGram International Inc will pay $13 million to settle an investigation by U.S. states stemming from customer complaints that scam artists duped them into wiring funds via the money transfer service, state attorneys general said on Thursday. The settlement with attorneys general in 49 states and Washington, D.C., includes $9 million for a nationwide fund that will facilitate the return of money to some MoneyGram customers and $4 million to cover states’ costs and fees, according to numerous announcements by state attorneys general on Thursday. MoneyGram, based in Dallas, must also improve fraud-detection measures, the statements said. The company has a global network of approximately 350,000 locations where money transfers are sent and received. This follows prior problems tied to fraud and AML. In 2012, MoneyGram was hit with a $100 million monetary penalty by the US Department of Justice for widespread failings in its AML and fraud programs. In 2014, The US Financial Crimes Enforcement Network (FinCEN) levied a $1 million individual penalty on Thomas Haider, who oversaw MoneyGram’s AML and fraud prevention program during a six-year period in which the money transfer service processed thousands of transactions for agents involved in fraud schemes. Haider is currently fighting those charges, (via Reuters).
The bigger picture: This second penalty for additional fraud-related compliance and control deficiencies means several things for the broader compliance community. First, it shows that money remitters have a duty to ensure extensive financial crime compliance training – not just about AML – needs to be extended to the most distant nerve endings of the organization, no matter the region or size of the operation. Why? Because if the actual agents on the ground are not taught to critically think about why certain individuals are coming to them or asking questions to clients, for instances even below CTR and SAR thresholds, then criminals and fraudsters will keep turning to that avenue to move funds. This is also evidence that there are still persisting challenges when creating compliance programs for money remitters, because they don’t have typically client relationships, like a bank. They do, however, have powerful analytics that can create virtual accounts and log activity based on addresses, transactional patterns and other details, to at least attempt to piece together disparate data elements and see if certain potentially illict trends rise to the fore. Lastly, this is another wake up call to money remitters of all sizes to review the systems, training and policies they have in place to ensure they are not making the same mistakes, or have similar gaps, that brought this penalty.
Compliance
In order for banks to be both competitive and have a strong control environment across the risk and compliance spectrum, institutions broadly must adopt new paradigms that give them more information on risk, and hence ownership and understanding of underlying and residual risk, and be viewed not as an adviser, but an equal partner in bank business initiatives. In most cases, banks need to transform the role of the compliance department from serving in an advisory function to having direct influence on risk management and monitoring. In practice, that means becoming an active co-owner of risks and providing independent oversight of the control framework. Given this evolution, compliance specialists now must focus on these four responsibilities: having an independent and objective perspective on the quantum of residual compliance risk; translating laws, rules and regulations into specific operational requirements; requesting and approving remediation activities; and shaping the bank’s overall risk culture and literacy, (via Bloomberg).
Border security
A multi-country operation to strengthen border controls along the Abidjan-Lagos corridor has resulted in major seizures of drugs, stolen cars, currency, firearms and fake travel documents, in addition to arrests for migrant smuggling, according to INTERPOL.The 10-day Operation Adwenpa saw more than 100 officers deployed to 10 air and land border control points across five countries ‒ Benin, Côte d’Ivoire, Ghana, Nigeria and Togo – to conduct additional security checks against INTERPOL’s databases. Investigators caught two individuals already highlighted in INTERPOL Red Notices – a Ghanaian national wanted by Brazil for drug trafficking and a French national wanted for fraud and embezzlement. A Ghanaian man attempting to smuggle two migrants into Togo using counterfeit travel documents was also arrested, and at the Nigeria/Benin border six child victims aged between 13 and 17 who were suspected of being trafficked for labour exploitation were handed into the care of national authorities. Authorities also seized nearly 900 kg of narcotics, including cocaine, cannabis, methamphetamine and khat. Searches against INTERPOL’s database of stolen motor vehicles led to the recovery of seven vehicles which had been stolen in Canada, France, Germany and Italy. Officials also snared smuggled bulk cash, gold ingots and jewelery worth more than $1 million, as well as nearly 80 kg of trafficked ivory and a number of counterfeit passports (via Interpol).