2016-03-24

By Brian Monroe
bmonroe@acfcs.org
March 24, 2016

In this week’s Financial Crime Wave, FIFA hilariously sues US prosecutors for seized funds, an audacious audiologist gets the judge’s ear at sentencing, Philippines apologizes for role in massive hack, laundering debacle, and more.

Corruption

FIFA acknowledged Wednesday that past World Cups were awarded based on bribes, and the organization wants U.S. prosecutors to give it “tens of millions of dollars” seized from former FIFA officials who skimmed cash from broadcasting rights. FIFA submitted a 22-page claim to the U.S. Attorney’s Office in New York on Tuesday that seeks a big share in restitution from more than $190 million already forfeited by soccer and marketing officials who pleaded guilty in a sprawling corruption case that mostly involves non-FIFA competitions. Tens of millions of dollars more is likely to be collected by U.S. authorities when sentences are handed down, and from dozens of officials currently indicted but who have denied bribery charges or are fighting extradition. FIFA claims it is the victim of corrupt individuals, despite widespread criticism that bribe-taking was embedded in its culture in the presidencies of Joao Havelange and Sepp Blatter, who was forced from office after 17 years by the current scandal, (via the Associated Press).

The bigger picture: Before you read this, go to the Internet and try to find a meme of a guy laughing so hard, he falls out of his chair. Then the person rolls on the floor, tries to get up, and then falls back down because the thing the person is laughing about is so hilarious, they have quite literally chortled themselves into oblivion. Now, once you have that series of images firmly planted into your short term memory, go ahead and read the above story. Because that is what US officials, authorities and prosecutors are doing right now after they read the FIFA claim. Wow. Just. Wow. Somehow, this really should make it into an aside referenced by Peter Griffin in Family Guy. So let me recap the legal logic here. FIFA: Oh noez, our top officials are SOEZ CORRUPTZ, HOW DID THAT HAPPENZ????. Global investigators: THATZ why we are charging themz. FIFA: UMZ, no wait, we had no idea they were doing that stuff. And because your prosecutionz make us look bad, we are suing you for the money we used to bribe people, I mean, um, no wait, the money THEY STOLE from us to bribe, and we need that back. Pretty pleaz. LOLZORZ. I can even tell the writer of that story had a hard time keeping his face straight. The only place to find a story with more irony and hilarity than this is by going to the Onion. Good luck FIFA. But I have a feeling the US is going to um, BLOCK your goal of getting that money. Final score: US 1, FIFA 0.

Auditors in the Iraqi parliament say that the defense ministry has spent $150 billion on weapons in the last decade but only a fraction of that has gone to buying weapons and the rest is missing. Iraq’s defense ministry “is one of the most corrupt ministries,” the spokesperson for the parliamentary auditing committee, Adil Nuri, told Rudaw. “Only around $20 billion worth of arms has been bought and the other $130 billion has disappeared in corruption, such as giving bribes to officials of countries they signed the deals with, or falsifying the prices,” he said. The auditing committee conducted an inquiry into three new arms deals of the defense ministry last month, according to Nuri. He said he found “that the ministry had signed $350 million worth of contracts with Eastern European countries but the inquiries showed that there has been a lot of corruption in the price and types of weapons.” Abadi recently announced wide-ranging reform plans starting with cutting the size of the bulging bureaucracy and reshuffling military posts in an effort to boost the country’s finances and strengthen the army, which many blamed for the fall of the city of Mosul in 2014 to the Islamic State (ISIS) group. However, Nuri believes there might be officials in the prime minister’s own government who cover up the corruption cases, such as the latest arms deals. Nuri said that his committee has called for the impeachment of defense minister Khalid al-Obaidi and other defense officials. But he suggested that Abadi also had been caught up in trying to cover up the case, (via Rudaw).

Health care fraud

A U.S. district judge sentenced a Florida audiologist to nearly eight years in prison Monday for her role in a multimillion-dollar health care fraud and money laundering scheme. U.S. District Judge Steven Merryday of the Middle District of Florida sentenced Terri Schneider, 57, of Lakeland, Florida to the lengthy term and also ordered her to pay more than $2.5 million in restitution. In December 2015, a jury in Tampa found Schneider and co-conspirator David Brock Lovelace guilty on all charges, which included conspiracy to commit health care fraud and wire fraud, health care fraud, conspiracy to commit money laundering, money laundering and aggravated identity theft. On March 7, Lovelace was sentenced to 174 months in prison and ordered to pay the same in restitution. According to evidence presented at trial, from approximately June 2010 through approximately May 2014, Schneider and her co-conspirators used three purported medical clinics in Florida, Cornerstone Health Specialists, Summit Health Specialists and Coastal Health Specialists, to submit approximately $12.4 million in false and fraudulent claims to Medicare seeking reimbursement for radiology, audiology, cardiology and neurology services.  Medicare paid approximately $2.9 million in reimbursement on the fraudulent claims. The evidence showed that Schneider and her co-conspirators used forged and falsified documents in the Medicare enrollment process for the medical clinics that they operated under false pretenses, and billed Medicare for services that had not been rendered by physicians.  The co-conspirators also paid illegal kickbacks in exchange for access to Medicare patients and Medicare patient information used in the fraud scheme, the evidence showed, (via the U.S. Department of Justice).

The bigger picture: Several federal investigators and state officials have told me, and further research has backed it up, that Florida is the country’s epicenter for a host of frauds, including healthcare fraud, Medicare fraud and car insurance fraud. Now, this is an alarming trend that banks also likely have clued into, or should – very soon. That’s because while doctors’ offices might be considered historically low-risk, that is simply not the case in many parts of Florida, particularly South Florida. I remember doing stories that some organized crime groups have concluded that healthcare fraud is more profitable and less risky than selling illicit drugs. But these illicit operations, that typically overbill, bribe patients and falsify records to fleece the government, can’t get their funds and continue the scams without bank accounts. Whenever I read these stories of yet another healthcare fraud, I wonder, hmmm, did the banks know about these guys? Did they do due diligence? Did they properly risk rate the company? Did they file SARs on these customers? Did the banks ask any questions like, um, how is a small office like yours doing such huge business? Again, I only bring this up because this story has gotten a decent amount of play in the press and in compliance circles. That will no doubt catch the interest of federal and state examiners who will find out which banks held these accounts and will ask the exact same questions I am proffering. And if they don’t like the answers they get, expect much more severe and agitated questions to come about these institutions’ entire compliance processes, from KYC to CIP, monitoring, training and SARs.

Cybersecurity

Yuchengco-led Rizal Commercial Banking Corp. (RCBC) on Wednesday apologized to the public for the involvement of its personnel in the $81-million money laundering scheme. The bank issued the apology two weeks after the heist hit the headlines and a day before the country went on its annual four-day long weekend to commemorate Christ’s death and resurrection. “RCBC offers its sincerest apologies for the involvement of its personnel in the money laundering scheme now subject of Senate Blue ribbon and AMLC investigations. Within legal bounds, RCBC will cooperate with these and any subsequent government proceedings,” RCBC said in a statement. RCBC said the bank is also conducting its own inquiry to identify and address any weaknesses in its controls and operations which may have facilitated the scheme. It will also take appropriate action against any bank officer or staff found guilty of fault or negligence. “RCBC recognizes the evils wrought by money laundering and will do its utmost in the fight against it.” RCBC has terminated Deguito and Angela Torres, the top two officials of the bank’s Jupiter branch, for violating bank policies and procedures and falsification of commercial documents. The RCBC said that the branch and bank officials are expected to be meted out various sanctions ranging from termination to suspension in the coming days when the internal investigation is expected to be completed, (via the Manila Bulletin).

The bigger picture: This is still yet more fallout from the potentially billion dollar hack involving a foreign central bank, the Federal Reserve and Philippine casinos. But RCBC’s problems are not going to go away with this so-called apology. This was considered one of the worst hack and laundering episodes in banking history. Part of the standard aftershocks of something of this magnitude include mea culpas for those involved that may or may not have known about the gravity of the situation. But this also shows that many banks around the world simply don’t have the understanding, training or ability to grasp or realize how devious criminal hackers are or how creative they can be. The only hope is that this institution, others in the region and the regulators that oversee these banks will take an honest and thorough account of their missteps and uncover with fresh eyes the broader vulnerabilities at play. The answers may mean more than just better systems and training, but may even mean new laws and stronger regulatory oversight.

Researchers at Trend Micro have been monitoring a business email compromise (BEC) campaign aimed at companies from all around the world. The campaign, dubbed by experts Olympic Vision based on a piece of malware used by the attackers, is believed to be run by two Nigerian cybercriminals — one located in Lagos, Nigeria’s largest city, and one in Kuala Lumpur, the capital of Malaysia. According to the security firm, the cybercriminals target organizations in sectors such as manufacturing, real estate and construction from the Asia Pacific region (38 percent), Europe and the Middle East (38 percent), and North America (22 percent). The list of targeted countries includes Canada, the United States, China, Indonesia, Malaysia, Thailand, Germany, the Netherlands, Slovakia, Spain, the United Kingdom, Iran, Iraq, Qatar, Saudi Arabia, UAE, and the African country Zimbabwe. In BEC attacks, cybercriminals compromise the targeted organization’s business email accounts, particularly ones of executives and employees in charge of wire transfers. This access is used to obtain information and manipulate employees into transferring large amounts of money to bank accounts controlled by the fraudsters, (via Security Week).

A survey of 597 U.S. IT executives who direct either cybersecurity activities and/or control the budget for such activities by Ponemon Institute and security firm Cyphort found 39% said their organization is effective at detecting cyberthreats, while 30% said their organization is effective at preventing cyberattacks. Only 17% said they do well at prioritizing alerts and 13% said they were effective at detecting false positives, with 68% saying they spend a significant amount of time chasing false positives. “Getting malware attacks under control continues to be a challenge for companies,” the survey report said. “Despite such catastrophic data breaches as Target, cyber threats are not getting the appropriate attention from senior leadership they deserve. … Respondents say they do not have the necessary intelligence to make a convincing case to the C-suite about the threats facing their company,” (via the Wall Street Journal).

The bigger picture: Now don’t start wagging your finger at me and say, “But Brian, why are you pulling a bait and switch, reading about general IT trends when you should be writing about compliance?” Well, because these trends also cross into banking and could end up causing broader problems for other compliance departments, including fincrime. Those figures should be worrying because several of those major breaches, such as JPMorgan, hit banks in a very high-profile way. Now, I have written about these institutions taking a very proactive and aggressive approach to shoring up their virtual vaults, including massively boosting funds and resources to upgrade hardware and software systems, get uber-qualified tech whiz kids from private industry and even government and employ white hat, see “good guy,” hackers to test systems and find cracks before hackers can. But that is just at the large institutions with significant resources. Just imagine how many smaller and medium-sized banks are struggling to have intertwined financial crime departments that include IT or even have a dedicated person devoted to the concept of cyber defenses, resilience and recovery, rather than just resetting passwords when Mabel locks herself out, again.

Enforcement

Denmark’s financial regulator has reported Danske Bank, the country’s largest bank, to the police for violating Danish anti-money laundering rules. Danske Bank was ordered in 2012 to ensure that the banks with which it co-operated, so-called correspondent banks, had sufficient control procedures to reduce the risk of money laundering. Last year the Danish Financial Supervisory Authority (FSA) conducted an inquiry to see if it had followed this order. “Based on the study’s conclusions, the FSA has reported the bank to the police for violation of the money laundering act’s clauses for correspondent banks, including failure to follow FSA’s order on the area from 2012,” the FSA said. Danske Bank’s Group General Counsel Flemming Pristed told Reuters that the bank had been working constructively with the FSA on the matter and intended to do so with the police. Pristed said Danske Bank had halved the number of correspondent banks to lower the risk of money laundering, and that it had around 400 employees working on reducing the risk. The FSA also gave the bank a reprimand for not having identified and reduced “significant money laundering risks” in its branch in Estonia. The bank was ordered to carry out “adequate assessments” of the risks of money laundering and terrorist financing from its business units and from those business customers the bank itself had rated as being relatively high risk, (via Reuters).

The bigger picture: I would say it has been in the past three years that many of my large bank compliance sources confirmed they were getting extra scrutiny from regulators and investigators about their correspondent connections, what oversight they had for the transactions going through those portals, what kind of AML controls were employed by the correspondent and what networks that institution had connections to. Moreover, several enforcement actions over the past 12-18 months by US regulators have dinged US and foreign banks for the correspondent oversight. As a result, these and other institutions have significantly pruned those correspondent connections, particularly with banks in high-risk jurisdictions and they have forced banks for the accounts they kept to engage in more stringent financial crime compliance procedures, monitoring and training to reduce risk. Typically, foreign jurisdictions take cues from the US, as it is considered one of the most aggressive in terms of regulatory enforcement of compliance missteps. I would imagine that other countries in Europe and beyond will continue this correspondent crackdown. So banks, prepare yourselves.

Money laundering

In February 2013, the Philippines was up against a deadline to amend its Anti-Money Laundering Act and get itself off the ‘gray list’ of a global watchdog, and lawmakers were bickering over whether to include casinos under the legislation. With one day to go, a Congressional committee heard repeated pleas not to hamstring an industry that could rival other Asian gambling meccas by obliging casinos to report suspicious transactions. Finally, the senator chairing the meeting agreed “with a heavy heart” to exclude them, a transcript of the proceedings shows. That same senator now heads a panel trying to fathom how $81 million hacked last month from the New York Federal Reserve account of Bangladesh’s central bank wound up with two casinos and a junket operator in the Philippines – and then disappeared. It is one of the biggest cyber heists in history, and since the money trail has gone cold in the Philippines, the perpetrators may never be identified. The senator, Teofisto Guingona, told Reuters after a public hearing on the case last week that fierce lobbying by the gaming industry over the law had left the Philippines one of the world’s softest targets for money launderers, putting the financial system at serious risk, (via Reuters).

The Serious Fraud Office has been branded incompetent and accused of major lapses after two men it prosecuted for money laundering on behalf of a $120m (£83m) boiler room scam were acquitted. In the latest humiliation for the embattled agency, a jury took under four hours to find Jim Sutherland and Jack Flader not guilty last week after a nine-week trial and nine-year investigation. The Hong Kong-based co-defendants were accused by the SFO of knowingly channelling money on behalf of share fraudsters through Zetland Fiduciary Services, a company providing transaction services to companies and wealthy individuals. Prosecutors claimed that 67-year-old Mr Sutherland, Zetland’s owner and chairman, had received $5.25m for laundering around $120m for an Australian high-pressure share sales fraudster and his associates, who were convicted and jailed in two trials in 2013 and 2014. But Mr Sutherland’s defence demonstrated, using documents entered in evidence by the SFO itself, that he did not receive such an illegal payment. They successfully argued that the prosecution had failed to follow money trails and lacked an understanding of Zetland or the services it provides. The defence asked the SFO to drop the case at the halfway point, but prosecutors pressed ahead, (via the Telegraph).

Information sharing

The nation’s financial intelligence unit has signed an agreement with its Argentine counterpart in a bid to better counter criminals, terrorists and organized crime groups by sharing banking and other data between the two countries. The new accord renews a relationship that splintered when the Argentine unit disclosed certain privileged information originating from the US Treasury’s Financial Crimes Enforcement Network (FinCEN) last year, (via FinCEN).

The bigger picture: This is interesting, but for more than just the face value action of FinCEN creating another MoU. The agency likely has dozens with countries around the world. But Shasky Calvery realizes that the only way to really make a dent against large-scale, international organized crime groups is through forging these kinds of partnerships and data sharing agreements with as many countries as possible and including the regions most at risk for narco and other criminal activities. This, at times, may also mean countries that don’t have the same understanding of AML country-to-country sharing or have iron-clad data protection practices. That, of course, puts information that FinCEN is sharing at risk. If any criminal finds out that the US is after them, surveilling them, tapping their phone or has insight into bank accounts, of course that bad guy will disappear. I applaud FinCEN’s director for giving Argentina another chance. It will reap major dividends in the war on criminals and terrorists in the future.

Compliance

Want to know what United Kingdom compliance officers, legal and risk staff are worried about as being the top priority for the next year? Well here it is: a markets and derivative directive, financial crime and more oversight and accountability for senior managers. In all, over 300 legal, risk and compliance staff from a range of financial services firms (including banks, insurers, asset management firms) responded to a survey on that issue. Here are the results for the top three regulatory challenges for 2016: MiFID II (24%); Financial Crime (16%); and The new Senior Managers and Certification Regime (10%), (via Lexology).

Fraud

Financial fraud losses across payment cards, remote banking and checks totaled £755m in 2015, up 26 percent on 2014 and driven largely by identity theft, according to Financial Fraud Action UK (FFA UK). Cyber criminals are increasingly using malware and social engineering attacks to acquire personal, financial and card data that can be used to commit fraud. Payment card fraud accounted for 75 percent of the total losses, followed by remote banking fraud (22 percent) and check fraud (3 percent). Fraud losses on UK cards totaled £567.5m in 2015, a rise of 18 percent from the previous year. The largest proportion of card fraud losses was due to remote purchase fraud (70%), followed by lost and stolen cards (13%), counterfeit cards (8%) and card ID theft (7%). Remote purchase fraud, including e-commerce fraud, accounted for £398.2m in losses, up 20% from the previous year in value and up 17% in volume. According to FFA UK’s latest annual report, much of the increase in remote purchase fraud is due to fraudsters using card details stolen through data hacks and malware, (via Computer Weekly).
