2016-05-20

By Brian Monroe
bmonroe@acfcs.org
May 19, 2016

In this week’s Financial Crime Wave, Panama feels the heat on AML issues, anti-corruption efforts get a morale boost, hackers pierce LinkedIn, and more.

Enforcement

Wall Street’s industry-funded watchdog has fined Raymond James Financial Inc. $17 million, the largest ever penalty for financial crime compliance failings, for widespread failures in anti-money laundering compliance, the regulator said on Wednesday. The Financial Industry Regulatory Authority (FINRA) also suspended the company’s former anti-money laundering compliance officer, Linda Busby, for three months and fined her $25,000, the regulator said. Raymond James and Busby both agreed to the sanctions in settlements with FINRA, without admitting or denying FINRA’s charges, the regulator said. Raymond James’ processes to prevent money laundering did not match its business growth from 2006-2014, FINRA said. Instead, the company relied on a “patchwork” of procedures and systems to detect suspicious activity, missing “red flags” in the process, FINRA said, (via Reuters).

Compliance

Ineffective anti-money laundering controls in some banks have come to light recently in Panama, Honduras and Guatemala and reputational risk could spread throughout the region. This brings another layer of risks to the region’s banks and exposes them to heightened event risk, says Fitch Ratings. Regulators are taking measures to bolster controls and rated banks have taken steps to bring controls into line with international standards. Since the fourth quarter of 2015, a handful of unrelated incidents highlighted that Central American banks are exposed to risks from weaknesses in their regulatory frameworks. The ‘Panama Papers’ scandal, reported by the press in April, leaked information about over 11 million financial and legal records relating to offshore companies set up by a Panamanian law firm. The incident is not directly related to the Panamanian banking sector, but it undermines credibility in the country. We think Panama’s reputation has been tarnished by the incident. The authorities responded by saying they intend to adopt data-sharing arrangements consistent with the US Foreign Account Tax Compliance Act law and the OECD’s Common Reporting Standards (CRS), (Fitch, via Reuters).

Fredrick E. Curry III has been named Deloitte Advisory anti-money laundering (AML) and economic sanctions practice leader and Michael Shepard has been named Deloitte Global AML, economic sanctions and financial crimes leader. They succeed Alison Clew, who will retire in May. Curry, Shepard and Clew are principals in Deloitte Transactions and Business Analytics LLP. Based in Washington, D.C., Curry has served Deloitte Advisory’s clients with AML, sanctions and financial crimes matters since 2005. Earlier in his career, he led AML and OFAC examinations for the Federal Reserve Bank of New York, served as a senior director advising financial service industry clients on legal and regulatory risk compliance-related matters at a national law firm, and spent 16 years in operations for a major U.S. bank. He is a board member of Transparency International USA, as well as a Certified Anti-Money Laundering Specialist and Certified Third-Party Risk Professional. Curry earned his bachelor’s degree from Adelphi University, his master’s degree in business administration from Fordham University, and his law degree from the Brooklyn Law School, (via Deloitte).

Cybersecurity

Just how securely are banks moving money around the world? New details emerged on Friday about a pair of related attacks on banks that use the Swift message service, which allows financial firms and companies to transfer payments around the world. Computer security researchers briefed on the investigation into one of the attacks, on the Bangladesh Bank, raised several theories about the crime, including the possibility that groups from Pakistan and North Korea may have been spying on the bank. Other analysts investigating the attacks said there were striking similarities between the “multiple bespoke tools” used by the hackers in both the banking cases and the attack on Sony Pictures in 2014. The latest breach detailed by Swift in a letter to its users on Friday occurred at a commercial bank that appeared, according to leading online security firm BAE Systems on Friday, to be located in Vietnam. That attack and the $81 million heist from the Bangladesh central bank account at the Federal Reserve Bank of New York in February are thought to be part of a broad assault on the global banking system by thieves whose operating methods and digital fingerprints are being studied carefully by analysts worldwide. In both attacks on banks, the intruders obtained legitimate credentials to sign in to the Swift network. They initiated fraudulent money transfers, then covered their tracks using tailor-made malware, (via the New York Times).

A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach. Turns out it was much worse than anybody thought. Peace is selling the data on the dark web illegal marketplace The Real Deal for 5 bitcoin (around $2,200). The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords. “It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource told me. “To my knowledge the database was kept within a small group of Russians.” LeakedSource provided Motherboard with a sample of almost one million credentials, which included email addresses, hashed passwords, and the corresponding hacked passwords. The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours,” (via Motherboard).

Corruption

It will take more than a “Global Declaration Against Corruption” to rid the world of an age-old scourge, but don’t dismiss last week’s anti-corruption summit in London too quickly. The surge of interest in the issue is all to the good — and an opportunity that shouldn’t be wasted. Graft may always be with us, but governments can choose either to tolerate and even assist it, or to confront it vigorously. One of the simplest and best ways to fight back is through sharing information. Letting the fruits of bribery, embezzlement and tax evasion be hidden away enables the crime. Ahead of the meeting, more than 300 economists called on world leaders to restrict the use of shell companies and vehicles that conceal the ownership of assets. They make a good case. There’s nothing wrong with owning assets abroad, and investors are entitled to expect appropriate confidentiality — but that doesn’t justify a policy of hiding information from other tax and law enforcement authorities. Pressure on governments that offer such invisibility can yield results. Following the outcry over the so-called Panama Papers, for example, Panama and four other jurisdictions have promised to share information on nonresidents’ holdings of assets, (via Bloomberg).

The U.K. government, as part of its Anti-Corruption Summit, said it would consider legislation that would criminalize the failure to prevent economic crime, which experts say could overturn a century of U.K. corporate criminal law. U.K. Prime Minister David Cameron proposed the idea last week in a letter to the Guardian newspaper ahead of the summit, saying the government will consult on extending the criminal offense of “failing to prevent” crimes, which already exists in the context of bribery, to broader economic offenses such as fraud and money laundering. A press release issued last week said the consultation could be published by summer. While a corporate registry of property owners received much of the press attention from the summit, the proposal under consultation is a game-changer, experts say. “It reverses the burden of proof. If there’s an offense, [the company] is guilty unless it has policies to prevent it in the first place,” said Barry Vitou, a partner in the law firm Pinsent Masons, (via the Wall Street Journal).

Panama Papers

Panamanian regulators have disputed the accuracy of a recent article detailing the imminent loss of correspondent accounts in the US by Panamanian financial institutions, notwithstanding that customers of Banco General have been told by their account representatives that there will be problems with the processing of inbound wire transfers, and on checks they deposit drawn on foreign banks.  However, the reasons why an American or Canadian bank would choose to close a Banco General correspondent account all point to money laundering:

(1) Banco General accepted deposits of funds corruptly obtained from Panama’s National Assistance program, commonly known as PAN, which have resulted in the filing of related criminal charges.

(2) Banco General is under investigation by the organized crime prosecutor for laundering the proceeds of corruption obtained by the administration of the former president, Ricardo Martinelli, who faces multiple criminal charges, and a number of his close associates, and former government officials.

(3) Convicted former Supreme Court of Justice president, Judge Alejandro Moncada Luna, moved criminal proceeds through Banco General. The bank’s failure to interdict large payments made to or on behalf of senior, yet underpaid, government officials amounts to gross negligence. This case is also under investigation by the organized crime prosecutor. Moncada Luna is serving a five-year sentence for accepting bribes and kickbacks.

(4) Links between Banco General and the Financial Pacific/Petaquilla Mine insider trading scandal have been established, and this connection is now part of a pending investigation being conducted by a foreign law enforcement agency, (via Caribbean News Now).

Law firms

Law firms are generally effective at tackling money laundering, but the Solicitors Regulation Authority says solicitors must avoid complacency after it uncovered examples of malpractice during site audits. The regulator’s Anti-Money Laundering Report says firms inspected had a designated money laundering reporting officer and most had ‘effective’ AML compliance frameworks. However, ‘weaknesses’ were identified at some firms and the regulator is ‘actively investigating evidence’ of potential money laundering in a ‘limited’ number. The regulator found that some firms still referred to the Serious Organised Crime Agency (SOCA) rather than the National Crime Agency (NCA), which replaced SOCA in 2013. ‘This suggested a failure to review and amend policies regularly, and raised questions about their use and effectiveness and the firm’s commitment to AML generally,’ the report states. One large firm, which had undergone a merger, had not updated its AML systems and processes. Another large firm’s training records suggested some staff had not had AML training since 2008, including staff in a ‘high-risk’ commercial sector. Several partners and associates at another large firm who did transactional work ‘had not received AML training for up to seven years,’ (via the Law Gazette).

Money laundering

There are many ways in which a criminal can illegally acquire money electronically. Whether it’s through malware, phishing, vishing and smishing scams, account takeovers or other vectors, a commonality across all these attack methods is that fraudsters will need to move the illicit funds fast to avoid being caught and have the sum confiscated. Moving funds within the financial system generally only occurs with very large sums of money. Some of the most common methods for this include the use of:

Offshore accounts;

Anonymous shell accounts;

Money mules; and

Unregulated financial services.

Financial institutions, trusts, shell corporations and other financial groups in these regions may welcome money from almost anywhere and often do not require disclosure of information regarding where the money originated from. In turn, these institutions do not file any reporting back to the country in which the funds were generated, (via Security Intelligence).

Money services business

A federal grand jury has indicted Daniel Barrs for failing to follow anti-money laundering requirements for his role running an Atlanta money transmitting business that processed hundreds of millions of dollars’ worth of financial transactions for entities located around the world. According to U.S. Attorney John Horn, the indictment, and other information presented in court: Daniel Barrs, of the United Kingdom, ran a money transmitting business located in metro Atlanta named “Global Transaction Services” (GTS), along with several interrelated entities that transmitted hundreds of millions of dollars’ worth of wires on behalf of customers located around the world, many of whom Barrs knew were not able to obtain access to U.S. banking on their own and were sending or receiving wires from countries that posed money laundering concerns. GTS was marketed as a company that could minimize the costs associated with transactions from entities located in one country and customers in other countries. The Bank Secrecy Act requires money transmitters like GTS to guard against money laundering and illegal activity by developing, implementing, and maintaining an effective anti-money laundering program. Money transmitters that identify certain types of suspicious financial transactions are also typically required to file a “Suspicious Activity Report” (SAR) with the U.S. Department of Treasury, Financial Crimes Enforcement Network, (via the Atlanta Business Chronicle).

Securities

The compliance mindset must be set by senior management. Although it might not necessarily be top-of-mind for a start-up manager, if they are serious about building a proper business then establishing a culture of compliance from the get-go is important.  A new hedge fund manager that is not required to register with the SEC “doesn’t necessarily need to have as detailed a compliance manual as an SEC-registered investment adviser,” says Brian Roberts, Senior Compliance Analyst and Hedge Fund Practice Associate for ACA Compliance Group, a regulatory compliance and consulting firm.  However, unregistered fund managers still owe their clients a fiduciary duty and are subject to a number of legal and regulatory requirements, including prohibitions on insider trading, restrictions on principal transactions, anti-money laundering and anti-corruption laws. “One of the things we often hear when talking to start-ups is whether they can get a template off-the-shelf compliance manual,” says Roberts. “That is something the SEC frowns upon. They don’t want managers to have cookie-cutter compliance manuals; they want them to be customized to address compliance risks of the specific manager implementing the policies and procedures.” For hedge fund advisers that plan to register with the SEC, the compliance manual should include, among other things: policies and procedures covering portfolio management; filings and disclosures; custody and safeguarding of assets; maintenance of required books and records; trading, valuation, and a code of ethics.  Registered hedge fund advisers should also plan to adopt a Written Information Security Program, including an incident response plan and a business continuity plan, but as Roberts explains, these “tend to be separate documents due to the technical details they contain,” (via Hedge Week).
