Berliner, Corcoran & Rowe has released a regulatory alert regarding the recent sanctions imposed on Venezuela by the Trump Administration.
Three weeks ago, Australia’s chief financial intelligence agency, the Australian Transaction Reports and Analysis Center (AUSTRAC), launched civil penalty proceedings against the country’s largest bank, Commonwealth Bank, for allegedly violating the 2006 Anti-Money Laundering and Counterterrorism Financing Act.
In its August 3 filing, AUSTRAC alleges that the bank racked up over 53,700 violations of the AML/CTF Act since May 2012. In May 2012, Commonwealth Bank introduced a fleet of Intelligent Deposit Machines (IDMs) at its branches. These “smart ATMs” allow users to deposit cash and checks without interacting with a teller, and have the funds instantly credited to their account as well as made available for both domestic and international transfers. AUSTRAC claims that Commonwealth Bank neglected to implement appropriate fraud controls following the introduction of the IDMs. The bank’s IDMs can accept up to 200 notes – or up to $20,000 in cash – per deposit, with no limit on the number of transactions a customer makes per day.
The main violations detailed in the filing include:
- Failure to carry out a Money Laundering/Terrorism Financing risk assessment, despite an “exponential rise in cash deposits through IDMS” as well as alerts from internal monitoring systems;
- Failure to report 53,506 “threshold transactions” (TTRs), or transactions that involve the transfer of $10,000 or more in physical currency, to AUSTRAC within 10 business days of the transactions; and
- Failure to file suspicious matter reports (SMRs), despite internally identifying a pattern of “structured” cash deposits designed to avoid triggering the bank’s TTR reporting obligation.
As a result of these violations, AUSTRAC claims that at least four money laundering syndicates, three of which engaged in drug trafficking, used the IDMs for roughly $77 million worth of suspicious transactions, none of which were reported to law enforcement in a timely manner, either entirely or in part.
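To make the two missing controls concrete, the following is an added example (not code from the post, the bank or AUSTRAC) of how a monitoring rule would surface both the single deposits that trigger a TTR and the sub-threshold “structured” deposits that the bank internally identified but never filed SMRs on. The $10,000 threshold and the $20,000 per-deposit IDM cap come from the text; the deposit records, the one-day window, and the function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TTR_THRESHOLD = 10_000        # cash amount at or above which a threshold transaction report is due
IDM_MAX_PER_DEPOSIT = 20_000  # per-deposit cap stated for the bank's IDMs (200 notes)
STRUCTURING_WINDOW = timedelta(days=1)  # assumed aggregation window; the IDMs had no daily limit

# Constructed sample IDM deposit records (customer_id, ISO timestamp, cash amount); not real data.
DEPOSITS = [
    ("C1", "2012-06-01T09:05", 12_000),  # single deposit over the threshold: TTR required
    ("C2", "2012-06-01T10:00", 9_900),   # three sub-threshold deposits minutes apart
    ("C2", "2012-06-01T10:07", 9_900),
    ("C2", "2012-06-01T10:15", 9_800),
    ("C3", "2012-06-01T11:00", 4_000),   # small, isolated deposits: no pattern
    ("C3", "2012-06-03T11:00", 4_500),   # two days later, outside the window
]

def parse(records):
    return [(c, datetime.fromisoformat(t), a) for c, t, a in records]

def threshold_transactions(records):
    """Single cash deposits of TTR_THRESHOLD or more; each needs a TTR within 10 business days."""
    return [(c, t, a) for c, t, a in parse(records) if a >= TTR_THRESHOLD]

def structuring_candidates(records, window=STRUCTURING_WINDOW):
    """Customers whose sub-threshold deposits inside a sliding window add up to the threshold.
    Returns {customer: (window_start, total, deposit_count)} for the first window that trips."""
    by_customer = defaultdict(list)
    for c, t, a in parse(records):
        if a < TTR_THRESHOLD:            # only deposits that individually avoid a TTR
            by_customer[c].append((t, a))
    flagged = {}
    for c, deps in by_customer.items():
        deps.sort()
        start, total = 0, 0
        for end, (t, a) in enumerate(deps):
            total += a
            while deps[end][0] - deps[start][0] > window:  # drop deposits that fell out of the window
                total -= deps[start][1]
                start += 1
            if end > start and total >= TTR_THRESHOLD:       # two or more deposits summing over threshold
                flagged[c] = (deps[start][0], total, end - start + 1)
                break
    return flagged

if __name__ == "__main__":
    print("TTRs due:", threshold_transactions(DEPOSITS))
    print("Structuring candidates (SMR review):", structuring_candidates(DEPOSITS))
```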
On August 17, AUSTRAC CEO Peter Clark reported to the Australian parliament’s Senate Estimates Committee that “Six of those (in the transactions listed in the statement of claims) relate to cash transactions by five customers in whom the bank has assessed a potential link to terrorism or terrorism financing.”
The bank issued a statement earlier in the month implying that the “vast majority” of breaches were the result of a “coding error” in a 2012 software update to the IDMs that went undetected until 2015.
I will be following this developing story. For more updates and analysis, see the upcoming September issue (Vol. 33, Issue 9) of the International Enforcement Law Reporter.
On July 27, 2017, France’s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, €40,000 for a data breach that rendered roughly 35,000 individuals’ personal information easily accessible through a URL address.
According to CNIL’s filing, on October 15, 2016, an editor of the French cybercrime news site Zataz.com alerted the data protection authority to a security vulnerability lurking on the website of Hertz France’s discount program. After conducting an investigation, CNIL authorities discovered that 35,327 customers’ personally identifiable information – including names, dates of birth, postal and email addresses, as well as driver’s license numbers – could be easily accessed through a URL address. CNIL alerted Hertz France of the security breach, and Hertz France in turn alerted its IT service provider. An audit by the car rental company of the service provider revealed that the security breach was the result of a botched server change operation, in which the IT service provider mistakenly deleted a line of code from the website while transferring the site to a new server.
The 2016 Digital Republic Bill and CNIL’s Expanded Enforcement Powers
This incident constitutes the first monetary penalty issued by CNIL for a data breach since the passage of France’s 2016 Digital Republic Bill (Loi n°2016-1321 pour une République numérique) on October 7, 2016.
The French National Assembly and Senate enacted the massive omnibus bill after months of legislative debate and a period of open online consultation with French citizens. With 113 articles, the Digital Republic Bill constitutes a comprehensive piece of national data protection legislation deliberately crafted to conform to France’s republican tenets, while also securing the nation’s relevance and longevity in the digital age. The bill has its own website that outlines its fundamental tenets: “wider data and knowledge dissemination,” “equal rights for internet users,” and “fraternity through an inclusive digital society.”
In practice, these tenets translate to placing stringent requirements on data controllers regarding the erasure, transfer, and retention of personal data, as well as increasing penalties for violations of the French Data Protection Act.
To realize these policies, the Bill expands the enforcement powers of CNIL. CNIL may now impose a maximum monetary penalty of €3 million, a significant increase from the previous maximum of €150,000 for any infringement of French data protection laws. Once the European Union’s General Data Protection Regulation (GDPR) comes into full effect in May 2018, CNIL’s maximum enforceable penalty will rise to €20 million, or, in the case of large companies, up to 4% of the company’s worldwide gross national turnover.
What to Expect, in France and Beyond
For a multinational company such as the Hertz Corporation, €40,000 is a paltry sum. However, CNIL is merely flexing its muscles at this point. In the filing announcing the penalty, CNIL notes that it had considered Hertz’s swift response to and resolution of the data breach as well as full cooperation with CNIL as mitigating factors, and thus imposed a light penalty despite the corporation’s “negligence.” In the future, other entities might not get so lucky. Once the GDPR takes full effect, CNIL may take particular aim at U.S. based companies such as Facebook, on which it imposed a €150,000 penalty in March, as well as Google, which it is gearing up to battle in Europe’s highest court for an extraterritorial version of the digital “right to be forgotten.”
What about other countries, in the European Union and beyond? Will they follow France’s lead, and stringently enforce their national data protection laws on U.S. companies? In general, we may expect greater enforcement from data protection authorities in the European Union, especially once the GDPR takes effect. Furthermore, among U.S. rivals such as Russia and China, we will likely see national data protection directives repurposed as political capital, especially against the United States. In late 2016, one month after the U.S. government accused Russia of hacking the Democratic National Committee’s servers, Russia’s internet watchdog Roskomnadzor blocked LinkedIn for alleged data protection violations. Similarly, in China, U.S. companies have faced increased restrictions on cloud computing as they struggle to comply with new cybersecurity regulations that outside groups allege discriminate against non-Chinese businesses.
Berliner, Corcoran & Rowe has issued a Sanctions Alert detailing the newest U.S. sanctions imposed by the Trump administration on Russia, Iran, and North Korea.
In February of last year, Spanish authorities raided the Madrid subsidiary of the world’s largest bank by assets: the Industrial and Commercial Bank of China (ICBC). They arrested seven of the bank’s directors for their alleged involvement in large-scale money laundering operations. News outlets widely covered the raid and the ensuing arrests at the time, but Spanish authorities kept developments concerning the subsequent investigation confidential.
Nearly 18 months after the initial raid, Reuters has published the first detailed account of the investigation — a two-part exposé based on the review of “thousands of pages of confidential case submissions” as well as “interviews with investigators and former ICBC employees.”
The Reuters account reveals that, according to phone communications intercepted by Spanish law enforcement and court filings, ICBC sustained a privileged relationship with a cohort of the Chinese business community residing in Spain that had allegedly accumulated large sums of cash as a result of avoiding import sales taxes on goods from China. Bank staff allegedly accepted forged documents, failed to report suspicious transactions, and solicited money transfers from individuals under Spanish police surveillance.
The collusion between the bank and Chinese money laundering networks extended into the upper levels of ICBC management. Transcripts of phone conversations wiretapped by Spanish law enforcement include at least 30 conversations between bank managers and individuals under police surveillance for suspected laundering. In a particularly incriminating conversation dated August 8, 2012, Wang Jing, a senior executive of ICBC’s Madrid branch, says to Xu Kai, an alleged senior member of a transnational money laundering network: “You have to look out for yourself and make sure these people are obedient.” From assessing the transcript of the call, officials have concluded that Wang is instructing Kai on how to avoid detection of his money laundering operation by ensuring that the individuals involved remain fully committed to the scheme.
What does the ICBC investigation tell us about the future of anti-money laundering (AML) compliance enforcement against Chinese banks?
One possibility is that Europe and the United States diverge in their approaches to this enforcement issue, with the United States pursuing a more aggressive enforcement stance, despite the risk of political fallout with Beijing. As Evan W. Krick notes in his post on the Money Laundering Watch blog, the United States’ recent slew of harsher enforcement actions against China-based banks suggests that the United States “may take an increasingly aggressive path” in the near future.
As for Europe, the Reuters report notes that the 2016 raid on the Madrid ICBC branch “ignited a behind-the-scenes diplomatic spat” between Madrid and Beijing officials, and it is possible that the concern over additional diplomatic fallout may temper Spain’s as well as Europe’s enforcement efforts toward ICBC’s European branches. At present, despite the mounting evidence, provided by wiretapped communications as well as cash flow records obtained by Spanish law enforcement, that officials at ICBC facilitated large-scale money laundering operations, not a single suspect identified during the investigation has been formally charged.
For the past several months, European branches of major international banks have been gearing up for the launch of the Fourth Anti-Money-Laundering Directive. According to a European Commission press release, the EU-wide directive takes measures to strengthen existing anti-money laundering and terrorism financing rules in member states, and also “improves transparency to prevent tax avoidance.” The directive was supposed to take effect across the EU on June 26, but thus far as many as 17 member countries are reported to have failed to fully implement the rules of the directive.
On August 2, authorities arrested British cybersecurity researcher Marcus Hutchins, 22, at the Las Vegas airport. Hutchins, who works for the cybersecurity firm Kryptos Logic, was in Las Vegas attending the Black Hat and Defcon security conferences for the week.
The Department of Justice unsealed an indictment against Hutchins upon his arrest that alleges the security researcher was part of a conspiracy to create and distribute the Kronos banking Trojan, a widespread malware attack that security experts believe was created in early 2014 and distributed through the cryptocurrency marketplace AlphaBay, whose servers the DOJ seized just last month. For his alleged involvement in the Kronos scheme, the indictment charges Hutchins with “one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.”
Hutchins is hailed as something of a hero in the cybersecurity community for his role in single-handedly crippling the worldwide WannaCry ransomware attack. Three months ago, he discovered a kill switch in the WannaCry code that immediately halted the spread of the malware. His arrest thus comes as a shock to members of the cybersecurity community, many of whom have taken to social media to voice their skepticism regarding the charges.
On July 26, 2017, the Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Treasury Department, levied a $110 million civil penalty against BTC-e Virtual Currency Exchange and a $12 million penalty against its suspected operator, Russian national Alexander Vinnik, for willfully violating the Bank Secrecy Act. The Bank Secrecy Act requires financial institutions to assist the United States government in reporting and preventing suspected money laundering.
A FinCEN assessment alleges that senior leadership at BTC-e willfully failed to implement basic internal controls designed to prevent a money services business from facilitating money laundering. BTC-e failed to collect and verify customer verification information, as well as to implement procedures to identify and report suspicious transactions to authorities. The assessment claims that as a result of these violations the cryptocurrency exchange “attracted and maintained a customer base that consisted largely of criminals who desired to conceal proceeds from crimes such as ransomware, fraud, identity theft, tax refund fraud schemes, public corruption, and drug trafficking.”
Vinnik was arrested on Tuesday in northern Greece and indicted on Wednesday before a grand jury in Northern California. The recently unsealed indictment charges BTC-e and Vinnik with 21 counts, including one count of operation of an unlicensed money service business, one count of conspiracy to commit money laundering, seventeen counts of money laundering, and two counts of engaging in unlawful monetary transactions.
The $110 million fine marks the Treasury Department’s first penalty levied against a foreign-located money services business. According to a Department of Justice press release, Acting FinCEN Director Jamal El-Hindi stated that the FinCEN bureau “will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws.”