The Premium Newsletter No. 4 for IELR Volume 33, Issue 8 is here! Read about the 1MDB civil forfeiture case, OFAC’s targeting of a major Mexican drug kingpin, and more. Like our abstracts? For full access to the articles listed in the newsletter, subscribe to the IELR.
On July 27, 2017, France’s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, €40,000 for a data breach that left the personal information of roughly 35,000 individuals accessible to anyone who requested the right URL.
According to CNIL’s decision, on October 15, 2016, an editor of the French cybercrime news site Zataz.com alerted the data protection authority to a security vulnerability on the website of Hertz France’s discount program. After conducting an investigation, CNIL found that the personally identifiable information of 35,327 customers – including names, dates of birth, postal and email addresses, and driver’s license numbers – could be retrieved simply by entering a URL, with no authentication required. CNIL notified Hertz France of the breach, and Hertz France in turn notified its IT service provider. An audit of the service provider by the car rental company found that the exposure was the result of a botched server migration: while transferring the site to a new server, the IT service provider mistakenly deleted a line of code from the website, removing the access control that had protected the data. The lesson for practitioners is an old one: a migration or deployment must be followed by a check that authorization controls still hold, since a single dropped line can silently turn an authenticated page into a public one.
The 2016 Digital Republic Bill and CNIL’s Expanded Enforcement Powers
This incident constitutes the first monetary penalty issued by CNIL for a data breach since the passage of France’s 2016 Digital Republic Bill (Loi n°2016-1321 pour une République numérique) on October 7, 2016.
The French National Assembly and Senate enacted the massive omnibus bill after months of legislative debate and a period of open online consultation with French citizens. With 113 articles, the Digital Republic Bill constitutes a comprehensive piece of national data protection legislation deliberately crafted to conform to France’s republican tenets, while also securing the nation’s relevance and longevity in the digital age. The bill has its own website that outlines its fundamental tenets: “wider data and knowledge dissemination,” “equal rights for internet users,” and “fraternity through an inclusive digital society.”
In practice, these tenets translate to placing stringent requirements on data controllers regarding the erasure, transfer, and retention of personal data, as well as increasing penalties for violations of the French Data Protection Act.
To realize these policies, the Bill expands the enforcement powers of CNIL. CNIL may now impose a maximum monetary penalty of €3 million for any infringement of French data protection law, a significant increase from the previous maximum of €150,000. Once the European Union’s General Data Protection Regulation (GDPR) comes into full effect in May 2018, CNIL’s maximum enforceable penalty will rise to €20 million or, in the case of large companies, up to 4% of the company’s total worldwide annual turnover, whichever is higher.
What to Expect, in France and Beyond
For a multinational company such as the Hertz Corporation, €40,000 is a paltry sum. However, CNIL is merely flexing its muscles at this point. In the decision announcing the penalty, CNIL notes that it considered Hertz France’s swift response to and resolution of the data breach, as well as its full cooperation with CNIL, as mitigating factors, and thus imposed a light penalty despite the company’s “negligence.” In the future, other entities might not get so lucky. Once the GDPR takes full effect, CNIL may take particular aim at U.S.-based companies such as Facebook, on which it imposed a €150,000 penalty in May, as well as Google, which it is gearing up to battle in Europe’s highest court over an extraterritorial version of the digital “right to be forgotten.”
What about other countries, in the European Union and beyond? Will they follow France’s lead and stringently enforce their national data protection laws against U.S. companies? In general, we may expect greater enforcement from data protection authorities in the European Union, especially once the GDPR takes effect. Furthermore, among U.S. rivals such as Russia and China, we will likely see national data protection directives repurposed as political capital, especially against the United States. In late 2016, one month after the U.S. government accused Russia of hacking the Democratic National Committee’s servers, Russia’s internet watchdog Roskomnadzor blocked LinkedIn for alleged data protection violations. Similarly, in China, U.S. companies have faced increased restrictions on cloud computing as they struggle to comply with new cybersecurity regulations that outside groups allege discriminate against non-Chinese businesses.
Berliner, Corcoran & Rowe has issued a Sanctions Alert detailing the newest U.S. sanctions imposed by the Trump administration on Russia, Iran, and North Korea.
In February of last year, Spanish authorities raided the Madrid subsidiary of the world’s largest bank by assets: the Industrial and Commercial Bank of China (ICBC). They arrested seven of the bank’s directors for their alleged involvement in large-scale money laundering operations. News outlets widely covered the raid and the ensuing arrests at the time, but Spanish authorities kept developments concerning the subsequent investigation confidential.
Nearly 18 months after the initial raid, Reuters has published the first detailed account of the investigation — a two-part exposé based on the review of “thousands of pages of confidential case submissions” as well as “interviews with investigators and former ICBC employees.”
The Reuters account reveals that, according to phone communications intercepted by Spanish law enforcement and court filings, ICBC maintained a privileged relationship with a cohort of the Chinese business community residing in Spain that had allegedly accumulated large sums of cash by avoiding import taxes on goods from China. Bank staff allegedly accepted forged documents, failed to report suspicious transactions, and solicited money transfers from individuals under Spanish police surveillance.
The collusion between the bank and Chinese money laundering networks allegedly extended into the upper levels of ICBC management. Transcripts of phone conversations wiretapped by Spanish law enforcement include at least 30 conversations between bank managers and individuals under police surveillance for suspected laundering. In a particularly incriminating conversation dated August 8, 2012, Wang Jing, a senior executive of ICBC’s Madrid branch, says to Xu Kai, an alleged senior member of a transnational money laundering network: “You have to look out for yourself and make sure these people are obedient.” From the transcript of the call, investigators concluded that Wang was instructing Xu on how to keep his money laundering operation from being detected by ensuring that the individuals involved remained fully committed to the scheme.
What does the ICBC investigation tell us about the future of anti-money laundering (AML) compliance enforcement against Chinese banks?
One possibility is that Europe and the United States diverge in their approaches to this enforcement issue, with the United States pursuing a more aggressive enforcement stance despite the risk of political fallout with Beijing. As Evan W. Krick notes in his post on the Money Laundering Watch blog, the United States’ recent slew of harsher enforcement actions against China-based banks suggests that the United States “may take an increasingly aggressive path” in the near future.
As for Europe, the Reuters report notes that the 2016 raid on the Madrid ICBC branch “ignited a behind-the-scenes diplomatic spat” between Madrid and Beijing, and it is possible that concern over further diplomatic fallout may temper Spain’s, and Europe’s, enforcement efforts toward ICBC’s European branches. At present, despite the mounting evidence from wiretapped communications and cash flow records obtained by Spanish law enforcement that officials at ICBC facilitated large-scale money laundering operations, not a single suspect identified during the investigation has been formally charged.
For the past several months, European branches of major international banks have been gearing up for the launch of the Fourth Anti-Money-Laundering Directive. According to a European Commission press release, the EU-wide directive takes measures to strengthen existing anti-money laundering and terrorism financing rules in member states, and also “improves transparency to prevent tax avoidance.” The directive was supposed to take effect across the EU on June 26, but thus far as many as 17 member countries are reported to have failed to fully implement the rules of the directive.
On August 2, authorities arrested British cybersecurity researcher Marcus Hutchins, 22, at the Las Vegas airport. Hutchins, who works for the cybersecurity firm Kryptos Logic, was in Las Vegas attending the Black Hat and Defcon security conferences for the week.
Upon his arrest, the Department of Justice unsealed an indictment against Hutchins alleging that the security researcher was part of a conspiracy to create and distribute the Kronos banking trojan, a widespread strain of malware that security experts believe was created in early 2014 and was later sold through the darknet marketplace AlphaBay, whose servers the DOJ seized just last month. For his alleged involvement in the Kronos scheme, the indictment charges Hutchins with “one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.”
Hutchins is hailed as something of a hero in the cybersecurity community for his role in single-handedly crippling the worldwide WannaCry ransomware outbreak. Three months ago, he noticed that the WannaCry code checked whether a particular unregistered domain resolved before spreading further; by registering that domain he triggered this kill switch and halted the worm’s spread (although it did nothing for machines already encrypted, and later variants dropped the check). His arrest thus came as a shock to members of the cybersecurity community, many of whom have taken to social media to voice their skepticism regarding the charges.
On July 26, 2017, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that it had added 13 Venezuelan nationals to the list of Specially Designated Nationals, with whom U.S. persons are forbidden from doing business. The people added to the list are high-ranking officials and businesspeople well connected to the administration of Venezuelan President Nicolás Maduro, including Venezuelan interior minister Néstor Reverol Torres.
The sanctions come as Maduro has called for a national vote to elect a constituent assembly to re-write his country’s constitution, a move which critics including the Trump administration have derided as a power grab. The new constitution seems likely to be written in a way to solidify Maduro’s power by weakening democratic institutions, even as his approval ratings fall below 20% amidst an economic crisis which has caused widespread poverty and protest in the nation.
Treasury Secretary Steve Mnuchin, in the statement announcing the sanctions, explicitly stated that they were in response to the Maduro regime’s actions: “As President Trump has made clear, the United States will not ignore the Maduro regime’s ongoing efforts to undermine democracy, freedom and the rule of law. As our sanctions demonstrate, the United States is standing by the Venezuelan people in their quest to restore their country to a full and prosperous democracy.”
“Anyone elected to the National Constituent Assembly should know that their role in undermining democratic processes and institutions in Venezuela could expose them to potential U.S. sanctions,” Mr. Mnuchin added in his statement.
Among the names in this round of sanctions is Simón Zerpa, vice president of finance at Petróleos de Venezuela, known as PDVSA, the state-run oil company. Mnuchin also mentioned in a conference call after the announcement that further sanctions could target the state oil sector. Venezuela currently exports roughly 700,000 barrels of crude oil a day to the U.S. and imports roughly 100,000 barrels a day of refined products from the U.S.; more expansive sanctions limiting that trade would further cripple the nation’s oil-reliant economy, which has already suffered as oil prices have declined globally.
The full list of sanctioned individuals can be found here: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20170726.aspx
On July 26, 2017, the Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Treasury Department, levied a $110 million civil penalty against BTC-e Virtual Currency Exchange and a $12 million penalty against its suspected operator, Russian national Alexander Vinnik, for willfully violating the Bank Secrecy Act. The Bank Secrecy Act requires financial institutions to assist the United States government in reporting and preventing suspected money laundering.
FinCEN’s assessment alleges that senior leadership at BTC-e willfully failed to implement the basic internal controls that are designed to prevent a money services business from facilitating money laundering. BTC-e failed to collect and verify customer identification information and to implement procedures for identifying and reporting suspicious transactions to authorities. The assessment claims that as a result of these failures the cryptocurrency exchange “attracted and maintained a customer base that consisted largely of criminals who desired to conceal proceeds from crimes such as ransomware, fraud, identity theft, tax refund fraud schemes, public corruption, and drug trafficking.”
Vinnik was arrested on Tuesday in northern Greece, and on Wednesday an indictment returned by a federal grand jury in the Northern District of California was unsealed. The indictment charges BTC-e and Vinnik with 21 counts, including one count of operating an unlicensed money services business, one count of conspiracy to commit money laundering, seventeen counts of money laundering, and two counts of engaging in unlawful monetary transactions.
The $110 million fine marks the Treasury Department’s first penalty levied against a foreign-located money services business. According to a Department of Justice press release, Acting FinCEN Director Jamal El-Hindi stated that the FinCEN bureau “will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. AML laws.”
Yesterday, the American Bar Association (ABA) and the international community celebrated International Criminal Justice Day. https://www.americanbar.org/news/abanews/aba-news-archives/2017/07/statement_of_abapre.html
In particular, the ABA and the international community recognized that the International Criminal Court (ICC) was created 15 years ago. Today, depending on your perspective, the ICC has accomplished significant victories in bringing prosecutions and holding trials that have been judged to meet international standards of fairness. However, the ICC suffers from a shortage of resources and an inability to enforce its orders. Its reliance on other countries to carry out arrest warrants and requests for witnesses to testify means that in a number of cases countries simply do not comply. Just as in national courts, many cases are politicized. Many, if not most, defendants have significant resources and use criminalized power structures to resist indictment or prosecution by the ICC.
As some of the key powers, such as China, the United States, and Russia, are not members of the ICC, the Court often lacks the ability to carry out its mandates.
As the production and distribution of arms, including sophisticated weapons such as drones, become increasingly available to both state and non-state actors, it becomes easier for parties to international and internal conflicts to perpetrate mass destruction, and the growth of international atrocities outpaces the ability of the ICC and the international community to stop such conflicts and adjudicate violations of the laws of war.
Increasingly, one of the values of the ICC is to help other ad hoc criminal tribunals as the latter try to develop and implement norms to meet best standards of operation.
On July 14, 2017, the World Bank Group announced that it had debarred two subsidiaries of the American multinational engineering firm AECOM for misconduct involving the misrepresentation of consultants. Under two separate Negotiated Resolution Agreements (NRAs), AECOM Asia Company Limited has been debarred for 18 months and AECOM New Zealand Limited for 6 months.
The debarment of AECOM Asia Company Limited comes after a World Bank investigation revealed that AECOM Asia’s predecessor, Metcalf & Eddy Limited, had “failed to disclose a conflict of interest in its proposal for the Bengbu Integrated Environment Improvement Project.” The company also “misrepresented the input of key staff during implementation of its contract under the Tai Basin Urban Environment Project.” These violations constitute sanctionable practices, according to the World Bank press release announcing the debarment. In addition to the 18-month debarment, AECOM Asia will be required to adopt a corporate compliance program consistent with the standards of the World Bank Group’s Integrity Compliance Guidelines.
AECOM New Zealand faces suspension after it “submitted documents that misrepresented the availability and experience of certain experts in its proposal for the Trung Son Hydropower Project in Vietnam.” In addition to creating a compliance program, both companies are required to cooperate fully with the investigations of the World Bank Integrity Vice Presidency.
The debarment of AECOM Asia Company Limited qualifies for cross-debarment by other multilateral development banks under the Agreement for Mutual Enforcement of Debarment Decisions signed in April 2010.
In addition to the World Bank, parties to the cross-debarment agreement are the Asian Development Bank, the European Bank for Reconstruction and Development, the Inter-American Development Bank, and the African Development Bank.
The press release announcing the debarment can be found here: http://www.worldbank.org/en/news/press-release/2017/07/14/world-bank-debars-aecom-asia-company-limited-and-aecom-new-zealand-limited
On June 29, 2017, after a U.S. Supreme Court ruling partially lifted the injunctions against the executive action, the Trump administration put a revised, limited version of its controversial travel ban into effect. The Supreme Court ruling places limitations on the ban, forcing the Trump administration to make revisions that comport with the decision and opening the door to further litigation over whether those revisions actually satisfy the limitations.
The per curiam order in Trump v. International Refugee Assistance Project and Trump v. Hawaii partially stays the preliminary injunctions placed on the Executive Order by district courts in Maryland and Hawaii (and upheld by the Fourth and Ninth Circuit Courts of Appeals, respectively) and grants certiorari to review the cases and make a final ruling on the order’s legality. The qualified stay of the injunctions is careful to explain that it is not a decision on the ultimate legality of the executive order. The order explains that an injunction is intended to provide “interim relief” to the parties affected in the suits; in this case, a plaintiff going by John Doe, a permanent resident of the U.S. whose Iranian wife is seeking entry to the U.S.; Dr. Ismail Elshikh, an American citizen whose Syrian mother-in-law is seeking entry into this country; and the state of Hawaii, whose standing derives in part from the fact that students who had been accepted to the University of Hawaii would be adversely affected by the travel ban.
The order thus preserves interim injunctive relief for the affected parties, but limits that relief to “foreign nationals with a credible claim of a bona fide relationship with a person or entity in the United States.” The Court reasons that the injunctions previously issued and affirmed, which barred enforcement of the Executive Order “against foreign nationals abroad who have no connection to the United States at all,” provided relief for harms not suffered by the plaintiffs and were therefore too broad.
In response to this ruling, the State Department has set about defining what constitutes a “bona fide relationship” to the U.S. The relatives deemed sufficiently close family members to exempt people from the travel ban, whether as visitors or refugees, are: a parent, spouse, child, adult son or daughter, son-in-law, daughter-in-law, or sibling, as well as their step-family counterparts. The administration’s new rules do not cover grandparents, grandchildren, uncles, aunts, cousins, or fiancés.
Lawyers for the state of Hawaii have once again asked the district court to enjoin the government from enforcing the ban as revised, arguing that the government has adopted far too narrow a definition of what constitutes a “bona fide relationship.” “The Government does not have discretion to ignore the Court’s injunction as it sees fit,” the lawyers wrote. “The State of Hawaii is entitled to the enforcement of the injunction that it has successfully defended, in large part, up to the Supreme Court — one that protects the State’s residents and their loved ones from an illegal and unconstitutional Executive Order.”
The Supreme Court order can be found here, in its entirety: https://www.supremecourt.gov/opinions/16pdf/16-1436_l6hc.pdf
A Washington Post article explaining the government’s revisions to the ban in response to the Court order is linked to here: https://www.washingtonpost.com/world/national-security/travel-ban-to-take-effect-as-state-department-defines-close-family/2017/06/29/03eb8a8e-eba6-4749-9fa2-79117be89884_story.html