Questions

We had an interesting week of anti-corruption enforcement actions last week, both in the US and the UK. We have now had four Foreign Corrupt Practices Act (FCPA) enforcement actions since the announcement of the Department of Justice (DOJ) Pilot Program in April. I thought this would be a good time to review some of the recent enforcement actions, to see what lessons they may impart to the compliance practitioner. So this week will be dedicated to blog posts dealing with enforcement. I will begin with a troubling report issued by a committee of the US House of Representatives over the Department of Justice’s handling of the money laundering enforcement action against the UK bank HSBC back in 2012.

Of all the things that US Congress criticized former Attorney General (AG) Eric Holder over, one might think his protection of financial institutions would not have been one of them. Yet last week there was a scathing report issued, entitled “Too Big To Jail”, by the GOP staff of the House of Representatives Financial Services Committee, which was discussed by Gretchen Morgenson in her New York Times (NYT) Fair Game column entitled “Kid Gloves For a Bank With Clout”. The report deals with the DOJ investigation into the UK financial institution HSBC and the subsequent resolution of allegations that the bank “laundered nearly $900 million for drug traffickers” and sanctioned countries.

While the report does not deal with the DOJ’s lack of prosecution of individuals from the 2008 financial crisis, it certainly provides insight into how Holder conducted such resolutions with large financial institutions and may well explain how it came about that there were no individual prosecutions. The piece begins by noting that even a nearly $2bn fine was not “a body blow” to HSBC. Of course, there was the ubiquitous Deferred Prosecution Agreement (DPA) put in place, under which the DOJ would “delay or forgo prosecution of a company if it promises to change its behavior.”

While I am generally supportive of the practice of using corporate DPAs to help enhance compliance programs, Morgenson’s article does bring up some troubling questions about how and why HSBC was able to get off with not only an agreement not to prosecute any individuals at the bank going forward, but also to have individual incentives removed from the final DPA. The House report found that DOJ leadership, in the form of AG Holder, “overruled an internal recommendation to prosecute HSBC” because of concerns that prosecution of HSBC “could result in a global financial disaster.”

That final line is one we have (unfortunately) heard before. However, the NYT article also reports on how HSBC was able to “soften the deal”. The original agreement with HSBC had language which “provided no protection from prosecution for employees who ‘knowingly and willfully’ processed financial transactions with countries under American sanctions”. University of Pennsylvania Law School Professor David A. Skeel, who was quoted in the piece, said, “This is one case where it looks like the government might have been able to prosecute misbehaving executives during the crisis period, yet waived its right to do so.” Not failed to do so, but waived its right to do so.

Even more inexplicably, the DPA waived future penalties for bank executives who failed to comply with the DPA. Originally there were sanctions against bank executives who did not meet the compliance obligations set forth in the DPA. These sanctions were financial penalties in the form of loss of bonuses. However, in the final version this language was removed and the House report noted the DPA “apparently leaves open the possibility for executives to get their bonuses, despite failing to meet compliance standards.”

Another troubling aspect unearthed by the House report was “how much influence officials at the Financial Services Authority – Britain’s top financial regulator at the time – had on the Justice Department’s process in the HSBC matter”. Morgenson quoted a Washburn University School of Law professor, Mary Kreiner Ramirez, for the following: “It would seem that in making the decision with respect to HSBC, (AG) Holder gave more attention to the concerns expressed by the F.S.A than he did with respect to our own agencies.” Moreover, the FSA got the documents on something close to a real-time basis, “at the time events were unfolding.”

There has been both legal and academic criticism of DPAs. However the article brings up another criticism of the settlement vehicles, which is less discussed, the internal process by which a settlement is reached. Edward J. Kane, a professor of finance at Boston College, noted, “The fact that so many of these cases are settled rather than going to court means we don’t get an airing of facts and challenges of fact.”

The Yates Memo would seem to be one response to pre-emptively address some of the concerns raised by the lack of individual prosecution. For if the DOJ now requires prosecutors to go after culpable individuals in white collar crime cases such as the HSBC money laundering prosecution, or cases under the FCPA for that matter, any settlement via a DPA would not exempt culpable individuals from future prosecution. Further, it would also seem that the DOJ would strengthen the compliance program components of any DPA to have appropriate financial disincentives for the lack of compliance program adherence. When you put on top of this the Yates Memo requirement that companies must dig up facts on culpable individuals and turn those facts over to the DOJ, it would seem that individuals would be more in the sights of the DOJ for prosecution.

The other factor not fully explored by commentators is that DPAs, Non-prosecution agreements (NPAs) and other settlement mechanisms are the product of negotiations by the parties, i.e. the government and the company involved. In the context of FCPA resolutions with the Securities and Exchange Commission (SEC), no company is going to put facts supporting a criminal indictment or even claim of criminal conduct in a civil based Cease and Desist Order or other form of civil based resolution. To do so would open up the company to a very high degree of liability, which is not required if the DOJ declines to prosecute a company for criminal violations of the FCPA. That explains why there is never evidence of criminal liability in a resolution document if there is no criminal charge.

Yet the House report does point up some troubling questions about not only how the HSBC settlement was reached but also the lack of prosecutions against any financial institutions after the 2008 financial crisis.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Shell Games

One of the more prescient authors I know is Ryan C. Hubbs, a senior manager of fraud investigation and dispute services at Ernst & Young LLP (EY), who, in 2014, wrote an article for Fraud Magazine entitled “Shell Games”. In this piece, Hubbs wrote about how criminals use shell corporations to launder money and perpetrate frauds such as violations of the Foreign Corrupt Practices Act (FCPA). He explained what shell companies are and how certified fraud examiners could assist companies in internal investigations around these issues. His piece foreshadowed the information that would become available with the release of the Panama Papers. Today I will begin a two-part series, where I describe some of the issues raised by Hubbs back in 2014, report on information in the Panama Papers, and discuss what you can do in the detect prong of your compliance program.

As Hubbs noted “Unfortunately, the landscape of international crime and fraud has changed dramatically in the last quarter century. Shell companies aren’t just for big tax evaders anymore. If your organization is engaging in any type of transaction in today’s economy, shell companies should be a concern. They’re the financial and deception vehicle of choice for some of the most corrupt, dangerous and ruthless individuals and entities in the world. Arms dealers, drug cartels, corrupt politicians, scammers, terrorists and cybercriminals are just a few of the frequent users of shells.”

Fortunately Hubbs provided his insight into how a Chief Compliance Officer (CCO) or compliance practitioner can investigate companies more thoroughly. All of this is not simply about performing adequate due diligence so that you will know with whom you are doing business. Internal corporate investigators need to be aware of how shell corporations are set up to help detect fraud in their own organizations. In his piece Hubbs cited to a Department of Justice (DOJ) Press Release from then Deputy Assistant Attorney General Bruce Swartz around the Hewlett-Packard (HP) FCPA resolution for the following: “Hewlett-Packard subsidiaries created a slush fund for bribe payments, set up an intricate web of shell companies and bank accounts to launder money, employed two sets of books to track bribe recipients, and used anonymous e-mail accounts and prepaid mobile telephones to arrange covert meetings to hand over bags of cash.”

Yet it is not simply one shell company that you will need to investigate in any due diligence process. As noted in the New York Times (NYT) piece by Eric Lipton and Julie Creswell, entitled “Documents Show How Wealthy Hid Millions Abroad”, the Panamanian law firm of Mossack Fonseca had an entire service line offering for US citizens who wanted to shelter money outside the country. The article cited one person, William Ponsoldt, for whom the law firm set up eight shell companies, “moving at least $134 million through seven banks in six countries.”

Moreover, it appears the Panamanian firm set up entities specifically to help high net worth individuals in the US evade taxes. The piece noted, “In 2006, using a secret email account set up by Mossack Fonseca so his correspondence would not be traced by the authorities, a businessman from Washington State asked a common question from among the firm’s potential American clients: ‘How does a US citizen legally get funds to Panama without the knowledge of the US government and how can those funds be profitably invested without the US government knowing about them?’” Why else would you want to invest funds “without the US government knowing about them”?

Hubbs pointed to three general areas that you should consider in your investigation. The Panama Papers have certainly borne these out. First is to consider shell companies, shelf companies and incorporators. As the services provided by Mossack Fonseca illustrate, one shell is rarely the whole story. Hubbs wrote, “In many instances, one shell company isn’t enough — fraudsters need a network. Dozens of shells, nominee directors, addresses and fake shareholders might be required to conceal a scheme or criminal plot. Big-time criminal conspirators will utilize shell incorporators to do the heavy lifting and help create a corporate web of disguise that can perplex and confuse the best of investigators. Shells can come in different shapes and sizes, and the jurisdiction in which they reside can help further the concealment.”

The next step concerns what Hubbs terms “shelf companies”. He defines these as companies formed but not used for a long period of time. This provides the facade of “appearing legitimate and fooling a novice investigator or basic due diligence mechanisms because it appears to have existed longer than it really has. An older shelf could predate any specific areas of concern, which would allow it to engage in business activities when it otherwise shouldn’t.”

The creation of the entity is only the first step though. As Hubbs noted and the NYT article confirmed, the new shell company will need directors and nominees. Hubbs said, “Fraudsters use nominee directors, and in some instances, other shell companies, to disguise true owners of entities while giving the appearance of legitimacy. Some nominees simply sell their names to fraudsters who use them on company documents. Others actually provide limited services for the shell companies such as processing corporate records, signing for company documents and forwarding mail.”

It is these nominee directors who stand as the “linchpins to linking and disguising” criminal cartels and money laundering schemes. As the Times piece noted, “For many of its American clients, Mossack Fonseca offered a how-to guide of sorts on skirting or evading United States tax and financial disclosure laws. These included locating an individual from a “tax-convenient” jurisdiction to be the straw man owner of an offshore account, concealing the true American owner, or encouraging one client it knew was a United States resident to use his foreign passports to open accounts offshore, again to avoid scrutiny from regulators, the documents show.”

Yet the same technique can be used for an individual. As the NYT article reported, “Marianna Olszewski, the New York City-based author of “Live It, Love It, Earn It: A Woman’s Guide to Financial Freedom,” wanted to shift $1 million held by HSBC in Guernsey to a new overseas account. The catch? She did not want her name to appear anywhere near the transaction. Mr. Owens, the Mossack Fonseca lawyer, again offered a solution. Mossack Fonseca would locate what he called a “natural person nominee” in a “tax-convenient” jurisdiction to stand in for Ms. Olszewski as the owner of the account.”

“The Natural Person Trustee is a service which is very sensitive,” Mr. Owens wrote. “We need to hire the Natural Person Nominee, pay him, make him sign lots of documents to cover us, make him sign resignations, make him get some proofs evidencing that he has the economic capacity to place such amount of moneys, letters of reference, proof of domicile, etc., etc.”

The final area of concern from Hubbs is shell incorporation hot spots. He cited one such address hot spot from a report called “Grave Secrecy” by Global Witness: “‘103 Sham Peng Tong Plaza’ in Victoria, Seychelles. A simple Google search of this address identifies more than 160,000 hits associated with websites, companies and individuals. Another address identified in unrelated criminal filings and sanctions is PO Box 3444 Road Town, Tortola, BVI. A Google search of this address yields more than 600,000 hits. These addresses represent just a few incorporation hot spots. An entity identified with one of these addresses should be a huge red flag.”
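The three areas Hubbs describes (shells and shelf companies, nominee directors, and incorporation hot spots) can be checked mechanically against whatever entity data a compliance team holds. The screen below is an added example, not code from Hubbs, Global Witness or the author of this post. It runs over a constructed registry of six entities and flags: an address on a hot-spot list (the two addresses quoted above, normalized for case and punctuation), an address or a director shared by three or more entities, a director that is itself another entity in the registry, and a “shelf” entity whose first known activity comes more than two years after incorporation. The entity names, the three-entity clustering threshold and the two-year shelf threshold are assumptions chosen for illustration; a real program would take its hot-spot list and thresholds from its own risk assessment. The second function links entities into networks through shared addresses and directors, which is what the “corporate web of disguise” looks like once the data is joined.

```python
"""Shell-network red-flag screen over a constructed company registry (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# The two hot-spot addresses quoted by Hubbs from the Global Witness report,
# stored in normalized form (see normalize_address).
HOT_SPOT_ADDRESSES = {
    "103 sham peng tong plaza victoria seychelles",
    "po box 3444 road town tortola bvi",
}


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, unify 'P.O. Box' spellings, collapse spaces."""
    s = re.sub(r"[^\w\s]", " ", addr.lower())
    s = re.sub(r"\bp\s*o\s+box\b", "po box", s)
    return " ".join(s.split())


@dataclass(frozen=True)
class Entity:
    name: str
    address: str
    directors: Tuple[str, ...]
    incorporated: date
    first_activity: date      # first filing or transaction known to the investigator


# Constructed registry; names and dates are invented for the example.
ENTITIES = [
    Entity("Alpha Holdings Ltd", "103 Sham Peng Tong Plaza, Victoria, Seychelles",
           ("J. Nominee",), date(2008, 1, 10), date(2014, 5, 1)),
    Entity("Beta Trading Ltd", "103 SHAM PENG TONG PLAZA, VICTORIA, SEYCHELLES",
           ("J. Nominee",), date(2013, 2, 1), date(2013, 3, 1)),
    Entity("Gamma Ventures Inc", "P.O. Box 3444, Road Town, Tortola, BVI",
           ("J. Nominee", "Alpha Holdings Ltd"), date(2012, 6, 1), date(2012, 7, 1)),
    Entity("Delta Consulting LLC", "12 Main St, Springfield",
           ("A. Owner",), date(2010, 1, 1), date(2010, 2, 1)),
    Entity("Epsilon Services LLC", "12 Main St, Springfield",
           ("B. Owner",), date(2011, 4, 1), date(2011, 5, 1)),
    Entity("Zeta Capital Ltd", "103 Sham Peng Tong Plaza, Victoria, Seychelles",
           ("K. Nominee",), date(2014, 1, 1), date(2014, 2, 1)),
]


def screen_entities(entities: List[Entity], hot_spots: Set[str] = HOT_SPOT_ADDRESSES,
                    shelf_days: int = 730, cluster_min: int = 3) -> Dict[str, List[str]]:
    """Return {entity name: [red flags]} for every entity that raises at least one flag."""
    by_addr: Dict[str, List[str]] = defaultdict(list)
    by_dir: Dict[str, List[str]] = defaultdict(list)
    names = {e.name for e in entities}
    for e in entities:
        by_addr[normalize_address(e.address)].append(e.name)
        for d in e.directors:
            by_dir[d].append(e.name)

    flags: Dict[str, List[str]] = {}
    for e in entities:
        found = []
        addr = normalize_address(e.address)
        if addr in hot_spots:
            found.append("hot_spot_address")
        if len(by_addr[addr]) >= cluster_min:            # address shared by many shells
            found.append("shared_address")
        if any(len(by_dir[d]) >= cluster_min for d in e.directors):
            found.append("nominee_director")              # one person fronting many entities
        if any(d in names for d in e.directors):
            found.append("entity_as_director")            # a shell directing another shell
        if (e.first_activity - e.incorporated).days > shelf_days:
            found.append("shelf_company")                 # formed long before first use
        if found:
            flags[e.name] = found
    return flags


def link_network(entities: List[Entity]) -> List[Set[str]]:
    """Group entities connected by a shared address, a shared director, or an
    entity-as-director relationship; largest network first (union-find)."""
    parent = {e.name: e.name for e in entities}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    by_addr: Dict[str, List[str]] = defaultdict(list)
    by_dir: Dict[str, List[str]] = defaultdict(list)
    for e in entities:
        by_addr[normalize_address(e.address)].append(e.name)
        for d in e.directors:
            by_dir[d].append(e.name)
            if d in parent:                               # director is itself an entity
                union(e.name, d)
    for group in list(by_addr.values()) + list(by_dir.values()):
        for other in group[1:]:
            union(group[0], other)

    components: Dict[str, Set[str]] = defaultdict(set)
    for name in parent:
        components[find(name)].add(name)
    return sorted(components.values(), key=len, reverse=True)


if __name__ == "__main__":
    for name, found in screen_entities(ENTITIES).items():
        print(f"{name}: {', '.join(found)}")
    for net in link_network(ENTITIES):
        print("network:", sorted(net))
```

Run as a script it lists each flagged entity with its reasons and then the two networks the registry contains. The point of the second function is the one Hubbs makes: a single entity at a hot-spot address is a red flag, but three entities at that address sharing a director who also directs a fourth is a network, and it is the network that should be escalated for review.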

Tomorrow I will review some of the areas you can research to help you in investigating and tracking shell companies.

 


Yesterday I began an exploration of the potential individual liability of a Chief Compliance Officer (CCO) based upon the Financial Industry Regulatory Authority (FINRA) enforcement action against Raymond James Inc. and its former CCO, Linda Busby. Today, I will consider the specific deficiencies laid out in the Letter of Acceptance, Waiver and Consent (Letter of Acceptance) and what lessons might be drawn going forward.

It is important to note that the basis of liability is FINRA Rule 3310, which requires the company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The required policies and procedures are to detect and report suspicious activity and to monitor transactions for specified red flags. If such red flags were detected, additional investigation was required and any clearance of such a red flag required documentation. Some of the specifics of Rule 3310 include appropriate due diligence on both customers and correspondent accounts for foreign financial institutions, a risk-based assessment of new clients and a review of red flags that might be raised in the above. Busby, as CCO, was required to implement the foregoing.

As noted yesterday, Busby was sorely understaffed, underfunded and probably could never have overseen a functioning and effective compliance program, had the company deigned to put one in place. However, the company obviously thought it did not have to do so. As noted in the Letter of Acceptance, the company “did not have a single written procedures manual describing AML procedures; rather to the extent written procedures existed addressing supervision related to AML, they were scattered through various departments.” Moreover, Busby did not have control or even oversight of individuals in other departments handling anti-money laundering (AML) issues. Finally, the company did not have any oversight for monitoring suspicious activity. The Letter of Acceptance noted these shortcomings were failures of both the company and Busby.

FINRA dived deeper into the weeds when it faulted both the company and Busby for not monitoring known high-risk transactions or individuals. The Letter of Acceptance listed high-risk activity as:

  • Transfers of funds to unrelated accounts without any apparent business purpose;
  • Journaling securities and cash between unrelated accounts for no apparent business purpose, particularly internal transfers of cash from customer accounts to employee or employee-related accounts; and
  • Movement of funds, by wire transfer or otherwise, from multiple accounts to the same third party account.

In addition, the company did not have any procedures “in place to reasonably monitor for high-risk incoming wire activity, such as third-party wires and wires received from known money laundering or high-risk jurisdictions.”

All of this meant that neither the company nor Busby was able to monitor or later investigate suspicious activity. FINRA turned up 513 accounts that engaged in high-risk activity that were never even spotted, let alone investigated. There was no overall risk assessment performed which might have allowed Busby to marshal her limited resources and focus on the highest risk transactions. As you would expect, there was no technological solution in place that allowed Busby to “conduct any trend or pattern analysis or otherwise combine information generated by the multiple reports to look for patterns”. All of Busby’s analysis had to be done the old fashioned way, through manual review.

While there were some reports generated by the company that might have been of use in an AML analysis, they were either deficient or not tied to similar reports. Even when the information was available there was no overall risk ranking for the company’s customers that would have allowed transaction monitoring on a more proactive basis. Finally, and this one is perhaps the most unbelievable, there was no linking of customer accounts so no pattern of single customer activity could be reviewed.

In addition to these overall AML program deficiencies, the Letter of Acceptance listed failures by Busby when sufficient information was available to her. There were thousands of alerts generated regarding suspicious activities each month that were closed out with no documentation as to the rationale for closing the suspicious activity alert. There was no documented clearance of red flags raised, even in the process the company did have in place.

The customer due diligence report was not even provided to Busby or the AML team but to the company’s credit department, one of those departments that Busby had no visibility into. When there was sufficient information to investigate customers, Busby and her team failed to do so and the Letter of Acceptance listed several instances where Busby failed to document that customers had been sanctioned by the US Department of the Treasury. The Letter of Acceptance laid out some useful indicia of suspicious transactions including (1) rounded dollar amounts; (2) purpose of payment inconsistent with the customer’s prior activities; (3) the domicile of the individual receiving the funds was not the location where the funds were transferred; (4) the Letter of Authorization provided to the company was dated at or near the date of transfer.
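Most of what the Letter of Acceptance faulted here is rule logic that a monitoring system can apply across accounts: the three high-risk activity types in the list above, the incoming-wire jurisdiction check, the four indicia of suspicious transfers just quoted, the linking of accounts to a single customer, and a risk ranking of customers that would let a small team focus first on the worst. The block below is an added example of that logic, written for this page; it is not FINRA’s, Raymond James’s or the author’s code, and it makes no claim about the firm’s actual reports. It runs over six constructed transactions. The account and customer identifiers, the placeholder high-risk jurisdiction codes, the $10,000 round-amount floor, the three-source threshold for “many accounts to one third party” and the one-day Letter of Authorization window are all assumptions chosen so each rule fires at least once; a real program would calibrate them from its own risk assessment and regulatory guidance.

```python
"""Constructed AML transaction screen (added example; not FINRA's or any firm's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Placeholder jurisdiction codes standing in for a firm's high-risk list (assumption).
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str                 # "wire_out", "wire_in" or "journal"
    src_account: str
    dst_account: str
    amount: float
    txn_date: date
    counterparty_country: str = ""   # where the wire went to / came from
    beneficiary_domicile: str = ""   # where the named beneficiary actually lives
    loa_date: Optional[date] = None  # date on the Letter of Authorization


# Constructed account master: which customer owns each account, and employee flag.
ACCOUNTS = {
    "A1": {"customer": "C1", "employee": False},
    "A2": {"customer": "C2", "employee": False},
    "A3": {"customer": "C3", "employee": False},
    "A4": {"customer": "C1", "employee": False},   # second account, same customer as A1
    "E1": {"customer": "EMP7", "employee": True},
}

# Constructed transactions; external accounts are prefixed "EXT-".
TXNS = [
    Txn("T1", "wire_out", "A1", "EXT-9", 50_000.00, date(2016, 3, 1), "GB", "GB", date(2016, 3, 1)),
    Txn("T2", "wire_out", "A2", "EXT-9", 25_000.00, date(2016, 3, 2), "GB", "CH", date(2016, 2, 1)),
    Txn("T3", "wire_out", "A3", "EXT-9", 12_345.67, date(2016, 3, 3), "GB", "GB", date(2016, 1, 15)),
    Txn("T4", "journal", "A4", "E1", 7_500.00, date(2016, 3, 4)),
    Txn("T5", "wire_in", "EXT-2", "A1", 87_310.25, date(2016, 3, 5), "XX"),
    Txn("T6", "wire_out", "A2", "EXT-3", 4_200.00, date(2016, 3, 6), "DE", "DE", date(2016, 2, 20)),
]


def screen(txns: List[Txn], accounts: Dict[str, dict], round_floor: float = 10_000,
           many_sources: int = 3, loa_window_days: int = 1) -> Dict[str, List[str]]:
    """Return {txn_id: [red flags]} for every transaction that raises at least one."""
    flags: Dict[str, List[str]] = defaultdict(list)
    for t in txns:
        if t.amount >= round_floor and t.amount % 1_000 == 0:
            flags[t.txn_id].append("round_amount")
        if t.kind == "journal":
            src, dst = accounts.get(t.src_account), accounts.get(t.dst_account)
            # cash moving from a customer account to an unrelated employee account
            if src and dst and dst["employee"] and not src["employee"] \
                    and src["customer"] != dst["customer"]:
                flags[t.txn_id].append("customer_to_employee_journal")
        if t.kind == "wire_out":
            if t.beneficiary_domicile and t.counterparty_country \
                    and t.beneficiary_domicile != t.counterparty_country:
                flags[t.txn_id].append("domicile_mismatch")
            if t.loa_date is not None and abs((t.txn_date - t.loa_date).days) <= loa_window_days:
                flags[t.txn_id].append("loa_near_transfer")
        if t.kind == "wire_in" and t.counterparty_country in HIGH_RISK_JURISDICTIONS:
            flags[t.txn_id].append("high_risk_inbound")

    # Cross-account rule: distinct customers wiring to the same third-party account.
    sources_by_beneficiary: Dict[str, set] = defaultdict(set)
    for t in txns:
        if t.kind == "wire_out" and t.src_account in accounts:
            sources_by_beneficiary[t.dst_account].add(accounts[t.src_account]["customer"])
    for t in txns:
        if t.kind == "wire_out" and len(sources_by_beneficiary[t.dst_account]) >= many_sources:
            flags[t.txn_id].append("many_sources_one_beneficiary")
    return dict(flags)


def link_by_customer(txns: List[Txn], accounts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group transactions under every customer whose account appears on either side,
    so one customer's activity across several accounts can be reviewed together."""
    linked: Dict[str, List[str]] = defaultdict(list)
    for t in txns:
        owners = {accounts[a]["customer"] for a in (t.src_account, t.dst_account) if a in accounts}
        for c in sorted(owners):
            linked[c].append(t.txn_id)
    return dict(linked)


def rank_customers(flags: Dict[str, List[str]],
                   linked: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Customers ordered by total red flags on their linked transactions, most first."""
    scores = {c: sum(len(flags.get(t, [])) for t in tids) for c, tids in linked.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = screen(TXNS, ACCOUNTS)
    for tid, reasons in hits.items():
        print(f"{tid}: {', '.join(reasons)}")
    for customer, score in rank_customers(hits, link_by_customer(TXNS, ACCOUNTS)):
        print(f"customer {customer}: {score} flag(s)")
```

Run as a script it prints the flagged transactions and then the customers in priority order. Two design points matter for the failure modes described in the Letter of Acceptance: the “many accounts to one beneficiary” rule cannot be evaluated one report at a time, which is why an exception report per account type misses it, and the ranking only works once accounts are linked to customers, which the firm had not done.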

Finally, and to no doubt warm the heart of every process analyst and professional out there, FINRA criticized the lack of oversight. Busby was criticized for failing to engage in appropriate oversight of the company’s AML risk. But the company also failed in its own role of providing oversight to the CCO and the compliance function. If it had done so, perhaps the company would have realized the impossible position Busby was in and the utterly impossible role she had to fulfil.

Fortunately for the Foreign Corrupt Practices Act (FCPA) compliance CCO, the financial services industry has specific rules that require compliance programs. Such regulations do not exist around the FCPA. However the analysis that FINRA used to bring charges against Busby could well bleed over to CCOs and compliance professionals in the future. With the new Department of Justice (DOJ) compliance counsel, the role of the CCO may be given more scrutiny going forward. It is painful to picture an anti-corruption CCO assessed with liability for a corporation which views compliance as poorly as did Raymond James but they are out there.


Mister Ed

A horse is a horse, of course, of course,

and no one can talk to a horse, of course.

That is, of course, unless the horse is the famous Mister Ed.

Those lines were the opening verse to the theme song of the TV comedy Mr. Ed, which we celebrate today with the passing of (non-horse) star Alan Young who died this past week. While the name Mr. Ed may not mean much to the current television watching audience, his role as Wilburrrr, the foil of that universally famous talking horse Mr. Ed, should bring a few smiles to faces out there. Mr. Ed had an initial run from 1961-1966 on CBS and then reintroduced itself to an entire new audience on Nickelodeon network on the ubiquitous Nick at Nite in the 1980s and 1990s.

Mr. Ed and his ongoing antics and shenanigans seemed a good introduction to this issue of individual liability of a Chief Compliance Officer (CCO) in the financial services industry and whether that individual liability may bleed over into the wider anti-corruption compliance world. For when should a CCO have liability, and should the regulators, whether in the financial services industry or in the broader anti-corruption world of the Foreign Corrupt Practices Act (FCPA), impose such individual liability? While the financial services world is regulated by both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), which have specific regulations requiring the companies they regulate to have anti-money laundering (AML) compliance programs, the FCPA does not have any such requirements, either written directly into the statute or by interpretation therefrom.

In late 2014, SEC Enforcement Chief Andrew Ceresney gave a speech where he laid out the three areas of potential individual liability for a CCO. He said that CCOs should be concerned: (1) where there is actual willful misconduct with participation in the illegal activity; (2) when they have helped mislead regulators; and (3) where there is the clear responsibility to implement compliance programs or policies and they wholly fail to carry out those responsibilities. I do not think there would be any debate that a CCO who engages in illegal conduct should be sanctioned, or one who wholly fails to engage in the statutorily mandated duties of the position. However, if regulators are going to move into evaluating the specific compliance program implementation and execution by CCOs, that would be a sea-change in enforcement and potential personal liability for CCOs.

Last year there were two SEC individual enforcement actions against CCOs in the financial services industry. The two enforcement actions were styled Blackrock Advisors LLC and Bartholomew A. Battista (Blackrock) and SFX Financial Advisory Management Enterprises, Inc. and Eugene S. Mason (SFX). The Blackrock case involved an internal conflict of interest which led to a $12MM fine paid by the company. The company had a conflict of interest policy. However, according to the Cease and Desist Order, the CCO liability turned on “BlackRock’s CCO, Battista was responsible for the design and implementation of BlackRock’s written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. Battista knew and approved of numerous outside activities engaged in by BlackRock employees (including Rice), but did not recommend written policies and procedures to assess and monitor those outside activities and to disclose conflicts of interest to the funds’ boards and to advisory clients. As such, Battista caused BlackRock’s failure to adopt and implement these policies and procedures.” Battista was fined $60,000 separately.

According to the SFX Cease and Desist Order, the company President, Brian Ourand, “misappropriated at least $670,000 in assets from three client accounts.” The company was ordered to pay a civil penalty of $150,000. However, the SEC accused SFX CCO Eugene Mason of three general violations. First, Mason did not effectively implement “an existing compliance policy requiring that there be a review of ‘cash flows in client accounts.’” Second, Mason did not require an appropriate segregation of duties in that he did not ensure that account cash flow reviews were done by someone other than the President. This caused the following statement in SFX’s brochure to be untrue: “Client’s cash account used specifically for bill paying is reviewed several times each week by senior management for accuracy and appropriateness.” Finally, and perhaps most troubling, while Mason, as CCO, was in the midst of an internal investigation following the discovery of the President’s misappropriation, the company did not conduct an annual review of its compliance program. The SEC believed that “Mason was responsible for ensuring the annual review was completed and was negligent in failing to conduct the annual review.”

One of the difficulties with assessing these actions in the context of the role of a CCO in the broader FCPA world is that they are the end results of lengthy processes of negotiations. This is particularly true when it comes to the final resolution documents, such as the SEC Cease and Desist Orders, from both cases.

Last week there was an enforcement action initiated by FINRA against Raymond James and Associates, Inc. and its former CCO Linda Busby (the “Raymond James matter”). Raymond James paid a fine of $17MM and Busby was fined $25,000 and banned from the industry for three months. The resolution was in the form of a Letter of Acceptance, Waiver and Consent (Letter of Acceptance). The facts laid out in the Letter of Acceptance were accepted and consented to by the respondents without admitting or denying same.

In the Letter of Acceptance, FINRA laid out the specific failings of Busby in her role as CCO. The basis of liability is FINRA Rule 3310, which requires a company to “develop and implement a written anti-money laundering program reasonably designed to achieve and monitor the member’s compliance with the requirements of the Bank Secrecy Act…” The required policies and procedures must detect and report suspicious activity and monitor transactions for specified red flags. If such red flags are detected, additional investigation is required and any clearance of such a red flag requires documentation.

Busby’s role within the company, from 2002-2013, was to ensure that the company’s AML compliance program was “tailored to the Firm’s business and for appropriately monitoring, detecting and reporting suspicious activity.” Unfortunately for Busby, she was the Lone Ranger of Raymond James compliance from 2002-2012. She did, however, increase head count in the compliance function by 100% in late 2012 “by adding a second employee.” The size of this compliance function, when compared to the size of the company as laid out in the Letter of Acceptance, is stunning: the firm’s “size increased from approximately 2,398 registered persons in 190 branches in 2006, to approximately 5,294 registered persons in 445 branches in January 2014.” Busby oversaw AML compliance for all of them, and one might see how her position was untenable to start with, before there was any analysis of her work.

These head count numbers are rendered starker when one considers the number of transactions of the company. By 2014, the company had approximately 2.2 million accounts, generating “over 51 million transactions” annually. Busby and her team (such that it was) “were responsible for, among other things, reviewing more than a dozen lengthy AML exception reports for suspicious activity across the millions of accounts, filing suspicious activity reports (SARs), and communicating with branch managers and registered representatives regarding client actions and account activity.” It sure does not sound like a position set up for success.

Tomorrow, we will review that work and see what lessons may be drawn…stay tuned.

 



Days of the Week

There are many different types of risk that an entity may face. However, I confess I had rarely thought about a day of the week as a risk until I read a story in the Wall Street Journal (WSJ), by Syed Zain Al-Mahmood and Cris Larano, entitled “From the Fed to the Philippines: Bangladesh’s Stolen-Money Trail”. Their article detailed the initial investigations around the fraudulent transfer of money from the Central Bank of Bangladesh’s account at the Federal Reserve Bank of New York (the Fed).

The theft occurred in early February but was not publicly reported until early March. On Friday, February 5, the Fed began to receive requests for wire transfers purportedly from the central bank of Bangladesh. Some $101 million was wired out of the Fed that Friday, but there were requests for an additional $950 million to go out as well. In Bangladesh, the weekend is Friday and Saturday. It turned out that the Fed had sent 35 separate messages asking the Bangladesh central bank to reconfirm that the transfer requests were legitimate. However, “The computer terminal that connected Bangladesh’s central-bank computers to the secure interbank messaging system known as Swift was ‘unresponsive’ on Feb. 6, the morning after the theft, a senior official working at the bank’s secure server room said in the police report seen by The Wall Street Journal.” Moreover, “According to the report, Zubair Bin Huda, the senior official in charge of the glass-walled server room – known as the ‘Dealing Room’ – was concerned when a printer connected to the terminal couldn’t print out the interbank messages received during the night.”

It was not until the Bangladesh workweek began on Sunday that central bank employees hooked up a backup server and printed out the 35 messages from the Fed. At that point they were able to stop the pending transfers, averting the remaining $950 million that had been requested, but $101 million had already left the Fed.

Of the $101 million, “$20 million [went] to Sri Lanka … to the account of a newly formed nongovernmental organization, according to the officials in Dhaka. The Sri Lankan bank handling the account reported the unusual transaction to the country’s central bank and authorities reversed the transfer.” Unfortunately, the remaining $81 million was wired to a bank in the Philippines. On Monday, February 8, the first day of the workweek in the Philippines, “Senior Bangladeshi officials sent urgent messages to the Philippines central bank on Feb. 8 asking it to freeze four accounts at the RCBC where $81 million had flowed”, but by then it was too late.

Romualdo Agarrado, an executive at Rizal Commercial Banking Corp (RCBC), testified at a Philippine Senate hearing that the bank received the requests from Bangladesh on February 9 and issued stop orders internally, but that one bank manager, “Maia Santos Deguito ignored it. Instead, she moved the money to a foreign-currency account opened Feb. 5 under the name of Centurytex Trading, a local brokerage firm owned by businessman William Go, Mr. Agarrado testified.”

From there the money was laundered through casinos in the Philippines. In a Financial Times (FT) article entitled “Philippines eyes reform in wake of $81m heist”, Avantika Chilkoti reported that “$50m was passed on to two casino groups and another $31m delivered in cash to a ‘junket agent’ organizing trips for gamblers.” The Philippines, which has one of the most porous anti-money laundering (AML) regimes around, exempts the country’s casinos entirely from even those paltry laws.

This was clearly a very sophisticated crime, with many moving parts. However, the basic timing is something companies need to consider as a risk going forward. Have you thought about treating a payment request that arrives late on a Friday as suspicious? What about one that arrives on a Thursday, the day before a Friday-Saturday weekend? Did you consider the weekend days of the country the payments were being wired to? Did you send a request for confirmation, as the Fed did, 35 times?

What if there is no response, as there was none from the central bank of Bangladesh? Does that mean the bank was incompetent? Could it be an inside job that took the primary server down so the individual requests for confirmation could not be printed out? Or are they all simply at the beach for the weekend?
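One way to turn those questions into a routine check, as an added example that is not from the article or from any bank’s actual controls: the Python screen below converts each wire instruction’s receipt time into the originating and beneficiary jurisdictions’ local time, works out how long it will be before anyone on the originating side is at work to vouch for the instruction, and recommends a hold for anything that lands in an empty office or whose confirmation queries have gone unanswered. The jurisdiction calendars (Bangladesh’s Friday-Saturday weekend, fixed UTC offsets with no daylight saving, 09:00 to 17:00 working hours) and the sample instructions, which borrow the article’s $81 million, $20 million and 35 unanswered queries, are constructed for the demonstration.

```python
"""Timing-risk screen for outbound wire instructions (added example).

Scores a payment request on whether the party that must vouch for it is
at work, whether the receiving jurisdiction can act on a recall, and
whether confirmation requests have gone unanswered. Calendars, working
hours and sample instructions are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Monday=0 ... Sunday=6. Bangladesh's weekend is Friday and Saturday; the
# others use Saturday and Sunday. Fixed UTC offsets (no DST) keep the
# example runnable without a tz database; a real screen would use
# zoneinfo plus a bank-holiday calendar.
JURISDICTIONS = {
    "US": {"weekend": {5, 6}, "tz": timezone(timedelta(hours=-5))},             # New York (EST)
    "BD": {"weekend": {4, 5}, "tz": timezone(timedelta(hours=6))},              # Dhaka
    "PH": {"weekend": {5, 6}, "tz": timezone(timedelta(hours=8))},              # Manila
    "LK": {"weekend": {5, 6}, "tz": timezone(timedelta(hours=5, minutes=30))},  # Colombo
}
OPEN_HOUR, CLOSE_HOUR = 9, 17   # assumed local working hours


def next_business_open(local: datetime, country: str) -> datetime:
    """Earliest moment at or after `local` when staff in `country` are at work."""
    weekend = JURISDICTIONS[country]["weekend"]
    t = local
    if t.hour >= CLOSE_HOUR:        # after close: next morning
        t = (t + timedelta(days=1)).replace(hour=OPEN_HOUR, minute=0, second=0, microsecond=0)
    elif t.hour < OPEN_HOUR:        # before open: this morning
        t = t.replace(hour=OPEN_HOUR, minute=0, second=0, microsecond=0)
    while t.weekday() in weekend:   # skip the local weekend
        t = (t + timedelta(days=1)).replace(hour=OPEN_HOUR, minute=0, second=0, microsecond=0)
    return t


@dataclass
class WireRequest:
    ref: str
    amount_usd: float
    received_utc: datetime        # when the paying bank got the instruction
    originator: str               # jurisdiction whose staff must confirm it
    beneficiary: str              # jurisdiction the funds go to
    confirmations_sent: int = 0
    confirmation_received: bool = False


def assess(req: WireRequest, max_unattended_hours: float = 24.0) -> dict:
    """Return the timing flags for one instruction and a hold/release call."""
    orig, bene = JURISDICTIONS[req.originator], JURISDICTIONS[req.beneficiary]
    orig_local = req.received_utc.astimezone(orig["tz"])
    bene_local = req.received_utc.astimezone(bene["tz"])

    # Hours until someone on the originating side can vouch for this request.
    unattended = (next_business_open(orig_local, req.originator) - orig_local).total_seconds() / 3600
    # Hours until the receiving bank can act on a recall or freeze request.
    recall_delay = (next_business_open(bene_local, req.beneficiary) - bene_local).total_seconds() / 3600

    flags = []
    if orig_local.weekday() in orig["weekend"]:
        flags.append("originator_weekend")
    elif unattended > 0:
        flags.append("originator_outside_hours")
    if unattended > max_unattended_hours:
        flags.append("no_confirmer_available")
    if bene_local.weekday() in bene["weekend"]:
        flags.append("beneficiary_weekend")
    if req.confirmations_sent and not req.confirmation_received:
        flags.append("confirmation_unanswered")

    hold = "confirmation_unanswered" in flags or "no_confirmer_available" in flags
    return {
        "ref": req.ref,
        "hours_until_originator_open": round(unattended, 1),
        "hours_until_beneficiary_open": round(recall_delay, 1),
        "flags": flags,
        "recommendation": "hold" if hold else "release",
    }


def screen(requests):
    """Assess a batch; returns (per-request results, total USD recommended for hold)."""
    results = [assess(r) for r in requests]
    held = sum(r.amount_usd for r, res in zip(requests, results) if res["recommendation"] == "hold")
    return results, held


# Constructed sample modeled on the article's figures: two instructions
# landing on a Bangladesh Friday morning with 35 unanswered queries, and
# one ordinary Tuesday instruction that was confirmed.
FRIDAY = datetime(2016, 2, 5, 3, 0, tzinfo=timezone.utc)    # 09:00 Friday in Dhaka
TUESDAY = datetime(2016, 2, 9, 5, 0, tzinfo=timezone.utc)   # 11:00 Tuesday in Dhaka
SAMPLE = [
    WireRequest("REQ-1", 81_000_000, FRIDAY, "BD", "PH", confirmations_sent=35),
    WireRequest("REQ-2", 20_000_000, FRIDAY, "BD", "LK", confirmations_sent=35),
    WireRequest("REQ-3", 5_000_000, TUESDAY, "BD", "US", confirmations_sent=1, confirmation_received=True),
]

if __name__ == "__main__":
    results, held = screen(SAMPLE)
    for res in results:
        print(res)
    print(f"total recommended for hold: ${held:,.0f}")
```

The two Friday instructions come back with a 48-hour window in which nobody in Dhaka can answer a query, and are held; the confirmed Tuesday instruction is released. A production version would replace the fixed offsets with a time-zone database and add bank-holiday calendars, since a holiday opens exactly the same unattended window as a weekend.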

The reason you need to continually evaluate risk is that risks change. They change because the bad guys change their approaches to getting your money. Whether those bad guys are inside your organization or outside it, you need to evolve your risk assessments and risk management as new risks arise.


© Thomas R. Fox, 2016