Fincrime Briefing: Deutsche Bank files SAR on itself, video game ‘Counter-Strike’ taken over by fraudsters, investors sue Danske Bank in wake of laundering scandal, and more

By Brian Monroe
bmonroe@acfcs.org
November 4, 2019

Quote of the Day: “Imagine if you had baseball cards that showed all the performance stats for your people: batting averages, home runs, errors, ERAs, win/loss records. You could see what they did well and poorly and call on the right people to play the right positions in a very transparent way.” – Ray Dalio

In today’s ACFCS Fincrime Briefing, Deutsche is a house divided against itself, files SAR on Russian-tinged real estate deal, popular video game “Counter-Strike” infested with fraudsters trying to launder money, irate investors sue Danske Bank as stock prices plummet due to mushrooming money laundering scandal, and more. 

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member. 

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content! 

COMPLIANCE

In rare move, Deutsche Bank U.S. operations files SAR on itself tied to Russian-linked real estate deal pushed by executives in Germany 

Deutsche Bank was already under federal investigation for helping wealthy Russians launder money when it struck a deal last year to sell a property it co-owned in California, leading to a clash between U.S.-based officials worried about additional financial crime compliance scrutiny by authorities and German executives who wanted to make a deal.

The $72 million sale of an office complex might not have been notable, except for one thing: The purchaser was linked to the son of a former top Kremlin official.

The German bank was facing multiple money laundering investigations as well as political scrutiny over its ties to President Trump. 

Against that backdrop, bank executives in the United States raised objections about the proposed transaction, warning that while not illegal, it could further damage the bank’s reputation. Executives in the bank’s Frankfurt headquarters decided to go forward with it anyway.

After the sale went through, Deutsche Bank officials in the United States took the rare step of contacting the federal watchdog that polices financial crimes to report the bank’s own transaction as suspicious, according to three people briefed on the matter who were not authorized to speak publicly.

So-called suspicious activity reports are common — banks file thousands of them a year to flag potentially troubling money transfers and other transactions to the government. But they generally involve activities conducted by banks’ customers or even their customers’ customers – not the banks themselves.

Deutsche Bank recently contacted regulators in the United States and overseas to explain the Menlo Park transaction, the three people said.

An investment fund run by the bank’s asset-management division bought a 50 percent stake in the low-slung office complex on Willow Road in Menlo Park in 2016. (The other half was owned by Embarcadero Capital Partners, a real estate firm.) 

Deutsche Bank at the time heralded the site’s proximity to Palo Alto and Stanford University as key selling points.

The Deutsche Bank investment fund agreed to sell the office complex to a limited liability company called Willow Project, the people said. 

Some bank officials worried about the problematic appearance of doing business with a company they believed was owned by Vitaly Yusufov, the son of the former energy minister under President Vladimir V. Putin of Russia.

A committee of Deutsche Bank executives in New York tried to block the transaction, citing the potential damage it could inflict on the bank’s reputation, according to the people. The decision was appealed to Europe, where another committee gave the green light.

Later, bank officials in the United States filed a suspicious activity report about the transaction to the Treasury Department’s Financial Crimes Enforcement Network, the country’s financial intelligence unit, which houses a database of millions of anti-money laundering filings by banks and other entities considered financial institutions and subject to compliance rules, (via the New York Times).

Monroe’s Musings: This story surprised me because Deutsche bank over the last decade has paid billions of dollars in penalties for a broad array of financial crime and compliance failings, including tied to AML and corruption weaknesses, toxic mortgage-backed securities, tax issues, manipulating benchmark interest rates and others. 

However, one of the most high-profile penalties came in 2015, with the Russian “mirror trades” scandal, eventually agreeing to pay more than $600 million in fines tied to $10 billion in sham Russian mirror trades potentially helping individuals launder money out of the iron curtain. 

So I would have expected any deals with a Russian connection, particularly one with a politically-exposed person (PEP), would have been given more attention by Deutsche Bank headquarters – all the more after U.S. teams raised questions and expressed fears about how regulators and investigators may see the riskier real estate deal. 

FRAUD

Valve: ‘Worldwide fraud networks’ have taken over ‘Counter-Strike’ game as money laundering tool 

In a missive that has sent shockwaves from the video gaming, law enforcement and financial crime compliance communities, game-making behemoth Valve said virtually all in-game micropayments were actually found to be “fraud-sourced,” making the popular video game the latest to fall victim to cyber criminals.

The video game Counter-Strike: Global Offensive pits players against each other in a world of bomb-making and hostage-taking. And until this week, the game was host to a real-life crime ring: virtually all in-game micropayments were being used to launder money.

Normally, Counter-Strike players can buy what are known as in-game keys to open boxes full of supplies. The game lets players trade items, leading to an online market for rare keys. But that virtual market has been flooded by frauds trying to move dirty money, gamemaker Valve said.

“Worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains,” Valve announced in an update this week.

Counter-Strike has a long and rich history for hardcore gamers. 

Twenty years ago, the game started as a humble Half-Life mod that changed the gaming world. Half-Life, a first-person shooter itself decades old about a lone scientist fighting creates from another dimension that have infiltrated his facility, has been named by PC media gaming outlets as the best computer video game ever created. 

“Constantly evolving and shifting over the years, Counter-Strike has never lost its fundamentals: it’s easy to learn, takes a lifetime to master, and is supported by a massive global community,” Valve said in June when getting wistful about the game’s 20-year anniversary. 

And like a playground bully hogging the kickball, these crime rings have gone and ruined key-trading privileges for everyone.

“Nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced,” Valve said. “As a result we have decided that newly purchased keys will not be tradeable or marketable.”

In-game microtransactions have been a running headache for everyone from game manufacturers to regulators to concerned parents who liken them to gambling. 

A whole genre of YouTube tutorials promises big winnings to players who participate in online marketplaces for in-game items, sometimes resulting in scams. 

The Federal Trade Commission previously fined two popular YouTubers who encouraged viewers to sell items through the website CSGO [Counter-Strike: Global Offensive] Lotto. The YouTubers were secretly investors in the site.

The wildly popular game Fortnite is also ripe for fraud, a January report found. Cyber-criminals allegedly stole credit cards, then used them to buy in-game money, which they sold at a discount on the dark web. The game could also be used to scam money from unsuspecting players. 

One popular scam promised cheap in-game money in an attempt to learn players’ credit card details. Fortnite’s large audience with children meant an ocean of easy targets, Slate noted at the time.

Sometimes the schemes transcend simple credit card theft. Games like World of Warcraft are notorious for “gold farming,” a dubious industry in which players put in long hours earning in-game money, then sell it for real money to wealthier players who want to save time. The practice is especially popular in China, (via The Daily Beast).

Monroe’s Musings: Borrowing some thoughts I did on a prior piece on the same subject around money laundering in virtual worlds and the intersection of real world financial crime compliance departments. 

This story is a further reminder that criminals will flock to any and all opportunities to monetize and legitimize their digital hauls of credit and debit card numbers, whether they are low level opportunists, large, sophisticated organized criminal networks or a hacker collective looking to enrich their coffers. 

This also reminds me of several stories I have written, one going back more than a decade from now (wow! I have been writing on these topics a while) on groups laundering money through World of Warcraft, Second Life and Entropia Universe.

The compliance takeaway: AML investigators should be aware of any video game where users can quickly and easily purchase virtual in-game items with real money. 

So if, all of a sudden, a bank notices a surge in credit and debit card accounts tied to Counter-Strike loot keys or Fortnite V-bucks, it might behoove the institution to see if the accountholder – such as a still-spry retired spinster – is really that excited about purchasing a Christmas-themed parachute. Hint: she is not. She is crocheting.

MONEY LAUNDERING

Danske Bank’s $234 billion money-laundering scandal results in institution losing nearly $13 billion in value, with irate investors seeking more than $750 million in lawsuits

In a series of successive disclosures over the past few years, Danske Bank, Denmark’s largest bank, admitted to a massive money-laundering scandal involving Danske’s branch in Estonia and causing CEO Thomas Borgen and other top executives to resign, with tangible reputational tendrils in the form of plummeting stock prices. 

These disclosures resulted in stock price declines that have wiped out nearly $13 billion in market capital, in less than a year dropping from more than $10 a share to $6.41 a share. The price is currently hovering at just more than $7 a share. 

Not surprisingly, the case has spawned lawsuits for investors all over the world who have seen the reputation and market value of Danske Bank sink. 

Grant & Eisenhofer has been following the emerging story of Danske’s money laundering and continues to investigate avenues for investors to recover their losses under Danish law.

In February 2018, credible news reports revealed that the bank’s top management had been part of a four-year-long cover-up of large-scale money laundering of illicit funds from Russia at the bank’s Estonian branch, which was first reported to management in December 2013 and then confirmed by the bank’s own internal audit committee in February 2014. 

In July 2018, Danske and several investigative news outlets reported that the money laundering concerned at least $8 billion from which Danske had profited to the tune of more than $200m. 

In early September 2018, Danske disclosed that the scope of illegal money laundering through Danske’s channels was closer to $150 billion – just weeks later finally revealing that it actually involved a staggering $234 billion, nearly a 30-fold increase over the already-shocking amount initially reported.

On the same day, Danske released a report of a year-long independent investigation ordered by the bank’s board of directors. 

The report erases any doubt that the bank’s anti-money laundering (AML) procedures “were manifestly insufficient and in breach of international standards as well as Estonian law” and that the bank ignored that its non-resident customers were “categorized as high risk.” 

The report also unambiguously states that by no later than early 2014 management knew of the problem – and that its internal controls had been manifestly inadequate – but failed to disclose it to banking regulators in Estonia and Denmark – let alone to its investors.

In March, investors filed the first civil damages claims against Danske for more than $450 million on behalf of 169 institutional investors in the City Court of Copenhagen, Denmark, with a second wave pushing the figure to nearly double the original. 

Just a month later in April 2019, the Danish Business Authority announced that it has reported Danske’s auditor, Ernst & Young (E&Y), to the police. 

In connection with E&Y’s audit of Danske’s annual and consolidated financial statements for 2014, E&Y reportedly became aware of information that should have led it to carry out further investigations and notify the Money Laundering Secretariat, both of which it failed to do. 

A second filing of damages claims is being prepared against Danske on behalf of additional institutional investors, and claims against E&Y are also being investigated, with investors seeking a figure totaling more than $1 billion, (via the Local Government Chronicle). 

Monroe’s Musings: This story should be read by financial crime and compliance professionals in Denmark, the Baltic and Nordic regions and, of course, Europe and the U.S. as a reason why AML controls are vitally important to an institution. 

The scandal, which as this piece accurately recounted, has spiraled from an initial estimate of in the hundreds of millions of dollars to the hundreds of billions of dollars, a gross initial miscalculation revealing the depth of fincrime compliance gaps. 

The soaring illicit financial figure has resulted in a bevy of aftershocks that are causing the bank, investors, auditors, regulators and investigators in multiple jurisdictions, including in Denmark, Europe, the United States and others, to quake – and with good reason.

The scandal has wiped billions of dollars in value from the bank, and that is not even including the cost of internal AML investigations, remediations, consultant fees and retooling and upgrade systems, procedures and resources. 

In short, when an executive or budget bean counter tries to challenge a fincrime compliance professional on their assertions, conclusions or reticence to bank certain customers or transact in certain regions, the AML officer can simply and powerfully say: “This is why we comply.”  

CYBERSECURITY

Italian banking giant UniCredit has uncovered a data breach involving the personal records of some three million domestic clients, just the latest in a string of cybersecurity failures at Italy’s largest bank in recent years

In a short missive, the UniCredit last week stated it “identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter.” 

The records included customer names, cities, telephone numbers and email addresses. 

Officially founded in 1870, UniCredit is Italy’s biggest banking and financial services companies and one of the leading European commercial banks with more than 8,500 branches across 17 countries.

The bank is quick to point out it could have been much worse. 

“Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” the bank said in a statement, adding that UniCredit quickly launched an internal probe and has informed the relevant authorities, including the police, which are doing their own investigation. 

This is also not UniCredit’s first rodeo with hackers, with the bank being punctured several times in recent years to the tune of hundreds of thousands of customers. 

Digital brigands victimized the bank at least twice previously with successful hack attacks in 2016 and 2017, capturing key details related to some 400,000 Italian clients.

Those attacks had been carried out via an external commercial partner which UniCredit did not identify, the bank said at the time, according to Reuters. 

The bank is attempting to minimize the collateral damage of the latest breach by contacting potentially affected persons by post and online banking notifications, it said in a statement.  

“Customer data safety and security is UniCredit’s top priority,” according to the statement, noting that the institution engaged in a broad cybersecurity upgrade in 2016, and has since invested more than 2.4 billion euros in upgrading and strengthening its information technology systems. 

More recently, in June 2019, the banking group implemented a more stringent customer identification process for accessing its web and mobile services, as well as allowing users to engage in certain payment transactions. 

This new process required a onetime password or biometric identification, which UniCredit believes further reinforced its “strong security and client protection” initiatives, (via UniCredit).

Monroe’s Musings: Hackers have gotten more creative and aggressive, meaning there are more risks than ever for banks to suffer data breaches, have accounts hacked, have bank staff fall prey to phishing, spear phishing and business email compromise attacks and have their entire organization crippled and held hostage by a ransomware fusillade.

As is the case, though, for many institutions, the hack wasn’t a direct fault of their own, but resulted from a failure by a closely-related third party. 

In the AML context, banks in recent years have started to ask operations like third-party payment processors and other groups they work with that are not subject to financial crime compliance rules to voluntarily take on certain AML duties to lower the risk of criminals, launderers and fraudsters from getting in and gaming the system. 

Similarly in the cybersecurity context, large banking groups should be querying vendors, third parties and other groups with access to customer data about their cybersecurity protocols – including cyber defense, resilience and recovery plans – to better risk assess if these operations need to bolster any vulnerable virtual vaults before the hackers find them.