Fincrime Briefing: Embattled Estonia tops new AML index, CipherTrace tackles FATF crypto ‘travel rule,’ and more

By Brian Monroe
bmonroe@acfcs.org
August 26, 2019

Quote of the Day: “Believe you can and you’re halfway there.” – Theodore Roosevelt

In today’s ACFCS Fincrime Briefing, in an ignoble irony, Estonia is crowned king of an annual AML index, CipherTrace offers an architectural lesson on how to potentially comply with FATF’s crypto “Travel Rule,” SEC fines Deutsche Bank $16 million for “referral hire” graft failings, and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

Compliance

Estonia, at epicenter of EU money laundering scandals, ranked country least likely to launder money: AML index

A new report grading countries for perceived financial crime proclivities, in an ironic twist showing the inherent challenges of creating such rankings, has crowned Estonia the global champ – a region at the center of a money laundering scandal roiling Europe to the tune of hundreds of billions of dollars.

Overall, the eighth edition of the Basel AML Index, released this month, scrutinized and categorized 125 countries, noting some broad trends revealing the duality of countries seemingly on the cleaner end of the spectrum along with highlighting the persistent gap in many regions between technical compliance, laws on the books, and effectiveness, such as assets forfeited and large, complex cases crushed.

Even as many countries incrementally improved counter-crime regimes, globally, “ineffective anti-money laundering and counter financing of terrorism (AML/CFT) systems and lack of transparency are leaving the door open to increasingly sophisticated money laundering schemes,” according to the group.

More countries “showed slight improvements in their risk scores in 2019 than last year, but there have been no substantial changes indicating significant progress in tackling ML/TF,” the group said.

“This confirms the general trend visible over the eight years since the Basel AML Index was first calculated: most countries are slow to improve their resilience against ML/TF risks,” according to the group.

High scores, based on a 10-point scale, indicate a country is more vulnerable to money laundering. Nearly 30 percent of the countries have higher ratings than they did in 2018, the study found, but by a very slim margin.  

Estonia, Finland, New Zealand, Macedonia and Sweden have the best scores on the latest index, with some helped by a greater weighting toward effectiveness by global AML standard-bearer, the Paris-based Financial Action Task Force (FATF).

FATF updated its country evaluations in 2013 to factor in more concrete counter-crime laws in action. Some were also helped by FATF not yet reviewing their regions for effectiveness – which can drag down formerly gleaming scores considerably.

But the index also reveals that those positive scores can be deceiving.

Denmark in late 2018 stated it plans to strengthen its financial regulator to make it better able to fight money laundering, as the country’s largest bank, Danske Bank is embroiled in a major scandal. 

The scandal involves some 200 billion euros ($230 billion) in payments through Danske’s Estonian branch between 2007 and 2015, many of which the bank said in a prior report it thinks are suspicious.

The scandal has led the bank’s former chief executive Thomas Borgen to resign and almost halved Danske Bank share price since February, along with authorities in Denmark essentially kicking the bank out of the country.

Other banks, including Swedbank, have been dragged into the mire, with bank controls, regulators and even EU authorities getting their feet held to the collective fire.

The AML index is cognizant of these developments and reviewers are hedging their bets Estonia may not hold the crown for long, particularly when FATF reviews the country through the lens of effectiveness.

The country’s overall risk score of 2.68 out of 10 “may worsen when Estonia is re-assessed according to the FATF fourth-round methodology focusing on the effectiveness of AML/CFT measures and not only technical compliance.”

“Not only is it common for countries to obtain poorer scores when assessed with the latest methodology, but Estonia has been subject to recent criticism of its effectiveness in preventing [money laundering],” the group stated.  

“It is important to note that the data does not reflect the risk of Estonia’s geographic proximity to Russia and the issues that may be associated with this,” the index stated in its analysis. “Estonia has been labelled as one of the first ports of entry for Russian money launderers wishing to gain access to the European financial market.”

The worst countries for money laundering risk this year were Mozambique, Laos, Myanmar, Afghanistan and Liberia, according to the index, though some perennial bottom dwellers have not made the list in recent years, including Iran and North Korea.  

In the 2018 rank, Tajikistan was the top country for money-laundering risk, according to the index, followed by Mozambique, Afghanistan, Laos and Guinea Bissau. The lowest-risk countries, according to the index, last year were similar to the current year: Finland, Estonia, Lithuania, New Zealand and Macedonia. 

The most concerning aspect of the report, according to the institute, is that countries aren’t enforcing the laws they have on the books to fight money laundering.

For instance, Colombia, Latvia, Finland, China and Lithuania “fell significantly in this year’s Basel AML Index rankings due to poor assessments of the effectiveness of their AML/CFT systems by global money laundering watchdog, the Financial Action Task Force,” according to the group.

Interestingly, the index also noted that “compliance and effectiveness often do not go hand in hand,” with some countries good and creating laws, but doing little after that.  

“Vanuatu’s AML/CFT system, for example, scores highly for technical compliance but zero percent for effectiveness,” according to the group.

 “Governments who are really serious about combating financial crime should get in the driver’s seat and start fixing the weaknesses that FATF assessments reveal,” said Gretta Fenner, Managing Director of the Basel Institute on Governance, in a statement.

“Countries benefit far more from being seen as a trustworthy, low-risk location for investment than by letting the dirty money of criminals flow through the loopholes,” (via the Basel AML Index.)

Cryptocurrency

CipherTrace tackles impending FATF crypto ‘travel rule’ obligations with Travel Rule Information Sharing Architecture whitepaper

Several powerful regulatory and economic bodies have issued guidelines, guidance and statements in recent months that could fundamentally change the nature of crypto transactions and how virtual currency exchanges and other related entities share information on users with each other in a bid to counter financial crime, with CipherTrace answering the call for compliance.

At the forefront of this change is global anti-money laundering (AML) watchdog, the Paris-based Financial Action Task Force (FATF), which in June updated guidance that includes a “Funds Travel Rule,” for crypto exchanges, which it calls virtual asset service providers (VASPs).

To foster compliance with the upcoming obligations tied to the travel rule, CipherTrace has issued a whitepaper offering a potential solution in the form of a Travel Rule Information Sharing Architecture, or TRISA.

The ultimate goal of the TRISA is to “enable compliance with the FATF and FinCEN Travel Rules for transaction identity information without modifying the core blockchain and cryptocurrency protocols,” according to the whitepaper.

“Trying to modify the protocols is bound to fail, as there are many different protocols, and forcing hard forks is simply not feasible,” the whitepaper stated. “A better option involves creating a separate out-of-band mechanism to augment existing blockchains and cryptocurrencies for compliance purposes.”

This whitepaper describes a “peer-to-peer mechanism for VASPs to comply with the respective Funds Travel Rule for transaction identification exchange between originators and beneficiaries,” according to the document.

The new FATF requirement mimics so-called Travel Rules that have for years required financial institutions to share sender and beneficiary information when executing bank wire transfers and SWIFT electronic funds transfers, but come with technical tethers aplenty when attempting to graft the same dynamic for crypto transactions.

In short, the new rule requires VASPs to share and store sender (originator) and receiver (beneficiary) information related to cryptocurrency transactions.

Just a month prior to FATF’s seminal June crypto guidance, in May 2019, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) further clarified its guidance to categorize certain VASPs as money service business (MSBs), which means they must now comply with the long-standing Funds Travel Rule under the Bank Secrecy Act (BSA).

The recent FinCEN guidance detailed some of the more arcane areas of crypto compliance, including person-to-person, or P2P, exchanges and what actions and scenarios trip AML rules. In short, if a person exchanges crypto funds to fiat and bank for others and as a business, they are a crypto exchanger and thus must craft a full AML program.

The FinCEN crypto guidance was an update to its historic March 2013 guidance that provided clarity and regulatory certainty for businesses and individuals in the cryptocurrency space.

In its 2013 guidance, FinCEN created and identified three classifications for those engaged in creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies: “users,” “exchangers,” and “administrators.”

Users typically are not subject to AML rules, while exchangers are, with administrators being caught depending on their structures, actions and ability to move value geographically.

As a point of context, the moves by FATF, FinCEN and other watchdog groups come as crypto crime soars into the billions of dollars and global investigators identify and cripple the major money laundering hubs at the nexus of the real and virtual worlds.

In recent years federal law enforcement agencies in the U.S. and other countries have taken down the world’s largest darknet markets, the related exchanges and more recently, crypto tumbling services – operations that attempt to anonymize crypto transactions for a price.

Further cementing that crypto travel information travails are on the horizon is that at the close of their summit held in Osaka, Japan on June 29, finance ministers and central bankers of the G20 economic bloc formally announced their support for FATF’s updated virtual guidelines, including the Travel Rule.

But that requirement comes with inherent technical, privacy and cost challenges.

Subsequently, a “number of major voices in the crypto economy have complained that the new rule is not only impractical given current blockchain technology but also antithetical to the pseudo-anonymous nature of cryptocurrencies,” according to CipherTrace.

“Developing a solution that will help VASPs to overcome this compliance challenge presents major technical obstacles,” according to CipherTrace. “For example, trying to modify the existing blockchain protocols is bound to fail, as there are many different protocols, and forcing hard forks is simply not feasible.”

TRISA applies, according to CipherTrace, the “trusted Public Key Infrastructure (PKI) to identify and verify VASPs reliably. It is similar to the way clients and servers establish trusted communication on the web and other internet applications.”

The certificate authority (CA) is the “cornerstone” of trust for PKI, by “issuing trusted digital certificates and managing, distributing, and revoking these certificates,” CipherTrace stated.

“The CA issues digital certificates that identify the entity associated with a given pubic key to ensure users are confidently working with the said entity and not a fraudster posing as the entity,” according to the paper. “PKI is the key to trusted information sharing,” (via CipherTrace). To read the full CipherTrace TRISA whitepaper, click here.

Monroe’s Musings: Many pundits, prognosticators and soothsayers have said the end of the Wild West period for crypto coins is nigh, which may or may not be a bad thing.

The rollicking sector, as has been shown in recent years, can be abused by criminals of all stripes, just as it opens the door to moving value around the world quickly, cheaply and securely.

Regardless of where you stand on the issue – for or against crypto, the wave of the future of value or merely Monopoly money – there are two very large trains on a collision course.

Fincrime compliance is coming to crypto in a big way and it appears the sector is going to have to come together to figure it out – or see some countries cracking down on crypto exchanges that don’t, can’t or aren’t falling in line with where FATF believes they need to be.

Enforcement

Australia’s financial regulator plans to get tough on big banks on when it comes to money laundering

Australia’s big banks will face potential penalties within the next six months for breaching money laundering laws, Australia’s financial intelligence agency head said on Tuesday.

Austrac Chief Executive Nicole Rose said banks have stepped up self-reporting of breaches to the agency by 70 percent since it launched civil action against Commonwealth Bank of Australia two years ago.

“I can say that we will have more enforcement action in the next six months – warnings all the way through to civil penalty – because of the increased intelligence that we’ve been receiving. There will be appropriate action,” Rose said in an interview on Australian Broadcasting Corp radio.

CBA was lumped with an additional A$1 billion capital requirement in 2018 after it was accused of thousands of breaches, mostly for late filing of transaction reports.

The rest of Australia’s Big Four – Westpac Banking Corp, Australia and New Zealand Banking Group Ltd and National Australia Bank Ltd – were required to set aside an additional A$500 million each the following year.

Australia’s casinos have also been in the frame for some time for potential breaches of anti-money laundering and countering terrorism financing laws, with AUSTRAC looking since last year at the risks around casino junkets, she said.

Those probes were not specifically related to recent media reports claiming that Crown Resorts hired travel agents with ties to drug traffickers to bring Chinese gamblers into Australia and knowingly laundered money at its casinos, Rose said, (via Reuters).

Monroe’s Musings: For more than a decade, the U.S. has been the global leader in aggressive AML and sanctions enforcement at banks, with historic actions against HSBC and BNP Paribas hitting figures of nearly $2 billion and $9 billion.

These were statement-making figures meant to shock the industry into compliance. Even more so when you realize the related remediation costs can be many times the actual penalty.

But it is only recently, in the last few years and as a result of embarrassing banking, compliance and money laundering scandals that other jurisdictions are starting to take the lead in being more aggressive in terms of AML oversight, enforcement actions and monetary penalties, including the EU, U.K., Canada – and finally, Australia.

What does this mean for large global banks? In one word: enterprise. Yes, you have had this term before, but now it has to be implemented across an entire banking institution and across boundaries. Enterprisewide compliance. Just as strong in one region as another. No weak links.

Get ready. Look for your pockets of non-compliance now, or the examiners in Australia, or Europe, may find them first.   

Corruption

SEC penalizes embattled Deutsche Bank more than $16 million to settle graft failings tied to China, Russia ‘referral hires’ – third bank to fall

The Securities and Exchange Commission (SEC) has penalized Deutsche Bank AG more than $16 million to settle charges that it violated the U.S. Foreign Corrupt Practices Act (FCPA) by hiring relatives of foreign government officials in order to improperly influence them in connection with investment banking business.

According to the SEC’s order, Deutsche Bank employees hired relatives at the request of foreign officials in both the Asia-Pacific region and Russia to obtain or retain business or other benefits, just the latest household name bank to engage in a “princelings” scandal in a bid to bolster profits.  

These “Referral Hires” bypassed Deutsche Bank’s highly competitive and merit-based hiring process and were often less qualified than applicants hired through the bank’s formal hiring process.

“Between at least 2006 and 2014, Deutsche Bank provided valuable employment to the relatives of foreign government officials in various parts of the world as a personal benefit to the officials in order to improperly influence them to assist the bank in obtaining or retaining business or other benefits,” according to the SEC.

The hires happened even though since at least 2009, Deutsche Bank’s Global Anti-Corruption Policy “prohibited employees from providing ‘anything of value’ to a government official to gain an improper business advantage,” though the SEC admits the policy was weakly enforced and policed.

“From the outset, the primary goal of Referral Hiring was to generate business for Deutsche Bank by extending personal favors to clients, including government officials, through hiring their relatives,” the SEC stated in the action.  

For example, “during the time Deutsche Bank was working to obtain an IPO from a Chinese client, the client’s Chairman asked Deutsche Bank to hire his son. The banker working to obtain the IPO told Deutsche Bank management that if Deutsche Bank hired the Chairman’s son, he believed they would be awarded the business.”

In other instances, when bankers submitted a client referral hire request, management in APAC then “asked what role the parent performed at the SOE to determine if the parent could steer business to the bank and asked the banker to quantify the fees Deutsche Bank could expect to earn from the referring client.”

Similar misconduct took place from 2009 to 2012 in Russia, where Deutsche Bank employees hired relatives at the request of foreign officials in Russia to obtain or retain business or other benefits.

As was the case in APAC, Russian Referral Hires were sometimes unqualified and couldn’t perform the given tasks, no matter how many times they were moved, re-assigned or given chances to learn.  

In some instances, if requested by the candidate or parent, Deutsche Bank’s London-based global management “authorized unqualified Russian Referral Hires to work in London. One Russian Referral Hire performed so poorly in London that he was deemed ‘a liability to the reputation of the program, if not the firm…’ by a London-based human resource employee,” according to the SEC.

In one very overt instance, Deutsche Bank hired “Referral Hire D” at the request of her father, a Deputy Minister at a Russian government entity “from which Deutsche Bank had repeatedly, and unsuccessfully, sought business,” according to the SEC.

Referral Hire D’s father asked Deutsche Bank Russia’s Chief Country Officer (Russia Chief) to hire his daughter to work at a Deutsche Bank office in Moscow, London, or New York in 2009.

“The Russia Chief enthusiastically voiced his support for the hire to his supervisors in London, ‘We must do it! We should have her in London as it is NOT politically correct to have her in Moscow!’ Deutsche Bank hired Referral Hire D as a temporary employee in Moscow with the understanding that she would be given a permanent job with Deutsche Bank in London.”

But the deal from Russia never materialized – that is until the permanent position for “D” came to fruition.

“Referral Hire D’s move to London was approved and approximately 10 days after Referral Hire D was transferred to London, Deutsche Bank received a request for proposal signed by Referral Hire D’s father regarding a €2 billion Eurobond issuance which was the first step to obtain the business,” according to the SEC.

To cover their tracks, Deutsche employees in some cases created falsified books and records that obfuscated the corrupt hiring practices and failed to accurately capture and record certain related expenses, violating internal accounting rules, while also faking some of the qualifications and abilities of the referral hires, (via the SEC).

Monroe’s Musings: Deutsche Bank, which is in the midst of a bevy of financial crime compliance and related probes, is not the only bank to find itself violating the FCPA for similar failings.

In 2016 JPMorgan paid U.S. authorities more than $260 million to resolve charges it hired the children of Chinese officials to capture certain choice banking deals, while Credit Suisse just a few years later paid nearly $80 million to settle a similar probe.

As I mentioned above, until large, international financial institutions can create a “culture of compliance” that is truly enterprisewide, the banks will still have to contend with pockets of non-compliance, particularly in regions known to consider corruption as just another way of doing business.