Fincrime Briefing: Ericsson pays $1 billion on corruption, Deutsche pays $16 million for compliance gaps, Latvia fines bank nearly $2 million on AML, and more

By Brian Monroe
bmonroe@acfcs.org
December 6, 2019

Quote of the Day: “Everyone has inside of him a piece of good news. The good news is that you don’t know how great you can be! How much you can love! What you can accomplish! And what your potential is!” – Anne Frank

In today’s briefing, Ericsson pay $1 billion for longstanding graft in Asia, Middle East, Deutsche reckoning with home country regulator, but more probes ongoing, Latvia gets tough on AML with bank penalty, and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

CORRUPTION

Ericsson pays $1 billion to settle U.S. corruption probe

  • For more than 16 years, Ericsson paid tens of millions of dollars in bribes
  • Company to be monitored, agrees on deferred prosecution deal
  • Company engaged in bribes in Asia, the Middle East

A unit of Ericsson AB pleaded guilty to foreign bribery and the parent company agreed to pay more than $1 billion to resolve a long-running U.S. corruption investigation involving payoffs in Asia and the Middle East, the latest massive penalty spearheaded by U.S. authorities and is the largest ever against a telecommunications firm.

The Stockholm-based company admitted to a years-long campaign of corruption aimed at solidifying its grip on the telecommunications business, U.S. Attorney Geoffrey S. Berman in Manhattan said in announcing the settlement that outlined tens of millions of dollars in illicit payments in five countries.

“Through slush funds, bribes, gifts and graft, Ericsson conducted telecommunications business with the guiding principle that ‘money talks,’” Berman said in a written statement announcing the settlement.

From 2000 to 2016, Ericsson conspired with others to violate the U.S. Foreign Corrupt Practices Act, paying bribes, falsifying books and records and failing to implement reasonable internal accounting controls, the Justice Department said. The company bribed government officials through third-party agents and consultants, it said.

The settlement includes a $520 million criminal penalty imposed by the U.S. Justice Department and a civil payment of about $540 million to the Securities and Exchange Commission. As part of a deferred-prosecution deal, an Egyptian subsidiary of the company pleaded guilty to a conspiracy charge.

The company will add an independent monitor to ensure its compliance with anti-bribery laws as part of the settlement in federal court in New York, which had been expected.

The government, in its settlement announcement after the close of U.S. markets, outlined bribery spanning the globe.

By way of a subsidiary, the company made approximately $2.1 million in bribe payments between 2010 and 2014 to high-ranking government officials in Djibouti to obtain a contract with the state-owned telecommunications company, it said. An Ericsson subsidiary entered into a sham contract and approved fake invoices to conceal the payments, it said.

In China, Ericsson subsidiaries caused tens of millions of dollars to be paid to consultants and service providers over 16 years through 2016, the government said. Some of that went to fund a travel expense account in China that covered gifts, travel and entertainment for foreign officials, it said.

The government outlined $45 million in off-the-book payments to create slush funds to win business in Indonesia, and described other off-the-book schemes in Vietnam and Kuwait aimed at winning business.

Ericsson said 49 individuals who were involved in misconduct have either had their employment terminated or left the company voluntarily.

The $1 billion overall penalty is near the top of foreign-corruption cases and above those assessed against other telecommunications companies. Telia Co. paid $965 million in penalties in 2017 after admitting to paying hundreds of millions of dollars in bribes to a government official in Uzbekistan, (via Bloomberg). To read the full DOJ action, click here.

Monroe’s Musings: This penalty should make many large corporates in the telecommunications, technology, energy and other sectors at risk or bribery – particularly those intersecting regions known for corruption – shudder with fear.

Why? Because this kind of graft goes on all the time. The penalty also makes it clear that the U.S. is not just going to go after low hanging fruit, such as corruption against, say, energy companies in the Americas, which has been a key focal point in recent years.

But what should also not be lost on compliance professionals is that, yet again, the corruption happened through third-parties with little scrutiny and funds came through “slush funds” marked for things like travel and other seemingly innocuous expenses.

If you are a compliance officer at a large risky corporate, there should be no internal or external parties that get to spend money or offer trips and other expensive offerings without oversight from compliance – and in fact, these funds should get approval from compliance before they moved to more far-flung parties who state they are working on the corporate’s behalf.

I have said this before and I will say it again: these large corporates should take some pages out of the compliance manuals of their banking brethren and create programs where all money movements, no matter how small, are tracked, monitored and analyzed – similar to how financial institutions have transaction monitoring systems.

Corporates shouldn’t let cash move – at all. Every person should have some kind of company credit or debit card with limits so that the corporation can track who is doing what and where.

That way, if someone tries to purchase an ostentatious expense – either saying it was for the employee or someone else – that transaction will produce an alert so that potential instances of graft can be nipped in the bid more quickly, without spiraling out of control, going on for more than a decade and resulting in a penalty among the largest ever handed out for corruption failings. 

ENFORCEMENT

Deutsche Bank agrees to pay German authorities €15 million in money laundering probe

Deutsche Bank AG said Friday it agreed to pay €15 million ($16.6 million) in penalties to end a probe into possible money-laundering and tax evasion involving German clients, closing an investigation that featured a high-profile raid of the bank’s Frankfurt headquarters in November 2018.

The bank and the Frankfurt public prosecutor’s office said in statements Friday afternoon that the settlement reflects shortcomings in Deutsche Bank’s compliance and filing of suspicious-activity reports involving German clients connected to offshore accounts from 2015 to 2018.

The Frankfurt prosecutor’s office said it closed its parallel criminal probe into two Deutsche Bank employees without bringing any action against them, citing a lack of evidence. The prosecutor’s office said last year it was investigating whether those and other employees improperly helped clients create offshore entities in tax havens, potentially facilitating money laundering.

The investigation had a “heavy impact” on Deutsche Bank last year, spokesman Joerg Eigendorf said in the bank’s statement. “It is true that the bank had weaknesses in its control environment in the past. We identified these weaknesses and we have addressed them in a disciplined manner.”

The prosecutor’s office praised the lender’s cooperation. It said authorities are still looking into Deutsche Bank’s role in a big money-laundering scandal that has rocked Denmark’s largest bank, Danske Bank. Deutsche Bank also faces other investigations, including in the U.S., into its past business with Danske. The bank has said it terminated its relationship with Danske in 2015 after seeing suspicious activity by its clients, (via KYC360 and the WSJ). To read the full Deutsche Bank release, click here.

Monroe’s Musings: The fine figure this time around for Deutsche bank is surprisingly small, but the action is likely the first of many. Deutsche has struggled with AML compliance in the past and already paid significant penalties in this area.

It has also been linked to high-profile money laundering scandals, including the Danske Bank affair, where the institution’s now-defunct Estonian branch allegedly moved some $230 billion on behalf of risky Russian and foreign entities.

So while one penalty in one jurisdiction may be negotiated and paid, the bank must still negotiate others and remediate and juggle the various enforcement actions, timelines and ongoing international investigations.

It can be done, and other banks have done it, going from compliance pariahs to law enforcement partners.

Some recent examples include HSBC and BNP Paribas, which over the last decade paid billions of dollars for AML and sanctions failings, but now employ many of the greatest minds and thought leaders in compliance structures and government investigations.

It might be wise for Deutsche to strengthen its compliance partnerships with these and other institutions to find the best way to manage its many compliance and reputational challenges to join the ranks of elite banks that are aggressively countering the criminals of today and working on new technologies, training and tactics for the unknown threats of tomorrow. 

LATVIA

Latvia fines Baltic International Bank nearly $2 million over AML compliance failings in ‘disproportionate’ action

Latvia’s financial watchdog said on Friday it had fined Baltic International Bank 1.56 million euros ($1.72 million) for lax anti-money laundering controls in many high-risk areas, including the power brokers behind opaque ownership structures and highlighting and reporting on potentially suspicious transactions.

The Financial and Capital Market Commission (FCMC) said in a statement that a review of the country’s eighth-biggest bank had shown it did not have an adequate control system for the prevention of money laundering and terrorism financing.

The bank, which has mainly been serving non-resident clients but now says it is shifting towards investment banking in the Baltics, will most likely appeal the decision, its chief executive Viktors Bolbats told Reuters.

“Baltic International Bank considers the administrative fine imposed by the FCMC as disproportionate,” a spokeswoman said.

The FCMC, however, detailed a bevy of failures in higher risk flashpoint areas, including beneficial owners, engaging in stronger due diligence for key customers and identify, investigating and reporting on large, aberrant and atypical transactions.

The regulator gave these reasons for the AML penalty:

  •      Beneficial ownership battles: in several cases, the Bank had not taken sufficient measures to make certain that a beneficial owner indicated was the beneficial owner;
  •      Source of funds: in several cases, the Bank had not obtained documentation and had not taken necessary measures to make certain of the origin of financial means in its customer accounts and had not documented conclusions;
  •      Scrimping on scrutiny: the Bank had not ensured appropriate and high-quality enhanced customer due diligence and the documentation of results thereof;
  •      The terminator: the Bank had not duly decided on termination of business relationship with customers;
  •      Short attention span theater: the Bank had not paid sufficient and special attention to untypical large, complex, inter-related transactions with no apparent economic purpose or clear legal purpose, including had not timely obtained documents supporting the economic activities of customers;

It is the latest in a string fines on Latvian banks by the FCMC as Latvia tries to clean up its financial sector after several scandals, including the closure of ABLV last year after U.S. authorities accused it of money laundering.

Latvia will next year undergo a review by Moneyval, the money laundering and terrorism financing monitoring body of the Council of Europe.

Meanwhile, Latvia’s central bank governor Ilmars Rimsevics is accused of bribery in the first corruption trial of a European Central Bank governor, (via Reuters). To read the full FCMC order, click here.

Monroe’s Musings: Latvia, much like Estonia and other Baltic and Nordic regions firmly entrenched in the Danske Bank scandal have had their banks, regulators and overall country reputations heavily tarnished.

Not surprisingly, one of the ways these countries are responding is with having regulators more aggressively scrutinize regional institutions and bring the hammer with statement-making penalties – well, let’s be real here, statement-making in that part of the world.

The United States still holds the crown for the largest AML and sanctions penalties ever handed out, with the current title by BNP Paribas and its $9 billion mostly sanctions action.

In short, these will not be the last you hear from the FCMC, particularly with Moneyval calling. As you all know. Moneyval is the group that examines non-FATF member countries for compliance with the watchdog body’s recommendations.

The pressure is on for Latvia and how it responds will determine its future in the world’s eye as either a playground for criminals and kleptocrats to move and cleanse their funds or, conversely, as a safe and staid country that makes countering financial crime a top priority. 

CYBERSECURITY

Are my passwords on the dark web? How to monitor your data after a breach

By the time a company tells you your data’s been stolen as part of a breach, your login credentials may already be on the dark web, opening the door to identity theft, stolen credit cards and drained bank accounts, and more. Here’s how to keep pace with the hackers.

You usually learn long after a breach that your data’s been stolen, when EquifaxYahoo, or some other company you’ve trusted with your information notifies you that your birthday, social security or credit-card number, health records or some other piece of personal information has been exposed as part of a hack.

With your stolen information, hackers can do everything from making purchases and opening up credit accounts in your name to filing for your tax refunds and making medical claims, all posing as “you.”

And what’s worse, billions of these hacked login credentials are available on the dark web, neatly packaged for hackers to easily download for free.

But after a hack, a couple of monitoring tools can alert you to which of your stolen credentials are out in the wild on the dark web, giving you a running start at limiting the damage the thieves can do.

Here’s how to use two free monitoring tools — Mozilla’s Firefox Monitor and Google’s Password Checkup — to see which see which of your email and passwords are compromised so you can take action, tools that should be used in tandem with a powerful password manager.

How to use Mozilla’s Firefox Monitor  

Mozilla’s free Firefox Monitor service helps you track which of your emails have been part of known data breaches. 

1. To start, head to Firefox Monitor page.

2. Enter an email address and tap Check for Breaches. If the email was part of a known breach since 2007, Monitor will show you which hack it was part of and what else may have been exposed.

3. Below a breach, tap More about this breach to see what steps Mozilla recommends, such as updating your password.

You can also sign up to have Monitor notify you if your email is involved in a future data breach. Monitor scans your email address against those found data breaches and alerts you if you were involved. 

1. On the Firefox Monitor page, tap the Sign up for Alerts button.

2. If you need to, create a Firefox account.

3. Tap Sign in to see a breach summary for your email. 

4. At the bottom of the page, you can add additional email addresses to monitor. Mozilla will then send you an email at each address you add with a subject line “Firefox Monitor found your info in these breaches” when it finds that email address involved in a breach, along with instructions about what to do about following the breach.

How to use Google’s Password Checkup 

As part of its password manager service, Google offers the Password Checkup tool, which monitors usernames and passwords you use to sign into sites outside of Google’s domain and notifies you if those login credentials have been exposed.

1. If you use Google’s password service to keep track of your login credentials in Chrome or Android, head to Google’s password manager site and tap Check passwords.

2. Tap Check passwords again to verify it’s you.

3. Enter the password for your Google account.

4. After thinking for a bit, Google will display any issues it’s found, including compromised, reused and weak passwords.

5. Next to each reused or weak password is a Change password button you can tap to pick a more secure one, (via C|Net).

Monroe’s Musings: This is a very helpful story, particularly now around the holidays when criminals, fraudsters and hackers up their game to steal personal information and monetize them through creating fake identities, running up credit cards or purchasing items on someone else’s dime.

This is also one of the few pieces I have seen that has a nice defensive capability, rather than just how to recover after you or your company has been breached.