Fincrime Briefing: GAO details AML exam gaps for banks banking MSBs, U.S. digs deeper on Deutsche in Danske scandal, 1MDB enforcement update, and more

By Brian Monroe
bmonroe@acfcs.org
December 3, 2019

Quote of the Day: “The first question which the priest and the Levite asked was: ‘If I stop to help this man, what will happen to me?’ But… the good Samaritan reversed the question: ‘If I do not stop to help this man, what will happen to him?’” – Martin Luther King, Jr.

In today’s briefing, U.S. watchdog uncovers lack of AML clarity for regulators reviewing banks banking MSBs, offers solutions, U.S. giving Deutsche more scrutiny tied to Danske scandal, Swiss authorities fine bankers on 1MDB failings, and more. 

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member. 

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content! 

COMPLIANCE

When it comes to gauging bank AML compliance for MSB customers, federal bank examiners need more information to grade when enough is enough: GAO report  

A U.S. government watchdog says there is still a lack of clarity, and therefore an abundance of subjectivity, when federal examiners grade banks on their financial crime compliance oversight of money services business customers – a dynamic that has led to friction, unwanted enforcement scrutiny and even wholesale de-risking of remitter clients by institutions. 

Those are just some of the findings from a Government Accountability Office (GAO) report that weighs in on one of the great debates in the anti-money laundering (AML) space: for bank compliance teams with money services business (MSB) accounts, how much compliance is enough to keep examiners happy? 

“Some federal bank examiners were unclear about how much due diligence they should expect from banks’ site visits and reviews of their money transmitter customers,” according to the report, adding that the agency is recommending banking regulators “update examination procedures, provide examiner training, or take other steps to improve evaluation of banks’ compliance.”

As anyone on the bank, money remitter or regulator side can tell you, the answer has changed over time, sliding back and forth depending on the size of the MSB, the compliance resources at the bank, the mood of the examiner or, well, which way the wind was blowing that day – or that is how it has felt for many money remitters that have had their accounts dropped by banks with little warning and scant explanation. 

The report includes some interesting recommendations for regulators, including that they consider creating more guidance, and potentially bright-line boundaries, around what banks have to do to successfully bank a wide array of MSBs without fear of examiner reprisal, a move that could come in the form of an update to the interagency AML manual. 

Steps may also include “providing updates to examination procedures, examiner training, or a combination of methods,” according to GAO.  

This report examines, among other issues: 

  • Datamining derisking: The extent to which banks are terminating or limiting services for money transmitters. 
  • What is enough: Challenges in assessing banks’ BSA/AML compliance related to money transmitters.
  • Examiner accountability: What have been regulators’ actions and responses to address MSB derisking concerns and bank fears that even having such clients will result in a more painful and stringent AML exam.

GAO is making a total of four recommendations to the federal banking regulators – including the U.S. Treasury’s Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corp. and National Credit Union Administration – that each regulator “improve examiners’ ability to evaluate banks’ BSA/AML compliance as applied to money transmitter accounts.” 

The federal banking regulators agreed with GAO’s recommendations and are in various stages of implementation and analysis, with a recently formed working group, created to help examiners better risk-assess their own exam procedures, potentially tackling the de-risking problem as well. 

GAO also reiterates its recommendation that the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and the federal banking regulators conduct a retrospective review of BSA regulations and their implementation (via GAO).

Monroe’s Musings: The report also touches on one of the most oft-heard frustrations for MSBs, a product of the nebulous requirements around what banks have to do to bank them: the rising specter of de-risking. 

At issue is that when a bank decides to drop wholesale, say, a remittance firm that deals with certain countries, or that may even be the main financial conduit into a risky country, hundreds of thousands, even millions, of individuals lose a monetary lifeline because of actual or perceived financial crime or terror finance risks. 

In tandem, desperate, de-banked and de-risked populations may be forced to turn to illicit channels to move money, filling the coffers of organized criminal groups and feeding their money laundering machinations, while at the same time removing oversight of those transactions and closing a vital portal for financial intelligence for law enforcement.

MONEY LAUNDERING

U.S. digs deeper into Deutsche role in Danske money laundering scandal – sources

The U.S. Department of Justice has in recent weeks stepped up its investigation into Deutsche Bank’s role in the 200 billion euro ($220 billion) Danske Bank money laundering scandal, opening the door to hefty penalties from regulators in multiple jurisdictions, four people familiar with the inquiry told Reuters.

One source said the Department of Justice’s (DoJ’s) new line of inquiry is whether Deutsche helped move tainted money from Danske, Denmark’s largest lender, into the United States. If proven, that could lead to steep financial penalties – figures further magnified by double, triple or more when factoring in related, expected and expensive compliance remediation engagements.

Officials from the DoJ, who have been working closely with Estonian prosecutors for around a year, have also begun cooperating with Frankfurt state prosecutors in an investigation expected to wrap up next year, the sources said.

Danske’s admission last year that suspicious payments totaling 200 billion euros from Russia and elsewhere flowed through its branch in Estonia has triggered worldwide probes.

The bulk of these payments were processed by Deutsche, sources have previously told Reuters.

Although the Justice Department requested information from Deutsche last year relating to Danske transactions, at the time its executives believed that the investigation was focused on Danske and that the German bank itself was not a target.

However, Deutsche officials were made aware in recent months that the scope of the DoJ probe had broadened to the bank’s role in facilitating the Danske trades and its possible failure to report suspicious transactions quickly enough, one of the people said.

Deutsche has already paid nearly $700 million in fines to New York and British regulators in a separate money laundering case involving $10 billion in so-called mirror trades from Russia, which the DoJ is still investigating.

FOLLOWING THE MONEY

U.S. investigators have spoken to current and former Deutsche compliance staff in the U.S. who raised concerns over possible suspect transactions with supervisors but were ignored, two people said, adding that some involved Danske.

Estonian prosecutors are sharing their findings on Danske, hoping they will share in the proceeds in the event of U.S. fines, four people said.

One source said Estonian prosecutors are examining more than ten transactions involving up to $2 billion of suspect criminal funds in total. Reuters could not ascertain the details of those deals.

Deutsche alerted Germany’s money laundering data authority and state prosecutors in February to more than one million suspect money transfers, two people said, five years after a whistleblower raised the alarm at Danske.

Washington and Frankfurt are now asking what led to the delay and whether there were lapses, since some of the contested money transfers that compliance staff had singled out earlier are among those Deutsche later flagged, two people said.

Frankfurt prosecutors have also questioned Sylvie Matherat, Deutsche’s former top official in charge of anti-money laundering and the highest ranking of ten Deutsche bankers and executives they have interviewed.

Matherat, who left Deutsche this year, and the others were interviewed as witnesses whose first-hand knowledge is being drawn on to form an overall picture, the person said, (via Reuters).

Monroe’s Musings: If what these unnamed individuals and investigators in multiple jurisdictions are saying is true – that Deutsche was the main conduit for Danske’s tainted billions – this is going to make for a very difficult 2020 for the German banking behemoth, and put intense pressure on the AML compliance function. 

This friction between regulators, investigators and Deutsche could further inflame if, during the interviews with current or former compliance professionals, those individuals say that they desperately tried to identify the problems and make adequate changes, but senior executives willfully ignored their protestations and overruled them in the name of profits and revenue targets. 

Deutsche has its compliance work for next year cut out for it to both take a cold, hard look in the mirror to get at the root of the problem, and remediate the issues while bringing the AML function up to international standards – moves that will be heavily scrutinized by regulators and investigators in Germany, the United States and likely key powerbrokers in Europe as well. 

As for potential AML penalties against Deutsche, the bank has already paid in the hundreds of millions of dollars for compliance control failures. Banks in similar egregious fincrime failures tied to money laundering have paid individually nearly $2 billion and, tied to sanctions, one institution paid a record $9 billion. 

What’s worse, that is actually the smaller of the costs associated with AML failures. 

The costs related to a broad AML compliance remediation can, in some cases, according to conversations with multiple consultants who have done this work, push the final financial tally to 10 times the original penalty figure. So any AML compliance investment now to bolster technology, teams and resources would be money well spent indeed. 

INDIVIDUAL LIABILITY

In rare enforcement action against individuals, Swiss bankers fined over dealings tied to 1MDB scandal

Two bankers who worked at Coutts private bank in Zurich were fined by the Swiss authorities for failing to report suspicious transactions linked to the 1MDB sovereign wealth fund scandal, according to a just-released report. 

The Sonntag Zeitung and Le Matin Dimanche newspapers reported on Sunday that two Coutts bankers who had dealt with Jho Low, the Malaysian financier allegedly at the heart of the 1Malaysia Development Berhad (1MDB) scandal, were fined by the Federal Department of Finance in September. 

A risk control manager at Coutts received a CHF13,000 ($13,000) fine for negligence, while an anti-money laundering manager has appealed against his fine, the papers said. The two managers have left Coutts, which was sold by Royal Bank of Scotland to Union Bancaire Privée in March 2015.

1MDB is at the centre of money laundering probes in at least six countries, including the United States, Switzerland and Singapore. 

The US authorities say about $4.5 billion (CHF4.5 billion) was siphoned from 1MDB, founded in 2009 by then-Malaysian prime minister, Najib Razak. He is facing a third corruption trial, which opened last week, linked to the looting of the 1MDB fund. 

Swiss connection

According to the Swiss newspaper report, billions of dollars passed via Zurich, Lugano and Geneva. Based on a 50-page penal decree from the finance ministry, the article alleges that 28-year-old Low opened accounts at Coutts Bank in 2009 and reportedly transferred millions from 1MDB. 

Low, who faces charges in the United States and Malaysia over what authorities say is his central role in the 1MDB case, has denied wrongdoing. 

Last month, the US Department of Justice reportedly struck a deal with Low to recoup $1 billion in funds allegedly looted from the Malaysian state fund. The deal did not include an admission of guilt or wrongdoing and was not tied to the criminal action against Low. 

According to the Tages-Anzeiger newspaper, the Office of the Attorney General of Switzerland is conducting criminal proceedings against six individuals and the private banks Falcon and BSI. 

It said the Swiss financial watchdog FINMA has identified serious violations of Swiss money laundering rules at the banks BSI, Falcon, Coutts, Rothschild and JP Morgan, and has also issued a complaint to UBS and Credit Suisse. 

In 2017 FINMA sanctioned Coutts for breaching money-laundering regulations in its business relationships with 1MDB and ordered the bank to “disgorge unlawfully generated profits” of CHF6.5 million. 

In April 2019, the Swiss Federal Court rejected an appeal by Falcon against the CHF2.5 million in “illegally generated profits” that Switzerland’s financial watchdog seized from the private bank in 2016. BSI private bank was also forced to sell itself to the EFG banking group in 2016 after being sanctioned by FINMA (via Swissinfo).

Monroe’s Musings: The 1MDB case has been called by many the biggest fraud in history. It’s good to see individuals at banks being held accountable, rather than simply a bank paying some sort of penalty for anti-money laundering (AML) compliance failings. 

Going after individuals in enforcement actions has a very powerful deterrent effect to make profit-hungry bankers think twice about skirting the rules to enrich their coffers. 

But another key detail that should not be lost on fincrime compliance professionals: the Swiss financial regulator is not letting any of the banks potentially involved off the hook, engaging in more than a half-dozen investigations of AML compliance practices. 

So that means even if no individuals at the banks are identified as key culprits and manipulative masterminds, the AML compliance program – including systems, expertise, individuals, decision-making and suspicious activity report filings, or lack thereof – will be put under a microscope. 

This could lead to very expensive AML remediations and penalties along with a more muted form of individual enforcement action.

What may that look like?

The action informally chastising individuals in compliance could come in the form of regulators directly or indirectly forcing out the current AML leadership at some institutions, whether for lack of performance or simply because a more savvy, experienced team is needed to lead the remediation and raise AML standards across the board, to ensure something like this never happens again. 

CYBERSECURITY

Millions of text messages, including sensitive details tied to authentication, user access, exposed in database security lapse

A massive database storing tens of millions of SMS text messages, most of them sent by businesses to potential customers, has been found online, another huge information security fumble that could give hackers and fraudsters more ammunition to pilfer from the masses.

The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. 

The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

The database stored years of text messages sent and received by TrueDialog’s customers and processed through its platform. It was left on the internet without a password, none of the data was encrypted, and anyone who found it could look inside.

Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts.

TechCrunch examined a portion of the data, which contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents. The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.

But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts. 

Many of the messages TechCrunch reviewed contained codes to access online medical services, as well as password reset and login codes for sites including Facebook and Google accounts.

The data also contained usernames and passwords of TrueDialog’s customers, which could have been used to access and impersonate their accounts.

Because some of the two-way message conversations contained a unique conversation code, it’s possible to read entire chains of conversations. One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.

TrueDialog promptly pulled the database offline after TechCrunch contacted it about the exposure.

The company is just one of many SMS providers that have in recent months left systems – and sensitive text messages – on the internet for anyone to access. It is also another example of why SMS text messages may be convenient but are not a secure way to communicate, particularly for sensitive data such as two-factor codes (via TechCrunch).
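The exposure described above is the kind of dataset an incident responder has to scope quickly: which records are live authentication codes, which phone numbers need a notification, and which conversation chains can be reassembled from the conversation code. The script below is an added example, not code from TechCrunch or TrueDialog; the record schema (id, conversation_id, direction, phone, body) and the sample rows are constructed for illustration and are not the real table layout.

```python
import re
from collections import defaultdict

# Constructed sample records in an ASSUMED schema. This is not TrueDialog's
# real table layout; the rows only mirror the kinds of messages described
# in the reporting (2FA codes, password resets, marketing, opt-outs).
SAMPLE_ROWS = [
    {"id": 1, "conversation_id": "c-101", "direction": "out",
     "phone": "+15125550101",
     "body": "Your verification code is 482913. It expires in 10 minutes."},
    {"id": 2, "conversation_id": "c-101", "direction": "in",
     "phone": "+15125550101", "body": "STOP"},
    {"id": 3, "conversation_id": "c-202", "direction": "out",
     "phone": "+15125550199",
     "body": "Spring sale: use code SAVE20 for 20% off this week."},
    {"id": 4, "conversation_id": "c-303", "direction": "out",
     "phone": "+15125550155", "body": "Use 771204 to reset your password."},
    {"id": 5, "conversation_id": "c-404", "direction": "out",
     "phone": "+15125550177",
     "body": "Your financial aid application has been received."},
    {"id": 6, "conversation_id": "c-303", "direction": "out",
     "phone": "+15125550155", "body": "Your login code is 110934."},
]

# A stand-alone 4-8 digit token. Letters or a percent sign glued to the digits
# disqualify it, so "SAVE20" and "20%" are not treated as one-time codes.
_CODE = re.compile(r"(?<![A-Za-z0-9])\d{4,8}(?![A-Za-z0-9%])")
# The code must sit next to an authentication keyword to count as sensitive.
_AUTH_WORDS = re.compile(
    r"\b(verification|verify|login|log in|sign.?in|one.?time|otp|password|"
    r"reset|pin|security code)\b", re.I)
# Standard carrier opt-out keywords; these rows matter for TCPA follow-up,
# not for account-takeover risk.
_OPT_OUT = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


def classify(body: str) -> str:
    """Return 'auth_code', 'opt_out' or 'other' for one message body."""
    text = body.strip()
    if text.upper() in _OPT_OUT:
        return "opt_out"
    if _CODE.search(text) and _AUTH_WORDS.search(text):
        return "auth_code"
    return "other"


def mask_phone(phone: str) -> str:
    """Keep only the last four digits so the triage report is not itself PII."""
    return "*" * (len(phone) - 4) + phone[-4:]


def triage(rows):
    """Scope an exposed message dump: category counts, numbers that received
    authentication codes, and per-conversation chains in send order."""
    counts = defaultdict(int)
    exposed_phones = set()
    chains = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["id"]):
        kind = classify(row["body"])
        counts[kind] += 1
        if kind == "auth_code":
            exposed_phones.add(row["phone"])
        # The conversation code lets a reader (or attacker) rebuild whole
        # two-way threads, so record the chain rather than isolated rows.
        chains[row["conversation_id"]].append((row["direction"], kind))
    return {
        "counts": dict(counts),
        "affected_numbers": sorted(mask_phone(p) for p in exposed_phones),
        "chains": dict(chains),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ROWS)
    print("message categories:", report["counts"])
    print("numbers that received auth codes:", report["affected_numbers"])
    for conv_id, chain in report["chains"].items():
        print(conv_id, "->", chain)
```

On the sample rows the triage reports three authentication-code messages across two phone numbers, one opt-out and two other messages, and shows that conversation c-101 pairs a verification code with the recipient’s later STOP. Against a real dump the same two questions, who received a live code and which threads are reconstructable, drive the notification list and the decision on whether exposed codes must be invalidated.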

Monroe’s Musings: These stories are becoming all too commonplace. Companies that wield hefty amounts of user information must also be more accountable for keeping that information secure, starting with the basics this case lacked: authentication on every internet-reachable datastore, encryption of stored message content, and retention limits so that years of one-time codes are not left waiting to be found by the same routine internet scanning that turned up this database. 

To leave this information online in an unsecured fashion is like catnip to hackers and criminal groups, who can either attempt to dupe individuals directly, or combine the details with other stolen data to create synthetic identities and maximize their monetary haul – all the while leaving innocent victims to foot the bills and deal with the severe economic aftermath.