“Hitch your wagon to a star.” – Ralph Waldo Emerson

In today’s briefing, latest ICIJ “Luanda Leaks” cache reveals grand corruption tied to Africa, ties to PwC, new resource to counter insider fraud, focus on U.K. fincrime countermeasures, challenges under new regime, and more.

Heads could roll at PwC over Isabel dos Santos links, says chairman, tied to Luanda Leaks, Isabel dos Santos grand corruption scheme

• PwC global chairman promises swift investigation, retribution for firm ties to dos Santos grand corruption scheme.
• PwC did audit work for companies belonging to Isabel dos Santos, Africa’s richest woman battling corruption allegations.
• Dos Santos has amassed a fortune of more than $2 billion at the expense of impoverished Angola, according to latest ICIJ leaks cache.

The global chairman of PwC has warned that heads could roll at the professional services firm over its links to Isabel dos Santos, Africa’s richest woman, who is battling allegations that she obtained her wealth through corruption and nepotism.

Bob Moritz, whose firm advised companies belonging to Dos Santos and her husband across multiple jurisdictions, told the Guardian he was “shocked and disappointed” by recent disclosures about the British-headquartered accounting firm’s work for the daughter of Angola’s former president.

The complex financial schemes that helped Dos Santos amass an estimated $2.2bn (£1.7bn) fortune at the expense of the Angolan state have been revealed this week in the Luanda Leaks investigation, based on a huge cache of documents leaked from her business empire.

Moritz said a PwC investigation would examine whether any individuals at the partnership should lose leadership positions, have their bonuses docked or lose their jobs.

Dos Santos has denied that her fortune is the result of nepotism or corruption, and she and her husband have rejected any allegations of wrongdoing, saying their wealth is the result of decades of hard work, and that moves to freeze their assets in Angola are part of a politically motivated “witch-hunt” by her father’s successor as president.

On Monday a Portuguese bank part-owned by Dos Santos announced that she and her associates had been banned as customers. After being shut out by some of the world’s biggest banks, Dos Santos had been relying increasingly on Eurobic, in which she holds a 42.5% stake, to move money.

The move comes as the fallout from the Dos Santos revelations shifts to the lawyers, accountants and other western companies that aided her business empire.

The Luanda Leaks consist of a cache of 715,0000 files from the administrators of her empire, examined by the Guardian and media outlets in 20 countries in an investigation led by the International Consortium of Investigative Journalists (ICIJ).

The documents suggest PwC, one of the big four global accountancy firms, acted as auditor, consultant and tax adviser to companies controlled by Dos Santos and her husband in Switzerland, Malta, the Netherlands and Angola.

According to the New York Times, another ICIJ partner, PwC worked with 20 of their companies.

Moritz said that from a reputational perspective, the Dos Santos story was the worst thing to have happened to PwC under his chairmanship, but he believed it was an exception and not the norm.

How Angola’s state oil firm was left with just $309 in its account

The company, which made millions from its work for Dos Santos, previously said it was terminating any work for entities controlled by members of her family “in response to the very serious and concerning allegations”.

After graduating from a British university, Dos Santos began her career at Coopers & Lybrand, which went on to become PricewaterhouseCoopers, or PwC. She later hired former PwC staff as close advisers.

They include the chair of Fidequity, the Lisbon wealth management outfit that helped administer her empire and whose data forms part of the leak.

When Dos Santos was appointed to run the Angolan state oil company, Sonangol, she recruited her chief financial officer from PwC, (via The Guardian). To read the full Luanda Leaks report and related ICIJ stories, click here.

Monroe’s Musings: This is yet another homerun in the battle against endemic global corruption schemes by the incredible journalists and partners at the ICIJ.

The story follows many of the classic models of grand graft: a powerful person running a state-owned energy firm in a region with weak rule of law, poverty and a penchant for bribery somehow (gasp!) miraculously amasses millions or billions of dollars. Now, thanks to the brave souls at ICIJ, we could have an answer of where, how and why.

There have been several media groups, including the International Consortium of Investigative Journalists (ICIJ), that have taken on massive international corruption and money laundering scandals.

These historic pieces, like the Panama and Paradise Papers, have exposed the ways in which the corrupt, elite and criminal move and hide assets – some illicit.

These investigations and leaks are also goldmines for financial crime compliance professionals.

The reason: because banks could unknowingly be providing accounts to the related companies, individuals or simply have operations and customers from the region – relationships that institutions may have to re-risk rank to appease regulators, or engage in some expedient and prudent customer “pruning.”

What is more likely, however, is that many banks, large and small, could have a review or audit relationship with PwC and may not want to be tainted by association with a firm that, itself, may soon be under greater investigative and regulatory scrutiny.

Why do some employees become insider threats and others not? Take a harder look at tech-savvy insiders with broad access to funds, systems

While it may be difficult for any company to look into a crystal ball and try to determine ahead of time when a good employee is going to break bad and become a liability instead of an asset, there are some broad commonalities among insidious insiders.

So how can a bank take a page from its anti-money laundering (AML) team and better risk rate those employees at a higher chance for engaging in insider abuses?

Look for those who are very tech savvy, such as those who have the technical capacity to hack, those who have extensive access to information technology systems, to better cover their digital tracks, or those with access to company funds and, lastly, those who are just greedy, according to an “A-Z of internal banking fraud,” resource by Netguardians, a Swiss-based fintech firm helping banks use artificial intelligence to better fight financial crime.

Frauds carried out by bank employees are a huge global problem, according to the group. Recent research puts the cost of banking fraud at around $70 billion a year – and cases involving bank insiders account for about 70 percent of that total.

The anti-fraud alphabet crafted by NetGuardians, replete with practical breakouts and graphics aplenty, highlights the scale of this problem and the different vulnerabilities that internal fraudsters exploit, and explains how advanced anti-fraud technologies can combat it.

Bank employees are uniquely well placed to discover and take advantage of weaknesses in their organization’s internal controls – perhaps by abusing their level of access to the bank’s IT systems or by targeting dormant accounts.

But FinTech anti-fraud solutions are improving all the time – their ability to identify and block suspicious activity in real time is becoming the first line of defense against the biggest fraud risk in banking,

Here are some snapshots:

• A – Abuse of administrator privileges: Abuse of administrator privileges is one of the key internal-fraud risks facing financial institutions.
• B – Behavioral profiling: Behavioral profiling lies at the heart of technology-based anti-fraud systems and represents a major recent advance in fraud detection made possible by the increasing power of Big Data analytics
• C – Cressey’s Triangle: Conceived by American criminologist Donald Cressey as a model to explain workplace fraud. It comprises the three elements Cressey argued must be present for internal fraud to occur: Pressure, Opportunity and Rationalization, (via NetGuardians).

Monroe’s Musings: So, quick funny story here: This piece is the result of a complete LinkedIn rabbit hole trip.

I was perusing LinkedIn as I do for content ideas, and someone posted one graphic from this A-Z resource, which I didn’t even know existed yet, but really found useful, fun and a great way to learn about a very challenging internal threat area.  

The graphic didn’t have a source, so I started researching “Insider fraud infographic,” and related terms and all of a sudden, I find this entire alphabet of insider fraud terms, tactics, counters and the like.

So, really, what I had done when I found the original graphic from that proactive fincrime professional was literally just grabbing the toe of a giant. Once I saw the depth, breadth, value and relevance of the resource page, I knew I had to share with you, the community.

Enjoy and I hope you found resource as valuable and enjoyable to peruse as I did.

U.K. SFO updates ‘internal’ guidance for evaluating fincrime compliance programs, with emphasis on effectiveness, training, decision-making

• U.K. watchdog body publishes guidance on evaluating compliance programs.
• While a welcome addition to help guidance compliance professionals, guidance lacks specificity, doesn’t offer clear, bright-line, practical steps.
• Move to offer U.K. compliance guidance follows similar move by U.S. regulators, investigative agencies.

This month the UK Serious Fraud Office published new guidance about how it assesses the compliance programs of the companies it investigates, a move that follows similar guidance by allies, like the United States – but overall is an “opportunity missed” to deliver bright-line boundaries in bolstering program effectiveness.  

The SFO’s eight-page document “Evaluating Compliance Programs,” arrived with very little fanfare late last week.

The guidance is actually part of the SFO’s Operational Handbook, which by its terms is “internal guidance” for the SFO only, “and is published on the SFO’s website solely in the interests of transparency.”

With those caveats in mind, let’s look at what’s in the new document.

It outlines the stages at which the SFO will examine a company’s compliance: at the time of the alleged offending, when a decision is being made on whether to charge the company and, in some cases, in the future when introducing and maintaining an effective compliance program as a condition of avoiding prosecution.

The new guidance pays close attention to the six principles detailed in the Bribery Act guidance published in 2011 by the Ministry of Justice.

So it goes on in some detail about the importance of proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training and monitoring and review.

This is all laudable. But it is hard not to see this as an opportunity missed.

That is because this guidance isn’t really grasping the nettle and telling companies in cold, hard terms exactly what they should be doing. There is very little in what the SFO has just put out that can be classed as solid advice that companies can apply to their workplaces.

We have known for years that the defense of adequate procedures is available. What the business world needs to know is just how the SFO weighs up precisely what it will consider adequate.

And then there’s the issue of theory and practice: a company may have a well thought-out, carefully developed compliance program but where does it stand if that program fails to prevent wrongdoing?

The SFO needs to come out and clarify where it stands when it comes to assessing a compliance program that has fallen short of its goals. We needed to know if such a program could ever be considered adequate and, if so, why. Unfortunately, we haven’t been given this.

A few months ago, the SFO’s General Counsel Sarah Lawson said that corporate compliance functions had to be well resourced and should not suffer as a result of cost cutting.

Part of this, I believe, is because compliance cannot be done on a one-size-fits-all basis, due to the variations in companies’ size and structure, the nature of their business and the risks they face.

If we take the U.S. Department of Justice’s updated guidance Evaluation of Corporate Compliance Programs from 2019, it emphasizes that a compliance program will only be genuinely effective if compliance personnel are empowered in a company.

Its message essentially boils down to the importance of a compliance program being well designed, it being implemented effectively and in good faith and it working in practice. It is hard to see anyone using those words about what the SFO has just published, (via the FCPA Blog).

Monroe’s Musings: I agree with the writer about this guidance, but I also offer a counterpoint of why the SFO would couch a piece of “internal guidance” in terms that seem to offer more vagaries that concrete clarities.

Over the past decade and through multiple administrations, attorney generals and leaders at agencies like the U.S. Department of Justice (DOJ), the country has been rather erratic on where guidance falls in terms of the panoply of compliance program requirements.

Go back a decade ago, fincrime compliance guidance is a welcome addition to at-times murky and dense regulations – fleshing out some of the more nuanced program areas, but not necessarily opening up an institution to penalty exposure for failing to implement in triplicate.

Jump forward a few years, and a different government powerbroker, and the guidance spigot is unceremoniously forced shut, with some stating AML guidance is simply rulemaking without going through Congress.

In recent years, the pendulum has continued to swing both ways, with DOJ and other agencies coming out with guidance tied to corporate compliance programs while the administration, just months later, stating publicly guidance can’t be used as the basis for enforcement actions.

So it’s no surprise the SFO when offering its own guidance has to walk a tightrope between clearly and forcefully telling a company what it can and don’t do in crafting compliance defenses versus delivering guidance so amorphous and general, it provides no value to the officers desperately trying to comply and pass muster with regulators.  

Getting the Economic Crime Plan Done: Why Economic Crime Matters for Johnson’s ‘Global Britain,’ a new RUSI commentary

This fantastic analysis from RUSI covers many of the tensions at play in the United Kingdom’s fight against financial crime, including the potential willingness of a new regime following a country-wide counter-crime plan that was largely created by a political predecessor.

Tackling economic crime should be high on the new government’s agenda and will deliver benefits for both the national security and ‘Global Britain’ agendas

The UK’s first ever cross-government, public-private Economic Crime Plan, a collection of policy, legislative and operational commitments, was published just days before the passing of the baton from Theresa May to Boris Johnson.

In this respect, the plan could be viewed as a cuckoo in Prime Minister Johnson’s policy nest, it being very much the brainchild of his predecessor convinced, from her time as Home Secretary, of the importance to national security of tackling the UK’s longstanding economic crime problems.

In the first months of Johnson’s tenure, the Economic Crime Plan seemed to have been brushed aside.

It sat at odds with some of the new premier’s flagship policies such as freeports (a recognized economic crime risk); a key ‘oven-ready’ piece of financial crime legislation (the Registration of Overseas Entities Bill, a Bill aimed at ending anonymous ownership of UK real estate) was excluded from the Johnson cabinet’s first Queen’s Speech, which set out the UK government’s legislative agenda.

The Economic Crime Plan also failed to make it into the Conservative Party’s 2019 election manifesto.

Despite this, we have seen early signs that economic crime hasn’t fallen completely off the agenda.

The prime minister’s second Queen’s Speech, immediately after winning the 12 December elections, contained the previously omitted Registration of Overseas Entities Bill; a key piece of legislation tackling the use of real estate to launder illicit funds.

However, one swallow does not a summer make. A busy legislative and wider policy agenda dominated by ‘getting Brexit done’ does not bode well for ‘getting the Economic Crime Plan done’.

Yet the case for getting to grips with the UK’s economic crime problem remains as strong as ever.

THE CASE FOR TACKLING ECONOMIC CRIME

First, it has taken successive governments of all hues many years to wake up to the fact that the UK has been sleepwalking through the growth of economic crime as a systemic national security risk.

Far from criminal proceeds flowing benignly into, out of and through the UK economy, it has finally been realised that economic crime facilitates other national security threats (such as organised crime and terrorism), has a corrupting influence on the economy and political institutions and undermines the integrity of the UK’s financial system.

Second, delivery of the actions in the Economic Crime Plan could repair some of the damage to Britain’s reputation in the world. As successive ‘laundromat’-style scandals unearth a web of UK companies and professional service providers at their heart and the scale of global corrupt wealth enmeshed in the UK’s real estate market becomes ever clearer, British financial crime finger-pointing has turned firmly back on itself. Promoting Britain as a bastion of fair play, the rule of law and integrity will ring hollow if it remains central to the financial crime and corruption woes of others.

Showing Britain is tackling its own domestic economic crime problems would allow Johnson to stand tall behind his vision for a ‘Global Britain’.

Finally, and importantly, is the case for protecting the UK public from the crime which is more likely to befall them than any other – fraud.

According to the Economic Crime Plan, one in 15 people in the UK fall victim to fraud every year, accounting for one third of crime experienced by individuals. Add to this the £5.9 billion annual economic cost of organised fraud against businesses cited in the Plan, the case for delivering on its fraud aspects alone has merit, (via RUSI).

Monroe’s Musings: Again, RUSI highlights major inflection points, tensions and trends that could have serious implications in how a country fights financial crime and empowers investigators and compliance professionals in their roles in the overall battle.

The U.K. has for decades been very aggressive in creating and implementing standards set out by global watchdog bodies, with some saying London “gold plates” rules to make them even stronger.

But where the U.K. has historically been lax has been in other key areas: financial crime compliance enforcement and promoting effectiveness, rather than just simply being in “technical compliance” by following rules.

The U.K. is also a critical ally to the U.S., helping law enforcement with international investigations.

Even so, the U.K. has also had glaring holes related to companies with opaque ownership structures buying real estate and moving money for many years, right under the noses of a supposed world-class counter-crime regime.

With that in mind, I absolutely agree with RUSI, as I always do in their reports and analyses, that refining and implementing the country’s financial crime plan needs to be a top priority – along with penalizing entities that don’t get on board quickly enough.