“Perseverance is not a long race; it is many short races one after the other.” – Walter Elliot

In today’s ACFCS Fincrime Briefing, Australia’s Westpac sheds top leaders as laundering scandal grips, regulators gripe, OFAC sanctions Apple for ties to designated steroid trafficker, Samsung penalized $75 million for corruption failings, tarrying on transparency, and more.  

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

Westpac CEO, Chairman first corporate casualties in mushrooming money-laundering scandal

Westpac Banking Corp.’s chief executive and chairman are stepping down as Australia’s second-largest bank seeks to steady itself after being accused of breaching anti-money-laundering rules millions of times – and potentially missing the red flags and related reporting obligations on transactions tied to child sexual exploitation.

Bowing to shareholder pressure, the bank said Brian Hartzer will leave Dec. 2 after more than four years as CEO and managing director. Lindsay Maxsted, the chairman of almost eight years, will retire in the first half of 2020, a managerial bloodletting done in hopes of proving to regulators the bank has changed its tune on compliance – a potential hard sell reviewing how it recently treated a top compliance professional working to rectify the issues.

The moves follow issues raised by the Australian Transaction Reports and Analysis Centre (Austrac) last week.

The anti-money laundering and terrorism financing regulator applied to the Federal Court of Australia alleging Westpac was involved in “systemic non-compliance” with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) on over 23 million occasions.

Specifically, Austrac said the bank had consistently failed to assess and monitor ongoing money laundering and terrorism financing risks; report over 19.5 million International Funds Transfer Instructions (IFTIs) to Austrac over nearly five years for transfers both into and out of Australia; pass on information about the source of funds to other banks in the transfer chain; keep records relating to the origin of some of these international funds transfers; and carry out appropriate customer due diligence on transactions in the Philippines and South East Asia that were related to potential child exploitation risks.

“As CEO I accept that I am ultimately accountable for everything that happens at the bank. And it is clear that we have fallen well short of what the community expects of us, and we expect of ourselves,” Hartzer said of his departure.

The news is tinged with irony as other media reports highlighted that Westpac in its initial response to compliance problems didn’t support the person who brought them to the bank’s attention, but removed her from the position.

Westpac also laid out a four-page Austrac and overall compliance remediation “Response Plan,” which details some of the more immediate and long terms plans the bank has to address issues uncovered internally and externally, including:

• Immediate fixes, including closing LitePay, a remittance arm that allowed wires of thousands of dollars for a flat fee, but failed in user oversight and transaction monitoring.
• Lifting our standards, including priority screening and improving cross-industry data sharing, a move done as a mea culpa to help better identify larger, interconnected crimes.
• Protecting people, including investments to reduce the human impact of financial crime, in the form of spending more than $30 million on various initiatives to better spotlight and protect children and convene with experts to better be part of the solution and not the problem.

The news of executive upheaval roughly coincides with Westpac stating it will invest $25 million Australian dollars to improve cross-border and cross-industry data sharing and analysis as one of the “immediate fixes” as part of its response plan, following issues the raised Austrac, (via ZD Net).

Monroe’s Musings: This story is turning into Australia’s Danske Bank, with an institution taking the rare step of jettisoning executives as a show of faith and force to regulators. The future looks costly for Westpac when it comes to compliance.

But what is clear reading these stories is that the bank also had a failure of what U.S. regulators call a “culture of compliance” where a financial crime compliance officer is valued, their concerns addressed and suggestions taken seriously and implemented.

In the case of Westpac, it appears the compliance officer who first found the problems and was working for months to get to the root of the issue, was given the sacrificial lamb treatment, most likely as a way for the bank to quickly and immediately show Austrac it “did something.”

If that culture doesn’t change, along with setting a compliance “tone at the top,” all the technology improvements and investments to various child protection organizations in the world won’t make the changes needed to turn Westpac from a failing entity from a compliance perspective to a law enforcement ally.

Securing the Integrity of the EU’s Financial System is Overdue – Why is Progress so Slow?, a special RUSI report

Over the past couple of years, the inadequacy of financial crime supervision across EU member states has been brutally and repeatedly revealed through Baltic and Nordic banking scandals that saw hundreds of billions of dollars in suspect Russian funds flow through the Estonian branch of a Danish bank with little oversight, regulatory intervention or law enforcement scrutiny.

As the European Commission notes, in a number of money laundering cases, ‘supervisors only intervened after significant risks had materialised or in the face of repeated compliance and governance failures’, further observing that ‘in many cases, primary compliance failures kept recurring over years before being picked up by supervisory activity or before the bank reported on them’.

The evaluations of the Financial Action Task Force (FATF) – the global anti-financial crime standard setter and watchdog – have likewise illuminated systemic failings. As night follows day, more revelations are likely to emerge via leaks, investigative journalism and (hopefully) supervisory activity.

Despite proposals for action and rare ad hoc interventions by the European Central Bank, European authorities seem paralysed – much like our frog in the increasingly bubbling pot. The Commission has diagnosed the problem and has called for ‘deeper reflection’ on responses, but engendering meaningful action appears to be far more challenging for the Eurocrats.

Since scandal engulfed, among others, Malta’s Pilatus Bank, Latvia’s ABLV, Denmark’s Danske Bank, the Netherlands’ ING, Sweden’s Swedbank and Germany’s Deutsche Bank, the focus of attention has been on the failure of national supervisors. Certainly, the FATF’s evaluations have made uncomfortable reading for supervisors in countries like Denmark.

Some have argued for the expansion of staff and powers at the European Banking Authority (EBA), the independent EU authority which ‘works to ensure effective and consistent prudential regulation and supervision across the European banking sector.’

It would certainly seem that the EBA is currently deficient when it comes to meeting the second element of its mission, and its capacity and resources to act with any sort of authority to ensure effective EU member state financial crime supervision are all but absent.

Its decision to reject its own report on the supervisory failings in Denmark and Estonia connected with the Danske Bank scandal suggests the EBA still has a very long way to go if it wants to become an effective EU-wide supervisor of supervisors.

Given the systemic importance of many of the banks implicated in money laundering scandals, the European Central Bank also has a prudential role to play to ensure that money laundering does not threaten the stability of the EU’s financial system.

More recently, talks have reportedly focused on the creation of a new independent EU enforcement body with ‘direct powers’, seemingly bypassing national supervisors; a group of concerned EU member states has also floated the idea of a more active EU-level supervisor.

Clearly, effective supervision and enforcement are important elements in enhancing the integrity of the EU’s financial system.

To date, both have been absent; a dereliction brought into sharp relief by the repeated action taken by US authorities against EU financial institutions.

But a third important – and thus far, seemingly overlooked – element completes the triumvirate needed to achieve the necessary radical overhaul, namely intelligence. Importantly, as almost all of the EU’s money laundering scandals underline, this must include the sharing of intelligence between countries to combat the transnational nature of large-scale financial crime activity, (via RUSI).

Monroe’s Musings: Tom at RUSI has done it again. This story nails all the key issues, nuances, hopes and challenges to bolstering AML and countering financial crime in the EU and mirrors many of the conclusions in recent ACFCS stories that have covered the still-reverberating tremors of the banking scandals.

It’s unclear what EU regulator will lead the way, or if it will be some sort of coalition approach between current EU-wide authorities and member-state watchdog bodies.

But what is crystalline to all involved is that the bloc must make a bevy of bold moves, and make them quickly, to come from a region that simply has strong AML laws on the books to a region that makes implementation, effectiveness and results top priorities.

The Samsung FCPA enforcement action: Compliance lessons learned to avoid a similar fate

Last week, another Foreign Corrupt Practices Act (FCPA) case was resolved. It involved Samsung Heavy Industries Company Limited (SHI), a South Korea-based engineering company that provides shipbuilding, offshore platform construction, and other construction and engineering services.

The company agreed to pay total penalties of more than $75 million to resolve the government’s investigation into violations of the FCPA arising out of a scheme to pay millions of dollars in bribes to officials in Brazil. The company settled via a Deferred Prosecution Agreement (DPA). The basic facts were admitted to by the company in a Criminal Information.

According to the Department of Justice (DOJ) Press Release, the penalty of $75,481,600 was split, with 50%, or $37,740,800, to be paid to the United States the remaining 50% to be paid to Brazilian authorities pursuant to agreements between SHI and Controladoria-Geral da União (CGU), Advogado-Geral da União (AGU) and Ministério Público Federal (MPF).

If such payment is not paid to the Brazilian authorities on or before Nov. 25, 2020, payment must be made back to the US government. In related proceedings in Brazil, SHI entered into a memorandum of understanding with CGU and AGU and a complementary agreement for the negotiation of a leniency agreement with MPF.

The case involves SHI’s bribery of officials at Petróleo Brasileiro S.A. (Petrobras) to facilitate the sale of a SHI constructed oil drillship through a third-party entity, identified in the Criminal Information as Chartering Company, who had the contract with Petrobras. Chartering Company obtained a unilateral option to purchase a SHI drillship if it obtained a contract with Petrobras to charter a drillship.

This relationship led SHI to retain Brazilian Agent 1 to facilitate the payment of bribes directly to the Petrobras officials in charge of contracting with Chartering Company. A SHI senior executive agreed to a $20 million payment, the majority of which would be the pot of money to fund the bribe payments.

The payment scheme was also detailed in the Criminal Information. The corrupt agents (there were now two) created sham “Intermediary Companies” to bill SHI for the bribe funds.

Illegal payments were made to these Intermediary Companies from which monies were transferred in tranches from accounts in the US to banks in Monaco for the benefit of the corrupt Brazilian Agent. This same agent then had the monies further transferred to banks in Brazil for the benefit of the corrupt Petrobras officials.

A further wrinkle was added to try and hide this paper trail.

One of the Intermediary Companies created a sham loan agreement with one of the shell companies in Switzerland. Monies were paid to this shell company, allegedly to repay a non-existing loan. Since the loan was false, as it had never existed, this shell company forwarded the money as a bribe payment to one of the corrupt Petrobras officials.

Yet another interesting aspect was the cooperation (or perhaps lack thereof) by SHI which cost it a pretty penny.

First, SHI did not self-disclose the matter to either US or Brazilian authorities so no Declination was available. However, the company did receive credit for its cooperation with the DOJ’s investigation and for taking remedial measures.

Some of these remedial measures included making significant enhancements to its compliance program, including hiring additional compliance staff, implementing enhanced anti-corruption policies and heightened due diligence controls over third party vendors, instituting mandatory anti-corruption training and improving whistleblower policies and procedures.

However, the DPA made clear that the company did not receive full credit for its cooperation. Somewhat amazingly, given its credit for cooperation, SHI failed “to meet reasonable deadlines imposed by the Fraud Section and delays it caused in reaching a resolution.”

These actions cost SHI five percent off its total reduction so the “total criminal penalty reflects a 20 percent reduction off the bottom of the applicable United States Sentencing Guidelines fine range.” This failure cost SHI between $4 to $5 million in additional discounts. I hope the company found this conduct worthwhile for it surely was expensive.

It seems there is quite a bit to consider as lessons learned for the compliance professional. Obviously, the money trail was critical in this case. It was not clear from the Criminal Information who selected, vetted or approved the agents in this matter.

However, any review of them who have surely revealed multiple red flags, none of which appeared to be investigated. The most interesting additional fact in this case was the customer between SHI and Petrobras.

After all, the entire deal was contingent on the Chartering Company getting a contract with Petrobras for a drilling charter so that SHI could build and sell a drillship. This clearly speaks to the continued risk we have seen from the series of Petrobras enforcement actions where the end using customer was in on the bribery scheme.

This SHI case was no different but here the end using customer of the product was the Chartering Company not Petrobras. All of this would portend the need for greater involvement by the compliance function in the entire sales cycle.

Finally, is the clear and very expensive lesson that if you agree to deadlines with the DOJ, you must meet them. Failure to do cost SHI a very pretty penny, (via the FCPA Compliance Report). To read the full enforcement action, click here.

Monroe’s Musings: I have known Tom for many years and his insight and analysis of the corruption and compliance issues in this case is on the money, as usual. He is a well known thought leader in the corruption and compliance spaces.

We have written about similar cases against corporates and banks, and this action has some of those common threads, including the need for an operation to take a more transparency versus opacity stance when it comes to reporting violations and working with regulators.

At the same time, the case reveals a persistent gap for many corporates: having proper oversight of internal, external and third parties working on a firm’s behalf.

If any of those areas fail, the entity can be put at risk and, as this case points out, by tarrying in terms of accurately assessing, gathering and reporting information to authorities, firms can lose out on millions of dollars in potential discounts – funds that would be better spent remediating the problem that led to the action occurring in the first place.

Tech heavyweight Apple pays OFAC nearly $500,000 for violating sanctions tied to steroid trafficking network

Apple Inc. has agreed to pay about $467,000 to settle allegations it violated U.S. sanctions by dealing with a blacklisted entity for more than two years, the Treasury Department said Monday, a relatively diminutive penalty from an agency that has handed out fines as high as $9 billion. 

The Cupertino, Calif.-based technology giant allegedly violated U.S. sanctions by hosting, selling and facilitating the transfer of software applications from a Slovenian software company that was previously blacklisted by the U.S., according to the Office of Foreign Assets Control.

The settlement amount is small for a company the size of Apple, which has a market cap of about $1 trillion. But the case illustrates how compliance efforts by even sophisticated multinational companies can break down.

Apple allegedly entered into an app development agreement with SIS d.o.o., an app developer based in Trzin, Slovenia, in 2008, according to the settlement agreement between OFAC and Apple.

In February 2015, OFAC blacklisted SIS and its majority owner Savo Stjepanovic for allegedly being part of an international steroid trafficking network.

As a result of the designations, any property that SIS or Mr. Stjepanovic had an interest in were blocked, and U.S. individuals and entities were prohibited from dealing with them. In May 2017, OFAC removed Mr. Stjepanovic and SIS from its blacklist.

During the time SIS was blacklisted, Apple made 47 payments related to the company’s blocked apps, including making payments directly to SIS, OFAC said. Apple also collected about $1.2 million from customers that downloaded SIS’s apps.

OFAC said the span of time over which the alleged violations happened and the multiple points of failure within Apple’s sanctions compliance program showed “reckless disregard for U.S. sanctions requirements,” according to the agreement.

On the day Mr. Stjepanovic and SIS were blacklisted, Apple ran the new designations against its app developer account holder names. But the company’s sanctions-screening tool failed to identify SIS as a blacklisted entity because Apple’s system listed the company as “SIS DOO,” rather than “SIS d.o.o” on OFAC’s list, according to the agreement.

Apple allegedly failed to identify Mr. Stjepanovic as a blacklisted individual in its system as well, because Apple didn’t screen all individual users associated with an App Store account at the time, according to the agreement.

Apple also allegedly helped transfer the ownership of SIS’s apps to two other companies several months after the designation, according to OFAC.

In February 2017, after making changes to its sanctions screening tool and related processes, Apple identified SIS as a blacklisted entity, OFAC said. Apple then suspended making payments to the company that administered SIS’s App Store account, but continued to make payments to the other company that owned some of SIS’s apps for several months after the discovery, according to OFAC.

Mr. Stjepanovic didn’t respond to a request for comment. Efforts to reach SIS for comment weren’t successful.

OFAC credited Apple for its voluntary self-disclosure of the alleged violations and concluded the case was nonegregious.

OFAC also said the company had made changes to its compliance program, including increasing the role of the company’s global export and sanctions compliance officer in the review and escalation process and expanding sanctions screening to app developers’ payment beneficiaries and associated banks, (via WSJ). To read the OFAC settlement, click here.

Monroe’s Musings: The story said it best, noting that even an advanced technology company with a massive budget, market share and some of the best and brightest minds in the world can run afoul of undulating U.S. sanctions.

So what hope does that leave for the rest of us? Yes, in short, despite your best efforts, OFAC will get you.