Daily Briefing: BNP CCO shifts risk culture to frontline, nearly $1 billion Uzbek FCPA fine and more
Tuesday, April 2, 2019
Posted by: Brian Monroe
By Brian Monroe
April. 2, 2019
Quote of the Day: “The pessimist sees difficulty in every opportunity. The optimist sees the opportunity in every difficulty.” – Winston Churchill
In today’s ACFCS Fincrime Daily Briefing, BNP Paribas’ CCO talks shifting a risk, compliance mindset to the front line, DOJ, SEC levy nearly $1 billion FCPA penalty on Uzbek telco, terror, crypto finance, and more.
Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.
Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!
BNP Paribas puts front-line business in charge of conduct to conquer compliance, behavior is 'evolving frontier,' says America’s CCO
BNP Paribas put its front-line businesses in charge of overseeing conduct within the bank, by embedding “chief conduct and control officers” who are responsible for spotting behavior that could put the institution at risk, according to Eric Young, chief compliance officer for the French lender’s operations in the Americas.
Young, who oversees a compliance staff of around 600 across the United States, Canada and Latin America, outlined numerous changes the bank has implemented to tackle conduct and culture, including putting greater responsibility on the business, and using behavior as key criteria in the firm’s executive review and promotion process.
Young joined the bank in 2015 after serving as chief compliance officer at S&P Global, the ratings agency.
BNP Paribas is nearing completion of a remediation plan under a 2014 agreement with the U.S Department of Justice over U.S. sanctions violations, which it paid $8.9 billion to settle.
It is also taking measures to strengthen foreign-exchange compliance after the New York Department of Financial Services in 2017 fined the bank $350 million for illegal foreign exchange related conduct.
“What we’ve done at BNP on the wholesale side over the past four years is to roll out a conduct program owned by the first-line businesses, which is a bit still unique to the rest of the banking industry because conduct often is associated with the second-line compliance department,” said Young.
“The first line businesses own and are accountable for misbehavior, particularly relating to the client,” added the executive.
Young’s past experience includes senior roles at JPMorgan, the Federal Reserve Bank of New York and General Electric.
“For example, on an end-to-end deal, meaning: before the deal, during the deal and after the deal, BNP has built conduct ‘toll gates.’ And that’s part of our decision process whether it’s in pricing committees, deal committees, governance committees at the top of the house, conduct is front and center about what we consider the impact is on our client,” said Young.
The “toll gates” essentially serve as check points that the business has to go through when considering various stages of a deal or transaction.
The question that is asked at each toll gate — whether in the formulation or marketing stage, structuring the terms of the deal, or completion — is whether the customer’s interests are being served, and if not, what needs to be done to ensure that those interests are protected.
Having business heads play a more active role in managing conduct and culture in the financial industry has been an emerging theme over the past few years, as regulators such as Federal Reserve Bank of New York seek new ways of tackling what many see as an enduring issue, particularly for the largest banks, (via Reuters).
This is a great interview with one of the brightest and creative minds in the financial crimes and compliance space and gives a potential glimpse of the future on how large, complex and international banks can better manage anti-money laundering risk in and out of the dedicated compliance function.
The idea of the re-distribution of risk, responsibility and accountability for having a counter-crime mindset by shifting the front line of the fight to the frontline is something we have been championing for years at ACFCS and is a strategy highlighted by other top thought leaders and government investigators, including Robert Mazur, the subject of the movie “The Infiltrator.”
He analyzed this tactic in a recent American Banker article, when then became the focal point for an ACFCS Tip of Week video, which you can view here.
I have had many discussions with Eric on how his philosophies and the mission of ACFCS are in complete alignment. As well, his movement to make allies out of classic AML compliance foils – including business line manager and account executives charged with adding revenues – also firmly implements two regulatory hot button buzzwords: culture of compliance and tone at the top.
Banks are under more pressure than even, particularly an institution like BNP which paid a record AML and sanctions penalty, to prove they have instituted a truly interwoven, holistic, convergent and enterprisewide compliance program that extends within and without compliance, building strengthen upon strength to the most far flung and distant nerve endings of an organization – regardless of jurisdiction.
Eric is implementing this mantra in a bevy of concrete steps and has turned a bank that had been decried as a potential conduit for criminal money launders and sanctions evaders into a true law enforcement partner that puts counter-crime priorities above profits, a change of heart of mind no doubt noticed by regulators the world over.
DOJ penalizes Russia’s largest mobile telecommunications company, Uzbek sub nearly $1 billion for broad corruption failings
Federal prosecutors have penalized Russia’s largest mobile telecommunications company and an Uzbek subsidiary nearly $1 billion for a massive corruption and money laundering scheme that reached to the highest levels of Uzbekistan political and business elite – including ties to the country’s former president.
This U.S. Department of Justice (DOJ) and Securities Exchange Commission (SEC) last month levied an $850 million fine against Moscow-based Mobile TeleSystems PJSC (MTS), the largest mobile telecommunications company in Russia and an issuer of publicly traded securities in the United States, and its wholly owned Uzbek subsidiary, Kolorit Dizayn Inc. LLC (KOLORIT), for related to hundreds of millions of dollars in bribes in Uzbekistan.
Investigators also unveiled charges corruption and money laundering charges against a former Uzbek official who is the daughter of the former president of Uzbekistan and against the former CEO of Uzdunrobita LLC, another MTS subsidiary, involving more than $865 million in bribes.
The sprawling scheme included graft-gilt payments from MTS, VimpelCom Limited (now VEON) and Telia Company AB (Telia) to the former Uzbek official to “secure her assistance in entering and maintaining their business operations in Uzbekistan’s telecommunications market.”
The individuals and companies involved violated the U.S. Foreign Corrupt Practices Act (FCPA)
In particular, authorities charged Gulnara Karimova, 46, a citizen of Uzbekistan, with one count of conspiracy to commit money laundering. Karimova is a former Uzbek official who “allegedly had influence over the Uzbek governmental body that regulated the telecom industry.”
The corruption scheme hinged on wooing a high-ranking regulator and parlaying that influence into choice business contracts to the tune of nearly $1 billion.
Karimova and Akhmedov, in or around the early 2000s, agreed that Akhmedov would solicit and facilitate corrupt bribe payments from telecommunications companies seeking to enter the Uzbek market.
In exchange, Karimova allegedly used her influence over Uzbek authorities to help the telecommunications companies obtain and retain lucrative business opportunities in the Uzbek telecommunications market.
In total, Akhmedov conspired with the telecom companies and others to pay Karimova more than $865 million in bribes, and Akhmedov and Karimova conspired with others to launder and conceal those funds to, from and through bank accounts in the United States, in order to promote the ongoing bribery scheme, the indictment alleges.
The companies admittedly structured and concealed the bribes through payments to shell companies that members of MTS’s and other related companies’ management knew were beneficially owned by Karimova.
“Gulnara Karimova stands accused of exploiting her official position to solicit and accept more than $865 million in bribes from three publicly traded telecom companies, and then laundering those bribes through the U.S. financial system,” said Assistant Attorney General Brian Benczkowski, (via DOJ).
This penalty, one of the largest ever FCPA actions, has yet again put corruption compliance front and center at the forefront of compliance risk, with banks holding the accounts of the companies involved no doubt fretting anew what transactional ties they had to the firms directly and any tenuously related third parties.
Don’t forget just a few years, in 2016, FCPA enforcement hit record highs. And while that momentum waned somewhat in 2018, the U.S. has in recent months stated publicly it is making the identification and investigation of grand kleptocracy a priority for counter-crime agencies and recently-creates special ops-style task forces with a more precise and aggressive mission.
And while this penalty is not hitting a bank directly, it is hitting on what is in some countries under the ambit of financial institution in the securities space.
Moreover, this case has AML tethers aplenty as these companies no doubt had accounts with domestic and international banks in order to facilitate the cycle of corruption, including the firms doling out the graft-gilt dollars to the nebulous and opaque shell companies taking the bribe funds.
So bank compliance teams should scour their transactional records anew with this new lens to see if any payments to or from these companies seem like a higher corruption risk in hindsight and, in particular, institutions with relationships with the shell companies should re-check the due diligence and risk assessment at account opening and, again with 20/20 hindsight, review if any suspicious activity reports were missed.
Jihadists upping their Bitcoin game, creating unique addresses for visitors to stymie investigators, block blacklists
Bitcoin may have lost its luster for many speculators chasing skyrocketing prices before the bubble burst, but some terrorists desperately want the cryptocurrency anyhow because of the speed at which the group can acquire financial support and the challenges for banks and virtual currency exchanges to realize that a random recently-created Bitcoin address is actually tied to a terror group.
Last week, the terrorist organization Hamas--which controls the Gaza Strip--released a video urging supporters to send the group money in the form of bitcoins.
Hamas’ military wing started the Bitcoin campaign back in January, but only raised a few thousand dollars. Undeterred, the group is doubling down on Bitcoin crowdfunding and getting more sophisticated in handling the technology.
The sleek Hamas video is in Arabic with English subtitles and recommends ways for acquiring and sending bitcoins while reducing the chance of being discovered.
Hamas previously told donors to send all funds to a specific Bitcoin address, but the group’s website now generates unique addresses for each site visitor – a move that will also make it harder for investigators to identify and then pass that information to the sanctions arm of the U.S. for blacklisting.
This method will make it harder for authorities to identify and track donations, and shows that Hamas is more careful about cryptocurrency operational security. The group has climbed high up the crypto learning curve in just a few months. Hamas is not the first terrorist organization to raise funds through Bitcoin.
Various jihadist groups have been experimenting with cryptocurrency campaigns the past few years, but Hamas apparently has learned from them and is teaching supporters how to use Bitcoin more securely.
Last year, for the first time, the U.S. Treasury Department added cryptocurrency wallet addresses to its sanctions blacklist.
This was a groundbreaking move to show illicit actors that financial authorities will go after them even in the digital currency realm. However, the Hamas activity exemplifies how easy it is for terrorist groups to adapt to such efforts by using readily available software tools.
Cryptocurrency addresses are unlike bank accounts where a regulated institution vets you before giving you access to the bank. In the crypto space, in many ways, you can be your own bank. No one can stop you from acquiring a Bitcoin address, (via Forbes).
This story should serve as a further wake up call to both financial institutions overall and crypto currency exchange houses that terror groups and operations already on sanctions and other blacklists are getting more creative and aggressively to enrich their coffers through crypto coinage.
This should spur banks with relationships with crypto currency exchanges to more rigorously review what AML compliance practices they have in place and get a sense of how well these exchanges truly understand the fincrime, terror and OFAC risks of customers directly and if they have a sense of what regions of their world they customers operate.
In a similar vein, crypto exchanges should ensure they don’t have an AML and OFAC gaps by engaging in a pro-active compliance lookback through the terror and hybrid threat finance lens, cross-referencing crypto addresses with their own customer rolls to find hits.
Or, at the very least, logging and attempting to do a deeper terror risk dive for customers with thin or nebulous due diligence details, with the understanding that a bevy of new addresses coming to the fore in a similar timeframe and then engaging in transactions near or below customer reporting thresholds could be a threat that leads to terror ties.
Microsoft: Windows 10 devices open to 'full compromise' from Huawei PC driver
As part of its effort to protect Windows 10 from the next WannaCry, security researchers at Microsoft discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel – a further knock against the Chinese technology behemoth that is under already intense scrutiny from the U.S. for potential national security issues.
Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January, but that still leaves potential lingering software vulnerabilities for operations that have not updated systems with the latest patches.
As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows.
The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.
The sensors are part of Microsoft's response to the WannaCry malware outbreak of 2017, which caused havoc in the UK's National Health Service and infected about 200,000 Windows PCs around the world. The malware was attributed to North Korean hackers.
Specifically, the sensors are designed to catch malware like DoublePulsar, a backdoor implant created by US National Security Agency hackers that was leaked by The Shadow Brokers in early 2017. DoublePulsar runs in kernel mode and was the vehicle for delivering WannaCry, copying the malware from the kernel to user-space.
The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel, (via ZD Net).
This news, even while stating the issue has a potential patch to fix the identified vulnerability, won’t help Huawei’s case that it is not an ongoing national security threat to the United States, with the administration giving intense scrutiny to the Chinese tech monolith in an ongoing trade spat.
Huawei doesn’t want to lose access to the U.S. market, or worse, entre to revenue opportunities in ally countries, like the United Kingdom and even European Union.
Whatever decision the U.S. makes – for or against allowing Huawei phones and other hardware into the market, will have risk, security, financial crime compliance and espionage ramifications outside the states, similar to the tipping of a domino setting off a global chain reaction.