Europe

Sucre Highs and Sucre Lows; Money Laundering and Virtual Currency

Sucre, the virtual trade currency set up to facilitate transactions between Venezuela, Ecuador, Cuba, Bolivia and Nicaragua, and subject to a 2014 investigation by the Ecuadorian authorities amid allegations of serious abuse and money laundering control issues, is still a relevant use case that demonstrates the importance of implementing the proper financial crime and network risk management controls to ensure that what was in essence a perfect solution to a commercial challenge is not undermined by involvement – albeit inadvert – in financial crime.

Background

Sucre, an invention of Hugo Chávez in 2010, stands for the Unified System of Regional Compensation (in Spanish) and is also the last name of the 19th century Venezuelan leader, Antonio José de Sucre y Alcalá. It is primarily a trading currency managed by a board of central bankers, which is used by importers and exporters to make and receive payments in their local currencies. As The Wall Street Journal points out, “Sucre’s appeal lies in its implicit payment guarantee…In a typical sucre transaction, a company in Ecuador sends the Venezuelan importer an invoice denominated in U.S. dollars, which is Ecuador’s national currency. The Venezuelan company then sends that invoice to the Venezuelan central bank, handing over bolívares. The Venezuelan central bank converts the bolívares to sucre and transfers the sucre to Ecuador’s central bank. There, it is converted into U.S. dollars, Ecuador’s national currency, and the exporting company receives its payments.”

Criminal opportunity

In 2014 a joint investigation between the Ecuadorian and Venezuelan authorities was launched into abuses of Sucre transactions, primarily focussed on the use of so-called “ghost companies” which over-invoiced for goods received and took advantage of favourable exchange rates, a common tactic used in money laundering. Ecuadorian newspaper El Universo and the Miami daily El Nuevo Herald reviewed and highlighted schemes involving various transactions carried out with Sucre currency. The investigation found that Sucre served as a platform for at least 60 Venezuelan companies and 30 Ecuadorian firms to carry out multi-million dollar operations involving fictitious exports and ghost companies — as well as bank accounts in Panama, the Bahamas, and Anguilla. Reporting indicates that at the time up to 5% of Sucre transactions were suspicious in nature – which FINTRAIL assess to be very high by current bank standards.

This is further compounded by allegations in the public domain that senior figures in the Ecuadorian and Venezuelan governments were privy to some of the money laundering schemes, specifically a company called Fonglocons (Global Construction Fund), which was incorporated just four days before the bilateral agreements between Venezuela and Ecuador were signed and which was created with the specific purpose of trading between the two countries. None of the allegations against Fonglocons has yet been proven, however.

On face value the potential attractiveness and vulnerability of the Sucre scheme to money launderers was clearly not fully considered in the strategy and planning mechanisms around the currency and its deployment, leaving it open to relatively easy misuse by criminal or otherwise corrupt enterprises, sullying its reputation as a reliable virtual trade currency and undermining its otherwise strong utility in markets trying to reduce their reliance on the US dollar. Appropriate network risk management through a comprehensive understanding of the threats facing a virtual currency such as Sucre and the implementation of a clear control infrastructure to mitigate particular vulnerabilities would likely have prevented such infractions.

The Reality of Financial Crime Risk in FinTech

As the global FinTech sector continues to grow – KPMG and CB Insights show the surge of investment continuing to a multi-year high of USD13.8 billion in 2015 – so are the instances of financial crimes at FinTech firms.  The examples of Trustbuddy, Mt. Gox, Ripple Labs and Ezubo (to name but a few) – which have been hit by financial crime scandals ranging from internal misconduct, money laundering, fraud and embezzlement – demonstrate this trend all too neatly, and underscore the need for FinTech firms, and their investors to ensure that the right financial crime risk management controls are in place, to protect their brands and their investments respectively.

Peer to peer (P2P) lending, mobile payments, virtual currency trading and crowdfunding platforms all offer an alternative and potentially more attractive solution to traditional banking. However, you only need to dig a little deeper to find examples of poor financial crime risk management, which if replicated across the FinTech industry have the potential to cause significant damage to the investment attractiveness of such firms and reputation of the industry.

Ezubo – where did all the money go?

Chinese courts last year handled 1.4 million cases involving P2P lending worth a total of CNY821 billion. As an example, just a few months ago, Chinese authorities pressed charges against Ezubo Ltd for defrauding investors out of CNY50bn through a Ponzi scheme. It is alleged that Ezubo sold fake investment products to nearly 1m investors, with promises of annual returns of up to 15 per cent.

The irony of Trustbuddy

Financial crime’s tainting of the P2P model is not confined to those markets with loose or limited regulation. Sweden-based Trustbuddy had a SEK 44 million discrepancy between the amount owed to lenders and the available balance of client bank accounts. This was discovered by the company’s new CEO, and just as he was hired, Trustbuddy filed for bankruptcy, with reports that internal misconduct had taken place since operations began in 2009.

Mt. Gox – on the rocks

In Japan, Mt. Gox, one of the world’s first BitCoin exchanges and at one point handling around 80% of the world’s bitcoin trades, filed for bankruptcy in 2014. The then-CEO Mark Karpeles was accused of manipulating trade volumes and taking JPY321 million from the company to fund personal projects. Interestingly Mark Karpeles had reportedly been sentenced to a year in custody on fraud accusations prior to founding Mt. Gox.

Ripple Labs – making waves for all the wrong reasons

In the US, Ripple Labs was subject to the first civil enforcement action brought against a digital currency exchange. The company reached a settlement with the US Department of Justice and Department of Treasury in excess of USD1.1 million, and admitted to not having an effective AML programme in placeIn the Financial Crimes Enforcement Network (FinCEN’s) ‘Statement of Facts and Violations’ report, it was noted inadequate KYC checks lead to a USD250,000 transaction taking place with an individual who had a previous federal felony conviction for dealing in, mailing, and storing explosive devices.

Crowdfunding – necesSARy notifications

According to FinCEN, there has been a 171% increase in Suspicious Activity Reports (SARs) filed between January 2015 and May 2015 for rewards-based crowdfunding, compared to those filed in the whole of 2013. Analysis indicates various forms of potential illicit use of platforms, including money laundering, fraud schemes, possible terrorist financing, and other criminal activities. It is important to stress that in the grand scheme of FinCEN SAR data the overall numbers of SARs associated with Crowdfunding are still relatively small.  The increase in SAR activity is likely driven by greater awareness of SAR reporting requirements, as well as the growing popularity of the product for ordinary customers as well as those with illicit intent.

The European Securities and Markets Authority (ESMA) has explicitly said:

“Investment-based Crowdfunding carries a risk of misuse for terrorist financing, particularly where platforms carry out limited or no due diligence on project owners and their projects. Project owners could use investment-based Crowdfunding platforms to raise funds for terrorist financing, either overtly or secretly.” 

So What?

There is significant opportunity for strong financial performance within FinTech and its various facets, but these examples demonstrate the risks as well as rewards that apply to founders, investors and customers of these firms. Understanding and mitigating the potential financial crime risks ensures the protection of investments and the regulatory and reputational longevity of a firm.

 

https://flic.kr/p/Cgp24k | Flickr Creative Commons Waves | The stormy seas crashing on the rocks by Chris Dine

UK Action on Money Laundering and Terrorism Financing

This morning Theresa May announced what is being touted as “the most significant change to the UK’s anti-money laundering and terrorist finance regime in over a decade“.

The Action Plan promises “A more effective response to the threat, so that resources can be better targeted at areas of real risk, for example by removing duplication or conflicting compliance advice, will help lift unnecessary bureaucratic burdens that do not contribute to the fight against crime and help resource be used better elsewhere.

The Government is committed to reducing the regulatory burden on business, which can distract or make it harder for companies to focus on real risks and will also ensure that any additional burdens placed on businesses and individuals are targeted, proportionate and justified by evidence of significant need.”

The Action Plan for anti-money laundering and terrorist financing outlines legislative as well as operational actions designed to improve the UK’s response to the threat posed from illicit financial activity. Annex B to the report is the Findings from the Call for Information on the Suspicious Activity Reports (SARs) Regime that also provides some interesting insight on the state of the UK regime.

A few observations:

  1. Joint Money Laundering Intelligence Taskforce (JMLIT) – is perceived as a success and is now being moved to a permanent footing. This is a positive endorsement of public/private partnerships and how sharing expertise and knowledge can have significant impact when countering complex illicit finance. However, one glaring gap is that the representative cadre is still focused on the incumbent financial institutions. As disruption of financial services continues and customers diversify to non-core solutions there is a critical need to proactively address the gap in representation from disruptors as well as non-banking financials. After all this is meant to be a plan for the future.

  2. The importance of information sharing – The Action Plan makes it clear that a key priority is improving the UK’s framework for public/private and international information sharing. There is currently massive complexity and inefficiency in global anti-illicit finance and establishing clear frameworks will breakdown the current silos and present huge opportunities for public and private sector stakeholders.

  3. A need for greater awareness and better training – The plan calls for Prevent campaigns to raise awareness across regulated professionals. Interestingly comments collated in Annex B highlight weakness in the UK reporting and SAR process due to a lack of quality training and knowledge on typologies or ‘what to look for’. Considering that many regulated companies and industries are required to deliver AML and associated training at huge cost would suggest that the current approach is not working and training solutions need to be improved to ensure they are effective.

  4. To what extent are non-banks exposed – Comments in Annex B state “The banking sector is subject to considerable regulation, and is responsible for most SARs. Criminals may have recognised this, and will use other avenues where there is less reporting. Improved oversight, and rationalisation of supervisors in some of the non-bank sectors is required to address this.” There is no denying that criminals are versatile and looking for vulnerabilities to exploit. Businesses need to be alive to this risk and proactively consider and address their frameworks to avoid becoming the target or vehicle of choice.

  5. Information sharing on risks and threats – Respondents in Annex B suggest SAR filing is hampered as there is not enough support available on typologies and threats to help identify suspicious activity. This has wider implications as the foundation of a good financial crime risk management framework has to be built on knowledge of the threats faced, vulnerabilities to those threats and the impacts they may have. A lack of knowledge of the threats and vulnerabilities facing a business has a material impact on the ability to implement proportionate risk management and creates a ‘compliance’ focused strategy.

These reports provide an interesting insight into the current state of UK anti-illicit finance efforts and the perceived priorities for action. How that materialises into physical effect will be interesting to observe.

E-Money, Pre-Paid Cards, Virtual Currencies and Terrorist Financing

Do the terror attacks in Paris and Brussels mark a significant shift in terrorist financing typologies and what does it mean for EU Law Enforcement?

Since we drafted our first post on terror financing (available here) there have been a number of key developments worthy of consideration and comment. Firstly there is now more information available on the financial activity of the Paris attackers. The French finance ministry’s intelligence unit Tracfin said prepaid cards, some bought in Belgium, were used to pay for cars and apartments used by the assailants in the 48 hours preceding the attacks. French Finance Minister Michel Sapin told a news conference attackers financed the assault by amassing several “tiny sums” which are hard to track, notably by using prepaid credit cards and “The cost of these latest attacks, the financing of the attacks, represents a sum not exceeding €30,000“.

Secondly Europe has witnessed a second major terrorist incident in Brussels on 22 March 2016. Media and government sources are suggesting that both the Paris and Brussels attackers are linked and potentially part of the same network. A great piece of visual analysis by the NY Times (available here) provides a clear picture of the social and geographic relationships between the attackers and support networks.

Image: http://www.nytimes.com/interactive/2016/03/23/world/europe/how-the-brussels-and-paris-attackers-could-be-connected.html?_r=1

Image: http://www.nytimes.com/interactive/2016/03/23/world/europe/how-the-brussels-and-paris-attackers-could-be-connected.html?_r=1

While details in the public domain remain scant it would not be a stretch to assess it as highly likely that the Brussels attackers and support network used similar or the same financing mechanisms to facilitate their activities. The volumes are likely to be broadly similar as they rented accommodation, purchased pre-cursor material, manufactured TATP, bought weapons (AK-47’s) and other subsistence. As noted by French investigators some of the pre-paid cards used in the Paris attacks were “bought in Belgium” and the close association between key facilitators in Paris such as Salah Abdeslam and Najim Laachraoui would create the right conditions for them to leverage proven mechanisms to finance the Brussels attack planning.

If our assessment is proved to be accurate it would be the second significant terrorist incident in less than a year where pre-paid cards and E-Money played a role in terrorist activities, albeit it as part of the same overall network. Additionally it is the second incident to go un-detected by EU law enforcement and while terror financing can be exceptionally difficult to identify due to the small sums involved, it highlights a potential intelligence and enforcement gap across new forms of E-Money and virtual currencies. When combined with the existing mechanisms of terror financing across global informal money remitters and physical cash, it makes for a growing challenge.

The UK National Risk Assessment (NRA) of Money Laundering & Terrorist Financing published in October 2015 stated “The money laundering risk associated with e-money (inc pre-paid cards) is medium, however terrorist financing risk associated with e-money is low.” It clearly calls out the challenge of E-Money regulation across the EU “At the EU level there are discrepancies between the 3MLD and the Second E-money Directive (2EMD). This has led to other EU member states applying discretion in the application of AML/CFT legislation to agents and/or distributors and different rules applying to different entities in the transaction chain. Passporting within the EU can add a further layer of confusion.” Significant is the admission that “Understanding criminal exploitation of the e-money sector remains an intelligence gap for law enforcement agencies. This is compounded by operational challenges. For example, in the majority of cases, prepaid cards do not carry a marking to differentiate them from other credit or debit cards”. 

It is interesting to see the sea-change in opinion between the UK NRA and comments driven through the EU by the French post Paris. On 02 Feb 2016 the European Commission released a statement outlining proposals to strengthen regulations and controls, proposing the following targeted amendments to the Fourth Anti-Money Laundering Directive by the end of second quarter 2016 (only relevant amendments provided in this post):

  • Ensuring a high level of safeguards for financial flows from high risk third countries: The Commission will amend the Directive to include a list of all compulsory checks (due diligence measures) that financial institutions should carry out on financial flows from countries having strategic deficiencies in their national anti-money laundering and terrorist financing regimes. Applying the same measures in all Member States will avoid having loopholes in Europe, where terrorists could run operations through countries with lower levels of protection;

  • Centralised national bank and payment account registers or central data retrieval systems in all Member States: the Directive will be amended to give Financial Intelligence Units easier and faster access to information on the holders of bank and payment accounts;

  • Tackling terrorist financing risks linked to virtual currencies: to prevent their abuse for money laundering and terrorist financing purposes, the Commission proposes to bring virtual currency exchange platforms under the scope of the Anti-Money Laundering Directive, so that these platforms have to apply customer due diligence controls when exchanging virtual for real currencies, ending the anonymity associated with such exchanges;

    • As a first step the Commission will propose to bring anonymous currency exchanges under the control of competent authorities by extending the scope of the AMLD to include virtual currency exchange platforms, and have them supervised under Anti-Money Laundering / countering terrorist financing legislation at national level. In addition, applying the licensing and supervision rules of the Payment Services Directive (PSD) to virtual currency exchange platforms would promote a better control and understanding of the market. The Commission will examine this option further. The Commission will also examine whether to include virtual currency “wallet providers”.

  • Tackling risks linked to anonymous pre-paid instruments (e.g. pre-paid cards): the Commission proposes to lower thresholds for identification and widening customer verification requirements. Due account will be taken of proportionality, in particular with regard to the use of these cards by financially vulnerable citizens.

    • In order to address the above concerns, the Commission will present further changes to the AMLD, which could focus in particular on reducing existing exemptions such as thresholds below which identification is not required, notably for cards used face-to-face, and requiring customer identification and verification at the time of online activation of the prepaid cards. The Commission is currently exploring the detailed design of such measures, taking into account their impact and the need for proportionality.

While it is far too early to suggest we are seeing a wholesale change in how terror financing is being facilitated it is important to recognise the important milestone these incidents represent. The apparent success of the Paris and Brussels attackers to go un-detected during a period of what can only have been relatively intense attack planning is likely to highlight the vulnerabilities in intelligence coverage and general knowledge amongst regulators and law enforcement of these products and the associated risks. A challenge the industry and regulators will always face is balancing the benefits new products and technology bring against the risks. What is clear is there is a need for industry to further increase education and awareness efforts with regulators and law enforcement, closing the gaps and setting the conditions for a sustainable long-term relationship.

 

Learn From History; FinTech, New Payment Methods, Correspondent Banking and Financial Crime

FinTech should take advantage of the lessons learnt the hard way by established correspondent banking institutions, avoid repeating history and emerge stronger.

Established financial organisations have been battling the challenges of financial crime risks within correspondent banking for years, but in the last three to four that focus and complexity has increased as international regulators have rightly raised the level of oversight and enforcement. Collectively the fines have run into billions of dollars and have severely affected a number of international household banking names.

We would not be the first people to say FinTech and new payments technology are the new kids on-the-block with the ability to disrupt the status quo, improve financial inclusion and drive efficiency but there is also a need to learn the hard lessons of their forefathers in correspondent banking. Here are a few areas for consideration:

  1. Understand the financial crime threats your business faces – and we mean genuinely understand them! Are sanctions a concern because of the type of products you offer, or the markets you cover?  Or is money-laundering the primary concern because you’re operating in markets with limited transparency and weak legislation in the anti-money laundering arena? Understanding threats, and the risk they pose (the likelihood and impact of those threats materialising) is crucial to determining the next steps you take and should, in all truth, influence your overall strategy.

  2. Define and understand your risk appetite – once you’ve understood the threat landscape, define what and how much financial crime risk you can realistically manage and what will you do if it is exceeded. This will help shape and refine your strategy.

  3. Clearly understand your business strategy – use your knowledge of financial crime risks and overall risk appetite to set a cohesive strategy and monitor that it is working. You can’t blindly onboard or target new sectors, customers or markets without considering the impacts on your risk profile. Go into those decisions with your eyes open.

  4. Understand your network and its constituent parts – who are you doing business with, who provides you with services or facilitates your business, do you use exchanges, what financial crime controls are they applying and does your network pose any risk to you, your concept, product or reputation. Understand the core components of your internal (affiliated) and external network and the risks they pose.

  5. Identify and monitor the high risk parts of your network – once you understand your network and its components, identify those areas that are likely to present or incur financial crime risk and monitor them.

  6. Don’t just trust what people say – make sure your have due diligence and assurance processes in place to identify when things in your network start to go wrong and standards are not being adhered to.

  7. KYC, KYC, KYC – know your customer and understand what they should and actually are doing. Is it your customer or a customer’s customer? Do you know what KYC they have done? Effectively monitoring transactions, payments, transfers or associated deviations requires knowledge of the expected to recognise the abnormal. We don’t want to be too regulatory focused here but you really need to think carefully about what it is is you need to know about your customers.

  8. Understand what is normal and monitor for any deviation – do you expect to see a high volume of transfers or payments to high risk jurisdictions, locations or customer groups?  Has there been any increase or significant decrease in flow volume or value? You would be surprised at how rarely this is done effectively but can be one of the best indicators that something is going wrong.

Some of the points above seem obvious but the background for each is based on actual organisational failings evidenced in multiple publicly available documents such as the various Deferred Prosecution Agreements against international banks. There are hugely exciting opportunities to leverage developments in the FinTech and payments space to solve critical financial inclusion, transparency, efficiency and sustainability issues, but without learning from past experiences, and getting a grip on risk management early on, none of these opportunities for true disruption will be realised.

Photo by jarmoluk (Pixabay)

Ticking a box or managing financial crime?

Is solely complying with regulations really managing financial crime risk? FinTech and start-ups have the opportunity to carve a new path in risk management strategy

Over the years the term and structural title of Compliance has become associated with a perception of a tick box nature, obeying the rules or guidelines of regulation with little room for dynamism and flexibility.

Is that what the industry and regulators want? What does it conjure in your mind when you think of the word Compliance?  This is what the dictionary says:

The state or fact of according with or meeting rules or standards

It is not exactly inspirational and equally, in the rapidly evolving world of financial crime risk management it is not particularly accurate or effective. Do you want to meet rules or standards or do you want to manage risk? Do criminals operate within a framework of regulatory guidelines? No. They are far more agile in their ability to exploit vulnerabilities.

Adopting a tick box mentality can be hugely detrimental to the success of an organisation to manage and adapt to rapidly changing financial crime typologies. You need to be using innovation and working collaboratively across teams to hit the desired effect. Yes, the lines of defence model is there for a reason and you absolutely must comply with regulations as they apply to you but more importantly you must understand why you are applying them and how you may need to adapt the concepts and even go beyond in a dynamic way. As the situation dictates you may need to go beyond the regulatory guidelines in order to meet the risks head on. It is a dichotomy that large financial organisations have been battling for years.

Would it not be refreshing to hear more about the financial crime and regulatory professions empowering business strategy, on the front foot, going beyond the norms of regulation to add maximum value to the business they support.

We think part of the problem is in the title – Compliance.  Let’s talk about risk management strategy instead.

Guilt By Association; Reputational risk for FinTech and the changing dynamics of terrorist financing

Are FinTech firms and new payments providers doing enough to manage the financial crime and reputational risks associated with terrorist financing?

Lots has been written about the changing dynamic in terrorist funding in recent months after the revelations that a $28,500 loan may have been used by Syed Farooq and his wife in preparations for the San Bernadino attack, which took place on 02DEC15 and resulted in 14 killed and 22 seriously wounded. Pre-paid or value stored cards were reportedly used by the Paris attackers to fund preparations for their attack on 13NOV15 that resulted in 130 killed and 368 wounded.  Indeed in October 2015 weeks before the Paris attacks the Financial Action Task Force (FATF) released a paper ‘Emerging Terrorist Financing Risks’where they analysed some of the evolving typologies being reported by global contributors to the study.  Of particular interest under section B & C is the assessment of fundraising via social media and new payment products and services. The horrific incidents in Paris and San Bernadino are a sign of changing landscape but are not isolated in nature as the FATF report highlights. The abuse of product offerings by FInTech firms is likely to continue as terrorists and illicit actors continually seek new ways to transfer money globally to fund their activities.  Below, we examine the detail around the San Bernadino attack to highlight some of the areas FinTech firms need to be aware of when managing their financial crime risk, and the concomitant reputational risk appropriately.  We’ve sourced our findings from the likes of the FTAlphavilleWall Street Journal and LA Times.

To simplify the overall picture, Prosper Marketplace facilitated a loan to Syed Farooq via WebBank (the actual provider) and the packaged loan products were purchased by Citigroup for securitisation. We are not commenting here as to whether any of the organisations named in these articles did anything but complied with the applicable regulations, but even so the association is in itself likely to have an immediate or longer term reputational impact. The Google Trend analysis below clearly shows the spike of negative internet activity associated with WebBank and Prosper as a result of the San Bernadino shooting.

In fact the Wall Street Journal article suggests that Prosper Marketplace purchased the specific Farooq loan back from Citi not long after news broke of this issue, signifying the seriousness of the scenario and perceived reputational impact felt by both parties.  The FT Alphaville ‘ugly duckling’ blog post also paints a picture of WebBank as an organisation with a legacy of negative compliance findings but albeit a positive commercial outlook at the time of the San Bernadino attack.

Could or should more have been done in this specific scenario is a question we will not try and answer here and is best answered by the investigators close to the enquiry but it is a natural question that starts to pervade the commentary. One thing that is clear is that for those entrepreneurs, businesses, investors venturing into the exciting and rapidly evolving fintech, payments and online loan space it will always pay to take a long term view on how you manage these risks.  Is complying with regulation enough or when the chips are down can you or should you do more?

 

Photo credit: http://www.flickr.com/photos/21508313@N06/3210361238_not trying to be political via http://photopin.com