globa anti-corruption, money and commodities flows, data security 8-19-14

Part 2:

Global Anti-CorruptionMoney and Commodities Flows

Data SecurityEthics

Asset Recovery

CFCS Examination Preparation SeriesAugust 20, 2014

Presented ByBrian Kindle

Brian KindleExecutive Director

Association of Certified Financial Crime SpecialistsMiami, FL

Certification, News, Guidance, Training, Networking

Global Anti-Corruption


5

Overview• Corruption has many definitions, takes many forms

• “Grand” corruption• Petty corruption• Commercial bribery and corruption

• Widespread negative consequences of corruption to economic development, fair markets and competitiveness, civil society

• ACFCS focuses on corruption of public officials, especially involving corporations, business entities

6

What is a Corrupt Payment?• Bribe or corrupt “payment” does not have to be made in cash

• Made from “payor” to recipient

• Can include nearly anything that induces recipient to grant some official favor or advantage that payor should not or would not otherwise have received

• Luxury goods• Services• Free use of property or goods• Access and influence

7

Methods to Make and Conceal Corrupt Payments

• Gifts, travel and entertainment expenses• Charitable contributions, contributions to nonprofits under control of

government official• Direct payment of campaign expenses• Payments to fictitious employees, or adding associates of official to

company payrolls• Payments to fictitious businesses, inflated payments to businesses for

the products or services provided• Payments through loans, or allowing official free use of services or

property• Third parties – sales agents, vendors, contractors, attorneys

8

Red Flags of Corrupt Payments• Records of fee payments to a third party are significantly higher

than other third parties in the same industry sector, without compelling business rationale

• Abnormal compensation arrangements, such as excessive commissions or unusual reimbursements

• Payments to domestic businesses, persons made to offshore accounts

• Substantial payments to contractors , employees or third parties with little experience in the field they purportedly work in

9

Red Flags of Corrupt Payments• Invoices from companies or third parties that are vaguely

worded or do not clearly describe services performed

• Employees or third parties with close ties or past business associations with government officials

• Employees or third parties who have entered into business arrangement or transaction at request of a government official

• Third parties using multiple shell companies to conduct transactions, or are themselves a shell company

10

NGOs and Anti-Corruption Advocacy• Non-governmental organizations, with and without backing of

national governments, have been active in anti-corruption

• World Bank• Transparency International

• Corruption Perceptions Index, other publications• United Nations and UN Office on Drugs and Crime

• Convention Against Corruption with 140 signatories• Organization for Economic and Cooperation and Development

• Anti-Bribery Convention with 40 signatories

What Is the Foreign Corrupt Practices Act?

• US law enacted in 1977• Two areas

- Anti-bribery provision

- Books and records/internal controls provisions • Enforceable by DOJ and SEC

- DOJ: Criminal, civil jurisdiction over US companies, their subsidiaries

- SEC: Civil jurisdiction over US “issuers”

12

Who the FCPA Covers• Any issuer under US securities laws

• Domestic or foreign public companies registered required to file periodic reports with SEC

• Domestic concerns, including US companies, citizens, nationals, residents

• Person or entity that engages in any act in furtherance of corrupt payment while in US territory

• International scope – 9 of top 10 largest FCPA cases are non-US companies

FCPA Anti-Bribery Provision

• Prohibits corruptly making, offering or

promising to make a payment, gift, or anything

of value, directly or indirectly, to a foreign

official for purpose of obtaining or retaining

business

14

• 2013: Twelve companies paid $731 million to resolve FCPA cases• 91 Pending Corporate Investigations as of January 2014 (FCPA Blog)

Weatherford (2013)*

Daimler AG (2010)

JGC Corp. (2011)*

Technip (2010)*

Snamprogenti Netherlands BV (2010)*

ENI/Snamprogetti (2010)*

Alcoa (2013)

Total S.A. (2013)*

BAE Systems (2010)*

KBR/Haliburton (2009)

Siemens (2008)*

0 100 200 300 400 500 600 700 800 900

Top Ten FCPA Monetary Settlements (corporations)

Settlements (in millions)

FCPA Enforcement

Who Is A Foreign Official?

• Very broadly defined• Not limited to high-level officials• Includes people acting on behalf of government entity• Includes employees of government-owned or

government-controlled entities- "Instrumentality" = fact-specific inquiry

• Includes political parties, party officials and candidates• Includes employees of international organizations• Effective "control" of the entity is key

Books and Records Provisions• Only applicable to issuers under US securities laws

-BUT: Should still be part of robust compliance program for private companies

• Issuers must "[m]ake and keep books, records… which… accurately and fairly reflect transactions and dispositions of assets of the issuer“

• Issuer also must "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances" that transactions are:

- Executed and access to assets is permitted only in accordance with management authorization- Transactions are recorded in a way to permit financial statements to be prepared according to GAAP

17

UK Bribery Act

• Enacted in 2010, effective July 2011

• Goes beyond FCPA in enforcement scope, strictness

• Covers any UK citizen, all corrupt activities in UK, and any company with operations in UK

• Stiff penalties – unlimited fines for corporations, 10 years for individuals

• Very limited enforcement so far

18

Provisions of UK Bribery Act

• Blanket prohibition on bribing any person, public or private

• Specific provision criminalizing bribery of public officials – can be any “financial or other advantage”

• Creates standalone offense of “failing to prevent bribery” at an organization• Organizations can avoid prosecution by

demonstrating effective anti-corruption compliance

19

Global Anti-Corruption Crackdown

• Brazil Clean Companies Act in 2013• Russia Anti-Corruption Law in 2012• China’s ongoing domestic anti-corruption campaign • US – Africa Summit this year – anti-corruption

efforts were a major focus

20

Anti-Corruption Compliance

US, UK have provided guidance, along with many public and private-sector organizations. Best practices include:

• Commitment from senior management• Effective procedures for risk assessment and internal audit• Clearly articulated compliance policies, procedures, code of

conduct• Compliance program oversight by senior management with

autonomy, adequate resources• Ongoing training for new and current employees, as well as

third parties

21

Anti-Corruption Compliance

• Procedures for confidential reporting of corruption violations and internal investigation

• Updating compliance programs and policies through testing and review

• Risk-based due diligence on third parties and transactions

• Due diligence on mergers, acquisitions and proper integration after acquisition, merger, or joint venture

Third Parties• Managing third-party relationships is critical for FCPA, anti-

corruption compliance

• Three steps to retain third parties, reduce FCPA exposure

1. Due diligence on third party's background, reputation, experience, connections with local government officials

2. Contractual provisions (FCPA representations, warranties)3. Active oversight to ensure third party's commitment to

FCPA, other laws

Bribery Vs. Extortion

• Bribery involves providing something of value to recipient in exchange for expected benefit

• Extortion involves threat of harm to person or entity if they do not provide something of value or comply with demands

• FCPA and UK Bribery Act provide exemptions in case of extortion – must be legitimate danger and a credible threat

Key Lessons

• Corrupt payments are increasingly made through complex channels – understand common methods and risks, including geographic

• Third parties are a recurring risk, should be one focus of anti-corruption programs

• Understand the FCPA• Who it applies to, including “foreign official definition”• Common risk areas• Compliance best practices

25

Practice Question

Global Widget Co. recently acquired a local company in Benistan, a country with considerable state involvement in the economy and history of corruption. Before the acquisition, Global Widget hired a major international law firm to conduct a due diligence review and uncover any potential violations of anti-corruption laws. When the review came back free of issues, Global Widget completed its acquisition.

Three years later, Global Widget compliance executives were conducting their first anti-corruption training with employees from the Benistan office. During the training, Global Widget was alerted by Benistan-based employees that the distributors used by the company may be bribing local government officials. Global Widget had not conducted a review of the distributors in Benistan. When it looked into the allegations, it found widespread potential Foreign Corrupt Practices Act (FCPA) and UK Bribery Act violations.

What are two weaknesses in Global Widget’s anti-corruption compliance program?

26

Practice Question

A. Global Widget did not include its distributors in Benistan when it conducted its anti-corruption due diligence

B. The due diligence review should have been conducted exclusively by local counsel in Benistan because they would be better versed in the country’s culture and laws.

C. Global Widget should have conducted anti-corruption compliance training as soon as possible after acquiring the company in Benistan.

D. Global Widget failed to reach out directly to government agencies in Benistan to request information on any history of corrupt payments at the company it was acquiring.

27

Practice QuestionA large grocery store company has four stores located in a neighboring country. The company’s chief compliance officer has recently received a tip from an anonymous whistleblower indicating that managers at one of the stores in the neighboring country may be paying bribes to local government officials.

The whistleblower's information is credible, but the compliance officer does not know which of the store managers is involved in the bribery scheme. You are asked to review internal records at each of the four stores for evidence of corrupt payments. Which finding is the strongest indicator that the store managers are paying bribes?

28

Practice Question

A. Sales records from Store A indicate a sharp increase in sales of a line of cereals that was previously unpopular in its market area.

B. Transaction records from Store B show a series of payments to an offshore account held by a well-known international law firm.

C. Invoices from Store C show that the store has hired a consultant whose only prior experience was organizing an event for a political campaign.

D. A document from Store D shows that the managers paid bonuses to sales agents after they secured a major contract to stock groceries for a chain of department stores

Data Security


30

Definition and Overview

• Properly safeguarding, storing and disposing of the financial, personal and other sensitive data of an organization, its employees and its customers

• Data security and financial crime are increasingly interconnected

• Data breaches lead to fraud, identity theft schemes• Organized crime rings turning to cyber financial crime• Internal data theft and malfeasance supports range of

financial crimes

31

What We Will Cover

• These are the primary topics we will cover today

• Types of Cyberattacks

• Preventing Cyberattacks

• Reacting To Cyberattacks

• Data Privacy

32

Common Types of Cyber Financial Crimes• There are two main types of cyberattacks

• Network based attacks• Relatively rare• What most people think of as hacking• Prevented by firewalls and ACLs

• Virtual attacks• Most common• Take many forms• Prevented by security policies

• Today we will focus on Virtual Attacks

33

Common Types of Cyber Financial Crimes

• Types of Virtual Attacks

• Social Engineering

• Malware

• Account Takeover

• Other Attacks

34


• Social engineering

• Deceiving or manipulating target into turning over personal data, confidential information

• Uses similar tactics to “traditional” fraud

• Often involves multiple channels – e-mail, phone, social networks, in-person contact

35

Types of Social Engineering

• These are the common types of Social Engineering Attacks

• Phishing

• SMS Phishing (Smishing)

• Voice Phishing (Vishing)

• Spear Phishing

36


• Phishing

• Using false e-mail or other electronic message to manipulate recipient into providing confidential data

• There are many types of phishing attacks• Data Capture• Nigerian 419 Scam (Often Advance Fee Fraud)• Man-in-the-Middle Attack

• Data captured in phishing furthers identity theft, account takeover schemes

37


• SMS Phishing

• Smishing is achieved by sending SMS messages to people with links to website that will perform a data capture

• Becoming more common

• More successful than email phishing since most people are less cautious about SMS Messages

38


• Voice Phishing (Vishing)

• Vishing is basically using phone calls while posing as someone in authority to elicit sensitive information (like Passwords and logins)

• Most similar to standard confidence frauds from the past

• Far more successful than you would expect

39


• Spear Phishing

• This is very similar to a standard phishing attempt, but more targeted

• Uses some personal information to personalize the communication

• Far more likely to be successful than a standard phishing attack

40


• Malware

• Malicious or intrusive computer code used to obtain and transmit data to a third party

• Typically delivered by a compromised or malicious website, but can be delivered within other software packages

• Designed to run undetected, capture activity on a device (i.e. keystroke loggers) or allow a third-party remote access or control

41


• Malware

• Computer Virus- a computer program that can replicate itself and extend from one computer to another through actions undertaken by the user to proliferate

• Trojan Horse or Trojan- a non-self-replicating type of malware which appears to perform a desirable function of a legitimate software application but instead facilitates unauthorized access to the user’s computer system

• Computer Worm - a standalone malware computer program that replicates for the purposes of spreading to other computers automatically

42


• Account Takeover

• Often the end result of other cybercrime, identity theft schemes

• Occur when attacker obtains login information, credentials for an individual or business financial account, performs unauthorized transactions

• Estimated $350 million to $ 1 billion lost from US commercial accounts in just the past year

43

Case Study: Target Data Breach

• In early January, Target confirmed it was the victim of one of the largest data breaches of all time

• Full credit and debit card information on 40 million customers

• Personal data on additional 70 million customers• Major fallout- civil suits, investigation by US Attorney

general• JPMorgan, other banks limiting transactions

44

Case Study: Target Data Breach

• The Target attack was a multi-tiered attack

• Began with attackers purchasing “crimeware” that steals data from point-of-sale systems

• Attackers compromised Target web server through a third party vendor • Once server was accessed, attackers were able to upload malware to

POS systems• POS systems automatically transmitted information back to computers

controlled by attackers• Card information was uploaded to blank cards for charges, withdrawals

around US • Personal information will likely result in further identity theft,

spearphishing schemes

45

Planning for a Data Security Program

• Assess what needs protection, classify and prioritize data based on risk

• Take into account physical and human aspects of data security, not just technological issues• Physical security is a major vulnerability, a great deal of

security breaches are due to failings of internal security• Must have internal security policies as well as external access

policies

• Consider and plan for potential repercussions from data breaches and theft

46

Data Security Program Best Practices

• Manage log of changes• Multi-tiered access rights, highest levels of

access only from specific internal sources• Change all default, vendor-supplied credentials• Partition networks to isolate sensitive data• Strictly manage your data retention policy• Multi-factor authentication for network access• Data retention/deletion policies and process

47

Data Security Program Best Practices

• Train both your employees and customers to recognize fraud attempts

• Actively monitor your network• Restrict administrative connections to specific

internal sources and do not allow any external connections

• Implement firewalls and ACLs and keep them updated

• Implement internal policies to keep all software updated with automatic systems

48

Ongoing Data Security Monitoring and Testing

• Flagging, monitoring failed login attempts

• Enforcing password, authentication policies

• Password cracking tests

• Routine log monitoring

• Ongoing employee training, monitoring

49

Responding to a Data Breach

• Unfortunately, it is likely a matter of time before a data breach will occur

• An important part of you data security program should include how you react to data breaches

• There are often legal requirements, depending on your jurisdiction, for how to react

• It is far better to be proactive in controlling the narrative rather than to trying to ‘sweep it under the rug’

50

Data Breach Response Best Practices

In addition to closing the vulnerabilities that led to the breach, you should:• Identify the sensitivity of the data lost and the

impact on the subjects and the organization• Establish if the data can be accessed without

special software or techniques• Identify whether the data can be recovered• Notify the crisis management team• Establish a list of affected customers• Draft both public and direct communications• Prepare a PR Strategy

51

Essentials of a Data Privacy ProgramAs custodians of personal data about your customers there are certain responsibilities in keeping that data secure. You should:

• Designate an employee(s) to manage the Information Security Program

• Identify and asses the risk of losing customer data in each area of the company

• Test and monitor on an ongoing basis• Assure service providers with access to the data are

compliant with your data security program• Know how to respond to Law Enforcement requests

for data

52

International Data Privacy LawsEU Data Privacy Directive

• In addition to protecting customer data from data breach, companies have a great deal of regulation as to how and when they can release customer data

• While there are several international laws, and numerous local ones that depend on the jurisdiction, the EU DPD is a strong example

• The EU DPD is very restrictive for protecting data privacy, it requires:• Consent from the customer• Necessary for compliance with a legal issue• Necessary for meeting a legitimate interest

53

Key Lessons

• Securing human side is critical aspect of data security

• Cyberattacks rely heavily on old-fashioned fraud – understand social engineering techniques and challenges

• Data security and privacy policies should focus in part on limiting access to data

Practice Question

Your financial institution has been subject to several social engineering attempts over the last few weeks. While none have been successful, you worry that it might be a matter of time. To keep your network secure, you have decided to update your network security policies.

What is an important step to include in your network security policy?

Practice QuestionA. Educate your online customers to detect phishing attempts and other fraudulent email scams.

B. Disable auto deletion of old data and move them to an archive server.

C. Only permit administrative connections via the Internet through HTTPS or SSH connections.

D. Require confirmation from network engineering before resetting any lost passwords.

Practice QuestionAnswer A is correct as this is a recommended step in all network security policies. While not high tech or glamorous, educating your staff and your customers to recognize phishing and fraudulent emails is a fundamental and highly successful way to prevent fraud.

Answer B is incorrect as this is the opposite of a good data retention policy, and has nothing to do with a network security policy.

Practice QuestionAnswer C is incorrect as a good security policy will not allow any administrative connections through the internet, even via secure connections like HTTPS or SSH. Administrative connections are those that allow you to log into internal devices and make changes to how they function. This task should only be allowed from internal connections.

Answer D is incorrect as it is not very scalable and network engineering is the wrong group to manage this anyway. There are hundreds of password resets that are performed every day by most large financial institutions. There is no way that the network engineering staff would be able to keep up with the requests. They would also have no way to determine if the requests should be approved or denied.

Money and Commodities Flows


59

Financial Crime and Money Transfer Mechanisms

• Mechanisms to move, transfer and employ criminal proceeds are essential to perpetrating financial crimes

• Methods to move money and other financial assets are limited only by imagination of the financial criminal- wire transfers, international trade, informal value transfer systems, prepaid cards, etc.

• As new mechanisms evolve, pre-existing money transfer methods remain, leaving complex and growing network of threats

60

Checks and Bank Statements

• While declining in use, checks in combination with bank statements can still be useful to map flows of money or other assets.

• Financial crime professional should look for:• Payees on checks• Comparison of endorsers to determine consistency• Volume of checks and pattern of account use show in

bank statement• Large checks or others that do not fit general use of

account• Notes and numbers written on the back of a check by

bank employees

61

Wire Transfers

• All-purpose vehicle to move funds in all financial crime scenarios

• Examples of red flags include:• Funds transfers to known tax/secrecy havens• Wire transfers with no legitimate business purpose• Customer with low account balance sending or receiving frequent

wire transfers• Rapid succession of wire transfers in similar or exact amounts• Customers in cash-intensive businesses that send large wire transfers• Unusual funds transfers by correspondent banks• Customers using cash or bearer instruments to purchase wire

transfers

62

Trade Price Manipulation

• Also known as trade-based money laundering, continues to be a popular vehicle to move illicit proceeds

• Requires two or more persons working together to move funds using combinations of over-valued and under-valued imports and exports Parties may understate the price of imported goods or overstate the price

of exported goods.

Parties may overstate the price of imported goods or understate the price of exported goods.

63


Assume Person A wishes to move money from Country X to Person B in Country Y.

• Person B buys 10,000 widgets in Country Y and exports them to Person A in Country X with an invoice for $100 per widget, although he only paid $10 per widget.

• Persons A or B go to a bank to obtain trade financing to finance the exportation or importation of 10,000 widgets at $100 apiece.

• Person A pays Person B the $1 million that is invoiced.

By this transaction, Person A is able to move an excess of $900,000 disguised in international trade.

64


• Why so popular?• Difficult to detect• Lack of accurate, timely data on goods and

commodities pricing in many jurisdictions • Volume of legitimate trade• Able to move funds across borders

• Key concern for institutions engaged in trade finance – letters of credit, factoring, etc.

65


• Red flags for TBML include:• Payments to vendors in cash or wire transfers by

unrelated parties• Packaging inconsistent with commodity or shipping

method• False reporting on type, quantity or quality of

commodities imported/exported• Carousel transactions- repeated importation,

exportation of same high-value commodities• Trading in commodities that do not match business

66

Money Service Businesses

• Like banks and other financial institutions, MSBs are vulnerable for use by financial criminals. Some reasons for this include:

•Simplicity and certainty of transactions

•Global reach of network of MSBs

•Cash nature of initial steps of transactions

•Fewer customer identification rules are imposed

• Because of the high volume of customers, reduced possibilities of verification of customer identification

• Customer relationships sometimes less formal, customers rotate

67

Informal Value Transfer Systems

• System for transferring value through exchange of goods or currency from one person in one country to person in another country

• Not banks in the traditional sense

• Maintain their own financial accounts but do not rely on global financial system to move funds

• Common examples include:• Black market peso exchange• Hawala

68

BMPE

Narcotics proceeds in US dollars sold to

“cambistas” in US or Mexico Cambistas swap

dollars with import/export

businesses that need them

Import/exporters or cambistas purchase goods in US dollars

Goods transported or smuggled

Cambistas pay off narcotics rings in

pesos

Drugs smuggled into US and sold

69

Money Transfer through Securities Trading

• Trade in securities is multi-trillion dollar sector of global economy, can be very difficult to monitor

• Securities trading can be used to launder and move criminal proceeds, also be manipulated to earn illicit proceeds

• More commonly used in layering, integration for money laundering, as in wash trading

• May involve complicity of broker or employee

70

Money Transfer through Securities Trading

• Common indicators of suspicious activity in securities industry include:

•Liquidating what would usually be a long-term investment within a short period

•Using a brokerage account similar to a depository account•Opening multiple accounts or nominee accounts•Changing share ownership when making cross-border transfer•Engaging in transactions involving nominees or third parties

71

Prepaid Cards and Financial Crime Risks

• Also called “stored value cards,” can represent easily transferred, highly portable means to move funds

• Sometimes can be obtained with less due diligence than opening bank account or obtaining credit card

• Prepaid card fraud is sometimes tied to credit/debit card fraud and account takeover schemes- stolen cards and account value is used to purchase prepaid cards

72

Prepaid Cards and Financial Crime Risks

• Ways to mitigate prepaid usage for financial crime include:

• Understanding how and why card will be used• Monitor reload activity, set limits on reloads• Identify source and location of reloads• Monitor number and type of cards issued to any given

customer• Conduct due diligence to understand all parties involved in

issuance of cards

73

Bitcoin and Virtual Currencies

• Digital currencies come in many types

• Many are both a new form of money and a self-contained system

• Two main categories –

• “Crypto” are decentralized, using peer-to-peer transaction systems,

more difficult to control

• “Non-Crypto” are centralized, use proprietary platform for currency

exchange, much easier to control and shut down

• Bitcoin is largest crypto-currency in terms of users, value

• Serves as model for a number of others – NameCoin, PPCoin, etc.

74

Bitcoin and Virtual Currencies

75

Key Lessons

• Channels for illicit transactions are multilayered and increasingly complex

• Professionals should be able to recognize key attributes, red flags in many payment and value transfer systems, including:• TBML• BMPE• Prepaid cards• Bitcoin and other virtual currencies• Hawala

• Understanding “normal” behavior in any given transaction, customer relationship is essential

76

Review Question

You are an investigative professional who has been asked look in to an import/export firm that specializes in tropical fruits, vegetables and other agricultural products. The firm is suspected of involvement in a trade-based money laundering operation.

You gather the following intelligence. What would be the best indicator of TBML, and a lead to focus your investigation?

77

Review Question

A. The firm’s articles of incorporation do not list its beneficial owners

B. The firm has made large numbers of domestic wire transfers

C. The firm has a number of invoices for exports of consumer electronics

D. The firm has received a letter of credit from a major financial institution

78

Practice Question

A young woman who is a national of Country A, works as a caregiver for a family in the U.S. She sends much of her earnings to support her family back in Country A by giving the amount in cash to a local grocer, whose family heritage is also in Country A.

Once the grocer receives the cash, he calls his partner who runs a market in one of the larger cities in Country A. From there, the young woman's family can pick up the money sent.

What is the name commonly used to describe this form of remittance transaction?

79

Practice Question

A. Cash transfer

B. Hawala

C. Referral banking

D. Black Market Peso Exchange (BMPE)

Your Questions

Thank you for attending

Next Session is Friday, August 22, 12:30 PM ET

globa anti-corruption, money and commodities flows, data security 8-19-14

Documents