8th April – 14th April 2024
Sanctions
The sanctions news this week starts with the European Union, with Roman Abramovich, the Russian oligarch and former owner of Chelsea Football Club, who has once again started an action in the European Court of Justice to challenge his EU sanctions designation. Abramovich is no stranger to a challenge to his designation, and while I don’t hold out much hope for this challenge, we’ll certainly keep an eye on this one. In better news for Russian oligarchs, the General Court of the EU has annulled the designation of Mikhail Fridman and Petr Aven. ‘The General Court considered that none of the reasons set out in the initial acts was sufficiently substantiated and that the inclusion of Mr Aven and Mr Fridman on the lists at issue was therefore not justified. As regards the maintaining acts, the General Court held that the Council adduced no additional evidence compared to that on which it had relied in the initial acts.’ Worth mentioning that this decision might just work for Abramovich, but we’ll see.
In the UK, the Office of Financial Sanctions Implementation (‘OFSI’) has amended a General Licence in relation to Active Denizcilik and Beks Ships, the shipping companies, to remove the language prohibiting funds or economic resources from being made available for the benefit of any designated person.
And finally, on sanctions news this week, I have been hesitant on this podcast in the past to pass any comment on the impact of sanctions on the Russian economy. Frankly, there is so much claim and counterclaim that it would take a podcast in itself to assess their respective merits. So, while I typically keep to the facts, occasionally I will direct you to something which is worth reading as it draws on a range of reliable and verifiable sources. So, to a post on the website of the Center for European Policy Analysis (‘CEPA’) by Stephen Blank, who is Senior Fellow at the Foreign Policy Research Institute. The article, ‘Russia Squeezed as Sanctions Bite’, argues that far from being robust, the Russian economy is suffering significant issues, especially as its traditional buyers are forced to limit their trade following the tightening of compliance obligations in banks across India, China, Turkey, and the UAE. Since we’re on the theme of recommending content, there is another blog post on the website of the Carnegie Endowment for International Peace which argues that while sanctions are working, they should be more pragmatic. For example, lifting ‘Western sanctions on exports of consumer goods to Russia could accelerate Russia’s capital outflow without enhancing its ability to wage war. But these sanctions remain in place… [and] the West should open its doors to Russian programmers, scientists, engineers, and other professionals: this would be a win for the economies of Europe and the United States, and a loss for the Russian economy. After all, in a modern economy, a brain drain can be as significant as capital outflow.’
Bribery and Corruption
This week’s bribery and corruption news is a little thin, but the United Nations Development Programme has facilitated a training programme on corruption risk assessment and mitigation plans for personnel of the Department for Justice and Attorney General. The training was part of the European Union-funded project – ‘Preventing and Countering Corruption in Papua New Guinea’.
Money Laundering
On money laundering news this week, the United Nations Office on Drugs and Crime (‘UNODC’) has hosted the Financial Action Task Force’s (‘FATF’) annual Private Sector Consultative Forum (‘PSCF’). As the press release provides:
‘Participants shared their candid views on the current and evolving ML/TF risk landscape, as well as how the FATF’s strategic priorities align with the risk environment and can strengthen the effectiveness of AML/CFT efforts. There was consensus that the private sector and civil society play a critical role in helping jurisdictions address these risks more effectively.
‘Thematic discussions were held on the contemporary issues of payment transparency, asset recovery, beneficial ownership, and risk-based approach for non-profit organisations. Participants appreciated the recent work undertaken by the FATF on these issues and discussed ways forward to better develop and implement the new requirements. Participants also discussed examples of how the public and private sectors have collaborated through strong public-private partnerships, such as those combating the financial flows of the illegal wildlife trade.
‘The PSCF also touched on the opportunities and risks brought about by digitalization, technology, and innovation. This includes the development of Central Bank Digital Currencies (CBDCs) and the need to stay fully abreast of these developments to effectively address financial crimes risks.’
In other money laundering news this week, US Secretary of the Treasury, Janet L. Yellen, held bilateral meetings with Vice Premier He Lifeng of the People’s Republic of China in Guangzhou, China. In a wide-ranging meeting, it was inevitable that there would be interesting tit-bits for financial crime, and so it proved to be here. ‘The U.S. Department of the Treasury and the People’s Bank of China have agreed to start an exchange under the framework of the Financial Working Group to cooperate on our shared priority of combatting money laundering in our respective financial systems. This exchange will enable economic officials and experts from the U.S. and China to regularly share best practices and updates about our efforts to combat illicit finance, including efforts to close gaps in the U.S. and Chinese financial regulatory systems. This effort will help close off financing avenues for criminal organizations, including drug traffickers, human traffickers, and fraudsters. The first such exchange will be held in the coming weeks during the fourth Financial Working Group meeting.’
Fraud
On fraud news this week, new research indicates that $429bn was lost globally to retail fraud in the last year. The report for the fintech platform, Adyen, by the Centre for Economic Business and Research (‘CEBR’), found that on average, ‘enterprises lost $2.98 million to fraudulent attacks, though luxury fashion retailers lost $3.97 million and health and beauty brands $3.94 million each. In total, nearly half of global businesses (45%) fell victim to fraudulent activity, cyber-attacks or data leaks over the last 12 months, which has increased by 32% when comparing to 2022’s numbers.’
Now to the US, and our old friend, that is to say ‘enemy’, Covid-19 fraud. I have soft-pedalled the Covid-19 fraud stories over the last few weeks because they are a distraction when more significant fraud stories are out there. Well, this week, the US has made a significant announcement, so they are back again. First, the Department of Justice has published its Covid-19 Fraud Enforcement Task Force 2024 Report. In terms of stats, the US response has been impressive. Since the Task Force was established in 2021, 3,500 defendants have been charged, and over $1.4bn in fraudulently obtained Covid-19 relief funds have been seized or forfeited. In addition, more than 400 civil lawsuits have been filed which have resulted in court judgements and settlements of over $100m. However, the zeal has not dampened at all, and the Department of Justice has committed to a continuation of its investigation and prosecution of pandemic relief fraud. Indeed, it could not be more timely, since it was also announced this week that new legislation has been introduced in the US Congress to address systemic pandemic fraud and prevent future schemes. The ‘Fraud Prevention and Recovery Act — modeled on President Biden’s Sweeping Pandemic Anti-Fraud Proposal highlighted in the Fiscal Year (FY) 2025 Budget — [is designed] to crack down on systemic pandemic fraud across government programs and help victims of identity theft recover.’
In light of this news from the US, and for old times’ sake, a man from Massachusetts has been arrested for fraud on the Paycheck Protection Program, and a woman from Cincinnati has been sentenced to seven years’ imprisonment for Covid relief fraud, having sought $1.2m but received far less; what was received is subject to a restitution order.
And finally, on fraud news this week, while prison time for fraud may be the idea some fraudsters have of a punishment, news from Vietnam is a reminder that some jurisdictions go a little further. Truong My Lan, the chair of the developer Van Thinh Phat, has been sentenced to death for her part in a high-value property fraud. In total $12.5bn was embezzled, the equivalent of almost 3% of Vietnamese gross domestic product, though the true total may have been around $27bn.
Cyber Crime
The cyber-attack news this week starts with a round-up. First, a hacker has released data related to 8.5m users globally from the US Environmental Protection Agency. The breach was revealed earlier this week, and the detail of it has been slow in coming out, so expect more on this over coming weeks. In London, the veterinary services company, CVS Group, has said that it has identified a cyber-attack on its systems. It said in a market announcement, because it is a listed company, that the attack has been isolated in order to prevent wider unauthorised access. The attack was limited to its UK operations. No organisation has yet claimed responsibility for the attack. It is being reported from Czechia that Russian cyber-attackers are attempting to compromise the railway networks of Europe as part of a broader attack on the European Union and its critical infrastructure. This warning comes in the light of cyber-attacks on railway companies in Latvia, Lithuania, Romania, and Estonia.
Now, to the big news this week. First, the International Monetary Fund (‘IMF’) has published its Global Financial Stability Report for 2024 and dedicated a chapter in it to cyber risks and how they are a clear concern for macrofinancial stability. As the report notes, ‘the risk of extreme losses from cyber incidents is increasing. Such losses could potentially cause funding problems for companies and even jeopardize their solvency. The size of these extreme losses has more than quadrupled since 2017 to $2.5 billion. And indirect losses like reputational damage or security upgrades are substantially higher.’ However, a clear warning is reserved for the financial sector, which is exposed to unique risks because of the sensitive data it controls and the transactions it handles. Financial institutions are targeted by cyber-criminals either for financial gain or for the sense of achievement which might come from the disruption caused to such entities by cyber-attacks. This is an important risk to manage because attacks on the financial system could ‘threaten financial and economic stability if they erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions.’ In extreme cases, it could cause market uncertainty, a bank run, or both. While there have been no significant “cyber-runs” – as the report labels them – the analysis in the report suggests ‘modest and somewhat persistent deposit outflows have occurred at smaller US banks after a cyberattack.’ I expect regulators to take interest in this report since the risk is a real and rising one, especially in light of shifting geo-politics.
Secondly, the government in the UK has published its Cyber Security Breaches Survey 2024. As part of the survey, the government asked UK businesses, charities, and educational institutions how ‘they approach cyber security and gain insight into the cyber security issues they face.’ This then informs government policy on cyber security and how government works with industry to build digital resilience. It should come as no surprise that the Survey finds that cyber security breaches and attacks remain a common threat. ‘Half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%). By far the most common type of breach or attack is phishing (84% of businesses and 83% of charities). This is followed, to a much lesser extent, by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities). Among those identifying any breaches or attacks, it is estimated in the Survey responses that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.’
‘Phishing is by far the most common type of cyber crime in terms of prevalence (90% of businesses and 94% of charities who experienced at least one type of cyber crime). The least commonly identified types of cyber crime are ransomware and denial of service attacks (2% or less of businesses and charities who experienced cyber crime in each case). When removing phishing-related cyber crimes, we estimate that 3% of businesses and 2% of charities have experienced at least one non-phishing cyber crime in the last 12 months. A total of 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime. The proportion is higher among large businesses (7%).’
On the back of the Survey, the government advises that organisations adopt ‘cyber hygiene’ strategies with ‘malware protection, password policies, cloud back-ups, restricted admin rights and network firewalls.’ In terms of ‘cyber hygiene’ progress made, when compared to 2023 those using up-to-date malware protection increased from 76% to 83%. The restriction of admin rights increased from 67% to 73%. The use of network firewalls increased from 66% to 75%, and agreed processes for phishing emails increased from 48% to 54%.
However, to me, the thing which raised my eyebrow most sharply was the issue of incident response. The Survey found that while ‘a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. These findings are consistent with previous years. The most common processes, mentioned by around a third of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting. Formal incident response plans are not widespread (22% of businesses and 19% of charities have them). This rises to 55% of medium-sized businesses, 73% of large businesses and 50% of high-income charities. External reporting of breaches remains uncommon. Among those identifying breaches or attacks, 34% of businesses and 37% of charities reported their most disruptive breach outside their organisation. Many of these cases simply involve organisations reporting breaches to their external cyber security or IT providers and no one else.’
And finally, this week, researchers at Carnegie Mellon University are using cognitive AI to get into the mind of the cyber-attacker in order to build stronger defences for future networks.
References
Adyen, Adyen finds the global retail sector lost $429 billion to payments fraud last year.
Carnegie Endowment for International Peace, Western Sanctions on Russia Should Be More Pragmatic and Less Punitive.
Carnegie Mellon University, Leveraging Human Psychology to Thwart Cyber Attacks.
Center for European Policy Analysis, Russia Squeezed as Sanctions Bite.
Court of Justice of the European Union, War in Ukraine: the General Court annuls the inclusion of Petr Aven and Mikhail Fridman on the lists of persons subject to restrictive measures between February 2022 and March 2023 (press release).
Court of Justice of the European Union, Fridman v Council (application and judgment).
Court of Justice of the European Union, Aven v Council (application and judgment).
Department of Justice, COVID-19 Fraud Enforcement Task Force Releases 2024 Report.
Department of Justice, Plymouth Man Arrested for Paycheck Protection Program Fraud.
Department of Justice, Cincinnati woman sentenced to 7 years in prison for crimes related to COVID-19 relief fraud.
Financial Action Task Force, Private Sector Consultative Forum, April 2024.
International Monetary Fund, Global Financial Stability Report, April 2024.
International Monetary Fund, Rising Cyber Threats Pose Serious Concerns for Financial Stability.
Office of Financial Sanctions Implementation, General Licence – Active Denizcilik and Beks Ships Transit to Port and Wind Down INT/2024/4576632.
The White House, FACT SHEET: President Biden’s Sweeping Proposals to Crack Down on Pandemic Fraud and Help Victims Recover Introduced in Congress.
UK Government, Cyber security breaches survey 2024.
US Department of the Treasury, READOUT: Secretary of the Treasury Janet L. Yellen’s Bilateral Meetings with Vice Premier He Lifeng of the People’s Republic of China in Guangzhou, China.
US Department of the Treasury, Statement from Secretary of the Treasury Janet L. Yellen on Announcement of New U.S.-China Initiatives Following Meeting with Vice Premier He Lifeng of the People’s Republic of China.