On September 6, The New Yorker published an exposé, authored by Pulitzer-winning journalist Ronan Farrow, chronicling both the hitherto unknown depth of Jeffrey Epstein’s involvement in fundraising for MIT’s Media Lab and the extent to which a small group of individuals sought to conceal this relationship. Farrow reported that, despite Epstein having been added to MIT’s list of “disqualified” donors following his 2008 conviction for solicitation and procurement of a minor for prostitution, “the Media Lab continued to accept gifts from him, consulted him about the use of the funds, and, by marking his contributions as anonymous, avoided disclosing their full extent, both publicly and within the university.” While Reif had apologized for accepting $800,000 from Epstein in known donations, the director of the MIT Media Lab, Joi Ito, later admitted to secretly accepting $7.5 million secured by Epstein from other donors, including Bill Gates, and over a million dollars from investment funds controlled by Epstein himself. According to Signe Swenson, an MIT fundraising coordinator turned whistleblower, the Media Lab kept donations from the blacklisted financier off-the-books in order to hide the relationship from MIT’s central fundraising office. Ito also hid meetings with Epstein, who would visit the lab accompanied by young female “assistants,” from critical faculty members. The day after the New Yorker article was published, Joi Ito resigned and Reif released another letter, this time promising an independent fact-finding investigation. Reif stated that MIT’s administration is “actively assessing how best to improve our policies, processes and procedures to fully reflect MIT’s values and prevent such mistakes in the future.”

The Epstein scandal has thrown the policy failures of numerous campus fundraising departments into sharp relief. As a September 9, 2019 article from the Associated Press noted, a number of other schools are struggling with how to handle tainted funds from Epstein. Ohio State University is reviewing over $2.5 million in gifts, and Harvard reported that it has already spent over $6.5 million in donations. Meanwhile, both the University of Arizona and the University of British Columbia were reportedly unaware that gifts they received from charitable foundations were linked to Epstein. The article noted that, while more universities “have been crafting policies to guide them when concerns about donors arise” and appointing “ethics boards to screen donors,” few hard and fast guidelines exist to help schools and other nonprofit entities protect their reputations. The case of MIT, wherein the University’s main fundraising office was unaware of the source of the monies solicited by the Media Lab, is a prime example of the need for stronger fundraising policies and oversight structures.

Some Strings Attached
In addition to corporate social responsibility issues deriving from unsavory sources of funding, charities and other not-for-profits must also be aware of unethical incentives and potential legal pitfalls created by reliance on major corporate donors. Such risks are exemplified in an ongoing federal whistle blower suit (United States of America et al v. Davita Health Care Partners et al) in which David Gonzalez, a long-time employee of the American Kidney Fund (AKF), contended that the AKF was providing preferential recommendations to its largest corporate donors, including DaVita Health Care Partners and Fresenius Medical Care. According to the complaint, which was filed in September 2016 and unsealed this August, the advantages that the AKF conferred on its major donors ran afoul of recommendations made by the Department of Health and Human Services’ Office of the Inspector General (OIG) and amounted to “illegal referrals and payments under the Anti-Kickback Statute.”

Allegedly, as part of its 1997 agreement with the OIG, the American Kidney Fund pledged to provide funding to people engaged in end stage renal dialysis based solely upon assessed need, without taking the identity of the referring facility into account as part of the assessment. The OIG’s requirements sought to ensure that donations made by dialysis facilities to the American Kidney Fund would function as gift contributions and would not be used as a means of influencing the AKF’s recommendations when guiding patients in selecting dialysis facilities.

According to the whistleblower’s complaint, the American Kidney Fund’s adherence to the OIG’s stipulations began to break down in 2008 and 2009 as the AKF struggled to maintain adequate funding. Reportedly, the AKF would frequently turn to DaVita and Fresenius, both of whom are major national administrators of outpatient dialysis clinics, when short on funds. According to Gonzalez, “DaVita and Fresenius were asking why the AKF was letting all the [dialysis] providers use the program, when they were the one providing most of the funds” which led Gonzalez’ superiors to begin tracking the identities of its corporate donors in 2009 and linking this information to the individual grants awarded to patients and the facilities where these patients received treatment. Ultimately some patients were labelled as “Free Riders” because their treatment grants exceeded the money brought in to the AKF as donations by their treatment providers. To eliminate the so-called “Free Riders,” the AKF began to restrict grants based upon the patient’s treatment provider, in violation of its agreement with the OIG.

Beginning in 2010, the AKF was allegedly steering patients toward its largest funding providers, including DaVita and Fresenius, and blocking the applications of patients using non-contributing providers, with one of Gonzalez’ superiors specifically referring to the system as “pay to play.” By some time around 2012, the AKF was allegedly conducting weekly “training calls” with non-donating dialysis providers. As the complaint stated, “The substance of the training… was really a quid pro quo solicitation of a donation in exchange for patient support.” Internally the AKF referred to these calls as the “Recoupment Effort.” Patients who transferred from a sanctioned provider to a “blocked” non-donating provider, were also allegedly unable to transfer their AKF coverage, also in violation of the OIG’s stipulations. The complaint contended that the AKF’s efforts to tie patient grants to the contributions made by their providers, coupled with steering patients toward their largest contributors amounted to a kick-back scheme in the guise of a charity, (which received donations to the tune of $275 million in 2015). Additionally, since each AKF grant “triggers vast amounts of payments to the providers” via government programs, the complaint alleged that the Defendants were also acting in violation of the False Claims Act.

The Takeaway
As seen in the above two examples, dependence on charitable donations as a source of funding presents a unique set of risks. On the one hand, the promise of large sums of money can lead to what MIT President Rafael Rief described as a “mistake in judgment” in accepting large sums from controversial donors or from charities or foundations with unknown financial backing. On the other hand, dependence on a few demanding donors may create internal pressure or incentives to bend policy in order to ensure the continued support of these donors. While various organizations will have different levels of tolerance with regard to these risks, all not-for-profit entities should have clearly articulated social responsibility and ethics policies with regard to fundraising in order to provide guidance and structure to the fundraising process and to minimize exposure to unethical or controversial funding sources.

Recent years have seen numerous scandals revolving around high profile philanthropists. This spring, the Guggenheim, the New York Metropolitan Museum of Art, and the Tate Modern Museum in London all returned funds donated by the Sackler family (whose ownership of Purdue Pharma, maker of OxyContin, has proven controversial following growing concern over Purdue’s role in the opioid crisis).  In 2017, the University of Southern California’s School of Cinematic Arts rejected a $5 million endowment for female filmmakers from Harvey Weinstein, following a change.org petition which described the donation as “blood money.” Meanwhile, Harvard has notably bucked the trend by refusing to return funds from Epstein and Sackler, as well as Saudi Prince Mohammed bin Salman, despite public pressure and student consternation. These organizations were forced to make the difficult choice of turning away valuable, and perhaps already spent funds, or keeping the money at the risk of public outrage. As Texas A&M Law Professor Terri Lynn Helge pointed out in The Conversation, returning tainted funds can prove to be a daunting task. By giving back donated funds, charities can run afoul of state regulators; gift agreements, which may include naming rights, e.g. for dedicated buildings, can be legally binding as well. Clearly delineated best practices, including a robust screening process for potential donors, can preempt these no-win situations. In certain circumstances it may be wise to look a gift horse in the mouth. The security of your organization’s hard-earned reputation may depend upon it.

The Kreller Hot Topics Report is a monthly publication dedicated to insights on international issues and incidents.

As outlined in the filing, PrivatBank, which came to be one of the largest banks in Ukraine, was founded in 1992 by oligarchs Igor Kolomoisky and Gennadiy Bogolyubov and former Vice Prime Minister of Ukraine, Serhiy Tihipko; the bank was majority-owned by Kolomoisky and Bogolyubov until its nationalization in 2016. During the period spanning from 2006 until 2016, the oligarchs presided over what the complaint described as a “Shadow Bank,” operating alongside the institution’s licit activities.

Four Steps to Shady Financing
First, the oligarchs’ loyalists within the so-called Shadow Bank would issue business loans to entities controlled by Kolomoisky and Bogolyubov. These loans were typically issued for purported “general corporate financing” and these entities would subsequently deposit the loan money into corporate accounts overseen by PrivatBank’s Cypriot branch.

Then, in step two, with the aid of several Cypriot law firms, the Shadow Bank created dozens of anonymized corporate entities, the “Laundering Entities” (ultimately controlled by Kolomoisky and Bogolyubov) each with numerous PrivatBank Cyprus accounts, through which the various loans could be comingled and moved across the various entities and accounts in a complex shell game, meant to obscure the origin of the funds. As stated in the complaint, although these entities “had billions of dollars moving in and out of their accounts, in reality, the entities had no business, assets, operations, or employees and were shell entities deployed for money laundering purposes.”

In step three the laundered money originally acquired through “general corporate financing” loans, was channeled to a group of related Delaware LLCs and used to purchase commercial assets in the United States (more on this later), contravening the stated purpose of the loans.

Finally, in step four, the bank’s accounting was squared by repeating the first two steps and using the laundered funds from the second round of loans to pay off the first round of loans, in a Ponzi-like process known as “loan recycling.” As a July 17, 2019 article from the Financial Times put it, this scheme continued within PrivatBank until “regulators found a $5.5bn black hole in its balance sheet,” at which time Kolomoisky departed first for Switzerland, and later for Israel (where he also possesses citizenship), in the hope of avoiding possible extradition to the United States.

The Optima Group
While Kolomoisky and Bogolyubov oversaw PrivatBank and its shadow functions from Ukraine, three of the oligarchs’ lieutenants, Uriel Laber, Mordechai Korf, and Korf’s son-in-law Chaim Schochet (also named as Codefendants in the May suit), allegedly oversaw the Delaware LLCs, known as the Optima group of companies, from Optima’s headquarters in Miami. The Optima Group’s primary function was to acquire various commercial and industrial real estate holdings on behalf of Kolomoisky and Bogolyubov. The holdings acquired through the misappropriated funds varied both in geography and use, from Stemmons Tower and the former CompuCon headquarters in Dallas, to the former Motorola manufacturing facility in Harvard, IL, to PNC Plaza in Louisville, to steel manufacturing facilities in Detroit, West Virginia, and Ashland, KY.

Perhaps most notably, according to the complaint, one Optima entity, Optima Ventures LLC (owned equally by Kolomoisky, Bogolyubov, and Korf and managed by Schochet), became “the largest holder of commercial real estate in Cleveland” with major holdings dotting the Cleveland skyline including: One Cleveland Center, 55 Public Square, the Huntington Building, the Crowne Plaza Building, and the AECOM/Penton Media Building. A February 5, 2012 profile of Chaim Schochet in Cleveland’s Plain Dealer, labelled Schochet as “The most important guy you’ve never heard of,” and the man “responsible for roughly 2.8 million square feet of office space” owned by the Miami-based Optima and ultimately controlled by the Privat Group, a “Ukrainian business conglomerate.” While the article described the then-25-year-old as “engaging” when discussing his investment goals in the rebounding city, it also characterized Schochet as “circumspect” in describing Optima’s structure and investors.

Schochet’s reticence to discuss the Optima Group appears clearer in hindsight as subsequent accounts have demonstrated how little Optima cared for its “investment” properties in Cleveland. Following the nationalization of PrivatBank, which put an end to Kolomoisky and Bogolyubov’s control of the bank’s Supervisory Board and access to its lending portfolio, Optima began divesting its assets in Cleveland. As a June 11, 2019 piece in Cleveland Scene described, most of these properties “have fallen into disrepair and suffer from high vacancy rates.” The AECOM Building was purchased by Optima in 2010 with 90% occupancy; it was sold in 2018 “in need of significant renovation” with a mere 57% occupancy at an $8.5 million loss. Reportedly, One Cleveland Center has also suffered from poor tenant retention and diminished valuation. While Optima purchased the property in 2008 for $34 million, it was appraised in 2018 at only $20 million. According to the article, Optima continues to shop the building after a prospective buyer pulled out “calling the project unworkable.”

Fifty-five miles east of Cleveland, the Warren Steel plant may have closed, but its owner, Warren Steel Holdings LLC, continues to haunt Kolomoisky, Bogolyubov, and Mordechai Korf. On June 15, 2015, Warren Steel Holdings LLC’s minority beneficial shareholder, Vadim Shulman, filed suit against the trio and related business entities in the Trumbull County Court of Common Pleas. While the suit was dismissed on jurisdictional grounds, a similar suit was reportedly filed on August 23, 2019 in the Delaware Court of Chancery.

Shulman’s Trumbull County complaint, which includes details which dovetail with those found in the bank’s May 2019 suit, contends that Kolomoisky, Bogolyubov, and Korf sought to gain near-total control over Warren Steel through a “long-running, self-dealing, debt-accumulation scheme.” They did so by moving to restructure Warren Steel’s debt through a new lender. While the total value of Warren Steel’s assets was reported to be $27 million, $25 million in additional loans were advanced by the new lender, the identity of which was only revealed to Shulman after the restructuring was greenlit. The mystery lender? Optima Acquisitions LLC (indirectly owned by Kolomoisky). As the Trumbull County complaint summarized, “If the assets of Warren Steel were valued at only $27 million, Optima Acquisitions (and therefore Kolomoisky alone or together with Bogolubov) would have the benefit of security over almost all of the assets of Warren Steel which, if enforced, would leave approximately $2 million for the other lenders and obviously nothing for the Plaintiffs.”

While Kolomoisky and company were allegedly attempting to wrest full control of the plant away from its minority owner through a self-dealing lending scheme, the complaint contends that the Defendants were knowingly siphoning capital and resources away from the plant through a parallel “undervaluation scheme” in which sweetheart deals were made with other ferroalloy companies controlled by the oligarchs. Allegedly, “as a way to transfer funds away from Warren Steel, [the Defendants] sell goods to Related Parties for less than their true value and purchase goods from Related Parties for more than their true value.” These trading partners: Optima Group entities and their holdings. The Warren Steel plant “continued to operate at a loss” and closed six months after Shulman’s initial complaint was filed. If Shulman’s allegations are to be believed, the official reasons for the closure – a faltering industry and lack of financing – look more like pat excuses, trading on the well-worn economic tropes of the region and obscuring more nefarious causes.

The Purchase of a President
Back in Ukraine things are looking bright for Kolomoisky and Bogolyubov. Both of the oligarchs have returned from their extended stay in Israel following the April 2019 election of comedian Volodymyr Zelensky as President of Ukraine. According to the Financial Times, Zelensky “rose to fame playing a fictional president” on a TV channel owned by Kolomoisky. The oligarch is also believed to be Zelensky’s largest financial backer and Andriy Bogdan, an attorney who has represented Kolomoisky in the PrivatBank litigation, is serving as Zelensky’s Chief of Staff. Kolomoisky himself was reported as boasting, “People come to see me in Israel and say, ‘Congrats! Well done!’ I say, ‘For what? My birthday’s in February.’ They say, ‘Who needs a birthday when you’ve got a whole president.’” Mere days before Zelensky’s electoral “landslide,” a Ukrainian court ruled against the PrivatBank nationalization, raising concerns that Zelensky will return to bank to his political patrons. While in Ukraine the fate of PrivatBank hangs in the balance, Kolomoisky may find his own fortunes still tied to Ohio. As The Daily Beast reported on April 7, 2019, the FBI and the U.S. Attorney’s Office in the Northern District of Ohio have initiated a probe into the oligarch’s possible financial crimes.

The Kreller Hot Topics Report is a monthly publication dedicated to insights on international issues and incidents.

According to the FTC, by August 2013, “Facebook was aware of the privacy risks posed by allowing millions of third-party developers to access and collect Affected Friend data” through the Graph API. Facebook subsequently commissioned an audit of its third party apps and found that “third-party developers were making more than 800 billion calls to the API per month and noted that permissions for Affected Friends’ data were being widely misused” [emphasis in complaint]. According to the complaint, Facebook ultimately decided to discontinue the access third-party developers would have to the data belonging to the app users’ friends and the company announced this decision on April 30, 2014, as part of a campaign to give “people power and control over how they share their data with apps.” However, unbeknownst to its users, Facebook continued to give pre-existing apps access to friend data for a full year following these statements. Reportedly, some so-called “Whitelisted Developers” were provided Graph API access without consumer knowledge through June 2018. According to the FTC’s related complaint against Cambridge Analytica, LLC, University of Cambridge researcher, Aleksandr Kogan controlled one of these whitelisted apps, through his company, Global Science Research, Ltd., which would go on to provide Graph API data to Cambridge Analytica and its UK-based parent group, SCL Group Ltd. Kogan’s app, which was originally developed as part of the University of Cambridge’s Prosociality and Well-Being Lab, operated in conjunction with “an algorithm that could predict an individual’s personality based on the individual’s ‘likes’ of public Facebook pages.” Reportedly, over the course of the project, which ended in May 2015, Kogan’s app harvested data from 250,000-270,000 users and 60-65 million of the users’ friends. The FTC alleged that this data was collected “through false and deceptive means” in violation of the EU-US Privacy Shield framework.

The Federal Trade Commission touted the $5 billion penalty against Facebook as “the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.” Indeed, the FTC fine eclipses a January 2019 fine of €50 million ($57 million), imposed by France’s National Data Protection Commission (CNIL) on Google for similarly opaque data collection practices. In the press release, FTC Chairman Joe Simons stated that the “unprecedented” fine is meant to demonstrate that “The Commission takes consumer privacy seriously.” The fine also coincides with the public’s increasing awareness of both the value of personal identifying information and the precarious control individuals are able to exercise over this information. This awareness has culminated in the General Data Protection Regulation (GDPR) in Europe, the Digital Privacy Act in Canada, and increasingly vociferous calls from tech leaders, including Tim Cook, for similar legislation in the United States. As discussed in a March 29, 2019 post by The National Law Review, members of congress appear increasingly concerned with developing data privacy legislation.

Investigative Challenges and Strategies
As might be expected, the increased focus on digital privacy presents a number of challenges for online open source investigations. On the most general level, individuals have grown more circumspect about the information they provide online, ranging from abiding by the SEC’s advice to limit the amount of biographical and identifying information made public on social media, to a growing interest, perpetuated by tech theorists such as Jaron Lanier, in deleting social media accounts all together. More specifically, privacy concerns have altered some common tools used in open source research. As discussed in a June 10, 2019 Vice article, Facebook has recently disabled a search feature known as “Graph Search,” wherein investigators could construct very specific Facebook searches so as to identify, for example, overlapping check-ins by two Facebook users or all the photos commented on by a user. As noted in the article, while such features have been abused by bad actors, they have also been used by journalists and members of the open source intelligence (OSINT) community to investigate everything from sex trafficking to airstrikes in Yemen. As another example, domain name registration research can also be an invaluable tool for open source research. A record of a domain registrant can provide breadcrumbs linking a known website to an unknown individual or business, thus providing additional insight into a subject entity’s business affiliations. In the past year, many registrars have chosen to redact domain registrant (WHOIS) information, including the registrant’s name, address, telephone, and contact email, in compliance with European GDPR guidelines.

However, such challenges need not pose a serious threat to the viability of open source investigations, particularly in the field of corporate compliance. While some governments are moving to protect consumer privacy, many are simultaneously acting to increase corporate transparency, especially in response to concerns regarding money laundering. These moves toward transparency are a boon to investigations operating beyond the parameters of social media. For example, as noted by the BBC on June 19, 2019, the crown dependencies of Jersey, Guernsey, and the Isle of Man have announced that they will be taking steps to publicize their corporate beneficial ownership registers by 2023. Identifying information regarding the owners and directors of certain types of private companies is already available in many European corporate registries. Land/deed registries and legal filings can also be rich sources of publicly available information, both in the United States and abroad. In the U.S., due diligence research in the service of fraud prevention or detection is allowed under the Drivers’ Privacy Protection Act (DPPA) and Gramm-Leach-Bliley Act (GLBA), providing additional avenues of research to licensed and vetted firms. Finally – and especially in jurisdictions where public information is thin – proper due diligence may call for the human touch, i.e. contacting references, visiting a business to verify its operations, conducting character inquiries, etc. A Facebook profile may tell you what an individual “likes,” but with a few discreet phone calls, a good investigator can get a sense of what an individual is like.

The Kreller Hot Topics Report is a monthly publication dedicated to insights on international issues and incidents.

According to the Statement of Facts outlined in WMT Brasilia’s plea agreement and Walmart Inc.’s Non-Prosecution Agreement, WMT Brasilia’s subsidiary, Walmart Brazil, hired a local construction company (referred to in the filings as “Brazil Construction Company”) to build eight new stores from 2008 through 2012. Despite being aware of corruption risks in Brazil as early as July 2000, Walmart did not perform a due diligence review of the construction entity prior to initiating the contract, and when a preliminary due diligence review was conducted in late 2009, the construction company failed. However, as Walmart Brazil’s Ethics and Compliance Department had no protocol for handling failed contractors, the construction company continued working for Walmart Brazil. Around that time, the construction company was tasked with retaining a third-party intermediary (TPI or “Brazil Intermediary”) to assist in obtaining construction permits for Walmart Brazil. The Brazil Intermediary earned a reputation for his ability to swiftly obtain permits by “sort[ing] things out like magic” and became known within Walmart Brazil as the “genie.”

As the plea agreement noted, Walmart Brazil’s Ethics and Compliance Department ignored a number of red flags regarding its so-called genie. Notably, an employee in Walmart Brazil’s Government Affairs Department warned a compliance official and corporate attorney that he believed the TPI was a government official and was thus barred from contracting with Walmart Brazil. Although Walmart Brazil directly negotiated with the TPI for the “scope of work and fees” Walmart Brazil “amended the contracts with Brazil Construction Company to include a description of Brazil Intermediary’s work and the cost associated with the work” thereby bypassing any direct contract between Walmart Brazil and the TPI. Meanwhile, the Brazil Construction Company provided the TPI with cash with the understanding that this cash would be used for “making improper payments to government employees” in order to obtain the required permits. This activity continued until 2012 when the Ethics and Compliance Department ultimately terminated the relationship with the construction company, citing “cases of corruption.”

As a result of the plea agreement, WMT Brasilia was charged with $725,000 in fines and $3.6 million in criminal forfeitures. The criminal case against WMT Brasilia also figured prominently in the $137 million non-prosecution agreement (NPA) between Walmart Inc. and the Department of Justice as well as the $144 million settlement for the civil suit brought by the Securities and Exchange Commission for Walmart’s FCPA violations in Mexico, Brazil, India, and China. As reported in the June 20, 2019 DOJ press release regarding the NPA, during the period between 2000 and 2011, Walmart failed to enact sufficient compliance safeguards, including controls related to TPI due diligence, specifically with relation to foreign government officials, and neglected to include clear anti-corruption clauses within its TPI contracts. As quoted in the press release, Assistant Attorney General Brian A. Benczkowski remarked that “Walmart profited from rapid international expansion, but in doing so chose not to take necessary steps to avoid corruption…  In numerous instances, senior Walmart employees knew of failures of its anti-corruption-related internal controls involving foreign subsidiaries, and yet Walmart failed for years to implement sufficient controls comporting with U.S. criminal laws.”

As part of the Non-Prosecution Agreement, Walmart Inc. agreed to develop and promulgate a robust international compliance program including an internal accounting system regarding anti-corruption controls and a “rigorous” anti-corruption program. Additionally, Walmart agreed to conduct periodic compliance risk assessments and designate a senior compliance executive with direct reporting channels to independent monitoring bodies, the auditing committee, and the Board of Directors. Finally, Walmart agreed to retain an independent compliance Monitor for a two-year period and comply fully with all of the Monitor’s mandated assessment needs and compliance recommendations.

The case of Walmart Brazil presents several key takeaways for companies looking to expand into territories with high rates of corruption while not risking criminal prosecution, 9-figure fines, and court-appointed monitors. As seen from the details of this case, the mere presence of an Ethics and Compliance Department and a due diligence review process is not enough. First, due diligence is best conducted in a pre-emptive manner, to be initiated prior to onboarding and contracting activities. Post-hoc due diligence is less effective, as it’s harder to take action on an adverse report once a relationship is up and running.

Second, in high-risk jurisdictions and industries, where concerning due diligence reviews are common, it pays to have a secondary (and even tertiary) plan, in the event that a first-choice vendor is found to carry too high of a risk for corruption. Walmart Brazil continued to contract with the construction company, despite warning signs, in part because no protocols were in place for handling failed due diligence reviews.

Third, robust compliance programs are enhanced by effective lines of communication and authority between the Compliance Department and other relevant departments within the company, such as the internal auditing committee and Government Affairs department, thus creating internal systems of checks and balances. In the case of Walmart Brazil, a compliance official and company attorney received the initial tip-off regarding the TPI’s government affiliations from an individual in the Government Affairs office. While the compliance employee agreed that this would pose a risk to Walmart, the attorney and other executives were able to create an end-run around guidelines prohibiting the hire of the TPI by contracting with the individual indirectly through the construction company.

Finally, the compliance mindset requires a healthy dose of skepticism.  A genie who can generate permits as if by magic may seem like a wish come true, but a proper due diligence review would have revealed the FCPA risks associated with the hire, indirect or otherwise, of a government official.

The Kreller Hot Topics Report is a monthly publication dedicated to insights on international issues and incidents.

On the same day in Miami, a US District Judge sentenced Anthony Gignac to 18 years for impersonating the Saudi Arabian Prince, Khalid bin al-Saud, in order to defraud investors of over $8 million dollars after offering them an opportunity to purchase a stake in the Saudi state oil company, Saudi Aramco. According to a DOJ press release, Gignac purchased fake diplomatic license plates, hired body guards outfitted with false diplomatic security badges, dressed in “traditional Saudi garb,” and surrounded himself with “luxury goods consistent with the lavish lifestyle of a Saudi Royal.”

He also developed an Instagram account for his royal persona, under the username “princedubai_07.” The Instagram page included pictures of Saudi royals tagged as family members along with photos of ostentatious jewelry and watches, designer goods, high-end restaurants and hotels, luxury cars, bundles of cash, as well as images of an American Express Business card with the words “Bin Al-Saud” and “Al-Saud Group” on prominent display. As stated in the November 20, 2017 criminal complaint for the above case, in addition to the Aramco scam, Cignac used this assumed identity to “obtain unauthorized credit at retail stores,” receive money from fictitious bank accounts, and make fraudulent attempts to purchase a multi-million dollar hotel in Miami (identified in a November 2018 Vanity Fair article as the Fontainebleau Miami Beach).

In a June 3, 2019 press release describing the Arbab/Proficio Capital case, Richard R. Best, Regional Director of the SEC’s Atlanta Office, stated the alleged scheme is a “reminder that investors… should carefully research investment opportunities and the people offering them.” Today, this research typically begins with typing an individual’s name into a search engine and browsing his or her digital footprint (e.g. corporate bio, website, Facebook page, LinkedIn profile, etc.); we Google them.

A quick survey of a company or individual’s web presence may satisfy casual curiosity. However, without a mindset of healthy skepticism, such a review can serve to reinforce or introduce misinformation about the individual or company in question. Many fraudsters rely on social media as a part of a marketing strategy, in which they sell friends and followers on their purported identities as successful or connected individuals. A trained analyst will be able to see past this salesmanship in order to spot any red flags lurking in those tweets or Facebook feed.

When done correctly, social media research can be used to augment a due diligence or compliance investigation. A thorough examination of an individual’s digital footprint will approach material presented via social media as low-credibility information which should, if possible, be corroborated by additional sources. Additionally, a due diligence investigator will be able to analyze the principal’s social media presence as one element within a broader risk assessment, by viewing posts against the backdrop of corporate filings, legal records, and other relevant documentation.

Using Digital Footprint Research to Enhance Due Diligence        
An examination of the social media presence of the Subject Company’s principal can yield valuable insights into the workings of potential partner entities. A close review of the principal’s LinkedIn profile, digital CV, and corporate biography is a natural starting point for verifying an individual’s business affiliations, possible government affiliations, educational background, and past and former colleagues. Such research is also vital for identifying aliases, previous names, nicknames, and usernames. Attempting to verify this self-reported information is often an early step in deep-dive research regarding the individual’s career trajectory.

When making compliance decisions about a new or low-profile company, getting an accurate sense of the principal’s past business successes or failures can provide actionable information which may otherwise be unavailable for a company without a rich media presence. In a recent example, Kreller was charged with conducting a due diligence review of an airplane engine trading company with a small staff and negligible online presence. However, the corporate bio of the principal individual indicated that he had formerly worked in the securities industry. Subsequent research through FINRA revealed substantial regulatory issues for the principal which would not have been located through a media sweep on the engine trading company alone.

In addition to providing a starting point when searching for business affiliations and conducting employment and education verification, social media sites can fill in the details of the principal’s life and relation to his or her business ventures. While each case involves unique circumstances and challenges, social media research should minimally seek to address the following questions as part of a wider due diligence review:

1. Is the individual’s social media presence commensurate with his or her role in the company? Does the principal appear to have the skills and knowledge appropriate to his or her position?
2. Does the principal appear to be engaged in the day-to-day workings of the company? If not, is the principal acting as a stand-in or paper director, while another hidden stakeholder controls the company’s operations?
3. Does the principal’s lifestyle appear to be coherent? In the case of Anthony Gignac his Instagram page presents a disjointed picture in terms of his assumed identity as a Saudi prince, from the username referencing “Dubai” to the July 12, 2016 photo, gleaned from elsewhere on the internet, of a suitcase filled with cash accompanied by the decidedly un-aristocratic tag “Gettin that chicken.”
4. Does the principal appear to be living within his or her means? Are there any indications of outsized spending, travel, gambling, or addiction? A review of Syed Arbab’s Twitter profile revealed evidence of multiple trips to Vegas casinos during the year of his alleged crimes.
5. Does the individual’s social media presence raise concerns about his or her decision making abilities? Is there any information apparent on the individual’s social media accounts that could lead to legal or regulatory ramifications or a public relations scandal?
6. Are any of the individual’s email addresses linked to any known data breaches and thus potentially compromised for use by nefarious parties?

While often thought of in the context of research on individuals, digital footprint research can also be invaluable in determining potential risk factors for a potential partner or client company. A close review of a company’s website and social media pages can help determine whether a company has adequate resources for a proposed activity. In one example, Kreller was commissioned to conduct a due diligence review of a trucking company, whose website included photos of a purported “fleet” of vehicles. On closer inspection some of the pictured trucks contained US DOT numbers related to other seemingly unaffiliated trucking companies. Several photographs also contained watermarks suggesting they were pulled from other websites. Such details might cause a client to question not only the size of the fleet but the overall trustworthiness of the company when assessing the risk associated with a potential partnership or business deal.

Digital footprint research can expose other warning signs for companies as well, including evidence of plagiarism on the company’s website and discrepancies within the company’s reported activities. In one instance, Kreller was requested to initiate a due diligence review of an entity whose name indicated that the company was involved in IT consulting; however, the company’s webpage revealed that the Subject Company was purportedly involved in defense logistics and sales throughout Africa – a high risk industry in a high risk region!

An archived version of the website indicated that the Subject Company was previously engaged in IT activities, but no information was located to explain the seemingly abrupt turn to defense logistics. A deeper analysis of the current website, including its source code, suggested that much of the material from the site had been lifted from another defense industry website. Research did not reveal adverse media or legal filings for this company; however, the inconsistency in the company’s self-presentation, as well as the apparent plagiarism, would likely give many prospective partners pause.

As seen in the aforementioned examples, digital footprint analysis can, and often does, reveal pertinent information which may not be disclosed in news reports or court records, and thus can be a useful tool in compliance.

The Elements of Compliance
The Framework for OFAC Compliance Commitments outlines the “essential components” of a robust and effective sanctions compliance program (SCP). A successful SCP requires total buy-in from senior leadership within the company, thereby ensuring that the program is granted adequate authority, funding, and resources. The Framework promotes a risk-based approach to developing an SCP. Reportedly, “One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing ‘risk assessment’ for the purpose of identifying potential OFAC issues they are likely to encounter.” Such a risk assessment will take into account various factors including the organization’s clients, its products and services, its supply chain and intermediaries, and the locations of its operations, as well as high-risk interactions such as customer on-boarding and merger events.

Once an SCP is backed by management and developed with an eye to mitigating risk, the Framework recommends that a successful SCP should be formalized into a set of internal controls, policies, and procedures to both guide and document activities and transactions with potential relevance to OFAC and other regulatory agencies. These internal controls should be regularly tested and audited in order to identify weaknesses in the organization’s compliance protocol or its application; a robust SCP will be recalibrated and enhanced “to account for a changing risk assessment or sanctions environment.” Finally, relevant personnel within the company should receive training in the SCP’s substance and application on an annual basis. The Framework advises that a thorough compliance training program should “(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.”

While companies are not required by OFAC to maintain a formal sanctions compliance program, the new guidelines strongly encourage companies with international engagements to develop not only written compliance protocols, but to hard-bake a “culture of compliance” into their corporate operations. As seen in the below case studies, the extent to which a company makes a good-faith effort at compliance plays a role in OFAC’s assessment of penalties, should a violation come to light.

Risk Factors for Sanctions Violations: Three Case Studies
In addition to providing guidelines for an effective sanctions compliance program, the OFAC Framework also discusses several of the root causes associated with the violation of sanctions regulations. Specifically, the Framework cites (i) the lack of a formal SCP; (ii) failure to understand OFAC’s regulations; (iii) a decentralized or disorganized SCP chain of command; (iv) exporting to OFAC-sanctioned entities; (v) transactions conducted through foreign-based subsidiaries and affiliates; (vi) using US-based banks to process transactions made by OFAC-sanctioned entities; (vii) a reliance on non-standard payment practices; (viii) deficiencies in screening software; and (ix) deficiencies in due diligence regarding customers and clients, as common threads in many OFAC violations. Enforcement action reports for three recent OFAC settlements highlight the interplay of the various aspects of well-crafted compliance program and illustrate several of the aforementioned risk factors.

In an April 11, 2019 enforcement action, the Office of Foreign Asset Control reported that it has reached a settlement of $227,500 with Acteon Group Ltd., its subsidiary, 2H Offshore Engineering Ltd., and several affiliate companies. According to the enforcement action, in November 2008 the Technical Director for 2H became aware of an oil well drilling opportunity in Cuba. When the Technical Director consulted the 2H Global Director about this opportunity, “The Global Director responded by forwarding an October 2007 memorandum from Acteon that specifically prohibited work or trade in Cuba… but with the added statement that he didn’t want to turn away work.” The Global Director “advised finding a way around Acteon’s prohibition on work involving Cuba” and, following the launch of the project, directed an employee to change all references to “Cuba” to references to “Central America” in the Technical Director’s expense reports. Later, the Technical Director similarly doctored the project’s letter of intent and apparently “proceeded with the project without seeking authorization from… Acteon.”

Although OFAC credited Acteon with having a policy regarding Cuba and for voluntarily disclosing the above violation, the breakdown in Acteon’s protocols and the mixed messages delivered by H2’s Global Director suggested that Acteon’s SCP, such as it was, did not have the full support of the organization’s leadership. Further, as the enforcement action notes, the above apparent violation highlights the need for a risk-based approach to sanctions protocols. A more effective SCP would have performed “heightened due diligence; particularly with regard to affiliates, subsidiaries, or counter-parties known to transact with OFAC-sanctioned countries or persons, or that otherwise pose high risks due to their geographic location, customers, or suppliers, or products and services they offer.” An audit of Acteon’s existing protocols may have revealed that the employees of H2 and its subsidiaries were not fully aware of Acteon’s policies prohibiting engagement in Cuba and required further compliance training.

In an April 15, 2019 enforcement action, settled for $553,380,759, OFAC found that UniCredit Bank AG, a German financial institution, “processed 2,158 payments totaling $527,467,001 through financial institutions in the United States” in an apparently egregious violation of numerous OFAC sanctions programs. Notably, OFAC found that UniCredit processed payments for oil-related transactions in Iran and for the Islamic Republic of Iran Shipping Lines (IRISL), an entity included on the Specially Designated Nationals and Blocked Persons (SDN) List for activities surrounding the proliferation of weapons of mass destruction. The enforcement action noted that UniCredit appeared “to have acted with willful intent to circumvent U.S. economic sanctions laws” through the use of a procedural guide which directed bank personnel to structure U.S. based payments in ways which obscured the involvement of sanctioned entities.

The UniCredit case exhibited several of the root causes of sanctions violations as described in the Framework for OFAC Compliance Commitments, including involving US-based intermediary parties to process transactions made by OFAC-sanctioned entities and through the use of non-transparent and non-standard banking practices. Most importantly, not only did UniCredit lack an effective sanctions compliance program, the organization enacted guidelines specifically designed to skirt OFAC’s regulations.

While the UniCredit and Acteon cases exhibited knowing and willful disregard of OFAC guidelines on the parts of several executives, a third recent case demonstrates that ignorance of OFAC sanctions and the lack of a formal sanctions compliance program (SCP) can also cause a company to run afoul of OFAC regulations. As reported in an April 25, 2019 enforcement action, Haverly Systems, Inc., a small New Jersey-based software company, settled with the Office of Foreign Asset Control for $75,375 for two apparent violations of Ukraine Related Sanctions Regulations, following an illicit transaction with JSC Rosneft, a company listed on OFAC’s Sectoral Sanctions Identification List (SSI). Reportedly, in August 2015, Haverly issued two invoices to Rosneft for the purchase of software support services. OFAC stipulations regarding Rosneft required the payment of such invoices to be made within 90 days; however, due to a reported lack of additional documentation, Rosneft did not pay the first invoice until approximately 9 months after it was issued. When Rosneft attempted to remit the second invoice, financial institutions refused the payment, citing the OFAC regulations.

Haverly was reportedly made aware of the banks’ refusals; however, as the enforcement action noted, “at the time of the payment attempts Haverly did not have a sanctions compliance program and did not recognize that delayed collection of payment was prohibited.” Further, the company did not contact OFAC for guidance. Haverly was ultimately able to receive payment from Rosneft only by reissuing the invoice with a new date, following “the suggestion of Rosneft.”

In assessing the violation, OFAC noted that had Haverly consulted with the agency, OFAC would likely have authorized the requested payments from Rosneft. However, the company’s complete lack of awareness regarding its conduct and “reckless disregard” for the warnings it received from the financial institutions, were viewed by OFAC as “aggravating factors.” Haverly’s lack of understanding of OFAC regulations and its failure to develop a sanctions compliance program resulted in an enforcement action, despite the company’s small size and the relatively minor nature of its transgressions.

As the Acteon, UniCredit, and Haverly cases show, OFAC appears to be utilizing both its rubric for constructing an effective SCP and its analysis of the root causes of violations in assessing the aggravating and mitigating factors in compliance violations. Companies engaging in international business would be well-served to keep the OFAC Framework in mind when developing compliance protocols, particularly during what is shaping up to be an aggressive period of enforcement.

Second Act
On March 29, 2019, The National Law Review blog posted part two of an analysis on a trio of bills proposed by the House Financial Services Committee to reform and modernize the Bank Secretary Act (BSA), Anti-Money-Laundering (AML) law, and Combating the Financing of Terrorism (CFT) law. The post focused on the proposed bill for the Corporate Transparency Act of 2019. The Act, which was previously introduced in 2017 with bipartisan support, would reportedly “amend the BSA to compel the Secretary of Treasury to set minimum standards for state incorporation practices” such that all US states would be required to collect beneficial ownership information from LLCs and corporations and report this information to the Financial Crimes Enforcement Network (FinCEN). Reportedly, the goal of the proposed Act is to “bolster the beneficial ownership identification requirements to prevent the use of shell companies for various illicit reasons, including facilitating tax and money laundering schemes as seen in the Panama Papers scandal.”

On March 13, 2019, The Real Deal reported on Congresswoman Carolyn Maloney’s decision to reintroduce the Corporate Transparency Act, which she also championed in its 2017 form. Maloney stated that the Act is meant to empower law enforcement in the investigation of financial crimes: “Law enforcement tells me that whenever they’re following the money in an investigation, they always hit a dead end at an anonymous shell company.” The article noted that this bill follows other regulations designed to reduce anonymous activity in the real estate sector. For example, in November 2018, the Treasury Department expanded the Geographic Targeting Order, which requires that LLCs provide the identities of buyers who spend $300,000 or more in 12 major real estate markets, including the New York City, Miami, Los Angeles, Chicago, and San Francisco metro areas.

Sources:

The National Law Review
The Real Deal

“Rotten Onion”
While the above mentioned study by Transparency International Canada and the proposed Corporate Transparency Act of 2019 address the use of shell companies in hiding the ownership of assets, a recent court filing out of Texas highlights one way in which shell companies can be used to obscure a lack of assets.

On March 28, 2019, The Houston Chronicle reported that a federal jury in Houston awarded $15 million to SED Holdings, who purchased a “pool of nonperforming residential mortgage loans five years ago from a shell company that didn’t actually own the loans.”

As described in the complaint, which was initially filed in a Durham, NC Superior Court, the Defendant, 3 Star Properties LLC, sold over 1,000 non-performing mortgage loans to the Plaintiff, SED Holdings LLC. During negotiations, 3 Star represented itself as the owner of the loans, which it characterized as “in good shape and consistent with appropriate industry standards”. The deal required that SED Holdings use the Defendants TMPS LLC and Mark Hyland as the loan servicer and document custodian for processing the loans in question. As stated in the complaint, following the completion of the deal, SED came to discover that “the loan files were in horrible shape: many of them were missing critical paperwork, many of them were basically empty, and for many of them being offered, there were no loan files whatsoever or the notes had actually been released before the sale to SED”. Furthermore, many of the loans sold to SED by 3 Star were actually owned by TMPS and Hyland.

According to the March 28^th Houston Chronicle article, the jury found that 3 Star was “serving as a pass-through entity to flip the assets for cash, concealing the true owners”. In a press release following the verdict, SED’s trial attorney, Jared Levinthal, described the discovery of the scheme as “like peeling back layers of a rotten onion.”

Sources:

The Houston Chronicle
PR Newswire
SED Holdings, LLC v. 3 Star Properties, LLC, et al. (2017)

The Takeaway
As seen in the above media reports, shell companies can pose a number of problems for prospective investors or partner companies, as opaque ownership structures obscure the true nature of the parties and assets in question. While policy changes may be on the horizon, for now, companies must protect themselves when interacting with unnamed owners.

Due diligence regarding beneficial ownership can assist in overcoming these issues in a number of ways. First, a robust compliance program will often include a questionnaire in which the prospective partner company is asked to supply the names of its beneficial owners. A comprehensive due diligence review can fill in the details regarding these reported beneficial owners, their other business affiliations, possible government or political affiliations, and any unseemly derogatory information in their pasts, providing valuable context for a business engagement.

Even when due diligence is unable to determine a beneficial owner, the investigation may reveal some noteworthy features of the company in question. A comprehensive compliance review of an entity whose ownership is unknown should seek to address the following questions: Does the company appear to function as a part of a larger group of companies? If so, does this group of companies appear to rely on a scaffolding of various shell organizations for the majority of its deals? Is there any media information regarding the group’s other business relationships or investments? What is the overall reputation of the group? Who is the purported management of the shell company? Do these managers have any other noteworthy business affiliations? Does a legal, regulatory, and media review of the managers suggest any compliance issues or other risk factors? The answers to these questions can go a long way in assessing the risks in dealing with “black-box” shell entities.