Also: Legacy €1bn tax liability levied on WestLB ‘bad bank’; ABN and Wells Fargo compensate clients. Data by ORX News
September’s largest operational risk loss was an astonishing $2 billion, in a Securities and Exchange Commission (SEC) lawsuit against former online crypto lending platform BitConnect, its founder Satish Kumbhani and lead US promoter Glenn Arcaro, along with his company Future Money. The SEC says that, from January 2017 to January 2018, the platform embezzled approximately this amount in investor funds in an international Ponzi-type scheme involving digital assets.
BitConnect launched with an initial coin offering (ICO) at the end of 2016 and by mid-December 2017, its eponymous cryptocurrency, BitConnect Coin, or BCC, boasted a market cap of over $2.5 billion and a peak value of $400 a coin. The platform offered BCC in exchange for bitcoin on its exchange and claimed that customers would receive a daily profit, thanks to their trading bot and volatility software, and that returns would be as high as 40% per month “with no risk”. Instead, the SEC found the defendants passed investors' funds through their own digital wallets and siphoned them off for personal profit. Of the approximately 325,000 in bitcoin that investors paid to BitConnect, only 8% was invested on any digital-asset trading platform.
In January 2018, the market for BCC crashed after two state-level US securities regulators issued public letters warning investors of the platform’s questionable nature. BitConnect then shut down its BCC exchange, which led to a price collapse and left investors with a near-worthless currency.
The SEC said BitConnect and Kumbhani conducted a Ponzi-like scheme to lure newer investors to satisfy other investor withdrawals and conceal the fact they were deploying investor funds purported to be allocated to the trading bot they had advertised.
A €1 billion ($1.17 billion) tax dispute between the two succeeding entities of the former WestLB – Erste Abwicklungsanstalt (EAA) and Portigon – makes up the second largest loss of the month. The dispute centres on the cum-ex tax debt, for which WestLB was found liable after a 2016 German prosecutor’s investigation. In 2012, when the former German bank was split into two, Portigon took control of the viable financial services, while EAA took on the role of ‘bad bank’ to complete the winding up of non-performing assets.
The cum-ex trades involved buying a share just before the dividend rights expired and then re-selling it, allowing both the buyer and the seller to claim a capital gains tax refund. The transactions took advantage of a loophole in German tax law that closed in 2012. The Frankfurt-am-Main regional court established that EAA had intentionally assumed the disputed tax-risk positions and found EAA liable for the tax debt, a decision EAA said it would appeal. It was given one month to do so.
In September’s third largest loss, ABN Amro has provisioned €250 million ($297 million) to compensate consumers who were charged too much interest on revolving credit. The ruling resulted from a July 2018 client complaint that the bank had extended an interest-only flexible credit with a variable interest rate, which was not reduced despite a fall in the market rate when other lenders lowered their rates. The customer allegedly overpaid €25,000 in interest.
The Dutch financial ombudsman ruled that interest should remain in line with market interest rates and confirmed the interest rate series published by the central bank should be used as the reference rate for credits from 2010. Prior to this date, the Dutch statistical office’s interest rate series adjusted by 0.91 percentage points should apply. ABN Amro said it would voluntarily add 5% to the compensation as a goodwill gesture.
The fourth largest loss of the month saw Interactive Brokers fined $84.3 million for the incorrect configuration of its oil futures electronic payment system, which failed to function when oil futures prices went negative for the first time ever on April 20, 2020. Interactive Brokers reported its system issues to the US Commodity Futures Trading Commission (CFTC) the next day and cooperated with its investigation. By April 22, the firm had engaged in customer compensation and systems remediation efforts, but these were deemed insufficient and caused losses of $82.6 million to 227 clients.
September’s fifth largest loss of $72.6 million came after a whistleblower informed the US Department of Justice that financially incentivised and poorly supervised Wells Fargo employees had systematically charged small and medium-sized businesses and financial institutions higher markups on foreign exchange transactions and concealed the overcharges through various misrepresentations and deceptive practices.
In one alleged strategy, dubbed the ‘big figure trick’, if the correct hypothetical price to buy a euro was $1.0123, an FX sales specialist would switch the price to $1.0213. If caught, they would falsely claim the digits had been mistakenly transposed. Members of its San Francisco FX desk would celebrate large sales margins by ringing a bell on the trading floor.
Wells Fargo accepted responsibility and took actions against more than 20 FX employees, including various disciplinary actions and separation of employment, and affirmed it has taken various steps in an effort to comply with industry FX best practices.
Spotlight: Meme-stock misstep means $4m fine for MassMutual
A $4 million fine for MassMutual Investors Services has focused minds on the matter of monitoring employees’ social media activity. The US Securities and Exchange Commission fined the firm for supervisory failures that allowed former employee Keith Gill to misuse social media and carry out excessive trading in his personal account. Under the alias ‘Roaring Kitty’, Gill made hundreds of hours of YouTube videos explaining his trading strategies along with extensive online contributions to Reddit forums, encouraging millions of hobbyist day traders to pump shares into bricks and mortar video game retailer GameStop, among others.
From April 1, 2019, until January 28, 2021, broker-dealer agent Gill worked as product management director on MassMutual’s marketing programme ‘In Good Company’ to attract and retain investors with educational offerings and advice. At the same time – and over various media, using different aliases – Gill garnered thousands of followers as a meme-stock trader. Massive demand from meme-stock traders sparked a dramatic surge in GameStop’s price in January 2020, bringing global attention to the story.
And while the media discovered Gill’s aliases and activities in a day, MassMutual policies and procedures failed to detect his social media activities for almost two years, including over 250 hours of YouTube videos and almost 600 securities-related posts on Twitter alone, but also on other social platforms. Nor did MassMutual detect the 1,700 trades Gill carried out in the accounts of three further individuals. The firm had used a flawed third-party electronic trading surveillance programme that also failed to detect Gill’s trades, which were at twice the firm’s pre-determined per-transaction limit of $250,000.
The SEC found that Gill’s actions contributed to diminished investor confidence in the market and highlighted that MassMutual’s compliance failures, continuing until at least September 15, 2021, were systemic and not uniquely related to Gill.
In focus: Cloud providers float up the list of regulators’ concerns
For some years now, regulators around the world have kept an uneasy eye on financial institutions’ growing use of a handful of service providers, notably cloud computing firms. In the past few months, the Bank of England – usually a pioneer regulator when it comes to non-financial risks – has come out with some of its strongest statements on the dangers of such concentration.
At its September meeting, the bank’s Financial Policy Committee noted the financial system’s growing dependence on cloud service providers and other critical third parties (CTPs).
“The increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight,” the FPC said, doubling down on the central bank’s 2019 suggestion that cloud providers should be more tightly regulated.
The committee went on to say that additional policy measures, some requiring legislative change, were likely to be needed to mitigate resulting risks to financial stability. Both comments built on a similar statement contained in the FPC’s July Financial Stability Report.
The cloud service market is indeed dominated by only three providers. In the second quarter of this year, Amazon Web Services held 31% of the market, followed by Microsoft Azure with 22%. Google Cloud was third, accounting for an 8% share, according to estimates by Canalys, a technology research firm.
As bank risk managers are well aware, a service disruption at any one of the three could have severe repercussions for scores of financial firms. Although the major cloud providers have so far proven resilient, two cyber attacks that affected many more institutions this year underscore the risks of relying on a small number of suppliers.
A hack of Accellion, a US software vendor, led to a long string of its customers and their customers reporting data breaches. The victims included Morgan Stanley, which said in July that personal data of some of its corporate clients had been stolen, according to Reuters. The bank said the criminals had accessed the information by exploiting a vulnerability in the software used by one of its vendors, Guidehouse. The software, called FTA, was provided by Accellion.
In January, New Zealand’s central bank reported a data breach through the same Accellion software, which it used to share and store information.
Putting a spotlight on the vendor’s behaviour, the bank’s governor Adrian Orr later commented: “We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world and that a patch was available that would have prevented this breach.”
Accellion, for its part, said in January that it had discovered a “vulnerability” in FTA in mid-December, resolved it and released a patch within 72 hours to the fewer than 50 customers affected. A later update stated that the software had been the target of a cyber attack and that Accellion had notified all FTA users of the attack on December 23.
The second incident involved the hacking of Microsoft Exchange email servers, used by businesses around the world. The company said in March the attacks were carried out by a previously unknown Chinese-based “actor” that it dubbed Hafnium. The European Banking Authority, one of the victims, said the attacker might have accessed personal data held by the EBA. It was also reported in March that at least 30,000 organisations across the US had been hacked through their Microsoft Exchange servers.
At least in the UK, regulators are increasingly alarmed by the financial sector’s reliance on a clutch of critical service providers and are planning to publish a joint discussion paper on regulating these firms next year.
For now, the sector’s best defence against the risks CTPs harbour is to closely follow rules on operational resilience – of the kind published by the Bank of England earlier this year. As part of the UK rules, firms must make sure each of their important business services can continue operating in a range of disruptive scenarios. An outage at or an attack on their cloud provider should surely be one of those scenarios.
Editing by Louise Marshall and Olesya Dmitracova
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.