Network Security, Compliance, and Out-Sourcing Your Job To China


You may have heard the story about the computer programmer who outsourced his work duties and sat in his office watching cat videos all day. “Bob” was an “inoffensive and quiet” programmer in his mid-40’s, with “a relatively long tenure with the company” and “someone you wouldn’t look at twice in an elevator.”

His company noticed some “anomalous activity” in their VPN logs and called in a consultant. Unfortunately for Bob, his company was a U.S. critical infrastructure company. That anomalous activity was traced back to a connection in China. Red flags were raised and security alarms went off in people’s minds. The company thought it was being hacked, spied on, or infected with spyware from an unknown force in China, putting US infrastructure at risk.

Two things caused the investigators to scratch their heads: (1) The company had two-factor authentication for these VPN connections. That means you needed a rotating-token RSA key fob for network access. (2) The developer whose credentials were being used was sitting at his desk in the office. As a result, the VPN logs showed him logged in from China, yet the employee was sitting at his desk. Even worse, the VPN connection to China was shown to go back many months, before the company was even monitoring the VPN.

Fearing that Bob’s computer was infected with a trojan horse or other malware, the investigators cloned Bob’s desktop and searched its contents. Instead of nasty computer viruses, they found hundreds of .pdf invoices from a third party contractor in China.

It turned out that this was Bob’s typical day:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates, LinkedIn.
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home

Bob had physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials. The contractor worked for a fifth of the cost of his salary. Bob pocketed the difference, surfed the internet, and managed his contractor.
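A defender’s version of the check that unmasked this arrangement, as an added example that is not from the article: correlate each VPN session’s source country with physical badge-access records and flag any foreign-sourced session during which the same user badged into the office. The CSV log formats, the sample lines, and the `home_country` parameter are constructed assumptions, not the company’s actual logs.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs (not from the story): one workday of VPN sessions and badge swipes.
VPN_LOG = """user,start,end,src_country
alice,2012-11-12 08:40,2012-11-12 17:10,US
bob,2012-11-12 09:02,2012-11-12 17:05,CN
carol,2012-11-12 03:15,2012-11-12 06:40,GB
"""

BADGE_LOG = """user,time,door
alice,2012-11-12 08:35,lobby
bob,2012-11-12 09:00,lobby
bob,2012-11-12 12:58,lobby
"""

FMT = "%Y-%m-%d %H:%M"


@dataclass
class VpnSession:
    user: str
    start: datetime
    end: datetime
    src_country: str


@dataclass
class BadgeEvent:
    user: str
    time: datetime
    door: str


def parse_vpn(text):
    """Parse the constructed VPN CSV into session records."""
    return [VpnSession(r["user"], datetime.strptime(r["start"], FMT),
                       datetime.strptime(r["end"], FMT), r["src_country"])
            for r in csv.DictReader(io.StringIO(text))]


def parse_badge(text):
    """Parse the constructed badge CSV into swipe events."""
    return [BadgeEvent(r["user"], datetime.strptime(r["time"], FMT), r["door"])
            for r in csv.DictReader(io.StringIO(text))]


def impossible_presence(sessions, badges, home_country="US"):
    """Flag sessions from outside home_country during which the same user badged into the office.

    A foreign session with no badge swipe (carol, travelling) is not flagged; a foreign
    session overlapping an on-site swipe (bob) is the token-sharing signature.
    """
    findings = []
    for s in sessions:
        if s.src_country == home_country:
            continue
        swipes = [b for b in badges if b.user == s.user and s.start <= b.time <= s.end]
        if swipes:
            findings.append({"user": s.user, "src_country": s.src_country,
                             "session_start": s.start,
                             "badge_times": [b.time for b in swipes]})
    return findings


if __name__ == "__main__":
    for finding in impossible_presence(parse_vpn(VPN_LOG), parse_badge(BADGE_LOG)):
        print(finding)
```

The 09:00 swipe falls just before bob’s session opens, so only the 12:58 swipe overlaps; the check intentionally ignores swipes outside the session window to avoid flagging an employee who badges in and then connects from home.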


Lance Armstrong – A Lying Liar Just Like Madoff


It’s tough to see a hero fall. I didn’t consider Lance Armstrong to be a hero for riding. But what he did for cancer survivors was remarkable.

Until recently, cycling was filthy with doping. Take a look at the podium finishers for the Tour de France. Only two of the podium finishers in the Tour de France from 1996 through 2005 have not been directly tied to likely doping through admission, sanctions, public investigation or exceeding the UCI hematocrit threshold. The sole exceptions are Bobby Julich – third place in 1998 and Fernando Escartin – third place in 1999.

I could forgive Armstrong for doping. It seems clear that everyone was doping. It leaves open the question of whether Armstrong was one of the greatest cyclists or merely one of the greatest dopers. We have no way of knowing whether his regime of doping merely leveled the playing field or elevated him above the level of his also doping competitors. Were his competitors lesser cyclists or merely less capable at doping?

What caught my attention about the Armstrong interview was the window into the mind of a pathological liar. Armstrong had been telling the lie over and over and over. He lied to the public. He lied to the press. He lied to cancer survivors. He lied under oath.

Beyond that, he attacked those who accused him of doping. He ruined the careers of journalists who dared accuse him of doping. He ruined the careers of riders who accused him of doping.

I put Mr. Armstrong in the same group as Bernie Madoff. Two men who lived their lies for decades. They both seem to regret that they got caught, not that they were lying and stealing money. Granted Mr. Armstrong’s theft was a bit more indirect.

I don’t believe most of what Mr. Armstrong told Oprah in the interview. He’s been lying too long to think that he is now telling the whole truth. But there may be bits of truth mixed in his interview. He did clearly admit to doping.

As with most pathological liars, Mr. Armstrong expressed more remorse that he was caught, than for the harm he caused. He found justification for his bad acts.


Social Media Access by Employers


There was a kerfuffle in the news about employers demanding access to employees’ social media site. The stories stated the employers asked for the employees’ passwords, in addition to their usernames. In response, at least six states have started the legislative process to prevent employers from demanding that access.

As you might expect, the tricky part is defining “social media.” William Carleton put together a collection of the proposed definitions and grades for the legislative definition of social media.

Here is New Jersey’s attempt, as an example:

“’Social networking website’ means an Internet-based service that allows individuals to construct a public or semi-public profile within a bounded system created by the service, create a list of other users with whom they share a connection within the system, and view and navigate their list of connections and those made by others within the system.”

Not surprisingly, the best rated definition was the one that did not have a definition. By defining a social media site, you risk the sites evolving to no longer fit within the definition.

My beef was that the definitions were focused like a laser on Facebook, LinkedIn, and Twitter. They fail to cover web publishing sites like blogs. There is a follow-up post that offers some suggested improvements.

My two cents was that these social media sites should allow employers to monitor employees:

“In the financial services industry, there are regulatory requirements to monitor employees’ interactions with customers. That’s easy to do with platforms controlled by the firm, like email, but difficult with the ever-changing platforms in social media. The solution. The social media platform should allow a company to monitor an employee’s account provided the company pays a monitoring fee. Of course the employee will need to consent to the monitoring. The platform gets a revenue stream and the company gets the monitoring and record-keeping it needs. The employee ends up with ‘big brother’ but only if the company thinks it’s a big enough problem that it is willing to pay the monitoring fee.”

If you charge the company, they will limit the explicit monitoring to those instances when the cost/benefit makes economic sense.

With the constantly evolving privacy settings on the platforms, it’s often hard to be certain which piece of information can be seen by whom. But it should not be hard on the back end for a social media site to create an archive for monitoring purposes.

This will also open up these sites for more prolific use by those who have a regulatory requirement that otherwise limits access.


Cash Transactions, Money Laundering, and a CCO Going to Jail


When I see a story about a chief compliance officer going to jail it catches my attention. Judge John F. Walter in the Central District of California sentenced Humberto Sanchez, the compliance officer of G&A Check Cashing to 60 months in prison. Private fund managers rarely have to worry about check cashing and bags of cash. The case is a good reminder that cash transactions have specific limitations.

In this case, G&A Check Cashing was sending customers off with cash in excess of $10,000. Under the Bank Secrecy Act, financial institutions, including private funds, are required to file a Currency Transaction Report with the Department of Treasury for any transaction involving more than $10,000 in currency. As part of the Currency Transaction Report, the financial institution is required to verify and accurately record the name and address of the individual who conducted the currency transaction, the individual on whose behalf the transaction was conducted, as well as the amount and date of the transaction.

G&A was very bad and engaged in multiple transactions involving over $8 million, in which the firm did not file the required Currency Transaction Reports.


Crowdfunding and the Ban on General Solicitation


While entrepreneurs are looking to create crowdfunding portals under Title III of the JOBS Act, small business owners looking to raise capital should keep an eye on the regulatory changes under Title II of the JOBS Act. That may do a better job of opening the spigot for capital than the avalanche of crowdfunding portals likely to appear.

Look at the case of Alison Bailey Vercruysse, a maker of granola-based foods, and her company 18 Rabbits. According to a story in yesterday’s Washington Post, her products attracted a loyal following, but she could not tap those fans for capital as she tried to grow her firm.

“People would come up to me in different places and say: ‘I’m interested in investing in your company. How can I do that?’ ” Vercruysse said. “I couldn’t say we were trying to raise money. I’d end up saying things like: ‘Buy our granola. That would help us.’ ”

Without the ban on general solicitation, the company could put a message on its packaging or its website for accredited investors interested in investing.

Currently, the Securities and Exchange Commission has a ban on the use of general advertising and solicitation for raising private capital under the most popular exemption, Rule 506. Title II of the JOBS Act requires the SEC to remove that ban for offerings where all investors are accredited. The agency tried to rush the rules last summer to meet the Congressional deadline, but investor advocates demanded that the SEC slow down. The SEC is gathering public comment before finalizing the rule.

Two SEC commissioners, Dan Gallagher and Troy Paredes, were in favor of immediately lifting the ban. SEC Commissioner Luis Aguilar did not like the rule, saying it lacked adequate investor protections. The fourth SEC Commissioner, Elisse Walter, voted for the proposal, but expressed concerns. She has stated the SEC must consider ways to mitigate potential harm to investors. The fifth and presumably deciding Commissioner’s seat is vacant with the departure of Mary Schapiro. Looking into my crystal ball, it would seem that the rule is not going to be finalized anytime soon. At least not until the vacancy is filled.


Crowdfunded Companies Won’t Be Here Anytime Soon


When the JOBS Act passed last spring, there was a huge surge of interest in the future of crowdfunding. In pursuit of the riches of startup investing, many ignored the already successful world of Kickstarter, Indiegogo, and others that already successfully fund projects. Those platforms don’t show the investor a pot of gold at the end of the rainbow. They show the investor the final project and maybe the chance to purchase one or participate.

By switching to equity fundraising, the focus would switch to the potential financial reward and perhaps less on the value of the project. Critics wailed about the onslaught of fraud. Proponents praised the unleashing of entrepreneurial capital. The lawyers and regulators worried about how to implement this new capital raising regime.

Congress didn’t make it easy. They chose to throw out the original crowdfunding law proposed for the JOBS Act and replaced it with a very cumbersome and difficult new piece of legislation. They gave the Securities and Exchange Commission 270 days to come out with the regulations. That’s on top of the huge pile of regulatory mandates passed 2 years ago with Dodd-Frank.

We have seen no inkling that the SEC has come close to proposed regulations. With the departure of Mary Schapiro, the SEC is down to four commissioners, two of whom have publicly voiced their concerns about crowdfunding. Even if the SEC can gather three out of four of the commissioners to agree on proposed regulations, there will be a lengthy comment period and likely re-writing to get to the final regulations.

In addition to the SEC, FINRA will need to create a regulatory regime for the registration of crowdfunding portals. To get a taste of how difficult this is going to be, you can take a look at the first baby steps of regulatory work that came from FINRA.

FINRA is inviting prospective crowdfunding portals to voluntarily file an interim funding portal form. The filing is meant to help FINRA develop rules that reflect the funding portal community and its business. It is not an application and does not get anyone any closer to having a working equity crowdfunding platform.

For a taste of the difficulties take a look at the last question:

Please describe how the [Funding Portal] addresses the requirements for funding portals under the JOBS Act. In particular, please describe how the [Funding Portal] would
(i) address investor education;
(ii) take measures to reduce the risk of fraud with respect to funding portal transactions;
(iii) ensure adherence to the aggregate selling limits; and
(iv) protect the privacy of information collected from investors.

The successful crowdfunding portals are going to have to master difficult regulations, successfully court attractive investment opportunities, master the 50 states of privacy legislation, come up with effective investor education tools, and successfully attract investors willing to write checks.

I still think crowdfunding will end up being a minor league system for the investment banks. They have the resources to conquer these hurdles. They can use the database of investors to mine for more conventional investment opportunities. They can use the few successful crowdfunded companies to sell bigger opportunities for raising more capital. It seems to me that we are still many, many months away from seeing the first crowdfunding portal under the JOBS Act.


Compliance Bricks and Mortar for January 11


These are some of the compliance related stories that recently caught my attention.

On the lighter side, there has been a bit of attention focused on a presidential appointment. Jack Lew, President Obama’s reported pick to replace outgoing Treasury secretary Tim Geithner, has drawn some unusual scrutiny because of his signature. Jack Lew’s Terrible Signature May Grace Dollar Bills Now by Kevin Roose

A lesser-known but extremely pertinent fact about Lew is that he has the world’s worst signature. And pretty soon, that signature could be on every single one of your dollar bills.

If Lew is confirmed as Treasury secretary, his signature will occupy the lower-right-hand spot on U.S. paper currency. And that signature, which was widely mocked when it surfaced on a September 2011 memorandum, is legitimately crazy.

Fu Manchu and the Wal-Mart FCPA Investigation Water Torture by Tom Fox

I thought of Fu Manchu and his infamous drip, drip, drip water torture when I read the latest news about the ongoing Wal-Mart Foreign Corrupt Practices Act (FCPA) investigation. Yesterday, I read three articles about the most recent revelations in Wal-Mart’s ongoing PR nightmare. Renee Dudley, reporting in Bloomberg, in an article entitled “Wal-Mart CEO Knew of Mexico Bribery, Congressmen Say”, wrote that “Democratic Representatives Henry Waxman of California and Elijah Cummings of Maryland said today in a statement that documents obtained by their staffs show that Duke and senior Wal-Mart officials were informed about allegations of corruption regarding a store in Teotihuacan.”

Year In Review Roundups by the FCPA Professor

Viewing FCPA enforcement in the aggregate is of course also useful and informative and this post begins by aggregating the previous DOJ and SEC FCPA enforcement facts and figures from 2012. After providing various aggregate facts and figures, this post concludes with a roundup of other year in reviews.

‘They Owe It to Me’: FBI Identifies Top Email Phrases Used by Fraudsters by Bruce Carton in Compliance Week

According to research conducted by Ernst & Young in collaboration with the FBI, these phrases are among the top terms used by employees in emails discussing fraud. E&Y has developed software that companies can use to monitor employees’ emails for these phrases and approximately 3,000 other words and phrases that are commonly used in emails by people committing fraud.

Getting Comfortable With an Uncertain World by Matt Kelly in Compliance Week

If you’re going to read one book at the start of this year to improve your understanding of the world and the compliance professional’s role in it, read The Signal and the Noise by Nate Silver. It’s been on the best seller list since its debut last September, and I finally opened a copy the other day. Before I finished even Chapter 1, I could see why the book has been so popular, and why it can be so useful for those of us who make a living in the corporate compliance world.

Ethics and the 75 percent


The 75 percent number represents the votes needed by the Baseball Writers’ Association of America for a candidate to be granted entry to baseball’s Hall of Fame. There were 569 ballots cast. On Wednesday, the BWAA announced that one of the greatest hitters and one of the greatest pitchers in the history of baseball were denied entry.

Barry Bonds is the all-time home run leader. Roger Clemens is a seven-time Cy Young Award winner. Each received less than 40% of the votes cast. The BWAA has unequivocally decided that the use of performance enhancing drugs is a disqualifier for induction to baseball’s Hall of Fame.

Last year was the first test, when Mark McGwire and Rafael Palmeiro fell short in the vote count. You could make some argument that they would not have made it into the Hall of Fame even if they didn’t have the stain of performance enhancing drugs.

But Bonds and Clemens would have been sure bets to be in the Hall of Fame, if it were not for the stain of performance enhancing drugs. Their exclusion has to be because a large portion of the voting writers believes that taking steroids means you don’t get a bust in Cooperstown.

As early as 1991, Major League Baseball took the position that steroid use was against the rules. But it was not until 2005 that MLB adopted a formal policy, began testing, and started issuing penalties.

I have to admit that I’m not a big baseball fan, but I am a Red Sox fan. You have to be if you grow up in Boston. That means my heart was broken in ’86 when the Mets beat the Sox. Roger Clemens was part of that Red Sox team. Ten years later Clemens left the team in what seemed like the twilight of his career.

But then came two incredible years in Toronto. His lights-out pitching earned him two more Cy Young awards in Toronto. I look back and wonder if this is where Clemens went down the dark path of performance enhancing drugs. When I look at fraud cases I always try to find the triggering event for when the perpetrator stepped over the line and what caused him to do so.

Clemens was acquitted of lying about his steroid use. His legal prosecution is likely over. The court of public opinion, or at least the opinions of BWAA voters, still considers him guilty.

Sometimes It Pays to Be Corrupt


Maxim Mironov of the IE Business School in Spain has some research showing that corruption can lead to success. At least it appears to be successful in Russia. Mironov devised a method for measuring a Muscovite’s “propensity to corrupt” using data on traffic accidents and traffic violations from 1997 to 2007. He then used this data to analyze the management of tens of thousands of Russian companies.

According to his research, one standard deviation increase in his “propensity to corrupt” of firms’ management corresponds to an increase in the annual revenue growth rate by 1.9%.

Mironov started with a huge database of traffic violations in Moscow, with 6.7 million violations over a 10 year period. He then mixed that together with the data on 159,000 traffic accidents, driver’s license information, and type of automobile. Using the driver’s license data, he tied in employment information for the individuals.

An average driver commits 0.115 traffic violations per year and participates in 0.003 traffic accidents per year. An average driver is 38.9 years old and has a driving experience of 3.3 years. An average person earns $6,640 per year and travels 15.2 kilometers to work.

His calculation of a “propensity to corrupt” is based on variations in the number of reported traffic violations and how that differs from the average. People with similar driving habits, similar demographic characteristics, and similar income levels should have similar numbers of reported traffic violations. But Moscow is notoriously corrupt, and traffic stops can end in an exchange of cash instead of a reported traffic violation. Mironov uses that decreased level of traffic violations as an indication that the person was willing to pay a bribe instead of taking the reported traffic violation. That measure then becomes his Propensity to Corrupt.

Assuming you agree that Mironov’s propensity to corrupt is a correct measurement, you can come to the conclusion that management’s propensity to give bribes leads to improved performance of the company. You can look at the data another way and say that corruption leads to a marked decrease in corporate performance and the economy as a whole.


Suspicious Activity Reports and Private Funds


Over the years, the Financial Crimes Enforcement Network (FinCEN) has required banks, brokers, and other financial entities to officially report suspicious activities of their customers. Investment advisers and private fund managers have managed to stay outside the requirements. In large part, that’s because a fund’s custodial accounts are already subject to self-policing, since the account is with a broker subject to the FinCEN requirements.

But changes are coming. James H. Freis, Jr., Director of FinCEN, let us know that his agency is working on anti-money laundering requirements for investment advisers. At a November 15, 2011 speech at the American Bankers Association/American Bar Association’s Money Laundering Enforcement Conference, he raised the issue and mentioned that a new rule is in the works.

Reuters is reporting that a proposed rule is likely to come out in the first half of 2013. The rule would likely address anti-money laundering concerns. Although that may be an issue for some types of funds, it’s not a concern for most private funds. Once you limit redemption rights, you make the investment very unpalatable for drug kingpins and other bad guys trying to hide their money. They are not typically patient investors looking for long term returns.

Hedge funds were thrown into the bucket of “shadow banking” and private equity firms were labeled as “vulture funds” during Romney’s presidential campaign. It looks like the federal government will continue to pile regulatory requirements on private fund managers for the foreseeable future.
