By Sam Sheen, Financial Crime Adviser, Efficient Frontiers International (EFI)
For several years now, anti-financial crime (AFC) regulations have prohibited the operation of shell banks. A shell bank is a bank that has no physical presence in the jurisdiction where it is incorporated or licensed and no affiliation with a regulated financial group.
But what if the bank you’re dealing with is simply a “ghost”? What if it has all the hallmarks of a bank on the outside, but doesn’t really exist? More seriously, how could anyone be fooled by someone pretending to be a bank?
This summary looks at an actual case that is currently being considered by the courts. I’ve changed some of the details as the case is still pending. But the tactics used by this “disappearing” bank are very real.
Trust Structures and How Some Assets are Held
For those unfamiliar with the idea of a trust, this is a legal arrangement used to hold assets or other interests for the benefit of individuals identified as its beneficiaries.
A trust does not have a “legal personality”. This means it cannot legally own assets. A trust can’t open its own bank account, execute contracts or become a shareholder in a company. This also means that a trust can’t sue anyone to recover their assets if they have been misappropriated.
Instead, a trustee holds and administers the assets on the trust’s behalf. This is normally referred to as the trustee administering the assets for the benefit of the trust. The details of these arrangements are outlined in a Deed. The Deed will also identify the intended beneficiaries i.e. the individuals who are to benefit from the trust’s assets.
For a trust to truly be considered a trust in law and for tax purposes, the trustee must have control over the trust and its assets. So, this means that none of the beneficiaries or other interested parties can retain any control over them.
The trustee is responsible for administering a trust’s bank accounts and facilitating transactions on its behalf. The trustee is also responsible for setting up companies or limited partnerships “owned” by the trust. Sometimes, these arrangements can be very complicated, with the trustee administering a complex structure made up of several different legal entities.
A trust administrator may also provide nominee shareholders and directors for these legal entities. Sometimes, they may be the only directors appointed to an entity.
Finally, if things go wrong for one of these entities, the trustee, acting in the best interests of the trust, is also responsible for commencing legal proceedings to recover any assets that may have been misappropriated.
Now I appreciate this is a very simplified explanation of how a trust works. But my aim here is to lay out some of their relevant aspects as they apply to this case.
A Trustee, a Trust and a Beneficiary
This story begins with a trust and company services provider, i.e. a trustee (“TCSP”), which we’ll say operates somewhere in the United Kingdom. The TCSP is licensed by the local regulator and is required to comply with the UK’s AFC regulations.
The TCSP acts as trustee for the Manolo Trust. Not a great deal of information is provided about how the trust came to be created. However, we do know that the Manolo Trust is used to hold business-related assets for its beneficiaries. One of those beneficiaries plays an active role in “recommending” how the TCSP manages those assets. Let’s call him Richard.
Business Acquisition by the Manolo Trust
In 2018, Richard contacts the TCSP. He tells them he’s reached a deal to buy the shares in a new business in India. Richard tells the TCSP that he has received “advice” (most likely legal and tax advice) about how the deal should be structured. He “recommends” that the trustee arranges for a company to be formed in the UAE. The company will be operated as a special purpose vehicle (“SPV”). Richard wants the company incorporated in a free trade zone (“FTZ”).
Once the SPV is set up, it will need a bank account in the UAE. Proceeds from the Manolo Trust will be transferred to the SPV’s account. The SPV will effectively buy the shares of the business in India. The diagram below illustrates the arrangements Richard requests:
What are SPVs and FTZs?
Let’s take a step back for a moment and explain what SPVs and FTZs are and why they are being used in this case. An SPV is a legal entity created to fulfil a narrow, specific or temporary purpose. SPVs are generally used to isolate other legal entities that form a part of a group of companies from financial risk.
FTZs are designated areas within jurisdictions that offer a free trade environment with a minimum level of regulation. FTZs offer incentives and benefits to the companies that operate within them. These include exemptions from duty and taxes and simplified administrative procedures. However, these same features also make them highly attractive for illicit actors who take advantage of the relaxed oversight to launder the proceeds of crime and finance terrorism.  Some of the FTZs in the UAE where you can incorporate a company include:
- Dubai Airport Free Zone
- Fujairah Creative City
- Sharjah Airport International Free Zone
- Jebel Ali Free Zone Authority
Let’s assume the advice given to Richard to use an SPV and incorporate it in an FTZ was intended to reduce any financial risks and reduce tax liabilities associated with acquiring the business in India.
Reaching Out to Middle East TCSP
The TCSP’s regulatory licence that authorised its activities as a trustee did not extend to incorporating companies or administering bank accounts in the UAE. The TCSP therefore needed to engage the services of a regulated trust and corporate services provider in the UAE. We’ll call these folks the UAE Provider.
The TCSP contacted a UAE Provider whose website claimed that it specialised in the incorporation and administration of FTZ companies. The UAE Provider said it could assist with incorporating the SPV and opening a bank account. The TCSP engaged the UAE Provider to also act as the SPV’s sole nominee director and shareholder.
The SPV’s Bank Account
The UAE Provider recommended that the SPV’s bank account be opened with Bank X. It assured the TCSP that this was a reliable and professional bank with whom it had opened accounts for other customers. The TCSP accepted this recommendation. The UAE Provider “reached out” to Bank X about opening a new account for the SPV.
A few days later, the UAE Provider called the TCSP with great news – Bank X had agreed to open the account on short notice, on the condition that funds for the transaction were transferred to it in the next two weeks.
The TCSP, aware of Richard’s desire to complete the deal, instructed the UAE Provider to open the account, and for the account to be operated on behalf of the SPV by the UAE Provider.
The TCSP provided instructions to the UK bank where Manolo Trust’s bank account was held. It instructed the bank to make two transfers totaling £1.3 million to the SPV’s bank account with Bank X.
The TCSP contacted the UAE Provider and asked it to confirm that the funds had been received by Bank X. The UAE Provider contacted Bank X. Bank X sent payment messages to the UAE Provider confirming receipt of the funds.
Happy that all the necessary arrangements were in place, the TCSP instructed the UAE Provider to arrange for the funds to be transferred from Bank X to the business owners in India.
There Must be 50 Ways to Avoid Repaying Funds
Now the story should have ended here. But there was one problem. The business owners in India were never paid.
The TCSP contacted the UAE Provider and demanded it investigate why the payment had not been received by the owners in India. The UAE Provider called and emailed Bank X to try and find out what happened to the money. It received a variety of explanations from Bank X, which were essentially excuses, but it still remained unclear why the money had not been transferred.
Bank X used many different tactics to deflect, stall or outright lie about both its failure to transfer the funds as requested and the money’s whereabouts. Eventually, after several months, Bank X offered to write a cheque for £1.3 million in reimbursement of the funds transferred to it from the Manolo Trust bank account. But when the cheque was received by the UAE Provider, the cheque itself was drawn from an account with Bank YY and not Bank X.
The UAE Provider could not get a sensible explanation out of Bank X as to why the cheque had been issued by a different Bank. The UAE Provider then attempted to set up a different account with other banks in the UAE in order to deposit the cheque. Amazingly, none of the banks were prepared to accept it.
Finally, completely frustrated with Bank X, both the UAE Provider and the TCSP challenged Bank X to explain why it was trying to return the proceeds with a cheque issued in the name of another bank that no one would accept. Bank X responded in the only way it could – it advised both parties that due to the suspicious nature of the conduct of both the TCSP and the UAE Provider, its compliance department had ordered it to immediately close the SPV’s account.
Outcome – Watch This Space
Sadly, for Richard, the deal fell through due to non-payment. The assets of the Manolo Trust were reduced by £1.3 million and to this day they have not been recovered. The TCSP commenced legal proceedings, asking a court to have the correspondent banks involved disclose the payment instructions they received to process the transaction. It is hoped that these will give the TCSP some idea as to where the £1.3 million ended up.
The pleadings in these legal proceedings also attach Bank X’s marketing materials. They also refer to Bank X’s website and its registration as a regulated bank. I’ve googled the website and here’s some of the information found at the bottom of the first page:
Address
- Registered office: Comoros
- Phone: South Africa
- Email: Skype
- Correspondence address: Lithuania
The benefits of using Bank X listed on its website were rather revealing. They included:
- Our staff and management has common sense
- Rapid and simple way of opening accounts
- Minimum documentation are required (copies can be sent online)
- Light KYC and compliance
“Which Banks Do You work with? For legal reasons, we cannot disclose the names of establishments we work with. However, be assured that we only work with first class banks and financial institutions, which are able to offer you all the services you may require (internet banking, anonymous credit and debit cards, payment services, money transfers, company establishments etc.)”
I am not sure what “Light KYC” entails, but as soon as I read this, red flags were flying for me.
In desperation, the TCSP wrote to the Embassy where Bank X was allegedly licensed, to try and seek some assistance. This was the Embassy’s response:
Dear Madam,
There are several clear indications that you and/or your client may have been subjects of a scam.
- There are no “offshore” banks or any such similar service providers in our jurisdiction.
- Bank X does not appear on our central bank list of licensed entities which is publicly available on its website.
- Their contacts page only offers Skype communication.
- Their listed numbers are in the UK and South Africa. Nobody answers the UK number and it is diverted to a mobile.
- Their KYC is not compliant [with our regulations] as everything is processed via email as we require examination of the physical documents and face to face interviews with potential clients.
- The website corresponds with IP address: XXXXX. This address is hosted in Stockholm, Sweden and is known for hosting other dubious websites.
- Although the contact person shown on the website has a similar name to an established lawyer here in the jurisdiction, his telephone contact number is in Indonesia.
A bit embarrassing when an Embassy ends up doing due diligence for you. And by the way, I also checked around and did a bit of research of my own. Bank X uses a name very similar to a real licensed Bank. It also turns out that the email address used by Bank X looked almost identical to the real Bank, save for one letter in the email address that was different. And I discovered that the name “Bank X” is recorded as the name of a registered company incorporated in Slovakia, along with an entity using the name of the real Bank YY. Both entities were registered by the same individual.
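The checks in the Embassy’s reply, together with the one-letter email difference noted above, can be run against a counterparty before any funds move. The sketch below is an added example, not material from the case or from any party to it; every name, domain and jurisdiction code (XA, XB, XC) is constructed, and the register is assumed to have been taken from the regulator’s own public list.

```python
from dataclasses import dataclass

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Counterparty:
    name: str
    email_domain: str
    licensing_jurisdiction: str   # where it claims to be licensed
    contact_jurisdictions: dict   # contact channel -> jurisdiction code

def red_flags(cp: Counterparty, licensed: dict) -> list:
    """licensed maps entity name -> email domain, taken from the regulator's
    public register for the jurisdiction the counterparty claims."""
    register = {n.lower(): d.lower() for n, d in licensed.items()}
    name, domain = cp.name.lower(), cp.email_domain.lower()
    flags = []
    if name not in register:
        flags.append("not on the regulator's list of licensed entities")
    for lic_name, lic_domain in register.items():
        # A near-miss on a licensed name or domain suggests impersonation.
        if lic_name != name and edit_distance(name, lic_name) <= 2:
            flags.append(f"name closely resembles licensed entity '{lic_name}'")
        if domain != lic_domain and edit_distance(domain, lic_domain) == 1:
            flags.append(f"email domain is one character from '{lic_domain}'")
    elsewhere = sorted(k for k, v in cp.contact_jurisdictions.items()
                       if v != cp.licensing_jurisdiction)
    if elsewhere:
        flags.append("contact details outside licensing jurisdiction: " + ", ".join(elsewhere))
    return flags

# Constructed sample data: names, domains and codes XA/XB/XC are made up.
SAMPLE_REGISTER = {"Example Union Bank": "exampleunionbank.example"}
SAMPLE_GHOST = Counterparty("Example Union Banc", "exampleunionbonk.example", "XA",
                            {"registered office": "XA", "phone": "XB", "correspondence": "XC"})

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_GHOST, SAMPLE_REGISTER):
        print("RED FLAG:", flag)
```

An empty result only means these particular checks passed; it is not a substitute for confirming the licence with the regulator directly.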
The TCSP also wrote to the real Bank YY to see why it had agreed to issue a cheque for £1.3 million and to clarify its connection to Bank X. This is how Bank Y responded in their email:
Madam, We received your email below with the attached documents regarding Bank Y. We warn you that this is a fraud. All these documents are forgeries. They do not come from Bank Y and its employees. We do not open, and have neither any account to receive funds, since our only business activity is to grant real estate loans. These people illegally used our name to get your money. Please consider any of the information they have provided to you concerning Bank Y to be false.
What can we learn from this case?
Normally I would conclude by pointing out all the red flags in a case study, but I hope that in this one those flags are clear. I’ve chosen to summarise this case, however, for a different reason.
The major failing, as I see it in this case, is how the TCSP failed to undertake due diligence on its counterparties – the UAE Provider and Bank X. This is a classic case of forgetting that financial crime risks also arise from other parties, and not just customers.
Relying on a third party in a different jurisdiction where you have no business experience and no previous business dealings, is not only short-sighted, but is a major fail in terms of having an effective AFC compliance framework.
I used this case in a recent training exercise. Guess how many people spotted the discrepancies on Bank X’s website and marketing material? None of them. Why? Because reviewing this material is not listed as an essential requirement for KYC and CDD. And because we are conditioned as compliance professionals to assume that this material is “fluff” and therefore irrelevant. Because it’s not a CDD-related regulatory requirement, we often don’t look to it for “clues” as to the nature and purpose of a business’ activities.
Sometimes illicit actors like to hide in plain sight. We wrongly assume that because they provide a great deal of information about themselves, there must be a degree of legitimacy around their activities. And I suspect the gentleman who incorporated these entities in Slovakia was aware of our tendency to do so. Something to think about the next time you are undertaking due diligence.
I wait with great interest to see whether the £1.3 million will ever be found.
References: FATF refers to the Financial Action Task Force. The FATF is the global standard-setter in terms of the regulatory frameworks developed in jurisdictions to detect, disrupt and prevent financial crime. See: http://cc.bingj.com/cache.aspx?q=FATF+AND+glossary+AND+free+trade+zone&d=4821029688838153&mkt=en-GB&setlang=en-GB&w=Amw6EYVoitSQWeAnrEAOPijuTsI_bMPo