Anonymous shell companies rising

Criminals have learned, through trial and error, that anonymous shell companies can pass scrutiny. Authorities and entities don’t question them, the fraudsters blend in and they don’t appear to be risky. They represent the next big sale, the new low-cost supplier or the helpful business agent. And organizations are eager to work with them. It’s time to start reversing this trend.

In 2014, Mt. Gox, the top bitcoin exchange at the time, collapsed because scores of customers found they couldn’t withdraw funds. Why? Because hackers had pilfered 650,000 bitcoins, then worth 4.5 billion pounds. Now, according to a BBC article by Geoff White, investigators say almost half of the stolen coins ended up at the rival exchange BTC-e, supposedly run by a British company called Always Efficient LLP.

According to the BBC, Duncan Hames, director of policy for Transparency International (TI), said Always Efficient is likely a shell company.

“People laundering money will set up a network of companies to create layers between the original crime and their attempts to then integrate the proceeds of their crime into the economy,” he said. “They simply enable a series of transactions to take place to create this distance and to obscure the trails of the proceeds of crime.” (See UK company linked to laundered Bitcoin billions, by Geoff White, March 7, BBC News.)

“Fraud is inherently hidden.” This has been a primary lesson for anti-fraud professionals since the inception of the ACFE. The ACFE founders, faculty and members have said it countless times. The message is simple: Concealment is a primary tool of a fraudster. Without concealment, frauds would be easier to identify, and the risk of getting caught would be elevated. Therefore, a search for and awareness of concealment techniques must be components in every fraud examination. The better we are at identifying concealment red flags, the better we’ll become at unravelling complex fraud schemes.

We see concealment all the time. From false documents to forged signatures, doctored emails to destroyed evidence — fraudsters are always looking for ways to make their frauds appear normal, unassuming and routine.

Fraudsters have primarily focused these time-tested techniques to conceal their acts but with less emphasis on disguising their identities. But if they could also become anonymous, how large and complex could they make their fraud schemes? We have our answer in the ever-increasing number of global cases, prosecutions and regulatory penalties involving shell companies. The anonymous shell company has become criminals’ premier vehicle of choice when they conceal frauds and identities.

Concealing identities with anonymous shell companies

Shell companies aren’t necessarily illegal to form or operate. They’re normally legal or incorporated entities that have little to no assets, few to no employees and generally lack physical presences or locations of operations. Companies can use them as holding companies or to secure and safeguard future interests, such as forming a legal entity years before they expect to conduct actual activities.

True owners and decision-makers of a shell entity can lessen third-party risks if they make the entity known and identifiable. However, when they structure an entity within a network of nominee shareholders and directors (shareholders and directors in name only with little to no actual control) from multiple foreign jurisdictions, and the true beneficial owners and operators are unknown, the shell entity begins to take on an anonymous structure and considerably more risk.

From corruption to cybercrime, anonymous shell companies are the premier linchpins in most large-scale international fraud, crime and corruption cases. They not only provide anonymity and concealment but decrease the likelihood of detection from regulators, law enforcement, fraud examiners and auditors.

In a sea of vendors, customers and suppliers, these anonymous third parties blend in and conform so they don’t draw attention while hiding their true purposes from unsuspecting individuals, governments and organizations. Whether we refer to them as “front companies,” “sham companies,” “fictitious entities,” “pass throughs” or “anonymous third parties,” their owners’ motives and purposes are generally the same — to conceal.

Where are owners of anonymous shell companies using them for fraud?

Many anti-fraud professionals might think anonymous shell companies are simply interesting components of a spy movie or sound bites in the nightly news broadcast about some far-off global corruption scheme. However, a closer look into recent U.S. Department of Justice press releases and headlines from major news organizations tells a different story; entities are using anonymous shell companies much more frequently, and more organizations appear to be falling victim to their schemes.

Here are some of the categories of schemes and crimes where entities have used anonymous shell companies in just the last few months:

• Bribery and corruption.
• Money laundering.
• Kickback and payoff schemes.
• Trade-based money laundering.
• Scams (romance and lottery).
• Securities and investment schemes.
• Organized crime.
• Drug trafficking.
• Financial statement fraud.
• Bank and loan fraud.
• Mortgage fraud.
• Tax fraud and evasion schemes.
• Human trafficking.
• Contract fraud.
• Embezzlement.
• Illegally procured and faulty products.
• Terrorism and terrorist financing.
• Weapons proliferation and arms trafficking.
• Health care fraud.
• Sanction evasion.
• Immigration fraud.
• Kleptocracy (theft of state assets by government officials).
• Fictitious supplier schemes.
• Conflict minerals and smuggling.
• Cybercrime.

The volume of losses via anonymous shell companies is staggering. The resulting fines and penalties are even larger. Nearly every type of industry, individual, financial institution and government entity is vulnerable to these shells. Even more alarming is that few systems and controls appear to be able to detect or prevent their usage.

These cases provide glimpses into how widely entities are using anonymous shell companies and why organizations must do more to detect and prevent them:

1. In 2016, China ZTE received a record $1.2 billion fine for breaking U.S. sanctions. ZTE actively deployed an internal scheme to evade sanctions by using shell companies. (See China’s ZTE Set Up Shell Companies to Evade U.S. Trade Rules, Documents Say, by Jeff Sparshott, The Wall Street Journal, March 7, 2016.)
2. In 2017, the owner of a Florida pharmacy pleaded guilty in a $100 million compounding pharmacy fraud scheme. The fraudster forfeited real estate properties, cars and a 50-foot boat. (See the U.S. Department of Justice release, Nov. 6, 2017.)
3. SBM Offshore N.V., a Dutch-based group, which sells systems and services to the offshore oil and gas industry, settled a U.S. bribery case for a penalty of $238 million. SBM also made direct payments to government officials of other countries via bank accounts and to shell companies beneficially owned by those officials or associated intermediaries even though these companies provided no services for SBM. (See the U.S. Department of Justice deferred prosecution agreement.)
4. Former banker Fabien Gaglio confessed to running a $100 million Ponzi scheme and was sentenced to 12 months in jail. But those who’ve been investigating him since his release point to a larger series of crimes and a complex network of shell companies utilized by corrupt politicians and organized crime. (See He Stole $100 Million From His Clients. Now He’s Living in Luxury on the Côte d’Azur, by Liam Vaughan, Dec. 17, 2017.)

Why are anonymous shell companies gaining ground?

Entities are using anonymous shell companies to help facilitate enormous public and private losses. But why are they gaining so much ground? We can’t attribute it to a single failing of a law or to a specific flaw in a particular process. They’re a direct result of several converging and compounding factors that are increasing the ease of using shell companies while decreasing the probability of detection.

Overall lack of awareness

I’ve often said, “If you don’t know what you’re looking for, how will you know when you’ve found it?”

... a simple Google search for offshore incorporation in the United Arab Emirates yields hundreds of service providers willing to help you open up an offshore company quickly and easily.

Every department that interacts with third parties should be aware of the risks and red flags of anonymous companies. However, most employees are completely unacquainted with the risks of shell companies, how fraudsters could deploy them in and against their organizations, and the red flags anonymous shell companies display.

Most organizations are required to vet their possible third-party business relationships against U.S., United Nations, EU and other sanction registers and blacklists. These sanction lists might include specific narcotics or terrorist organizations. The groups issuing the lists might prohibit conducting business with entities associated with Iran, North Korea and certain Russian government officials. Sales personnel, when performing due diligence, should be aware that individuals and organizations on these lists routinely use shell companies to bypass sanction due diligence so they can continue their crimes and schemes.

Overreliance on due diligence activities and controls

Most organizations rely on third-party, due-diligence services and due-diligence questionnaires to help vet new customers, vendors, suppliers and business agents and ensure these new partners aren’t bad actors or sanctioned individuals. However, many due-diligence services focus on negative information hits, registered legal matters and positive hits on sanction list databases. Newly formed shell companies lack many of these red flags, so due-diligence services might approve them for business relationships when they shouldn’t.

Many due-diligence controls might not identify third parties who lie on questionnaires, provide fictitious concealing information, and don’t have negative histories or any reportable histories. These are but a few of the methods of concealment used by shell companies.

Organizations might also be concerned about entities from high-risk countries based on the TI Index. However, the riskiest entities might be incorporated in countries such as Canada, the U.K. or even the U.S. According to numerous media reports, law enforcement officials have found that shell companies formed in these supposedly less-corrupt jurisdictions have been associated with countless crimes.

According to TI researchers, just a handful of shell companies located at a few addresses accounted for more than 52 major corruption cases totaling more than $105 billion. (See Revealed: Britain’s Own Applebys and Mossack Fonsecas at the Heart of 52 Global Corruption Scandals, by Dominic Kavakeb, Transparency International.) Therefore, as an example, an organization might want to consider a U.K.-registered company providing consulting services in South Sudan as a higher risk than a South Sudanese company operating in South Sudan.

Technology is an enabler

Would-be fraudsters who wanted to deploy shell companies 30 years ago as part of complex schemes would be limited to how far they could drive or fly, or whether they could find co-conspirators via phone calls. Now they can develop and create complex anonymous networks quickly and easily.

Faster computers and enhanced software coupled with internet banking, online companies that can quickly incorporate businesses, mail forwarding services, virtual offices and quick website development allow fraudsters to create anonymous shell company networks that appear so legitimate that they can pass due-diligence screening processes without exhibiting a single red flag.

For example, a simple Google search for offshore incorporation in the United Arab Emirates yields hundreds of service providers willing to help you open up an offshore company quickly and easily. Once registered, the new shell company can then incorporate another shell company in Panama through another list of online incorporation providers. Try doing that three decades ago.

Compliance programs built on minimal guidance from regulatory bodies

Most regulations involving anti-corruption compliance, due diligence and internal controls are rooted in the premise of “minimum requirements.” Government regulators work carefully to balance enforcement requirements while also trying to reduce the financial impact of complex controls and countermeasures.

Unfortunately, minimal controls are unable to contain the risks of engaging with anonymous shell companies. Government regulatory requirements around the world haven’t caught up with how fraudsters and criminals are operating. Bad actors know they’re on sanction lists, so they use anonymous shell companies to bypass these lists. Yet regulatory requirements for organizations continue to rely heavily on sanction screening with few mandatory additional verification steps. The result is that many organizations are simply looking for ghosts — sanctioned entities that no longer exist. And due-diligence programs might be providing a false sense of security in reducing interaction with high-risk third parties.

In February, an Iranian airline that was under U.S. sanctions was able to procure U.S. jet parts via shell companies in Turkey. These shell companies, which weren’t on any sanction lists, concealed the ultimate Iranian beneficiary, Mahan Air. (See Iranian Airline, Under Sanctions, Bought U.S. Jet Parts Through Front Firms, by Ian Talley, Feb. 19, The Wall Street Journal.)

Weaknesses in incorporation regulations and beneficial ownership information

Many global jurisdictions knowingly and unknowingly help to create incorporation requirements that facilitate the concealment of the true beneficial owners of a company. In some countries, the only documented linkage to the actual owner of an entity is a “paper-bearer” certificate. (The holder of the certificate owns the company.) Other nations allow listings of nominee directors, agents, proxies and even other shell companies as directors, officers and shareholders while the real beneficial owners can remain anonymous.

Increased use of corruption brokers and professional third parties

Investigative reporting by organizations such as the International Consortium of Investigative Journalists and the Organized Crime and Corruption Reporting Project have helped to show that international fraudsters and criminals are getting a lot of help from third parties, many of which have legitimate business operations.

These third parties help bad actors facilitate the appearance of legitimate operations via shell companies. The investigative journalist report, The Bribe Factory, released by the Huffington Post and Australia’s The Age in 2016, chronicles how one company in the Middle East brokered hundreds of bribery deals around the world. The revelations have spawned numerous investigations globally and have resulted in several convictions to date. (Also see Investigating Common Fraud Schemes in the Middle East, by Emily Primeaux, CFE, Fraud Conference News, March 2.)

The multi-jurisdictional complications for identifying and arresting offenders

The complexity of an anonymous shell company network’s fraud scheme is only rivaled by the international complexity of getting all foreign jurisdictions and law enforcement agencies on the same page to cooperate. This is nearly impossible, and bad actors know this. Proliferation of hops and touchpoints originating in foreign countries further disperses evidence that fraud examiners could use to build a case against any wrongdoers and co-conspirators.

The Unaoil bribery case, which first came to light in the summer of 2016 and is still ongoing, spans from the U.K. to Australia, to the U.S. and the Middle East. Incorporation and financial records, third-party witnesses, electronic information and potential bad actors are spread across the globe. (See The Bribe Factory.)

Which jurisdictions or agencies have standing? What laws take precedent? Who’s in charge? These are just some of the initial complications of investigating a shell company scheme with international touchpoints.

A case becomes even more complex when prosecutors have to prove that those who’ve incorporated shell companies actually intended to engage in bad acts. Intent is one of the premier components for proving any fraud case in court. The use of anonymous companies through multiple jurisdictions helps to create obscurity and ultimately weaken knowledge and intent of the involved parties.

Owners of anonymous shell companies can use them for numerous frauds.

Why should organizations be concerned?

Anonymous shell companies and their associated risks should be a concern for all legal and compliance professionals, internal audit executives, boards of directors and executive management. These proverbial wolves in sheep’s clothing are designed to bypass our internal controls and invalidate our checks and balances. They present an inherent vulnerability to all organizations — across all industries and geographic regions.

At minimum, anti-fraud professionals at all levels, including management, should ask five questions to gauge organizations’ risks to anonymous shell companies:

1. Are the employees in our critical departments aware of this risk? These include legal and compliance, internal audit, procurement and sourcing, accounts payable, trade compliance, treasury and finance, tax and corporate planning, mergers and acquisitions, human resources, and sales and marketing.
   
   
2. Where are we vulnerable to anonymous shell company risks? These include vendors, suppliers, business partners and agents, customers, wholesalers, shipping/receiving companies and vessels, joint ventures and partnerships, mergers and acquisitions, sale and purchase of corporate assets, employees, contractors and beneficiaries..
   
   
3. What are the financial, regulatory, operational, legal and reputational risks of engaging with anonymous shell companies?
• Direct and indirect financial losses and investigatory costs.
• Significant reputational and brand damage for knowingly or unknowingly engaging in business transactions with entities controlled by corrupt politicians, organization crime, drug cartels and terrorist networks.
• Loss of operations and sales activities from conducting business with sanctioned entities via shell companies.
• Shareholder lawsuits over fiduciary responsibility for failing to safeguard an organization’s assets.
• Employee and customer lawsuits derived from poor product quality and defects impacting customer safety and customer sentiment.
• Lack of legal and financial recourse if the third party is a shell company. Who do you sue or audit?
4. What are we doing to prevent and detect anonymous shell companies?
• Are we running any analytics?
• Do we compare where we’re sending and receiving funds with the location and incorporation of the third party?
• Do our auditors and compliance professionals have steps in their responsibilities to identify possible shell companies?
• Do we have any checklists or guidance for our sales and procurement staff to help identify a potential shell company?
5. What improvements can we make to prevent and detect anonymous shell companies and mitigate their impact on the organization? 
• Increase awareness and training for key roles by, for example, internally communicating key government alerts and government cases involving shell companies.
• Enhance processes and procedures to identify red flags of anonymous shell companies, such as identifying companies with offshore bank accounts that can only be contacted via free and anonymous email services with addresses such as @google.com or @yahoo.com.
• Enhance due-diligence questionnaires to ask better questions by, for example, mandating the listing of officers and directors with their contact information and the location of the bank account and the website address, to name a few.
• Implement enhanced due-diligence activities and monitoring of all third parties by deploying high-risk entity analytics that focus on shell-company red flags.
• Deploy data analytics to detect previous and/or current high-risk entities.

Beware the wolves in sheep’s clothing

The headlines are many, and the costs are significant. Fraudsters, criminals and bad actors have found weaknesses in our internal controls. The weaknesses begin with organizations not even knowing the risks are present. Criminals have learned, through trial and error, that anonymous shell companies can pass scrutiny. Fraudsters know authorities and entities won’t question them; they’ll blend in and won’t appear to be risky. They represent the next big sale, the new low-cost supplier or the helpful business agent. And organizations are eager to work with them. It’s time to start reversing this trend.

Governments need to pass beneficial owner legislation. Regulatory bodies need to update compliance standards and expectations for organizations. Compliance and consulting organizations need to develop more tools to identify anonymous shell companies. Law enforcement organizations need to work to aggregate and highlight known facilitators of corruption. Organizations need to improve controls and deploy more analytical tools to detect and prevent high-risk business transactions. And anti-fraud professionals — from compliance counsel to auditors — need to promote awareness and training to help improve internal control environments.

Only together can we help prevent anonymous shell companies from continuing to rise.

Former ACFE Regent Ryan C. Hubbs, CFE, CIA, CCEP, is the global anticorruption and fraud manager for Schlumberger Limited based in Houston, Texas. He’s a member of the ACFE Faculty. Hubbs was the key developer of Ernst & Young’s high-risk entity analytics program. His work in this area predates the Unaoil, Panama Papers and Paradise Papers revelations of 2016 and 2017. Reach him at: rhubbs74@gmail.com.