Non-compliance schemes have varied globally, as businesses (and not only financial institutions) are often the target of fraud, but they all have one thing in common - reputational damage to a business, whether greater or lesser. The latter is clearly influenced by who was behind the scheme: whether the fraud is external, where people outside the company seek to gain financial advantage through illegal activities, or internal, where employees are involved in criminal schemes.
The case of Šarūnas Stepukonis is the latter, and with its savoury gambling details, it is not surprising that this story has had such an impact on society. It is best to learn from other people's mistakes, so let us try.
Everyone suffers from scandals
Scandals, as well as „collapsed“ cases after years of litigation, seem to be found in every sector. For example, the cosmetics giant AVON has been repeatedly punished for bribery, one such example being the bribes to Chinese officials that led AVON to pay 135 million USD in fines. However, the company was later acquitted.
Most of us also probably remember one of the biggest Volkswagen scandals in history, known as 'dieselgate', when the company had to pay EUR 30 billion in fines and compensation and six of its executives were prosecuted for emissions fraud.
Do you love Tesla? Yes, both Elon Musk and Tesla have been fined €20 million. Elon himself has had to step down as chairman of the board and his tweets have to be reviewed by lawyers as ordered by the regulator.
SWIFT, without which correspondent banking, or more simply international money transfers, are unthinkable, has also been caught up in one of the more embarrassing stories of the past: a cyber-attack in which hackers attempted to embezzle almost 1 billion USD from the bank. The Federal Bank of New York "caught" the suspicious transactions by chance, as the name "Jupiter" coincided with a sanctioned shipping company, and "only" 101 million USD was misappropriated and cashed. Guess where? In the casino industry - heard of it somewhere?
In Lithuania, the biggest scandal is probably that of the Snoras bank, where billions were laundered and part of the funds were transferred to the personal Swiss bank accounts of the bank's managers, Raimonds Baranauskas and Vladimir Antonov. The examples are many and varied, but what do they teach us?
Simple recipes for regulatory compliance
Once upon a time, decades ago, reading The Economist, I wondered why AVON had hundreds of compliance officers when it was not a financial institution, but now I am not surprised at all. International trade is just as risky as payment transactions, and even if you invest in internal controls, you cannot be sure that you are doing everything really well. So, what to do? Is there a recipe to protect against external and internal risks?
Every business can and should check its "health" on a regular basis - it's like going to the doctor on a regular basis to ensure that a deep-seated disease doesn't get out of hand and is detected in time. The scope and extent of the check-ups depends very much on the specific business model, the risks inherent in that business model - the sector, the geography of operation, as well as the customer base, the involvement of management, the resources available, etc.
For example, a business engaged in international trade that operates in riskier countries - with links to China, Iran, Saudi Arabia and other similar countries - has a high risk of violating international sanctions. Businesses operating in emerging markets such as Africa are exposed to bribery scandals. The cryptocurrency sector, the real estate sector, the trade in dual-use goods such as lasers, optical devices that can also be used in warfare, art treasures such as diamonds, etc. are also at higher risk. In order to survive, businesses need to equip themselves with the necessary resources and tools and make every effort to comply with various regulations.
Of course, it is impossible to prevent 100% of everything, but effort can save a business from sanctions, so here are the most important areas where it should strengthen its "muscles".
· Assessing operational risks and identifying measures to manage them. A business needs to understand the major risks inherent in its operations and take measures to manage them - focusing management's attention and resources on those areas that are most risky. As an example, if a company is involved in the international trading of dual-use items, it must devote sufficient resources to screening its counterparties. Persons under international sanctions usually operate through intermediary companies, so such companies must understand their counterparties and make sure that dual-use goods do not go where they should not go. Obviously, most businesses do not cope with this, or they do so deliberately, because Russia has a significant amount of Western-made products used in the military.
· Ensuring resources. Businesses (and not only financial service providers) need to put in place a system of so-called three lines of defence appropriate to their size. Trust is a good and empowering thing, but control mechanisms can eliminate human error, malpractice and prevent other non-compliance situations in time.
· Company culture. I am not saying anything new - managers are role models for employees. If managers tolerate or demonstrate by their behaviour that legal requirements are unnecessary, there is a strong incentive for other employees to do the same.
· Continuous identification of "weaknesses". Regular retrospective checks should be carried out, using internal resources or external consultants, to analyse areas of the company's activities, processes, etc., based on the most risky areas identified.
· Sufficient and effective regulation of processes/activities. Non-compliance problems are common in both under- and over-regulated processes and activities, and businesses need to continuously assess their operations and internal processes to balance bureaucracy and freedom of action.
· Open communication about errors, recording and analysis of operational events/incidents. Often managers and employees are afraid to admit when they have made mistakes, which is a systemic problem that prevents them from reacting and reducing the likelihood of future errors. On the contrary, it is an important resource for identifying weaknesses, improving processes and preventing illegal activities.
· Employees training. Nothing is worse than paper-based internal processes in a drawer. Internal regulation must help manage risks and employee training must help cope with a dynamic business environment.
And yet, could Mr Stepukonis' situation have been avoided?
Yes and no. As I said earlier, there have been, are and will be scandals in all sectors, but this story highlights a number of problem areas, and there are lessons to be learnt - what we can do, as a society and as professionals in different fields, to prevent such cases from happening again. I would identify 3 key points:
1. Strengthening the supervision of the gambling sector. It is debatable whether Lithuania's national risk assessment on money laundering and terrorist financing is really correct, because the risk assessment puts banks, lawyers or notaries on a par with gambling activities, and online gambling in general is at the bottom of the assessment, below financial institutions, but it is time to acknowledge that the gambling business is a business like any other, and therefore has to assess its risks. In particular, the risk of money laundering (and terrorist financing) is one of the highest in this sector.
Let us face it, the level of anonymity and the volume of transactions in gambling activities can be much more significant than in the financial system or in the notary's office, where every transaction is recorded in a book, and therefore, in my expert opinion, not enough attention is paid to this market. Particularly in the light of international practice and the position of the European Commission, where gambling is classified as a high-risk sector, because the SWIFT case mentioned earlier and countless others prove that gambling companies do not devote the necessary attention and resources to the prevention of illegal activities.
As a concrete example, according to public sources, the Gambling Supervisory Authority has not received a single report of suspicious transactions from Olympic Casino, while in general, in the last three years, there have been between three and five such reports from gambling companies. There are now searches of gambling companies, and there is talk about the capacity and competence of the Gambling Supervision Authority to supervise gambling companies in both Lithuania and Estonia, but from my personal point of view, in order to have the necessary competences, the supervision of the prevention of money laundering and the prevention of terrorist financing needs to be done in a more centralised way, i.e. with a maximum of several authorities in this field, one for financial institutions and one for the so-called obligated entities.
2. Strengthening cooperation. The most obvious thing in this story is that the whole system did not work - even after financial institutions reported Stepukonis' suspicious transactions to the supervisory authorities and a pre-trial investigation was launched in 2022, the situation was not contained. This reminds me of 11 September, when the entire terrorist operation was financed through financial institutions. In that case, although the operations were reported as suspicious, it was only in retrospect that they were analysed and evaluated. It is a fact that the supervisory authorities do not have the resources to assess all suspicious transactions, but were Mr Stepukoni's transactions really not exceptional and should the entities that were dependent on these transactions not have been interviewed/informed of the suspicions?
3. Responsibility of market participants themselves. Every business is responsible for potential risks and must make every effort to eliminate them in a timely manner. Logically, this is not a good statistic for gambling companies, which under-report suspicious transactions, which signals a lack of focus on preventing criminal activity.
It is also clear that the internal controls were not working in the case of Stepukonis' employer, where high-value transactions were not analysed and evaluated retrospectively (could Stepukonis really have been trading in risky financial instruments in line with his investment strategy, were costs checked, etc.?). This does not necessarily mean that Stepukonis' employer did not do anything - the future will show how much effort was made to control the whole situation and whether it could have been avoided.
Every scandal has consequences and this one is no exception. The Lithuanian capital market is an evolving one, and each case has a negative impact on the financial system as a whole, on attracting investment and on consumer confidence in the market. In this case, €40 million translates into much bigger losses for the Baltic market - institutional investors will be more cautious about investing, supervisors will be more suspicious of market participants (especially alternative managers), and the public will have less confidence in funds. Unfortunately, this story, which started as one man's problem, has turned into a problem for all of us, the consequences of which are yet to be felt, but on the other hand, we have seen that the king is naked - the system is broken at all levels, and we have an opportunity to fix this.