
Op risk data: Morgan Stanley, Capital One’s data breach double trouble

Also: Citi shells out $45m for misleading stock trading info; coding clangers cost Credit Suisse $9m. Data by ORX News

Student loan firm Navient saw January’s largest operational risk loss, $1.85 billion
Photo: Andrew Kelly/Reuters/Alamy

January’s largest operational risk loss is the $1.85 billion settlement that US student loan company Navient reached with 39 US states to resolve allegations of deceptive student loan servicing practices. The company was accused of originating costly long-term forbearance plans that caused students to pay more than they should have.

Interest that accrued because of Navient’s forbearance practices was added to the borrowers’ loan balances, pushing borrowers further into debt. Had Navient provided borrowers with the help it promised, repayment plans could have potentially reduced payments to as low as $0 per month, the plaintiffs alleged.

Under the terms of the settlement, Navient was ordered to cancel the remaining balance on $1.7 billion in subprime private student loans owed by more than 66,000 borrowers. Navient was also ordered to pay the plaintiffs $142,500,000.

The settlement comes three months after Navient agreed to pay $42.5 million to investors for making misleading statements in securities offerings.


The second-largest publicly reported loss involves two former managers of Russian bank VEB who embezzled 10 billion rubles ($130.8 million) from their erstwhile employer in a fraudulent business loan scheme.

In 2009, deputy chairman Anatoly Ballo and department head Ilgiz Valitov agreed a loan with Alexander Lepikhov, head of timber-processing mill Arkaim. The bankers altered the contract so that funds would be sent to a separate company with a Swiss bank account. Loans totalling 10 billion rubles were given out between 2009 and 2012, but the timber company went bankrupt and ceased to exist in 2017.

Both Ballo and Lepikhov were in jail as of June 2021. Valitov, who had already spent time in a penal colony in 2016 after a fraud conviction, escaped the investigating authorities in 2020, and was placed on an international wanted list. He was set to be tried in absentia on January 27, 2022, at a court in Moscow.

This month’s third-largest loss involves investment company director Perry Santillo, who was convicted of fraud and ordered to pay $103 million to the US Department of Justice for operating a Ponzi scheme. Santillo’s company, Lucian Development, solicited investments between 2012 and 2018 for unsecured promissory notes and preferred stock issued by various fake entities held by Santillo and co-director Christopher Parris.

Parris was previously convicted for his role in the scheme, and, as of January 14, was awaiting sentencing.

In fourth place is UK lender Shawbrook Bank, which lost £34.7 million ($46.9 million) after the collapse of a corporate borrower due to an alleged accounting fraud. The client, Arena Television, provided equipment and services to the film, sport, music and entertainment industries. According to Arena’s administrators, an agent working for one of Arena’s lenders discovered accounting discrepancies while checking assets in November 2021. This led to the discovery that the company had fraudulently obtained £282 million in asset-backed loans from a range of banks including Shawbrook.

The fifth-largest loss is a HK$348.3 million (US$44.7 million) payment by Citi to Hong Kong authorities for publishing misleading information to potential clients in its cash equity business.

The local regulator found that traders at Citi had mislabelled indications of interest (IOIs), which are a widely used form of representation to clients with an interest in trading. The regulator attributed the misconduct to the commercial pressure faced by Citi traders to solicit more business from clients. A team of traders was dismissed in 2019, Bloomberg reported.


Spotlight: Ones and zeros add up to $9m fine for Credit Suisse

Errors in computer coding can have costly consequences, as Credit Suisse found when a US regulator hit the bank with a $9 million fine in January for failings dating back nearly 25 years.

The Financial Industry Regulatory Authority (Finra) found the Swiss bank had failed to comply with several consumer protection securities laws, including segregation deficiencies in domestic and foreign securities, improper calculation of customer reserves, and non-disclosure of potential conflicts of interest in some of its research reports.

The first error arose from a Credit Suisse system that caused the incorrect release of prime brokerage customers’ securities. The next was a system erroneously duplicating release instructions on Canadian securities. These two errors occurred 200 times daily, and had an aggregated value ranging from $21 million to $80 million.

Later, after a software update, another error occurred on the system, resulting in securities deficits involving at least 80 Canadian securities worth $388 million. A further error in the firm’s clearance system caused the improper release of Depository Trust Company securities, leading to deficits of $58 million involving 2.3 million shares of 26 DTC securities.

These coding errors led to the firm overstating its reserve debits relating to non-cash borrowing and understating its reserve credits by $1.1 billion. In addition, Credit Suisse improperly classified certain collateral shares on 20 transactions as free, when they should have been classified as pledged. It also overstated its reserve formula debits in focus reports in amounts ranging from $689 million to $4.7 billion.

Regarding conflicts of interest, Credit Suisse issued more than 20,000 research reports containing inaccurate disclosures about potential conflicts of interest and more than 6,000 research reports that omitted required disclosures. Finra also found that Credit Suisse failed to preserve more than 18.6 billion records in the required non-erasable and non-writable format. These records, dating back to 1997, included trade blotters, asset and liability ledgers, order tickets and trade confirmations.

In focus: Double trouble for data breach miscreants

Data breaches often have a double kick for offending companies: an initial regulatory fine, then a subsequent civil lawsuit with its associated penalties. Two recent cases involving Morgan Stanley and Capital One provide examples.

Last month, Morgan Stanley reached a $60 million settlement with 15 million customers in a class action lawsuit over unsafe data practices and due diligence failures. The problem occurred when a vendor, Triple Crown, failed to properly decommission hardware from Morgan Stanley’s wealth management business data centre before selling the units to unauthorised third parties in 2016. The activity meant that customer data was exposed. A similar situation occurred when the bank decommissioned other network devices in 2019.

The US Treasury’s Office of the Comptroller of the Currency (OCC) investigated the breach, and fined Morgan Stanley $60 million in 2020. In total, the bank has paid out $120 million for the failings.

In the second example, Capital One settled for $190 million with 98 million customers in December 2021, two years after a hack that exposed the personal and financial information of small businesses and individuals that had applied for credit card products between 2005 and 2019.

Between March 12 and July 17, 2019, the hacker gained unauthorised access to customer data by exploiting a firewall misconfiguration vulnerability in the infrastructure of the bank’s cloud-based servers. The complainants alleged that the firm had been negligent with the storage of their sensitive private information.

The OCC had fined the company $80 million in August 2020 for its inadequate cyber risk management processes. Several other class actions were also under way. Capital One reportedly spent $100 million improving its cyber risk management.

Both breaches saw customers’ personally identifiable information exposed. Additionally, both institutions were found to have weak cyber security controls: Morgan Stanley paid the OCC fine because of its poor data management practices, while Capital One paid for its inadequate cyber risk management.

The two cases also illustrate the time lag between the practices and the subsequent penalties, with lawsuits and settlements often rumbling on for several years.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.
