The fight against organised crime in listed companies

Organised crime groups are finding ways to use listed companies to support their activities, for example as a way of laundering dirty money or by launching cyber attacks against them. In-House Perspective assesses the risks legal teams need to be aware of and how they can ensure their business is equipped to respond.
In a recent speech, Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at UK regulator the Financial Conduct Authority (FCA), said that organised crime groups (OCGs) ‘represent the most serious threat to our markets’. Chambers explained that around 25 per cent of the Suspicious Transaction and Order Reports (STORs) submitted to the FCA by the entities it regulates, which it then uses to initiate investigations into market abuse, relate to OCGs. She added that the regulator has identified over £1.5bn in OCG profits from suspicious trading since 2022.
Ben Ticehurst, Senior Vice Chair of the IBA Business Crime Committee, says it’s ‘quite significant’ that 25 per cent of STORs relate to OCGs. ‘What we’re seeing is that there is a priority to tackle OCGs conducting insider dealing and market abuse and [the FCA has] identified it as a real problem,’ he says.
Chambers’ speech follows the launch in March of the FCA’s most recent five-year strategy, a key pillar of which is fighting financial crime. The regulator argues that cleaner markets instil confidence, which will encourage investment, growth and innovation in the UK. Before the strategy was launched, the February 2024 edition of the regulator’s MarketWatch newsletter highlighted the growing issue of trading by OCGs.
According to Imogen Makin, counsel at WilmerHale in London, the FCA’s focus on financial crime and OCGs in its recent statements and strategy ‘suggests that following on from the [2024] MarketWatch, they’re still seeing a rise or at least significant instances of’ OCG-related financial crime. She adds that from her perspective, OCG-related financial crime is a global threat.
The FCA’s Chambers commented in her speech that ‘suspicious behaviour crosses borders with ease’ and added that it’s more important than ever that the FCA cooperates with international regulators and law enforcement.
In Hong Kong, Felix Ng, Secretary of the IBA Business Crime Committee, says the jurisdiction’s regulator, the Securities and Futures Commission (SFC), is also very focused on OCG-related financial crime, particularly ‘ramp and dump’ schemes – a form of market manipulation involving trading of shares – using listed companies.
Filippo Ferri, Co-Chair of the IBA Business Crime Committee, says the use by OCGs of listed companies in Italy is part of a broader tradition of such enterprises infiltrating organisations to run businesses that look legal, but aren’t. He says listed companies can be more attractive to OCGs because they should have higher standards of control and checks by the authorities. Consequently, it’s more difficult to demonstrate that OCGs have infiltrated them. He adds that there are also larger amounts of money linked to listed companies.
Launderers, insiders and infiltrators
Ferri, who’s also a partner at Cagnola & Associati in Milan, says that one way OCGs use listed companies is for money laundering purposes, usually by working with corrupt senior figures inside the business to transfer dirty money into its accounts. From there the money will be moved to other accounts.
Ticehurst, who’s also a partner at HCR Law in London, says in the UK OCGs ‘can use FCA-regulated entities or PLCs [publicly traded companies] as part of [a] money laundering exercise’. This could be by layering and concealing the proceeds of crime from their other activities via investing. ‘It’s a way of cleaning the funds,’ he says.
Ferri says the tactic of OCGs buying shares with laundered money is referred to in Italy as second-level money laundering. He says that this crime is very difficult to prove in court because it requires evidence of the first level of money laundering and how it was escalated to the second level.
In Hong Kong, the hurdles OCGs would have to overcome to launder money through a listed company are too high to make it attractive, says Ng, who’s also a partner at Haldanes in Hong Kong. He says there are requirements to disclose information to the public, which wouldn’t appeal to OCGs – for example, being required to disclose the beneficial owner of any shareholding that represents over five per cent of the total stock.
Meanwhile, ‘insider trading is a specific point that has been flagged recently by the FCA,’ Makin explains. She says a significant number of people are currently awaiting trial for insider trading and market abuse in the UK, which is higher than it might have been in previous years. In May, for example, the FCA issued a press release stating that two individuals had pleaded guilty to insider trading.
Makin adds that sometimes ‘there’s a clear information leak from an individual’. However, finding out who it is or how they’re leaking information can be incredibly difficult because the evidence is often circumstantial.
Infiltration is another threat. Annika Andersson, Vice Chair of the IBA Securities and Capital Markets in M&A Subcommittee, says that historically in Sweden, OCGs have used people on the fringes of society to infiltrate businesses by putting them on the company board. Recently, the Swedish regulator, the Financial Supervisory Authority (FSA), and the financial police have warned they’re seeing more sophisticated people with links to OCGs entering company boards.
Andersson, who’s also Head of Capital Markets and Public M&A at Cirio in Stockholm, says the listing process for Swedish companies includes a criminal background check of the board of directors and senior management to mitigate the risk of compromised individuals holding influential positions. However, the same checks aren’t applied to directors that are appointed once the company is listed. The risk of appointing someone with links to OCGs is compounded by the fact that in Sweden the nominations committee comprises shareholders who propose new board members at the annual general meeting, proposals that are usually accepted. As such, Andersson says, it’s important for nominations committees ‘to become aware of the need to ensure the board members they propose are fit and proper in all senses’.
Market manipulation
According to Ng, many listed companies in Asia are affected by ‘ramp and dump’ schemes, carried out by OCGs in Hong Kong, mainland China, Singapore and Malaysia. He says it’s a particular issue in less mature markets, such as China, which have a higher proportion of retail investors and are therefore more vulnerable to manipulation.
Ng says these schemes require many actors, which means they’re usually carried out by OCGs. While senior employees of the company tend to facilitate the schemes, it’s usually individuals from the OCGs that are prosecuted.
In 2021, the Hong Kong regulator, the SFC, launched a joint initiative with the jurisdiction’s Commercial Crime Bureau (CCB) to tackle ramp and dump schemes. At the time, it said the scams accounted for 20 per cent of the market manipulation cases it was investigating.
In a ramp and dump scam, criminals use deceptive tactics, such as offering stock market tips to retail investors based on false news stories, to ‘ramp’ up the price of shares in that company. They then ‘dump’ their shares on other investors when the price is artificially high. The misinformation that makes these schemes possible is often spread on social media platforms.
Ng says the OCGs carrying out these schemes in Hong Kong tend to target companies listed on the Growth Enterprise Market (GEM) because they’re more vulnerable to manipulation. These are usually start-up businesses or those with a smaller market capitalisation, which are trading on the basis of predicted revenue from an innovative concept, rather than on achieved revenue based on a long track record. GEM-listed companies are less well-known than those listed on the main market, meaning retail investors are more likely to believe false stories about them.
Andersson says similar schemes – known as ‘pump and dump’ scams in Sweden – have been around for several years. Recently there have been some successful prosecutions against those conducting such activity, sometimes for the crime of market manipulation under the relevant Swedish regulation.
Manavendra Mishra, Asia Pacific Regional Forum Liaison Officer of the IBA Business Crime Committee, says that artificially inflating stock prices is common in India as well. He sees OCGs short selling stocks by creating a false rumour in the market. Short selling involves borrowing shares and selling them, hoping the price will fall. The shares are then bought back at a lower price.
Ferri says the larger Italian OCGs probably won’t conduct market abuse via listed companies because it requires a high level of control over a business, which is difficult for them to achieve.
Cyber worries
The threat of cyberattacks by OCGs against listed companies is growing, and the techniques are becoming more sophisticated. A cyberattack can be incredibly costly for a listed company, in terms of lost sales, the expense of additional advice from lawyers, technical experts and PR personnel, and in terms of reputational damage. ‘Any attack by an OCG costs a listed entity millions,’ says Makin.
OCGs could use the information they obtain from a cyberattack to carry out insider trading or to steal personal data and demand a ransom from the company before it’s returned. According to Makin, a cyberattack is ‘not necessarily always against the listed entity itself; it can be against the listed entity’s customers as well’.
Makin adds that, in the UK, ‘the FCA and other [regulators] would expect systems and controls to be enhanced to the extent they can be to protect against’ a cyberattack. She says that if a listed company became the victim of a cyberattack, the FCA may also look for any breaches of its listing rules.
Pedro Iokoi, Diversity and Inclusion Officer of the IBA Business Crime Committee, says that in Brazil there have been many instances of listed companies suffering cyberattacks. He says the Brazilian financial market has become safer because, through responding to a large number of cyberattacks, it has developed tools to manage them. He estimates the Brazilian financial system has suffered about US$4bn of losses due to cybercrime – 90 per cent by customers and only 10 per cent by banks or businesses. This is because cyber criminals often use social engineering techniques to target customers directly.
Protecting the business
Ferri says ‘the only tool [with] which you can protect the company is compliance,’ which for in-house counsel usually means the company’s liability as a legal entity. In Italy, he says, compliance in this context specifically refers to organisational models. Legislative Decree 231/2001 prescribes that legal entities must adopt organisational models to constantly check and control the way the company is run. Alongside this organisational model, the company must set up an organismo di vigilanza (ODV). This is an internal surveillance body composed of three people who control the organisational model.
Ticehurst says that in the UK, in-house lawyers at FCA-regulated entities will ‘really need to tighten up on their internal reporting of suspicious transactions’ and ensure that translates into STORs being submitted to the FCA. He says in-house training will be important too, to emphasise to employees their vulnerability to being targeted or coerced by OCGs.
In addition to the existing regulatory obligations of listed companies, from September in the UK there will be a new corporate criminal offence of failure to prevent fraud. Ticehurst says much of the activity carried out by OCGs in relation to listed companies could be considered as a fraud offence. For example, insider dealing could constitute fraud by abuse of position. If the corporate entity didn’t have reasonable policies and procedures in place to prevent that criminal activity happening in the organisation, this could be considered a failure to prevent fraud offence for which the business itself may be criminally liable.
When it comes into effect in the UK, this new corporate criminal offence of failure to prevent fraud will make crimes committed by OCGs using listed companies an issue for the whole business as well as the individuals involved. This should strengthen in-house legal’s position when advocating for a stronger organisational approach.
Andersson says a big shift in Sweden is that listed companies are not as heavily scrutinised as they used to be, meaning their listed status alone can’t guarantee their trustworthiness. ‘Not even listed companies can be trusted without any further investigation as to whether you should do business with them,’ she says.
Andersson adds that know-your-customer and anti-money laundering requirements can help a lot when deciding who to work with and recommends companies really scrutinise who they’re dealing with. ‘The structures that are taking place all over the world are quite sophisticated,’ she says, and harder to identify. Businesses will require experienced employees who can look beyond standard compliance processes to spot potential red flags.
Makin agrees it’s important for employees working in compliance to have the requisite expertise and be familiar with the specific risks the business faces and how to combat them. Importantly, she says, those risks will depend on the sector – having previous experience in a listed company won’t necessarily be sufficient. Makin adds that junior staff should be trained on the threat of OCGs, the signs to look out for and the importance of not disclosing inside information.
Mishra, who’s also a partner at Khaitan & Co in Mumbai, says it’s important to have trustworthy advisers that can help the in-house legal team assess new business partners or suppliers. He says the Securities and Exchange Board of India’s Listing Obligations and Disclosure Requirements require any material development of the company to be reported to the stock exchange. This makes it possible to investigate a company in more detail to ensure nothing is being concealed. He adds that it’s also important to consider how effectively policies in this area are being implemented. ‘Having a policy is one thing,’ he says, but ‘actually implementing it’ is another.
Iokoi, who’s also Managing Partner of Iokoi Advogados in São Paulo, says supply chain due diligence is also important in Brazil. In-house counsel should be aware of the types of suppliers and contracts they deal with. In Brazil, OCGs control certain parts of the commercial market. In-house counsel should be aware of at-risk areas of the economy, because ‘they could be financing other kinds of crimes [by] dealing with these companies’.
In terms of managing cyber risk, Makin says in-house counsel should ensure their cyber security systems and controls are enhanced on a regular basis to reflect the pace at which technology is advancing. This should be done at least annually if not every quarter, depending on the industry and the specific risks the business faces, and should be the main priority for spending on cyber risk. She says in-house lawyers should also think about how existing cyber monitoring systems are being used, whether the system is up to date and if the people using it are properly trained. ‘All of these steps will assist in mitigating regulatory action from the Information Commissioner’s Office, the FCA or another regulator if a cyberattack were to occur,’ says Makin.
Rachael Johnson is a freelance journalist and can be contacted at rachael.editorial@gmail.com