Lithuania: Supervisory Challenges on (Non Bank) PI & EMI Payment Activity in Centrolink

Hang On, Speedy

As highlighted in the previous post, following explosive growth, in 2020 non bank PI & EMI accounted for

• 86% of the number of transactions in Centrolink

• 69% of the total value of all transactions, and

• represented 87% of Centrolink participants.

What are the specific risk characteristics of PI & EMI business that pose challenges for the authorities?

1. Explosive growth in number and aggregate value of transactions

2. Non bank entities predominate

3. Centrolink transactions are now primarily “offshore” business in two senses:

• In the majority of cases, both sides of the payment are “outside” Lithuania, e.g., the by-order party and the beneficiary

• Up to 70% of PI & EMI clients are from offshore centers

4. Customer vetting may be inadequate given “remote” CDD (customer due diligence)

5. Centrolink is an attractive gateway to 36 countries in Europe.

6. Risk issues thus transcend Lithuania’s borders.

I don’t need to say much about the issue of explosive growth.

The more trees in the forest, the harder to find Robin or any other hoods.

As regards non bank FI’s perceived greater risk, some general comments.

The failure of a large bank or group of banks poses a systemic risk to the financial system and economy.

In contrast the failure of a money exchange firm or a payments processor (think PI or EMI) is likely to have much less of an impact.

As a result, banks are more strictly regulated and more strictly monitored than other FIs.

Non-bank FI policies and procedures, internal control systems, etc. are often less rigorous and less rigorously implemented.

Part of this is due to less developed and onerous regulations on them. No need to have as elaborate structures as banks.

Economics and size also have an impact.

The fact that monitoring is often “lighter” can also play a role: no one is watching.

We can use the 2020 Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing (NRA) to assess the risks outlined above.

Page numbers below refer to the NRA unless another document is cited.

Let’s start by looking at potential weaknesses in PI/EMI policies and procedures and implementation thereof.

Weakness in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring

According to the NRA (page 38)

Due to the fact that many of the clients are non-resident or from offshore countries, the companies have difficulties to identify the clients in reliable and independent sources. The due diligence and transaction monitoring systems are less effective than the ones used in the banking sector, as most of the businesses are new and focus on increasing clients’ portfolio instead of AML/CFT regulatory compliance. Most institutions have not yet performed organization-wide risks assessments to identify the risks based on five factors (geographies, customers, products or services, delivery channels, other qualitative risks). Next to that, not all institutions perform the retrospective transaction monitoring.

Wide ranging deficiencies across a critical set of control areas.

“Suspiciously” Low Volumes of Suspicious Transaction Reports (STRs)

The data in the annual reports of the Ministry of Interior’s Financial Crimes Investigate Service Money Laundering and Terrorist Financing Prevention Board (ML&TFPB) is more detailed and current than that in the NRA. So I’ll use that information.

Here is a link to the 2018 Annual Report. Here is the 2019 Annual Report.

And here is the 2020 Annual Report.

The tables below are based on data from these three reports.

If you know anything about STRs, you’ve probably heard that FI’s prepare these primarily for CYA purposes and generate excessive numbers that overwhelm the authorities’ ability to make use of them.

These statements are often correct.

So why am I focused on the number of STRs?

I’m not.

Rather I want to compare 

• STRs from the PI & EMI sector to that from banks and  
• STRs of each sector as percentage of transactions processed by that sector.

When a particular segment of FI’s has a relatively low number of STRs or scores low on the above two metrics, it’s not unreasonable to assume that that segment’s transaction monitoring procedures are less than robust.

If a particular institution scores low on all three measures, that’s also a red flag in most cases.

These metrics are not conclusive. There may be very good reasons for differences.

At first blush the data seems to show definite progress. The PI & EMI sector is filing more reports. Fantastic growth! 2020 is more than 18x 2018.

Their percentage of total STRs is increasing smartly.

But as a percent of the number of transactions not so good.

As a percentage of transaction made, in 2020 banks submitted 3.5x the number of STRs that the PI & EMI institutions did!

As outlined above, the PI & EMI sector certainly appears to be conducting more risky business than the banks.

It’s, therefore, not unreasonable to expect that would have a higher percent than they do.

Their actual performance confirms NRA’s assessment of weakness in the PI/EMI AML/CFT.

Let’s turn to a feature in regulations that poses a risk.

Remote KYC/CDD Allowed for PI and EMI Licensees (page 38)

PI and EMI licensees are allowed to conduct “remote” know your customer/customer due diligence.

That is, the client need not be present in Lithuania. Approval is by review of documents submitted.

This is an even greater KYC issue because PI and EMI entities’ clients are primarily non residents.

And up to 70% of them are from offshore centers. (page 38).

That is a rather large red flag.

Adding to the risk is the fact that 97% of the value of all EMI and PI transactions in 2019 was conducted for legal entities not natural persons. (page 6 of the 2019 PI and EMI Activity Review).

Positively identifying the UBOs of private companies is a difficult endeavour, even more so for those formed in offshore jurisdictions.

In contrast, Lithuanian banks have been de-risking their exposure to foreign clients by reducing foreign client relationships and deposits.

As of 2020, Lithuanian banks had the lowest percentage of foreign corporate and natural person customers’ deposits in the Baltic region at 2.5% compared to Latvia (20,3%) and Estonia (7.3%). (Page 7 and 8).

Risks Associated with SEPA

Based on the average amount of 2020 Centrolink transactions (banks Euros 3,841 and the PI & EMI institutions Euros 1,423) and the ACH/BACS-like nature of Centrolink, you might well wonder if there is a real risk of significant illicit transactions.

To the first point, these are arithmetic averages. There could quite well be some fairly large value transactions among the 95.2 million total transactions processed in 2020.

To the second, while Centrolink processes Direct Debits and Direct Credits—that are likely to be small “ticket” items—it also processes payments similar to typical bank transfers.

There are two types of these transfers:

1. A SEPA Instant Credit Transfer subject to a SEPA system limit of Euros 100,000 for each separate transaction. With promised completion (delivery to the beneficiary’s bank) 10 seconds after release! Note this timing doesn’t apply in all 36 of SEPA countries.

2. A SEPA Credit Transfer subject to a SEPA system limit of Euros 999,999,999,99. These transactions are completed at the earliest next business day after receipt.

Each bank sets its own SICT and SCT limit for each customer both for individual as well as aggregate transactions. That would include Centrolink DP’s for IDP’s they accepted as clients.

SCT limits of Euros 1 billion are likely to be rare indeed. And not just in Lithuania.

SCIT and SCT “straight” payments and likely transactions limits make it possible to move significant amounts through Centrolink into the SEPA.

Monitoring systems to detect suspicious transactions would therefore be in competition with the creativity of illicit actors to disguise them. 

The offshore nature of Lithuania payment activity makes this a harder “race”.

Non Bank “Fintech” Payment Activity in Lithuania’s Centrolink

 

As mentioned in the previous post, the Central Bank of Lithuania (CBOL) allows non bank “fintech” entities holding PI (Payment Institution) or EMI (Electronic Money Institution) license Indirect access to Centrolink.

Access is subject to

1. CBOL approval and

2. the license holder agreeing terms with a Centrolink Direct Participant.

CBOL approval is not automatic. As mentioned in the last post, as of 2019 the CBOL had restricted the activities of 18 of these license holders.

Once approved, a Lithuanian PI or EMI licensee is able to make Euro payments across the SEPA – some 36 countries. Not just the EU (eurozone) but the EU-28 and then beyond!

These licenses also automatically confer the right to offer the licensed services within the EU/EEA without further licensing requirements, including from other countries. Think of it as a “passport”.

The CBOL also requires that local commercial banks inform it whenever they refuse to open an account for a PI or EMI and the reason why. 

This is to ensure that PI and EMI license holders are not denied accounts unless there is a good reason.

Why is this important?

Two reasons.

First, it's hard to conduct business without a bank account.

Second, a local account is needed to access Lithuania's Centrolink.

Most payments in national systems (including transfers to beneficiaries in other countries) are made in “central bank” money so the entity making or receiving a payment must have a settlement account with the local central bank. In this case with CBOL.

Entities like PI or EMI license holders generally would not qualify to hold accounts at a central bank. 

So they would need to have accounts at commercial banks through which they could indirectly access the payment system.

As per Centrolink's operating rules, there are two classes of participants:

• Direct Participants (“DPs”): FIs that have an account with the CBOL and are connected to Centrolink. That means, they are able to directly input payments and receive credits from Centrolink from/to their accounts at the CBOL.

• Indirect Participants (“IDPs”): FIs that do not have an account with the CBOL and are not connected to Centrolink. That means that they must submit their payments to a DP and received credits from the system to their account with the DP. but instead have an account with a Direct Participant. (Paragraph 16 of Operating Rules).

As per the CBOL’s website, there are 19 Direct Participants, including the CBOL. Thus, from the statistics published by the CBOL there would 118 Indirect Participants.

The CBOL has also made Centrolink economically attractive by keeping payment charges low with a reduction as recent as January this year.

You can find the current list of fees at Tab IV Service Fees on the CBOL website.

IDPs no doubt pay fees to the DPs fees for the services provided them.

As demonstrated by the charts below, PI and EMI payment activity through Centrolink dominates that of the commercial bank sector both in number of and euro value of transactions

PI and EMI fintechs are also the overwhelming majority of entities participating in Centrolink. I suspect the difference between the information above and the chart below is due to difference between the dates of the reports, e.g., 2020 versus 2021.

In the next post, we will take a look at the challenges posed to the CBOL and other regulators by this activity.

If you would like more detail on what SEPA is, please see the comment to the first post.

There are No Second Acts in American Lives, Aber in Deutschland Gibt Es? (Teil 2)

 

Governor

Presidential Candidate 

Danced with the Stars

Secretary of Energy

Und jetzt ein C&W Saenger in Deutschland

And perhaps no second acts for some American lives, even in Germany.

Lithuania – Development of the Non-Bank “Fintech” Payments Sector

 

The Fintech Landscape in Lithuania 2020-2021
Invest Lithuania

If you’ve been following the news about Wirecard, you know Munich prosecutors are reportedly investigating a Euro 100 million transfer through UAB Finolita Lithuania on the suspicion that the some or all of the proceeds were transferred to Jan Marsalek, Wirecard’s fugitive Board member and CFO.

You should note and, if you haven’t, I will emphasize that there is apparently an ongoing investigation but no charges have yet been filed, nor judicial judgments issued.

As usual, the FT is keeping a close eye on developments. You are likely to find them a good source of information.

Members of the Bundestag and at least one Lithuanian (opposition) politician have criticized the Central Bank of Lithuania’s alleged “lax enforcement” and “failure to act” against Finolita.

The CBOL have vigorously rebuffed this charge.

At this stage it is premature to pronounce in favor of either of these two positions.

What we can do, however, is take a closer look at Lithuania’s non banks share of payment activity.

To see what sort of activity is taking place and assess regulatory and other risks on a macro basis.

To start, let's set the 'scene". 

As of year end 2020 Lithuania’s population was 2.8 million. As of May the estimate is 2.7 million.

2020 (estimated) GDP is some USD 55 billion which places it 80th in the world.

Per the CBOL’s 2020 annual review of banking activity as of 1 January 2021, there were 11 locally incorporated banks and 6 foreign branches operating in the country.

Despite the number of banks, the market is highly concentrated.

Two locally incorporated Swedish-owned banks (Swedbank and SEB) controlled 64% of banking assets in the country. 

Luminor Bank (DNB/Nordea) was the largest foreign branch.

Total banking sector assets were some Euros 37 billion as of FYE 2020.

According to a 2019 EBF study based on FYE 2018 financials Lithuania ranked 26^th out of the 28 states in the EU-28. In the EU (Euro area), it was 17^th.

So relatively small beer. Not a lot of prospects to expand its commercial banking sector.

A small population, modest-sized economy, and a high level of banking concentration.  

How to grow the economy?.

In 2016 Lithuania decided to aggressively pitch itself as a “fintech” center in Europe, launching a global campaign to build on prior years’ success in attracting fintechs..

It touted its multilingual, talented work force, quality of life, low taxes, low cost of living, and its “fintech friendly regulations and infrastructure”. The latter point was mentioned by 63% of respondents to a 2020 fintech survey.

In conformity with EU laws the CBOL issues Payment Institution (PI), Electronic Money Institution, (EMI) and Specialized Bank (SPB) licenses.

A PI may not hold customer funds on deposit. It makes “instant” payments.

An EMI may hold customer funds (legally not a deposit) but rather in the form of electronic money and make payments similar to a PI or issue payment instruments (prepaid cards, phone apps, etc) that allow a client to make a payment. 

Note an EMI does not issue or transact in virtual or cryptocurrencies.

Another key selling point was that the CBOL allows fintechs with PI and EMI licenses to make and receive payments through Centrolink—the CBOL’s payment system linked to the SEPA (Single Euro Payments Area).

My wiser, elder brother suggested that I not presume that readers know what SEPA payments are.  "Wise" advice. Quick summary.  SEPA is similar to the USA's ACH (Automated Clearing House) and the UK's BACS (Bank Automated Clearing System).   

Note SEPA still provides a channel for illicit activity as I hope my comment makes clear.

This is a major selling point as it gives these non bank entities access to the 36 SEPA countries, that is beyond the EU.

We will look at this topic in more detail in the next post.

By the end of 2020, Lithuania had achieved remarkable success. It has attracted a wide variety of fintechs, including major names.   

For more details download the 2020-2021 The Fintech Landscape in Lithuania from the Invest Lithuania site here.

230 fintech companies were operating in the country.

Roughly 50% have payment licenses.

Prior to Brexit Lithuania ranked #2 in the EU by the number of PI, EMI, and SPB licenses it had issued as per the graphic above.

After Brexit, it is now #1.

Think of that for a moment.

More than Germany (77), France (76), Netherlands (66), and Sweden (49).

And unlike those countries, Lithuania has a preponderance of EMI licenses.

The CBOL’s report on 2020 PI and EMI activity won’t be available until some time in July.

So we’ll have to make-do with the 2019 report.

That report discloses that in 2019 12 PI and 6 EMI licensees were restricted to payments within Lithuania and subject to caps on the amount of permitted transactions.

You will also find details there on income, market share, destination of payments, and the types of payments – cash deposits and withdrawals, automated payments, etc.  

In the next post we'll look at the share of Centrolink activity by the PI/EMI sector.

FT Exposes the “Dirty Secrets” on Infrastructure Cybersecurity

By Day Keeps the Free Market Working
By Night Redeems Children's Teeth for Cash

In this weekend’s FT Myles McCormick and Hannah Murphy wrote: “Pipeline ransom attack exposes vulnerability of American infrastructure to cyber threats”

At first glance this seemed to be “Sun rises in the East, sets in the West” article as the vulnerability of American infrastructure to cyber threats has been repeatedly “exposed”.

The Colonial Pipeline incident is not the first cyberattack rodeo in the USA as the authors note:

Since 2019, US critical infrastructure targets have suffered about 700 ransomware attacks, including 100 this year, according to data from Temple University in Philadelphia.

As I read on, it seemed more properly that the article exposed two key reasons why incidents like these occur and, thus, why infrastructure is insecure. 

Key reasons outlined below in bold. Quotes from the article in the list below each “point”.

Woefully and Criminally Unprepared

1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

2. The oil and gas sector has been criticised for lax cyber security regulation.

Governments have responsibility for being asleep at the switch on regulation. 

Though as Milton Friedman would tell you, if he could, there is no need for government regulation as the “Free” Market solves problems like this all on its own.

It’s all about the Benjamins.

1. But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly.

2. Pipeline infrastructure is largely operated by private capital, so there is often a drive to cut costs where possible.

Or, in small words, private companies avoid spending the money. 

As evidenced in the first point above, an estimated 75% of infrastructure operators. 

So it’s not the case of a few cases proving the rule about the magical prowess of the “Free” Market correct.  

But rather the overwhelming majority proving Dr. Friedman "dead" wrong.

Two further thoughts.

When the going gets tough, our national rough and tumble highly competitive private companies go running to Uncle Sugar for a handout.

1. You know them. They’re the guys who complain about welfare and how $300 a week unemployment benefits “sap the willingness of the precariat to work”.

2. While extolling how the “free” market delivers the best solutions to problems.

3. Now I’m not adverse to giving aid to those who are truly struggling.

4. Colonial Pipeline’s 2018 FYE audited report shows net profit of some US$ 470 million on total revenues of US $ 1,397 million (a very nice 33.7% net margin) and interim financials for 1Q2019 US$ 137 million in net profit (36% net margin).

5. It’s not possible to calculate a return on equity as CP has negative equity. Perhaps, due in part to a generous dividend program coupled with an earlier decapitalization (Treasury stock purchases in prior years). CP paid US $670 million dividends in 2018!

6. In light of those statistics, I think Uncle Sugar shouldn’t give them more than $299 a week lest we encourage them to slack off.

7. As you’ll note from the dearth of public information on its financials after 1Q19, CP is pretty good with keeping their financial information secure. So it’s pretty clear where their security focus is.

As to the problem being “old operational technology systems, some of which predate the internet,” having “outdated security and being difficult to upgrade”.

1. Old operational systems which predate the internet probably aren’t connected to the internet.

2. Thus, it would seem less likely to be vulnerable to hacking and capture unless miscreants were on the premises to infiltrate PLCs.

3. Analogy: If you only send snail mail, it’s unlikely that hackers are reading your correspondence.

4. In some cases if your “internet” technology or programs are “old” enough, they may be extremely difficult to hack/capture.

This is not intended as a recommendation for a Luddite return to manual or outdated systems. But rather as a counter to the “old systems” defense.

It is to repeat myself “all about the Benjamins”. 

It is a "tried and true" method to motivate folks who focus on money by "threatening" them with large fines and loss of their license to conduct business.

Profoundly Disturbing FT Article on Bitcoin and the Environment

Asleep at the Switch

 

Katie Martin and Billy Nauman had an extremely scary article in the FT on Friday 21 May.

While the main point of the article was about the amount of energy used to mine Bitcoin and its impact on the environment, it was this quote that sent the real chill down my spine. 

Tesla chief executive Elon Musk has highlighted the environmental impact of cryptocurrencies. Amid calls from climate activists for tighter rules, governments and central banks are starting to take notice.

So what the FT seem to be saying is that absent the Technoking’s statement and that of “climate activists” –who by the way have been ignored for years--, governments and central banks would still not have “taken notice”.

Thus, our fate apparently depends on the random tweets of celebrity businessmen, including one who actually thinks cryptocurrencies are investable assets and whose statements have a volatility mirroring that of Bitcoin. 

Did I mention that he has an (indirect) economic interest in a portfolio of some US $1.5 billion (cost) in Bitcoin?

Just the sort of chap one would go to for wise counsel.

What a damning statement on several levels about the official entities whose remit is, as we are told, to look out for us!

Unclear as to whether we should ascribe this sorry state to attitude or aptitude.

Or perhaps more likely to both.

This is not the only example of such behavior.

We’ve seen another just this week.

After the ransomware attack on Colonial Pipeline, the US House of Representatives “sprang” into action. Given the prior somnolence, it must have been quite a “leap”. Olympic at least.

The House Homeland Security Committee—as aptly and ironically named as the House Select Committee on Intelligence—apparently just discovered that cyberattacks and hacking pose a national security threat. 

It has in the words of the Committee’s Chairman brought a “new urgency to our work”.

Given repeated past cyberattack incidents and a manifest failure to act, it may be appropriate to remove the word “new” from the Chairman’s statement.

Otherwise, the unwary reader might be tempted to think that there was some urgency in the past.

Having made this criticism, if you’re the faithful reader of this blog, you know that I try to be fair.

I should, therefore, acknowledge Congress’s achievement in reducing pollution through the prevention of the burning of the USA flag. Achieved without a constitutional amendment or even legislation!

And I think we can be almost certain they will “stand tall” to prevent plant-based substitutes for the hamburger and beer.

So, perhaps, all is not lost.

Just most.

CryptoCurrencies – The Manifest Absurdity of the Stablecoin

 

Just the other day, there was an article in the FT about "stablecoins" describing them as a "link" between traditional curriencies and cryptocurrencies.

There is quite a lot of manifest absurdity in the world these days, economics, politics, and matters financial.

To set the stage for today's exploration, a review of the "logic" for cryptocurrencies.

Proponents argue that:

1. Government-issued currencies are not "backed" by real assets. e.g., gold.

2. Governments can therefore issue as many "fiat" currency notes as they wish. Thus eroding value via inflation.

3. Electronic payments made with "fiat" currencies are subject to (a) surveillance and (b) seizure by pressumably intrusive and untrustworthy governments.

Cryptocurrencies are the "answer" because:

1. They are created by private sector entities and thus free from the "malign" behaviour of governments.

2. A key assumption (delusion) here is that private sector entities' honesty is beyond question.

3. While like fiat currencies cryptocurrencies are not backed by real assets, their value depends on and is obtained through the operation of the market.

4. A key assumtion (delusion) here is that the "market" never misvalues an asset either because of irrational exuberance, manipulation, market failure, etc.

5. Electronic payments made with cryptocurrencies are immune to (a) surveillance and (b) seizure by those presumably malign and untrustworthy governments.

6. A key assumption (delusion) is that movement via a trading platform from "fiat" currencies to "cryptocurrencies" and vice versa is not subject to (a) surveillance and (b) seizure by untrustworthy and malign governments.

7. Elliptic a blockchain/crypto security company claims to have traced Colonial Pipeline's ransom payment to a BTC wallet to which apparently other such payments were directed. And then payments out of that wallet.  Another delusion hits the wall.

So now to the "stablecoin"

1. Having trashed "fiat" currencies as unreliable and potential unstable, some stablecoins offer the investor the proposition of indirectly holding "fiat" currencies, e.g. tether.

2. In such cases, the stablecoin claims to hold one unit of fiat currency for each unit of cryptocurrency. So let's get that straight. It's backing its "currency" with the "real" asset of a "fiat" currency. But with the holder of the stablecoin assuming the risk of the intermediary between the Central Bank issuer of the fiat currency.  

3. Some stablecoins are tied to bitcoin or other sh*tccoins. Exactly how the underlying volatility of those "assets" is managed is no doubt a combination of "naive belief", "magic", and derivatives. The latter being the last (valuation) refuge of scoundrels and conmen.

4. Some stablecoins can in the words of Celsius pay interest 100X what one can earn in the bank market for fiat currencies. As of August 2020, capable of earning up to 16% per annum!

5. A key assumption (delusion) is that such returns make economic sense from investing in a non-productive asset. At least Tesla has a "real" business selling emission credits to third parties, even though that market appears to be shrinking!

So let's look a bit closer at the first class of stablecoins – those "tethered" to a fiat currency.

As background, here's a link to the settlement agreemen effective 18 February 2021 between the NY State Attorney General and iFINEX INC., BFXNA INC., BFXWW INC.,TETHER HOLDINGS LIMITED, TETHER OPERATIONS LIMITED, TETHER LIMITED, TETHER INTERNATIONAL LIMITED.

The pattern of behaviour recorded in the settlement agreement should demonstrate the fallacy of several of the assumptions (delusions) cited above.

It should also demonstrate the additional risk that such entities face in obtaining the services of creditworthy financial institutions.

When one is forced to deal in the “odd and out of the way corners” of financial markets, with undercapitalized institutions in less than ideal jurisdictions, including non banks, one’s business is subject to greater risks.

And those risks ultimately flow to the “wise” investors who have placed their funds with “one”.

Bitfinex is a cryptocurrency trading platform that allows its clients to trade between fiat and cryptocurrencies.

Tether is a stablecoin which claims to hold one US dollar in reserves for each “tether” issued.

It is by most accounts the “largest stablecoin in the cryptospace”!!!!

The companies are related parties.

Initially, Bitfinex and Tether worked through banks in Taiwan that had correspondent relationships with Wells Fargo Bank. In early 2017 WFB stopped processing transactions for Bitfinex and Tether.

In June 2017 Bitfinex opened an account with Noble Bank International Puerto Rico.

NBI was formed under Act 273 of Puerto Rico which provides for the creation of offshore financial entities. Such entities enjoy tax benefits and may not offer services to residents of Puerto Rico. They must have a minimum capital of US $5 million of which US $250 thousand must be paid in, and four employees.

Just the sort of financial “institution” one might think a good place to plunk down US $500 million of one’s “spare” change. Or more precisely one's customers' hard earned money.

Tether for its part kept its US dollar reserves at the Bank of Montreal but the account was in the name of its attorney.

Presumably, that was because BoM didn’t want to “entertain” an account from Tether.

Until September 2017, Tether (or more precisely its attorney) held some USD 61 million in that account. At that point some 442 million tethers (worth US $442 million) were in circulation. 

Even without a calculator you should be able to determine that the "collateral" coverage was less than 1 to 1.

During that time Bitfinex held US $382 million of Tether’s funds in its account.

After 15 September Tether opened an account at NBI and Bitfinex transferred the funds to Tether’s account.

Between 2018 and 2019, Bitfinex had problems finding an FI willing to handle its transactions.

So it turned to Crypto Capital in Panama to hold its funds.

By 2018 CC held some US $ 1 billion of Bitfinex's funds or more accurately its customers' funds.

No doubt it sounded like a great idea to plunk down US $1 billion in a non bank.

What could possibly go wrong?

Bitfinex's contact there was "Oz Yousef" or just "Oz".

I'd hasten to add that it's not clear from the settlement agreement whether Oz was a wizard or not.

Oz responded to Bitfinex's subsequent requests for its funds with a variety of excuses as to why the funds couldn't be moved.

Bitfinex nevertheless continued to direct new clients to remit funds to CC!

Apparently when you've got a guy like Oz handling your money, you can't let a few bumps in the road disturb the relationship.

During the summer of 2018, Bitfinex "borrowed" US $ 400 million from Tether.

Oz still was holdiing on to CC's money.

The two entities relationship with NBI was terminated and funds shifted to Deltec Bank Bahamas.

Bitfinex repaid Tether's initial US $400 million "loan" by redeeming an equal amount of Tethers.

Oz still wasn’t releasing Bitfinex’s funds.

2 November 2018 Tether remitted US $475 million from its account at Deltec Bank to Bitfinex’s account at Deltec bringing the total “loan” to some US $ 625 million.

In February 2019 Tether updated its website to state that “[e]very tether is always 100% backed by our reserves, which include traditional currency and cash equivalents and, from time to time, may include other assets and receivables from loans made by Tether to third parties, which may include affiliated entities (collectively, ‘reserves’).”

Tether did not announce that it had changed its disclosure, and indeed there were no media reports about the change until several weeks later on March 14, 2019.  

It also did not provide a breakdown of its "reserve" holdings which would have shown that the bulk of these were in the form of loans to Bitfinex.

Subsequently, Bitfinex and Tether agreed a “credit” agreement under which Bitfinex could “borrow” up to US 900 million of Tethers funds (the supposed reserves for Tether). This appears to be part of a “regularization” on an existing US $625 million existing loan.

As of the date of the settlement agreement, Oz still hadn’t released any of Bitfinex’s cash or as noted above more precisely Bitfinex’s customers’ cash.