Complaint Review: MUFG Union Bank - Nationwide

[See http://www.viewsender.com/UnionBank/ for more information and to view the attachments]

I am writing to day to ask for your assistance, not for myself, but for my husband, F. Scott Dxxxxx. My husband’s right to speak for himself, his personal freedom, even his right to pursue his career have been placed under threat because he contacted Federal officials to report a crime.

I, on the other hand, am free to speak.

My husband is a well-known computer software engineer specializing in computer security, and has consulted to more than sixty organizations in the past thirty years, including NASA, ExxonMobil, Wal-mart, General Electric, American Airlines, and many others. He has assisted government agencies, including the Federal Bureau of Investigation and the U.S. Commerce Department, in exposing criminal activities and fraud. In accordance with his many assignments, he has been subjected to and passed nearly fifty background investigations. He currently holds numerous U.S. patents, and has had digital security software of national significance under study at The Citadel in Charleston, South Carolina for the past six months. He also has significant expertise in the detection of emotional changes in organization personnel likely to result in negative behaviors (OrgOptics.com). Scott is a veteran, having served our country honorably and voluntarily during the Vietnam War, who enlisted at the age of 17. Scott’s LinkedIn page can be viewed at linkedin.com/in/scottdeaver. You can see a list of Scott’s patents by typing “F. Scott Deaver patents” into Google.

To help support our family, including our two daughters, while that project is in development, in late April of this year Scott accepted a short-term contractual assignment with MUFG Union Bank here in San Diego, to provide networking and security components for communication with the two-decades-old MUFG Union Bank Oasis software system.

Immediately upon arriving onsite at MUFG Union Bank, Scott realized that the quality of the software source code, the security policies and procedures, and the software development practices were of such poor quality as to put all transactions by the bank through that system, the bank’s primary message transport, at severe risk of undetected interception and modification, known in the vernacular as “hacking”. This is Scott’s area of expertise, and one in which he has focused his work for several years.

During Scott’s brief tenure at the bank (during which he earned praise from his superiors for completing tasks quickly and well, tasks failed by previous contractors over much longer periods of time), he also learned that the bank’s culture simply would not permit any effective repairs or replacement of the defective systems. His work coincided with a Federal security audit of the bank, and he became concerned over conversations among co-workers that the intent of their work was not to implement security but to give the appearance of implementing security for the purpose of deceiving the audit. On a more general basis, no expenditure of resources was permitted without direct intervention of Japanese management on Japanese soil, and very little regard was given towards U.S. regulatory requirements.  

The source code Scott was given to work on was among the worst he’d ever seen in thirty years of practice, in terms of both quality and security. This opinion is not one of Scott’s alone – it is one that has been shared by hackers for at least the last several years, and one they have used to their advantage. Even though MUFG Union Bank is one of the smaller banks in this country (currently 21^st in size : aba.com/Tools/Research/Documents/LargestInstitutionsbyAssetSize.pdf, with about 5% of the assets of JPMorgan Chase), it and its sister banks are one of the primary entry points for hackers into the Federal Reserve and SWIFT networking systems – a few examples from my husband’s letter to the Federal Reserve in compliance with a TRO (a copy is attached):

1.bloomberg.com/news/articles/2014-12-17/chinese-criminals-blamed-for-record-japan-bank-cybertheft;

2. anonhq.com/chinese-hackers-drain-japanese-banks-millions/  

3. badbhacker.com/2015/04/bank-hacking-software-how-to-hack-bank-accounts-with-a-free-software/  

4. pymnts.com/news/2014/japanese-business-lost-2-m-in-april-2014-hack-attacks/

5. ktla.com/2016/05/03/union-bank-customers-unable-to-access-funds-process-transactions-amid-ourslong-service-outage/ *

6.bloomberg.com/news/articles/2014-12-23/chinese-hackers-target-japanese-bank-accounts

7. hbloomberg.com/news/articles/2016-05-17/global-lenders-on-edge-as-hacks-embroil-growing-list-of-banks

8. .japantimes.co.jp/news/2014/04/19/national/data-of-894-cardholders-thought-compromised-at-mitsubishi-ufj-nicos/#.V1tC57srJjU 

9.reuters.com/article/us-cyber-heist-swift-banks-idUSKCN0Y82HW 

10.hackmageddon.com/2015/01/05/16-31-december-cyber-attacks-timeline/ 

* What MUFG Union Bank has publicly spun as being “outages” were in fact the result of a well-known hacker technique where the hacker first insinuates a passive piece of malware on the system which doesn’t overtly do anything to the system itself, but instead records all of the system account, I/P address, and connection information passed to components of the system as the system is being restarted after a systemic failure (when system anti-hacker protections are non-existent or not yet launched) . The hacker then sits back and waits for a system failure to occur naturally, or as was done in this case, incites the system failure himself with a seemingly harassment-only attack.

In other words, MUFG Union Bank’s poor-quality source code and sub-standard security practices are an open door through which hackers regularly walk (as described later, with at least partial cooperation from MUFG Union Bank). As explained in later paragraphs of this letter, there are both direct and indirect financial benefits and incentives derived by MUFG Union Bank for allowing hackers pass-through access to their Federal Reserve- and SWIFT-connected accounts.  Because of the poor quality of MUFG Union Bank security and software along with the risk posed to all banking customers everywhere (the arrangement MUFG Union Bank has come to with criminal elements puts non-MUFG-Union-Bank customers, especially internationally, at far more risk than it does their own customers) coupled with the bank’s refusal to engage effective measures to compensate for the deficiencies, Scott was compelled by his own professionalism and responsibilities to contact the Federal Financial Institutions Examination Council, which he did by telephone while still employed at MUFG Union Bank. The Federal Financial Institutions Examination Council acts as a triage unit for five national financial regulatory units. During the conversation with the FFIEC, Scott was asked to send the laptop and the source code to the Federal Reserve Board of Governors, one of those regulatory units, and was given a mailing address.

Before Scott was able to honor that request, MUFG Union Bank discovered the draft letter to the Federal Reserve Board of Governors encapsulating his conversation with the regulatory agency on his work computer (MUFG stringently monitors all digital devices issued to contractors and employees). Because of his stellar work output on the MUFG Union Bank assignment specifically and because Scott enjoys an excellent reputation in the software engineering community generally (especially with respect to software security), MUFG Union Bank began their whistleblower retaliation by attacking Scott’s paychecks, hoping he would simply voluntarily walk away from what was only a short-term contract in the first place. First, MUFG Union Bank denied Scott the opportunity to work the Memorial Day holiday at regular rates, meaning he lost a full day’s pay. Then, the bank made an arrangement with Scott’s recruiter to arbitrarily deduct $1,416.94 from Scott’s already-earned after-tax paycheck, with no notice of any kind to Scott. When neither of those worked, MUFG Union Bank then directly terminated Scott’s contract on June 6, later back-dating the termination date to June 3.

Scott then followed the rules given by MUFG Union Bank’s Contingency Worker Agreement for complying with the FFIEC’s earlier request, which included notifying the bank of the request from a regulatory agency, allowing the bank time (in this case, one calendar week) to obtain an order from the court opposing the request (which the bank failed to do), and then sending the materials to the Federal Reserve by secure means on June 14 (all of this is part of the written e-mail record).

The rules for a contractor’s compliance with the request of a regulatory agency were there as a result of MUFG Union Bank’s (and its sister and associate banks’) long self-admitted history of criminal and ethical lapses before both U.S. and Japanese banking regulators, for which they mitigated some of the punishments by agreeing to put into their employment agreements means for workers to report unethical or illegal conduct.

MUFG Union Bank has been caught by U.S. and Japanese banking regulators and law enforcement agencies engaging in these criminal and unethical activities every three years like clockwork since 2001 (approximately when Japanese nationals gained control of what had previously been a U.S.-based bank, control they retain now). Here are a few examples from my husband’s letter to the Federal Reserve in compliance with a TRO (a copy is attached):

1.       2004 – Money laundering. Union Bank enters agreement to settle money laundering charges from the Board of Governors of the Federal Reserve System to correct “deficiencies relating to compliance with applicable federal and state anti-money laundering laws, rules, and regulations, including the Currency and Foreign Transactions Reporting Act, 31 C. 5311 (the Bank Secrecy Act or the as amended by the USA PATRIOT Act; the rules and regulations issued thereunder by the Department of the Treasury (31 C.F.R. Part 103); and the suspicious activity reporting requirements of Regulation K of the Board of Governors of the Federal Reserve System (the “Board of Governors”) (12 C.F.R. 211.5(k)) – see federalreserve.gov/boarddocs/press/enforcement/2004/20041019/default.htm

2.       2007 – More money laundering. “Union Bank of California, the nation’s 27th biggest bank, said Monday it will pay $31.6 million in penalties and forfeitures to settle government claims that it had been implicated in an elaborate drug money laundering scheme involving Mexican exchange houses known as casas de cambio.” See forbes.com/2007/09/17/banking-money_laundering-biz-wall-cz_nv_0917laundering.html.

3.       2007 – Yakuza crime syndicate. “The FSA in 2007 had cited Mitsubishi UFJ Financial Group Inc.’s banking unit, the nation’s largest lender, for doing business with a criminal enterprise. A subsequent company statement to the Tokyo Stock Exchange pledged to take the penalty seriously and make efforts to restore confidence and ensure compliance” (yeah, right – skip to 2013 entries to see how that worked out): bloomberg.com/news/articles/2013-10-22/yazkuza-mobsters-whacked-by-regulators-freezing-amexs.

4.       2010 – Purchasing another corruption-plagued, ethically-challenged bank doesn’t bother Union Bank. “On April 30, 2010, Union Bank, N.A., acquired certain assets and assumed certain liabilities of Everett, Washington-based Frontier Bank in a purchase and assumption agreement with the Federal Deposit Insurance Corporation (FDIC).[12] Twelve officers and corporate directors of Frontier Bank are facing a $46 million damage lawsuit filed by the FDIC.” Seebizjournals.com/seattle/news/2013/05/03/former-mastro-property-in-redmond.html. Customers loved the change:depositaccounts.com/banks/reviews/union-bank-san-francisco-ca.html

5.       2013 – Money laundering. Former Federal agent and undercover money launderer Robert Mazur calls out Union Bank of California for money-laundering and getting slapped on the wrist: nytimes.com/2013/01/03/opinion/how-bankers-help-drug-traffickers-and-terrorists.html?_r=1

6.       2013 – Yakuza crime syndicate. Enter the yakuza (or more accurately, the discovery of Union Bank’s longtime affiliation with the yakuza), the world’s largest and most profitable organized crime syndicate. Union Bank parent Mitsubishi UFJ was caught loaning millions of dollars to the gangsters via credit card loans:scmp.com/news/asia/article/1349156/mitsubishi-ufj-credit-card-unit-admits-making-loans-yakuza-gangsters. Later, the investigation widened to include general and real estate loans: ibtimes.co.uk/top-12-business-stories-2013-japanese-banks-funding-yakuza-1429671 andthedailybeast.com/articles/2013/11/27/japan-s-mega-banks-have-mega-yakuza-trouble.html. The U.S Treasury then decided to freeze yakuza’s assets here (aren’t you curious as to how those assets wound up here, and who financed their transfer?)sandiegouniontribune.com/news/2015/apr/21/us-treasury-freezes-assets-of-japanese-yakuza/. The Legend strip club in Kearney-Mesa has long been purported to be the Yakuza base of operations for the entire San Diego area, extending into Mexico: yelp.com/biz/legend-club-san-diego.

7.       Examples of yakuza hacking through Japanese banks: chicagotribune.com/sns-wp-japan-hack-ae2c1b22-3d4f-11e6-a66f-aa6c1883b6b1-20160628-story.html, http://businesstech.co.za/news/banking/128602/standard-bank-computer-was-hacked-in-r300-million-atm-fraud-hit/.

All of which leads into the current situation, and the agreement MUFG Union Bank has entered into with criminal elements in order to protect their profits at the expense of other banks’ customers (especially their international clients. To understand how, why, and to what ends this agreement was reached, you need to first understand the impossible position MUFG Union Bank put themselves in, and secondly something about Japanese culture.

As to the first, MUFG Union Bank software and systems are dependent upon technologies that are ancient at best by any modern standards. On the software side, the Oasis software suite upon which MUFG Union Bank is dependent is at least twenty years out-of-date, and on the hardware side, astonishingly enough, they still use mainframe computers… programmed in COBOL. COBOL!!! (in automotive terms, roughly the technical advancement equivalent to a 1972 Ford Pinto).

Since their acquisition by Japanese nationals, MUFG Union Bank has never re-invested anything into their infrastructure, instead returning all their profits back to Japanese shareholders. As a long-standing policy, they expend resources only to the extent necessary to minimally meet regulatory requirements, which are themselves on average a decade behind current technology. As a result, each passing year they slip another year behind the ever-increasing pace of technological advancement.

It was made very clear to Scott while he was there that MUFG fully understands the extreme cost to bring their system up to modern security requirements after twenty years of atrophy and only minimal attention. As a software engineer with thirty years’ experience, Scott guesstimates it would take twenty to forty million dollars over the course of three years’ work to bring the current system to modern standards. The indirect costs would be far greater.

For example, MUFG Union bank is unlikely to do anything to fix their systems unless compelled to do so. They are currently passing any harm from their incompetence and careless disregard on to the customers of other banks though their agreements with various criminal elements to exchange safe hacker passage through their gateways for protection of MUFG Union Bank customers. The civil and criminal prosecutions necessary to force MUFG Union Bank’s compliance, and letters like this one to get public officials to address the problem,  means there will be some kind of public information inevitably released, intentionally or otherwise, which will make hackers’ aware that a systems change has been forced. Once that is known, the vulnerability of the old systems, if not already known, will become low-hanging fruit to previously disinterested malfeasants.

The only way to solve that problem is to take the old system offline, which means leasing another bank’s more-secure transactions system or purchasing a ready-made system, either of which would be unacceptable to MUFG’s parsimonious Japanese minders.

MUFG Union Bank is highly unlikely, therefore, to upgrade their system of their own volition. Because of their longstanding protection agreements with criminal elements in Japan, there is no immediate incentive for MUFG Union Bank to do anything. MUFG Union Bank is both dependent upon, and having not kept their systems up to modern security standards, entrapped by those protections agreements.

That MUFG Union Bank has engaged in, and admitted to for purposes of settlement,  a variety of criminal behaviors involving money laundering, illegal loans to a criminal organization, and various criminal business arrangements over the course of the past two decades is a matter of both Japanese and U.S. government record. That MUFG Union Bank’s source code is of appalling quality and very poor is a matter of fact evident to any qualified software engineer with the required experience who is willing to look deep enough.

The issue of MUFG Union Bank’s protection accommodation with the yakuza is more complicated, and requires an understanding of Japanese culture, the long documented history of yakuza accommodations by both government and business in Japan, and a thorough reading of the material recently made available on the Internet as a result of the latest yakuza bank scandals emanating from Prime Minister Shinzo Abe’s anti-corruption campaign.

After his own research and analysis, Scott has come to the following conclusions:

1.       Since at least the advent of the Internet, MUFG Union Bank, its sister and parent banks, and other Japanese Banks have had a mutually-beneficial accommodation with the yakuza that has evolved with technology itself. Currently the accommodation has the rough form of a protection arrangement whereby in exchange for an agreement not to attack the client bank’s own customers and to keep non-yakuza-aligned hackers from attacking the bank’s systems, MUFG Union Bank has agreed not to voluntarily repair or close any hacker access points in their current source code that the yakuza can use to get to the Federal Reserve and SWIFT international account networks;

2.       Because the MUFG Union Bank management worldview is Japan-centric and there is so much regard for yakuza, there was a naïve expectation that the protection offered by the yakuza would extend to the US and other countries outside Japan;

3.       Believing they were therefore protected from unauthorized attack, MUFG Union Bank made a strategic decision not to invest in upgrading their security and software beyond that required to minimally meet regulatory requirements;

4.       Ultimately a tipping-over point came where the failure to keep systems upgraded to modern security standards meant that it became too expensive to ever bring those systems forward, and the relationship with the yakuza became the only meaningful defense against unauthorized hackers. The software quality and security capabilities (or more accurately, the lack thereof) became what they are today, as Scott discovered them to be when starting his assignment;

5.       However, the wishes of the yakuza one way or another have no meaning to hackers outside Japan and there is no common means other than cultural beliefs by which the yakuza can intimidate, punish, or control independent hackers – the yakuza cannot prevent other hackers from attacking anyone they wish in any manner they choose;

6.       Even in Japan, the power of the yakuza has been diminished significantly by disunity within the yakuza itself, competition from rival criminal organizations, the Japanese anti-corruption push, and the recent public scandal of the yakuza’s involvement with major Japanese banks; and

7.       Massive hacks of Asian banks and their links to the SWIFT international beginning in 2014 have caused regulators, though ten years behind in technology, to up the minimum security requirements in banking, reducing the value of the MUFG Union Bank agreement to the yakuza.

The accommodations provided the yakuza are not proactive in nature; they are in the form of passive denial of resources. In other words, MUFG Union Bank does not actively tell programmers to open up pathways for the yakuza – doing so would require an unmanageable conspiracy which could not have lasted these many decades. There are many programmers with consciences and reputations who would refuse to do that work, and who, like Scott, would turn the offenders in to the authorities. The MUFG Union Bank accommodation is much more subtle, controllable without suspicion from a top-down management hierarchy, and easy to implement. It is executed through a simple denial of resources to make any significant changes in certain key areas (such as security), under cover of budgetary or availability limitations (made justifiable by previously transferring the necessary resources elsewhere). By strict policy, all budgets and expenditures of the U.S. branches of MUFG Union Bank must be approved by Japanese managers operating from Japanese soil.

The reader is welcome to form his or her own opinions, but there can be no doubt as to the depth and duration of the relationship between Japanese banks, including MUFG Union Bank, its parents, and its siblings, and the yakuza if the hundreds of reports by dozens of reputable news organizations coming out of Japan are to be believed. Any logical opinion not including yakuza protection would have to include an explanation of how MFUG Union Bank software quality and security is as poor as it demonstrably is, and what possible benefit, if not protection, could MUFG Union Bank derive from a relationship with a worldwide criminal organization that would justify the considerable risk of getting caught (and they’ve been caught multiple times)?

With these realities, Scott’s analysis certainly explains why MUFG Union Bank has come after my husband with the ferocity and pure meanness with which they have. They could easily have simply paid him his salary as agreed and terminated his contract prematurely, which of course they had every right to do. However, that would not have solved their problem of Scott voicing his legitimate and supportable concerns to banking regulators, which he also had every right to do.  For their purposes, they (foreign nationals with a long criminal history and sordid reputation) needed to censor Scott (a U.S. citizen with no criminal history whatsoever and an excellent reputation) from his expression of his First Amendment rights. They engaged in all the acts necessary to artificially create an environment whereby they could attain the services of a sympathetic judge with little regard for free speech, or service to one’s country, or the greater good, to shut Scott up.

Although I would welcome any help you could provide Scott in the form of whistleblower protection, legal representation, funds or other resources, or even a friend-of-the-court affidavit – that MUFG Union Bank could crush a whistleblower with these kinds of brute-force tactics completely undermines any benefits of a whistleblower program to our government – the greater need is that of the general public.

There is a truly evil element to MUFG Union Bank’s bargain with the devil (whomever you might construe that devil to be) in that it provides easy pathways for hackers but diverts the risks and damages caused by the hackers to the general public (that is, non-MUFG-Union-Bank depositors) via access to the Federal Reserve and SWIFT international banking networks.

Therein lies the real need. Please, propose whatever legislation, invoke whatever law, and/or conduct whatever investigation is necessary to force MUFG Union Bank (and others like it) to provide a safe, secure and honest access to its services and all services to which it has access, without endangering anyone else or their property.

Please.

Because if you don’t, it is just a matter of time until the next major hacking success through MUFG Union Bank’s revolving door, and I never want to have to say to you or anyone else “I told you so.”

Thank you for your time and consideration.