A Brief History of Fraudulent Activity on the EU-ETS

The following blog entry was written while performing research for a Vital Signs report on Carbon Markets. To learn more about Worldwatch’s Vital Signs click here.

The European Union’s Emissions Trading Scheme has been under public scrutiny over the past couple weeks after officials found that cyber-criminals had breached security on its registries to steal and sell $40 million worth of carbon emissions permits. The breaches forced the European Commission to suspend trading on the EU-ETS for two weeks so that it could reexamine its regulatory strategy before finally reopening on February 4th.

The fraudulent activity involving the EU-ETS has primarily economic, rather than environmental, ramifications. The environmental integrity of the cap – the scheme’s ability to contain carbon dioxide emissions – has not been compromised. Only when governments generate more permits or regulators fail to correctly measure emissions from regulated sources is the cap compromised. Rather the effect of the events is to cripple trader confidence and raise transaction costs in a way that undermines the economic efficiency of the market.

Because EU member states wanted to maintain sovereignty over their fundamental institutions when the EU-ETS was implemented in 2005, the European Commission set up an emissions trading scheme with carbon permit registries in each member country, meaning that there are now 30 semi-independent registries (including non-EU member states) across Europe that keep track of trading and ensure the credibility of the carbon permits.

Consequently, the EU-ETS effectively operates as 30 linked carbon markets. As a policy mechanism for establishing a price on greenhouse gas emissions, one of the theoretical advantages of carbon markets is the potential for local and regional schemes to be linked up to form a global, more efficient, market. Well-publicized security breaches do few favors to those hoping to develop such a system.

VAT Fraud and ‘Phishing’ Scams

Despite receiving widespread attention only recently, fraudulent activity has been a problem for the EU-ETS since 2008, initially in the form of Value-Added Tax (VAT) fraud. In some European countries, governments treat carbon permits as a taxable consumptive good, and so those governments place a tax on the transfer of carbon credits called a value-added tax. Criminals found a way to exploit the tax-code variation among countries by opening trading accounts, buying permits in countries without a tax and then selling them in countries with a tax. Through repeatedly buying and selling the permits, criminals generate large amounts of money from the VAT that they then disappear with before the VAT is collected.

As countries have modified their tax codes, trading volume between countries with and without value-added taxes have since dropped as much as ninety percent. The European Law Enforcement Agency (Europol) still estimates that VAT fraud from carbon trading has caused as much as €5 billion worth in damages to European taxpayers, and the problem continues. Most recently, Italian police are investigating a carbon trading volume spike with suspected VAT fraud motives that occurred in November 2010 on Italy’s own energy market. The tax revenue lost due to VAT fraud from carbon trading represents only a small fraction of the tax revenue lost due to VAT fraud in Europe, however. A 2007 report published by the International VAT Association estimated that VAT fraud causes €60 to 100 billion in losses to European taxpayers each year.

Another more recent tactic for swindling money from the market involves “phishing” scams. In a phishing scam, the criminal attempts to obtain an account holder’s user name, password and any other necessary information to steal their identity. Account holders on the German registry were the first to be hit by a major phishing scam in January 2010. BBC News reported that the criminals involved with the scam obtained access codes for registry accounts through emails that led targeted account holders to forged websites asking them to input security codes. The criminals then accessed the registry accounts and sold the permits held in the accounts on Danish and British registries for $4 million.

The German incident triggered the European Commission to explore ways to improve security. In October 2010 the Commission issued a new directive to standardize and secure the system of registries. Ecosystem Marketplace reported that the directive called for long-term policy changes including a more consolidated registry system as well as short-term policy changes for upgrading the security systems on the registries. When hackers broke into the Czech registry this past January, however, the registry was one of 14 out of 30 that had not yet upgraded its security system. It was, in fact, set to upgrade its system within the week that the heist occurred.

Emerging and evolving markets, such as carbon trading, are most at risk to fraudulent tactics as both the implicit and explicit rules for operating those markets are less standardized. The market is maturing, however: $120 billion worth of emissions permits changed hands across the EU-ETS in 2009 according to the World Bank. Establishing rules for the market and implementing strong security measures will be crucial for the carbon market to continue to expand.

Possible Design and Security Improvements

More thorough trader account registration and tracking process

For both VAT fraud and phishing scams, criminals must set up trader accounts on the EU-ETS before executing fraud. The European Commission will no doubt be taking measures to improve the vetting process for creating accounts. Making certain information available to traders regarding the experience and reputation of other traders may also help increase security by empowering buyers and sellers to make safer decisions about who to engage in trading.

Near real time recording on EC’s Community Independent Transaction Log

The current transaction monitoring system setup across registries only allows transaction history to be checked manually on pieces of paper. Because of the trouble involved with such a system, traders rarely take heed of the risk that they may be handling stolen permits. The European Commission’s October 2010 Directive includes in Article 4 to “establish the European Union Transaction Log (EUTL) in the form of a standardised electronic database”.

Stronger IT security for all stakeholders

Among other security measures, the Czech registry was in the process of installing a system that required traders to enter a secondary, randomly-generated, password sent to the trader via mobile phone. The idea is similar to verification codes on the back of credit cards, and registries should adopt other security practices used by the finance industry such as using only registry websites for direct correspondence and trader email addresses only for sending notifications and trade confirmations.

A harmonized tax code dealing with carbon trading

The IEA released a report in 2010 mentioning specific areas that must be harmonized across linked markets including monitoring, reporting, and verification standards; offset provisions; auction floor prices; cost-containment reserves; and banking and borrowing. Tax codes dealing with the treatment of carbon permits could be added to the list.

How Would a Global Carbon Market Be Coordinated?

Tackling these issues requires skillful coordination between the linked markets. But if linked carbon markets grow to encompass more than just the EU, how will they be interconnected? Will these issues continue to be solved by an executive body such as the European Commission, or could they possibly be better solved by a deliberative body creating open standards from which the carbon trading platform is developed? Right now that is a very open-ended question.

Go to Source