Carbon Credits Disappear Into Thin Air
(WAC NJ) Just before lunch one Tuesday in mid-January, the public address system at Jiri Stastny’s office in Prague ordered all employees to evacuate: someone had called in a bomb threat. Police crawled over the building for more than three hours. Officers conducted a sweep of the seventh-floor offices of OTE, the company of which Mr Stastny is director that manages the Czech Republic’s part of the European Union’s greenhouse gas emissions trading system. Nothing seemed amiss. The first indication of trouble came just after 7am the next day. One of OTE’s clients called: thousands of its digitised carbon allowances, which had been stored at the Czech registry run by OTE, had gone missing.
The national registry is a sort of back office, where all the country’s state and commercial ETS allowances are held and trades are logged. Within an hour, Mr Stastny and his fellow executives realised the bomb threat had been an elaborate ruse. Computer hackers had used the distraction to pry into OTE’s registry and pilfer the allowances. With just a few strokes of the keyboard, those allowances could then be sold on the open market for millions of euros before anyone would have noticed.
“People watch thriller movies where diamonds and cash are taken out of the vault,” said Alan Svoboda of CEZ Group, a Czech energy company that lost 700,000 allowances with a market value of roughly €10m. “Here it was the same thing but with a very unlikely asset.”
The thefts at OTE were one of at least six attacks on operators of the EU emissions trading system across eastern and central Europe in the past three months. All told, cyberthieves swiped allowances worth more than €50m before panicked authorities in Brussels were forced to pull the plug and halt spot market trading.
Nominally, those losses may pale in comparison with the billions of dollars swiped by Bernard Madoff through his long-running Ponzi scheme and other swindles that accompanied the global financial crisis. Authorities are also quick to point out that many companies have continued to trade without incident using carbon futures contracts.
Still, more than three weeks after the suspension, only six of the 30 national registries that comprise the system have reopened for business. Traders say the market is now riven with distrust.
More broadly, the thefts have battered the credibility of the EU’s chief instrument in the fight against global warming. The emissions trading system is supposed to prod more than 11,000 industrial installations across the EU’s 27 member states – as well as Norway, Iceland and Liechtenstein – steadily to reduce emissions.
In basic terms, Europe’s cap-and-trade market sets an overall limit for emissions and then forces polluting companies to buy allowances to cover their excess. More efficient ones can sell unused allowances for cash or save them for the future.
European policymakers have touted the market – the world’s largest – as the focal point of a future series of linked international exchanges working to arrest warming. One trader calls it “a European solution to a global problem”.
Yet interviews with regulators, law enforcement officials and corporate executives suggest that – in the rush to prove the fledgling market could work – evidence was overlooked of security flaws enabling a new breed of criminal to mount increasingly audacious and sophisticated heists.
Connie Hedegaard, EU climate change commissioner, insists the market has not been discredited and that repairs are in hand. “You do not say the banking system is not working just because somebody robs a bank.”
She says the Commission wants to slow down the pace of trading in carbon markets in order to make the system less susceptible to cyber-thieves. Authorities believe the spot market’s quick execution aided the heists by allowing criminals to transfer allowances to other accounts and sell them for cash before their owners realised they had gone missing. In some cases, the stolen allowances appear to have passed through several accounts before law enforcement officials were eventually able to track them down. “I’m not a specialist in this, but I can just see that if we had a delay function then it might be less tempting to cheat on the system,” says Ms Hedegaard.
But some politicians and traders are still fuming that regulators failed to secure a market whose stated purpose is nothing less than saving the planet from global warming.
“It is absolutely the right policy for reducing emissions across Europe,” says Louis Redshaw, head of emissions trading at Barclays Capital, the market’s largest trader by volume. “What is frustrating is that bad implementation is allowing criminal elements to infiltrate the spot market. The carbon market is now in danger of seeing irreversible damage and a slide into disorder.”
Until recently, something as ephemeral as a carbon emission would have held little appeal for a thief. That changed in 2005, when the EU launched its carbon market with the goal of putting a price on emissions.
With the market facing criticism from industry and environmentalists alike, European policymakers took a measure of satisfaction when the value of allowances traded reached €90bn in 2009. Stavros Dimas, then environment commissioner, predicted the system would become a model for the US, China and others.
But even as EU leaders heralded the system’s success, criminals were infiltrating. Some of the ruses were simple. In Hungary, for instance, allowances that had already been used mysteriously found their way back into circulation.
Other ploys were more sophisticated. There have been dozens of arrests for elaborate tax fraud schemes involving the carbon market. The most common involved buying allowances in a country that does not impose value added tax and selling them in another with the cost of the VAT included. Rather than handing the tax money to authorities, fraudsters pocketed it and declared bankruptcy or went missing. Interpol has concluded that the carbon market scam cost governments as much as €5bn in lost tax revenue.
Such stunts were made possible, in part, by lax security. In some countries, such as Denmark, opening an account at the registry was easier than opening a bank account, according to traders. “You could open one tomorrow if you applied tonight,” says one.
Some banks, such as Barclays Capital, alerted authorities. They were worried about a proliferation of seemingly unreliable characters in the market, and put in place restrictions on those with whom their own traders could deal.
Still, there was little concern when the first emissions theft occurred in January 2010. It happened in Germany, where a trader fell prey to a “phishing” attack. Essentially, he was fooled – probably by a phoney e-mail – into supplying his login information.
Phishing is a common form of internet theft, and the verdict in the market was that victims were to blame for their carelessness. But the mood changed last November when a Romanian subsidiary of Holcim, a Swiss cement company, reported that someone had stolen 1.6m of its allowances.
“At first people thought it was another phishing attack,” said Olivia Hartridge of Morgan Stanley, who helped create the emissions trading system during a stint at the European Commission in Brussels. However, it soon became clear these criminals were far more sophisticated than that. “It was a whole other ball game,” Ms Hartridge says.
Having gained access to the registry by breaking into Holcim’s computer network, the thieves transferred allowances to accounts in Liechtenstein and Italy. Like an owner in search of a lost pet, Holcim posted the serial numbers of its missing allowances on the internet.
Panic set in as legitimate traders worried about the consequences of ending up with stolen allowances, and the risk of having to forfeit them without compensation. “If you get stuck with them, it’s very likely you will be losing face value,” says Trevor Sikorski of Barclays Capital. Even worse, market participants believed they could be unwittingly exposed to the risk of prosecution for crimes such as money laundering.
Morgan Stanley began demanding legal warrants stating that any allowances that it handled had come from original government auctions – and not third parties – before it would accept them. At Barclays Capital, officials decided in December to abandon the spot market, judging it too risky.
“The market largely stopped trading, even before they shut all the registries down,” Ms Hartridge says, “because no one could be sure they weren’t dealing with stolen goods.”
And yet the thefts kept coming, bolder and more daring. On January 10, a little more than a week before the Czech attack, hackers for the first time managed to break directly into a national registry – this time Austria’s – rather than just the computer of an account holder.
The thieves managed to spirit 488,141 allowances from the registry’s reserve to accounts in Liechtenstein and Sweden before authorities managed to freeze them. The audacity of the attack raised alarm in Brussels. Jos Delbeke, head of the Commission’s climate action directorate, was now convinced the system was under attack not by a lone hacker but by organised criminals.
In theory, the Commission has the best view into the system. It controls a sort of super-registry, known as the community independent trading log, with links to each of the 30 national registries and a record of every allowance by serial number.
Following the Austrian attack, Mr Delbeke set up an emergency group to liaise with member states and provide hourly updates.
But as with many EU matters, officials said there was little Brussels could do even in the unlikely event that they spotted a theft in progress. Without investigative authority of its own, EU officials can only respond to requests to national law enforcement authorities and Interpol. “Sometimes people would come to us and say: ‘My allowances are stolen.’ But they didn’t even have a police report,” one aide complains.
The Commission’s hands are further tied by carbon market rules that force it to keep individual transactions confidential for five years.
. . .
The decision to close the 30 national registries came after BlueNext, one of the market’s biggest exchanges, announced hours earlier that it was halting carbon spot trading across Europe.
The Commission’s impotence has its roots in the trading system’s birth nearly a decade ago, when member states insisted that they – and not the EU’s Brussels bureaucracy – should retain control of the registries.
Beyond the institutional rivalry that prompted this demand, there were practical reasons, too. As signatories to the Kyoto climate treaty, each of the EU’s members had made its own commitment to reduce its greenhouse gas emissions. Thus, some argued, it was sensible to maintain separate registries to log the transactions and manage the allowances that underpinned those commitments.
But the quality of security varied widely – creating weak points where the hackers have focused their attacks. Making matters worse, several cash-strapped governments in central and eastern Europe ignored a plea from Mr Delbeke last year to bolster their defences.
“Member states wanted to make their own decisions about what sort of system they had for users,” says Ms Hartridge. “But it’s clear that they have not kept up with how sophisticated hackers have become.”
It is possible the situation will improve next year when the Commission is set to open a central registry that it will oversee – an overhaul that was in the works even before the crime spree. Thanks to an opt-out clause, some member states may still decide to go it alone.
In the meantime, EU officials say no registry will be allowed to reopen until its security has been verified. “We cannot have the reputation of the emissions trading system damaged by organised crime,” insists Mr Delbeke.
Even a central registry, though, is no guarantee of safety. The best secured registries still fall well below routine bank security standards.
Better security will also not untangle the legal issues still plaguing the market. Back in Prague, for instance, Mr Svoboda says most of CEZ Group’s missing allowances have been tracked down but he suspects they are now held by people who have nothing to do with the initial theft.
His company believes OTE should be held responsible for any losses, although other market participants are unsure how claims of this sort would play out in the courts – particularly in a system that is subject to the laws of the 30 different member states. “Somewhere in the chain,” says Mr Svoboda, “the money is gone.”
View from the trading floor
Stolen certificates and suspended spot trading: the silver lining
Politically, the series of thefts that hit the European emissions trading system in January, along with the near shutdown in spot market trading for two weeks, has dealt a blow to a high-profile initiative, writes Philip Stafford
Markets, however, are able to see at least some positive aspects in the events. The thefts, according to trading houses and exchanges, are sign that the market is fast maturing.
The spot market accounts for about 10 per cent of the total. The rest consists of futures markets – which have remained unaffected and open. At about €14 a metric tonne, the ECX futures contract, the largest market, has changed little over the period.
“There’s no need to rush things,” says Henrik Hasselknippe of GreenX, an exchange owned by CME Group of the US. “The market can cope.”
Nonetheless, the confidence of some investors has been damaged. “Members are reluctant to trade because of the uncertainties caused by the stolen certificates and the registries,” says Toralf Michaelsen of EEX, a German exchange.
The closure of the registries had an unsettling effect. During the shutdown, the European Federation of Energy Traders warned that the suspension of the spot market would have serious effects on derivatives; it risked unbalancing the supply and demand of contracts.
There is general agreement that, in the short term, legal ownership of stolen permits that have crossed borders must be resolved.
In the longer term, the industry is calling for tighter regulation, a more centralised overview of the system and harmonisation of investor protection if permits are to be traded freely across the 30-country bloc.
Under the ETS, which accounts for 80 per cent of the global market, weighted average carbon prices increased by 6.6 per cent, from €13.6 per tonne of carbon dioxide in 2009 to €14.5 per tonne in 2010.
The value of permits traded on the market is forecast to rise this year by 15 per cent to €107bn ($136bn). Carbon permit allocations, which have been free, are expected to fall in 2013 when full auctioning is introduced.
Trading is dispersed between several venues, including ICE Futures Europe in London, owned by Intercontinental Exchange; Paris-based BlueNext, set up by NYSE Euronext; and EEX.