The Vinci code: fake news press releases

It's a familiar pattern to anyone who follows compliance news: a public company announces a financial restatement due to accounting irregularities, fires its CFO, expresses an appropriate level of shock and horror, and issues an internal probe to see what happened, all while riding out the inevitable drop in share price and consideration by authorities over whether the matter merits criminal charges. Except, of course, in the case of French construction firm Vinci (pronounced Vancey), that’s not what happened at all. Itself the victim of a fake news release sent to Bloomberg, the company's resulting (and undeserved) turmoil has instead lead to the Autorité des Marchés Financiers (AMF) investigating the case to determine how other companies can avoid Vinci's fate. Or, as the AMF’s release said with modesty: “at the very least how their market consequences might be limited.”

Recently, the AMF has reported progress on the changes it was recommending following the case of the fake press release. But before we look at that, let’s review the story. On 22 November last year, shares in €35 billion French construction firm Vinci dropped by almost 20 percent after a fake press release was posted on Bloomberg as well as other financial sites claiming that company had sacked its CFO, Christian Labeyrie, and would be restating its profits from 2015 and the first half of 2016. The press release, which claimed to be from Vinci, was released a few minutes after 4.00 p.m. Paris time. The fake release claimed that the restatements had come from an internal audit that had found accounting irregularities. Ironically, the release also said that the company had informed the AMF of the misstatements and that net losses should have been booked for both periods amounting to €3.5 billion.

Vinci officially denies the dismissal of Christian Labeyrie. We express our indignation towards such practices and inform that the group and Christian Labeyrie will file a complaint against the persons responsible for these acts.
Vinci Corporate Communications

Less than half an hour later, Vinci’s actual press office released an official statement, denying the content of the hoax release, adding that it had been sent by a fake member of its communications team. The statement said: “A fake press release was published today by Bloomberg at 4.05 PM. VINCI denies formally all the information contained in this fake press release and is investigating all legal actions in furtherance thereof.” French press reports allege that the hoaxers sent out a denial of the news shortly after the first hoax release came out, making it even harder for officials at Vinci to combat the allegations.

The share price recovered quickly, though not completely, and registered a loss for the day, ending trade down roughly 4 percent, though on the following day shares gained another 1.5 percent early in the morning.

In its reporting of the story, the Financial Times referred to three other similar fake financial news incidents, though these all resulted in the stock price increasing. Early in November last year, Fitbit had to deny an offer to take it over from a Chinese fund. In May last year, Avon Products was targeted with a similar takeover hoax, and back in 2012, a fake news release purported to announce that Google was going to buy wireless internet provider ICOA. Then again, if the FT can only come up with three other examples in the last five years, fake financial news is not common, but Vinci proved that it can be damaging.

AMF spokeswoman Florence Gaubert said, in response to requests about further investigations and whether the perpetrator or perpetrators had been identified, that the AMF does not comment on current investigations. So, no culprit has been found yet.

As well as trying to determine responsibility for the incident, the AMF focused potential reforms on:

the various mechanisms used by issuers to disseminate information (primary information providers authorised by the AMF, the press, other channels, etc.) and certain arrangements put in place in other countries to study the tightening of best practice by issuers

checks carried out on information disseminated and, in particular, those carried out by Euronext and by the various media (information providers, etc.)

the calibration of “safety mechanisms” designed to automatically halt trading in a share if its price varies excessively

Discussions took place with: “news agencies, SBF 120 companies, and their representatives (CLIFF, the French association of financial communication professionals), information providers authorised by the AMF, the market operator Euronext, and a number of European regulators.” Safety plans’ robustness and action plans were of particular interest.

AMF best practice recommendations for issuers

raise awareness internally, among staff involved in managing the dissemination of regulated information, of a potential reoccurrence
simultaneously send all press releases issued to news agencies to primary information providers
communicate as far as possible outside trading hours, though without ruling out any communication during trading hours that might be essential in light of the Market Abuse Regulation
put in place reliable procedures that ensure secure transmission and access, notably via an information provider (subject to strict management of the access codes used to send press releases to that information provider), and tighten security for electronic transmissions for those issuers who wish to retain an additional communication channel for certain players (analysts, investors, the media, journalists, etc.)
put in place monitoring arrangements to identify domain names similar to that of the issuer, detect bogus websites, prevent their websites from being duplicated, etc.
draw up and maintain an up-to-date emergency procedure allowing for a rapid response (individuals involved, decision process, ‘standard’ denial press release, familiarity with contacts at the AMF and Euronext, etc.)
keep abreast of new methods of hacking, identity theft, etc., and adapt their arrangements accordingly
Source: AMF

The AMF also initiated discussions with each of the primary information providers authorised by it to assess the robustness of their safety systems and, where it deemed necessary, to ask them to put in place action plans.  

The AMF notes that financial communications are covered by two EU regulations, the Transparency Directive and MAR, the regulation on market abuse. The Transparency Directive says: “Regulated information shall be communicated to the media in a manner which ensures the security of the communication, minimises the risk of data corruption and unauthorised access, and provides certainty as to the source of the regulated information.” MAR says: "Inside information is communicated, directly or through a third party, to the media which are reasonably relied upon by the public to ensure its effective dissemination. That communication shall be transmitted using electronic means that ensure that the completeness, integrity, and confidentiality of the information is maintained during the transmission […].”

It recommended that companies, news agencies ,and journalists all tighten up best practices, to include:

keeping abreast of all new possible methods of identity theft and hacking and adapting their organisational structures accordingly

checking the domain name and syntax of the e-mail address from which the information is sent

checking for certification of the issuer’s e-mail, where such a procedure has been put in place by the issuer

checking the information with information providers authorised by the AMF

A list was published on AMF’s website of the primary information providers used by companies on Euronext. It’s a short list, with only five news services. 

The AMF also asked Euronext whether changes to its safety mechanisms could help limit the impact on the French market of such incidents, focusing discussion on the current level of static thresholds used in “circuit breakers”(when a stock halts trading) and the resumption procedure. Gaubert confirmed this, saying: “Euronext is currently considering making changes and has submitted proposals to the College of regulators (Paris, Brussels, Amsterdam, Lisbon). Those changes might include a review of the level of the static threshold for the CAC 40 stocks and a sufficient minimum reservation period for French shares to allow stakeholders to assess the situation.”

It was noted that the current circuit breaker for companies in the CAC 40 is set by Euronext at 10 percent and that it worked as expected when the Vinci incident occurred. “During the trading session on 22 November,” noted the release, “Vinci shares were subject to three reservations: twice when the share price fell and once when it rose after the issuer released its denial.”