This month's round-up of key compliance news includes GDPR & property, data privacy, Apple sanctions violations, SMCR preparation, bribery, HMRC budgets, bank IT shutdowns & more
Our pick of key compliance stories this month
- Alarm bells ring for property firms after huge €14.5m GDPR fine
- When FOMO can lead to uh-oh...
- Taking a $467k bite out of Apple for sanctions violations
- Ericsson €1bn fine for bribery
- Something is fishy... corruption in Namibia's fishing industry
- CISI warns advisers are not ready for SM&CR
- Swamped HMRC struggles to follow up tip-offs
- NatWest: How the glitch (nearly) stole Christmas
Alarm bells ring for property firms after huge €14.5m GDPR fine
The UK's National Association of Estate Agents is warning firms to check their data collection, retention and disposal procedures after a huge fine was handed out for GDPR violations in Germany.
In a statement, it said, "Unfortunately, in supervisory practice, we often encounter data cemeteries such as those found at Deutsche Wohnen SE. The explosive nature of such misconduct is unfortunately only made aware to us when it has come to improper access to the mass hoarded data, for example in case of cyber-attacks. But even without such serious consequences, we are dealing with a blatant infringement of the principles of data protection."
According to the NAEA's website, it's the first-ever GDPR fine relating to a company's data retention schedule and the highest penalty yet for a property company. The association is warning UK agents that the Information Commissioner's Office may use this landmark case to set future fines.
Earlier this year, the ICO fined Parliament View £80k for failing to secure the personal and financial data of landlords and tenants. It looks like firms can expect stiffer fines post-GDPR.
- Aim for "privacy by design" from the start - by ensuring all policies and procedures deliver GDPR compliance and support the data protection principles.
- Train your team to comply with the storage limitation, data minimisation and other principles - which require us to keep personal data for 'no longer than is necessary for the purposes for which the personal data are processed', and ensure personal data is adequate, relevant and limited to what is necessary
- Arrange refreshers and reminders - to keep our data protection obligations "top of mind"
- Make appropriate disclosures - so people know what personal information we hold, how long for and they can check it is lawful
- Check your data retention policy is fit for purpose - e.g. are there different retention schedules for different categories of data, do you review the policy regularly, is it flexible allowing you to delete personal information early if it is no longer required, is personal data anonymised to safeguard it, etc?
- Put systems in place to oversee data retention schedules and archiving - to ensure that any redundant personal data is removed promptly (This may be part of your ‘information asset register’ or IAR.)
- Learn from others' mistakes - keep up-to-date with the latest cases and fines, wherever possible incorporating this into your GDPR training
When FOMO can lead to uh-oh...
A former social services assistant has been prosecuted for looking at personal information without authorisation.
Michelle Shipsey who worked for Dorset County Council was ordered to pay £700 costs, with a £20 victim surcharge, and sentenced to a 6-month conditional discharge for accessing the social care records of four individuals without a business reason.
Hazel Padmore, Head of Investigations at the ICO, said: "Although new to the role, [the worker] had undertaken both data protection and cybersecurity training and therefore was acutely aware of the responsibilities she had towards maintaining client confidentiality. Our successful prosecution of this individual sends a clear message, that we will take action against individuals who take it upon themselves to abuse their position of trust."
Curiosity or a Fear Of Missing Out (FOMO) could spell disaster for anyone who breaks the rules.
- Set the tone from the top - train your team to respect and comply with the data protection principles and individuals' rights whenever they handle people's personal data. Data privacy matters to us all, right?
- Raise awareness with your team - warn them of the dangers of accessing unauthorised information without a business reason so they know the risks and consequences
- Make it clear that individuals, as well as companies, can face sanctions for data protection violations - including fines, disciplinary action and dismissal
- Remember, curiosity or Fear Of Missing Out (FOMO) is no excuse for accessing personal information without a business reason
- Regularly check authorisations and permissions of your employees - to ensure that only those who require the specific personal information to do their job have access; encourage your team to report any access they no longer need
- Act quickly when people switch jobs, go on maternity leave, take a career break or exit your company altogether - to remove their access to your systems and information; this is vital to protect personal and also commercially-sensitive information
Taking a $467k bite out of Apple for sanctions violations
Apple Inc has agreed to pay $467,000 for violating US sanctions by dealing with a blacklisted entity.
In 2008, Apple entered into app development with SIS, d.o.o. (the Slovenian suffix for a limited company), whose owner Savo Stjepanovic was added to the List of Specially Designated Nationals and Blocked Persons (the SDN List) in February 2015 after suspected involvement in steroid trafficking.
On the same day, Apple ran its screening software against the list of app developer names but it failed to flag the blacklisted entity and continued hosting SIS apps in the App Store, even though the address matched that on the OFAC list. Why?
- Remarkably, due to inconsistent use of punctuation and upper and lower case letters across the two lists (the Apple system listed the firm as SIS, DOO instead of SIS, d.o.o. as in OFAC's list).
- Apple Inc's screening also failed to flag Stjepanovic, who was down as an "account administrator" rather than a "developer". (Only developers were screened at that time.)
The error came to light two years later in 2017 when Apple's sanctions software tool was upgraded.
By that time, Apple had made 47 payments in relation to SIS apps and collected $1.2 million from customers who downloaded them over the 54-month period.
The size of the fine is paltry for the $1 trillion tech firm, but this case illustrates how even companies with presumably the latest tech can be tripped up by basic admin errors.
Could this be the start of the predicted rise in sanctions from 2020?
- Keep your knowledge of US, EU and UK sanctions up-to-date - by regularly checking guidance issued by the Office of Foreign Assets Control (OFAC), the EU and UK government
- Understand the sanctions landscape - sanctions don't just apply to financial transactions and the freezing of assets. There can also be restrictions on the supply of services (such as giving advice) and trade (such as the supply of arms, diamonds, etc). New sanctions regimes - including Chemical Weapons and Cyber Attacks - have also recently been introduced.
- Conduct due diligence on third parties - in particular, agents, distributors, customers and suppliers that trade with or border sanctioned countries to assess exposure. Ignorance is no excuse. Don't just look at your customer but also your customer's customer when carrying out risk assessments. Who are the beneficial owners?
- Get a holistic view of your company's entire risk exposure - while most of your team should easily identify jurisdictions where sanctions apply, do they appreciate the risks of dealing with non-sanctioned countries that trade directly with them (such as China with North Korea) or share a border with them (such as Turkey and Iran)? Countries such as Iraq and UAE can also be used by entities to bypass sanctions. Do your front-line staff know how to manage this kind of exposure?
- Learn lessons from published violations and enforcement action - to better understand your compliance obligations, how violations occur (in this case, upper/lower case differences), how regulators will interpret your actions, and what remedial action to take
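The two gaps described above (a name that differs only in punctuation and case, and a role that was never put in scope for screening) are easy to reproduce and easy to close. The following is an added illustration, not Apple's or OFAC's code; the list entries, account records and addresses are constructed for the example, and the normalisation shown is a minimum, not a substitute for the fuzzy matching a real screening tool applies.

```python
import re
import unicodedata

# Constructed, illustrative list entries in the style of an SDN listing
# (not real OFAC data).
SDN_LIST = [
    {"name": "SIS, d.o.o.", "address": "Example Street 1, Ljubljana, Slovenia"},
    {"name": "Stjepanovic, Savo", "address": "Example Street 2, Ljubljana, Slovenia"},
]

# Constructed app-store account records. Note the punctuation/case differences
# and the "account administrator" role the page says was out of scope.
ACCOUNTS = [
    {"name": "SIS, DOO", "role": "developer",
     "address": "EXAMPLE STREET 1 LJUBLJANA SLOVENIA"},
    {"name": "SAVO STJEPANOVIC", "role": "account administrator",
     "address": "Example Street 2, Ljubljana, Slovenia"},
    {"name": "Harmless Apps Ltd", "role": "developer",
     "address": "Another Road 9, Ljubljana, Slovenia"},
]


def normalize(text):
    """Canonical comparison form: strip accents, case, punctuation and token order."""
    s = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"[.']", "", s)          # 'd.o.o.' -> 'doo', "O'Brien" -> 'obrien'
    s = re.sub(r"[^a-z0-9]+", " ", s)   # commas, hyphens etc. become separators
    return " ".join(sorted(s.split()))  # 'Last, First' now equals 'First Last'


def naive_exact_match(record_name):
    """The failure mode in the story: a byte-for-byte comparison misses 'SIS, DOO'."""
    return [e["name"] for e in SDN_LIST if e["name"] == record_name]


def screen_account(account, roles_in_scope=None):
    """Return [(listed_name, reasons)] hits. roles_in_scope=None screens every role."""
    if roles_in_scope is not None and account["role"] not in roles_in_scope:
        return []  # an out-of-scope role is never compared at all
    hits = []
    for entry in SDN_LIST:
        reasons = []
        if normalize(entry["name"]) == normalize(account["name"]):
            reasons.append("name")
        if normalize(entry["address"]) == normalize(account["address"]):
            reasons.append("address")  # a matching address alone still warrants review
        if reasons:
            hits.append((entry["name"], tuple(reasons)))
    return hits


def screen_all(accounts, roles_in_scope=None):
    """Map account name -> hits, for accounts that produced at least one hit."""
    results = {}
    for account in accounts:
        hits = screen_account(account, roles_in_scope)
        if hits:
            results[account["name"]] = hits
    return results


if __name__ == "__main__":
    print("exact match on 'SIS, DOO':", naive_exact_match("SIS, DOO"))
    print("developers only:", screen_all(ACCOUNTS, roles_in_scope={"developer"}))
    print("all roles:", screen_all(ACCOUNTS))
```

Running it shows the exact-string comparison returning nothing for "SIS, DOO", the developer-only pass catching the company but not its owner, and the all-roles pass catching both.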
Ericsson €1bn fine for bribery
Swedish telecoms company Ericsson has agreed to pay two US regulators over €1bn for a "years-long corruption campaign" and numerous bribes, slush funds and gifts across its operations.
It will pay the Securities and Exchange Commission (SEC) $540 million - the second biggest FCPA fine after Petrobras - and the US Department of Justice over $520 million, after paying bribes across five countries "to solidify its grip on the telecommunications business".
The Justice Department said, "Ericsson’s corrupt conduct involved high-level executives and spanned 17 years and at least five countries, all in a misguided effort to increase profits."
It had slush funds that were used to pay corrupt officials in Djibouti, China, Vietnam, Indonesia and Kuwait. Payments were made via agents and intermediaries, using fake invoices for non-existent consulting services.
In addition, the firm did not receive full credit for cooperating with the DOJ, having failed to disclose allegations of corruption regarding two matters. It was also late providing information requested by the regulator and failed to "take adequate disciplinary measures" against those involved.
U.S. Attorney Geoffrey S. Berman of the Southern District of New York said, "Ericsson conducted telecom business with the guiding principle that ‘money talks.’ Today’s guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated."
He could so easily be talking about this next case too...
Something is fishy... corruption in Namibia's fishing industry
If you've ever wondered why dealing with foreign government officials is so risky, then the answer surely lies in this "deep dive into the world of corruption".
Two Namibian government ministers - Bernhard Esau and Sacky Shanghala - have resigned after allegedly receiving millions of pounds in kickbacks from Icelandic fishing company Samherji in exchange for lucrative horse mackerel fishing rights.
It follows an investigation by Al Jazeera and RUV (Icelandic state TV) into corruption in Namibia's fishing industry after a cache of WikiLeaks documents dubbed the #FishRot Files was obtained from a whistleblower, the former MD of operations for the Icelandic company.
He claims that around $10m was paid via Norwegian DNB accounts to shell companies in tax havens - and to African officials and politicians masquerading as "consultancy fees".
The CEO of Samherji Thorsteinn Már Baldvinsson and Mike Nghipunya, CEO of Namibia's state-owned fishing company Fishcor, have both been suspended following the allegations.
All of those involved deny wrongdoing. *sigh*
- The "tone from the top" matters - it's imperative that senior managers are good role models and never undermine our anti-bribery and anti-corruption (ABAC) agenda
- Don't offer cash or anything of value to a foreign public official or anyone closely related to them - in this example, donations were made to a political campaign, an official received an iPhone, and cash payments were made in a sports bag. Development money and payments were also made via trusts and shell companies managed by close relatives and family members.
- Don't put profits before principles - don't buy the line that "We have to do it to compete" or "because our competitors will". Evidence shows that firms with poor anti-corruption ratings have just 5% higher sales growth and lower profitability. There is also a 28% higher chance of facing a scandal in the media. That boat has, er, already sailed for those implicated here.
- Don't ignore red flags - in this case, payments were made to third parties, shell companies and a number of intermediaries were involved, and payments were invoiced as "consultancy fees" although those involved appeared to perform no particular service
- Insist on difficult decisions being made in teams - this can reduce the impact of "bad apples", promote honest discussions, and create a better culture so our company's reputation does not hang on the choices made by one person acting alone in a difficult situation. Remember though that groupthink works best when there are positive role models and strong leaders around!
- Make no mistake, corruption is not a victimless crime - although it's a relatively affluent country, Namibia has the third-highest level of income inequality, with 500,000 citizens facing food insecurity and water shortages and a fifth of the population living in poverty.
- Champion your initiatives - and raise awareness on International Anti-corruption Day. It's every 9th December - did you miss it?
- Protect whistleblowers and provide safe channels for them to speak out - are you confident that employees would speak up if they witness wrongdoing? Would they be believed and supported, or discredited? Don't shoot the messenger; there can be a high price to pay for those who speak out so give them adequate protection when they make disclosures. They're on your side.
CISI warns advisers are not ready for SMCR
Done all of your Christmas shopping yet? If you're struggling to get everything ready for the festivities, then spare a thought for those who have also been preparing for the roll-out of the Senior Managers Certification Regime (SM&CR) on 9 December. Bit of a double whammy!
The regime which has already been implemented in the banking and insurance sectors is now being extended to solo-regulated firms.
But Jacqueline Lockie, the head of financial planning at the Chartered Institute for Securities and Investments (CISI) has warned that many firms are not prepared for SMCR.
She said, "Advisers are still underestimating the logistical issues in training staff under the new rules, the training must be individual for different groups of staff. It needs to be very specific and there are so many nuances", anticipating that some would still be grappling with the new rules beyond the deadline.
Commenting on its rollout in the banking sector, the FCA observed that many firms struggled to explain what a conduct risk looked like for their business and had not tailored the conduct rules to specific job roles.
Showing no sign of Christmas spirit, the regulator will also extend the SMCR rules to benchmark administrators following successive manipulation scandals which have so far seen fines of over £2bn.
If you need to turbocharge your SMCR implementation, then we've got you covered.
Alas, we can't offer you the same help with your Christmas shopping!
Swamped HMRC struggles to follow up tip-offs
HMRC must feel like Santa. It's facing a deluge of 5.7 million pieces of information relating to the offshore bank accounts of three million British citizens, but it doesn't have the resources to investigate tip-offs.
So instead, it's writing to UK investors named in those reports for financial information hoping to "nudge" them to do the right thing, according to tax consultancy BDO.
Following the Panama Papers scandal, the Common Reporting Standard was introduced by the Organisation for Economic Cooperation and Development (OECD) across the G20 to help jurisdictions see what assets citizens hold overseas in order to prevent tax evasion and avoidance.
The UK tax office issued 540 requests about UK taxpayers to offshore authorities last year, up 24% on the previous year, and has also sent letters to non-resident corporate landlords.
The clampdown is consistent with the "No Safe Havens" strategy - launched in March 2019 - which promises a more robust approach to offshore tax compliance.
In 2016/17 the cost of tax avoidance and evasion was £1.7bn and £5.3bn respectively.
Glad tidings we bring, to coin a phrase. The CRS is working. According to the OECD, it has led to a 24% drop in foreign-owned deposits being put in international financial centres.
OECD Secretary-General Angel Gurría said, "Thanks to international cooperation, tax authorities now have access to a huge trove of information that was previously beyond reach. Tax authorities are talking to each other and taxpayers are starting to understand that there's nowhere left to hide. The benefits to the tax system's fairness are enormous."
While any efforts to combat this are welcome, let's also hope the next government gets serious about tackling abuses by formation agents following further reports in the media about Formations House, 29 Harley Street where over 400,000 dodgy companies are registered. It's not going away anytime soon.
"A global web of businesses, banks and tax havens used by international crime gangs and fraudsters has been created by a family-owned company in Britain, an investigation has revealed." - The Times (@thetimes) on Twitter, December 4, 2019
- Provide information and regular training to all staff - ensure they know the rules and what they must do to comply (e.g. watching for red flags, conducting due diligence, and raising concerns)
- Know who poses a high risk of tax evasion - including entities with complex tax planning structures, difficulties establishing beneficial owners, customers with unsubstantiated sources of funds or wealth, and companies based (predominantly offshore) in jurisdictions with high levels of secrecy (e.g. Switzerland, Cayman Islands, and the US - e.g. South Dakota and Delaware). Tax advisory, legal and financial service firms are also considered high risk, along with those offering private wealth management.
- Conduct adequate due diligence and risk assessments - to ensure you are not conducting business with anyone who may be involved in tax evasion. This should be proportionate to the level of risk you face.
- Implement monitoring and screening processes to check customers' tax compliance status - remember, tax evasion doesn't just apply to companies or customers with links to offshore tax-havens. Non-US financial institutions are also obliged to check the tax status of US citizens under FATCA and foreign assets may be reported under the Common Reporting Standard.
- Know the difference between tax evasion and tax avoidance - The line may be blurred, but one is legal and the other is not. Tax avoidance is when a person or company legally exploits the tax system to reduce tax liabilities, such as ISA investments, whereas tax evasion is when a person or company escapes paying taxes illegally (e.g. by concealing the true state of their affairs to tax authorities).
- Report it - encourage your employees to report any knowledge or suspicion of tax evasion or other financial crime via your company's whistle-blowing hotline or any other reporting channels you may have.
NatWest: How the glitch (nearly) stole Christmas
Picture the scene. It's Black Friday. You've braved the traffic jams/queues/carol singers* (*delete as appropriate)… argh, only to be hit by an outage with your bank's online and mobile banking services.
Customers took to social media to complain about Black Friday being "ruined" after NatWest experienced an outage on one of the busiest shopping days of the year.
The bank apologised for the "intermittent problems" but, in fact, it could have happened to any one of us.
Just last month, research released by consumer group Which?, based on FCA data, found that major banks notched up 265 IT shutdowns between them from September 2018 to October 2019 - an average of 5 a week:
- 133 incidents related to internet banking, 111 to mobile banking and 90 to telephone banking
- RBS and Santander bank customers were worst affected, with 18 failures each
Suppose it's one way to avoid overspending on presents!
Which? is less understanding about people being locked out from their money and warns that with such fragile online systems, we're simply not ready to move to a cashless society yet.
Are you still here? While our always-on culture frequently admires and celebrates those who work excessive hours, burnouts and meltdowns are real. According to the Labour Force Survey, over 12.8 million working days are lost due to work-related stress, depression or anxiety.
So kick back, grab a beer, read a book, go to panto, binge a box set, whatever… All this will still be waiting when you get back. We all need a little downtime now and again. Taking time out is necessary and valuable.
Just watch what you say at those parties…
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!