This month's round-up of key compliance news including Airbus bribery, Fender Europe and NBCUniversal competition fines, coronavirus, tax evasion, data breaches and more...
Our pick of compliance news this month
- Coronavirus (COVID19) and its impact on compliance
- More long lens blunders in Downing Street
- Airbus pays €3.6bn to settle bribery case
- Police warn of threat from "sleepers" in contract companies
- H&M apologises for "intimate" data breach
- 90% of all data breaches due to human error
- Fender Europe faces the music for RPM
- Millions for Minions: NBCUniversal fined €14.3m for anti-competitive behaviour
- HMRC crackdown on tax evasion
Coronavirus (COVID19) and its impact on compliance
Who'd have thought that the coronavirus - now officially declared a global health emergency by the World Health Organisation - would have such a far-reaching impact on businesses, especially on compliance? And this is just the beginning.
If you haven't done so yet, now is the time to consider what this means for your own organisation: check through your policies, ensure preparedness, road-test any contingency plans designed to cope with these types of risk, and make last-minute plans if you need to.
Top tips to help you prepare:
- Review all international business travel - what measures are currently in place to deal with employees travelling abroad (whether for business or personal trips)? Do you need to update them? Might you impose a ban on all travel to China or other affected areas?
- Prevent indirect discrimination - if you decide to impose a ban on all travel to China, how will you ensure those measures are legal, proportionate, and do not indirectly discriminate against people of Chinese origin, particularly anyone making personal trips?
- Think about how you'll manage returning travellers - will anyone returning from business trips abroad, especially in affected regions, need to be in quarantine (self-isolate)? If so, how will you manage this? For example, will you allow remote working? How will you ensure those returning from high-risk areas stay away from work so you can protect other employees and customers? What checks can you make on visitors who might have been in affected areas?
- Reinforce your zero-tolerance approach to harassment and discrimination - with reports of an increase in harassment and discrimination on the grounds of race, regularly remind everyone that unacceptable behaviour will not be tolerated and violations will be dealt with in line with your disciplinary policy.
- Look for vulnerabilities in your supply chain - e.g. are certain goods or services sourced from affected areas? Are you able to find alternatives? How might you handle any post received from affected areas?
- Keep up-to-date with official travel-related advice - e.g. by visiting the FCO website and checking advice of any specialist third parties. This will help you adequately prepare contingency plans and safeguard your team.
With hackers also exploiting fear of the coronavirus to send scam phishing emails purporting to come from the Centers for Disease Control and Prevention (CDC) and the World Health Organisation, vigilance isn't restricted to monitoring for symptoms. It's about so much more.
Our recent blog has a timeline and action points for employers and their employees.
Oops I did it again: More long lens blunders in Downing Street
A Government plan - this time for "permanent equivalence" - has been leaked, thanks to the long camera lens of a reporter in Downing Street who snapped a photo of a government briefing paper.
Haven't we been here before? Over the years, how many government dossiers have been carelessly allowed to be photographed this way? Some commentators claim that the leak in this case was intentional!
Yet again, this highlights the importance of information security on the move and in public places.
- Think about the security of paper as well as electronic records - don't leave documents unattended; shield them from view with a folder to prevent unauthorised access; collect them from printers and copiers promptly, etc.
- Take extra care with information security on the move - check over your shoulder to see who else can see your screen, avoid discussing anything confidential on your mobile in public spaces (e.g. a train, café, etc.), don't use unsecured WiFi to access your internal servers, etc.
- Protect personal as well as commercially-sensitive information - as there may be legal repercussions (e.g. data protection and market abuse).
Airbus pays €3.6bn to settle bribery case
Airbus has confirmed it will pay €3.6bn to settle a long-running investigation by French, UK and US authorities into bribery and corruption. This case was unprecedented in its scale and chutzpah. It is also controversial because Airbus was let off with a deferred prosecution agreement (DPA).
In 2012, a whistleblower alleged that Airbus's GPT subsidiary used gifts and bribes of over £14m to secure a contract to upgrade military communications in Saudi Arabia. In 2017, the French-based planemaker was also investigated over its use of middlemen and third-party consultants to secure airline sales. The subsidiary at the centre of the allegations has ceased trading.
- The case shines a spotlight on section 7 of the UK Bribery Act 2010 (UKBA) - Headquartered in France and registered in the Netherlands, Airbus admitted bribery and corruption outside of the UK and its "failure to put in place appropriate measures to prevent bribery". Would your own company meet the threshold? What control do you have over overseas subsidiaries? Do they get the same training as workers onshore?
- Conduct proportionate due diligence - What due diligence checks do you make on consultants, intermediaries and third parties? Are they adequate?
- Train employees to spot red flags - For example, gifts, hospitality, expenses, donations, etc? A consultant with no proven track record in the industry? Payments being made via a company registered in Brunei? The signs were all there once the authorities started looking. Or, as someone close to the investigation put it, "It's not sophisticated once found. It was in plain sight". (see next point)
- Don't try to bypass the rules - In this case, Airbus organised a 30-minute marketing or business presentation before hitting the golf course in order to get around hospitality rules.
- When you're in a hole, stop digging - Internal emails reveal the inner conflict employees faced in coming clean: "We know the truth I suspect, but is that what we are intending to inform UKEF?" It shouldn't be difficult to do the right thing.
- Compliance matters and needs to be integrated fully in all business processes - It must not be seen as something that merely stands in the way of making a profit. Dodgy payments flagged by compliance were brushed aside. An internal audit of the subsidiary at the centre of the corruption found "significant breaches of compliance policies" and projects that "performed poorly". Take note.
- It's about deeds, not words - Airbus had compliance programs, policies, committees, and astonishingly was even awarded a certificate for the design of its anti-bribery compliance program. But it was still not enough. Why? Was there a philosophy to get the business "at any cost"? Were senior managers setting a different example? It seems so.
- Ensure adequate oversight - Some committee members were involved in misconduct and concealed material facts about business partners' remuneration, beneficial owners, and the process by which intermediaries were found. Essentially, the unit was marking its own homework.
- "Tone from the top" matters - 63 of its top or senior management have left the company (31 were dismissed) in just five years. It looks like those good role models were in short supply.
Police warn of threat from "sleepers" in contract companies
Businesses are being warned by police to strengthen their internal controls, following a spike in physical security breaches.
As firms do everything in their power to make their IT networks impenetrable, organised crime gangs are turning their attention to low-tech methods: contract cleaning firms, painting and decorating companies, anyone in fact with out-of-hours access to a corporate building. Somewhere to plant "sleepers" and infiltrate networks.
- Conduct due diligence and vetting - before granting any third party access to your premises.
- Encourage your team to wear a security pass or ID at all times - so people can see at a glance who is authorised and who is not.
- Be vigilant - watch out for tailgaters, take extra care when entering access codes to a door or building in public areas, and don't assume that someone walking in with a colleague is necessarily with them.
- Create a challenge culture for unaccompanied visitors or unfamiliar faces - sure, it may be embarrassing and you may be reluctant to do this due to the bystander effect, but it's essential to safeguard the company.
- Conduct penetration testing - with red, blue and purple teams to assess any weaknesses in your defences and help mitigate the risk.
H&M apologises for "intimate" data breach
Swedish fashion brand H&M has apologised and is cooperating with Hamburg's data protection supervisory authority following rumours of a data protection breach by its H&M Customer Care Centre for Germany and Austria.
Managers allegedly sounded out employees about their intimate and private lives - everything from health issues (bladder problems, cancer diagnoses) to family disputes, bereavements, divorce, and holiday memories - logging the details as "comprehensive records of employees", which were then made available to all managers.
The likely fine will be announced in the coming weeks. Anyone care to guess what it will be?
- Meet the data protection principles, especially on data minimisation - what checks are made to ensure that the personal information you process about customers and employees is adequate, relevant and limited to what is necessary?
- Take extra care with special category data - H&M can expect a significant fine for its cavalier treatment of extremely sensitive personal information (e.g. health data).
- Watch out for informal notes and records - raise awareness with your team so they know what personal information they can and cannot record, even in informal notes.
- Check data retention policies and ensure oversight - consider how long personal information needs to be kept for and implement policies so anything beyond that date is automatically flagged; encourage your team to report anything that is no longer necessary
90% of all data breaches due to human error
People are still the weakest link when it comes to data breaches, according to an analysis by CybSafe of 2,376 cyber breaches reported to the Information Commissioner's Office in 2019.
90% of reported breaches were caused by human error - an increase on the previous two years.
What were the main issues? Phishing was the most common cause, accounting for almost half (45%) of all breaches, followed by unauthorised access. Malware, ransomware, hardware and software misconfiguration, and brute-force password attacks also featured prominently on the list.
While it's important not to get into a blame game, CEO Oz Alashe points out, "Staff can make a variety of mistakes that put their company's data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up."
- Assess the level of risk in your company - have you analysed the data on cyber breaches or near-misses? For example, do you know whether certain individuals, teams or business units are especially high-risk or more susceptible?
- Mitigate the risk - what measures should you implement to manage or reduce the risk? Consider training, awareness raising, etc.
- Keep security "top of mind" - do you provide regular reminders of data protection and security in team chats? Do you discuss recent cases in the news and any lessons to be learned?
- Create the right culture and "tone from the top" - do managers role-model and reinforce appropriate behaviours in relation to data security? Is the culture right - for example, is it reassuring and supportive towards anyone who makes a mistake, or is there a blame culture which may prevent people from admitting errors and speaking out in future?
- Appoint champions - do you provide 24/7 local support in teams through data champions or mentors, someone for individuals to reach out to for informal "on-the-spot" advice who'll stop them making accidental slip-ups and help improve their basic knowledge?
If you need to reboot your training, check out our GDPR course library.
Fender Europe faces the music for RPM
From Jimi Hendrix and Eric Clapton to Taylor Swift, Nile Rodgers and Oasis' Noel Gallagher, Fender is the guitar of choice for some of the world's most famous musicians, with limited edition models costing around £45,000.
But the firm has recently found itself in a "jam" of a different kind. Fender Europe, the UK arm of the legendary guitar manufacturer, has been fined £4.5m by the UK's Competition and Markets Authority (CMA) for illegal price fixing.
Between 2013 and 2018, Fender prevented online discounting of its guitars - meaning customers who shopped around online to find the best deal struggled as prices were roughly the same.
- Fender also pressurised retailers to raise online prices, when tip-offs were received about others not holding the line.
- Some employees deliberately concealed misconduct by recording as little as possible in writing. The company was fined £25,000 when a senior manager at its head office hid notebooks during a CMA inspection.
Andrea Coscelli, the CMA's chief executive, said, "Quite simply, this behaviour is against the law. The fact the CMA has imposed large fines on major musical instrument firms Casio and Fender in a matter of months should be a lesson to this industry and any other company considering illegal behaviour."
It's one of the largest fines ever imposed for resale price maintenance (RPM) and would have been £14.2m had the firm not admitted the offence under the CMA's leniency rules.
With three other cases ongoing at the CMA and prosecutions of Philips, Pioneer and other sound system manufacturers by the European Commission, the music industry is on notice to comply or face the music.
- Encourage your team to spot red flags and report potential misconduct quickly - as the first company to report the existence of a cartel or anti-competitive behaviour can escape prosecution under leniency rules. If you don't speak out, a rival will be only too happy for you to "take the rap".
- Prepare for dawn raids - are you confident that employees will know what to do and do the right thing in a CMA investigation? That there will be no shredding of evidence and no entering sealed rooms?
- Get the "tone from the top" right - here, a senior manager not only lied about the existence of notebooks, but also made a junior colleague take them home. Just one bad apple can undermine your entire compliance regime.
- Don't underestimate the far-reaching powers of the regulator - the CMA recovered emails and texts from IT servers to prove illegal behaviour. There is simply no place to hide.
Millions for Minions: NBCUniversal fined €14.3m for anti-competitive behaviour
NBCUniversal and other Comcast companies have been fined €14.3 million by the European Commission for illegally restricting traders from selling licensed merchandise within the EEA beyond those customers and territories allocated to them.
The investigation found, for example, that a department store in Spain couldn't sell ET pyjamas from a Belgian manufacturer because that manufacturer was banned from selling into Spain.
The restrictions affected hundreds of merchandising products from Minion school bags, to Shrek mugs, Jurassic Park toys and sweets, beginning in 2013 when NBCUniversal ramped up its licensing activities in Europe. It abruptly ended in September 2019 when, faced with the EC's investigation, it informed all its European licensees that the anti-competitive restrictions ceased to apply.
Since May 2017, firms including Guess, Nike and Sanrio have been fined €187 million for imposing similar cross-border trade barriers.
- Don't restrict consumer choice by engaging in anti-competitive behaviour - internet shopping should give consumers more choice, not less, to buy products cross-border.
- If you make a mistake, own it - NBCUniversal was granted a 30% reduction in the fine for cooperating fully, admitting the breach and providing evidence early on.
- Never discuss price, strategy, market share, territory or other commercially-sensitive information with rivals - as this is illegal.
- Be proactive - speak out if you witness any anti-competitive behaviour in meetings.
HMRC crackdown on tax evasion
HMRC has confirmed that it is investigating nine businesses - some of them major corporations - for failing to prevent tax evasion across many business sectors, including financial services, oil, construction and software development, with another 21 cases under review.
HMRC is stepping up its use of Corporate Criminal Offences (CCO) powers and has confirmed its intention to publish the number of live cases twice a year. CCO powers were introduced as part of the Criminal Finances Act 2017 and include two offences:
- Section 45: Failure to prevent facilitation of UK tax evasion
- Section 46: Failure to prevent facilitation of foreign tax evasion offences
So far, there have been no convictions under the legislation but HMRC's spokesman Simon York confirmed that the investigations are "ground-breaking", with prosecutions expected within two years. Companies may face unlimited fines, asset seizures, recovery of unpaid tax, and imprisonment for individuals, if found guilty.
Andrew Sackey from Pinsent Masons said, "HMRC has been quick out of the blocks, making extremely rapid progress in using these powers". He urged companies to check they have reasonable measures in place to prevent facilitation of tax evasion.
The announcement follows a global day of action into "suspected facilitation of offshore tax evasion" by the Joint Chiefs of Global Tax Enforcement (J5), across the UK, Canada, the US, Australia and the Netherlands.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!