In this first update of the year, we have for you an analysis of Google's GDPR fine as well as several other compliance developments and points to ponder.
This blog is dedicated to bringing you the news that touches the people dimension of regulatory compliance. It's not only about regulations, policies, procedures, and systems. We're trying to understand what leads individuals and companies to make errors of judgement, and in some cases, to act in brazen disregard of the rules - resulting in harsh consequences.
Here's the selection of news stories that we've found most informative. Select the links or scroll down for more details.
- Google fined €50 million for GDPR infringements. Which rule did it break?
- Lawyer jailed for money laundering
- Lawyer fined for failing to identify PEP
- Fed gets involved in the Danske Bank money laundering scandal
- Is whistleblowing the antidote to internal fraud?
- Santander branch closures spell bad news for everyone
- Divine intervention
Google fined €50 million for GDPR infringements. Which rule did it break?
Let's start with the big news of the month. On 21 January 2019, the Commission nationale de l'informatique et des libertés (CNIL), France's data protection regulatory authority, fined Google a record fifty million (50,000,000) euros - the largest and most high-profile fine for violation of the General Data Protection Regulation (GDPR).
Although the size of this fine is eye-catching, what's more interesting for us is what exactly it is for and what other companies can learn from it for their own GDPR compliance.
The fine was purportedly for Google's lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. The CNIL pointed out three key breaches:
1. Breach of the Right to be informed
The GDPR specifies eight individual rights of which the first is the data subjects' right to be informed about the essential details of the data processing.
The CNIL noted that Google had dispersed essential information, such as the categories of personal data, the purpose of the processing, and the storage periods for data used for ads personalisation, across several web pages, so that a user would have to click through several links to get all the information. On this basis, the CNIL concluded that the information was not easily accessible.
2. Lack of transparency
The first of the six principles of the GDPR is Lawfulness, Fairness and Transparency. Companies need to be clear, open, and honest with people about how they will use their personal data.
But the CNIL found that the information Google provided was not always clear or comprehensive, making it difficult or impossible for users to understand the content.
3. Invalid consent
Under the GDPR, consent, if chosen as a lawful basis, must be 'informed', 'freely given', 'unambiguous', and 'specific'.
Google states that it relies on consent as the lawful basis for ads personalisation, but the consent it had obtained was neither “specific” nor “unambiguous”, nor was it sufficiently 'informed'. For instance, the “I agree with Google’s terms of service” tick-box was presented to users ahead of boxes with more detailed options.
Lawyer jailed for money laundering
Solicitor Ross McKay has been jailed for seven years for three money laundering offences.
An investigation by Greater Manchester Police's Economic Crime Unit (Operation Isidor) found he helped a criminal group launder the proceeds of crime, including tax evasion and mortgage fraud, by providing conveyancing for at least 80 property transactions, disguising the true source of funds and wildly exaggerating income to secure the loans.
Adrian Ladkin of GMP's Economic Crime Unit said, "McKay was fully aware that the purpose of the transactions was to launder criminal proceeds and he was deliberately dishonest in facilitating them. As a solicitor, McKay was in a position of trust, but he spectacularly failed in his legal duties through his corrupt and unlawful actions."
Lawyer fined for failing to identify PEP
Khalid Mohammed Sharif, a lawyer and partner at Child & Child, has been fined £45,000 by the Solicitors Disciplinary Tribunal (SDT) for failing to conduct adequate due diligence on wealthy clients and not identifying politically exposed persons (PEPs) in accordance with the Money Laundering Regulations.
The Solicitors Regulation Authority said Sharif, who was also a Money Laundering Reporting Officer, didn't do anything to establish whether clients were politically exposed persons, despite being instructed in the purchase of flats in Knightsbridge worth £60m on his clients' behalf.
Clients' PEP status continued to go unnoticed despite source of funds checks on deposits of £14m, and again when Child & Child allegedly assisted the same clients - thought to be related to the president of Azerbaijan - by instructing Mossack Fonseca, the law firm at the centre of the Panama Papers breach, to set up a company in the British Virgin Islands on their behalf.
Sharif was also ordered to pay £40,000 in costs but has not been struck off.
Fed gets involved in the Danske Bank money laundering scandal
As the investigation into suspected $230 billion of money laundering at Danske Bank intensifies, the US Federal Reserve has started probing Deutsche Bank's role in this scandal. The regulator is looking at whether the bank's US operations did enough to scrutinise clients and transactions from Danske's Estonian branch after the Danske whistleblower implicated the German bank in evidence.
Meanwhile, Deutsche Bank's CEO Christian Sewing confirmed it was re-examining the bank's role as a correspondent bank for Danske, but has found no evidence of wrongdoing yet. Still, the probe illustrates the compliance risks in an interconnected world of financial services.
Is whistleblowing the antidote to internal fraud?
- Patisserie Valerie is left battling after uncovering £40m internal fraud.
- DJI, one of the world's biggest drone makers, has confirmed it faces a loss of $150m after it unearthed fraud involving up to 45 workers who overinflated parts costs for personal gain.
Internal fraud is a widespread problem as the two cases above illustrate. One prevention measure that is gaining popularity to fight internal fraud is whistleblowing, i.e. channels for employees to submit confidential and anonymous reports of misconduct. Research shows that whistleblowing is far more effective at uncovering fraud than audits. "While professional auditors were only able to detect 19% of the frauds on private corporations, whistleblowers exposed 43%."
Santander branch closures spell bad news for everyone
Santander has announced that it is closing a fifth of its UK branches, citing changes in the way we bank as the reason for the closures. Over the last three years, digital transactions have risen 99% while in-branch transactions have dropped 23%. However, this news is bad not only for staff but also for vulnerable consumers. According to the UK Government's Digital Inclusion Strategy, 10% of adults have never used the internet and the same number (10%) have no internet access.
While there is no doubt about the benefits of the 24/7 flexibility that technology offers, the Financial Conduct Authority requires financial institutions to continue to meet the needs of people who are vulnerable, in line with the Treating Customers Fairly principle.
Divine intervention
Money laundering at domestic and foreign banks was also weighing heavily on Felix Hufeld, the president of German regulator BaFin, when he made his New Year address.
As he urged financial institutions to ensure that they had appropriate systems to combat money laundering in a speech in Frankfurt, he said, "Money laundering prevention is an urgent priority, and I would like it to be evident from the way that all institutions conduct business that it is a very high priority for them, too. True to the phrase in the Bible: 'You will know them by what they do.'"