Our pick of the most informative compliance news stories this month:
This month's round-up of key compliance news includes record data breach fines, ING money laundering, Microsoft bribery, vicarious liability and more...
- ICO gets tough: BA record £183m fine
- Hacked off? Marriott £100m fine
- Motor industry worker to pay £25k from data theft proceeds
- ING fined €350k for money laundering violations
- Seized supercars to go under hammer
- ESMA fines Regis-TR €56,000 for access failings
- Whisper it: FCA boss admits rules 'hard to understand'
- Chips are down: Qualcomm gets second EU antitrust fine
- Supermarket vicariously liable for sexual harassment
- Microsoft to pay $25.3 million to settle bribery case
Jetting off for summer? We're jealous, of course. But the past couple of weeks have shown that the holiday period is not always good news for airlines or travellers.
The Information Commissioner's Office has signalled its intention to fine British Airways a record £183 million (around 1.5% of its global turnover) over its data breach in 2018. This dwarfs the previous record fine of £500k handed to Facebook under the DPA by a considerable margin (367 times higher).
Last summer, when customers booked flights via the BA app or website, they were instead redirected to a fake website which harvested their personal data. It was reported by BA in September 2018.
As the Oxford University cyber-security expert, Andrew Dwyer, explains "The ICO fine shows how serious some of BA’s failings were with its payment processing both on its website and its app."
- BA had not updated critical software since 2012 long after flaws were discovered
- The time it took to discover the vulnerability (3 months) indicates a more fundamental IT governance failure
- The number of people affected and the impact of the breach also likely determined the size of the fine
In another first, the ICO acted as the lead supervisory authority on behalf of other EU data protection authorities whose citizens were also affected by the hack.
Elizabeth Denham, the Information Commissioner, said, "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
BA plans to appeal.
- Keep software up-to-date and download any patches immediately
- Cost-cutting is counterproductive - experts point out that instead of costing a few million to implement the right security, BA will now pay a nine-figure sum instead
- Ensure there is sufficient oversight and monitoring of the data landscape - any breaches must be notified within 72 hours
- Make sure there are appropriate technical or organisational measures in place to safeguard personal data
- Remember the ICO has the power to impose fines of up to 4% of global annual turnover -so maybe that fine is lenient after all!
Does this herald the start of a new era? A tougher stance from the UK regulator? Perhaps so.
Just a few days later, the ICO flexed its muscles again. This time by announcing that it intends to fine the hotel group Marriott International nearly £100m. The hotel group which owns W, Sheraton and Le Méridien experienced a 'colossal' hack in November 2018, resulting in the personal data of around 339 million guests being stolen:
- Around 30 million belonged to residents in 31 countries of the EEA
- 7 million related to UK residents
- The breach was discovered in September 2018 but investigations revealed the Starwood guest database had been compromised as far back as 2014
The ICO insisted that Marriott should have taken more action to secure its systems when it acquired Starwood in 2016.
The Information Commissioner said, "The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Marriott plans to appeal.
- What vulnerabilities do your own legacy systems conceal? Do you even know?
- Have you carried out sufficient due diligence on any acquisitions?
- Do you know what personal data you have acquired and where it is stored?
- Have you checked that it is still relevant?
- Are you relying on consent or some other lawful basis? Is it valid?
- Are you confident that personal data held by acquisition companies is adequately protected?
- Is there sufficient monitoring and oversight to detect any breaches?
- Can data subjects easily exercise their rights over this data? Are they even aware that you have it?
If you thought the UK data regulator was only interested in big business, think again.
A former employee of Nationwide Accident Repair Services (NARS) - an accident repair firm - has been ordered to pay £25,500 from the proceeds of data theft.
Back in November 2018, the worker was sentenced to six months' imprisonment for using his colleagues' login details to access customer data on vehicle repairs, despite moving to a new job at a different company.
At a court hearing, the judge said he benefited financially from the data theft and ordered him to hand over the proceeds.
- Check that there are adequate procedures in your firm to immediately remove leavers' login and access rights, securing any personal data assets
- Make sure company procedures are implemented right away when people leave your company or change jobs
- Review access frequently and keep it to a minimum, based on the 'need to know'
- Remind colleagues to never share logins with other people - they will be held accountable for what happens on their account
- Ensure adequate monitoring and oversight - so unauthorised access is quickly detected (remember that 72-hour deadline to report serious breaches!)
- If you detect unauthorised access on your system, investigate it fully
- Only access personal information if there is a legitimate 'need to know'
- Act responsibly - report any concerns you have
ING's Belgian unit has admitted money laundering violations and has been fined €350k by the National Bank of Belgium.
Between 2000 and 2013, the bank failed to follow money laundering rules and raise suspicious activity reports about a Russian customer, despite obvious red flags.
The unnamed client was allowed to make transactions of "hundreds of thousands of dollars" unchecked and the bank failed to carry out adequate due diligence.
Elsewhere, Nordic banks have joined forces in an attempt to combat money laundering, following successive scandals. Six banks - including Danske Bank, Swedbank, SEB, Handelsbanken, Nordea and DNB - are creating a new KYC Utility checking centre to pool knowledge and restore their battered reputations.
A seized collection of 25 supercars is being offered for auction without reserve by the State of Geneva, according to Bonhams.
The auction which is expected to raise €13 million is an impressive "roll-call of prestige and international marques" which includes Aston Martin, Bentley, Bugatti, Ferrari, Koenigsegg, Lamborghini, Maserati, Mercedes and Porsche.
Less impressive is the story behind them. They belonged to the Vice President and son of the President of Equatorial Guinea Teodoro (Teddy) Nguema Obiang Mangue and were seized in Switzerland in 2016.
The kleptocrat who was convicted in France of embezzling public money in 2017 has also been ordered by French and US authorities to hand over:
- High-end art
- $30 million mansion in Malibu
- Michael Jackson memorabilia
- Watches worth $15 million
- $10.3 million in cash
In 2014, the Department of Justice said the VP had used his position and influence to amass a personal fortune of $300 million despite being on a government salary of less than $100,000.
US Director of Immigration and Customs and Enforcement said at the time, "ICE remains steadfast in its resolve to combat foreign corruption when the spoils of these crimes come to our shores and we are committed to seeking justice and compensation for the often impoverished victims."
The Swiss court has ordered that the proceeds of the supercar sale be used for social programs in Equatorial Guinea, where 76% of its population live in poverty.
The European Securities and Markets Authority (ESMA) has fined Regis-TR, one of Europe's biggest trade repositories, €56,000 for failing to provide 'direct and immediate' access to details of derivatives contracts.
Regis-TR - a joint venture between Deutsche Boerse and the Madrid Bourse - was criticised for negligence in not implementing systems in time to meet the EMIR reporting obligation between February 2014 to October 2016, covering:
- 5% of its data on trade terminations
- 6% of its data on trade modifications
- 100% of its data on trade valuations
- 100% of its data on collateral updates
ESMA said, "This is a key requirement to improve transparency and facilitate the monitoring of systemic risks in the derivatives markets."
The investment rules are so complex that even the FCA's own staff sometimes have trouble understanding them.
That's not our belief. Rather, the surprising claim made by Charles Randell - the FCA's own chairman - at an bad-tempered APM on Wednesday when he responded to an investor challenging him about the regulatory perimeter.
The complex rules had led to investors being wrongly advised. Despite being authorised by the FCA, London Capital & Finance mini-bond products were in fact not covered by the Financial Services Compensation Scheme, leaving investors £235 million out of pocket.
The FCA also faced a grilling over its handling of other scandals, including:
- RBS's Global Restructuring Group
- Compensation for HSBC's credit card customers
- Complaints about Lloyds Bank's business support unit in Bristol
Andrew Bailey, the FCA's CEO, also accused Neil Woodford's fund of "following the letter, but not the spirit" of the rules in preventing investors from accessing their cash.
- The Senior Manager and Certification Regime (SMCR) was introduced in 2016 to hold individuals to account for misconduct but the FCA declined to say whether the new rules would have resulted in a better outcome in these cases
- The SMCR cannot be applied retrospectively to past misconduct
- Under the rules set out in the Client Assets Sourcebook firms have a duty to keep client money and assets safe
If you need help training staff, why not sign up for a demo of our FCA Compliance library.
The European Commission has fined chipmaker Qualcomm €242 million for its predatory pricing practices.
The case dates back to 2009 when Qualcomm held a dominant position in the market and enjoyed a market share of almost 60%.
While this is not illegal under EU antitrust rules, the European Commission said it abused that dominance by selling three of its chipsets at below cost to ZTE and Huawei in order to drive its closest competitor, Icera, out of the market.
EU Competition Commissioner Margrethe Vestager said, "Qualcomm's strategic behaviour prevented competition and innovation in this market, and limited the choice available to consumers in a sector with a huge demand and potential for innovative technologies."
The fine represents 1.27% of Qualcomm's 2018 turnover, according to a statement by the European Commission.
Qualcomm plans to appeal. The firm has also faced antitrust fines in the US, China, Korea and of the course previously in the EU.
- Never discuss commercially-sensitive information on prices, strategies, customers, territories, production or anything else with any of your competitors
- Make sure colleagues know what action to take at meetings and other industry events where rivals are present, to safeguard your reputation
- Encourage staff to report concerns or suspected collusion promptly - under leniency rules, the first to report a cartel can avoid prosecution
The supermarket chain J Sainsbury's had been found vicariously liable for the sexual harassment of one of its sales assistants by a colleague.
An employment tribunal in Leicester said that the retailer had not done enough to protect the employee from explicit sexual comments, including a threat of rape, made by a co-worker at work.
Judge Ahmed found that Sainsbury's had failed to provide training in respect of equality and harassment issues for its staff or managers and it was therefore liable.
The Judge said, "It is clear that those in managerial positions do not recognise the importance of referring inappropriate comments and behaviour through the correct channels where necessary."
The case follows an earlier incident last month where a Tesco supermarket worker was unfairly dismissed and managers were accused of not keeping an open mind. These cases illustrate the inherent challenges getting it right.
- What equality and harassment training do you arrange for workers and managers?
- Do you arrange refreshers? How often is this done?
- Do colleagues and managers feel confident about calling out harassment and know how to report concerns?
- What measures should you introduce - e.g. in relation to younger workers, social media, etc - to mitigate risk?
- How seriously do you take predatory managers in the wake of the #MeToo scandal? What more should you do to protect workers from potentially predatory managers?
The US Securities and Exchange Commission has confirmed that Microsoft has agreed to pay $25.3 million to settle claims that officials in four of its subsidiaries paid bribes to foreign government officials in Hungary and elsewhere to secure business.
The SEC disclosed that in Hungary bribes were funded using discounts on software licences, yielding $14.6 million in illegal profits from 2013 to 2015. A Turkish subsidiary also provided excessive discounts without recording the transaction and used them to fund further bribes. Meanwhile, in Thailand and Saudi Arabia a slush fund was used to fund illegal gifts and travel for government officials.
Microsoft President Brad Smith said, "We were deeply disappointed and embarrassed when we first learned about these events several years ago, and we hope that all of the steps we’ve since taken, including today’s settlement, send a strong message."