Compliance Essentials News - June 2020
This month's key compliance news includes UK AML, an easyJet lawsuit, Covid frauds, the Monzo lockout, the Lundbeck appeal, a Honda cyberattack, a Lloyds fine, FS slavery awareness and more...
Our pick of the most informative compliance news this month
- AML checks evaded by 400,000 British companies
- EasyJet facing £18bn customer data breach lawsuit
- Honda global operations hit by cyberattack
- Covid-19 causes a spike in push payment fraud
- HMRC receives nearly 1,900 reports of furlough fraud
- Data breaches cost the US $1.2 trillion in 2019
- Monzo clients locked out of accounts during lockdown
- €94m fine for pay-for-delay deals backed by EU magistrate
- Half of working mums say lockdown childcare harmed career
- Financial sector modern slavery awareness 'worryingly low'
- Lloyds fined £64m for treating mortgage customers unfairly
- Working from home prompts a surge in whistleblowing
AML checks evaded by 400,00 British companies
New research, conducted by OpenDemocracy, has revealed that just under 400,000 British firms cannot, do not or will not say who controls them.
This comes after all UK companies were ordered to identify who controls them back in 2016, in an attempt to crackdown on money laundering through anonymously owned shell structures.
However, an independent analysis of filings at the UK's corporate registry, Companies House, shows that almost 10% of British companies are still not declaring who their beneficiaries are. This is often due to what many believe is a legal loophole which could facilitate corruption and tax evasion, and other crimes.
Introduced by David Cameron in 2013, all beneficiaries with a company stake of 25% or higher need to be named as "persons of significant control", in an attempt to tackle the "small minority" of firms that had "hidden their business dealings behind a complicated web of shell companies".
Unfortunately, it is precisely this 25% threshold, which is allowing almost 400,000 UK firms to leave their beneficiaries unidentified with no explanation, perfectly legally. A good number of British companies were also found to be illegally ignoring these requirements, and have faced little to no consequences as a result.
EasyJet facing £18bn customer data breach lawsuit
In May 2020, easyJet admitted that they had experienced a data breach back in January 2020 in which the personal data of approximately nine million global customers had been exposed. As soon as the breach occurred, the airline notified the UK’s Information Commissioner’s Office in a timely manner; however, they failed to inform any of their customers until four months later.
The personal data contained in the breach included full names, email addresses and travel data including booking dates, departure dates and arrival dates. The nature of this data breach is not only a gross invasion of privacy but may pose security risks to individuals involved.
International law firm PGMBM has now brought a class-action claim against easyJet which could see affected customers being awarded £2,000 each. Considering that the breach affected nine million people worldwide, easyJet could be facing a maximum pay-out of £18 billion.
- Don't conceal or cover up data losses or breaches - report mistakes and violations promptly, so that you can limit the damage caused as a result
- Notify all affected individuals when there is a high risk to their rights and freedoms - e.g. the possibility of identity theft or emotional distress
- Report any security concerns or breaches immediately - the longer you leave it, the worse the consequences could be!
Honda global operations hit by cyberattack
Honda has publicly announced that it is dealing with the impact of a cyberattack which has affected its global operations, interfering with its employees' ability to send emails, access computer servers, and make use of internal systems.
The Japanese car-maker claimed that one of its internal servers was attacked externally, and that "the virus had spread" throughout its network.
As a result, work at the UK Honda plant has come to a standstill, while operations in Japan, Turkey, Italy and North America have been suspended.
While Honda failed to provide any further details about the attack, cybersecurity experts have said that this looks a lot like a ransomware attack. This means that attackers may have locked Honda out of some of its IT systems, encrypted company data, or both.
According to Morgan Wright, chief security advisor at security company Sentinel One, "It looks like a case of Ekans ransomware being used... designed to attack industrial control systems networks. The fact that Honda has put production on hold and sent factory workers home points to disruption of their manufacturing systems."
Honda, which employs almost 220,000 people, is insisting that no data has been breached and has stated that "at this point, we see minimal business impact".
- Always be vigilant - remember that having access to corporate networks and data makes you a target for cyber-criminals
- Treat all unsolicited or unexpected requests with caution - make sure that you challenge anything that is unusual or suspicious
- Build strong relationships with the people around you to support each other and instill positive cybersecurity habits
- Be constantly aware and think about cybersecurity in everything that you do - a single lapse of judgement can have disastrous consequences
Covid-19 causes a spike in push payment fraud
The Covid-19 pandemic has presented opportunistic fraudsters with an inviting opportunity to defraud firms at a time when money is tight, resources and attention are focused elsewhere, key staff are working remotely, and financial controls are under tremendous pressure.
One of the most straightforward yet highly effective methods currently being exploited by financial criminals during this crisis is push payment fraud. To take place, fraudsters need to conduct research which will enable them to identify two companies that have a current trading relationship. They will then be able to use the information obtained to convince an employee from one company to transfer funds to their account, under the guise of the second company.
Once transferred, the funds are immediately spread out via a series of separate transactions into multiple separate accounts, which will be withdrawn by the fraudsters soon after. Once that happens, it will be highly unlikely that these funds will ever be recovered. With a number of multi-million-dollar push payment frauds taking place during the pandemic, it is no secret how devastating the results can be.
HMRC receives nearly 1,900 reports of furlough fraud
According to HMRC's most recent figures, there have been close to 1,900 reports to its digital reporting service of fraudulent use of its furlough scheme.
The total number of employees placed on furlough since HMRC's scheme began is now round 8.7 million, spanning around 1.1 million UK employers, according to Treasury statistics.
A HMRC spokesperson stated that employers who make fraudulent claims for furlough limit the government’s “ability to support people and deprive public services of essential funding”.
“We’d ask anyone concerned their employer might be abusing the scheme to please contact us. It could be that you’re not being paid what you’re entitled to, they might be asking you to work while you’re on furlough, or they may have claimed for times when you were working.”
“These reports are just one way that HMRC identifies fraud. Claims are checked and payments may be withheld or need to be repaid if the claim is based on dishonest or inaccurate information. We won’t hesitate to take criminal action against the most serious cases.”
Anyone who needs to make a report should do so via HMRC's anonymous online reporting service, since they have had to temporarily stop taking reports over the phone.
Data breaches cost the US $1.2 trillion in 2019
According to the latest research from ForgeRock, over five billion records were exposed by cybercriminals in 2019, costing US firms over $1.2 trillion, a steep rise from $654 million in 2018.
ForgeRock's research shows that healthcare was the industry most frequently targeted in 2019, with 382 breaches costing a total of $2.45 billion. However, it was tech firms which lost the most personal data, with breaches exposing 1.37 billion records at a cost of over $250 billion.
Unauthorized access was by far the most common type of attack (40%), followed by malware such as ransomware (15%) and phishing (14%). 98% of these attacks were targeted at personally identifiable information (PII), with social security numbers being the most commonly targeted type of data.
So far in 2020, the number of records breached is once again on the rise, however the total number of data breaches has fallen significantly.
Monzo clients locked out of accounts during lockdown
Hundreds of Monzo customers, the UK's fastest growing bank, say that the online bank has inexplicably frozen their accounts, leaving them unable to access their money at the height of the Covid-19 lockdown. Some victims are claiming that they are unable to afford rent and basic human needs, while those who had their business account frozen say they are currently unable to pay their suppliers.
Alarmingly, this is not the first time that Monzo has been criticised for its brutal account freezing practices. In January 2020, there was an unusually high number of Monzo customers reporting being locked out of their accounts for no reason, but this issue has increased dramatically since the start of the Covid-19 pandemic.
Monzo makes use of automated systems to track its 4.3 million customers’ transactions, and claims it has "returned millions of pounds to victims of fraud" through investigating suspicious account activity. However, many customers caught by Monzo's automated systems have claimed the only unusual activity they are aware of were desperately needed payments sent to the self-employed by HMRC, or universal credit claims.
€94m fine for pay-for-delay deals backed by EU magistrate
An adviser to the European Court of Justice, Juliane Kokott, has stated that the ECJ should reject a pharmaceutical company’s challenge to a €94m fine for paying to delay the sale of generic drugs, claiming that this is an outright violation of EU competition law.
The fine was handed out to Danish pharmaceutical company, Lundbeck, after they were caught paying other drug manufacturers to hold back from releasing generic versions of citalopram, a popular antidepressant.
Kokott explained to the court that by suppressing the potentially competitive nature of the companies involved, they were all in direct violation of EU competition regulations. “The fact that a generic manufacturer does not yet have [a marketing authorization] for its product in a given state does not preclude the existence of potential competition,” she wrote.
Lundbeck already lost an appeal to the penalty in the EU’s lower court back in 2016, which is why it has now been brought before the ECJ.
- Never act in a way that restricts competition in any market where your Company has a dominant position - such as through pay-for-delay deals
- Never discuss future pricing plans and promotions with competitors or suppliers, or discuss RRPs with retailers
- Don't discuss or enter agreements with competitors regarding prices, margins, market shares or production volumes
- Report any suspicion or violation of competition law immediately - this is vital as under leniency rules the first to report to the authorities can escape prosecution
Half of working mums say lockdown childcare harmed career
Over 50% of working mums believe that increased childcare responsibilities during the Covid-19 pandemic have damaged their career prospects or are very likely to tarnish them in future, according to the latest reports. These results come from a poll of nearly 3,700 pregnant women and mothers, which also revealed that almost 80% of them found it hard to keep up with both childcare and paid work during the lockdown.
An additional 25% claimed that their employers hadn't offered them enough flexibility to carry out their jobs while providing childcare. And as nurseries and schools began to reopen, nearly 50% admitted that they felt forced to send their children back, just so that they would be able to focus on their career.
This poll comes, however, as the UK government announced it is dropping its original plan for primary schools to reopen before the end of the term. While this move was widely applauded by teachers around the UK, many are raising serious concerns about the additional pressures this will cause for working mums.
“Women are more likely than men to lose their jobs in the impending recession, and yet, for a quarter of working mothers, their employer has refused to give them the flexibility they need,” said Joeli Brearley, founder of the charity, Pregnant Then Screwed. “This has resulted in women being pushed into unpaid leave, sick pay or furloughed as a direct result of having children. It’s no wonder working mothers aren’t thinking positively about their future careers.”
Financial sector modern slavery awareness 'worryingly low'
A poll of UK financial sector workers found “worryingly low levels of awareness of the risks relating to modern slavery”. In fact, 39% of the senior staff polled did not even believe that modern slavery takes place in the UK.
A mere 39% of employees thought their company had a policy in place to manage modern slavery risks, while 33% did not know whether there was one, and 29% believed their firm did not have one at all.
According to the latest statistics, forced labour turns over approximately $150bn each year for organised criminals, with a good deal of these profits flowing through the UK's financial institutions. In 2019 alone, the National Referral Mechanism recorded a total of 10,627 potential modern slavery victims.
Under the UK's Modern Slavery Act, companies which turn over more than £36 million are required to report what steps they have taken to eliminate the risk of modern slavery from their supply chains. However, these results show that more needs to be done to drive change throughout the financial sector.
- Implement a transparent modern slavery policy - and ensure that all staff are aware of it
- Raise awareness of modern slavery among suppliers and third parties - encourage them to sign up to your Code of Conduct and insist on clauses in their contracts
- Conduct due diligence checks on all workers, agencies, suppliers and third parties before engagement - it's vital you know exactly who you are dealing with
Lloyds fined £64m for treating mortgage customers unfairly
Lloyds Banking Group has been handed a fine of £64m by the City watchdog for its unfair treatment of mortgage customers who fell into financial difficulty.
The penalty relates to Lloyds’ mishandling of over 526,000 mortgage customers between 2011 and 2015, who have since received £300m in reimbursements. The FCA reached the conclusion that while Lloyds identified the problem as early as 2011, it ultimately “failed to fully rectify the issues”.
Problems were traced back to the way in which Lloyds collected information about mortgage customers who were finding payments challenging or were falling behind. This collection process was found to provide call handlers with too little information to appropriately assess customers’ circumstances.
What's more, call handlers had the ability to approve particular payment arrangements which would have been better signed off by more senior employees. This all led to a less than flexible environment, where call handlers could have failed to negotiate suitable payment arrangements for the bank's customers.
Working from home prompts a surge in whistleblowing
When it comes to Covid-19, it seems it's not all bad news, since the pandemic has brought with it a significant increase in whistleblowing reports.
The Wall Street Journal (WSJ) reports Steve Pekin, co-director of the US Securities and Exchange Commission (SEC) enforcement division saying that the SEC received around 4,000 tips and complaints about possible corporate wrongdoings between March and May 2020, which was 35% higher than in the same period in 2019. Many of the tip offs were COVID-19 related, but many others were related to traditional areas of compliance.
A lawyer advising whistleblower clients opined to the WSJ that since employees have more time, and they don’t have to go see their bosses, they may feel a bit more emboldened to blow the whistle.
The economic downturn following the COVID-19 pandemic is also likely a factor in the increase in calls and reports to whistleblowing hotlines. Worries about business survival or company failures can often lead to wrongdoing, and anti-corruption organisations are warning that the current economic climate is ripe for bribery.
However, this surge in whistleblowing reports may also be due to the SEC giving out a record number of whistleblowing awards – over $64 million was paid out to whistleblowers since the fiscal year which began in October 2019.
Looking for more compliance insights?
Skillcast has partnered with YouGov to conduct primary research into compliance issues, attitudes and risk perceptions in the UK workplace to produce a series of Insights Blogs.
We also have 50+ free compliance training aids, including a selection of desk-aids, eBooks, guides, handouts, posters, training presentations and even free e-learning modules!
And why not subscribe to our Compliance Bulletin which delivers a round-up email of all of this month's best practices, expert opinions, industry insights, key trends in regulatory compliance training, digital learning, EdTech and RegTech news.