Compliance Essentials News - May 2020
This month's round-up of key compliance news includes easyJet data breach, Covid-19, tax evasion, pharma price-fixing, SwedBank money laundering, Commerzbank and more.
Our pick of the most informative compliance news this month
- Cyberattack exposes details of 9m easyJet customers
- Covid-19 causes spike in compliance risks
- 867 expats admit unpaid taxes in HMRC crackdown
- Apotex and Teva in the spotlight over price-fixing
- Scandi drama: Former SwedBank employees charged with money laundering
- £6.4m of illicit wealth recovered after a tip-off
- Report finds serious shortcomings with Europe's data regulators
Cyberattack exposes details of 9m easyJet customers
Budget airline easyJet has confirmed that there has been a "highly sophisticated" cyberattack on its systems, which compromised the personal details (emails and travel information, since you ask) of around 9m customers. Of those, 2,208 customers also had their credit card details stolen, including the CVV number on the back of the card.
Customers whose financial details were "accessed" have been informed and easyJet has said it will notify anyone else affected by 28 May. Declining to say how the breach happened, the airline confirmed that the breach was discovered in January.
Its CEO Johan Lundgren said, "We would like to apologise to those customers who have been affected by this incident. Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams."
"As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications."
No doubt, in time, it will face a steep financial penalty. This comes soon after the data watchdog granted British Airways a reprieve, as the airline industry battles headwinds due to the pandemic. Customers, however, may be left wondering why it took so long to be warned about that phishing risk. No frills, indeed.
- Report breaches promptly within the required timescale - breaches where there is a significant risk to people's rights and freedoms must be notified to the ICO within 72 hours; don't delay, not even to gather more information
- Do not underestimate the distress that can be caused to individuals by a data breach
- Make sure there are appropriate technical or organisational measures in place to safeguard personal data - both to prevent an attack and minimise its impact (e.g. by storing CVV codes separate from other card information)
- What vulnerabilities do your own systems conceal? Do you know? - now might be a good time to beef up security, secure the parameter and conduct penetration testing, especially there's some slack or respite from "business as usual" tasks. Sounds a good investment?
- Remember the ICO has the power to impose fines of up to 4% of global annual turnover - surely no business can afford the burden of unnecessary expenditure in the current climate
Covid-19 causes spike in compliance risks
Covid-19 is certainly testing corporate compliance to the max:
- There are a staggering 18 million coronavirus phishing emails a day
- Not only that, there have been bogus alerts for contact tracing apps
- An estimated £1.5 billion could be lost to fraudulent benefit claims...
- ... with organised crime groups profiteering from government bailouts and loans.
- It's predicted that modern slavery will rise - as travel restrictions make it harder for companies to monitor their supply chains
- The risk of insider trading is growing, as internal documents are shared outside the secure parameters of companies
- And anti-trust risks are rising, caused by price-gouging or a temporary relaxation of the rules on cooperation
As criminals seek to exploit the gaps and vulnerabilities caused by different work routines, even a softening of lending controls and due diligence, we need to be more vigilant than ever. As with other crises (9/11, the financial crash), more regulation is on the way.
But, on a positive note, without question the pandemic has boosted the profile of compliance. The real work starts now, ensuring we "build back better" for a stronger, more resilient future.
867 expats admit unpaid taxes in HMRC crackdown
The HMRC crackdown on overseas tax evasion has seen a 12-fold increase in the numbers of expats admitting tax dodging in 2018/2019.
867 British expats admitted failing to pay taxes in 2018/2019 compared with just 66 in 2017/2018, according to figures obtained in response to a Freedom of Information request. Of those, over 40% live in the Channel Islands, 10% in the Isle of Man and 6% in Switzerland.
Experts are predicting that the HMRC will likely be given new powers to crack down further on tax evasion and avoidance, in a bid to plug the shortfall caused by the pandemic. Excuse me? So taxes pay for important stuff like healthcare and tax evasion is not a victimless crime, after all.
Jason Collins from Pinsent Masons had this warning, "Penalties can be very harsh, and HMRC is likely to have the data now to carry out checks. Any UK asset that is held through an offshore entity is a red flag for HMRC."
Are you confident that you have done enough to prevent your business or people associated with it from facilitating tax evasion?
- Know who poses a high risk of tax evasion - including entities with complex tax planning structures, difficulties establishing beneficial owners, customers with unsubstantiated sources of funds or wealth, and those based in jurisdictions with high levels of secrecy (e.g. Cayman Islands, Switzerland, and South Dakota and Delaware in the US).
- Are you vulnerable to facilitation offences? - Tax advisory, legal, financial service firms and other professional enablers may be vulnerable, along with firms offering private wealth management.
- Conduct adequate due diligence and risk assessment - to ensure you are not conducting business with anyone who may be involved in tax evasion.
- Beware of any unusual payment arrangements – payment requests to offshore jurisdictions or to unrelated accounts should be investigated.
- Use criteria, monitoring and screening to check customers' tax compliance status - remember, tax evasion doesn't just apply to companies or customers with links offshore. Non-US financial institutions are also obliged to check the tax status of US citizens under FATCA, and foreign assets may be reported under the Common Reporting Standard.
- Know the difference between tax evasion and tax avoidance - One is legal, the other not.
- Report it - encourage your team to report tax evasion or other financial crime via your company's whistle-blowing hotline and other reporting channels.
Apotex and Teva in the spotlight over price-fixing
Drug company Apotex has admitted price-fixing and agreed to pay $24.1 million following a Department of Justice (DoJ) investigation.
The US regulator said Apotex fixed the price of Pravastatin, a generic cholesterol medication, between May 2013 and December 2015 and worked with others to keep the price of the drug artificially high.
As part of the agreement, it has also agreed to "cooperate fully" with the DoJ's ongoing antitrust investigations into some of the generics market leaders. The regulator has already reached agreements with Heritage Pharmaceuticals, Rising Pharmaceuticals and a former Novartis executive.
Meanwhile, Teva Pharmaceuticals has walked away from talks with the prosecutor, despite - according to the lawsuit - playing a central role in the "largest cartel case in the history of the United States". Perhaps it's hoping its role in the Covid-19 pandemic will give it some immunity from the Justice Department.
- Don't discuss prices, markets, territories, strategies or anything that is commercially sensitive with competitors - as it is illegal.
- Be proactive - speak out if you witness anti-competitive behaviour or collusion in meetings. If you don't, others will.
- Promptly report to Compliance or Legal if you witness anything suspicious - as, under the leniency rules, the first to report the cartel may escape punishment.
- If you make a mistake, it may be best to own it and move on - cooperation with the regulator can substantially reduce the size of the fine.
- Check out the latest CMA guidance - some of the rules on coordinated action by businesses have been relaxed due to the crisis, but others most definitely have not.
Scandi drama: Former SwedBank employees charged with money laundering
Actions have consequences. Little wonder then that Latvian prosecutors have confirmed that 11 people, including SwedBank's former employees, will be charged with money laundering.
For years, employees ignored AML procedures and failed to raise suspicious activity reports, allowing "individual customers to make large-scale cash currency exchanges without recording their identities in banking systems and without obtaining information on the origin of the funds used in the transaction", according to the bank.
The transactions were reported to the financial authorities after they were revealed by the bank's internal systems and a media exposé by Swedish TV and OCCRP.
Between 2010 and 2016, US$40bn of risky transactions were processed by the bank which wooed high-risk customers as part of its strategy, according to an audit by Clifford Chance - hired by the bank following the AML allegations.
- Employees failed to implement Know Your Customer principles and protected high-risk non-resident (HRNR) clients from tax authorities.
- The Senior Management Team failed to acknowledge AML weaknesses in the Baltic region, despite concerns raised by the Swedish regulator.
- The CEO failed to educate the board of the risks linked to non-resident customers and share relevant information.
- While its Estonian branch had a New Customer Committee, new clients were approved despite red flags and inadequate documentation on beneficial owners, source of funds, etc.
Already fined $386m by its regulator, the bank can now expect significant fines in the US and Estonia. Meanwhile, compliance professionals might benefit from reading about the case and learning lessons before it's too late.
£6.4m of illicit wealth recovered after a tip-off
This month's "feelgood" story comes courtesy of Commerzbank and the National Crime Agency who worked together to seize £6.4m of illicit wealth.
Commerzbank AG London tipped off the National Crime Agency about the account - which it had inherited in a takeover. It was set up in the 1970s in the name of Liberian company The Albatross Ltd, purportedly operating container ships for an international shipping company.
Commerzbank launched an internal investigation when an individual tried to open a new account and move the money, supposedly to charities. An Account Freezing Order was granted in October 2019.
After sifting 10 years of data, the NCA investigation found the shipping company had no knowledge of the Liberian company. There was a raft of fake IDs and the account was linked to tax evasion, money laundering, bribery and corruption.
Praised by the NCA for acting on the red flags, Commerzbank's Robert McMillan said, "At Commerzbank we have a strong compliance culture and have invested significant resources in our AML policies and controls, so we are pleased to have worked with the NCA to achieve this result."
- Be vigilant about red flags - including unusual behaviour, unusual transactions, high-risk customers, high-risk jurisdictions or explanations that just don't add up.
- Review your own AML policies and controls - are they similarly impressive? What checks are made on dormant and inherited accounts, and how frequently are they carried out?
- Avoid tipping off anyone suspected of money laundering or terrorist financing - there's a two-year penalty if you break the rules.
- Immediately report any concerns, knowledge or suspicions to your MLRO.
Report finds serious shortcomings with Europe's data regulators
It's claimed that data watchdogs - both in the UK and Europe - lack "teeth" and are too soft, especially with tech firms that flagrantly break the rules. That may or may not be true. But, worryingly a recent report found many of Europe's data protection authorities (DPAs) are poorly equipped and deprived of the tools they need to enforce the GDPR - a requirement of Article 52(4).
- Half of the watchdogs have budgets of less than €5m
- Only five of the 28 EU DPAs have more than 10 tech specialists
- Seven DPAs have only two tech specialists
- Just 3% of the ICO's staff are tech specialists, even though it has the largest budget (€61m)
Clearly, this is no match for tech firms with deep pockets who have much to gain. If we're really serious about protecting people's privacy and enforcing the GDPR, surely this needs a rethink soon.
Looking for more compliance insights?
Skillcast has partnered with YouGov to conduct primary research into compliance issues, attitudes and risk perceptions in the UK workplace to produce a series of Insights Blogs.
We also have 50+ free compliance training aids, including a selection of desk-aids, eBooks, guides, handouts, posters, training presentations and even free e-learning modules!
And why not subscribe to our Compliance Bulletin which delivers a round-up email of all of this month's best practices, expert opinions, industry insights, key trends in regulatory compliance training, digital learning, EdTech and RegTech news.