Compliance Essentials News - November 2019
This month's round-up of key compliance news includes art corruption, FCA misbehaviour, Apple Card bias, McDonald's harassment, Equal Pay Day, Google Fitbit, PCI DSS decline and more...
Our pick of the most informative compliance news this month
- Paint it black: Corruption in the art world
- FCA orders staff to clean up their act
- Goldman Sachs rejects Apple Card gender bias claim
- Lovin' it? Not so much...
- Purple shame: Retailers must do more to improve digital accessibility
- Feel like working for free until January?
- Customers run scared of Google's Fitbit acquisition
- PCI DSS in decline, warns Verizon
Paint it black: Corruption in the art world
In November 2017 the painting Salvator Mundi by Leonardo da Vinci was sold for $450.3 million, making it the world's most expensive of all time. Now there's no suggestion that this was bought with dirty money. Let's get that straight.
But while images of fast cars, mansions and super yachts readily come to mind when you think of money laundering, the somewhat genteel settings of an art gallery, auction house or museum seem a world away, right?
Wrong! Transparency International's investigation into laundromat payments has uncovered surprising links between the art world and corruption. Here's what they found.
Out of 422 payments made to 118 UK luxury goods outlets:
- 13 transactions were categorised as "art" (value over £1m)
- 7 transactions were labelled "auction" (total value £350,000)
- 11 transactions were classed as "antiques" (total value £100,000)
Elsewhere, Jho Low, the Malaysian businessman accused of misappropriating £3.5bn between 2009 and 2015, bought art with the proceeds and is now forfeiting a Picasso, Monet and Van Gogh as part of a settlement with the Department of Justice.
Reports like this up the pressure on art dealers and auction houses who'll need to carry out Know Your Customer checks and report suspicious activity from January 2020 under the Fifth Money Laundering Directive (5MLD).
- Conduct risk-based due diligence - on all customers, associates, consultants and third parties. (The higher the risk, the higher the level of due diligence is required.)
- Make sure you know when to carry out standard versus enhanced due diligence - there are different rules for UK versus non-UK residents, as well as individuals versus private and public entities, PEPs etc.
- Watch out for red flags - i.e. anything that's unusual or suspicious. Pay particular attention to unusual behaviour (e.g. the purchaser of a high-value work of art not asking questions you would expect), unusual transactions (e.g. electronic currency transfers), high-risk customers (e.g. Politically-Exposed Persons) and high-risk jurisdictions (i.e. countries linked to corruption or subject to sanctions). Check locations using Transparency International's Corruption Index.
- Confirm their identity by obtaining and independently verifying documentary evidence - keep certified copies as proof that adequate checks were carried out. (Don't assume these checks have already been made unless you have clear evidence.)
- Remember that Know Your Customer checks must also be carried out for a series of smaller transactions with the same person which together exceed €10,000
- Never use your knowledge of our systems or controls to bypass checks - collude with or otherwise assist anyone involved in money laundering or terrorist financing.
- Avoid tipping off anyone suspected of money laundering or terrorist financing that an investigation has been launched - there's a two-year penalty if you break the rules.
- Immediately report any concerns, knowledge or suspicions immediately - relating to money laundering, terrorist financing, and Politically Exposed Persons (PEPs) to our MLRO.
Get up-to-speed with the new money laundering directive with the help of our free training aid.
FCA orders staff to clean up their act
Stealing plants, urinating on the floor, abusing catering and security staff. No, it's not the office Christmas party but, incredibly, examples of the bad behaviour that Georgina Philippou, the Chief Operating Officer, has criticised at the FCA's new £60m HQ.
It's not the kind of behaviour you'd expect to see from the very people tasked with overseeing the conduct of over 59,000 financial firms and protecting the integrity of financial markets.
Yet, in an open letter on its intranet and seen by the Evening Standard, the COO berated colleagues for "Leaving cutlery and crockery in the kitchen areas, overflowing bins, stealing plants and charging cables from desks, catering and security teams being subject to verbal abuse, colleagues defecating on the floor in toilet cubicles on a particular floor, urinating on the floor in the men’s toilets and leaving alcohol bottles in sanitary bins."
The same letter reveals the real dilemma Philippou faced in raising her concerns, "I did think long and hard about whether to disclose all these behaviours because they are so distasteful and shameful but keeping quiet has not got us far in terms of changing behaviours. This kind of behaviour is unacceptable and will not be tolerated here."
All credit to Philippou for having the guts to speak out. What would you do in this situation? Keep it quiet in the certain knowledge that nothing will change, or pull up staff for Code violations potentially risking your reputation? It's never an easy decision.
We know the FCA is not alone in wrestling with these kinds of conduct issues.
- Raise awareness of the Code regularly to keep it "front of mind" - this tells everyone that the Code matters and should guide every action and decision they make
- Reinforce "what good looks like" - by providing good role models, providing examples of good behaviour in action, talking through the dilemmas they may face and what you expect of them, etc
- More carrot, less stick - don't over focus on what goes wrong; instead, exemplify good practice by recognising and rewarding those who "do the right thing" (whether it's a face in the company magazine, a bonus scheme, treat day etc); remember, positive reinforcement often works better than punishment
- Know your business areas and teams - and which compliance persona describes each of them. Who is wilfully non-compliant, who is accidentally non-compliant, and who is habitually compliant? What action is most appropriate (proportionate) for each persona when they violate the Code?
- Don't be tempted to ignore minor transgressions or make exceptions for "star players" and senior managers - either the Code of Conduct matters or it doesn't. If there are no sanctions for doing the wrong thing, why should anybody care? Non-compliance becomes inevitable. (See also Lovin' it? Not so much...)
Goldman Sachs rejects Apple Card gender bias claim
Heralded as a model of simplicity, Apple's new credit card was meant to shake up the industry. But it's not taken long for problems to emerge.
It all started when tech entrepreneur David Heinemeier Hansson complained on social media about possible gender bias by the famously fragile card after he was granted 20 times more credit than his spouse. His post went viral - with Apple's co-founder Steve Wozniak confirming he too had experienced the same issue, despite a joint account and joint tax returns.
Its overseer Goldman Sachs denies any suggestion that it intentionally discriminates against women. Its CEO said, "We have not and never will make decisions based on factors like gender", but the New York Department of Financial Services is investigating.
The case again raises concerns about how algorithms are used in lending decisions. Critics claim that instead of eradicating discrimination, models have simply made it more covert and entrenched.
Goldman Sachs has promised aggrieved customers that it will take another look at their decisions but US senator Elizabeth Warren stressed that the onus is on the company to explain how the algorithm is designed and its impact. "If they can't do it, then they need to pull it down."
According to a 2016 study by Experian, women often struggle to get credit, despite higher credit scores, having less debt and being less likely to make late mortgage repayments.
- Watch out for indirect discrimination - check that our policies and procedures do not inadvertently discriminate against individuals on the basis of the nine protected characteristics (eg age, disability, sex, religion or belief, and so on).
- To comply with the GDPR, pay extra attention to solely automated decisions made without human involvement - especially where decisions might have a legal or other significant effect, such as credit decisions, aptitude or recruitment tests, etc. Under Article 22, individuals have the right to request human intervention or challenge decisions.
- Carry out a Data Protection Impact Assessment (DPIA) - to assess the risks and impact. We must also check systems for accuracy and bias, and use this information to improve the model. You can find further guidance in the ICO Big Data report.
- Remember to tell individuals about any automated decision making you carry out - to ensure transparency
Lovin' it? Not so much...
The chips are down this month at McDonald's.
First came news that the fast-food chain has fired its CEO Steve Easterbrook for a consensual relationship with an employee, a clear violation of company policy. An overreaction, some wondered, given the impressive results under his tenure which saw a doubling of its share price?
Then, just one week later came news of a class action lawsuit in Michigan by at least 50 of its workers alleging a "systemic problem" of harassment at the company - including by restaurant managers and with under-aged staff also targeted.
An attorney said the cases were "emblematic of a systemic problem of sexual harassment at McDonald's across the nation". As well as $5 million in compensation, workers want better policies with anti-harassment measures and a confidential channel for reporting complaints.
Now the firing makes sense. Sharyn Tejani of Time's Up Legal Defense Fund explains, "The fact that their own CEO is violating their polices gives you an idea of how un-seriously McDonald's take workplace sex harassment."
- Get the tone from the top right - For policies and procedures to be meaningful, it's vital that managers "walk the talk". McDonald's has no choice but to fire Easterbrook for breaking the rules. Sanctions have to be applied consistently or this would undermine the policy. (For the same reason, star performers who engage in bribery must also be sanctioned. If there's no penalty, there's no incentive for anyone else to comply.)
- Arrange training for workers - so they are clear about what is and is not harassment, and can spot policy breaches
- Don't be too narrowly focused - harassment is not only a "guy thing". Women can harass direct reports too, and it can take place between colleagues of the same sex.
- Raise any concerns you have - don't cover it up if you or your colleagues experience or witness harassment.
- Be especially vigilant wherever there is a power imbalance - eg between a manager and direct reports. Arrange effective oversight of those in management positions to ensure they don't abuse their position by giving unfair benefits and favours to some, while threatening to destroy the careers of others.
- Undertake crisis management planning - ask yourself whether you would detect a predatory manager and how you'd respond.
- Empower your team to call it out - sometimes those experiencing harassment may feel unable to speak out, worried about losing their job, shame or embarrassment, even wondering if they were somehow to blame. If you witness inappropriate behaviour, say so or report it.
- Provide adequate channels for reporting - including both face-to-face (manager, HR, Board) and confidential channels. Remember, reports of harassment may be more difficult to make - for example, due to embarrassment or if a manager is implicated, so offer alternatives.
Purple shame: Retailers must do more to improve digital accessibility
Organisations aren't doing nearly enough to support people with disabilities and are losing million out as a result, according to the disability charity Purple.
The poll - carried out to mark Purple Tuesday which celebrates UK companies that improve the experience of disabled customers - found:
- Over three-quarters of young disabled people (age 16-24) had found it difficult to buy goods online or in person on more than one occasion due to their disability
- This supports a previous study where 75% of respondents had left a website or store unable to complete their purchase because of their disability
- Yet, 56% said greater staff understanding would make them more likely to spend their disposable income
CEO Mike Adams said, "This is a huge mistake, not least because by turning their backs on disabled shoppers, they are losing out on millions of pounds of revenue every year. It should simply not be the case that one in two disabled people struggle to make purchases online or in person. Small changes can make a big difference to the customer experience; we want to help organisations have the confidence to improve their services for disabled people."
"This is a huge mistake, not least because by turning their backs on disabled shoppers, they are losing out on millions of pounds of revenue every year. It should simply not be the case that one in two disabled people struggle to make purchases online or in person. Small changes can make a big difference to the customer experience; we want to help organisations have the confidence to improve their services for disabled people."
Of almost 14 million people in the UK with a disability, 80% have a hidden impairment.
"With 1 in 5 potential UK consumers having a disability the opportunities for companies that embrace accessibility are huge. It is also important to consider that a disability can be temporary and situational – ever tried using a shopping app with one hand while holding a baby in the other? Companies that get this right are not only doing the right thing, they are also improving their bottom line."
Do you know how accessible your own organisation is and what improvements you should make to improve digital accessibility?
- Avoid lazy stereotypes and oversimplifications - not everyone with a disability uses a screen reader! Remember disabilities can be permanent, temporary or situational so aim to cater for different needs.
- Conduct testing on websites and apps - to find out how accessible they really are for people with disabilities
- Train your staff to recognise examples of good and bad UX design on websites - e.g. excessive animation, complex layouts, inaccessible tables, poor colour contrast, etc.
- Provide audio descriptions and alt-text for images - to improve user experiences and to help people understand what is happening onscreen
- Remember accessibility is not just a "nice to have" - the Domino's lawsuit, brought after a blind man was unable to order a pizza on its website and app, suggests it may not be long before accessibility is a legal requirement. There are over 2,200 similar suits according to UsableNet, the accessibility technology firm.
- Accessibility is good for business - the Purple pound is worth an estimated £249 billion a year. But, improving accessibility is the right thing to do. Many of the changes can help all of us, not just people with disabilities.
Feel like working for free until January?
14 November was Equal Pay Day, symbolically the last day that UK women will be paid until January, meaning they effectively work for free because of the gender pay gap.
Despite the introduction of the Equal Pay Act almost 50 years ago, men continue to be paid more than women for doing the same work of equivalent value - in supermarkets, in journalism, in catering and in the City.
With gender pay gaps remaining stubbornly wide, the Fawcett Society is now calling for greater pay transparency with "an enforceable right to know" what colleagues earn. The initiative, which claims to have 79% support among a poll of both men and women, would restore trust and, according to Moya Greene - former executive at Royal Mail - alleviate the need for expensive tribunals. You can follow the conversation on the hashtag #RightToKnow.
- Benchmark progress - What is the gender pay gap where you work? What does it say about the company? How do we measure up compared with comparable organisations operating in the same sector? How might you explain any differences?
- Establish the facts - Are we confident of the reasons for any discrepancies in pay or other terms and conditions? Can they be justified? If so, what data or evidence is available?
- What lessons can we learn and apply in other areas? - inequality and discrimination may exist in other areas, e.g. disability, race, sexual orientation, etc. How can we develop a more inclusive environment for everyone?
- Review and improve - How does your company deliver equality in your own policies and procedures? How often do you review to ensure they are still "fit for purpose"? What other progressive policies might you introduce - e.g. flexible working, shared parental leave, better awareness and training, etc. - to ensure everyone is treated fairly?
Customers run scared of Google's Fitbit acquisition
News of Google's $2.1 billion acquisition of Fitbit hasn't gone down well with everyone.
Customers have expressed alarm that their personal data - contact details, height, weight, DOB, gender, location data, health and fitness goals - tracked on the fitness wearable will soon be acquired by the tech giant and many of them have already, well, run.
Sounding like he'd just come straight from a GDPR refresher course, Google SVP Rick Osterloh recounted the many ways the company would endeavour to meet the data protection principles. Transparency? Check. Privacy and security? Check. Yup, even the right to erasure and data portability for anyone who still wasn't happy. His press release had it all.
The problem was, the grand words and aspirations didn't match the behaviour and reality. Ah sadly a sentiment many of us in compliance can relate to. Google's reputation on privacy is legendary and best summed up by one user's tweet. Hammer time...
True to form, just over a week later, its "Project Nightingale" partnership with Ascension was raising eyebrows with the revelation that around 150 Google staff have access to the health data of tens of millions of patients.
So Mr Osterloh, we will judge you not by your words but by what you do.
PCI DSS in decline, warns Verizon
According to Verizon's 2019 Payment Security report, global compliance with the Payment Card Industry Data Security Standard (PCI DSS) has dropped to 36.7%. The standard, which was designed by card companies and financial firms to guard against data theft and breaches, appears to be in decline.
Rodolphe Simonetti, Verizon's global MD for security consulting, said, "After witnessing a gradual increase in compliance from 2010 to 2016, we are now seeing a worrying downward trend and increasing geographical differences."
- 18% of organisations have no defined compliance program
- Just 20.4% of organisations in the Americas were compliant, compared with 48% in Europe, the Middle East and Africa (EMEA), and 69.6% in the Asia-Pacific (APAC) region
The launch of PCI DSS 4.0 gives companies an opportunity to address deficiencies, said Simonetti, adding that non-compliance made organisations more vulnerable to cyberattack. "Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organisation. Compliance works."
Looking for more Compliance news?
We also publish our pick of the biggest news in Financial Services compliance every month in FCA Compliance News.
Why not subscribe to our Compliance Bulletin which delivers a round-up email of all of this month's best practices, expert opinions, industry insights, key trends in regulatory compliance training, digital learning, EdTech and RegTech news.