Compliance Essentials News - September 2019
This month's key compliance news round-up includes Unicef's data breach, ICO historical personal information warning, NHS fraud, digital disruption and more...
Our pick of the most informative compliance news stories this month:
- Lawyers & accountants ignoring the risks of money laundering
- ICO warns about historical personal data
- How to respond to a data breach
- Cybersecurity tops business risks in internal auditor survey
- RMG escapes anti-competitive behaviour fine by speaking up
- Bitter pill: NHS loses £1.29bn to fraud annually
- AI and digital disruption hits wealth management
Lawyers & accountants ignoring money laundering risk
Lawyers and accountants are 'complicit' and 'complacent' of the risks of money laundering, says Karen Baxter, the police national lead on economic crime, and this could undermine public trust in the professions.
Organised crime gangs are known to target professionals in the accountancy, legal and property services primarily because their expertise often gives illicit cash a cloak of legitimacy and respectability. But Baxter has expressed alarm at the paltry number of suspicious reports filed by these professionals considering "at some point [proceeds of crime] probably go through them."
Out of 470,000 suspicious reports made to the National Crime Agency last year, reports by accountants and lawyers accounted for just 1.06% and 0.58% of the total. While recognising that not all businesses are complicit or act as professional enablers, Baxter has urged firms not to be complacent and to improve their systems and controls.
ICO warns about historical personal data
The Information Commissioner's Office is warning people of the risks of holding on to sensitive personal data when they change jobs or leave a company.
It follows an investigation into the actions of two former Metropolitan Police officers who - having retained their notebooks - subsequently leaked information about a case in the media.
Although the ICO decided not to take action on this occasion (perhaps because the matter was investigated under 1998 legislation), it stressed that under the tougher Data Protection Act 2018 there is a new obligation not to "knowingly or recklessly retain personal data without the consent of the data controller".
The ICO says that anyone who uses personal information in the course of their job - from teachers, health workers, police officers to those in private business - should be aware of this law change.
- Implement procedures for when people leave your company, retire or switch jobs - ensure their access to personal information continues to be appropriate (i.e. there is a 'need to know' or any extra permissions are promptly removed)
- Promptly remove access permissions when people switch jobs - even unintentional leaks can violate privacy and damage your company's reputation
- Evaluate the data landscape - what electronic or physical access to personal information might someone retain (for example, in diaries, notebooks, calendars, etc) when they leave?
- Protect against curious or prying employees - remind everyone that the ICO takes data privacy seriously and has taken action against many individuals (for example, for forwarding personal information to personal emails, for selling personal data on, or simply accessing personal information without a valid business reason). Share cases of violations to keep data protection 'top of mind'.
How to respond to a data breach
Not gonna lie, our hearts sank when we read about Unicef's data breach.
When Unicef suffered a data leak linked to its online learning platform Agora on 26th August (an employee accidentally disclosed the personal details of 8,253 people) it dealt with it in a way that has drawn praise and criticism from diverse quarters.
Unicef's Head of Media came forward to say, "This inadvertent data leak was caused by an error when an internal user ran a report. Our technical teams promptly disabled the Agora functionality … These measures will prevent such an incident from reoccurring." Unicef apologised to all those affected by the breach.
Unusually, cyber-security experts praised the non-profit for its willingness to 'lean in' and 'limit the damage', noting its relatively low-level impact. Others were not so, well, charitable and stressed that with any breach there are important lessons for us all.
Others were not so, well, charitable and stressed that with any breach there are important lessons for us all. We're listening…
- Remember, small actions can have big consequences - simple human error can result in personal data being exposed. Think about the best ways of preventing that.
- Implement controls and safeguards to mitigate the risks - for example, by promoting a security culture, providing training, adopting extra precautions with databases, raising awareness of types of risks via refresher training, encouraging people to double-check recipients' email addresses, and so on.
- Report data violations promptly in line with data protection laws - interestingly, this breach did not need to be reported as UN agencies are exempt from legal process. Experts argue however, that there should be accountability and data security should be a priority.
- Create the right culture - make it clear to your team that any security breach (however minor) matters. Customers have entrusted us with their personal information so we must instil confidence and reassure them that we're doing our utmost to safeguard it.
- Don't be complacent - ICO statistics show charity data breaches doubled in 2017/2018 with 148 reported incidents. 22% of charities also experienced a cyberbreach in the last 12 months, according the government's Cyber Security Breaches Survey 2019, with 39% experiencing at least one breach or attack a month.
- Slow down - rushing and performing semi-automated activities (eg mail mergers, automated report processing) can make us more prone to mistakes. Stop and check exactly what is being sent and to whom.
- Look for continuous improvements - download the ICO's top tips for charity and learn from others.
Cybersecurity tops business risks in internal auditor survey
Cybersecurity, regulatory change and digitalisation are the top three business risks facing firms today, according to a survey conducted by the Chartered Institute of Internal Auditors.
The survey, widely considered to be a barometer of organisations' risk priorities, canvassed the views of 528 chief internal auditors (CIA) in different sectors across eight European countries.
- 78% of respondents cited cybersecurity as the top business risk (an increase of 18% on last year), with 59% and 58% citing regulatory change and digitalisation respectively.
"Cybersecurity is a problem we regularly see on the news from the theft of 500 million Marriott hotel guests' personal information, to the security breach which exposed 50m Facebook user identities", said Ian Peters of the Chartered Institute of Internal Auditors. Quoting DLA Piper, there were an estimated 59,000 personal data breaches reported across Europe in the first eight months after GDPR was introduced.
The second spot - regulatory change - should surprise no-one. 2018 was, after all, a mammoth year for European regulation with GDPR, MiFID II and PSD2.
30% of respondents cited concerns about AML, anti-bribery and corruption and antitrust compliance. Here's how one internal auditor at a Swedish bank saw it:
"If we look at the number of hours we allocate for mandatory regulatory and compliance audits, it amounts to about 20% of the total number of hours and it is increasing every year. But our resources are not increasing in line with that. That's a real challenge."
With further regulatory change almost inevitable with Brexit, what's the likelihood of this taking the top spot next year?
You can download the report from the IIA website.
RMG escapes anti-competitive behaviour fine by speaking up
Royal Mail Group has acknowledged its role in an illegal anti-competitive agreement with Salegroup, a reseller of its parcel delivery services.
For four years, Salegroup and RMG's Parcelforce division exchanged customer data and agreed not to approach each other's customers, violating competition law.
"Anti-competitive agreements like the one between Royal Mail and the SaleGroup are designed to restrict competition, and they often lead to customers paying higher prices as a result", said Ofcom's director of investigations and enforcement.
- Instil good practice - make sure your team knows how to respond in risky situations so they do the right thing (e.g. having their objections to risky conversations noted, leaving immediately, etc.) and protect your company's reputation
- Train your team to promptly report any anti-competitive conversation or approach, not cover it up - remember, the first to inform the regulator can avoid prosecution under leniency rules. In this case, Royal Mail escaped the fine for reporting the collusion, whereas Salegroup were fined £40,000.
Bitter pill: NHS loses £1.29bn to fraud annually
An NHS England strategy document into fraud, bribery and corruption claims that "£1.29 billion could be lost due to economic crime from the NHS in England on an annual basis".
Of the £750m losses in primary care, almost half (£341.7m) relate to patient fraud, with patients falsely claiming exemptions from prescriptions, dental and optical charges. The report also uncovered 'phantom' appointments, and fraudulent registrations of patients by dental contractors and GP practices.
In 2018, a Counter Fraud Specialist team was set up internally by NHS England to tackle the problem. In separate incidents, two GP practice managers were jailed for defrauding their surgeries of six-figures sums.
The report notes, "These high trust environments present considerable scope for manipulation and sharp practice. … Fraud, bribery and corruption are complex, hidden crimes that represent losses to NHS England and therefore impact the care which can be provided to patients. Whilst the nature and extent of the losses are not fully understood, it is clear that any loss as a result of dishonesty is too much."
Use Cressey's fraud triangle - to better understand fraud and your risk exposure:
- There is a motivation behind every act of fraud - motivations are red flags that can help in the early detection and prevention of fraud.
- Along with the motivation, people often require a rationalisation to justify actions that are criminal or unethical.
- The motivation and justification are still insufficient for committing fraud. Perpetrators must have the opportunity (access or authority) to commit the fraud and believe they have a reasonable chance of getting away with it.
- Watch out for red flags - such as people spending beyond their means without justification, lifestyle risk factors (e.g. addiction, debts, etc), and more
- Implement a fraud detection and fraud training strategy - covering Prevent, Detect and Respond
AI and digital disruption hits wealth management
3 in 5 of millennials are unhappy with their current wealth management services and are increasingly exploring Fintech alternatives to manage their money, according to a study by marketing consultancy Simon-Kucher.
In a survey of 645 High Net Worth millennials (born 1981-1996) in six countries, it found that traditional banks were not doing enough to wow their younger customers.
Millennials were planning to shift 56% of their investable assets to Fintechs and are urging private banks to do more to improve the customer experience or face the consequences.
"To capture the attention of this high-net-worth generation, private banks have to significantly upgrade their customer experience", said Silvio Struebi, Head of Banking at Simon-Kucher.
The authors recommend that banks look to the innovative practices of brands like Netflix and Apple for inspiration, which are so admired by the generation.
They also identified a number of wow factors for banks to hook millennials including greater personalisation, transparency, exclusive offerings, and 24/7 immediacy. It seems these millennials value quality and brand, more than price.
Having already witnessed digital disruption courtesy of Netflix, Uber, and Airbnb, no company can afford to ignore the threat.
Looking for more compliance insights?
Why not subscribe to our Compliance Bulletin which delivers a round-up email of all of this month's best practices, expert opinions, industry insights, key trends in regulatory compliance training, digital learning, EdTech and RegTech news.
Skillcast has partnered with YouGov to conduct primary research into compliance issues, attitudes and risk perceptions in the UK workplace to produce a series of Insights Blogs.
We also have 50+ free compliance training aids, including a selection of desk-aids, eBooks, guides, handouts, posters, training presentations and even free e-learning modules!