Our pick of key compliance stories in 2019
- Google €1.5bn EU competition fine
- Record £183m ICO fine for BA for data breach
- Unicredit $1.3 billion sanctions penalty
- Ericsson €1bn fine for bribery
- Biggest ever Account Freezing Orders granted
- Crown dependencies introduce public registers
- Betfred fined £322k for AML failures
- Systemic harassment uncovered at McDonald's
- Standard Chartered £100m financial crime fine
- Google fined €50m for GDPR infringements
Key compliance news stories in detail
1. Google €1.5 bn EU competition fine
For the third time in two years, Google was fined €1.5 billion by the European Commission for anti-competitive practices.
Prosecutors accused Google of abusing its dominant position (it enjoys more than 90% of the search market) by preventing its rivals from placing online adverts on its search results pages.
EC commissioner Margrethe Vestager said, "Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anti-competitive contractual restrictions on third-party websites. This is illegal under EU antitrust rules."
This latest fine brings Google's total fines to €9 billion since 2017. However, critics argue that these fines have actually done little to change the tech giant's dominance. Instead, they suggest that behavioural remedies - such as being forced to divest DoubleClick or Waze might have more of an impact.
2. Record £183m ICO fine for BA for data breach
The UK Information Commissioner's Office signalled its intention to fine British Airways a record £183 million (around 1.5% of its global turnover) over its data breach in 2018. This dwarfed the previous record fine of £500k handed to Facebook under the DPA by a considerable margin (367 times higher).
In summer 2018, when customers booked flights via the BA app or website, they were instead redirected to a fake website that harvested their personal data. It was only reported by BA in September 2018.
Andrew Dwyer, an Oxford University cyber-security expert, explained: "The ICO fine shows how serious some of BA's failings were with its payment processing both on its website and its app."
- BA had not updated critical software since 2012, long after flaws were discovered.
- The time it took to discover the vulnerability (3 months) indicates a more fundamental IT governance failure.
- The number of people affected and the impact of the breach also likely determined the size of the fine.
In another first, the ICO acted as the lead supervisory authority on behalf of other EU data protection authorities whose citizens were also affected by the hack.
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
- Keep software up-to-date and download any patches immediately
- Cost-cutting is counterproductive - experts point out that instead of costing a few million to implement the right security, BA will now pay a nine-figure sum instead
- Ensure there is sufficient oversight and monitoring of the data landscape - any breaches must be notified within 72 hours
- Make sure there are appropriate technical or organisational measures in place to safeguard personal data
- Remember, the ICO has the power to impose fines of up to 4% of global annual turnover -so maybe that fine is lenient after all!
3. Unicredit $1.3 billion sanctions penalty
UniCredit Bank is to pay $1.3 billion in penalties after it admitted processing "hundreds of millions of dollars of transactions" on behalf of sanctioned Iranian entities through the US financial system. For ten years, the bank moved $393 million through the US financial system and also conspired to conceal restrictions.
When the bank introduced an automated 'embargo tool' to flag transactions likely to violate sanctions, its compliance department issued an instructional guide - effectively providing a workaround to enable employees to dodge red flags and process transactions in an "OFAC-neutral" way, according to the regulator.
- Keep your knowledge of US, EU and UK sanctions up-to-date - by regularly checking guidance issued by the Office of Foreign Assets Control (OFAC), the EU and the UK government.
- Understand the sanctions landscape - sanctions don't just apply to financial transactions and the freezing of assets. There can also be restrictions on the supply of services (such as giving advice) and trade (such as the supply of arms, diamonds, etc.). New sanctions regimes - including Chemical Weapons and Cyber Attacks have also recently been introduced.
- Conduct due diligence on third parties - in particular, agents, distributors, customers and suppliers that trade with or border sanctioned countries to assess exposure. Ignorance is no excuse. Don't just look at your customer but also your customer's customer when carrying out risk assessments. Who are the beneficial owners?
- Get a holistic view of your company's entire risk exposure - while most of your team should easily identify jurisdictions where sanctions apply, do they appreciate the risks of dealing with non-sanctioned countries that trade directly with them (such as China with North Korea) or share a border with them (such as Turkey and Iran)? Countries such as Iraq and UAE can also be used by entities to bypass sanctions. Do your front-line staff know how to manage this kind of exposure?
- Learn lessons from published violations and enforcement action - to better understand your compliance obligations, how violations occur (in this case, upper/lower case differences), how regulators will interpret your actions, and what remedial action to take
4. Ericsson €1bn fine for bribery
Swedish telecoms company Ericsson had agreed to pay two US regulators over €1bn for a "years-long corruption campaign" and numerous bribes, slush funds and gifts across its operations.
It will pay the Securities and Exchange Commission (SEC) $540 million - the second biggest FCPA fine after Petrobras - and the US Department of Justice over $520 million, after paying bribes across five countries "to solidify its grip on the telecommunications business".
The Justice Department said, "Ericsson's corrupt conduct involved high-level executives and spanned 17 years and at least five countries, all in a misguided effort to increase profits."
It had slush funds that were used to pay corrupt officials in Djibouti, China, Vietnam, Indonesia and Kuwait. Payments were made via agents intermediaries, using fake invoices for non-existent consulting services.
In addition, the firm did not receive full credit for cooperating with the DOJ, having failed to disclose allegations of corruption regarding two matters. It was also late providing information requested by the regulator and failed to "take adequate disciplinary measures" against those involved.
"Ericsson conducted telecom business with the guiding principle that 'money talks.' Today's guilty plea and surrender of over a billion dollars in combined penalties should communicate clearly to all corporate actors that doing business this way will not be tolerated."
5. Biggest ever Account Freezing Orders granted
The National Crime Agency (NCA) successfully froze over £100m after being granted Account Freezing Orders (AFOs) on eight bank accounts.
The money - thought to be the proceeds of overseas bribery and corruption - is the largest amount ever frozen since the powers were introduced under the Criminal Finances Act 2017. The NCA now needs to establish whether the funds are derived from unlawful conduct.
It was not the first time these powers had been used. Around £20m was similarly frozen in December 2018. And, separately, seizures were made from the son of Moldova's prime minister and the niece of the Syrian President, Bashar al Assad.
A spokesman said, "…the NCA has used new powers such as Unexplained Wealth Orders and Account Freezing Orders to target suspected illicit assets, and we are already seeing some far-reaching impact of this activity".
6. Crown dependencies introduce public registers
Crown dependencies of Jersey, Guernsey and the Isle of Man finally agreed to introduce public registers, establishing the real owners of faceless shell companies registered in their jurisdictions ... albeit by 2023!
While there is some concern about why it will take so long, the U-turn is being heralded as an important victory for transparency and a boost to efforts to combat tax evasion and money laundering.
It estimates that globally, around $500 billion in corporation tax is ducked each year by multinationals which - it also points out - is 20 times more than the UN's entire annual humanitarian aid budget.
"The era of secrecy is a thing of the past and other tax havens must now make their own moves to bring the real people behind anonymously owned companies out of the shadows. Any state failing to do so will be left behind"
7. Betfred fined £322k for AML failures
The UK Gambling Commission (UKGC) has fined Petfre Ltd (operating as Betfred) £322,000 for failing to carry out sufficient Source Of Funds (SOF) checks on one of its customers.
The customer deposited £210,000 and lost £140,000 over a 12-day period in November 2017. This led to a request to provide SOF, which the customer ignored, raising "significant concerns regarding the effectiveness of [its] policies and procedures" according to the UKGC.
In fact, the money that the customer spent with Betfred (and other operators) was stolen, and they have since been convicted of a £2m fraud.
Online and land-based operators need to ensure they are complying with their AML obligations.
Last month, the UKGC also fined Silverbond Enterprises £1.8m for social responsibility and AML failings at its Park Lane Club.
8. Systemic harassment uncovered at McDonald's
In November 2019 came news that the fast-food chain had fired its CEO, Steve Easterbrook, for a consensual relationship with an employee, a clear violation of company policy. An overreaction, some wondered, given the impressive results under his tenure, which saw a doubling of its share price?
Then, just one week later came news of a class-action lawsuit in Michigan by at least 50 of its workers alleging a "systemic problem" of harassment at the company - including by restaurant managers and with under-aged staff also targeted.
An attorney said the cases were "emblematic of a systemic problem of sexual harassment at McDonald's across the nation". As well as $5 million in compensation, workers want better policies with anti-harassment measures and a confidential channel for reporting complaints.
Now the firing makes sense. Sharyn Tejani of Time's Up Legal Defense Fund explains, "The fact that their own CEO is violating their policies gives you an idea of how un-seriously McDonald's take workplace sexual harassment."
- Get the tone from the top right - For policies and procedures to be meaningful, it's vital that managers "walk the talk". McDonald's has no choice but to fire Easterbrook for breaking the rules. Sanctions have to be applied consistently or this would undermine the policy. (For the same reason, star performers who engage in bribery must also be sanctioned. If there's no penalty, there's no incentive for anyone else to comply.)
- Arrange training for workers to be clear about what is and is not harassment and can spot policy breaches.
- Don't be too narrowly focused - harassment is not only a "guy thing". Women can harass direct reports too, and it can take place between colleagues of the same sex.
- Raise any concerns you have - don't cover it up if you or your colleagues experience or witness harassment.
- Be especially vigilant wherever there is a power imbalance - eg between a manager and direct reports. Arrange effective oversight of those in management positions to ensure they don't abuse their position by giving unfair benefits and favours to some while threatening to destroy the careers of others.
- Undertake crisis management planning - ask yourself whether you would detect a predatory manager and how you'd respond.
- Empower your team to call it out - sometimes those experiencing harassment may feel unable to speak out, worried about losing their job, shame or embarrassment, even wondering if they were somehow to blame. If you witness inappropriate behaviour, say so or report it.
- Provide adequate channels for reporting - including both face-to-face (manager, HR, Board) and confidential channels. Remember, reports of harassment may be more difficult to make - for example, due to embarrassment or if a manager is implicated, so offer alternatives.
9. Standard Chartered £100m financial crime fine
The Financial Conduct Authority has fined Standard Chartered £102.2m for poor financial crime controls.
The bank had to set aside $900m further to cover US and UK probes into US sanctions violations and currency trading issues, effectively wiping out its profits for the last half of 2018.
10. Google fined €50m for GDPR infringements
Let's start with the big news of the month. On 21 January 2019, Commission Nationale de l'Informatique et des libertés (CNIL), France's data protection regulatory authority, fined Google a record fifty million (50,000,000) euros - the largest and most high-profile fine for violation of the General Data Protection Regulation (GDPR).
Although the size of this fine is eye-catching, what was more interesting for us is what exactly it is for and what can other companies learn from this for their own GDPR compliance.
The fine was purportedly for Google's lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation. The CNIL pointed out three key breaches:
a. Breach of the Right to be informed
The GDPR specifies eight individual rights, of which the first is the data subjects' right to be informed about the essential details of the data processing.
The CNIL noted that Google had dispersed essential information, such as the categories of personal data, the purpose of the processing, and the data storage periods for data used for ads personalisation across several web pages such that a user would have to click around several links to be able to get all the information. On this basis, CNIL concluded that the information was not easily accessible.
b. Lack of transparency
The first of the six principles of the GDPR is Lawfulness, Fairness and Transparency. Companies need to be clear, open, and honest with people about how they will use their personal data.
But the CNIL found that the information Google provided was not always clear or comprehensive, making it difficult or impossible for users to understand the content.
c. Invalid consent
Under the GDPR, Consent, if chosen as a lawful basis, must be 'informed', 'freely given, 'unambiguous', and 'specific'.
Google states that it relies on consent as the lawful basis for ads personalisation, but the consent it had obtained was neither "specific" nor "unambiguous", nor was it sufficiently 'informed'. For instance, the "I agree with Google's terms of service" tick-box was presented to users ahead of boxes with more detailed options.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!