We've examined the top 10 compliance news stories in 2020, from major data breaches and discrimination awards to billion-dollar fines.
Our pick of the top 10 compliance stories in 2020
- Google $150m anti-competitive behaviour fine
- Airbus pays €3.6bn to settle bribery case
- Apple fined €1.1bn over French sales
- Marriott data breach affects 5.2m guests
- Aerospace engineer's £175k discrimination award
- BlueCrest $170m settlement over SEC claims
- Amazon $135k US sanction breach fine
- BooHoo modern slavery claim sees stock plummet
- Morgan Stanley $60m data centre oversight payment
- Deutsche Bank fined €13.5m in Danske probe
Don't forget to read our summary of key compliance fines in 2020 too!
Google $150m anti-competitive behaviour fine
In January 2020, the French competition watchdog fined Google $150m for abusing its dominant position in the online search advertising market.
It criticised the tech giant for its "brutal and unjustified" suspension of accounts, "opaque and difficult to understand operating rules" relating to Google Ads and for applying them in "an unfair and random manner" after complaints by firms that had their accounts suspended without warning.
Google planned to appeal, insisting that "People expect to be protected from exploitative and abusive ads, and this is what our advertising policies are for".
But, while agreeing that customer protection is "perfectly legitimate", the watchdog cautioned, "Google cannot suspend the account of an advertiser on the grounds that it would offer services that it considers contrary to the interests of the consumer while agreeing to reference and accompany on its advertising platform sites that sell similar services".
Google previously received a €1.5bn EU competition fine in March 2019.
Airbus pays €3.6bn to settle bribery case
In February 2020, Airbus confirmed it would pay €3.6bn to settle a long-running investigation by French, UK and US authorities into bribery and corruption. This case was unprecedented in its scale and chutzpah. It is also controversial that Airbus was let off with a DPA.
In 2012, a whistleblower alleged that Airbus's GPT subsidiary used gifts and bribes of over £14m to secure a contract to upgrade military communications in Saudi Arabia. In 2017, the French-based planemaker was also investigated over its use of middlemen and third-party consultants to secure airline sales. The subsidiary at the centre of the allegations has ceased trading.
- The case shines a spotlight on section 7 of the UKBA - Headquartered in France, registered in the Netherlands, Airbus admitted bribery and corruption outside of the UK and its "failure to put in place appropriate measures to prevent bribery". Would your own company meet the threshold? What control do you have over overseas subsidiaries? Do they get the same training as workers onshore?
- Conduct proportionate due diligence - What due diligence checks do you make on consultants, intermediaries and third parties? Are they adequate?
- Train employees to spot red flags - For example, gifts, hospitality, expenses, donations, etc.? A consultant with no proven track record in the industry? Payments being made via a company registered in Brunei? The signs were all there once the authorities started looking. Or, as someone close to the investigation put it, "It's not sophisticated once found. It was in plain sight". (see next point)
- Don't try to bypass the rules - In this case, Airbus organised 30-minute marketing or business presentations before hitting the golf course to get around hospitality rules.
- When you're in a hole, stop digging - Internal emails reveal the inner conflict employees faced in coming clean, "We know the truth I suspect but is that what we are intending to inform UKEF?”. It shouldn't be difficult to do the right thing.
- Compliance matters and needs to be integrated fully in all business processes - It must not be seen as something that merely stands in the way of making a profit. Dodgy payments flagged by compliance were brushed aside. An internal audit of the subsidiary at the centre of the corruption found "significant breaches of compliance policies" and projects that "performed poorly". Take note.
- It's about deeds, not words - Airbus had compliance programs, policies, committees and astonishingly was even awarded a certificate for the design of its anti-bribery compliance program. But it was still not enough. Why? Was there a philosophy to get the business "at any cost"? Were senior managers setting a different example? It seems so.
- Ensure adequate oversight - Some committee members were involved in misconduct and concealed material facts about business partners' remuneration, beneficial owners, and the process by which intermediaries were found. Essentially, the unit was marking its own homework.
- "Tone from the top" matters- 63 of its top or senior management have left the company (31 were dismissed) in just five years. It looks like those good role models were in short supply.
Apple fined €1.1bn over French sales
In March 2020, the French antitrust regulator handed Apple a record €1.1bn fine for anti-competitive selling practices relating to its non-iPhone products in France.
France's Autorité de la Concurrence accused Apple of colluding with two wholesalers, Tech Data and Ingram Micro, effectively preventing competition for its Apple Mac computers and other non-iPhone products.
The investigation was prompted after a complaint by eBizcuss, an Apple premium reseller. Antitrust officials say Apple forced premium resellers to match prices on the Apple Store, and contracts restricted them to almost only selling Apple products despite the stock being withheld.
Apple planned to appeal. The two firms - Tech Data and Ingram Micro - were also fined €76.1m and €63m, respectively.
Marriott data breach affects 5.2m guests
In March 2020, Marriott International reported a second data breach that exposed the personal information of around 5.2 million guests.
In a statement, it said:
"At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."
The incident was reported on 31 March. Marriott appeared to play it down, explaining that the impact would not be materially significant due to its cyber insurance policy (savvy learners will immediately recognise the 4T model there, with the risk being transferred to an insurance company).
However, security experts were noticeably less confident, pointing out that NSA, CIA, FBI intelligence officials, and diplomats frequent Marriott hotels. This is the latest in a series of breaches targeting US officials.
Casey Ellis of Bugcrowd said, "This attack emphasizes the need for the hospitality industry to take security seriously. Hotels collect more private personal information than most enterprises (birthdays, passport numbers, email and mailing addresses, and phone numbers). Cybercriminals know what types of organizations collect troves of sensitive data, and given the amount of valuable information at hand, hospitality businesses can no longer afford to ignore their vulnerabilities."
Aerospace engineer's £175k discrimination award
In April 2020, aerospace engineer Peter Allen was awarded £175,000 for harassment and discrimination on the grounds of sexual orientation at work.
The Manchester Employment Tribunal upheld his claim of harassment and direct discrimination on the grounds of sexual orientation against Paradigm Precision and agreed he was victimised and faced detrimental treatment when he requested adoption leave. Allen had faced homophobic insults and was passed over for promotion after he enquired about adoption leave.
The tribunal awarded Allen £175,000, which included £24k for unfair dismissal, £26k for injury to feelings, £70k for loss of earnings and £18k for failing to follow ACAS Code of Practice on Disciplinary and Grievance Procedures.
- Don't tolerate unacceptable behaviour in your team - or dismiss it as banter, be vigilant, so you quickly identify policy breaches in verbal exchanges, emails, social media, etc.
- Keep equality laws "top of mind" - by holding regular discussions with your team about what is and is not acceptable.
- Train your team to be self-aware and call out unacceptable behaviour - empower your team to create psychological safety and a more respectful workplace for everyone
- Regularly check policies (e.g. adoption policies, etc.) and be sure to audit key decisions (e.g. training, promotion, recruitment) - to ensure they do not inadvertently disadvantage anyone with protected characteristics.
- Remember, it's not just a "nice to have" - research consistently shows that companies that value diversity are more productive and profitable.
BlueCrest $170m settlement over SEC claims
BlueCrest Capital Management Ltd. has agreed to a settlement to the tune of $170 million over allegations that it had been systematically misleading clients. The allegations relate to a fund that invested its traders' own money via an underperforming algorithm.
Back in its heyday, BlueCrest was among Europe's largest hedge-fund managers. However, the firm ceased managing money for outside clients in 2015 after a run of poor returns from its flagship macro fund and a sharp drop in assets. Yet, it carried on trading in its employees' own money.
According to SEC investigators, BlueCrest established the proprietary fund, BSMA Limited, back in 2011 before moving most of its best traders to work on it. Their work selecting assets for BlueCrest’s flagship fund was then replaced by an algorithm meant to replicate human decisions but ended up performing poorly.
Commenting on the case, SEC enforcement director Stephanie Avakian said, "BlueCrest repeatedly failed to act in the best interests of its investors, including by not disclosing that it was transferring its highest-performing traders to a fund that benefited its own personnel to the detriment of its fund investors."
Amazon $135k US sanction breach fine
The US Treasury Department has released a statement announcing that Amazon has agreed to pay a $134,523 fine over alleged sanctions violations. The charges in question relate to goods and services sent to Syria, Iran and Crimea between 2011 and 2018. All three of these countries are covered by Office of Foreign Assets Control (OFAC) sanctions.
This settlement is relatively insubstantial compared to Amazon's enormous market cap. However, the sales were for fairly low-level retail goods and services. In fact, the total amount of the goods and services which breached US sanctions only totalled just over $250,000 - peanuts for a firm like Amazon!
The Treasury Department does not believe that these sales were made with malicious intent, but that they relate to issues with Amazon's online systems, which failed to flag shipments to sanctioned countries. There seem to be several reasons why this occurred. One specific example involves the Amazon site failing to note when a sale was made to an Iranian embassy outside of Iran.
This event only highlights the importance of reforming sanctions infrastructure for cross-border transactions, which has scarcely changed since 1977. As of 2021, ISO 20022 is set to streamline cross-border payments, creating a flexible infrastructure to facilitate information exchange and aid in harmonizing the payments language between old and new technologies. The ultimate aim of ISO 20022 is to remove the barriers to sanctions compliance and get the global financial community on the same page.
- Be vigilant and proactive - don't just rely solely on automated screening software to flag up name or target matches.
- Keep up to date with any changes to global sanction lists and compliance technologies.
- Watch out for attempts to add, alter, delete or omit payment information in instruction lines to evade sanctions.
- Report any concerns, including actual or potential sanctions violations, to the relevant authorities immediately.
BooHoo modern slavery claim sees stock plummet
A damning report, released in July 2020, found that up to 10,000 people may be working in slave-like conditions in textile factories in Leicester.
Leicester MP Andrew Bridgen claimed that a "conspiracy of silence" permitted such factories to exploit people over many years and said that "you've got a systemic failure of all the protections in Leicester that would prevent this from happening."
The factories supply garments to several UK retailers, most notably Boohoo, which also owns Nasty Gal and Pretty Little Thing.
Despite the UK's minimum wage being set at £8.72 an hour for over 25's, an undercover reporter found employees paid a mere £3.50 per hour instead. Additionally, no protection was provided to workers to protect against Covid-19, putting their health at serious risk.
As a result of the modern slavery investigation, a staggering £2 billion was wiped off of Boohoo's value on the AIM market in London, reducing it to £2.7 billion - further hindering its chances of reaching its £7.55 billion target by 2023.
Boohoo faced a massive backlash, as retail giants including ASOS and Next both stopped stocking Boohoo garments in their shops in retaliation. Likewise, Very.co.uk and Zalando both temporarily suspended the sale of any items associated with Boohoo, as quite a few Instagram influencers cut ties with them.
- Conduct due diligence checks on all workers, agencies, suppliers and third parties before engagement - it's vital you know exactly whom you are dealing with.
- Raise awareness of modern slavery among suppliers and third parties - encourage them to sign up to your Code of Conduct and insist on clauses in their contracts.
- Ensure that you follow all legal requirements when setting employee wages - remember that the minimum wage varies by age in the UK.
- Ensure you provide all staff with adequate protection during health crises like Covid-19.
Morgan Stanley $60m data centre oversight payment
In October 2020, Morgan Stanley agreed to pay $60 million over claims that they failed to decommission data centres connected to their wealth-management operations correctly.
According to the Office of the Comptroller of the Currency (OCC), Morgan Stanley "failed to effectively assess or address risks associated with decommissioning its hardware".
This includes failing to keep tabs on client data contained within obsolete devices and the improper assessment of the risks posed by subcontractors.
"We have continuously monitored the situation, and we do not believe that any of our clients’ information has been accessed or misused," Morgan Stanley said in response.
"Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information."
Earlier in the same month, the firm announced its intention to expand its wealth-management operations through a $7 billion acquisition of Eaton Vance Corp. The Federal Reserve later approved them to acquire E*Trade Financial Corp in a deal that added a new retail customer base to its brokerage business.
Deutsche Bank fined €13.5m in Danske probe
In October 2020, Deutsche Bank AG was issued a €13.5m fine by Frankfurt prosecutors due to money-laundering violations connected with Danske Bank A/S. According to prosecutors, Deutsche Bank failed to alert authorities about suspicious transactions in a timely manner on more than 600 different occasions.
Deutsche Banks's case was directly connected to another scandal which saw over $200bn in suspicious payments pass through Danske Bank’s Estonian unit. It was revealed that most of this money was also routed through Deutsche Bank, which processed US dollar payments for the Estonian business at the time.
Commenting on the scandal, Deutsche Bank said that it had stopped being Danske Bank Estonia's so-called correspondence in 2015. According to Stefan Simon, a member of Deutsche Bank’s management board, "with the closure of these proceedings, it is clear that there was no evidence of criminal misconduct either on the part of Deutsche Bank or its employees."
Chris Vogelzang, Dankse Bank's CEO, has stated that they expected to wrap up their internal investigation into the matter by the end of 2020. Danske Bank was also looking to come to a global agreement with authorities to close the case.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!