This month's key compliance news including data breach costs, record Amazon fine, Pfizer illegal pricing, climate legislation, Afghan sanctions and more.
Our pick of key compliance stories this month
- UK first of G7 to effect climate change legislation
- Pfizer & Flynn accused of price hike on critical anti-epilepsy drug
- Companies to pay back £2.5m over bribery offences
- Foreign Secretary: UK may impose Afghan sanctions
- FCA imposes £1.2m financial penalty on director
- IBM: Data breaches cost companies £3m per incident
- Record £637m fine for Amazon breaching EU GDPR
UK first of G7 to effect climate change legislation
The UK is set to become the first G7 country to bring climate change legislation into effect. The UK Government expects to proceed with the recommendations of the Taskforce on Climate-related Financial Disclosure (TCFD) across the financial sector over the coming months. The UK Minister for Pensions and Financial Inclusion explained that:
"Trustees of pension schemes [will be] statutorily required to consider, assess and report on the financial risks of climate change within their portfolios. By October 2022, we will have captured more than 70% of assets under management and over 80% of members."
While the legislation will be debated in UK Parliament in the coming months, the TCFD has established recommendations supported by over 1,440 organisations and representing a market capitalisation of over $12.6 trillion.
- Firms will need to assess whether the TCFD regulatory procedures apply to their business once they are legislated.
- As the consequences of climate change become more apparent, industries will need to implement robust policies to safeguard their business models and client interests.
Pfizer & Flynn accused of price hike on critical anti-epilepsy drug
The Competition and Markets Authority (CMA) has accused pharmaceutical firms Pfizer and Flynn of illegal pricing. The dispute has been ongoing since 2012, when it came to light that the drug in question, known as Epanutin until September 2012, had been de-branded. De-branding this critical anti-epilepsy drug placed it outside the scope of pricing legislation, which meant the two firms could drastically increase the drug's price overnight.
This apparent abuse of a dominant market position led to a price hike that cost the NHS tens of millions of pounds over the years. In December 2016, the CMA fined the two firms for breaking competition law by charging unfair, high prices. An appeal by Flynn was not approved, and the CMA re-opened investigations in June 2020. The case is now pending a response from the two pharmaceutical companies, which the CMA will consider before deciding whether they breached the law.
Companies to pay back £2.5m over bribery offences
The Serious Fraud Office (SFO) has issued a £2.5m penalty and a two-year Deferred Prosecution Agreement (DPA) to two companies over bribery cases involving multi-million UK contracts. The Director of the SFO noted that the companies in question used rolling bribes to win contracts unfairly and that their actions "undermined the fundamental principles of fairness and the rule of law."
An NDA is in place, meaning that the companies in question were not named.
The DPAs require the firms' parent companies to establish a comprehensive compliance programme and healthy conduct culture at the workplace. They are also obliged to report to the SFO on compliance matters at frequent intervals throughout the DPA term. If the companies do not follow through on these requirements, the SFO will prosecute.
- Never give or accept cash or in-kind gifts above the allowed thresholds from business partners.
- Look out for any red flags that might indicate bribery or improper behaviour in your company.
- Report any knowledge or suspicion of active bribery via your company's whistleblowing channels.
Foreign Secretary: UK may impose Afghan sanctions
In light of the Taliban's takeover of Afghanistan's capital city, Kabul, the British Foreign Secretary implied the UK might impose sanctions on Afghanistan. He also stated that putting a stop to Official Development Assistance (ODA) was also an option, depending on the political situation that unfolds over the coming days and weeks.
World leaders are waiting to see what type of reform and government the Taliban will form. The US has frozen billions of dollars of government reserves held in US bank accounts and institutions as a precautionary measure in a bid to limit the Taliban's access to cash. This cut-off is the first of what could potentially be many financial restrictions on Afghan accounts and businesses.
FCA imposes £1.2m financial penalty on director
The Financial Conduct Authority (FCA) has fined the Director of Retirement and Pension Planning Services Limited, currently in liquidation, over £1.2m for incompetence and breaching the SMCR rules.
Geoffrey Edward Armin advised over 400 customers on transferring their defined-benefit pensions into alternative pension arrangements. He carried out the transfers without due consideration of his clients' financial situations, their expected income requirements throughout their retirement, or whether the plan was best suited to their needs. He also failed to disclose crucial information throughout the advice process, to his clients' detriment.
The Director also received significant remuneration for each transfer, suggesting that it was in his best interests to proceed with the recommendation and transactions, even if it did not benefit his clients. In addition to the fine, the FCA has barred him from taking up any senior management or advisory function in relation to all regulated activities in the financial industry.
IBM: Data breaches cost companies £3m per incident
The shift to online and remote working has resulted in the costliest year on record for data breach incidents. An IBM report found that the 500 companies surveyed paid an average of £3m each to cover costs related to data breach damages.
The study found that stolen user credentials were the most significant cause of breaches. Once acquired, the information could then be used to access systems with customer or company data, escalating the severity of the breach.
Businesses that invested in secure systems and platforms, such as using a hybrid cloud for data storage, were less susceptible to breaches. However, behavioural policies also made a key difference. These include adopting a zero-trust approach and enforcing a 'need to know' basis with all data types.
- Safeguard data when working remotely - never connect to unsecured networks, and only use devices that your company has approved.
- Take extra care to prevent personal information from being compromised - for example, be alert to phishing emails or unusual activity on your computer that suggests that it may be infected by malware.
- Be vigilant against cybercrime - including hacking, identity theft or fraud attempts at your company - and escalate any suspicions that you might have.
Record £637m fine for Amazon breaching EU GDPR
EU-appointed regulator CNPD has fined Amazon over £637m for breaching EU Data Protection rules. Amazon is expected to appeal the case. If the fine is upheld, it would be the largest penalty ever charged relating to the breach of data protection rules.
Since the EU General Data Protection Regulation (GDPR) came into effect in May 2018, companies may be fined as much as 4% of their annual turnover. To date, the largest GDPR breach fine ever assigned was £42m, issued to Google in 2019.
Analysts have noted how Amazon's approach to data collection opens it to GDPR non-compliance. In particular, the EU Commission noted potential regulatory problems with voice assistants, including Amazon's 'Alexa'. The nature of the data collected from these devices includes user details, behaviours and other types of special category data - which must only be collected and stored in specific situations.
- UK GDPR rules are almost identical to those of the EU - the fact that regulators are taking a hard-line stance against companies who breach GDPR rules means you should be aware of how data protection rules apply to your industry and company.
- Data breaches may be accidental or deliberate - regardless of their nature, they must be reported or escalated to your compliance team to take remedial action.
- Never collect special category data, or use data for different purposes, without first checking with your Data Protection Officer.
Looking for more compliance insights?
If you'd like to stay up to date with best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, subscribe to Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also track the biggest compliance fines, explaining what drives them and how to avoid them.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!