Compliance News | August 2025 | Skillcast

Written by Lynne Callister | 28 Aug 2025

This month's key compliance news includes the Premier League ticketing scams, Birthlink's heart-breaking data breach, Shein's 'greenwashing' fine in Italy, Lidl's sexual harassment agreement, and more.

Our pick of compliance stories this month


Foul: Banks tackle ticketing scams after £2.5m is lost

It's been a quiet summer. For football fans, at least. Apart from THAT victory by the Lionesses in the Euros. But the wait is over.

As the new season kicks off, fans are being reminded to watch out for fraudsters.

At least 12,000 supporters have lost money to scammers over the last two years, according to a report by Lloyds Bank. Its own customers have lost around £500,000. When extrapolated nationwide and across other banks, the real figure is thought to be around £2.5 million.

  • Liverpool fans were most likely to be targeted, followed by supporters of Arsenal, Manchester United, Chelsea and Manchester City.
  • Most of the scams (76%) originate on social media, where fake listings offer discounted tickets for sold-out games.
  • Supporters are tricked into paying upfront to buy tickets that don't exist, and then the fraudster disappears.
  • Fans aged 25-34 were the most frequent victims of ticket scams (28% of cases), followed by the 18-24 age group (26%).

"We're pleased to join forces with Stop! Think Fraud ahead of the big kick-off to help raise awareness of ticket scams and ensure supporters know how to spot them. Social media is the main breeding ground for ticket scams and it's time these firms cracked down on the fraudsters lurking on their platforms. Consumers should feel empowered to shop safely online. The best way to avoid ticket scams is to buy directly from clubs or their official partners – and steer clear of deals that look too good to be true."
-Liz Ziegler, Fraud Prevention Director, Lloyds Bank

"Fraud is a ruthless crime that preys on our passions, our trust, and our excitement. As the nation gears up for the new football season, so too do fraudsters, waiting to take advantage of loyal fans searching for tickets. More than three quarters of football ticket scams last season started on social media, with what seem like genuine 'first come, first served' offers all too often designed to rip off desperate fans."
-Lord Hanson, the Minister for Fraud


The Premier League is introducing new rules from next season, requiring 70% of tickets to be digital. The move is designed to tackle touting and enhance security.

New measures under the Economic Crime and Corporate Transparency Act (ECCTA) are designed to tackle the increased sophistication of fraud head-on. The new corporate offence of "failure to prevent fraud" comes into force from 1 September 2025.

Under this regime, large UK companies can also be held criminally liable if an "associated person" (employee, agent, subsidiary, or similar) commits fraud to benefit the organisation unless we can demonstrate we have reasonable fraud prevention procedures in place.

Key takeaways:

  • Follow the six principles in the UK guidance
  • Assess fraud risks and the current threat, including by associated persons
  • Conduct due diligence - existing checks should be explicitly tailored to take into account the new "corporate failure to prevent fraud" offence
  • Review contracts - to ensure they include fraud prevention clauses and document vetting of third parties and associated persons
  • Manage the risks - by implementing a fraud prevention plan which is proportionate to the risks identified in the risk assessment
  • Communication - provide appropriate training so everyone understands their duties under our fraud prevention policies and good practice is embedded at all levels
  • Implement reporting mechanisms and a whistleblowing framework - and encourage your team to report concerns about fraud
  • Monitoring and review - have adequate oversight of associated persons and implement arrangements to investigate attempted fraud. It looks like we could all use a bit of VAR sometimes…

Birthlink charity fined £18k for destruction of irreplaceable personal records

The UK data watchdog has fined the adoption charity Birthlink £18,000 after around 4,800 personal records were destroyed, many of them irreplaceable, due to a lack of storage space.

In January 2021, Birthlink considered whether 'linked records' could be destroyed. These are records where people had been linked to the person they were looking for and included handwritten letters from parents, photographs and copies of birth certificates.

At a Board meeting, it was agreed that there were no barriers to the records destruction, provided only replaceable records were destroyed. But, in August 2023, as part of an audit, the Board discovered that irreplaceable items had also been destroyed.

The ICO said the charity had limited knowledge of its data protection obligations and lacked policies that could have prevented the destruction. Despite concerns being raised at the time about shredding personal photographs and cards, nothing was done to stop it. Poor record keeping also meant Birthlink was unable to notify those personally affected by the breach.

"Data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people's lives long after it occurs. The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person's history - some now lost for eternity."
-Sally Anne Poole, Head of Investigations, ICO

Last year, the ICO launched its Ripple Effect campaign, highlighting the far-reaching effects and human impact that data breaches have on people. It is urging all organisations to step up, do better and recognise the critical importance data protection has in protecting people's lives.

The charity has since implemented improvements, including digital record storage and staff training.


Italy's competition watchdog fines Shein €1m for greenwashing

Fast fashion is in the spotlight again.

The Italian Competition Authority (AGCM) has imposed a fine of €1 million on Infinite Styles Services Co. Ltd., the company responsible for managing Shein's product trading websites in Europe.

It accused the fast fashion brand of "misleading and/or deceptive environmental messages and claims (so-called green claims) in the promotion and sale of Shein-branded clothing products".

The competition watchdog said that, through its website https://it.shein.com and other promotion and informational online pages, the company shared environmental claims within the sections #SHEINTHEKNOW, evoluSHEIN, and Social Responsibility.

These were considered, "in some instances, vague, generic, and/or overly emphatic, and in others, misleading or omissive", said the AGCM.

  • Its environmental claims on the "design of a circular system" or the recyclability of products in the #SHEINTHEKNOW section were "either false or at least confusing".
  • Claims presenting, describing and promoting garments in the evoluSHEIN by Design line highlighted the use of "green" fibres, "without clarifying that this line remains a marginal share of the total Shein-branded offering".
  • Such claims may cause consumers to not only believe that the evoluSHEIN by Design collection is made using "sustainable" materials, but that all its products are fully recyclable - something which is not true, given the fibres used and its current recycling system.

The regulator said Shein's intentions to cut greenhouse gas emissions by 25% and achieve zero emissions by 2050, in the Social Responsibility section, were vague and generic - and, in fact, there was an increase in Shein's greenhouse gas emissions in 2023 and 2024.

The Authority said that Shein's conduct was unfair and said that the firm had:

"a heightened duty of care, given the sector it belongs to and the business practices through which it operates, such as the so-called 'disposable fashion' (fast and ultra-fast fashion) are highly polluting."
-AGCM

On LinkedIn, Shein's new Global Head of Sustainability said:

"As one of the world's largest fashion and retail platforms, and a pioneer in on-demand fashion, SHEIN represents a disruptive model with the potential to drive sustainability at an unparalleled scale."
-Mustan Lalani, Shein's Global Head of Sustainability

Separately, in June, the French Senate approved plans to regulate ultra-fast fashion and mitigate the environmental and social consequences. This includes:

  • The introduction of an environmental surcharge of €5 in 2025 (rising to €10 by 2030)
  • Ad and influencer bans, to limit overconsumption by young people
  • Mandatory eco-disclosures, forcing retailers to state the carbon, resource and recyclability data for each item, with penalties of up to 50% of the item price if they don't.

Lidl enters legal agreement with EHRC to prevent sexual harassment

Supermarket chain Lidl has signed a legal undertaking with the Equality and Human Rights Commission (EHRC) to prevent sexual harassment in the workplace.

The agreement was reached after an employment tribunal found that Lidl GB had failed to take all reasonable steps to prevent the sexual harassment of a young female employee between 2019 and 2021, and criticised the way Lidl dealt with the case.

Ms Hunter, who was a teenager at the time, brought the claim following comments by a deputy manager.

Deputy manager Mr Harding initiated frequent conversations about Hunter's sex life, saying that he wanted to sleep with her, that she would "look good" in a pair of knickers being sold in the store and she was "distracting" in her uniform.

When another colleague on the next till made regular sexual advances, Hunter complained. But the store manager told her "she should take [the comments] as a compliment".

Hunter complained verbally and requested a transfer to a store with a female manager, but this was ignored. The tribunal said her concerns should have indicated there were problems with the store's culture.

The tribunal also found that managers at the store where Hunter worked were unaware of Lidl's anti-harassment policy and employees had to submit complaints before any action was taken. Hunter was awarded £50k in damages.

Since then, the Worker Protection Act has been introduced, meaning employers have a proactive duty and can be held liable if they fail to take reasonable steps to prevent sexual harassment.

Lidl GB has improved its protections following the tribunal judgment by providing additional training to the managers involved, and will roll out extra training across the business.

Other measures have been agreed in consultation with the EHRC. By signing the agreement, Lidl GB will:

  • Complete a sexual harassment risk assessment
  • Run a survey relating to sexual harassment within the business and consider if additional steps are needed
  • Develop a system to monitor and analyse informal complaints of sexual harassment to identify ongoing risks
  • Monitor the effectiveness of complaint handling for new complaints of sexual harassment
  • Review a sample of complaints from 2023 and 2024 to identify trends and risks
  • Monitor and review its sexual harassment risk assessment
  • Review its existing policies and training, including its relationships at work guidance.

"Every employer has a legal duty to prevent sexual harassment and they must be able to prove they've taken reasonable steps to do so. Sexual harassment is never acceptable in the workplace. All employers should take note of what the law requires of them under the preventative duty. We will continue to use our unique powers as Britain's equality regulator to ensure everyone can work without fear of sexual harassment."
-Baroness Kishwer Falkner, EHRC

"No person should be subject to harassment in the workplace, so providing our colleagues with a safe and respectful environment is an absolute priority for us. That's why we have robust policies and procedures in place, which we've taken steps to further strengthen over the past few years. We continually look for opportunities to drive improvements to our processes and ways of working and, therefore, value the opportunity to work voluntarily with the EHRC, to see where we could define actions that will further support our values and colleague experience."
-Lidl spokesperson


ShinyHunters: Financial services sector warned it could be next

The financial services sector is looking increasingly like the next target of the ShinyHunters hacking group, according to security experts.

The warning follows a series of recent high-profile data breaches targeting Salesforce customers, including LVMH, Chanel, Adidas, Workday, and Air France-KLM. Victims are targeted with vishing (voice phishing) calls to obtain login credentials, and duped into installing malware that gives the attackers unauthorised access.

ReliaQuest's analysis of 700 newly-registered phishing domain names indicates a shift in targets, according to InfoSecurity magazine.

"Since July 2025, domain registrations targeting financial companies have increased by 12%. This shift suggests that financially motivated groups like ShinyHunters are now prioritizing banks, insurance companies and financial services, though technology and professional services remain at high risk due to the value of the data and access they provide."

ReliaQuest is urging security teams to focus on tactics, techniques and procedures (TTPs) to avoid becoming the next victim.

"For security leaders, understanding this fluid and persistent threat landscape is critical to anticipating future attacks and making informed decisions about security strategy and resource allocation."

This news will add to the growing concerns about the security and resilience of cloud-based systems across the financial services sector.

41% of off-channel breaches are by senior bankers, FCA finds

What happened to "tone from the top" and "role-modelling the right behaviour"?

The Financial Conduct Authority's latest multi-firm review into off-channel communications breaches - in other words, those that take place outside of monitored or recorded channels permitted by the firm - has a few surprises.

The survey, which included 11 wholesale banks, found 178 breaches of internal policies involving the use of unmonitored channels, such as WhatsApp and Signal, over the last 12 months. Worryingly, over 41% of those breaches involved senior staff (director level and above).

Rather than setting a good example, some senior staff appear to be engaging in the sorts of conduct they are supposed to prevent.

Internal policy breaches aren't necessarily the same as a breach of SYSC 10A but the findings should still concern firms.

Although the FCA has (so far) resisted doling out some of the eye-watering fines that we've seen across Wall Street banks, the message is unequivocal. Record-keeping and monitoring of communications are essential to detect misconduct. It can also protect firms in client disputes and litigation.

Besides the typical controls we've seen in the past - such as banning personal devices or issuing "brightly coloured devices" to traders for easy identification - the FCA found that firms are now also:

  • Updating policies to include new technologies like smart watches
  • Enabling employees to submit self-disclosed off-channel messages
  • Prohibiting personal numbers in out-of-office replies and directories
  • Integrating common queries and expectations into training to encourage self-reporting.

"When we do a separate investigation, we seize phones and we look through these things clearly, if we find off channel communications that matter and are designed to evade surveillance, there's a much bigger problem with serious integrity consequences."

"We need to recognise that with the most nefarious conversations, people will be actively seeking to avoid those sorts of channels and may be savvy to the source of monitoring that's taking place. So there's no room for complacency."
-Simon Walls, FCA's Executive Director of Markets

Key takeaways:

  • Train your team - so all employees (including senior staff) are clear about our obligations to record all relevant communications
  • Get the "tone from the top" right - ensure senior managers role-model the right behaviour
  • Foster a speak-up culture - and encourage your team to self-disclose breaches of SYSC 10A
  • Encourage compliance and resilience - by providing multiple authorised communication channels and remember to implement contingency plans to record communications if the main systems are down
  • Arrange adequate monitoring and supervision of third-party vendors - to check performance and reliability
  • Collect and share relevant Management Information - on surveillance, breach tracking, device monitoring, third-party vendor KPIs. In global firms, ensure UK-based senior managers have oversight of surveillance and results
  • Impose stricter penalties for serious breaches, especially for those in Senior Management Functions (SMF) - such as capping bonuses, time-bound promotion restrictions, and dismissal with formal notes in professional references
  • Improve training - use role-playing and scenarios, incorporating real examples from surveillance to make the training more effective

Hospitality and leisure businesses face a spike in tribunal claims

Hospitality and leisure (HAL) businesses are facing a spike in employment tribunal claims, according to recent research.

According to the report, The Birketts View: Employment Tribunals in the Hospitality and Leisure Sector Impact Report 2025, this is driven by high staff turnover, casual working arrangements, and challenges in managing grievances.

The hospitality sector received 44.53 tribunal claims over the last two years, which is 12% higher than other sectors.

Here are some of the key findings:

  • The most common claims against HAL businesses were harassment related to a protected characteristic (15%).
  • There were fewer claims for unfair dismissal, due to short-term contracts and seasonal work. But, Birketts anticipates a surge in claims when the new 'day-one' rights kick in, giving employees the right to claim unfair dismissal regardless of length of service.
  • There were fewer grievances, but a high proportion of these led to tribunal claims, indicating that internal processes did not resolve issues fully.
  • Discrimination was the most common type of grievance (24.2%), followed by pay, workload, and relationships with managers.
  • The most common disciplinary issue leading to dismissal was also discrimination (17%).

"The hospitality and leisure sector is particularly vulnerable to employment claims due to its reliance on casual and seasonal staff. The introduction of 'day one' rights under the Employment Rights Bill will likely increase the volume of claims, especially in areas like harassment and discrimination."

"Employers must act now to strengthen their internal processes, provide robust training to line managers, and ensure grievances are handled effectively. Failure to do so could result in costly and time-consuming tribunal proceedings."
-Catherine Johnson, Birketts

Ten workers received 12-month community orders and were ordered to carry out community work.

Key takeaways:

  • Raise awareness of our policies and Code of Conduct - so everyone is clear about our standards and expectations
  • Provide training - to ensure your team can identify unwanted conduct or behaviours that may constitute harassment, discrimination and victimisation and help us prevent or reduce claims
  • Encourage employees to speak up early if they have concerns - eg by encouraging psychological safety and providing a variety of whistleblowing channels
  • Get ready to comply with new regulations - such as our new legal duty to prevent sexual harassment at work under the Worker Protection Act and the new 'day-one' rights under the Employment Rights Bill
  • Train your managers to ensure all grievances and disciplinary procedures comply with the ACAS Code - if you don't, any award may be increased by up to 25%.

High stakes: ProgressPlay fined (again) for AML and social responsibility failings

The UK's Gambling Commission has fined ProgressPlay £1m for a series of anti-money laundering and social responsibility failings.

Among its AML failings, ProgressPlay failed to:

  • Conduct appropriate Money Laundering and Terrorist Financing (MLTF) risk assessments or implement appropriate controls to reduce the risks
  • Assess the risks associated with its business and take a risk-based approach
  • Scrutinise transactions throughout customer relationships - including verifying the Source of Funds (SoF), to ensure transactions were consistent with the casino's knowledge of the customer, their business activities and risk profile.

Its social responsibilities failings included:

  • Not putting adequate systems and processes in place to monitor customer activity from account opening, so that gambling-related harm could be identified early and appropriate interventions made
  • Not adequately addressing elements of the Remote Customer Interaction section of the Licence Conditions and Codes of Practice
  • Not implementing adequate processes to understand the impact of interactions and actions on a customer's behaviour, the continued risk of potential harm and what other action is required.

It's the second time that ProgressPlay has faced similar action. It was fined £175,718 for similar offences in 2022.

"Operators should be in no doubt: repeated regulatory breaches will result in increasingly severe enforcement action. We urge all operators to examine the failings identified in this case and take proactive steps to strengthen their own systems and controls."
-John Pierce, UK Gambling Commission

The gambling firm - which runs 134 websites - will need to undergo an independent third-party audit once its licence has been reviewed.

PRA issues 'first of its kind' fine to reinsurer

The UK's Prudential Regulation Authority (PRA) has fined Barents Reinsurance SA £1.8m for failings in its controls, governance and reporting. It's the first time the PRA has imposed a fine on a firm operating wholly as a reinsurer.

The Luxembourg-based reinsurer has operated in the UK since 2017 under the EU's Passporting arrangements, entering the PRA's Temporary Permission Regime (TPR) in December 2020 following the Brexit transition period.

When the TPR commenced, all parts of the Fundamental Rules and Third Country Branch Rules applied. Firms were reminded of their obligations by the PRA at that time to confirm they were operationally ready and understood expectations.

However, between July 2021 and October 2023, Barents failed to:

  • Submit required regulatory reports for more than a year from April 2022 to April 2023
  • Organise and control its affairs responsibly and effectively, because it did not adequately prepare for the regulatory impact of the UK's exit from the EU or implement Internal Audit recommendations in a timely manner
  • Implement a system of governance proportionate to its operations
  • Have a business continuity plan taking into account its UK business, with appropriate systems and controls in place to fulfil its reporting requirements.

The PRA found that Barents had breached Fundamental Rule 6, along with Rules 2.1 and 2.5 (Reporting) and Rules 2.3 and 2.6 of the PRA Handbook.

"The PRA welcomes international participation in the UK insurance (including reinsurance) market, subject to safeguards to ensure that this is accompanied by financial and operational resilience. The PRA terms this 'responsible openness'."

"Third country branches operating in the UK should therefore ensure that they fully engage and comply with the UK regulatory framework."
-Shoib Khan, Prudential Regulation Authority

Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.