Compliance News | Dec 2021

Posted by

David Mangion

on 16 Dec 2021

This month's key compliance news includes a NatWest AML fine, an NHS trust data breach, possible EU sanctions against Russia, and more.

Compliance News December

Our pick of key compliance stories this month

NatWest fined £264.8m for AML failures

National Westminster Bank Plc (NatWest) has received a huge £264.8m fine after being convicted for three separate offences relating to anti-money laundering failures. This fine marks the FCA's first criminal charges against a firm for AML failures.

According to the sentencing judge, Mrs Justice Cockerill, "although in no way complicit in the money laundering which took place, the Bank was functionally vital. Without the Bank – and the Bank's failures - the money could not be effectively laundered."

Between November 8th, 2012, and June 23rd, 2016, NatWest failed to adequately monitor the activity of a commercial customer, Fowler Oldfield, a jewellery firm in Bradford. NatWest initially assumed it would not handle cash from the Fowler Oldfield firm when it took on the account. However, around £365 million was placed with the Bank throughout the customer relationship, with around £264 million in cash.

Some of the Bank's workers in charge of handling these cash deposits reported their suspicions to the Bank's money-laundering investigators, but they took no action. The reported red flags included depositing large amounts of Scottish banknotes around England, suspicious behaviour when individuals were depositing cash at NatWest branches, and deposits of notes with a strong, musty odour.

Furthermore, the Bank's automatic transaction monitoring system misidentified some cash deposits as cheques. Because cheques carry a lower risk of money laundering than cash, the Bank's monitoring of many cash depositors, including Fowler Oldfield, was severely lacking.

Key takeaways:

  • Conduct initial and ongoing customer due diligence using a risk-based approach
  • Look out for anything suspicious, paying particular attention to high-risk customers and jurisdictions
  • Report any knowledge or suspicion of money laundering or terrorist financing immediately
  • Exercise extreme care to avoid tipping off anyone who has been reported for money laundering or terrorist financing
    Free 6AMLD Training Presentation

Westpac to pay $113m for treating customers poorly

Australian banking giant, Westpac, has admitted to breaking the law and is to pay out over $113m (£85.3m). The Australian Securities and Investments Commission (ASIC) brought forward six lawsuits relating to the Bank's poor treatment of its customers and an overall "poor compliance culture".

Over and above this penalty, Westpac will also be required to pay out $80m (£60.5m) to affected customers in remediation. According to ASIC's finding, tens of thousands of customers were improperly charged tens of millions of dollars due to Westpac's malpractice.

The accusations against Westpac include charging more than $10 million in fees to more than 11,000 dead people and charging 7,000 people for two insurance policies over the same property. Furthermore, Westpac allegedly collected $12 million in illegal commissions from 8,000 people and failed to properly disclose $7 million in fees charged to 25,000 customers. Finally, the company is accused of keeping 21,000 accounts open for companies that no longer exist and on-selling debts to collectors at rates higher than it was allowed to charge.

ASIC's commissioner, Sarah Court, said, "the conduct and breaches alleged in these proceedings caused widespread consumer harm and ranged across Westpac's everyday banking, financial advice, superannuation and insurance businesses. A common aspect across these matters has been poor systems, processes, and governance, which suggests an overall poor compliance culture within Westpac at the relevant time. Westpac must urgently improve its systems and culture to ensure these systemic failures do not continue."

Key takeaways:

  • Always give customers the confidence that fair treatment is central to your corporate culture
  • Ensure that products and services perform at the level that customers expect
  • Ensure you provide consumers with clear information before, during and after the point of sale
  • Eliminate unreasonable post-sale barriers for customers
  • Ensure that any advice you give is suitable and takes account of customers' circumstances

Free Compliance Culture eBook

NHS trust says sorry for Covid-19 trial data breach

An NHS Trust, the Midlands Partnership NHS Trust, has been involved in a data breach that exposed several people's email addresses taking part in a Covid-19 vaccine trial.

The breach in question occurred when the trust sent an email to many participants using the 'carbon copy' - or cc - field instead of a 'blind carbon copy' to anonymise the recipients.

The Stafford-based trust said it reviewed the event and determined human error was the cause. The Information Commissioner's Office, which oversees data privacy, has been notified of the situation (ICO).

The trust attempted to recall the email but conceded in a message to recipients that it couldn't be certain no one had opened it. Their team's working style has been altered, and a manager has received further training.

According to a representative, the NHS trust sincerely apologised for the error, and the ICO accepted the actions they made. After evaluating the trust's information, the ICO said it gave them data protection advice and concluded the investigation with no further action.

Key takeaways:

  • Don't share personal data with third parties without checking that there's a valid 'need to know' and a data processing agreement in place
  • Don't conceal or cover up data losses or breaches - report mistakes and violations promptly so that you can limit the damage to everyone involved.
  • Protect personal data to ensure appropriate security and safeguard it against unauthorised or unlawful processing, accidental loss, destruction or damage
  • Implement robust procedures to ensure that personal data is kept accurate and retained for the correct amount of time
    Free GDPR Personal Data Awareness Poster

Russia face "unprecedented" sanctions from the EU

The EU is prepared to upscale its sanctions and take "unprecedented measures" against Russia if it shows more aggression towards Ukraine, according to European Commission President Ursula von der Leyen.

Speaking in the European Parliament, von der Leyen said the EU had worked together with the US to develop new options going beyond existing sanctions targeting Russia's financial and energy sectors, defence and dual-use goods.

"Our response to any further aggression may take the form of a robust scaling-up and expansion of these existing sanctions regimes," she told EU lawmakers.

"And, of course, we are ready to take additional, unprecedented measures with serious consequences for Russia."

Key takeaways:

  • Keep your knowledge of changes to country sanctions current as new sanctions can appear at any time
  • Don't rely solely on sanctions screening conducted by another company or department
  • Be vigilant and proactive - don't just rely on automated screening software to flag up name or target matches
  • Never encourage, help or advise clients to bypass sanctions screening
  • Report any concerns, including actual or potential sanctions violations, immediately

Free Sanctions Training Presentation

The Norwegian DPA fined Grindr LLC €6.3m

The dating app, Grindor, has been on the receiving end of a fine of €6.3 (£5.3m) for illegally sharing users' data with third parties for marketing purposes.  This data includes GPS location, IP address, cell phone advertising ID, age and gender. 

The Norwegian Data Protection Agency (DPA) found a lack of clear information provided to the user since users are required to accept the privacy policy to be able to use the app but not explicitly asked to approve the use of their data.

"Our conclusion is that Grindr has disclosed user data to third parties for behavioural advertisement without a legal basis," said Tobias Judin, head of the Norwegian Data Protection Authority's (DPA) international department.

This GDPR violation is considered a huge infringement since personal data contains sensitive information such as sexual orientation. The fine amount reflects the severity of the violation since it is the largest one issued by the DPA to date.

Key takeaways: 

  • Provide users with clarity - explicitly ask users whether they consent to the use of their data
  • Make sure information is easily accessible - provide users with a way to view details on the disclosure of personal data
  • Be aware of the special categories of personal data - this type of data is subject to a particularly high level of protection

GDPR Hero Compliance Course

Purplebricks to pay up to £9m over lettings mistakes

Purplebricks, a popular online estate agency, will be required to set aside up to £9m after discovering that its lettings business had breached laws protecting tenants' deposits.

The firm said that it intended to delay the publication of its results for six months to October 31st to uncover how much the mistake would cost them. In response to Purplebricks' admission, their share price fell by 20% to a new all-time low of 25p.

Purplebricks described the issue as a "process issue in how it has been communicating with tenants on behalf of its landlords concerning deposit registrations" in a statement to the stock market.

Purplebricks, which is on the Alternative Investment Market in London, said on Monday that it needed to cover "possible future claims that may emerge under the Housing Act in regard to this regulatory process issue."

Landlords have 30 days under the Housing Act to educate their tenants about how their deposits are secured under government-backed initiatives. A court could force a landlord to pay tenants up to three times the initial sum if the landlord does not adequately protect the deposit.

The government implemented deposit protection systems in 2007 to prevent shady landlords from withholding renters' deposits, which can be worth a month's rent or more.

Key takeaways:

  • Be aware that any compliance failure can have a major impact on share prices
  • Ensure that tenants are fully aware of how their deposits are protected
  • Also, make sure that landlords are aware of their responsibilities under the Housing Act

Compliance Culture eBook

Want to learn more about compliance?

Our comprehensive compliance roadmaps help you navigate compliance. We also have searchable compliance glossaries for those new to the topic, and we regularly report on key compliance fines.

If you'd like to stay up to date with compliance best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.

For a one-stop compliance training solution, try our best-selling Compliance Essentials Course Library and award-winning LMS.

Last but not least, we have 80+ free compliance training aids, including best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations, webinars and even e-learning modules!

If you've any questions or concerns about compliance or e-learning, please get in touch.

We are happy to help!

Compliance Essentials

Compliance Essentials Library is our best-selling comprehensive corporate training solution.

100+ e-learning and microlearning courses that help companies from SMEs to multinationals achieve compliance success.

Start a Free Trial