Our pick of key compliance stories this month
- Russian cybercriminals face sanctions in a coordinated action
- Ex-Samsung employees jailed after chip secrets leak
- Sexual exploitation uncovered on tea plantations
- Amigo censured but avoids £73m fine
- McDonald’s pledges action with equality watchdog
- Fake ‘psychiatrist’ nets £1m
- Repeat offender ITG fined £6.1m for failings
- Fund managers get 12 years for $8.45m fraud
- Revolut warning over SMS scam
- HSBC’s divestment costs $300m
Russian cybercriminals face sanctions
Seven Russian nationals have been sanctioned for their involvement in ransomware attacks. The UK's Foreign Office – in partnership with the US – has frozen their assets and imposed travel bans on the men, who are suspected members of the hacking group Trickbot.
An estimated £27m in ransoms has been extorted from 149 UK victims and businesses. Conti and Ryuk ransomware strains were behind recent attacks on hospitals, schools, businesses, and local authorities (including the Scottish Environment Protection Agency).
Ransomware is classed as a tier-one national security threat by the UK government. In 2021 alone, the group behind Conti extorted $180 million in ransomware payments, according to Chainalysis.
“This is a hugely significant moment for the UK and our collaborative efforts with the US to disrupt international cyber criminals. The sanctions are the first of their kind for the UK and signal the continuing campaign targeting those responsible for some of the most sophisticated and damaging ransomware that has impacted the UK and our allies.”
- Train your team to recognise the signs and methods used by cybercriminals - arrange targeted training based on the specific risks they face
- Be clear about the threat - who exactly may target you and why? What is vulnerable?
- Encourage your team to speak up if they make a mistake - this enables prompt action to be taken
- Develop a cyber response strategy - identify key personnel, specialist expertise, set out the key steps, liaise with the data protection supervisory authorities (remember, a report must be made within 72 hours if personal data is involved), handle media enquiries, restore business-as-usual, etc
- Benchmark your progress using recognised frameworks - such as NIST Cybersecurity Framework, ISO 27001/2, NCSC's NIS Directive Cyber Assessment Framework, or Cyber Essentials
Ex-Samsung employees jailed after chip secrets leak
Seven former Samsung employees have been jailed in South Korea for stealing semiconductor-related technology and sharing it with overseas companies.
The employees – who worked for Samsung’s subsidiary SEMES, South Korea’s biggest semiconductor manufacturer – stole equipment design blueprints and components lists over a two-year period.
One in the group, identified as Nam, used the information to set up a rival company making semiconductor cleaning equipment. In total, 14 cleaning machines were manufactured and sold to Chinese companies, netting Nam’s company $59.8 million. Nam also entered a joint venture and signed over the technology, including 24 equipment cleaning blueprints.
Nam was sentenced to four years’ imprisonment, while each of his accomplices faces a jail term of up to two and a half years. Nam’s company was fined $768,000.
Sexual exploitation uncovered on tea plantations
A BBC investigation has found evidence of sexual exploitation at tea farms in Kenya. More than 70 women said they had experienced sexual abuse or harassment by their supervisors on farms supplying some of the UK’s biggest brands, such as Lipton, PG Tips and Sainsbury’s Red Label. One woman claimed that she had been infected with HIV by her supervisor.
Secret filming at a plantation owned by James Finlay & Co showed a manager pressuring the undercover reporter for sex.
At another plantation owned by Unilever, at a job induction, a manager talked of the company’s zero-tolerance approach to sexual harassment. However, the same reporter was later invited by him to a hotel bar, where she was again pressured for sex. When she was later assigned to the weeding team, the reporter was offered an easier assignment in exchange for sex.
James Finlay & Co confirmed that its employee had been suspended and reported to the police. The company - which supplies Tesco, Sainsbury’s and Starbucks - also said it was investigating whether there was “an endemic issue with sexual violence” at its Kenyan operations.
Responding to the allegations, Sainsbury’s said, “These horrific allegations have no place in our supply chain.” Tesco said it was taking the matter “extremely seriously”. In a statement, Starbucks said it was “deeply concerned” and had suspended purchases from James Finlay.
It’s not the first time that Unilever has faced allegations of sexual harassment. Concerns were raised 10 years ago which resulted in the company launching a ‘zero-tolerance approach’ and a new reporting system.
Yet the women claim that their allegations are being ignored. Unilever sold the plantation as filming took place but said it was “deeply shocked and saddened” by the matter. Its new owners have suspended those responsible and are investigating.
- Conduct due diligence checks - on all workers, agencies, suppliers and third parties prior to engagement, so you know exactly who you are dealing with
- Consult online sources (such as KnowTheChain) - to better understand your supply chain and benchmark your progress
- Use sector-specific tools, resources and industry Codes of Practice - such as the Staff Wanted Initiative, and COMBAT Human Trafficking - to unite against modern slavery, forced labour and other unacceptable practices
- Raise awareness with your suppliers and third parties - encourage them to sign up to your Code of Conduct and insist on clauses in all contracts
- Provide appropriate reporting mechanisms – so staff can speak up if they see anything suspicious or have concerns about suppliers
- Ensure adequate monitoring and oversight – it’s not enough to claim you didn't know. Scrutinise any company with links to your own, conduct due diligence, including on senior managers, give employees a voice and listen to concerns that are raised
Amigo censured but avoids £73m fine
Sub-prime lender Amigo has been censured by the Financial Conduct Authority for failing to conduct adequate affordability checks on its customers and guarantors.
The regulator claimed that between November 2018 and March 2020, the company did not have adequate processes to assess the borrower and guarantor’s circumstances before approving loans. The company relied too heavily on automated IT systems and had inadequate controls in place. Staff also failed to conduct proper checks when the system flagged up concerns.
This resulted in a high risk of consumer harm, particularly for vulnerable customers. It also meant that guarantors were more likely to have to step in, with one in four guarantors being expected to repay the loan.
The company was accused of “prioritising [its] commercial interests over the obligation to comply with the rules and safeguard customers from unaffordable loans”.
The FCA had planned to impose a fine of £72.9 million, but the penalty was waived after Amigo demonstrated it would cause “serious financial hardship” and threaten its ability to fulfil a High Court compensation scheme to repay unfairly treated customers.
McDonald’s pledges action with equality watchdog
McDonald’s has entered a legally binding agreement with the Equality and Human Rights Commission (EHRC). It follows reports about sexual harassment by workers in its restaurants and concerns about how the fast-food giant has managed allegations in the past.
Under the Section 23 agreement (so-called after the relevant section of the Equality Act), McDonald’s has agreed to:
- Communicate a zero-tolerance approach to sexual harassment
- Conduct an anonymous survey of workers about workplace safety
- Enforce policies and procedures to prevent sexual harassment and improve responses to complaints
- Deliver anti-harassment training
- Introduce specific training and materials to help managers identify areas of risk and take steps to prevent harassment
- Support the uptake of the policy and training materials by franchisees
- Monitor progress towards a safe, respectful, and inclusive working environment
“We are pleased that McDonald’s has signed this agreement to signal their intent to make their restaurants safe places to work. The improvements they put in place can set an example for others to follow, whether in the hospitality industry or elsewhere. There should be zero tolerance of sexual harassment in every organisation. It can devastate people’s lives and create a toxic working environment for all.”
According to the Bakers, Food and Allied Workers Union (BFAWU), which has received over 1,000 complaints from its staff, McDonald’s has used non-disclosure agreements (NDAs) to conceal cases.
The new Workers Protection Bill outlaws NDAs and will also introduce a new duty on employers to protect workers from sexual harassment.
Fake ‘psychiatrist’ nets £1m
An NHS ‘psychiatrist’ has been convicted of a “deliberate and wicked deception”. The court heard that Zholia Alemi forged her medical degree certificate, allowing her to practise in the NHS for twenty years.
In 1995, Alemi sent a forged certificate to the General Medical Council claiming that she had qualified at the University of Auckland in New Zealand. In fact, she had repeatedly failed her exams there and was asked to leave the course after failing resits.
Between 1998 and 2017, Alemi practised all over the country, working in hospitals with “potentially very vulnerable people over a long period of time”. She is thought to have earned over £1m from the NHS over twenty years.
The court also heard that in 2018, Alemi was found guilty of forging an 84-year-old woman’s will and sentenced to five years. The prosecution described her as “a most accomplished forger and fraudster”. She will be sentenced on 28 February and now faces a prison term “of some substantial length”.
Repeat offender ITG fined £6.1m for failings
The UK Gambling Commission (UKGC) has fined an online gaming operator £6.1m for social responsibility and money laundering failings.
In Touch Games – which operates 11 online gaming platforms in the UK – failed to interact with a customer for seven weeks, although erratic play patterns and extended play periods were flagged. It also accepted a customer’s claim that they earned £6,000 a month without seeking evidence, even when red flags were raised.
Its anti-money laundering failings included:
- Not managing the risk posed by customers with links to high-risk jurisdictions, or by customers who are a politically exposed person (PEP) or a family member or known close associate of one
- Not putting policies, procedures, and controls in place to address risk factors
- Not considering the Commission’s money laundering or terrorist financing risk assessment or guidance
- Not following its own policies – for example, getting source of funds information when customers deposited or lost £10,000 in a 12-month period
It’s the third time the operator has faced action. It paid a £2.2m settlement in 2019 and was fined £3.4m in 2021. The Gambling Commission had warned of escalating fines for repeat offenders.
“Considering this operator’s history of failings, we expected to see significant improvement when we carried out our planned compliance assessment. Disappointingly, although many improvements had been made, there was still more to do. This £6.1m fine shows that we will take escalating enforcement action where failures are repeated, and all licensees should be acutely aware of this.”
Fund managers get 12 years for $8.45m fraud
Three ex-bankers have been found guilty of fraud by abuse of position and received jail sentences for their role in an $8.45 million fraud.
Two French nationals, Marino and Bessot, set up an investment company, FM Capital Partners (FMCP), to invest the funds of the Libyan Sovereign Wealth Fund. But instead of managing the investment, the pair – with the help of Ohmura – sought investments that maximised their own returns to the fund’s detriment.
Finder fees were laundered by Marino and Bessot through shell companies in the Seychelles and the Cayman Islands. This resulted in losses of $8.45 million between 2009 and 2014.
Concerns were raised in 2014 by Libyan board members of FMCP, who brought in auditors. Marino walked out of his formal interview with auditors and escaped to Norway.
“These sentences send a clear message to anyone in the financial sector about the consequences of abusing their position. The NCA is committed to tackling fraud and those who abuse the UK’s financial centre to facilitate their crimes,” said Richard Harrison of the NCA.
“These three fraudsters were calculating and opportunistic in committing offences that left the people of Libya out of pocket by approximately $8.45 million for purely selfish and greedy purposes to fund their lavish lifestyles. They showed a complete disregard for the important position they held to make investments work for their clients who were looking to diversify away from solely oil revenues.”
All three were found guilty of fraud by abuse of position. Frederic Marino, Yoshiki Ohmura and Aurelien Bessot were sentenced to 7.5 years, 3.5 years and 15 months, respectively. An arrest warrant has been issued for Marino, the ex-JP Morgan fugitive.
- Watch out for the three main offences - i.e. fraud by representation, fraud by failing to disclose information, and fraud by abuse of position
- Know what fraud risks we are exposed to, who may perpetrate them, and then minimise our exposure – remember fraud may be committed by employees, customers, suppliers, and even corporations, as the current high-profile case against Wirecard suggests
- Be a good role model and make sure you are honest in all your disclosures – e.g. expense claims, your qualifications and experience
- Consider the fraud triangle – according to Donald Cressey, three elements are present in those who commit fraud, i.e. Motivation, Opportunity, and Rationalisation
- Look out for red flags indicating potential fraud – such as lavish lifestyle, debt problems, suspected addiction or relationship problems, and more. They can provide a motive or incentive to commit fraud
- Never abuse your position for personal gain, to cause a loss or risk of a loss for others - you will be caught
- Don’t bypass our systems or controls, or encourage others to do so – follow our policies, such as four-eyes checks, double sign-off of accounts and invoices, job rotation, audits etc, which are designed to prevent fraud
- Speak up if you have any concerns or witness wrongdoing
Revolut warning over SMS scam
Fintech Revolut is warning its customers to be vigilant after hundreds complained of scam text messages. Customers were asked to verify their details or risk having their accounts frozen. They were then redirected to a fake Revolut site where they were asked to confirm their PIN. Money was then transferred to a crypto account.
“It’s important to be aware of how to spot suspicious online activity. […] These text messages can appear genuine and often come from an existing business number. They can even appear within existing message threads.”
Revolut, described by its co-founder Nikolay Storonsky as the “Amazon of banking”, has yet to secure a banking licence in the UK since applying more than two years ago.
The regulator’s delays may be justified. Revolut has faced a host of challenges, including late filing of accounts, EU fines and breaches, concerns about its corporate culture, money laundering failings, and more. The Financial Times reports that the fintech will finally sign off its overdue accounts for 2021 next week.
HSBC’s divestment costs $300m
HSBC has confirmed that it will sell its assets in Russia to Expobank in the first half of 2023, subject to regulatory approval. Its corporate banking division provides loans and investment banking services to domestic and international clients.
According to HSBC’s annual report, the divestment of its Russian business will result in a $300m loss.
However, it’s unclear whether the deal will be approved, as Russia’s Deputy Finance Minister Alexei Moiseyev has said that the sale of assets by foreign banks is paused and applications will be rejected.
Many corporations have exited or curtailed their operations in Russia following the invasion of Ukraine, but banks have faced uncertainty.