Compliance News | January 2023

Posted by Lynne Callister on 31 Jan 2023

This month’s key compliance news includes McDonald's misleading statements, social media misuse, AML failings, DNV's ransomware attack, Meta's fines, and more.

Our pick of key compliance stories this month

McDonald's ex-CEO pays £400k for false statements

McDonald's former CEO Steve Easterbrook has been charged with making false and misleading statements to investors about the circumstances of his 2019 dismissal.
The fast-food chain fired Easterbrook after a consensual relationship with an employee, which is against company policy.

However, the US Securities and Exchange Commission claimed that he knew or had recklessly failed to disclose other improper and inappropriate relationships which would have influenced McDonald's disclosures to investors about his exit.

Easterbrook received a five-year director ban and a $400k civil penalty. McDonald's was charged with "shortcomings" over its public disclosures but escaped fines due to its "substantial cooperation". It's since clawed back Easterbrook's $105m separation agreement.

"When corporate officers corrupt internal processes to manage their personal reputations or line their own pockets, they breach their fundamental duties to shareholders. By allegedly concealing the extent of his misconduct during the company’s internal investigation, Easterbrook broke that trust with – and ultimately misled – shareholders."

- Gurbir Grewal, the SEC's enforcement director

Key takeaways:

  • Promptly disclose conflicts of interest - so they can be managed properly and in order to minimise the risks to our business and reputation
  • Make it easy for people to review and update their CoI disclosures - the easier it is to do this, the less chance there will be for inadvertent slips
  • Don't forget about employees in senior positions - their exposure will often be greater, with a potentially bigger impact if things go wrong
  • Encourage trust, openness and understanding - remember, many people meet their spouses and partners at work. Conflicts of interest aren't 'wrong', but they need to be managed carefully to protect our reputation

Last Tango? Businessmen guilty of sanctions evasion

UK businessman, Richard Masters, and Russian national Vladislav Osipov have been charged with sanctions evasion and money laundering in relation to the ownership and use of superyacht Tango. The luxury yacht was owned by sanctioned Russian oligarch Viktor Vekselberg.

According to the US Department of Justice, the pair devised a complex structure of shell companies to conceal Vekselberg's ownership of the vessel and used a false name (Fanta) to conceal the beneficiaries of payments from US banks.

It's also claimed they used workarounds (eg payments in other currencies and via third parties) so Tango employees could keep doing business. This resulted in US products and services being supplied to the yacht.

Tango was seized by Spanish authorities in April 2022 following a warrant by the DoJ.
"The FBI will hold accountable those who assist Russian Oligarchs in their efforts to hide assets and violate sanctions", said Special Agent in Charge Alvin M. Winston of the FBI Minneapolis Field Office.

Driver dismissed unfairly despite offensive tweets

A train driver who posted "offensive, insulting, discriminatory and derogatory" tweets was dismissed unfairly by his employer, according to a tribunal.

Between 2018 and 2020, Paul Weller - who had an unblemished record - posted over 3,700 Brexit and anti-immigration-related tweets, "chasing popularity" online. His employer First MTR South Western Trains (SWR) became aware of his tweets after receiving an anonymous tip-off.

Initially, Weller claimed he'd been hacked. When confronted with screenshots, he said he'd been drinking, and "denied being racist" but agreed that he shouldn't have used derogatory language. He was dismissed.

In 2018, Weller was given a tablet, along with policy documents on harassment, social media, and IT use. But a critical record showing that he'd been briefed was "unsigned". That cast doubt over whether he'd been briefed or agreed to SWR's social media policy.

As there were no "reasonable grounds" to suggest the briefing had ever taken place, Judge Cox found Weller had been unfairly dismissed. However, the tribunal reduced Weller's basic and compensation award by 100%, saying his actions were "culpable and blameworthy" and the "offending material" could damage multicultural relationships.

Alan Lewis from Constantine Law said, "Employers can learn from this case that there is no substitute for not only evidencing the fact that employees have received relevant policies by making sure they sign for them, but also ensuring that employees are trained on the policies."

Key takeaways:

  • Provide training and frequent refreshers for your team - so they know what behaviour is and is not permitted, and are aware of company values and expectations
  • Create a fair and inclusive environment for everyone - research shows diverse workplaces are often more innovative, productive, and profitable
  • Be clear about the distinction between acceptable use (ie misuse of equipment) and social media policies before any disciplinary hearing
  • Use automated affirmations to provide vital evidence - by automating compliance, you can be more efficient, responsive, and adapt quickly to emerging risks
  • Continually improve risk management processes - using process maturity models to benchmark your progress

BMW fined over CMA information request

Bayerische Motoren Werke AG (BMW) has been given a maximum £30k fine, plus daily penalties of £15k, by the UK's Competition and Markets Authority (CMA) after it refused to comply with its information request.

The request for information was made as part of the CMA's investigations into end-of-life vehicles (ELVs), including the arrangements for recycling old or written-off vehicles. The CMA suspects BMW of anti-competitive practices abroad and believes its parent company or non-UK subsidiaries could have material information.

However, the carmaker has appealed, challenging the extraterritorial reach of the regulator.
By making the case public, the CMA is reminding all non-UK companies of their obligations to respond to Section 26 requests.

Key takeaways:

  • Avoid anti-competitive behaviour - such as cartels, inappropriate conversations or information sharing, and collusion with competitors
  • Be proactive - if you're in a meeting where commercially-sensitive topics are discussed, have your objection noted and leave immediately
  • Encourage your team to speak out fast - remember, the first company to disclose the existence of a cartel may qualify for leniency
  • Cooperate fully with any information requests from competition regulators - to avoid penalties

Two banks fined £11.6m for AML failings

The UK's Financial Conduct Authority has fined two banks a total of £11.6m for anti-money laundering failings.

Guaranty Trust Bank UK Ltd was fined £7.6 million for serious weaknesses in its AML systems and controls. Among other things, it failed to conduct adequate customer risk assessments and due diligence on high-risk customers, or establish the source of funds and wealth. Since it was not a first-time offence for the bank, the fine was substantially increased.

Separately, the UK's biggest Islamic bank was fined £4m for failing to conduct adequate checks on high-risk customers' wealth. Al Rayan Bank didn't keep due diligence records up-to-date or have proper processes for handling large cash deposits. There was also a lack of AML training. Despite being warned of shortcomings by its Second Line of Defence, problems hadn't been addressed.

“Maintaining strong defences against the evolving threats of financial crime is an essential part of our business plan and is being led by the new board and executive team.”

- Giles Cunningham, CEO Al Rayan Bank

Brothers in a unique crypto insider trading case

Nikhil Wahi has been jailed for 10 months for insider trading. It's the first-ever case of its kind involving insider trading of cryptocurrency assets.

Prosecutors said that Nikhil Wahi made trades based on tip-offs of confidential information from his brother Ishan, Coinbase's product manager at the time. Ishan passed on tips to Nikhil and friend Sameer Ramani, disclosing which crypto assets were about to be listed on Coinbase's exchanges. Illegal trades made ahead of 40 official announcements netted profits of $900,000. Ishan Wahi denies the allegations and is due in court in March. Ramani is at large.

"At a time when the cryptocurrency markets have been plagued by fear, uncertainty, and doubt, insider trading creates the impression that everything is rigged and that only people with secret advantages can make a real buck. Today’s sentence makes clear that the cryptocurrency markets are not lawless. There are real consequences to illegal insider trading, wherever and whenever it occurs."

- Damian Williams, US attorney

1,000 ships affected by a ransomware attack

Norwegian software supplier DNV has confirmed that 1,000 ships were affected by a ransomware attack on its ShipManager system.

The Oslo-based company shut down its servers when its fleet management software was hit by malware. The 70 customers that ran the vessels were advised to switch to its onboard, offline functionalities instead. A DNV spokesperson confirmed the cyberattack did not impact the vessels' ability to operate, but wouldn't say whether data was compromised, or if ships or cargo would be delayed.

This ransomware attack isn't the only one. In recent weeks, the Port of Lisbon, the Guardian newspaper and Royal Mail's international shipping have all been targeted.

Meta agrees to pay £600m over data scandal

Meta has agreed to pay $725m (£600m) to settle a long-running legal action following the Cambridge Analytica scandal.

Facebook gave third parties (including Cambridge Analytica) access to users' personal data, which was harvested without their knowledge or consent.

The class action was filed on behalf of Facebook's 250-280 million users in the United States. The sum is thought to be the highest yet in a US data privacy class action.
Without admitting wrongdoing, Meta said it had "revamped" its privacy policies and processes.

Facebook paid $5b in 2019 to resolve privacy issues and continues to face intense scrutiny over its practices. Earlier this month, WhatsApp, Instagram and Facebook were fined €5.5 million, €180 million and €210 million respectively by the Irish data regulator for GDPR violations. Its parent Meta plans to appeal.

Key takeaways:

  • Comply with the UK GDPR principles - there are seven of them
  • Make sure your data processing is lawful, fair and transparent - be honest with people about what we plan to do with their data, our lawful basis for this, and who else we'll share it with via privacy notices
  • Give people access to their personal data - so they can see how we use their personal data, check that it's accurate and that our processing is lawful
  • Make sure our consent is unambiguous, and there's clear affirmative action - don't assume we have consent, bundle it with standard terms and conditions, or make it a precondition of using our services
  • Manage third-party risks - conduct an assessment to determine your risk exposure when working with third parties and implement controls to manage them
  • Take extra care when sharing personal data with third parties – implement contracts to clarify expectations, and ensure everyone recognises their mutual obligations and liabilities

BitConnect victims to share $17m

A US court has ordered restitution of $17m to be paid to around 800 victims, based in 40 countries, of the fraudulent BitConnect cryptocurrency scheme.

The cryptocurrency scheme, which netted around $6bn or 325,000 BTC, lured investors with the promise of high returns. However, it was part of an elaborate plot where early investors were paid out using the funds of newer ones. 15% of funds were used as a slush fund by owners and promoters, with one of them - Glenn Arcaro - trousering $24m of investors' money.

The restitution is considerably less than the $56m figure trailed by the Department of Justice in November 2021, perhaps reflecting the recent turbulence in the crypto space.
BitConnect's founder, Satish Kumbhani, disappeared shortly before being charged with the fraudulent Ponzi scheme. The platform was shut down in 2018.

Kier Group fined £4.4m for safety incidents

Construction and infrastructure company Kier Group has been fined £4.4m after its workers struck overhead power lines twice whilst working on the M6 motorway.

According to the Health and Safety Executive, the first incident occurred when workers were clearing the tarmac using a digger to fill a truck. An 11-kilovolt power cable was severed, landing on the motorway and in a nearby field. Yet the firm failed to immediately notify Scottish Power, resulting in the cable being re-energised close to passing traffic.

In the second incident, a team was removing a motorway barrier when a crane arm struck an 11-kilovolt power cable. It was hit and snapped by an oncoming lorry. Workers hadn't known about the overhead hazard.

The HSE said there was inadequate planning, with no task risk assessment. The vehicle used was unsuitable, even though other more suitable alternatives were available at the time. Kier Group was fined £4.4m, with £88k costs.

“This is a significant fine reflecting the seriousness of the failures here. The company’s failure to plan the work properly and provide an adequate risk assessment put its workers and those using the motorway in significant danger.”

- Mike Lisle, HSE inspector
