Compliance News | January 2026

This month's key compliance news includes Iran's suspected sanctions evasion, Rakuten's AML fine, an automotive cartel, Paddy Power Betfair's fine, and more.

Our pick of compliance stories this month

• Iran used UK-registered crypto exchanges to evade sanctions, TRM Labs claims
• Rakuten fined €185k for AML/CTF failings
• Automotive starter battery companies fined €72m for cartel
• Spin again? Recidivist Paddy Power Betfair fined for social responsibility failings
• JD Sports employee awarded £65k in sexual harassment case
• Bank of America breached insider trading rules, India regulator claims
• Singapore jails businessmen for falsifying documents for Wirecard
• Former Carillion directors fined over misleading statements
• French prosecutors seek maximum fine for Lafarge for financing terrorism
• Cyberattack and tariffs hit Jaguar Land Rover sales

Iran used UK-registered crypto exchanges to evade sanctions, TRM Labs claims

Iran's security forces have moved around $1 billion through two UK-registered cryptocurrency exchanges since 2023, according to a TRM Labs report.

The exchanges have enabled Iran's Islamic Revolutionary Guard Corps (IRGC) to move large sums across borders, despite the wide-ranging sanctions imposed by the United States and other nations over concerns about nuclear weapons.

These sanctions prevent organisations linked to the Iranian government from transferring money across borders – something it needs to do to support other military groups, such as Hamas in Gaza and Hezbollah in Lebanon.

Cryptocurrency provides anonymity, enabling the IRGC to conceal the source, destination, and purpose of transactions.
This isn't new. In September 2025, the US Treasury revealed that Iran's backers were using "shadow banking" networks to facilitate oil sales.

Zedcex and Zedxion, two UK-registered cryptocurrency exchanges, processed transactions for IRGC between 2023 and 2025. According to the report:

• Corporate filings show the use of a virtual office address and repeated disclosures of dormancy – but this does not match the scale of activity observed on-chain.
• Zedxion was incorporated in May 2021, with Babak Morteza named as the person with significant control, despite having been sanctioned by the US and EU in 2013 for funnelling money to the IRGC.
• Zedcex and Zedxion are registered as two separate entities but appear to work as a single exchange.
• Both are linked to the Iranian businessman Babak Zanjani, who was previously sanctioned for laundering oil revenue for the regime. Indeed, Zedxion's former director shares Zanjani's first name and date of birth.

As part of their investigation, TRM Labs made small deposits and withdrawals through the exchange to trace where funds went and understand the exchange's infrastructure. They also searched money transfers involving a list of 187 "wallet addresses" that were designated as controlled by the IRGC.

As a result, TRM Labs said that wallets associated with both exchanges were essentially the same operation and routed funds through IRGC wallets, offshore intermediaries and Iranian crypto companies.

Most transactions were conducted using the Tether (USDT) token on the Tron network.

Zedxion was integrated with Zedpay, a mobile payment processor in Turkey. Zedpay also had links with Turkish financial firms, including:

• Fintech Vepara, which was suspended over money-laundering concerns
• Vakif Katilim, a state-owned Islamic bank, which was also investigated for Iran-linked financial activity.

The UK's Office of Financial Sanctions Implementation (OFSI) declined to comment.

Key takeaways:

• Conduct adequate sanctions screening - before entering new business relationships and on existing customers, especially those in high-risk places with known links to sanctioned countries
• Conduct proportionate due diligence checks - including enhanced due diligence on high-risk customers and activities, and document the results as an audit trail
• Don't use 'workarounds' or 'creative means' to bypass controls or evade sanctions restrictions - eg accepting payments via third parties
• Check for adverse media - if you see adverse media reports about anyone with links to your company (eg a supplier, customer or partner), report it to Compliance
• Don't put profit before principles - this can damage your reputation and facilitate financial crime.
  
  See our Financial Crime Training Package

Rakuten fined €185k for AML/CTF failings

Rakuten Europe Bank has been fined €185,000 by Luxembourg's financial regulator, the Commission de Surveillance du Secteur Financier (CSSF).

The fine, which was imposed in May last year but has just been made public, was for breaches of anti-money laundering and counter-terrorism financing rules.

The inspection was carried out by the regulator in 2023 to examine what corrective actions the bank had taken after shortcomings were found by "another European national competent authority".

However, a number of gaps remained four years later, including the failure to implement an adequate transaction monitoring system.

• Scenarios were outdated and couldn't be configured correctly due to staff departures in IT and compliance.
• An old version of its monitoring tool was still in use, which was no longer supported by the supplier.
• There were significant delays in processing alerts, with thousands of customer screening alerts – including those linked to sanctions, politically-exposed persons and terrorism – still awaiting review.
• Suspicious activity reports (SARs) were filed later than required, despite potential AML/CTF risks in dozens of customer files. The bank didn't submit any SAR at all for a customer who was previously subject to asset freezes in France for terrorism-related reasons.
• There were failures to take into account the country of residence of beneficial owners when assessing customer risk.

"While our ongoing efforts reflect a strong determination to achieve full compliance with legal requirements, it has become evident that our measures had not yet met these standards at the time of the CSSF's investigation. Consequently, we fully accept and understand the sanctions imposed by the CSSF, and we are diligently working to implement and thoroughly verify all necessary measures."

Automotive starter battery companies fined €72m for cartel

Three automotive starter battery manufacturers have been fined a total of €72 million for taking part in a long-running cartel, in breach of competition rules.

For over 12 years, Exide, FET (and its predecessor Elettra), Rombat, Clarios, and the trade association EUROBAT entered into anti-competitive agreements and engaged in concerted practices relating to the sale of automotive starter batteries to automotive original equipment manufacturers (OEMs).

The four manufacturers created and published premiums based on their purchasing price of lead (known as EUROBAT premiums) in Metal Bulletin, an industry publication. Then, they secretly agreed to use these premiums in their price negotiations with vehicle manufacturers in order to introduce a surcharge across the industry, keeping prices artificially high.

Each company was fined as follows:

• FET (including Resonac) - €6.11 million
• Elettra (FET's predecessor) - €15.594 million
• Rombat (including Metair) - €20.218 million
• Exide - €30 million
• EUROBAT - €125,000

Under the leniency rules, Clarios was not fined because it disclosed the cartel to the regulator.

Starter batteries provide electric current to the motor in combustion engines and supply power for the vehicle's electrical equipment.

"We have zero tolerance for price fixing or any type of cartel. It is our duty to ensure that our citizens and businesses, including European auto manufacturers can depend on suppliers that play fair and respect competition rules. With this decision, we also remind trade associations that they should not use their position as representatives of the industry to facilitate collusion among their members."

Key takeaways:

• Never enter anti-competitive agreements or exchange commercially-sensitive information with competitors - including on pricing, markets, strategies, products, or anything else
• Take extra care at events or meetings where competitors come together - including trade associations
• If risky topics start to be discussed in the front of competitors - leave at once and have your objection noted
• If you're given commercially-sensitive information - for example, by a customer trying to get a better price, then document where and how it was received as evidence
• Encourage your team to speak up if they make a mistake or witness anti-competitive behaviour - remember, under leniency rules, the first to speak up about illegal practice and cooperate with the authorities may escape penalties, as Clarios did here
• Cooperate fully with the authorities in an investigation or dawn raid - remember, they are entitled to search paper and electronic company records, even your personal phone messages. Never conceal or destroy evidence.

Spin again? Recidivist Paddy Power Betfair fined for social responsibility failings

Paddy Power Betfair has agreed to pay £2 million for social responsibility failings relating to customer interaction.
During an investigation, the Gambling Commission found a number of social responsibility failings, including:

• Systems that were not sensitive enough to flag indicators of harm – for example, one customer deposited £12,000 over 15 days before being identified for review and another deposited £25,000 over 25 days before any interaction.
• A customer who lost £12,300 in five weeks before any interaction.
• A customer who staked £86,000 in a 16-day period losing £6,000. Despite the high velocity spending, there was no manual review of the account.
• A customer showing intense spikes (with their longest session lasting 7 hours and 46 minutes when they placed over 300 bets worth £20,000) – yet, their behaviour was only flagged when they hit a loss trigger.

It's the second time that Paddy Power Betfair has been fined, having paid £490,000 in 2023.

"This £2 million settlement reflects the seriousness of the failings identified and the importance of meeting social responsibility and customer interaction standards. Operators must ensure systems to identify and address harm work effectively and at the right time. Over-reliance on automation and failure to intervene when clear harm indicators are present exposes consumers to unnecessary risk. Where we find failings, we will act decisively to protect players."

Four remote operators, which trade under the names Paddy Power and Betfair, will pay the current fine.

Key takeaways:

• Educate employees on AI-related scams: Staff should be trained to recognise phishing, social engineering, and malware disguised as trusted AI tools.
• Verify instructions before acting: Employees must confirm the legitimacy of commands or downloads, especially when prompted by unfamiliar links or messages.
• Implement strong endpoint security: Ensure devices have malware detection, anti-virus, and monitoring tools to prevent unauthorised software installations.
• Monitor for suspicious activity: Regularly review system logs and unusual behaviour to detect potential data breaches quickly.
• Maintain robust data protection policies: Sensitive information like passwords, financial data, and digital wallets should be safeguarded and access limited.
• Promote a culture of caution: Encourage staff to report suspicious links or messages without fear of reprisal.
• Review third-party interactions: Ensure external communications, ads, and AI tools used by the firm are vetted and secure.

JD Sports employee awarded £65k in sexual harassment case

A student who worked part-time at JD Sports Fashion PLC has been awarded £65,000 to settle her sexual harassment case.

Jayla Boyd worked at the retailer's Belfast store, while studying for A levels. During a shift, she was slapped on the bottom by a male supervisor.

Ms Boyd informed her manager about the incident the next day and was told that the incident was captured on CCTV. But she had to continue working alongside the supervisor for the rest of the shift. During this time, the supervisor approached her twice to talk about it.

Although Ms Boyd made a formal complaint and gave a written statement, she was never formally interviewed about the incident. Her employer also failed to provide adequate support, leading to her taking time off as annual leave instead.

On her return, there was no return-to-work meeting and Ms Boyd was not keep informed about the investigation or the outcome of her complaint. She also said that personal information on her manager's computer about the incident was seen by other colleagues.

Ms Boyd experienced further embarrassment at a training session when an example was discussed involving a woman being slapped on the bottom by a supervisor. She felt that this referred to her own case.

Ms Boyd resigned from the job. She said, "The initial incident was embarrassing, but it was made worse because I felt like they were trying to ignore what had happened to me instead of dealing with it properly. I had to remain working with this male supervisor after he had sexually harassed me. Everyone deserves to feel safe and supported at work."

"A zero-tolerance approach by employers to sexual harassment in the workplace will remind everyone how seriously it will be dealt with should any instances arise. In order to prevent it, employers must ensure that all staff know what behaviour is acceptable, and unacceptable, in the workplace.

Employers must have clear policies and procedures in place to deal with harassment, and managers must be trained to use them appropriately. This type of behaviour must be investigated thoroughly, with the complaint dealt with sensitively and in a timely manner"

JD Sports "acknowledged and apologised for the significant upset, distress, and injury to feelings experienced by Ms Boyd".

"We work hard to create an environment where all colleagues are treated with dignity and respect in the workplace and whilst we have already made some changes to our processes, we welcome the opportunity to liaise with the Equality Commission to further review our policies, practices and procedures."

Bank of America breached insider trading rules, India regulator claims

Bank of America breached insider trading rules and unlawfully disclosed information, the Securities and Exchange Board of India (SEBI) claims.

It follows an investigation by SEBI into Bank of America's securities unit, when managing the stock sale of Aditya Birla Sun Life Asset Management (ABSL AMC) in March 2024.

According to Reuters, SEBI claims the deal team disclosed unpublished material non-public information before the formal announcement of the share sale to potential investors.

"The conduct highlights the failure of (the bank's) deal team to maintain Chinese walls with broking/research arms, impacting safekeeping of confidential information and internal controls."

The notice mentions the bank's interactions with HDFC Life, Norges Bank, and Enam Holdings. It gives one example where the bank's deal team asked the broking arm to provide a valuation report for ABSL AMC to Enam Holdings, a potential investor.
Broking, research and syndicate teams acted on behalf of the deal team.

"As such, information related to dealings with ABSL AMC was not handled by (the bank) on a 'need-to-know' basis."

During SEBI's investigation, Bank of America then concealed material facts and made false statements to the regulator, initially denying that any meetings or communications took place. This resulted in an internal investigation and the departure of three investment bankers.

Singapore jails businessmen for falsifying documents for Wirecard

Two businessmen have been jailed for falsifying documents relating to the Wirecard scandal.

Singaporean R Shanmugaratnam and British national James Henry O'Sullivan were jailed for 10 and six-and-a-half years, respectively. These are the longest sentences imposed so far following the collapse of Wirecard, one of Europe's biggest accounting frauds.

The pair falsified documents to trick the auditor EY into believing that Wirecard held millions of euros in bank accounts overseen by Shanmugaratnam's Citadelle Corporate Services.

But, in June 2020, Wirecard admitted that €1.9 billion supposedly booked in its accounts in the Philippines did not exist, leading to its collapse.

In earlier proceedings, the court said that between 2016 and 2018, Shanmugaratnam issued 13 balance confirmation letters. O'Sullivan was convicted of five counts of falsification after abetting Shanmugaratnam to issue five letters in March 2017.

O'Sullivan was a close friend of Jan Marsalek, the former chief operating officer of Wirecard AG, and ran businesses in Asia that were linked to the fintech. O'Sullivan engaged Shanmugaratnam's Citadelle to set up companies in Singapore.

When Shanmugaratnam received a request from EY in February 2016 to confirm the balances of Wirecard AG and its subsidiaries, Marsalek sent him a document that "contained draft wordings to be put into balance confirmation letters".
Shanmugaratnam obliged, sending emails back to EY containing the wording on communications with Citadelle's letterhead.

Both men plan to appeal against their sentences.

Markus Braun, Wirecard's former CEO, is currently on trial in Germany. An Interpol Red Notice has been issued for Marsalek, who fled to Russia.

Former Carillion directors fined over misleading statements

Two former finance directors have been fined for their role in misleading statements being issued by Carillion plc.

The UK regulator said that Richard Adam and Zafar Khan knew that Carillion's construction business was in serious financial trouble but they didn't make investors, the Board and audit committee aware of this, resulting in poor oversight.

They were fined £232,800 and £138,900, respectively.

As finance directors, Adam and Khan were responsible for Carillion's procedures, systems and controls relating to financial reporting. The FCA said that both had acted recklessly and were knowingly concerned in breaches of the Market Abuse Regulation and the Listing Rules by Carillion.

"Those in positions of responsibility have a duty to keep the market accurately and adequately informed. With Carillion, we have seen the serious impact it can have when they don't. The action taken against Mr Adam and Mr Khan demonstrates our commitment to preventing market abuse and upholding the standards we expect."

The fine comes eight years after the collapse of Carillion plc, which was one of the biggest construction and facilities management companies in the UK. The firm entered liquidation in January 2018, resulting in 3,000 job losses and delays to hundreds of major construction projects, including new hospitals in Liverpool and Sandwell, and Liverpool Football Club's stadium expansion.

KPMG was fined £21m in 2023 for "exceptional" failures in its audits of Carillion.

Key takeaways:

• Don't disseminate information that gives false or misleading signals to the market – for example, over the value of its shares, where you know that the information is false or misleading (Article 15 of MAR, prohibition of market manipulation)
• Take reasonable care to ensure announcements are not misleading, false or deceptive – eg do not omit anything that is likely to affect the import of the information (Listing Rule 1.3.3R)
• Take reasonable steps to establish and maintain adequate procedures, systems and controls - to enable the firm to comply with its obligations (Listing Principle 1)
• Act with integrity – towards holders and potential holders of its listed securities (Listing Principle 4)

French prosecutors seek maximum fine for Lafarge for financing terrorism

French prosecutors are seeking prison sentences of up to eight years for executives, a record fine of €1.2 million, and the confiscation of €30 million of assets on one of its "flagship" industries.

Lafarge is accused of making payments to armed groups in Syria, including the Islamic State, between 2012 and 2014.

Prosecutors claim that the cement maker paid "at least" €4.6 million to terrorist groups to keep its Jalabiya plant in Northern Syria operational. Describing the sum was "unprecedented" and "shocking", one prosecutor said:

"Four million euros represents more than 4,000 Kalashnikovs or the salaries of between 3,500 and 6,600 Islamic State fighters for a year."

Describing the figure as "dizzying", the prosecution claimed Lafarge had treated the groups as "economic partners and commercial interlocutors", rather than enemies.

In a closing speech, the prosecution accused the company of pursuing "business at all costs" and described their role as "the story of the total failure of individuals who could have chosen to leave" and "the story of the distortion of a flagship of a French industry that ended up financing terrorist organisations for a purely mercantile objective".

The trial is closing after six weeks of hearings.

Cyberattack and tariffs hit Jaguar Land Rover sales

As expected, the major cyberattack that Jaguar Land Rover (JLR) experienced in August 2025 significantly disrupted its operations in Q3 last year.

Financial statements released by its owner, Tata Motors, show that there was a 25% decline in sales, with just 79,600 vehicles sold.

Shipments to car dealers were also severely affected, with only 59,200 units shipped, representing a 43% drop.

Tate Motors said that the cyber incident had "significantly disrupted operations", forcing a production shutdown across all its factories. While output was restored in November, the incident caused severe delays and hit sales.

In addition, incremental US tariffs weakened demand, resulting in a 37.7% drop in sales to North America. The wind-down of older Jaguar models ahead of its latest electric vehicles also hit sales.

Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.