Our pick of key compliance stories this month
- FCA to launch a permanent Digital Sandbox
- Leicester City FC issued £880k price-fixing penalty
- Behavioural advertising puts Meta in hot water
- Revolut's payment system flaws result in $20m loss
- Bank of America receives its largest penalty in years
- Decade-long SARs filing failure fine for Merrill Lynch
- Microsoft take the path of cyber threat resistance
- Illumina hit with a record-breaking $476m fine
- HR worker loses age discrimination case
FCA to launch a permanent Digital Sandbox
The UK's Financial Conduct Authority (FCA) has announced that on 1 August 2023, it will launch a permanent Digital Sandbox. This comes off the back of two successful pilots, which saw more than half of the participating small and medium-sized enterprises (SMEs) make positive developments.
The Digital Sandbox will provide fintech participants with access to high-quality datasets, robust data security protection, a collaborative platform to share learnings, and an observation deck for regulators and other interested parties to observe in-flight testing.
The Digital Sandbox is a valuable resource for industry players who are looking to innovate and grow their businesses. The launch of the permanent Digital Sandbox is a significant milestone for the UK financial services industry and will help to foster much-needed innovation and growth in this sector.
Leicester City FC issued £880k price-fixing penalty
Leicester City FC has been fined £880,000 by the Competition and Markets Authority (CMA) for colluding with JD Sports to restrict competition in the sales of Leicester City-branded clothing, including replica kits, in the UK.
The CMA found that Leicester City and JD Sports had an agreement in place from 2018 to 2021 that limited the sale of Leicester City-branded clothing online. This meant that fans could have ended up paying more for goods as a result.
JD Sports was granted leniency by the CMA for reporting the illegal conduct and admitting its participation. This means that JD Sports did not have to pay a fine.
The fine against Leicester City is the largest ever imposed by the CMA for a breach of competition law in the sportswear sector. The CMA said that the fine sends a clear message that anti-competitive collusion will not be tolerated.
The fine is a significant blow to Leicester City, who are already facing financial difficulties. The club was relegated from the Premier League last season and is currently in the Championship. The fine will add to the club's financial problems and could make it more difficult for them to compete in the Championship.
- Be aware of the risks of collusion – have procedures in place which outline these risks to help to guard against anti-competitive behaviour
- Ensure you have a whistleblowing policy - this allows employees who suspect anti-competitive behaviour to report it without fear of retaliation
- Conduct audits - these audits should be carried out by an independent third party and can help expose potential signs of collusion
Behavioural advertising puts Meta in hot water
Meta has been temporarily banned from behavioural advertising on Facebook and Instagram in Norway because the Norwegian Data Protection Authority (Datatilsynet) found that Meta was not complying with the General Data Protection Regulation (GDPR).
Datatilsynet found that Meta was not transparent about how it was using behavioural advertising to target users with ads. They also found that Meta had not obtained valid consent from users to process their data for this purpose.
Specifically, Datatilsynet found that Meta was using a variety of data points to track users' behaviour, including their browsing history, their interactions with Facebook and Instagram, and their location data. Meta was then using this data to target users with ads that were relevant to their interests.
This ban on Meta's behavioural ads in Norway is a significant development, and it could have implications for the company's use of behavioural advertising in other countries as well.
- Be transparent about how you use personal data for behavioural advertising - it's important to be clear about the types of data that are being collected, how the data is being used, and how users can control their privacy settings.
- Get valid consent from users before processing their data - users need to be given a clear and concise explanation of how their data will be used and have the opportunity to opt out of behavioural advertising
- Be aware of the latest data privacy laws and regulations - this includes the GDPR, which is a complex regulation requiring attention to detail
- Use behavioural advertising in a way that is lawful - ensure that you are not using behavioural advertising in a way that discriminates against users or exploits their personal data
Revolut's payment system flaws result in $20m loss
A flaw in Revolut's payment system in the US allowed criminals to steal more than $20 million by exploiting differences between the company's US and European payment systems.
The flaw stemmed from the fact that Revolut's US system would automatically refund transactions that were declined, while its European system would not. This meant if a criminal made a large purchase that was declined in the US, they would be refunded the money, even though the purchase had never actually gone through.
Criminals were able to do this because Revolut's systems did not communicate with each other, so the US system did not know that the transactions had been declined in Europe. Although this flaw was identified in 2021, Revolut was only able to close it down in 2022. Over this period, Revolut's net loss was $20m.
The fintech is still waiting for its banking licence in the UK, more than two years after announcing its application. This incident is set to add pressure on the bank.
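The control that the Revolut story calls for is a reconciliation that compares refunds issued by one regional system against the authorisation status held by every regional system, rather than only the local one. The example below is an added illustration and not Revolut's code; the record layout, the region names and the sample transactions are constructed for the example, and the amounts are not the figures from the incident.

```python
"""Reconcile refunds against declined authorisations across regional ledgers.

Added example; the data model and all sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    region: str   # the regional system that recorded the authorisation result
    amount: float
    status: str   # "approved" or "declined"


@dataclass(frozen=True)
class Refund:
    txn_id: str
    region: str   # the regional system that paid the refund
    amount: float


def find_refunds_on_declined(transactions, refunds):
    """Return (refund, reason) pairs for refunds that should never have been paid.

    The transactions argument is the merged view of every regional ledger, so a
    refund paid by one region is checked against a decline recorded by another.
    """
    by_id = {t.txn_id: t for t in transactions}
    findings = []
    for r in refunds:
        t = by_id.get(r.txn_id)
        if t is None:
            findings.append((r, "refund with no matching transaction in any ledger"))
        elif t.status == "declined":
            findings.append((r, f"refund for a transaction declined by the {t.region} system"))
    return findings


def net_exposure(findings):
    """Total amount paid out on the flagged refunds."""
    return round(sum(r.amount for r, _ in findings), 2)


# Constructed sample ledgers: each region only knows about its own authorisations.
US_LEDGER = [
    Transaction("T1", "US", 120.0, "approved"),
    Transaction("T2", "US", 5000.0, "declined"),
]
EU_LEDGER = [
    Transaction("T3", "EU", 8000.0, "declined"),
    Transaction("T4", "EU", 40.0, "approved"),
]
# Constructed refunds, all paid by the US system. T3 was declined in the EU ledger,
# which the US system alone cannot see; T9 has no authorisation record anywhere.
REFUNDS = [
    Refund("T1", "US", 120.0),
    Refund("T2", "US", 5000.0),
    Refund("T3", "US", 8000.0),
    Refund("T9", "US", 75.0),
]

SAMPLE_FINDINGS = find_refunds_on_declined(US_LEDGER + EU_LEDGER, REFUNDS)

if __name__ == "__main__":
    for refund, reason in SAMPLE_FINDINGS:
        print(f"{refund.txn_id}: {refund.amount:.2f} - {reason}")
    print(f"exposure: {net_exposure(SAMPLE_FINDINGS):.2f}")
```

Run against the merged ledgers, the check flags T2 (declined locally), T3 (declined in the other region) and T9 (no authorisation on record); running it against the US ledger alone would still flag T3, but only as an unknown transaction, which is why the merged view is the one worth scheduling.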
Bank of America receives its largest penalty in years
Bank of America was smacked with $250 million in fines and refunds for "double-dipping" fees and fake accounts. The Consumer Financial Protection Bureau (CFPB) found that Bank of America had charged customers overdraft fees even when they had enough money in their accounts to cover the transaction.
The CFPB also found that Bank of America had created fake accounts in customers' names without their knowledge or consent. Bank of America was fined $100 million for the "double-dipping" fees, which will go directly to affected customers, and $150 million for the fake accounts.
The $250 million fine is the largest ever imposed by the CFPB for a single violation of the CFPA. This fine is also significant because it sends a message to other banks that they will be held accountable for unfair and deceptive practices.
- Be transparent about how fees are charged - customers should know exactly how much they will be charged for overdrafts and other fees
- Have a robust compliance programme in place - this includes having clear policies and procedures, and a system for monitoring and enforcing compliance
- Train employees on compliance policies and procedures - staff need to be aware of the risks of engaging in non-compliant behaviour
- Be responsive to complaints - if a customer complains, the company needs to investigate the complaint and take appropriate action
Decade-long SARs filing failure fine for Merrill Lynch
Merrill Lynch has paid $12 million in fines to the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) for failing to file Suspicious Activity Reports (SARs) for over a decade.
These reports are essential for flagging if a customer is suspected of engaging in suspicious activity such as money laundering.
The SEC found that Merrill Lynch failed to file almost 1500 SARs between 2009 and 2019. Upon investigation, the SEC found that the suspicious activities that went unreported included alleged unauthorised debit card withdrawals, forged or altered checks, account intrusions, identity theft, and internet scams.
This failure is rooted in Merrill Lynch's parent company, BAC North America Holding Co. (BACNAH), assuming responsibility for filing Merrill Lynch's SARs and using the incorrect threshold of $25,000 instead of the required $5,000 for reporting suspicious transactions or attempted transactions.
“Broker-dealers have a critical obligation to report suspicious activity in their accounts. Merrill Lynch and BACNAH did not file hundreds of Merrill Lynch SARs because they failed to comply with one of the most basic requirements for a SAR program.”
Microsoft take the path of cyber threat resistance
Microsoft announced that it will make some cloud security tools free from September 2023 following recent major hacks. Sophisticated hackers compromised the email accounts of 25 organisations and government agencies.
Microsoft will make 31 of its important security logs available to its customers using cheaper cloud service packages. This is a significant move by Microsoft, as these tools are typically only available as part of paid subscriptions. In addition, the default retention period for security logs will be extended from 90 to 180 days.
Some of the security tools that will be made available include:
- Microsoft Defender for Cloud: This tool provides cloud security posture management and threat protection for Azure resources.
- Microsoft Defender for Office 365: This allows email and collaboration security for Microsoft 365 users.
- Microsoft Cloud App Security: This tool provides cloud application security for organisations that use a variety of cloud applications.
Illumina hit with a record-breaking $476m fine
Illumina, a leading provider of DNA sequencing technology, has been hit with a record $476 million EU antitrust fine over its acquisition of Grail. The fine is the largest ever imposed by the European Commission (EC) for anti-competitive behaviour in the life sciences industry.
The EC found that Illumina had violated EU antitrust rules by acquiring Grail, a cancer detection company, in order to prevent competition in the market for liquid biopsy cancer tests.
The EC's investigation found that Illumina had entered into exclusive agreements with Grail's suppliers, which prevented other companies from accessing key components of liquid biopsy cancer tests. It was also found that Illumina acquired Grail in order to prevent it from developing and commercialising its own tests.
HR worker loses age discrimination case
Claudia Morel-Zifonte Palladino, a 45-year-old HR advisor, has lost her lawsuit against her employer, Reed In Partnership. The lawsuit was based on her suggestion of a family-friendly venue for the company's Christmas party in 2021, which was rejected in favour of a more "entertaining" option.
Palladino claimed that her younger colleagues were "negative to derisive" in response to her suggestion and that she was treated unfavourably because of her age. However, employment judge, Robin Lewis, dismissed her claims, ruling that she did not suffer a "detriment" simply because her co-workers disagreed with her suggestions.
The judge also commented that Palladino's conduct when discussing the festive plans might have contributed to her poor working relationship with her younger colleagues. Other claims raised by Palladino regarding victimisation and constructive dismissal will be heard at a separate employment tribunal.
Looking for more compliance insights?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.