This month’s key compliance news includes a record-breaking fine for Illumina, Microsoft's cybersecurity freebies, Leicester City FC's penalty and more.
The UK's Financial Conduct Authority (FCA) has announced that on 1 August 2023, it will launch a permanent Digital Sandbox. This comes off the back of two successful pilots, which saw more than half of the participating small and medium-sized enterprises (SMEs) make positive developments.
The Digital Sandbox will provide fintech participants with access to high-quality datasets, robust data security protection, a collaborative platform to share learnings, and an observation deck for regulators and other interested parties to observe in-flight testing.
The Digital Sandbox is a valuable resource for industry players who are looking to innovate and grow their businesses. The launch of the permanent Digital Sandbox is a significant milestone for the UK financial services industry and will help to foster much-needed innovation and growth in this sector.
Leicester City FC has been fined £880,000 by the Competition and Markets Authority (CMA) for colluding with JD Sports to restrict competition in the sales of Leicester City-branded clothing, including replica kits, in the UK.
The CMA found that Leicester City and JD Sports had an agreement in place from 2018 to 2021 that limited the sale of Leicester City-branded clothing online. This meant that fans could have ended up paying more for goods as a result.
JD Sports was granted leniency by the CMA for reporting the illegal conduct and admitting its participation. This means that JD Sports did not have to pay a fine.
The fine against Leicester City is the largest ever imposed by the CMA for a breach of competition law in the sportswear sector. The CMA said that the fine sends a clear message that anti-competitive collusion will not be tolerated.
The fine is a significant blow to Leicester City, who are already facing financial difficulties. The club was relegated from the Premier League last season and is currently in the Championship. The fine will add to the club's financial problems and could make it more difficult for them to compete in the Championship.
Meta has been temporarily banned from behavioural advertising on Facebook and Instagram in Norway because the Norwegian Data Protection Authority (Datatilsynet) found that Meta was not complying with the General Data Protection Regulation (GDPR).
Datatilsynet found that Meta was not transparent about how it was using behavioural advertising to target users with ads. They also found that Meta had not obtained valid consent from users to process their data for this purpose.
Specifically, Datatilsynet found that Meta was using a variety of data points to track users' behaviour, including their browsing history, their interactions with Facebook and Instagram, and their location data. Meta was then using this data to target users with ads that were relevant to their interests.
This ban on Meta's behavioural ads in Norway is a significant development, and it could have implications for the company's use of behavioural advertising in other countries as well.
A flaw in Revolut's payment system in the US allowed criminals to steal more than $20 million by exploiting differences between the company's US and European payment systems.
The flaw stemmed from the fact that Revolut's US system would automatically refund transactions that were declined, while its European system would not. This meant if a criminal made a large purchase that was declined in the US, they would be refunded the money, even though the purchase had never actually gone through.
Criminals were able to do this because Revolut's systems did not communicate with each other, so the US system did not know that the transactions had been declined in Europe. Although this flaw was identified in 2021, Revolut was only able to close this down in 2022. In this time, the net loss for Revolut was $20m.
The fintech is still waiting for its banking licence in the UK, more than two years after announcing its application. This incident is set to add pressure on the bank.
Bank of America was smacked with $250 million in fines and refunds for "double-dipping" fees and fake accounts. The Consumer Financial Protection Bureau (CFPB) found that Bank of America had charged customers overdraft fees even when they had enough money in their accounts to cover the transaction.
The CFPB also found that Bank of America had created fake accounts in customers' names without their knowledge or consent. Bank of America was fined $100 million for the "double-dipping" fees, which will go directly to affected customers, and $150 million for the fake accounts.
The $250 million fine is the largest ever imposed by the CFPB for a single violation of the CFPA. This fine is also significant because it sends a message to other banks that they will be held accountable for unfair and deceptive practices.
Merrill Lynch has paid $12 million in fines to the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) for failing to file Suspicious Activity Reports (SARs) for over a decade.
These reports are essential for flagging if a customer is suspected of engaging in suspicious activity such as money laundering.
The SEC found that Merrill Lynch failed to file almost 1500 SARs between 2009 and 2019. Upon investigation, the SEC found that the suspicious activities that went unreported included alleged unauthorised debit card withdrawals, forged or altered checks, account intrusions, identity theft, and internet scams.
This failure is rooted in Merrill Lynch's parent company, BAC North America Holding Co. (BACNAH), assuming responsibility for filing Merrill Lynch's SARs and using the incorrect threshold of $25 000 instead of the required $5000 for reporting suspicious transactions or attempted transactions.
“Broker-dealers have a critical obligation to report suspicious activity in their accounts. Merrill Lynch and BACNAH did not file hundreds of Merrill Lynch SARs because they failed to comply with one of the most basic requirements for a SAR program.”
- Katharine E. Zoladz, Co-Acting Regional Director, SEC
Microsoft announced that it will make some cloud security tools free from September 2023 following recent major hacks. Sophisticated hackers compromised the email accounts of 25 organisations and government agencies.
Microsoft will make 31 of its important security logs available to its customers using cheaper cloud service packages. This is a significant move by Microsoft, as these tools are typically only available as part of paid subscriptions. In addition, the default retention period for security logs will be extended from 90 to 180 days.
Some of the security tools that will be made available include:
Illumina, a leading provider of DNA sequencing technology, has been hit with a record $476 million EU antitrust fine over its acquisition of Grail. The fine is the largest ever imposed by the EC for anti-competitive behaviour in the life sciences industry.
The European Commission (EC) found that Illumina had violated EU antitrust rules by acquiring Grail, a cancer detection company, in order to prevent competition in the market for liquid biopsy cancer tests.
The EC's investigation found that Illumina had entered into exclusive agreements with Grail's suppliers, which prevented other companies from accessing key components of liquid biopsy cancer tests. It was also found that Illumina acquired Grail in order to prevent it from developing and commercialising its own tests.
Claudia Morel-Zifonte Palladino, a 45-year-old HR advisor, has lost her lawsuit against her employer, Reed In Partnership. The lawsuit was based on her suggestion of a family-friendly venue for the company's Christmas party in 2021, which was rejected in favour of a more "entertaining" option.
Palladino claimed that her younger colleagues were "negative to derisive" in response to her suggestion and that she was treated unfavourably because of her age. However, employment judge Robin Lewis dismissed her claims, ruling that she did not suffer a "detriment" simply because her co-workers disagreed with her suggestions.
The judge also commented that Palladino's conduct when discussing the festive plans might have contributed to her poor working relationship with her younger colleagues. Other claims raised by Palladino regarding victimisation and constructive dismissal will be heard at a separate employment tribunal.