Our pick of key compliance stories this month
- JP Morgan pays $4m over deleted emails
- Ex-Goldman Sachs banker convicted of insider trading
- FTC charges Amazon over ‘sludge’ practices
- High-street names failed to pay the minimum wage
- Facing the music? Spotify fined €5m for GDPR breach
- Odey loses ‘fit and proper’ status
- The HSE’s hot weather advice
- 53% of UK banks exposing customers to email fraud
- Co-op launches campaign to tackle ‘class ceiling’
- FATF adds to AML/CTF watchlist
JP Morgan pays $4m over deleted emails
JP Morgan Chase has agreed to pay $4m after around 47 million emails were deleted in error. According to the Securities and Exchange Commission, the emails were exchanged between January and April 2018 - involving 8,700 mailboxes - and were permanently deleted by mistake in June 2019.
The error occurred after employees began working with a third-party vendor to delete old communications dating back to the 1970s and 1980s that were no longer needed.
Following this, employees deleted emails from early 2018, believing that these could not be permanently deleted because of the way they were coded. However, the vendor had not applied the default retention settings, meaning all the exchanges were permanently lost.
Emails are business records that the bank is required to keep for three years. The SEC claimed that JP Morgan had been unable to comply with subpoenas in at least 12 probes as a result.
“Because the deleted records are unrecoverable, it is unknown - and unknowable - how the lost records may have affected the regulatory investigations,” the order said.
Key takeaways:
- Be clear about our retention policies and protect our information – to ensure we meet our regulatory obligations.
- Control access to systems and information – so permissions (including deletion) are only granted to those who need it.
- Arrange proper supervision and oversight of third parties – to ensure they are clear about their responsibilities, limits, and fulfil the contract.
Ex-Goldman Sachs banker guilty of insider trading
Former Goldman Sachs vice president Brijesh Goel has been convicted of insider trading in New York after passing tips to his squash buddy, a long-standing friend from business school.
Goel obtained information on potential mergers from Goldman Sachs’ internal emails on at least six occasions - including on Spirit Airlines, Patheon, and Kuraray’s acquisition of Calgon Carbon Corp.
After games of squash and drinks, he then tipped off his friend Akshay Niranjan, a former Barclays foreign exchange trader, who made trades on his brother’s account. The two bankers split $280,000 in profits.
The jury heard that Akshay Niranjan had lost his entire book in one day, had broken up with his fiancé and had been thinking of leaving New York. The tips from Goel had been good news.
“But today, sitting here, it’s terrible news. It’s one of the worst days,” he testified.
Niranjan entered a non-prosecution agreement after agreeing to cooperate with prosecutors and wore a wire to record Goel asking him to destroy any evidence.
Goel was found guilty of four counts of securities fraud, conspiracy and obstruction of justice. He will be sentenced in October.
Key takeaways:
- Create a culture of compliance to help reduce insider trading risks – limiting information sharing, having preclearance for trades, scrutiny of individuals with access to inside information, etc.
- Be clear about what is classed as material non-public information (MNPI) – remember, it includes but is not limited to information on takeovers, mergers, earnings, profit warnings, litigation, or security offerings.
- Take extra care outside of the office – and remove yourself from conversations that are high-risk.
- Be cautious in social or informal settings with friends and relatives – such as casual conversations at the squash court, over golf, at weddings, or other social events.
- Watch out for overlapping work relationships – where staff socialise with former colleagues or friends from other firms; it creates a risk of improper sharing of information.
- Look out for irregular trading patterns – such as trades outside normal buying patterns, which may indicate suspicious activity.
- Don’t use relatives’ accounts to place illegal trades – you will be caught!
FTC charges Amazon over ‘sludge’ practices
For years, Amazon knowingly duped customers into enrolling for its Prime program without their consent (nonconsensual enrolment) and then made it difficult for them to cancel their subscription, the Federal Trade Commission has claimed.
The US regulator has accused the online retailer of using “manipulative, coercive, or deceptive" user-interface designs known as 'dark patterns' to "trick consumers into enrolling” for Prime subscriptions.
It then deliberately complicated the cancellation process to thwart those wanting to end their membership. Its project, which was codenamed ‘Iliad’ – homage to Homer’s epic poem set out in 24 books – was ultimately driven by a desire to stop subscribers from cancelling.
The FTC accused Amazon’s leadership of holding up or rejecting interface changes that were designed to make it easier for customers to cancel Prime, knowing this would impact its bottom line.
At checkout, Amazon's customers faced numerous messages to subscribe to Prime, and the option to purchase without subscribing was hard to find.
“Amazon tricked and trapped people into recurring subscriptions without their consent, not only frustrating users but also costing them significant money. These manipulative tactics harm consumers and law-abiding businesses alike. The FTC will continue to vigorously protect Americans from “dark patterns” and other unfair or deceptive practices in digital markets.”
In the Consumer Duty, the UK’s FCA consistently warns firms against engaging in so-called ‘sludge’ practices, defined as “excessive friction that hinders consumers from making decisions in their interests”.
Facing the music? Spotify fined €5m for data breach
Music streaming service Spotify has been fined €5m by the Swedish regulator for breaches of Article 15 of the GDPR. The ruling comes four years after a complaint was first made by privacy campaigners noyb about how the streaming giant responds to data subjects’ subject access requests (SARs).
It accused Spotify of failing to provide adequate information in response to EU users’ requests on the purposes of processing, recipients, and international transfers, and more.
The complaint was originally filed in Austria but passed to Sweden where Spotify is headquartered under the GDPR’s one-stop-shop mechanism. It is one of a series of complaints made against video and music platforms, including Amazon, AppleMusic, Netflix, SoundCloud and YouTube.
noyb said that such violations of users’ data access rights were commonplace across many platforms, which often relied on automated systems to respond to SARs and failed to include all the information that users are entitled to obtain.
Spotify plans to appeal.
Key takeaways:
- Familiarise yourself with the new rules on subject access requests – including email chains, tribunals, CCTV footage, information from personal email or social media accounts, etc.
- Train your employees so they recognise SARs – and know how to respond to them.
- Be clear about what exemptions apply – for example, covering whistleblowing reports, confidential references, witness statements, crime and taxation, communications covered by legal professional privilege, and “mixed personal data” (where personal information relating to third parties is ‘mixed in’ with the data subject’s own information).
- Don’t use non-disclosure agreements as an excuse for inaction – Subject access rights cannot be overridden by “signed disclosure agreements or settlements”. The ICO is clear, “If a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights.”
- Automated processing – if you use automated systems or responses to respond to SARs, be sure to introduce simple ways for users to request human intervention or challenge a decision.
Co-op launches campaign to tackle ‘class ceiling’
Co-op has launched a campaign to tackle the ‘class ceiling’ - with a nine-point plan - and is calling on other businesses to adopt similar social mobility measures. It is also campaigning for socio-economic background to become the tenth protected characteristic under the Equality Act.
Working in partnership with social mobility charity Making the Leap, Co-op conducted research to capture the views and experiences of Lower Socio-Economic Background (LSEB) individuals across the UK.
The key findings were:
- Around a fifth of people believed they had missed out on a job due to their background, accent or social status.
- 10% had been teased because of their accent, with 11% changing the way they speak at work.
- 26% had changed the way they look for a job interview.
- 41% believed that what they achieve in life is determined by socio-economic background, with 29% agreeing that their accent and the way they talked reduced opportunities open to them.
- 72% would support a change in the law, making it illegal to discriminate against someone because of their socio-economic background.
These findings are replicated in the City, where just over a third (36%) from non-professional backgrounds progress to senior roles in financial services and where those from non-professional backgrounds are paid £17,500 less per year.
In December 2022, Progress Together – a government-backed “socio-economic diversity taskforce” – set targets for financial firms to improve socio-economic diversity at senior levels. It wants 50% of senior leaders in UK financial and professional services to come from a working-class or intermediate background by 2030.
“Too often our life chances are defined by things outside of our control – be that gender, ethnicity, disability or socio-economic background. It cannot be right that those from less advantaged backgrounds are almost twice as likely to end up in working class jobs than others from more privileged backgrounds. It’s a question of fairness.”
High-street names failed to pay the minimum wage
Over 200 companies have been named and collectively fined £7m for failing to pay the legal minimum wage.
Businesses were also forced to repay workers who were left out of pocket due to violations of the rules, which ranged from paying the incorrect apprenticeship levy to underpayments for uniform.
The list of 200 companies includes major high-street retailers like WH Smith, Lloyds Pharmacy, Marks & Spencer, Argos, as well as hotels and construction companies.
The breaches were uncovered following investigations by HMRC between 2017 and 2019. It was acknowledged that some of the breaches were unintentional.
“There is no excuse for underpaying workers. Paying the legal minimum wage is non-negotiable and all businesses, whatever their size, should know better than to shortchange hard-working staff.”
Odey loses ‘fit and proper’ status
Odey Asset Management (OAM) is disbanding and has been forced to suspend two hedge funds after a surge of redemption requests. It follows a report published by the Financial Times and Tortoise Media, where multiple allegations of sexual misconduct were made against its founder Crispin Odey.
OAM’s prime brokers – including Goldman Sachs, JP Morgan, Exane, and Morgan Stanley – moved quickly, reviewing their relationship with the firm and subsequently cutting ties in light of the allegations. Now investors are also demanding their money back.
According to the FT, the Financial Conduct Authority (FCA) is continuing to investigate claims of non-financial misconduct against Odey, having begun an investigation in 2021 after a court case in which Odey was acquitted of indecent assault.
OAM has confirmed that it is disbanding, and Crispin Odey’s ‘fit and proper’ status has since been removed from the FCA website. Odey ‘strenuously disputed’ all the allegations, claiming his relationships with the women were ‘consensual’ and that the FT report was a ‘rehash’ and politically motivated.
The FT also claimed senior executives at OAM knew of the allegations up to 16 years before launching their own investigation.
The HSE's hot weather advice
Firms should relax their dress codes to protect workers during the extremely hot weather, according to the Health and Safety Executive. The warning comes as authorities issued a heat-health alert across parts of the country.
While there is no legal maximum temperature, the regulator is urging companies to implement simple but effective measures to protect those working inside and out and manage the heat risk.
Among other things, the HSE suggests:
- Ensuring windows can be opened or closed to prevent hot air from building up
- Using blinds and reflective film on windows to shield workers from the sun
- Moving workstations away from direct sunlight
- Offering flexible working so people can work at cooler times of the day (e.g. 5am-1pm)
- Providing free access to drinking water
- Providing weather-appropriate personal protective equipment
- Relaxing dress codes, where possible
- Raising awareness of the symptoms of heat stress, how to manage and prevent it
“Last summer should have been a wakeup call for all employers. Climate change means we’re likely to get hotter summers and that could have a big impact on the workforce of this country, affecting everything from health of workers to productivity on construction sites. We know all employers are under pressure, and we don’t want to add to their burden, but it’s vital they think hard now about simple and cheap measures they can put in place to support workers should we see extreme heat again this summer.”
53% of UK banks expose customers to email fraud
More than half of UK banks are exposing customers to impersonation fraud, according to Proofpoint. The finding comes after it analysed the DMARC implementation strategies of 150 banks.
DMARC – the Domain-based Message Authentication, Reporting and Conformance protocol – lets a domain owner tell receiving mail servers how to handle messages that fail sender authentication checks before they are delivered, thereby helping to prevent impersonation attempts. There are three levels of protection – monitor, quarantine and reject.
Proofpoint found that:
- 30% had no DMARC protection in place at all, making them vulnerable to cybercriminals impersonating their domain and targeting customers.
- Only 47% of UK banks had implemented the highest and recommended level of protection (reject).
“With continuous digitalisation in the banking sector and increased usage of mobile apps by customers, it is crucial for these institutions to prioritise cybersecurity measures to safeguard against potential cyber threats. It is imperative for firms to remain vigilant and stay ahead of the evolving threat landscape to protect their customers’ data and money.”
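To make the three protection levels concrete, here is an added example (not code from the article or from Proofpoint) that parses the DMARC TXT record a domain publishes at `_dmarc.<domain>` and buckets a set of domains into “no DMARC”, monitor (`p=none`), quarantine and reject, which is the kind of classification a survey like the one above relies on. The domain names and records are constructed sample data, not real banks; the handling of a record with a missing or invalid `p=` tag follows RFC 7489, which tells receivers to fall back to `p=none` when a valid `rua=` address is present and otherwise to apply no DMARC processing.

```python
"""Classify DMARC posture from published _dmarc TXT records (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Protection levels from weakest to strongest. "monitor" is p=none: failing
# mail is still delivered, only reported on, which is why the article calls it
# the lowest of the three levels.
LEVELS = ("unprotected", "monitor", "quarantine", "reject")
POLICY_TO_LEVEL = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

# Constructed sample: what a TXT lookup of _dmarc.<domain> might return.
# None means nothing was published. These are made-up domains, not real banks.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": None,
    "bank-e.example": "v=DMARC1; p=reject; sp=none",
    "bank-f.example": "v=spf1 include:_spf.example -all",  # SPF text published by mistake
    "bank-g.example": "v=DMARC1; p=reject",
    "bank-h.example": "v=DMARC1; p=quarantine",
    "bank-i.example": "v=DMARC1; p=reject; pct=100",
    "bank-j.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Parse "v=DMARC1; p=reject; ..." into a tag dict (names lower-cased).

    Returns {} when no record exists or the text is not a DMARC record, e.g. an
    SPF record accidentally published at the _dmarc name. RFC 7489 requires
    v=DMARC1 to be the first tag, so anything else is treated as absent.
    """
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags: Dict[str, str] = {}
    for field in txt.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Return (protection level, caveats) for one domain's record."""
    tags = parse_dmarc(txt)
    if not tags:
        return "unprotected", ["no valid DMARC record published"]
    # Simple syntactic check for a usable aggregate-report address.
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    policy = tags.get("p", "").lower()
    level = POLICY_TO_LEVEL.get(policy)
    if level is None:
        # RFC 7489 s6.6.3: invalid/missing p= is treated as p=none if rua= is
        # usable, otherwise the receiver applies no DMARC processing at all.
        if has_rua:
            return "monitor", [f"missing or invalid p= tag {policy!r}; treated as p=none"]
        return "unprotected", [f"missing or invalid p= tag {policy!r} and no rua="]
    caveats: List[str] = []
    # pct= applies the policy to only a fraction of failing mail, so anything
    # below 100 means the stated level is only partially enforced.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if level != "monitor" and pct < 100:
        caveats.append(f"policy enforced on only {pct}% of failing mail")
    # sp= sets a separate policy for subdomains; a weaker one leaves them spoofable.
    sub = tags.get("sp")
    if sub is not None:
        sub_level = POLICY_TO_LEVEL.get(sub.lower(), "unprotected")
        if LEVELS.index(sub_level) < LEVELS.index(level):
            caveats.append(f"subdomain policy sp={sub} is weaker than p={policy}")
    if not has_rua:
        caveats.append("no rua= address, so aggregate reports are not collected")
    return level, caveats


def summarise(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count how many domains sit at each protection level."""
    counts = Counter(assess(txt)[0] for txt in records.values())
    return {level: counts.get(level, 0) for level in LEVELS}


def share(records: Dict[str, Optional[str]], level: str) -> float:
    """Percentage of domains at exactly this level (e.g. the 'no DMARC' share)."""
    return 100.0 * summarise(records)[level] / len(records)


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        level, notes = assess(txt)
        print(f"{domain:16} {level:12} {'; '.join(notes)}")
    print(summarise(SAMPLE_RECORDS))
    print(f"{share(SAMPLE_RECORDS, 'unprotected'):.0f}% unprotected, "
          f"{share(SAMPLE_RECORDS, 'reject'):.0f}% at reject")
```

In practice the record text would come from a DNS TXT lookup of `_dmarc.<domain>`; the caveats matter as much as the level, since a domain nominally at `p=reject` with `pct=50` or `sp=none` still leaves part of its mail stream open to impersonation.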
FATF adds to AML/CTF watchlist
The Financial Action Task Force (FATF) has added Cameroon, Croatia and Vietnam to its AML/CTF watchlist of jurisdictions under increased monitoring.
The latest additions mean that 26 jurisdictions are currently working with the FATF to resolve deficiencies in their regimes to combat financial crime. All three countries have made high-level commitments to strengthen their regimes and address shortcomings.
The FATF stopped short of imposing enhanced due diligence on the countries but suggests a risk-based approach be applied in all dealings with those regions.
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.