We've examined the top compliance news stories of 2024, from major data breaches and bribery settlements to record fines.
Our pick of the top compliance stories of 2024
- HSBC fined £57.4m for serious failings
- Employee wins £426k in legal right to be boring
- Crackdown on AI in recruitment by Big Four
- Bet365 fined £582k for customer inadequacies
- Citigroup fined for £1.1bn 'fat finger' error
- Over a dozen fired by Wells Fargo
- HealthEquity data breach exposes sensitive data
- HS2 pays a £6.2m settlement to HMRC
- Deere executives bribed officials with improper gifts
- TD Bank hit with a record $3bn AML fine
- UK-US partner to strengthen online child safety
- NatWest blocks WhatsApp in crackdown
- McKinsey to pay $122m for bribery in South Africa
Take a look at our summary of key compliance fines in 2023 too!
HSBC fined £57.4m for serious failings
HSBC Bank has been fined £57.4m by Britain's Prudential Regulation Authority (PRA) for failing to accurately identify customer deposits eligible for protection under the Financial Services Compensation Scheme (FSCS) between 2015 and 2022.
The scheme safeguards customer deposits up to £85,000. The PRA revealed that 99% of HSBC's eligible beneficiary deposits were incorrectly marked as "ineligible" for FSCS protection. The bank also provided inaccurate evidence regarding its compliance with deposit protection rules.
The PRA imposed its second-highest fine ever, emphasising the severity of the shortcomings. In recognition of HSBC's cooperation in admitting the rule breaches, a 15% reduction was applied to the penalty.
"The serious failings in this case go to the heart of the PRA's safety and soundness objective. It is vital that all banks comply fully with our requirements around preparedness for resolution,"
Key takeaways:
- Know which regulatory data you are required to flag accurately - in HSBC's case, which customer deposits are eligible for FSCS protection - and test that flagging end to end rather than assuming it is right
- Treat a systematic misclassification as a control failure, not a data-entry problem - 99% of eligible deposits marked "ineligible" points to a rule or process that was never validated
- Check the evidence you give regulators before you submit it - HSBC was penalised for inaccurate evidence of compliance as well as for the underlying errors
- Keep resolution and depositor-protection preparedness under regular review - the PRA treats these as going to the heart of its safety and soundness objective
- Cooperate early once a failing is found - HSBC's admission earned a 15% reduction in the penalty
Employee wins £426k in legal right to be boring
An employee, referred to as Mr. T, was terminated from his position at consulting firm Cubik Partners. The grounds for dismissal were that he refused to participate in the company's team-building activities, which primarily involved partying and drinking after work hours.
The company cited his lack of participation as being "insufficient professionally". However, Mr T challenged his dismissal in court, arguing that he had the right to reject company practices that encouraged excessive behaviour. At an employment hearing in France in late 2022, the court ruled in favour of Mr T, awarding him nearly half a million euros in compensation.
The court documents revealed that the company events fostered an environment of excessive alcohol consumption, promiscuity, bullying, and other inappropriate behaviours, which Mr T objected to. This legal victory was dubbed the 'legal right to be boring', emphasising the importance of respecting employees' choices regarding participation in company activities.
Crackdown on AI in recruitment by Big Four
Deloitte, EY, KPMG and PwC are trying to eliminate the use of AI by job applicants in the recruitment process. There are concerns that the use of generative AI tools (such as ChatGPT) may give some candidates an unfair advantage.
"While AI, including GenAI, can be useful in research, we tell candidates they should not use these tools during any assessment."
Firms are using technology to detect plagiarism and AI, monitoring for 'exceptional' scores in tests.
But there's a danger of employers missing out on key talent as a result. Research by Arctic Shores and Opinium into attitudes to AI in the hiring process found:
- 72% of students and applicants regularly used some kind of generative AI
- 32% said they would not want to work for an employer who said they couldn't use generative AI in the application process
- 30% believed such an employer was not very progressive
The stakes are high. Research by Arctic Shores, in collaboration with UCL researchers, found that ChatGPT consistently outperformed human candidates in verbal reasoning and helped place candidates in the top 70 percentile in Situational Judgment tests. ChatGPT also provides answers for personality-based assessments matched specifically to job descriptions.
"Given Generative AI's rapid adoption, the obvious and logical answer is not simply to deter or detect AI usage, but to refocus hiring strategies to incorporate Chat-GPT-proof assessments if they want to see a candidate's true ability"
Bet365 fined £582k for customer inadequacies
The UK Gambling Commission (UKGC) has fined Bet365, one of the UK's biggest online gambling operators, £582,000 for customer inadequacies. The regulator said it had found weaknesses in Bet365's processes in terms of its anti-money laundering and social responsibility obligations.
Among UKGC's concerns were:
- Bet365's inadequate customer due diligence, including verifying the source of funds used for gambling
- Failure to conduct sanctions screening checks on new customers before the first deposits were made
- An overreliance on customers' self-verification of Know Your Customer (KYC) information (e.g. ID documents)
- Weak transaction monitoring, with poor systems of identifying suspicious activity, enabling potential laundering
- Weaknesses in Bet365's systems for detecting and preventing problem gambling, including failure to flag concerning patterns of play and not offering support
"We expect high standards from operators in terms of keeping gambling safe, fair and crime-free, and will always take action to correct any failings. This operator is very aware that a repeat of these failings will result in escalating regulatory action,"
All of the £582k will be directed towards socially responsible causes. Bet365's revenue grew to £3.39 billion last year.
Citigroup fined for £1.1bn 'fat finger' error
Citigroup has been fined £62m by UK regulators after a 'fat finger' error by one of its traders working on the London Delta 1 desk caused a 'flash crash'. On 2 May 2022, the trader had intended to sell a basket of equities to the value of $58m. But, due to an inputting error when entering the basket in the order management system, a basket for $444bn was created instead.
Citigroup's controls blocked $255bn of the basket, but the remaining $189bn was sent to a trading algorithm designed to sell the shares over the rest of the day. A total of $1.4bn of equities was sold across European exchanges before the trader cancelled the order 15 minutes later, coinciding with a sharp drop in European markets that lasted a few minutes.
Regulators said the order generated 711 alerts, but the trader could override them by clicking through. Only the first 18 lines of the alert pop-up were visible, and the trader was not required to scroll down to view the rest before overriding.
Some primary controls were absent or deficient. There was no hard block to reject the entire order and stop it from reaching the market. In addition, the bank's real-time monitoring was 'ineffective', meaning it was 'too slow' to escalate alerts.
The FCA's final notice also mentions understaffing. It happened on a bank holiday when those usually monitoring trades on CitiSmart, the bank's algorithmic trading system, were on leave. Responsibility for monitoring was passed to the Electronic Execution (EE) desk, which did not recognise the seriousness of the mistake.
The post-trade monitoring team, the E-Trading Risk and Controls (ETRC) team, initially failed to escalate the error because their monitoring system filtered out all but eight of the alerts. Nobody responded when the ETRC team flagged it to the EE desk 20 minutes after the trader cancelled the order. A follow-up email was sent four hours later.
In addition, the bank had compliance shortages. One of its roles had remained unfilled for a year, resulting in "insufficient staffing levels within EMEA with the requisite skills and experience that was performing that monitoring".
"We are pleased to resolve this matter from more than two years ago, which arose from an individual error identified and corrected within minutes. We immediately took steps to strengthen our systems and controls and remain committed to ensuring full regulatory compliance," said a Citi spokeswoman.
However, far from being a one-off incident, the PRA noted that "the Firm's breaches persisted over a period of 4 years". Worryingly, equities derivatives traders made 985 changes to Citi's pre-trade validation checks between January 2020 and February 2021 without risk and compliance council (RCC) approval.
Imposing a £28m fine, the FCA said, "The FCA expects firms engaged in trading activities, including those using algorithmic trading, to have effective systems and controls in place to stop errors like this occurring."
"These failings led to over a billion pounds of erroneous orders being executed and risked creating a disorderly market. We expect firms to look at their own controls and ensure that they are appropriate given the speed and complexity of financial markets."
The Prudential Regulation Authority (PRA) also imposed a £34m fine. The fines qualified for a 30% discount because the bank did not dispute the findings and agreed to settle. Citigroup lost $48m as a result of the error.
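The control gaps the regulators describe above - no hard block on the whole basket, an alert pop-up that could be clicked through without being read, and pre-trade validation settings changed without RCC approval - translate into a few design rules: decide on the whole order rather than routing part of it, make anything above a limit a rejection or a four-eyes hold rather than a warning, and put limit changes under dual control with an audit trail. The Python below is an added, illustrative example written for this article; it is not Citi's system or code, and the limit values, role names, approval rule and sample baskets are all assumptions. It does not attempt to reproduce the actual figures from the FCA notice.

```python
"""Added example: a fail-closed pre-trade basket check with dual-controlled limits.

Illustrative only; not Citi's system. Limit values and roles are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"   # held until a second person approves; no click-through
    REJECT = "reject"   # hard block: the whole basket is dropped, nothing routes


@dataclass(frozen=True)
class Limits:
    hard_block_usd: float  # any basket above this is rejected outright
    review_usd: float      # baskets above this wait for four-eyes approval
    max_line_usd: float    # ceiling per line, a cheap fat-finger catch


@dataclass(frozen=True)
class Line:
    symbol: str
    qty: int
    price: float

    @property
    def notional(self) -> float:
        return self.qty * self.price


@dataclass
class Result:
    decision: Decision
    total_usd: float
    alerts: List[str] = field(default_factory=list)


def check_basket(lines: List[Line], limits: Limits) -> Result:
    """Return one decision for the whole basket; never route part of it."""
    total = sum(line.notional for line in lines)
    alerts = [
        f"{line.symbol}: line notional {line.notional:,.0f} > {limits.max_line_usd:,.0f}"
        for line in lines
        if line.notional > limits.max_line_usd
    ]
    if total > limits.hard_block_usd:
        alerts.append(f"basket notional {total:,.0f} > hard block {limits.hard_block_usd:,.0f}")
        return Result(Decision.REJECT, total, alerts)
    if total > limits.review_usd or alerts:
        # Anything alerting is held for a human, not dismissed by the trader.
        return Result(Decision.REVIEW, total, alerts)
    return Result(Decision.ACCEPT, total, alerts)


REQUIRED_ROLES = frozenset({"RCC"})  # assumed: risk and compliance sign-off is mandatory


def apply_limit_change(current: Limits, requested_by: str, new: Limits,
                       approvals: Dict[str, str], audit: List[str]) -> Limits:
    """approvals maps approver user -> role. Loosening needs RCC; nobody self-approves.

    Tightening a limit is allowed without approval (it only makes the control stricter).
    """
    loosening = (new.hard_block_usd > current.hard_block_usd
                 or new.review_usd > current.review_usd
                 or new.max_line_usd > current.max_line_usd)
    missing = REQUIRED_ROLES - set(approvals.values())
    if requested_by in approvals:
        audit.append(f"DENIED {requested_by}: self-approval")
        return current
    if loosening and missing:
        audit.append(f"DENIED {requested_by}: no approval from {sorted(missing)}")
        return current
    audit.append(f"APPLIED change by {requested_by}, approved by {sorted(approvals)}")
    return new


# Constructed sample data (not figures from the FCA notice).
LIMITS = Limits(hard_block_usd=10e9, review_usd=1e9, max_line_usd=500e6)
INTENDED = [Line("AAA", 1_000_000, 29.0), Line("BBB", 1_000_000, 29.0)]   # $58m
# The same basket with the quantity field mistyped by three extra zeros.
FAT_FINGER = [Line(l.symbol, l.qty * 1000, l.price) for l in INTENDED]    # $58bn

if __name__ == "__main__":
    for name, basket in (("intended", INTENDED), ("fat-finger", FAT_FINGER)):
        r = check_basket(basket, LIMITS)
        print(f"{name}: {r.decision.value} total={r.total_usd:,.0f}")
        for a in r.alerts:
            print("   alert:", a)
    log: List[str] = []
    looser = Limits(hard_block_usd=1e12, review_usd=1e9, max_line_usd=500e6)
    apply_limit_change(LIMITS, "trader1", looser, {"trader1": "desk"}, log)
    apply_limit_change(LIMITS, "trader1", looser, {"rcc_user": "RCC", "desk_head": "desk"}, log)
    print("\n".join(log))
```

The point of the structure is that the trader is never asked to read 711 alerts: the check reduces them to one decision on the whole basket, and the only two outcomes other than a clean accept are a rejection nothing can override, or a hold that a different person must release. The limit-change function is the counterpart to the 985 unapproved changes to pre-trade checks mentioned above: a loosening without the required role, or any change approved by its own requester, is refused and logged.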
Over a dozen fired by Wells Fargo
Wells Fargo has fired more than a dozen employees for faking keyboard activity as part of a crackdown on hybrid workers' non-compliance.
The Wall Street bank made the disclosure in broker filings with the Financial Industry Regulatory Authority (FINRA). It confirmed that workers had been dismissed or resigned "after review of allegations involving simulation of keyboard activity creating impression of active work".
"Wells Fargo holds employees to the highest standards and does not tolerate unethical behaviour," said spokesperson Laurie Kight.
All those dismissed worked in its investment and wealth divisions, with at least one individual having seven years of service.
The bank did not say how the alleged issue was discovered or what techniques workers had used to trick bosses into thinking they were working. But during the pandemic, there was a boom in devices like "mouse jigglers", which simulate somebody working.
Since then, firms have rolled out increasingly sophisticated tools to monitor work activity, including eye movements, screenshots and website logs.
This month, FINRA reinstated workplace rules in the US requiring home offices used by brokers to be inspected every three years, putting a strain on hybrid working arrangements.
Barclays and Citigroup told staff last month that under the new rules they would need to come into the office five days a week, and that FINRA's crackdown would make it harder to keep remote workers.
It remains to be seen whether evidence of workers gaming the system like this, combined with newly reinstated rules, will accelerate a return to the daily commute. But hey, there's always free fruit…
HealthEquity data breach exposes sensitive data
Healthcare fintech firm HealthEquity reported a data breach after a partner's account was compromised, allowing hackers to access the company's systems and steal protected health information.
The breach was detected through unusual behaviour from a partner's device, prompting an investigation. This revealed that the compromised account was used to exfiltrate sensitive health data, including personally identifiable information of some members.
HealthEquity is a major provider of health savings accounts (HSAs) and other benefits. It has started notifying affected individuals and is offering free credit monitoring and identity restoration services. Despite the breach, no malware was found on its systems, and business operations remain unaffected.
The company is assessing the incident's impact and response costs but does not anticipate significant effects on its business or financial results.
HS2 pays a £6.2m settlement to HMRC
High Speed Two (HS2), the UK body responsible for developing the high-speed rail network, paid £6.2 million to HM Revenue & Customs (HMRC) to settle a breach of the IR35 tax avoidance rules. Originally, HS2 had set aside £10.2 million for this settlement, but the final amount was significantly lower.
The issue arose from a review of HS2's compliance with IR35, which began in May 2022. The review focused on how the organisation adapted to the public sector IR35 reforms introduced in April 2017.
HS2's 2023–24 annual report confirms the review is now complete, and no further provisions are needed. During the last financial year, HS2 employed 339 off-payroll workers, with 94% classified as working within the IR35 rules.
Key takeaways:
- Regular compliance reviews: organisations should conduct regular compliance reviews, especially when adapting to new regulations, like the public sector IR35 reforms introduced in 2017. Early identification of issues can prevent penalties.
- Accurate classification: properly classifying workers under IR35 is crucial. HS2's experience highlights the importance of assessing each off-payroll worker's status to ensure compliance with tax regulations.
- Proactive provisioning: setting aside funds for potential liabilities, as HS2 did with the £10.2 million provision, is a prudent measure. Even if the final settlement is lower, being prepared helps manage financial risk.
- Clear documentation: maintaining clear and detailed records of compliance efforts and worker classifications is essential. HS2's successful conclusion of the review indicates the value of thorough documentation.
Deere executives bribed officials with improper gifts
The Illinois-based tractor and heavy machinery manufacturer John Deere has agreed to pay $9.93 million to settle a bribery probe.
According to the SEC, its Thailand subsidiary offered improper gifts to officials at the Royal Thai Air Force, Thailand's Department of Highways and its Department of Rural Roads to secure multiple government contracts.
Between 2017 and 2020, managers and employees at its Wirtgen unit offered bribes in the form of cash, meals, sham consulting fees, and trips to massage parlours. International travel and sightseeing trips to European countries were disguised as "factory visits".
The improper payments were all recorded as legitimate business expenses. The unit made a $4.3m profit as a result of the bribes. Although Deere acquired Wirtgen in 2017, it had failed to integrate the unit into its compliance and controls environment.
“This action is a reminder for corporations to promptly ensure newly acquired subsidiaries have all the necessary internal accounting control processes in place,”
Its actions had violated the recordkeeping and internal accounting controls provisions of the Foreign Corrupt Practices Act. However, the regulator acknowledged Deere's cooperation, the termination of those involved in misconduct, and its strengthening of compliance procedures and anti-bribery training.
In a statement, Deere said, "These allegations represent a clear violation of our company policies and ethical standards. They are in direct conflict with our core values - particularly our commitment to integrity - and we strongly condemn such practices."
Key takeaways:
- Arrange monitoring and oversight of all subsidiaries and associated persons (including agents) acting on your behalf - and ensure they sign up to your policies
- Arrange training - so everyone can spot red flags and is aware of the different forms that bribery can take
- When making acquisitions, protect your company's reputation - check for historical breaches and confirm the target has the necessary accounting controls and processes in place
- Get the "tone at the top" right - senior executives are accountable and bear responsibility for setting a good example and role modelling the right behaviour
- Don't offer anything of value to public officials - including gifts and hospitality. If this is unavoidable, get approval first from Compliance
- Keep accurate and proper records - don't try to disguise improper payments as legitimate business expenses. You will be caught!
- Remember, many anti-bribery laws have extra-territorial reach - meaning your company can be prosecuted for bribes paid anywhere in the world.
Read our Bribery & Prevention Roadmap
TD Bank hit with a record $3bn AML fine
TD Bank has agreed to pay $3 billion to settle charges for failing to monitor money laundering activities linked to drug cartels. This includes a record-breaking $1.3 billion penalty to the US Treasury’s Financial Crimes Enforcement Network and an additional $1.8 billion to the US Justice Department.
As part of the settlement, TD Bank will also plead guilty to violations of the Bank Secrecy Act. The Department of Justice highlighted TD's "systemic deficiencies" in transaction monitoring, with over 90% of transactions going unreviewed from January 2018 to April 2024. This oversight enabled money laundering networks to transfer more than $670 million through TD accounts.
"By making its services convenient for criminals, it became one. I want to be clear, these systemic failures did not just create hypothetical vulnerabilities, but they resulted in actual, material harm to American citizens and communities. Time and again, unlike its peers, TD Bank prioritised growth and profit over complying with the law."
TD Bank is strengthening its anti-money laundering efforts by hiring over 700 specialists with expertise in financial crime prevention and implementing enhanced processes to improve detection and risk assessment.
Additionally, the bank will undergo four years of monitoring by the US Financial Crimes Enforcement Network (FinCEN) to ensure compliance with the new measures.
Key takeaways:
- Implement multi-year compliance overhaul: Invest in monitoring, reporting, and preventative measures to ensure compliance with AML regulations.
- Expand Anti-Money Laundering (AML) staffing and resources: TD Bank's failure to detect and prevent money laundering highlights the need for a stronger AML programme with adequate staff training and expertise in compliance.
- Assume accountability and cooperate with investigations: Cooperation demonstrates a commitment to transparency and regulatory compliance moving forward.
UK-US partner to strengthen online child safety
The UK and US governments have announced a joint commitment to tackle online child sexual abuse by enhancing international cooperation to remove harmful content and prevent exploitation.
This partnership will establish a joint working group on children’s online safety, encouraging online platforms to accelerate protective measures, especially for end-to-end encrypted services, and address the growing issue of AI-generated child abuse content.
The Internet Watch Foundation (IWF) supports this collaboration, emphasising the importance of including civil society expertise in developing strategies to safeguard children online.
The IWF, which has worked with tech providers since the 1990s, stresses that global online safety initiatives—such as the UK’s Online Safety Act and similar EU legislation—are essential for holding platforms accountable in combating harmful and illegal content. This coordinated effort signals a strong, shared resolve to prioritise children’s online safety worldwide.
NatWest blocks WhatsApp in crackdown
NatWest has banned staff from using WhatsApp, Skype and other 'off-channel' communications and blocked access to those apps on company devices in the UK.
"Like many organisations, we only permit the use of approved channels for communicating about business matters, whether internally or externally,"
Banks are required to keep records of all communications to prevent market abuse and misconduct. However, record-keeping is impossible if messages are sent via unauthorised or ephemeral messaging apps, which prevents proper scrutiny.
Since 2021, the Securities and Exchange Commission has fined Wall Street banks, including Wells Fargo, Citigroup, and Goldman Sachs, over $2 billion.
In the UK, Ofgem fined Morgan Stanley £5.4 million after energy traders used WhatsApp to discuss deals, and the PRA also censured Wyelands Bank for "poor retention of WhatsApp messages".
WhatsApp and informal messaging apps can blur the line between work and social communications. This can facilitate inappropriate exchanges, bullying, and the unauthorised sharing of sensitive information.
Key takeaways:
- Only use approved apps when communicating with clients and colleagues - to ensure robust record-keeping
- Know company expectations - for example, are integrated third-party monitoring tools (e.g., Movius, Symphony, Smarsh) used? What messaging apps are approved by your company? What alternatives does your company recommend (e.g., messaging functions on the Bloomberg Terminal, email, etc)?
- Be proactive - if someone messages you on LinkedIn, Signal or another unauthorised channel, always move the conversation back to an approved channel
- Live your company values - it is never acceptable to share offensive or inappropriate content via WhatsApp
- Follow the 'need to know' principle - never share commercially sensitive information in group chats or via unauthorised channels.
McKinsey to pay $122m for bribery in South Africa
Christmas is a time for giving, but sometimes gifts are not appropriate…
A McKinsey subsidiary will pay over $122 million to settle claims that bribes were paid to officials at two state-owned companies in South Africa between 2012 and 2016 in return for lucrative consulting contracts.
Former senior partner of McKinsey's South Africa office, Vikas Sagar, previously pleaded guilty to conspiracy to violate the FCPA. McKinsey Africa paid bribes to officials at Transnet SOC Ltd, the state-owned custodian of South Africa's ports, rails and pipelines, and Eskom Holdings SOC Ltd, a state-owned energy company.
In return, McKinsey Africa obtained sensitive, confidential and non-public information about consulting contracts from Transnet and Eskom. It also submitted proposals for engagement, knowing that the firm with which it was partnering was using a percentage of its fees to bribe officials.
McKinsey and its subsidiary McKinsey Africa made profits of $85 million. McKinsey said it had investigated and terminated Sagar's employment over seven years ago, adding that it was "deeply remorseful" and had "zero tolerance" for bribery. It had also repaid the fees in full to the state-owned companies.
Key takeaways:
- Know your company's gifts and hospitality rules - be sure to comply with the limits and thresholds
- Ensure adequate supervision and oversight of anyone working directly with government officials - especially those working remotely, off-site, or through agents
- Arrange training for your team - so they can identify red flags and practise appropriate responses in advance
- Put systems and controls in place - so that gifts and hospitality with government officials require extra approval from Compliance or Legal
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have additional free resources such as e-learning modules, microlearning modules, and more.
Explore our collection
Written by: David Mangion
David Mangion is an e-learning consultant at Skillcast. Since completing his MA in English at the University of Malta, David has been writing marketing, lifestyle and educational content as well as teaching English. He now helps Skillcast clients to develop bespoke e-learning courses.
