Skillcast Blog

Compliance News | June 2025 | Skillcast

Written by Emmeline de Chazal | 26 Jun 2025

This month's key compliance news includes one of the largest password leaks of all time, financial services' Big Four favouring AI over graduates, the British Virgin Islands added to FATF's updated grey list, and more.

Our pick of compliance stories this month


16bn Apple, Google, etc. passwords leaked

Researchers have uncovered what could be the largest-ever password leak: 16 billion login credentials from social media, VPNs, developer portals, and major vendors like Apple, Facebook, and Google. These credentials, collected from multiple info-stealing attacks, represent fresh and weaponisable data, not recycled breaches, and pose a massive risk for phishing and account takeovers.

The leak is so vast and new that it hasn’t been reported before, signaling a shift in how cybercriminals store and share stolen data - moving from informal channels like Telegram to massive centralised databases. While there was no direct breach of companies like Apple or Google, the stolen credentials include login details for their services, making reused passwords across accounts extremely dangerous.

This massive exposure highlights why stronger security measures, like passkeys, and vigilance against phishing attempts are more critical than ever.

Switzerland fines Pictet for money laundering

A former wealth manager at Swiss private bank Pictet has received a six-month suspended prison sentence, and the bank itself has been fined 2 million Swiss francs ($2.5 million) for failing to prevent money laundering tied to Brazil's Petrobras corruption scandal, the Swiss government announced.

The case involved over $4.1 million in suspicious transfers between 2010 and 2013 from an offshore account linked to a Petrobras employee. Swiss prosecutors said Pictet failed to take necessary precautions to stop funds with criminal origins from being moved, citing internal organisational failings.

The former manager was convicted of aggravated money laundering. Pictet said the resolution does not imply guilt or liability and does not affect its core business lines. This is part of Switzerland’s wider investigation into the sprawling Petrobras-related “Operation Car Wash” probe, Brazil’s largest-ever corruption case.

Key takeaways:

  • Strengthen internal controls: Robust internal procedures are essential to detect and prevent suspicious transactions.
  • Conduct enhanced due diligence: High-risk clients and offshore structures require rigorous scrutiny.
  • Ensure staff accountability: Front-line employees must understand and comply with anti-money laundering (AML) obligations.
  • Monitor for red flags: Identify and act on unusual transaction patterns that may indicate criminal origins.
  • Maintain AML compliance across all business lines: Organisational failings can lead to regulatory and reputational consequences.
  • Stay alert to global investigations: Firms must cooperate with and prepare for cross-border enforcement linked to major corruption probes.

 

Big Four cut graduate jobs in favour of AI

The UK’s Big Four accountancy firms—KPMG, Deloitte, EY, and PwC—have significantly cut graduate job roles as they increasingly adopt artificial intelligence (AI) to automate junior-level tasks. KPMG made the largest reduction, slashing its 2023 graduate intake by 29%, with others following suit. The shift marks a major change in the traditional entry-level career route for young professionals.

Alongside automation, firms are offshoring more work to low-cost hubs overseas, further reducing domestic hiring. Graduate job ads in the accountancy sector have dropped 44% year-on-year.

However, critics argue this could be a strategic misstep.

"The claim that AI will replace half of entry-level white-collar jobs is most likely based on speculation than reality. While AI is certainly changing how we work, particularly in automating repetitive tasks, the idea of widespread replacement is greatly exaggerated."

- Ronni Zehavi, CEO and co-founder, HiBob

Firms should focus on upskilling employees to work alongside AI, rather than replacing them entirely.

Interestingly, while entry-level roles are shrinking, the Big Four are investing in AI assurance, a new growth area focused on auditing AI systems for safety, fairness, and accuracy. This move suggests that new types of careers may emerge within the profession, raising questions about how firms will develop talent pipelines to fill them.

EU, UK to reset food, mergers, and carbon trading rules

Four years after Brexit, the UK and EU have launched a wide-ranging “reset” deal aimed at reducing trade barriers and boosting cooperation. It eliminates routine checks on agri-food exports, harmonises carbon trading rules, extends fishing rights, restores e-gate access for UK travellers, and eases youth and business mobility.

Additional agreements include linking carbon markets, joining EU defence initiatives, restoring pre-2026 steel quotas, and strengthening law enforcement and energy cooperation. While the rules are still being finalised, the reset signals a shift toward practical collaboration. Prime Minister Keir Starmer characterised it as a fresh start: "time to move past stale debates with common-sense solutions".

Bolivia and Virgin Islands (UK) added to FATF grey list

The Financial Action Task Force (FATF) has added Bolivia and the British Virgin Islands (UK) (BVI) to its "grey list" of jurisdictions under increased monitoring. The move highlights strategic deficiencies in the BVI’s anti-money laundering and counter-terrorist financing framework, particularly gaps in beneficial ownership transparency, financial supervision, and suspicious activity reporting.

The BVI government has committed to corrective actions, including strengthening oversight of trust and corporate service providers, improving beneficial ownership data access, ensuring high-quality suspicious activity reports, increasing money-laundering investigations, and enhancing asset seizure capabilities.

Immediate compliance actions firms should take include:

  • Conducting risk impact assessments on relationships involving BVI entities
  • Enhancing due diligence and ongoing monitoring of BVI-related clients
  • Updating AML policies, transaction monitoring systems, and staff training to reflect newly elevated risk

This grey-listing means corporations working with BVI entities must act promptly to mitigate exposure and support regulatory expectations.

Irish data regulator fines government

Ireland’s Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for unlawfully processing biometric data through its Public Services Card (PSC) SAFE 2 registration scheme. The DPC found multiple breaches of the GDPR, highlighting that the department failed to establish a sufficiently clear legal basis for collecting and storing sensitive facial biometric data from around 70% of Ireland's population.

The DPC also issued a formal reprimand and ordered the DSP to stop processing this data within nine months unless it can meet GDPR standards. While the DSP defended its legal justification, it acknowledged the Commission's concerns about lack of clarity. This case signals increasing regulatory scrutiny across Europe of biometric data usage in public digital identity systems.

Key takeaways:

  • Ensure a clear legal basis: Sensitive biometric data processing must have a specific and legally robust justification under GDPR.
  • Limit data collection scope: Avoid large-scale collection of biometric data without demonstrable necessity and proportionality.
  • Enhance legislative clarity: Public programs must rely on precise legal frameworks to justify data processing activities.
  • Prepare for enforcement: Regulatory bodies may issue fines and require operational changes for non-compliant data practices.
  • Monitor evolving standards: Stay aligned with EU-wide scrutiny and legal expectations around biometric and digital identity systems.
  • Plan for remediation: Be ready to cease or revise data processing if compliance deficiencies are identified.
