Here's our selection of the most informative compliance news stories this month - stories about lapses, errors of judgement and downright disregard of laws, regulations and standards of integrity. You'll also find links here to free resources for you to use in your compliance programme. Select the links or scroll down for more details.
- FOI request uncovers dire reporting pre-GDPR
- 80% rise in modern slavery
- WhatsApp, etc upgrade to FCPA Policy
- From the red carpet to red flag: Bribery in Hollywood
- Carphone Warehouse fined £29m for mis-selling insurance
- ING banned from taking on new clients in Italy
- EU updates tax haven blacklist
- Secret garden: the UK's £100bn secret properties
- Bricks and mortar laundering
- Norsk Hydro: Cyberattack impacts operations
- Danske Bank execs lose bonuses
- Google fined (again) by EU
FOI request uncovers dire reporting pre-GDPR
How long would it take you to spot a data breach? And how soon would you inform the Information Commissioner about it?
Under GDPR, companies have just 72 hours to notify the supervisory authority of data breaches. But it wasn't always like this.
- Pre-GDPR, companies took - on average - 60 days to uncover data breaches (with one taking a mind-boggling 1,320 days before realising there was a problem).
- Typically, companies might then take around three weeks to notify the ICO.
- Some even waited until the end of the week to file their report - surely not an attempt at damage limitation to avoid negative publicity?
These surprising findings were uncovered by cybersecurity provider Redscan, following a FOI request made to the ICO and analysis of 182 data breach reports.
Mark Nicholls - director of cyber security at Redscan - said, "The fact that so many businesses failed to provide critical details in their initial reports … says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises."
There was some good news, though. Financial services and legal services performed slightly better, taking on average 16 and 20 days respectively to report incidents.
For more cybersecurity insights in the financial services sector, check out the FCA's report.
Do your staff know everything they need to about GDPR? Skillcast provides a complete digital training solution for GDPR compliance with a library of 20+ e-learning courses.
80% rise in modern slavery
There has been an increase of over 80% in the number of modern slavery cases, according to the latest figures released by the National Crime Agency.
- In 2018, there were 6,993 reported victims (compared with 5,142 in 2017)
- Victims came from 130 countries - although British citizens made up the largest group (with Albanians and Vietnamese second and third)
- The number of minors referred had increased by 48% - attributed to gangs exploiting a loophole in the Modern Slavery Act
- Half of all referrals involved labour exploitation
From 29 April 2019, the Home Office will become the single competent authority for handling all referrals.
NCA Deputy Director Roy McComb said, "We cannot stop modern slavery alone, we need support and assistance from across the public and private sectors, NGOs and most of all the public themselves."
Do you know what signs to look for? Do you have a Modern Slavery statement? Download a free template and get in touch with us if you need help to conduct staff training for prevention of modern slavery.
WhatsApp, etc upgrade to FCPA Policy
Countless scandals, including the LIBOR rate-rigging and multiple insider trading cases, illustrate the challenges many companies face in managing unofficial chat platforms - such as WhatsApp, Viber, Signal and WeChat. But the US Department of Justice (DOJ) has offered a concession.
It has amended the FCPA Corporate Enforcement Policy and will now allow companies to use 'ephemeral messaging platforms' on condition that appropriate business records are kept of those communications.
This is something of a double-edged sword for businesses. While it better reflects the reality that many people use their personal devices for both work and personal purposes, companies should now review their policies to ensure there are adequate controls in place.
There is no official guidance, but companies should:
- Identify potential conflicts of interest - between legal obligations and typical employee behaviour
- Assess whether messaging apps should be restricted to company-owned devices or whether there are BYOD policies in place
- Consider whether there is a need to buy enterprise versions of messaging apps which enable communications to be stored
- Decide whether to continue to enforce a complete ban if records cannot be kept
- Think about what controls and safeguards are most appropriate, based on the level of risk
- Determine whether messaging apps are high risk (e.g. for those in specific roles) and whether they provide the required protection (e.g. legal purposes)
- Review and update existing IT, data protection and privacy policies
Skillcast offers an e-learning module on the Responsible Use of Social Media as part of our Compliance Essentials library.
From the red carpet to red flag: Bribery in Hollywood
Hollywood stars Lori Loughlin and Felicity Huffman are among 50 people charged with paying bribes to secure places for their children at elite US colleges. An FBI investigation - aptly codenamed Operation Varsity Blues - uncovered the $25m admissions scandal in which coaches were bribed to declare the offspring of the wealthy as elite athletes, insiders were paid to ensure entrance exams were passed and - in some cases - people were hired to sit entrance exams for candidates.
Since 2011, William Singer had conspired with parents to get their children into many of the US's prestigious colleges - including Yale, Stanford, Georgetown and the University of Southern California. The scam was uncovered after a tip-off given to investigators who were looking into a securities fraud.
Loughlin has since been dropped by Hallmark Channel and Netflix.
Carphone Warehouse fined £29m for mis-selling insurance
The Financial Conduct Authority has fined Carphone Warehouse £29 million for mis-selling its Geek Squad insurance service.
Over a seven-year period, the firm made £444.7 million from regulated sales of its Geek Squad policies. However, sales staff were not trained to assess customer needs or whether the policy was suitable, and often recommended policies to customers who already had cover. 35% of policies were cancelled in the first three months.
While high cancellation rates are a red flag indicating potential mis-selling, management failed to act or properly investigate complaints.
The investigation took place after whistleblowers raised the alarm. The FCA found the company breached Principles 3, 6 and 9 of the Principles for Businesses.
"Without whistleblowers coming forward these practices may never have come to light", an FCA spokesman confirmed.
Take a look at Skillcast's FCA compliance e-learning library, with over 60 modules covering everything staff in financial services businesses need to know about FCA regulations.
ING banned from taking on new clients in Italy
Following concerns about its AML processes, Italy's central bank Banca d'Italia has ordered Dutch lender ING to stop taking on new customers until it improves its client screening programme.
ING was fined €775 million by the Dutch regulator last year for shortcomings in its due diligence processes and for failing to report suspicious or unusual transactions over a six-year period.
Prosecutors have now launched an official investigation in Italy alleging ING did not do enough to prevent financial crime. Existing customers remain unaffected.
Skillcast offers Anti-Money Laundering e-learning courses for UK and Global staff. Take a look here.
EU updates tax haven blacklist
The European Union has updated its list of jurisdictions considered non-cooperative for tax purposes, otherwise known as the tax haven blacklist.
Five countries that were originally on the list - the US Virgin Islands, Samoa, Trinidad and Tobago, American Samoa and Guam - have now been joined by ten new names - including Aruba, Barbados, Belize, Bermuda, Fiji, and the United Arab Emirates.
Countries such as the UAE have expressed 'regret' at the decision and, along with Bermuda, insist they do cooperate with the EU for tax purposes.
Ministers maintain that the list's purpose is not to 'name and shame' but to prevent tax fraud and evasion and to encourage cooperation and positive action. A decision is expected on whether to add beneficial ownership transparency to the current criteria applied to the list.
A similar money laundering blacklist was spiked after objections from the US, Saudi Arabia and Panama.
Secret garden: the UK's £100bn secret properties
Over £100 billion of property in England and Wales is owned anonymously, according to analysis by anti-corruption campaigners Global Witness.
Their investigations have revealed that:
- Over 87,000 properties are owned by anonymous companies registered in tax havens
- 40% of properties owned anonymously are in London - with 134 of them in exclusive Cadogan Square, Knightsbridge
- There are 10,000 secretly-owned properties in Westminster, right under the nose of the UK Government
Despite promises to create a register of UK property ownership, there has been little progress so far.
Ava Lee, Senior Anti-Corruption Campaigner at Global Witness, said, "It's increasingly clear that UK property is one of the favourite tools of the criminal and corrupt for stashing and laundering stolen cash. This analysis reveals the alarming scale of the UK's secret property scandal".
This is yet another challenge for estate agents who are already under pressure, following HMRC's crackdown on money laundering.
Bricks and mortar laundering
Estate agents Countrywide has been fined £215k for failing to implement proper AML controls and keep adequate records to prevent money laundering.
So far, around 50 estate agents have been visited by HMRC inspectors after a crackdown on money laundering in the property sector, with Tepilo also fined almost £68k.
All estate agents need to register with HMRC and have a legal duty to report suspicious or unusual transactions.
Simon York, Director of HMRC's Fraud Investigation Service, said, "Estate agents need to understand that criminals prey on weaknesses, so it's vital they take all steps to protect themselves. The money laundering regulations are key to that, but there's still a minority of agents who ignore their legal obligations."
Here's a reminder of the key obligations:
- Implement Know Your Customer policies and procedures
- Conduct risk-based due diligence on customers
- Identify the Source of Funds / Source of Wealth
- Take extra care with high-risk jurisdictions or Politically Exposed Persons (PEPs)
- Keep proper records of transactions and customers
Norsk Hydro: Cyberattack impacts operations
Global aluminium producer Norsk Hydro has confirmed that its operations in Europe and the US have been disrupted following a cyberattack.
Norway's National Security Authority reported that Hydro experienced a ransomware attack (thought to be LockerGoga) on Monday night.
Hydro announced it has switched production lines to manual mode so it can keep running 24/7. Its global communications have also been impacted. Aluminium hit a three-month high on the London Metal Exchange following news of the attack.
It's the latest breach affecting commodities. In January, IT correspondence was shut down after an attack on zinc smelter Nyrstar. Oil producers Aramco and Rosneft PJSC have also experienced cyberattacks.
Preparedness is vital for both preventing and managing cybersecurity incidents. Some of the key points are:
- Train your people to recognise signs and to speak up if they make a mistake or see anything suspicious - arrange targeted training based on the specific risks they face
- Be clear about the threat - who exactly may target you and why? What is vulnerable?
- Have a presence on social media so you can provide information promptly
- Develop a cyber response strategy - identifying key personnel, specialist expertise, setting out the key steps, liaising with data protection supervisory authorities (remember, a report must be made within 72 hours if personal data is involved), handling media enquiries, restoring business-as-usual, etc
- Benchmark your progress and plan the next steps using recognised frameworks - such as the NIST Cybersecurity Framework, ISO 27001/2, the NCSC's NIS Directive Cyber Assessment Framework, or Cyber Essentials
Are your employees aware of how to reduce cyber security threats? Download our free cyber security training presentation here.
Danske Bank execs lose bonuses
As the fallout from the €200 billion money laundering scandal continues, Danske Bank has confirmed to shareholders that all its executives would be waiving their bonuses for 2018.
In a 5-hour meeting, shareholders vented their frustration at being dragged into the scandal, with some calling for the bank to be split up and for senior managers to be held personally accountable.
One shareholder - Nanna Bonde - summed up the general mood as follows, "The bank has made a fool out of shareholders, customers and the entire Danish population".
With Danske also facing potential lawsuits from institutional investors, missing out on a yearly bonus could well be the very least of their worries.
Google fined (again) by EU
For the third time in two years, Google has been fined €1.5 billion by the European Commission for anti-competitive practices.
Prosecutors accused Google of abusing its dominant position (it enjoys more than 90% of the search market) by preventing its rivals from placing online adverts on its search results pages.
EC commissioner Margrethe Vestager said, "Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anti-competitive contractual restrictions on third-party websites. This is illegal under EU anti-trust rules."
This latest fine brings Google's total fines to €9 billion since 2017. However, critics argue that these fines have actually done little to change the tech giant's dominance. Instead, they suggest that behavioural remedies - such as being forced to divest DoubleClick or Waze - might have more of an impact.
Download our free and interactive Competition Law training presentation and get your staff up to speed on their responsibilities.