Compliance News | March 2023

Posted by Lynne Callister on 30 Mar 2023


This month’s key compliance news includes WH Smith’s cyberattack, FTSE 350 gender balance success, Commerzbank’s discrimination case, Red Bull’s raid, Ericsson’s extra FCPA penalty, and more.

Our pick of key compliance stories this month

WH Smith targeted in cyberattack

WH Smith has confirmed that it has experienced a cyberattack. Hackers illegally accessed company information, including the personal data of its current and former employees.

The company confirmed that the attack did not affect its trading systems or customer data, which are held on separate systems. In a statement to the London Stock Exchange, it said: “Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services and implemented our incident response plans, which included notifying the relevant authorities.”

The high-street retailer, which employs over 10,000 people across the UK, declined to say how many people had been affected. But it confirmed that data including names, addresses, National Insurance numbers and dates of birth had been accessed, a combination that is enough to support identity fraud, so those affected should be alert to phishing and to unexpected credit applications. It is now notifying all those affected and has informed the Information Commissioner’s Office; under the UK GDPR, a breach likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it.

WH Smith’s Funky Pigeon website was targeted in April 2022, preventing it from taking orders for a week. There have been several high-profile incidents already this year, including at Yum! Brands (which temporarily closed KFC and Pizza Hut restaurants in the UK), JD Sports, the Guardian, and Royal Mail.


FTSE 350 firms meet the 40% gender balance target

According to new data, 40.2% of FTSE 350 Board positions are now held by women. The news is seen as a ‘defining moment’, particularly since the target was met three years early, using a voluntary approach rather than mandatory targets.

According to a report by the FTSE Women Leaders Review:

  • Women’s Board representation increased by 3% in 2022 across the FTSE 350 companies
  • Women now hold a third (33.5%) of all Leadership positions in FTSE 350 companies and 34.3% in 50 private companies

The next step is to ensure that the 40% target is met in Leadership teams by 2025.

Many businesses - including Greggs Plc, Severn Trent Plc, and Vodafone Plc - now have more women on their boards. J Sainsbury plc and Haleon plc have also made progress with Women in Leadership roles.

Yet, while the news is positive, Laura Sanderson from Russell Reynolds Associates urges firms to do more to address the lack of diversity at the CEO level. She believes that the diversity at the top is still limited despite the progress in opening up non-executive director roles to women.

To put it in perspective, at the current rate of change, it will be around 70 years before there is an equal number of male and female FTSE 100 CEOs.

“While the rapidly growing number of women in Chair, Senior Independent Director and CFO roles is an important part of the solution, it won’t fix the problem alone. Businesses must be more courageous and imaginative in backing talented women to take the next step. The belief that the CEOs of the future must look, sound and behave like those from the past is holding all of us back.”

- Laura Sanderson, Russell Reynolds Associates


Commerzbank executive gets £300k payout

A Commerzbank compliance executive has been awarded £300,684 in compensation at a UK employment tribunal. It follows a seven-year battle with the bank, which Jagruti Rajput accused of sex and maternity discrimination.

Rajput claimed that she was denied a promotion opportunity because she was a woman on maternity leave. “Substantial” parts of her role were assigned to a colleague while she was on maternity leave.

Rajput was accused of having “an unhealthy obsession with work”, of being “controlling”, and discouraged from attending a review during her leave “because of assumptions made about what a woman should do whilst on maternity leave”.

The panel of judges found that there would be a 60% chance of her securing a head of markets role had she not faced unlawful discrimination. The tribunal ruled in her favour on six complaints, and Rajput was awarded £201,650 for loss of salary, bonuses and pension, with £25,000 for injury to feelings, plus interest.

The case “represented a very significant setback for the claimant in her career”, said employment judge Natasha Joffe, being a “very significant detriment to a woman newly back from maternity leave of finding that much of her role had been handed over to a more junior employee and not returned to her”.

Commerzbank is appealing.

Key takeaways:

  • Treat people fairly and consistently apply our equality policies - in all day-to-day activities and work-related decisions (recruitment, training, promotion, allocating work, pay, etc.)
  • Be proactive - don’t slavishly follow our rules if you think they are wrong, if they create unintentional bias, or lead to some groups being treated less favourably than others. Instead, work to get them changed. Remember, diverse companies are often more productive, innovative and profitable too!
  • Mind your language - check that all communications are free of discriminatory and sexist language. Careless language and stereotyping, however unintentional, can create a perception of inequality and make people feel vulnerable.
  • Use objective criteria when making decisions on recruitment, training and promotion - this ensures appointments are always made on merit
  • Watch out for indirect discrimination - make sure that our company policies don’t inadvertently put certain groups at a disadvantage
  • Collect data and benchmark your progress - assess “the current state”, monitor progress, and learn from others


CBI’s director general facing misconduct allegations

The director general of the Confederation of British Industry (CBI), Tony Danker, has stepped aside pending an investigation after allegations of misconduct.

A formal complaint was made by a female employee alleging unwanted conduct, which was considered to be sexual harassment, back in January. But the CBI decided that it did not warrant escalation through its disciplinary process.

However, since then, additional concerns have been raised about Danker’s behaviour, including that he’d viewed employees’ personal Instagram accounts and sent unwanted messages containing suggestive language.

The CBI has now appointed a law firm to conduct an independent investigation, and Danker has agreed to step aside while this takes place.

A statement by the group said: “The CBI takes all matters of workplace conduct extremely seriously, but it is important to stress that until this investigation is complete, any new allegations remain unproven, and it would be inappropriate to comment further at this stage.”

Update: following the investigation, CBI has officially dismissed Danker with immediate effect.


Antitrust regulators raid Red Bull & fragrance firms

The European Commission has raided Austrian energy drink maker Red Bull as part of an investigation into possible cartels, restricted practices, and abuse of dominance in the energy drinks sector.

The regulator refused to name the company targeted by its unannounced visits but said inspections had been carried out “at the premises of a company active in the energy drinks sector in various member states”.

Red Bull confirmed that its premises had been visited by officials but has declined to comment further.

Separately, the UK Competition and Markets Authority is investigating anti-competitive behaviour relating to the supply of fragrances and fragrance ingredients used in manufacturing consumer products, such as personal care and household products.

The raids were coordinated cross-border, working with authorities in the EU, UK, US and Switzerland. The companies being investigated are Firmenich International SA, Givaudan SA, International Flavors & Fragrances Inc, and Symrise AG.

Firms face fines of up to 10% of global annual turnover for competition breaches.

Key takeaways:

  • Encourage your team to report red flags and potential misconduct quickly - the first company to report the existence of a cartel or anti-competitive behaviour can secure immunity from fines under leniency rules (and, in the UK, immunity from prosecution for its cooperating individuals).
  • Prepare for dawn raids - are you confident that employees know what to do and will do the right thing in an investigation? They must not shred or conceal evidence, enter sealed rooms, etc.
  • Get the “tone from the top” right - ensure that managers set a good example by competing energetically but fairly. Just one bad apple can undermine your entire compliance regime.
  • Don’t underestimate the far-reaching powers of the authorities - they are entitled to seize documents, including electronic messages and phones, if illegal behaviour is suspected.


Ericsson breaches FCPA settlement agreement

Ericsson has admitted to breaching its 2019 FCPA settlement agreement with US regulators.

Four years ago, the Swedish telecoms company paid two US agencies over $1 billion for a “years-long corruption campaign” in which it used slush funds to pay corrupt officials in Djibouti, China, Vietnam, Indonesia and Kuwait. Payments were made via agents and intermediaries, using fake invoices for non-existent consulting services.

As part of the settlement, it entered a Deferred Prosecution Agreement (DPA). However, the Department of Justice accused Ericsson of violating that agreement by failing to disclose “all factual information and evidence” relating to its schemes in Djibouti and China for up to six years.

According to the International Consortium of Investigative Journalists (ICIJ), Ericsson also concealed evidence of a similar scheme in Iraq, where it is claimed it had secret dealings with ISIS and made possible pay-offs to smuggle equipment into ISIS-controlled areas.

“When the Department afforded Ericsson the opportunity to enter into a DPA to resolve an investigation into serious FCPA violations, the company agreed to comply with all provisions of that agreement. Instead of honouring that commitment, Ericsson repeatedly failed to fully cooperate and failed to disclose evidence and allegations of misconduct in breach of the agreement.”

- Kenneth Polite, Assistant Attorney General, US Department of Justice Criminal Division (quoted by the ICIJ)

It looks like the DOJ is keeping its promise to get tough on corporate repeat offenders. Ericsson will now plead guilty to the charges that the DPA had deferred and pay a further $206.7 million penalty, bringing the total settlement to $1.27 billion - one of the highest in the FCPA’s history.


Vonovia brings in Deloitte over suspected bribery

Vonovia, one of Germany’s biggest housing groups, has brought in Deloitte to investigate claims of bribery, corruption and fraud. It follows police raids on the property firm’s headquarters and 40 private homes across Germany.

Prosecutors say Vonovia employees allegedly gave preferential treatment to contractors in return for kickbacks, and key documents were manipulated to conceal excessive invoices.

Four of Vonovia’s employees, former employees and business partners have been arrested so far, with many more expected.

“We are shocked. It appears that individual employees at our subsidiaries have accepted bribes to the detriment of Vonovia – that is not acceptable.”

- Rolf Buch, CEO, Vonovia

However, critics have little sympathy with Vonovia, which owns around 565,000 apartments in Germany, Sweden and Austria and took over Deutsche Wohnen in 2021. They accuse it of fleecing tenants with aggressive rent rises.

An investigation by Der Spiegel found evidence of 1,900% rises in ‘erroneous’ and ‘dubious’ winter service and cleaning costs collected through subsidiary companies.

According to Westdeutscher Rundfunk and Süddeutsche Zeitung, at least two Vonovia employees have allegedly received up to half a million in bribes over a 10-year period.

Shares dropped over 5% following the news. Vonovia has said it is “cooperating fully” and has brought in Deloitte to conduct an internal audit.

Key takeaways:

  • Train employees to spot red flags - for example, gifts, hospitality, excessive invoices, above-market rates, payments being made via subsidiaries, etc.
  • Conduct proportionate due diligence - ensure due diligence checks are made on employees, partners, consultants, intermediaries and third parties.
  • Ensure adequate supervision and oversight - so there is scrutiny of documentation, and changes can only be made with executive approval. Don’t allow teams to ‘mark their own homework’.
  • Get the tone from the top right - a ‘profit before principles’ philosophy can send the wrong message to employees, i.e. that they need to win business at any cost. There can be unintended consequences.
  • Remember, bribery is not a victimless crime - the real victims are the tenants who ultimately suffer because of bribery, according to the German Tenants Association. The costs of the bribes will be met by them via exorbitant service charges.


Volkswagen’s Russian assets are frozen

Volkswagen’s plans to wind down its operations in Russia have been dealt a blow after a Russian court froze all of its assets there. Like other carmakers, Volkswagen had suspended its Russian operations when sanctions were imposed following the invasion of Ukraine.

For the last year, the carmaker has furloughed operations at its flagship plant in Kaluga, where 4,000 employees are still being paid.

The Russian automotive manufacturer GAZ, which ran an assembly plant in Nizhny Novgorod with Volkswagen, is trying to halt the sale. It claims that Volkswagen’s exit has damaged GAZ’s interests and is seeking damages of $201.3 million.

Skoda Auto, the Czech carmaker owned by Volkswagen Group, confirmed that it, too, was seeking to sell its Russian assets. Other carmakers have exited the market. In 2022, Renault sold its stake in Avtovaz, which was once valued at $2.35 billion, for a nominal fee of one rouble.

Car production in Russia fell by a record 67% last year.

UK Government seeks to reform GDPR

The UK Government is seeking to reform its data protection regime following the UK’s withdrawal from the EU. It has now introduced an amended Bill to Parliament – in the form of the new Data Protection and Digital Information (No. 2) Bill.

It is promising a “new system of data protection”, which is simpler for business with the promise of £4.7bn in savings.

Good news! Companies that already comply with the UK GDPR won’t need to make any fundamental changes. A lot of the structure, obligations and principles are still the same. But there are some clarifications and tweaks.
Assuming the Bill goes through, what are the key changes?

  • Scientific research - an update of the definition of scientific research allowing businesses to use personal data if they are engaged in research and development
  • Legitimate interest and cookies – an explanation of the legitimate interest definition with examples and a reduction in repetitive cookie popups, giving companies greater certainty over processing personal data without consent
  • Record keeping - an exemption from keeping records of processing for any controller or processor unless they carry out high-risk processing (although critics point out that this will make it harder for companies to fulfil subject access requests)
  • Direct marketing - new obligations on the providers of electronic communications networks requiring them to notify the ICO about anyone suspected of breaching direct marketing rules
  • Higher fines for nuisance callers and texts - up from £500,000 to 4% of global turnover or £17.5 million (whichever is highest)
  • Automated decision making and AI - clarification of the right to request a human review where decisions are “inaccurate or harmful”
  • International transfers - confirmation that existing arrangements entered into before the Bill will still be valid
  • ICO reforms - strengthening the ICO with a statutory board (although concerns have been raised about its future independence, which may potentially impact the UK’s adequacy status with the EU)


Swedbank fined $81.52 million after IT outage

Swedbank has been fined $81.52 million by the Swedish Financial Supervisory Authority (SFSA) following its failure to implement adequate internal controls.

Swedbank deviated from its own internal change procedures when a change was made to its IT systems in April 2022. Transactions were halted, up to a million customers were shown incorrect account balances, and many of them could not make payments.

In a statement, the company said, “Swedbank regrets and has apologised to customers for the problems that the IT incident caused. The bank has taken forceful measures to prevent this type of incident from happening again.”

“We take the SFSA’s remark seriously that Swedbank made a change to an IT system without following the bank’s internal procedures and processes. We will now analyse the decision.”

- Jens Henriksson, President & CEO, Swedbank


William Hill fined a record £19.2m for AML failures

William Hill and its sister brand Mr Green have been fined a record £19.2m for “widespread and alarming” social responsibility and anti-money laundering failures.

Extreme examples of failings included allowing a customer to open an account and spend £23,000 in 20 minutes without any checks. Other customers were allowed to spend £18,000 over 24 hours and £32,500 over two days, respectively, again without any evidence of income or AML checks.

Customers were allowed to deposit high sums of £70,134, £38,000 and £36,000 - which they subsequently lost - without appropriate anti-money laundering checks.

331 self-excluded players of Mr Green were able to gamble with William Hill because of “ineffective controls”.

Many of the extreme examples occurred during lockdown, despite companies being warned by the Gambling Commission not to exploit vulnerable people during this time.

“When we launched this investigation, the failings we uncovered were so widespread and alarming, serious consideration was given to licence suspension. However, because the operator immediately recognised their failings and worked with us to swiftly implement improvements, we instead opted for the largest enforcement payment in our history.”

- Andrew Rhodes, Chief Executive, Gambling Commission

The online casino company 888 Holdings, which agreed to buy William Hill in 2021 and completed the acquisition in 2022, said: “The settlement relates to the period when William Hill was under the previous ownership and management. After William Hill was acquired, the company quickly addressed the identified issues with the implementation of a rigorous action plan.”

Critics argue that internet betting should be better regulated, reflecting the real harm caused by problem gambling. The fine comes days before the UK’s new gambling laws are finalised.


SVB & Signature Bank investigated for misconduct

The post-mortems have begun following the collapse of Silicon Valley Bank and Signature Bank in the US. Regulators are now investigating whether there was potential misconduct, what executives knew, and whether they made accurate disclosures about the banks’ problems.

SVB’s problems snowballed quickly after the bank failed to secure emergency funding. This sparked online rumours about its health, spooked customers who withdrew $42bn in one day and caused a bank run leading to SVB’s collapse, the fastest since Barings in the 1990s. Two days later, Signature Bank also failed.

“SVB failed because the bank’s management did not effectively manage its interest-rate and liquidity risk, and the bank then suffered a devastating and unexpected run by its uninsured depositors.”

- Michael Barr, Vice Chair for Supervision, Federal Reserve

Later, it emerged that SVB executives had sold $84 million of stock since 2021, prompting questions about insider stock sales. Executives also received their annual bonuses hours before the government takeover of the bank.

SVB’s UK subsidiary was bought by HSBC for £1 in a rescue deal arranged by the Treasury and the Bank of England, protecting UK tech startups from losses.


Want to learn more about compliance?

Our comprehensive compliance roadmaps help you navigate compliance. We also have searchable compliance glossaries for those new to the topic, and we regularly report on key compliance fines.

If you'd like to stay up to date with compliance best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.

You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.

For a one-stop compliance training solution, try our best-selling Compliance Essentials Course Library and award-winning LMS.

Last but not least, we have 100+ free compliance training aids, including best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations, webinars and even e-learning modules!

If you've any questions or concerns about compliance or e-learning, please get in touch.

We are happy to help!
