Compliance News | March 2024

Posted by Lynne Callister on 28 Mar 2024


This month's key compliance news includes the Big Four's AI crackdown, the SEC's fines for "AI washing", Vans' data breach, Duvel's cyberattack, Greggs' payment outage, sexism in the City, and more.


Our pick of key compliance stories this month

Crackdown on AI in recruitment by Big Four

Deloitte, EY, KPMG and PwC are trying to eliminate the use of AI by job applicants in the recruitment process. There are concerns that the use of generative AI tools (such as ChatGPT) may give some candidates an unfair advantage.

"While AI, including GenAI, can be useful in research, we tell candidates they should not use these tools during any assessment."

- PwC spokesman

Firms are using technology to detect plagiarism and AI, monitoring for 'exceptional' scores in tests.

But there's a danger of employers missing out on key talent as a result. Research by Arctic Shores and Opinium into attitudes to AI in the hiring process found:

  • 72% of students and applicants regularly used some kind of generative AI
  • 32% said they would not want to work for an employer who said they couldn't use generative AI in the application process
  • 30% believed that such an employer wasn't very progressive

The stakes are high. Research by Arctic Shores, in collaboration with UCL researchers, found that ChatGPT consistently outperformed human candidates in verbal reasoning and helped place candidates in the top 70 percentile in Situational Judgment tests. ChatGPT also provides answers for personality-based assessments matched specifically to job descriptions.

"Given Generative AI's rapid adoption, the obvious and logical answer is not simply to deter or detect AI usage, but to refocus hiring strategies to incorporate Chat-GPT-proof assessments if they want to see a candidate's true ability."

- Robert Newry, CEO, Arctic Shores


Investment advisers fined $400k for "AI washing"

The Securities and Exchange Commission has fined two investment advisers after they allegedly made "false and misleading claims" about their use of AI technology.

Delphia (USA) and Global Predictions will pay a total of $400,000 without admitting or denying the allegations.

Firms were warned against so-called "AI washing" - making false or unfounded claims about AI or machine learning to mislead the public - by SEC Chair Gary Gensler last year.

The regulator said that, between 2019 and 2023, Toronto-based Delphia allegedly made false statements in filings with the SEC, in press releases and on its website about its use of AI and machine learning, claiming that these used client data.

The SEC said Delphia's claims to "put[s] collective data to work to make our artificial intelligence smarter so it can predict which companies and trends are about to make it big and invest in them before everyone else" lacked substance. In fact, the firm did not have AI or machine learning capabilities but kept making false claims in its adverts until 2023.

The regulator also found that Delphia failed to have appropriate policies to ensure advertisements did not include misleading or false claims, and there were no policies regarding the use of social media.

Similarly, Global Predictions made false claims about its use of AI on its website and social media, where it claimed to be the "first regulated AI financial advisor" and provided "expert AI-driven forecasts". The San Francisco-based firm also falsely claimed that it offered tax-loss harvesting services and failed to disclose material conflicts of interest and relationships with those giving testimonials.

"We find that Delphia and Global Predictions marketed to their clients and prospective clients that they were using AI in certain ways when, in fact, they were not," said SEC Chair Gary Gensler. "We've seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies. Investment advisers should not mislead the public by saying they are using an AI model when they are not. Such AI washing hurts investors."

"As more and more investors consider using AI tools in making their investment decisions or deciding to invest in companies claiming to harness its transformational power, we are committed to protecting them against those engaged in 'AI washing'. As today's enforcement actions make clear to the investment industry – if you claim to use AI in your investment processes, you need to ensure that your representations are not false or misleading. And public issuers making claims about their AI adoption must also remain vigilant about similar misstatements that may be material to individuals' investing decisions."

- Gurbir S. Grewal, Director of Division of Enforcement, the SEC

Key takeaways:

  • Introduce a company-wide AI policy and know your risk appetite - so everyone is clear about our expectations and acts within any limits
  • Implement appropriate policies and procedures - to ensure the information and claims in advertisements, on websites or on social media are signed off and are not false or misleading
  • Never make false or misleading claims relating to AI, machine learning, sustainability, etc - relating to our products, offering, strategy, or anything else
  • Make sure you have proof and can evidence any claims you make - record this thoroughly to help rebut any claims of misleading information
  • Consider how best to exploit the opportunities presented by emerging technology, while also mitigating the risks - whether you're thinking about AI or machine learning in relation to recruitment, investment advice, content generation, and more.


"Off the wall": Vans warns customers of fraud risk

Customers of footwear giant Vans are being warned to be vigilant after a data breach at its parent company, VF Corporation. VF Corporation - the owner of famous brands like Vans, Supreme, Timberland and The North Face - detected "unauthorised activities" on its systems in December 2023.

While no detailed financial information or passwords were taken, it is warning 35.5 million customers that they may face an increased risk of identity theft, phishing or fraud.

The company confirmed that it "immediately took steps" when the breach was detected on 13 December, shutting down its affected systems and hiring cybersecurity experts. This resulted in hackers being ejected by 15 December.

"Our investigation revealed that the incident has affected some personal information of our customers, that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, shipping address," Vans said in an email.

It added, "VF never collects or retains any detailed payment or financial information, such as bank account or credit card information, so no such information was exposed to the threat actors. Furthermore, no consumers' passwords were compromised."

However, customers are being warned to watch out for suspicious emails, texts and phone calls, especially if personal information is requested.


Duvel beer production halted by cyberattack

Operations at Belgian beer maker Duvel have been disrupted following a cyberattack. The brewer - which produces La Chouffe, Maredsous and Vedett - confirmed the attack in a statement:

"The built-in command systems and alarms in the IT-system worked well, so our IT department was immediately informed of the attack. The servers were immediately shut down, which also shut down production at the four Belgian production sites and the production site in Kansas City."

The announcement sparked concern among customers online, who called it a "national emergency" and worried that prices might rise due to shortages. But spokesperson Ellen Aarts reassured them that there was "more than enough beer". Distribution would not be impacted and its warehouses were well-stocked.

The company confirmed that it was a ransomware attack. Hacking group Stormous has since claimed responsibility and says it will release data if a ransom isn't paid by 25 March. It is unclear whether this includes recipes for its beers or other sensitive information.

Manufacturers are often an easy target as any downtime can be extremely costly and disruptive to operations. This can pressure them into paying ransoms. 40% of manufacturing organisations paid a ransom between $100,000 and $999,999 in 2023, according to Sophos.

Key takeaways:

  • Strengthen your defences - use recognised security tools to defend against common attack vectors, including endpoint protection to prevent exploitation of vulnerabilities and Zero Trust Network Access (ZTNA) to combat the abuse of compromised credentials
  • Explore the use of adaptive technologies that respond automatically to attack - as this can buy you more time to respond
  • Be clear about the threat - who exactly may target you and why? What is vulnerable (eg trade secrets such as recipes for beers, commercially sensitive information, as well as our operations)?
  • Encourage your team to speak up if they make a mistake - this enables prompt action to be taken
  • Develop a cyber response strategy - identifying key personnel, specialist expertise, setting out the key steps, liaising with data protection supervisory authorities (remember, a report must be made within 72 hours if personal data is involved), handling media enquiries, restoring business-as-usual, etc
  • Implement 24/7 threat detection, investigation and response - note that Duvel was attacked at 1.30 am
  • Be prepared - make regular backup copies, patch software vulnerabilities promptly, don't let stocks run too low (Duvel had "more than enough beer", which minimised disruption), and test your ability to recover with an incident response plan
  • Benchmark your progress using recognised frameworks - such as NIST Cybersecurity Framework, ISO27001/2, NCSC's NIS Directive Cyber Assessment Framework, or CyberEssentials.


Payments watchdog investigates retail outages

The Payment Systems Regulator (PSR) has confirmed it is reviewing the situation after IT outages caused chaos for high-street retailers over the last week.

Bakery chain Greggs was the latest to experience payment problems, forcing it to close many of its stores or only accept cash. The outage follows problems at Sainsbury's, Tesco and McDonald's, leaving them unable to take payments.

McDonald's confirmed that it had experienced a global technology outage affecting stores in the UK, Australia and Japan.

"Notably, this issue was not directly caused by a cybersecurity event - rather, it was caused by a third-party provider during a configuration change."

- Brian Rice, Chief Information Officer, McDonald's

Online deliveries and contactless payments in-store at Sainsbury's were similarly affected by an overnight software update, with a "small number of orders" cancelled by Tesco.

Experts believe that the cases may be linked because they occurred close together. The disruption is costly, with retailers losing millions of pounds. "This highlights that digital disruption is a principal risk for many retailers. Ensuring contingency planning is in place is vital," said Alan Stephenson-Brown, CEO of IT firm Evolve.

The payments watchdog said, "The PSR is aware of the recent payment issues and is assessing their nature to determine whether any further action is needed." Any issues with the resilience of the payments infrastructure may now be escalated to the Bank of England.


Swiss bank pays $3.7m for sanctions violations

EFG International has agreed to pay $3.7 million to settle allegations that it violated US sanctions.

According to the US Treasury's Office of Foreign Assets Control (OFAC), over a four-year period the Swiss private bank processed almost 900 securities transactions on behalf of customers in Cuba and a Chinese national who was listed for narcotics trafficking. It also processed five dividend payments in 2023 for someone blocked under the Russian sanctions regime. The unlawful transactions had a combined value of $30.4 million.

"The settlement amount reflects OFAC's determination that EFG's apparent violations were voluntarily self-disclosed and not egregious, and also reflects EFG's significant remedial measures," the OFAC said.

It also clarified that the transactions were processed through omnibus accounts in the name of EFG, where individuals pooled their money and invested as one entity. This meant EFG was potentially unaware that it was processing transactions for sanctioned individuals.

OFAC also noted that EFG imposed internal restrictions preventing it from gaining financially from those transactions. The case highlights the risk of inadvertent sanctions violations by banks whose global clients hold omnibus accounts in the US.

"EFG substantially cooperated during OFAC's investigation of the Apparent Violations by conducting an internal investigation to identify exposure to clients under OFAC sanctions, providing well-organised and timely responses to OFAC's requests for information, and entering into tolling agreements."

- Office of Foreign Assets Control


Flashing lights on the dashboard

Analysis by Sky News suggests British carmakers are continuing to sell millions of pounds worth of luxury vehicles to Russia despite the sanctions that are in place.

While direct car exports to Russia dropped to zero after the invasion of Ukraine, official statistics show spectacular rises in car exports to neighbouring countries, notably Azerbaijan.

The UK exported £273m worth of vehicles to Azerbaijan, a staggering 1,860% rise on the five years before the invasion. This increase matches annual car exports of £330m to Russia before sanctions were introduced.

Over the same period of soaring British exports, Azerbaijan recorded a record rise in car exports to Russia, according to UN international trade data. There are similar surges in car sales to Kazakhstan, Armenia and Georgia.

British carmakers are adamant that they no longer sell to Russia. Of course, it is difficult to track the consignments once they arrive at third countries. However, there are concerns that Russia is exploiting former Soviet states to evade sanctions.

Cars are banned under the "dual use" sanctions regime, with a specific ban on selling luxury cars worth over £42,000 to Russia. However, official statistics also show that the average value per car was over £100,000, implying luxury or high-end cars.

"UK vehicle manufacturers are committed to full compliance with all current and future trade sanctions. While trade flows can vary and, indeed, be quite volatile with growing economies, there is no available evidence to indicate a lack of compliance with existing sanctions, but manufacturers will remain vigilant, and would condemn any party that puts their commitment to compliance at risk."

- the Society of Motor Manufacturers and Traders (SMMT)

Key takeaways:

  • Conduct adequate screening and due diligence – before entering new business relationships and on existing customers, especially those in high-risk places with known links to sanctioned countries
  • Watch out for red flags – including transactions that make no commercial sense. Why would a country with a GDP comparable to Ghana become the 16th biggest export destination for the UK's car industry, ahead of Austria, Portugal and Spain? Does it make sense or could there be another reason for this?
  • Check for adverse media – if you see adverse media reports about anyone with links to our company (eg a supplier, customer or partner), report it to Compliance


Banks set to delay payments to prevent scams

Banks will be able to delay payments for up to 72 hours, giving them extra time to investigate potential fraud and scams under new proposals announced by the government.

Currently, payments must be processed by banks by the end of the following working day, even if fraud is suspected. This limits banks' ability to intervene - for example, by contacting customers to confirm whether payments are genuine. It also makes it harder to liaise with the intelligence agencies or the police to shut down infrastructure and target fraudsters.

The new measures are designed to combat authorised push payment (APP) fraud, where someone is tricked into initiating or authorising payments. This may be done by getting customers to pay for goods online that never arrive, impersonating a bank and getting someone to transfer money, or via romance or investment scams.

Official figures show that customers lost £239.3 million to APP scams in the first half of 2023, with £152.8 million returned to victims.

"Fraudsters spin whole webs of lies and fabricate all sorts of things to convince people to send them money. This legislation will give banks, other payment service providers and law enforcement more time to get in touch with victims and break the fraudster's spell before money is sent."

- Bim Afolami, City minister

The announcement was made at a global fraud summit hosted by London and will come into effect on 7 October. It coincides with the Payment Systems Regulator's requirement to reimburse customers affected by APP fraud to a maximum of £415,000 from October.


Efforts to tackle sexism moving at a "snail's pace"

Firms must do more to end the "era of impunity", according to the Treasury Committee, which found "shocking" levels of sexual harassment and bullying and a culture that is "holding women back" in the City.

The Committee published its Sexism in the City report to coincide with International Women's Day. It explores the barriers to women entering and building careers across the financial services industry, the impact of the Treasury's Women in Finance Charter, removing gender pay gaps, and combatting misogyny and sexual harassment in the City.

The Committee made a number of recommendations, including:

  • Legislation banning non-disclosure agreements (NDAs) in sexual harassment cases
  • Stronger protections for whistleblowers in sexual harassment cases
  • A legal requirement to include salary bands on job adverts
  • Reducing the threshold for gender pay gap reporting from 250+ to 50+ employees in the financial services sector.


Pay later? Klarna to pay $733k for GDPR failings

Swedish fintech Klarna must pay a fine of SEK 7.5 million ($733k) for non-compliance with the EU's General Data Protection Regulation (GDPR), a Swedish Court of Appeal has ruled.

Klarna - the Buy Now, Pay Later (BNPL) provider - was originally fined in March 2022 for failing to provide customers with sufficient information about how it stores their personal data, which credit information companies it shares personal data with, and the countries it transfers information to.

The case focuses on the privacy notice that was used by Klarna between March and June 2020.

But in a 2022 blog post, Klarna said, "We have made significant improvements to our privacy notice since the version the SDPA reviewed was live, and therefore, this decision is no longer relevant. We have made improvements based on customer input to ensure our Privacy Notice is fit for purpose, and this is an area we continue to seek input on to make sure it's clear and transparent to users."

The fine was reduced to SEK 6 million when Klarna appealed the decision. But a Court of Appeal has now raised it back to SEK 7.5 million. Klarna says it is "too early to comment" on the ruling.


Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.

Compliance Bulletin

Our monthly email provides best practices, expert opinions, industry insights, news and key trends in regulatory compliance training, digital learning, EdTech and RegTech.