
Compliance News | May 2025

Last updated: May 29, 2025

This month's key compliance news includes Temu's data breach fine, the EU and UK's security and defence partnership, a new legal duty for sanctions screening, the FCA's simplification of complaints reporting and more.

Our pick of compliance stories this month

South Korea fines Temu $978k

South Korea's data protection regulator has fined Chinese e-commerce giant Temu KRW 1.386 billion ($978,000) for violating the country's Personal Information Protection Act (PIPA). The fine follows an investigation by the Personal Information Protection Commission (PIPC) into the platform's handling of Korean user data.

The probe revealed that Temu failed to disclose the transfer of personal data to businesses in multiple countries—including China, Singapore, Japan, and South Korea—for product delivery and processing, in violation of PIPA requirements. The company also lacked a mandatory local representative in Korea and forced users through a burdensome seven-step process to delete their accounts.

The regulator highlighted concerns over Temu’s failure to inform users about data sharing in its privacy policy, and said these practices made it difficult for users to exercise their data rights. The company has since taken corrective actions, including updating its privacy disclosures and appointing a local agent.

Temu’s data processor, Whaleco Technology, was fined KRW 879 million ($630,000), while Elementary Innovation, which handles seller data, received a KRW 490 million ($350,000) penalty.

In a statement, Temu said it respects the PIPC’s decision, cooperated with the investigation, and has made changes to comply with Korean regulations.

The PIPC also fined AliExpress, a Temu rival, KRW 1.978 billion ($1.4 million) in 2024 for similar violations. To help foreign businesses meet compliance standards, the regulator has released a Chinese-language version of its PIPA guidance.

Key takeaways:

  • Always disclose overseas data transfers: clearly inform users when personal data is transferred internationally and to whom.
  • Appoint a local representative where required: ensure compliance by designating a domestic agent in countries that mandate it.
  • Make user rights easy to exercise: processes like account deletion should be simple, accessible, and not overly burdensome.
  • Oversee third-party data handling: implement strong oversight and controls over external vendors that process user data.
  • Respond proactively to investigations: cooperating fully and making prompt improvements can help mitigate enforcement action.
  • Localise data practices to meet legal requirements: adapt privacy policies and operational processes to comply with each jurisdiction’s specific laws.

UBS to pay $511m settlement

UBS Group AG has agreed to pay $511 million to settle a long-running U.S. investigation into tax evasion schemes orchestrated by Credit Suisse, the Swiss bank it acquired in 2023. The probe revealed that Credit Suisse continued helping wealthy Americans hide money offshore even after a 2014 plea deal promising to stop such conduct.

A Credit Suisse unit pleaded guilty to conspiring with clients to conceal over $4 billion in assets from the Internal Revenue Service across at least 475 secret accounts, violating U.S. tax laws. The U.S. Justice Department also filed a criminal charge related to Credit Suisse accounts in Singapore, which it will dismiss if the bank fully cooperates.

Despite prior settlements, Credit Suisse maintained undeclared accounts for U.S. taxpayers — including a European billionaire who lived openly in the U.S. — and failed to report them. The Justice Department said the bank's actions violated its 2014 plea agreement.

The case also detailed Credit Suisse's role in tax evasion by Dan Horsky, a former U.S. business professor who hid over $200 million, and a U.S.-Colombian family that concealed nearly $100 million. Whistleblowers helped expose the misconduct, leading to criminal convictions.

UBS, which was not involved in the original misconduct, said it has zero tolerance for tax evasion and is cooperating with U.S. authorities. The settlement follows a 2023 Senate Finance Committee report that found major violations of Credit Suisse's past plea deal and highlighted undeclared accounts worth over $1.3 billion.

Key takeaways:

  • Avoid assuming immunity from past settlements: recognise that entering into plea agreements or settlements does not prevent future liability if similar misconduct occurs again.
  • Conduct thorough due diligence in acquisitions: investigate compliance histories and integrate strong oversight mechanisms when acquiring companies to manage inherited risks.
  • Disclose transparently to regulators: ensure full and honest communication with enforcement agencies to mitigate penalties and preserve credibility.
  • Establish and protect whistleblower channels: encourage internal reporting and safeguard whistleblowers, as they are often crucial to uncovering compliance failures.
  • Verify client identities and tax statuses rigorously: implement strong Know Your Customer (KYC) procedures to identify, classify, and monitor clients — especially high-net-worth individuals — for tax obligations.
  • Monitor and revisit resolved issues regularly: reassess past compliance matters periodically to ensure sustained correction and prevent recurring violations.
  • Cooperate fully with enforcement actions: engage proactively with authorities to demonstrate good faith, which can influence outcomes such as reduced charges or dropped cases.
  • Implement regular internal audits and controls: use audits to detect and correct compliance gaps, especially in global operations and high-risk jurisdictions.
  • Safeguard regulatory approvals through compliance: understand that misconduct can jeopardize operational licenses or exemptions and take preventive measures to maintain eligibility.
  • Protect your reputation by prioritising ethics: act with integrity to avoid the reputational fallout that often accompanies legal and regulatory breaches.

Letting agents face new legal duty

From 14 May 2025, all UK letting agents are legally required to check tenants, landlords, and other clients against the UK’s official financial sanctions list. This marks a major regulatory change, as sanctions screening becomes a standalone legal obligation for the entire sector - not just those registered under Anti-Money Laundering (AML) supervision.

Letting agents will now be classified as “relevant firms” under UK sanctions regulations, placing them under the same legal responsibilities as estate agents, law firms, and financial institutions. If an individual or company appears, or is even suspected to appear, on the sanctions list, agents must freeze any assets or property and report the case immediately to the Office of Financial Sanctions Implementation (OFSI). Failure to comply may result in civil penalties or criminal prosecution.

This move is part of the UK government's broader efforts to prevent individuals involved in money laundering, terrorism financing, organised crime, or human rights violations from conducting financial or legal transactions within the country. It also ensures that tenancy agreements and other property-related contracts are not misused for illicit activity.

Key steps for letting agents:

  • Screen all landlords and tenants against the UK sanctions list
  • Report any matches or suspicions to OFSI immediately
  • Freeze any related assets or property if a designated person is identified
  • Keep clear records of checks and actions taken
  • Update compliance policies, train staff, and consider automated tools to streamline checks

For more details, agents are advised to consult the government’s General Guidance to UK Sanctions.

Council fined £6m for Guided Busway failures

Cambridgeshire County Council has been fined £6 million after pleading guilty to serious safety breaches on its Guided Busway network, following a decade marked by fatal accidents and injuries. The Health and Safety Executive (HSE) brought the prosecution after a prolonged investigation, which revealed that key safety measures were missing or delayed despite repeated incidents and regulatory warnings.

The busway, which opened in 2011, has been linked to three deaths and multiple injuries. Jennifer Taylor, 81, was killed at an unlit pedestrian crossing in 2015. In 2018, Steve Moir, 50, lost his life after falling from his bike into the path of a bus travelling at 56mph. Kathleen Pitts, 52, died in 2021, and just weeks later, a 16-year-old cyclist suffered life-changing injuries at a designated crossing. Despite these tragedies, the council failed to conduct its first risk assessment until 2016—five years after the busway began operating.

The HSE found a range of critical failings, including unlit crossings, the absence of appropriate speed restrictions, poor segregation between buses and other users such as cyclists and pedestrians, and inadequate warning signs. Following Mr Moir's death, the council reduced the speed limit in that section to 30mph, but the measure proved insufficient to prevent further tragedy.

The council pleaded guilty to two charges under section 3(1) of the Health and Safety at Work etc. Act 1974, for failing to ensure public safety both at crossing points and along the busway path. In addition to the £6 million fine, the council was ordered to pay £292,460.90 in legal costs.

Families of the victims expressed their grief and called for lasting safety improvements. Mrs Taylor’s family thanked the HSE for its persistence, while Mr Moir’s relatives described the devastating loss of a vibrant, community-minded man. The case has renewed scrutiny of public infrastructure safety and the consequences of delayed risk management.

"This is a truly tragic case where three people lost their lives and others suffered serious injuries in incidents that were completely preventable. Had Cambridgeshire County Council properly assessed and managed the risks on the Guided Busway from the outset, these deaths simply would not have happened. Even after the first fatality in 2015, the council failed to take adequate action to protect the public."

- Graham Tompkins, principal inspector, HSE

Complaints reporting to be simplified by FCA

The Financial Conduct Authority (FCA) has announced plans to simplify its complaints data reporting process in a bid to reduce administrative burdens on firms and enhance regulatory efficiency.

As outlined in its consultation paper Improving the Complaints Reporting Process, the FCA proposes consolidating five existing reporting returns into a single form. This change will affect around 10,000 firms and is expected to make complaint submissions simpler and improve the quality of data collected.

FCA executive director Sarah Pritchard emphasised that the reforms are part of the regulator’s broader commitment to "smarter, more effective regulation." She noted that better-quality data will enable the FCA to identify consumer harm more quickly and respond proactively.

In addition to simplifying the format, the FCA plans to standardise the frequency of data return requests. This will make submission timelines more predictable for firms, allowing them to plan ahead and improve consistency in how the FCA processes the information. The move will also help the regulator use its resources more efficiently.

Industry experts have welcomed the move. Dom House, lead consultant at Simplify Consulting, described the changes as a "step forward" that will reduce reporting complexity and lower the risk of errors. He also noted that enhanced data quality will allow firms to benchmark their performance more accurately in the context of consumer duty.

The FCA is inviting feedback on the proposals until 24 July 2025.

HSBC to tie office attendance to pay

HSBC has warned 24,000 employees across its commercial and retail banking divisions that failure to meet office attendance expectations could affect their pay. In a memo, the bank stated that employees who don’t meet the 60% in-office requirement - roughly three days per week - may see their performance ratings and variable compensation impacted. From September, the bank plans to give managers increased oversight and attendance data to enforce the policy more strictly.

Critics argue this approach conflates physical presence with productivity. Gemma Dale, a senior HR lecturer, noted that penalising workers for remote work could reduce engagement and worsen retention. Instead of rigid enforcement, she suggested employers should understand why staff aren’t coming in - whether it's a lack of purpose in the office or an environment not conducive to their work.

Debbie Mitchell, HR transformation manager at Lace Partners, urged senior HR leaders to guide executives toward more nuanced, data-informed decisions. She highlighted the potential to attract and retain talent through flexible work policies, especially amid ongoing skills shortages.

Supporting this, new research by King’s College London shows growing resistance to full-time office mandates. Only 42% of UK workers now support a five-day office week, down from 54% in 2022, while the percentage of those who would quit under such conditions has doubled to 10%.

Experts emphasise that companies should focus on making office attendance meaningful. Creating engaging spaces, fostering collaboration, and offering valuable in-person experiences may prove more effective than enforcing rigid return-to-office rules.

Key takeaways:

  • Define clear expectations: ensure workplace policies, such as attendance or hybrid work rules, are clearly communicated and consistently enforced.
  • Link performance measures appropriately: avoid tying performance evaluations or pay to factors that may not directly reflect productivity or job output, such as physical presence alone.
  • Use data to inform decisions: collect and analyse attendance, productivity, and employee feedback data to make evidence-based policy decisions.
  • Assess legal and reputational risks: consider the potential legal, cultural, and reputational consequences of enforcing rigid workplace mandates.
  • Engage HR in policy shaping: involve HR leaders in designing workplace policies to ensure they balance business goals with employee needs and broader workforce trends.
  • Encourage compliance through incentives, not penalties: focus on making the office experience compelling and valuable rather than relying on punitive enforcement.
  • Monitor evolving workforce sentiment: stay informed about employee attitudes toward flexible work to adapt policies that support retention and morale.

EU-UK security and defence partnership confirmed

On 19 May 2025, the UK and EU signed a new Security and Defence Partnership, hailed by both sides as the beginning of a new era in cooperation. The agreement sets a formal structure for ongoing dialogue and collaboration across areas like cybersecurity, defence innovation, and military training. It includes regular policy discussions and participation in key security forums, like the Schuman Security and Defence Forum.

While this agreement marks a political reset in UK-EU defence relations, it stops short of providing the UK access to the EU’s €150 billion SAFE fund (Security Action for Europe). SAFE is part of the EU's broader ReARM initiative, aimed at strengthening defence investment across the continent through pooled procurement and infrastructure funding.

Despite being seen as a first step toward eventual UK participation in SAFE, no access or funding is guaranteed under the current deal. European Commission President, Ursula von der Leyen, described potential UK involvement as a "second step" - but provided no timeline or firm commitments.

Industry observers and commentators remain cautious. While the agreement introduces new diplomatic and strategic mechanisms, some argue it offers little in the way of concrete outcomes - especially for UK defence businesses hoping for meaningful access to EU funding and contracts.

For now, the Partnership lays the groundwork for future cooperation but falls short of unlocking the level of integration or financial support many had anticipated. The real test will be whether future negotiations lead to tangible UK participation in SAFE and broader EU defence initiatives.

Key takeaways:

  • Monitor evolving UK-EU defence cooperation: stay updated on policy changes and new agreements stemming from the Partnership, especially those that may affect market access or regulatory expectations.
  • Assess cross-border data and cybersecurity requirements: as the Partnership includes cybersecurity collaboration, review internal controls and ensure alignment with both UK and EU cyber and data protection standards.
  • Track future funding access developments: keep a close eye on negotiations around the EU's SAFE programme, which could eventually provide procurement and investment opportunities for UK defence-related businesses.
  • Prepare for participation in EU-aligned forums: consider the implications of UK participation in EU-led defence forums and policy dialogues — this may include sharing of sensitive data or aligning reporting standards with EU expectations.
  • Engage proactively with regulatory updates: anticipate the potential for increased regulatory harmonisation in defence, procurement, and emerging technologies between the UK and EU, and adjust compliance frameworks accordingly.
  • Review export controls and supply chain risks: enhanced collaboration may lead to changes in dual-use technology regulations or defence export rules — reassess compliance with both UK and EU regimes.
  • Plan for indirect compliance obligations: even without direct access to SAFE, UK businesses partnering with EU firms may need to meet EU funding and procurement compliance conditions as part of joint ventures or subcontracting arrangements.
