This month's key compliance news includes BA, H&M and MS data fines, DB AML fine, ARCM transparency, cartels, sanctions jailing, IFA bans, homeworker monitoring and much more.
Our pick of key compliance stories this month
- H&M to pay the 2nd-highest GDPR fine ever issued
- British Airways fined £20m for data breach
- Morgan Stanley agrees to pay $60m over data centre oversights
- Deutsche Bank fined €13.5m in Danske probe
- Car part suppliers fined €18m for forming cartels
- ARCM fined almost £900k for short selling disclosure breaches
- FCA says homeworking city traders must be monitored
- Former Unaoil executive jailed over Iraq bribery
- Two IFA directors banned over misleading Sipp declarations
H&M to pay the 2nd-highest GDPR fine ever issued
Retailer H&M has been fined €35.3m for the illegal surveillance of hundreds of employees at its Nuremberg service centre, making this the second-highest fine a firm has faced for GDPR breaches since the regulation first came into effect.
The privacy violations staff were subjected to include surveys containing diagnoses for illnesses, medical symptoms, and details of time spent on vacation. What's more, a number of managers were found to have also sought details including religious beliefs and family matters, which they then retained to be used in performance reviews and future employment decisions.
H&M issued an "unreserved apology" to its employees, stating that "All currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force, will receive financial compensation." The retailer also claimed to have "forceful measures" to rectify any related shortcomings.
British Airways fined £20m for data breach
British Airways has been fined £20m by the ICO after suffering a data breach which affected over 400,000 customers. The ICO discovered that the airline had been processing personal data "without adequate security measures in place", and was therefore in breach of data protection law. As a result, BA fell victim to a serious cyberattack in 2018, which it failed to detect for over two months. You couldn't hope for better timing than during Cyber Security Awareness Month 2020! The "Do Your Part. #BeCyberSmart" message must sting at the moment.
Investigators found that BA "ought to have identified weaknesses in its security and resolved them with security measures that were available at the time." The investigation also discovered that BA had not even been aware of the data breach until it was brought to their attention by a third party. The cyberattack is believed to have exposed the personal data of 429,612 customers and employees, including names, addresses, credit card details and CVV numbers.
Information Commissioner Elizabeth Denham said "People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure." Furthermore, "Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date."
- Don't conceal or cover up data losses or breaches - report mistakes and violations promptly, so you can limit the damage to the data subject and your company.
- Password-protect or encrypt all personal data before sending it by electronic transfer.
- Shred any documentation that contains personal data or place it in secure confidential waste bins - don't put it in recycling.
- Don't start collecting personal data or using it for different purposes without being absolutely sure that it is legal for you to do so.
Morgan Stanley agrees to pay $60m over data centre oversights
Morgan Stanley is to pay $60 million over claims that they failed to correctly decommission data centres connected to their wealth-management operations. According to the Office of the Comptroller of the Currency (OCC), Morgan Stanley "failed to effectively assess or address risks associated with decommissioning its hardware". This includes failing to keep tabs on client data contained within obsolete devices, as well as the improper assessment of the risks posed by subcontractors.
"We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused," Morgan Stanley said in response. "Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information."
Earlier this month, the firm announced its intention to expand its wealth-management operations through a $7 billion acquisition of Eaton Vance Corp. They have since been approved by the Federal Reserve to acquire E*Trade Financial Corp in a deal which will add a new base of retail customers to its brokerage business.
Deutsche Bank fined €13.5m in Danske probe
Deutsche Bank AG has been issued a €13.5m fine by Frankfurt prosecutors due to money-laundering violations connected with Danske Bank A/S. According to prosecutors, Deutsche Bank failed to alert authorities about suspicious transactions in a timely manner on more than 600 different occasions.
Deutsche Bank's case is directly connected to another scandal which saw over $200bn in suspicious payments pass through Danske Bank’s Estonian unit. It has since been revealed that most of this money was also routed through Deutsche Bank, which processed US dollar payments for the Estonian business at the time.
Commenting on the scandal, Deutsche Bank said that it had stopped being Danske Bank Estonia's so-called correspondent bank in 2015. According to Stefan Simon, a member of Deutsche Bank’s management board, "with the closure of these proceedings it is clear that there was no evidence of criminal misconduct either on the part of Deutsche Bank or its employees."
Chris Vogelzang, Danske Bank's CEO, has stated that they expect to wrap up their internal investigation into the matter by the end of 2020. Danske Bank is also looking to come to a global agreement with authorities to close the case.
Car part suppliers fined €18m for forming cartels
Car part suppliers Kiekert and Brose have been fined a total of €18m by the European Commission for their involvement in two cartels concerning the supply of closure systems for vehicles in the European Economic Area. A third firm, Magna, was also involved, but was spared a fine as they were the ones who revealed the cartels to the EC.
Magna, based in Canada, and Kiekert, based in Germany, took part in a bilateral cartel concerning the supply of strikers and latches to Daimler group and BMW group. At the same time, Magna was part of a separate cartel with the German firm Brose, which concerned the supply of window regulators and door modules for a car model owned by Daimler group. All three firms owned up to being part of the respective cartels and agreed to settle the case.
The EC's executive vice-president, Margrethe Vestager, said "Components such as door modules, window regulators and latching systems are essential for the proper functioning of cars, they provide protection against injury and ensure safety and comfort. The three suppliers colluded to increase their profits from the sale of these components. These cartels ultimately hurt European consumers and adversely impacted the competitiveness of the European automotive sector."
- Always be aware of anti-competitive risks - these include having competitors who are also your customers and staff that regularly move between businesses in the same sector.
- Understand which conversations are off limits when meeting competitors - this means no discussing prices or fees, discussing (carving up) customers or territories, or colluding to work together to agree rules not in the interests of consumers
- Spot and react to price-fixing red flags - If you find yourself in a trade meeting where anti-competitive practices are discussed, have your objections minuted (if possible). Make your excuses and leave promptly, then report it immediately.
- Don't abuse a dominant market position - never deliberately make losses to squeeze smaller businesses out of the market, stop supplying existing customers or prevent them buying from competitors, or impose unfair terms in contracts.
- Report anti-competitive concerns to the CMA cartel hotline - the CMA's latest cartel awareness campaign, Do What's Right, provides useful information for reporting cartels. If you've been directly involved, you can call +44 (0)20 3738 6833 for confidential guidance. If you speak up first, you may avoid sanctions. If you've seen price fixing take place, you can also report it on +44 (0)20 3738 6888.
ARCM fined almost £900k for short selling disclosure breaches
The FCA has handed a £873,118 fine to Asia Research and Capital Management (ARCM) for transparency failures. This happened after ARCM failed to disclose to the public and notify the FCA about its net short position in Premier Oil between 2017 and 2019.
The Short Selling Regulation 2012 (SSR) outlines explicit thresholds regarding when companies are obliged to make a public disclosure and to notify the FCA about net short positions held. Since the introduction of SSR, this is the first time the FCA has issued a fine in response to a breach.
From February 2017 to July 2019, ARCM failed to make 153 disclosures to the public and 155 notifications to the FCA, by which time they had constructed a net short position equivalent to 16.85% of the issued share capital in Premier Oil. The firm then waited a further 106 days before finally notifying the FCA and the public. The total amount of the penalty would have exceeded £1.2m had ARCM not benefitted from a 30% discount under the FCA's executive settlement procedures.
According to Mark Steward, Executive Director of Enforcement and Market Oversight, "Failure to report disclosable short positions undermines the integrity and efficiency of financial markets. ARCM repeatedly breached reporting rules and failed to provide important information to us and to the market. This fine reflects the seriousness of these breaches."
FCA says homeworking city traders must be monitored
The FCA has issued a warning to financial services companies that it expects them to have refreshed their training, updated their policies, and implemented new checks as traders routinely work remotely. In particular, the FCA pointed out the heightened risk around privately owned devices which employees could use for personal trades based on inside information, something which is far more challenging to carry out on a physical trading floor where phone calls and computer activity are often monitored.
According to Julia Hoggett, director of market oversight at the FCA, "We expect firms to have updated their policies, refreshed their training and put in place rigorous oversight reflecting the new environment – particularly regarding the risk of use of privately owned devices. These policies should be demonstrable to us and to your audit teams. It should go without saying that policies should prevent the use of privately owned devices for relevant activities where recording is not possible. New communication mechanisms, before they are used, should have controls in place where required and their use be approved by firm management."
Hoggett also stressed the importance that self-policing amongst front-office staff plays, in addition to having a good culture within financial firms, saying that "Having a culture that minimises the risk of poor conduct taking place in the first place remains critical. It is important that staff are conscious of the role they play as the first line of defence."
Former Unaoil executive jailed over Iraq bribery
A British former Unaoil executive has been jailed for three years and four months after being found guilty of bribing public officials to clinch $1.7bn worth of oil projects in post-occupation Iraq. Iraqi-born Basil al-Jarah paid around $17m worth of bribes to secure contracts to build oil pipelines, offshore mooring buoys, and oil platforms as Iraq tried to reconcile its shattered economy after the fall of Saddam Hussein.
This is the third sentence handed down by a London judge after an investigation by the Serious Fraud Office (SFO) and US authorities into how Unaoil secured energy contracts for Western blue-chip clients in Central Asia, Africa and the Middle East. Former Unaoil managers 45-year-old Ziad Akle and 55-year-old Stephen Whiteley have already been jailed for five and three years respectively after a London trial.
"This was a classic case of corruption, where powerful men took advantage of the desperation and vulnerability of others to line their own pockets," commented SFO head Lisa Osofsky.
- Never give or offer any inducement, nor request or accept one from others - keep in mind that bribery is a criminal offence and a predicate offence to money laundering
- Make sure that any gift or hospitality you give or accept is proportionate and in line with industry-standard policies and thresholds
- Conduct due diligence on all third parties and make your company's stance on bribery clear
- Never attempt to disguise a bribe as something legitimate, for instance as a 'scholarship' or 'loan repayment'
Two IFA directors banned over misleading Sipp declarations
The FCA has banned John Butterfield and Peter Howson, two IFA directors, from performing any regulated activity as a result of their roles in the submission of false and misleading information to Sipp provider James Hay regarding high net worth clients.
Investigators found that Howson had submitted fabricated information about six high net worth clients, as well as submitting 27 high net worth declarations in which he lied about seeing evidence of the clients' net worth. What's more, on two occasions Howson even submitted false information regarding his own financial circumstances to Hay. Butterfield, on the other hand, has been found guilty of submitting 48 high net worth declarations without seeing evidence of the customers' net worth.
FCA Executive Director of Enforcement and Market Oversight Mark Steward said "Both advisers knew, or should have known, that what they were doing lacked integrity and betrayed the high standards expected by the FCA. They have no place in the financial services industry."