This month's key compliance news includes Biffa's health and safety fine, price fixing at high-end fashion brands, Capita's data protection failings, and more.
Our pick of compliance stories this month
- Biffa fined nearly £2.5m after waste site fatality
- Fashion faux-pas: Luxury brands fined €157m for price fixing
- Capita's £14m fine for data protection failures
- Jaguar Land Rover cyberattack costs UK economy £1.9bn
- Amazon Web Services outage exposes UK's overreliance on US big tech
- Bedroom fraudster jailed for £1.3m Ponzi scheme
- UK consumers lose £629m to fraud in first half of 2025
- Advisor is fined £100k and banned for insider dealing
- Two-thirds of firms are failing to meet money laundering rules, says FCA
- Supervision switch: FCA becomes the UK's sole AML regulator
Biffa fined nearly £2.5m after waste site fatality
Waste management company Biffa Waste Services Ltd has been fined £2.48 million after one of its workers was crushed by a reversing wagon at its waste site in Bradford.
The 57-year-old worker was struck by the reversing skip wagon as he walked to the site office. He died from his injuries.
An investigation by the Health and Safety Executive (HSE) revealed that Biffa failed to effectively review and monitor the control measures that were put in place to protect pedestrians and segregate them from vehicles.
The HSE found that it was common practice for people on the site to bypass pedestrian routes. Footage captured on CCTV in the week before the accident showed pedestrians ignoring safe routes and climbing over the barriers that were designed to keep them safe.
"This incident was easily avoidable. Control measures were in place to allow pedestrians and vehicles to move safely, but a lack of monitoring and supervision allowed poor working practices to develop between the workers on site. Our investigation found a casual attitude to health and safety with workers treating a high hazard site like a playground. This tragic incident should be a reminder […] not to become complacent with the risks workplace transport poses, and that even where control measures are in place to segregate pedestrians and vehicles, robust monitoring and supervision of their correct usage need to be in place."
- Elliot Archer, HSE inspector
Almost a quarter of all deaths involving workplace transport occur during reversing manoeuvres.
Key takeaways:
- Comply with HSE guidance on site layout - be sure to segregate pedestrians and vehicles as far as possible by using barriers and walkways. Consider whether any changes to the layout could improve overall safety - in this example, perhaps the site office could have been relocated?
- Carry out a risk assessment - to identify areas of risk where pedestrians and transport share the same space. Pay extra attention to high-risk activities, such as loading, unloading, drop-off and parking areas
- Follow the 5Ts framework - ie Terminate, Treat, Transfer, Tolerate, and Take the opportunity, to help you manage the risks
- Implement controls to keep people and vehicles separate - for example:
- Where possible, have completely separate routes to reduce the risks, eg footbridges and subways
- Clearly mark and sign vehicle and pedestrian areas and crossing points
- If the risks cannot be easily managed, reduce or limit access to areas for pedestrians
- Involve employees in setting the rules, as this increases buy-in and ownership
- Assess any other safety risks that may arise in the area - eg loads falling from vehicles, fumes, noise, and how best to manage them
- Communicate the rules to everyone and provide regular reminders and refreshers:
- Tell drivers and pedestrians about approved routes, including visitors and new hires
- Erect signs to act as visual reminders of the rules and established safe routes
- Provide information in different languages and formats to promote understanding
- Remind everyone of the dangers of using a mobile phone in shared areas.
- Regularly monitor and review the control measures - to ensure they are fully understood, work correctly and the rules are followed:
- Arrange effective oversight and supervision, to check whether the rules are being followed
- Address non-compliance - don't ignore poor working practices. For example, the footage showed a football being kicked on the site
- Remember, "non-compliance leads to more non-compliance" - if you tolerate people ignoring safe routes, cases of non-compliance can escalate (eg "Everyone does it so it's not that important"!)
- Make compliance and 'doing the right thing' easy - people will always try to find shortcuts if the rules seem hard to follow or are unworkable - it's human nature.
Fashion faux-pas: Luxury brands fined €157m for price fixing
Fashion brands Gucci, Chloé and Loewe have been fined €157 million for fixing resale prices, according to the European Commission.
The three companies restricted the ability of independent third-party retailers to set their own online and offline prices for high-end fashion products designed and sold by Gucci, Chloé and Loewe, violating EU competition rules.
All three engaged in retail price maintenance (RPM), which prevented online and offline retailers - all of them independent - from setting their own prices for almost the entire range of products. This included apparel, leather goods, shoes and accessories.
An investigation was launched after the regulator made unannounced visits to premises in April 2023.
The regulator said that Gucci, Chloé and Loewe interfered with retailers' commercial strategies by requiring them to stick to:
- Recommended retail prices (RRP)
- Maximum discount rates
- Specific periods for sales.
In some cases, they prevented retailers from offering any discounts at all, instead making them apply the same prices and sales conditions as their own direct sales channels. This protected their own sales from any competition.
Retailers were monitored by the fashion brands and there were follow-ups for those deviating from fixed prices. Most retailers complied with the imposed pricing policies from the start or after being asked to do so. The competition watchdog said that this deprived them of pricing independence and reduced competition between them, ultimately resulting in higher prices for consumers.
Although Gucci, Chloé and Loewe acted independently of each other, retailers often sold products by all three brands.
Taking into account their cooperation, the regulator fined Gucci almost €120 million. Chloé was fined almost €20 million, while Loewe was fined almost €19 million.
"In Europe, all consumers, whatever they buy, and wherever they buy it, online or offline, deserve the benefits of genuine price competition. This decision sends a strong signal to the fashion industry and beyond that we will not tolerate this kind of practices in Europe, and that fair competition and consumer protection apply to everyone, equally."
The Commission has set up a tool to make it easier for individuals and companies to report cartels and other anti-competitive behaviour.
Key takeaways:
- Don't discuss pricing strategies, impose fixed or minimum prices on retailers, or restrict their pricing freedom - for example, by insisting that they meet recommended retail prices. Maximum resale prices are allowed.
- Never act in a way that restricts competition in any market, especially where we have a dominant position - for example, by refusing to supply, prohibiting discounting, imposing exclusive obligations, or entering "pay-for-delay" deals.
- Remember, RPM is a hardcore restriction - because it leads to less choice and increased prices for consumers.
- Take extra care with any horizontal agreements - i.e. where retailers are competing at the same level as suppliers or manufacturers.
- Report any suspicion or violation of competition law immediately to your manager or Legal - this is vital as under leniency rules, the first to report to the authorities can escape prosecution.
- Remember, anti-competitive behaviour is costly - the Antitrust Damages Directive makes it easier for those affected by anti-competitive behaviour to obtain damages.
- Cooperate fully with the authorities in an investigation or dawn raid - remember, they are entitled to search paper and electronic company records, even your personal phone messages. Never conceal or destroy evidence. Full cooperation can reduce the fine imposed. In this case, Gucci and Loewe's fines were reduced by 50%.
Capita's £14m fine for data protection failures
Capita plc and Capita Pension Solutions Ltd have been fined a total of £14 million for data protection failures, including failing to ensure the security of personal data.
Hackers stole personal information belonging to 6.6 million people in a cyberattack in March 2023, from pension records and employee records, as well as customer details. This included sensitive information, such as financial data, details of criminal records, and special category data.
Hackers gained access when a malicious file was accidentally downloaded to an employee's device, the UK's data protection regulator revealed. Although a high-priority alert was raised within 10 minutes, Capita did not quarantine the device for 58 hours (against a target response time of one hour), allowing the attacker to exploit its systems. This enabled the hacker to stay in the system, gain administrator permissions, and access other parts of the network. Almost one terabyte of data was removed.
Ransomware was then deployed, resetting user passwords and preventing staff from accessing their systems and network.
The data watchdog said that Capita had left personal data at risk by failing to ensure security of processing, and it lacked appropriate technical and organisational measures to effectively respond to the attack.
Capita Pension Solutions Ltd processes personal data on behalf of 600 organisations providing pension schemes. 325 of these organisations were affected by the breach.
"Capita failed in its duty to protect the data entrusted to it by millions of people. The scale of this breach and its impact could have been prevented had sufficient security measures been in place. When a company of Capita's size falls short, the consequences can be significant. Not only for those whose data is compromised – many of whom have told us of the anxiety and stress they have suffered - but for wider trust amongst the public and for our future prosperity. As our fine shows, no organisation is too big to ignore its responsibilities. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people's data secure. Cyber criminals don't wait, so businesses can't afford to wait either - taking action today could prevent the worst from happening tomorrow."
Key takeaways:
- Follow the NCSC's guidance on preventing lateral movement - ensure that the "principle of least privilege" is applied across your organisation, with a tiering model for administrative accounts
- Share the findings from penetration testing across the entire company - this ensures risks are addressed universally and not siloed in individual business units
- Be vigilant - monitor for suspicious activity and respond to early warnings
- Encourage your team to speak up if they make a mistake - this enables prompt action to be taken. And, crucially, when alerts are raised, act promptly
- Invest in key controls and provide adequate resourcing - so teams are able to react within target response times
Jaguar Land Rover cyberattack costs UK economy £1.9bn
The cyberattack on Jaguar Land Rover has been declared a Category 3 Systemic Event, according to the Cyber Monitoring Centre (CMC). Category 5 is the most severe.
The non-profit, which analyses and categorises cyber incidents in the UK, has estimated that the overall financial cost of the hack to the UK economy is around £1.9 billion and that it has impacted over 5,000 UK organisations. The figure may rise if there are any unexpected delays in getting production back to pre-event levels.
The CMC described the incident as the most economically damaging cyber event ever to hit the UK. Most of the financial cost was due to the loss of manufacturing output at JLR and its suppliers. But other factors included IT rebuild costs, reduced vehicle sales, and losses to downstream organisations and local businesses.
CMC chief executive Will Mayes said:
"That should make us all pause and think. Every organisation needs to identify the networks that matter to them, and how to protect them better, and then plan for how they'd cope if the network gets disrupted."
"We tend to think of systemic cyber risk as something that spreads through shared IT infrastructure: the cloud, a common software platform, or self-propagating malware. What this incident demonstrates is how a cyber attack on a single major manufacturer can cascade through thousands of businesses, disrupting suppliers, transport and local economies, and triggering billions in losses across the UK economy."
He continued, "No single organisation can manage these risks alone. Industry, insurers and government each have a role in strengthening the UK's operational resilience. The CMC's purpose is to create a shared, trusted evidence base that supports better decisions following major cyber events."
The CMC categorised the cyberattacks on M&S, the Coop and Harrods as Category 2 events.
Separately, the National Cyber Security Centre warned that the number of nationally significant cyberattacks has doubled this year. It is urging all businesses to draw up plans for what they would do if "your IT infrastructure was crippled tomorrow and all your screens went blank".
"Don't be an easy target. Prioritise cyber risk management, embed it into your governance and lead from the top."
"We do see our attackers improving their ability to cause real impact, to inflict pain on the organisations they have breached and those who rely on them. They don't care who they hit or how they hurt them. That is why we need all organisations to act."
He also stressed the emotional impact of the current wave of cyberattacks:
"I've sat now in too many rooms with individuals who have been deeply affected by cyber-attacks against their organisations … I know the impact the disruption has on their staff, suppliers and customers, the worry, the sleepless nights. And the impact it has on the teams who work round the clock for weeks and months trying to put the pieces back together."
Key takeaways:
The CMC's Technical Committee has this advice for boards, manufacturers, insurers and other organisations:
- Operational disruption is the biggest cyber risk for most companies - consider this when prioritising risk. Design corporate governance and systems to build resilient operations, which also deliver data security
- Strengthen IT/OT resilience - identify critical digital assets that are required to deliver business value, challenge systems compromise scenarios, and put recovery plans in place to contain losses. Ensure the board and leaders understand dependencies between IT and OT systems.
- Map supply chain dependencies - vulnerability is increased if a high proportion of revenue is reliant on a single ultimate customer, and they stop operating. Tier 0.5, 1 and 2 suppliers must assess revenue concentrations, maintain liquidity buffers or use other strategies to mitigate risk for prolonged periods
- Assess cyber insurance coverage - assess your company's insurance needs based on supply chain dependencies, exposure to disruption and the need for immediate liquidity after an event. For insurers, ensure products contain adequate protection for supply chain events. Consider extending protection to cover critical buyers and customers.
Amazon Web Services (AWS) outage exposes UK's overreliance on US big tech
The UK is overreliant on a handful of US big technology companies, according to experts.
The warning comes after an IT issue took Amazon's cloud computing services offline, bringing down thousands of websites and apps across the world.
Over 2,000 companies were impacted by the AWS outage, along with multiple platforms, including Snapchat, Roblox, Pokémon Go, Signal, Slack, Duolingo, Epic Games and PlayStation Network.
In the UK, banking services like Lloyds Banking Group, Halifax and Bank of Scotland experienced problems. Customers struggled to access trading and financial apps, such as Hargreaves Lansdown and Robinhood, as well as media websites. Even Amazon's own e-commerce site was impacted. Problems were also seen on the HM Revenue and Customs website.
The issue - which was thought to be an IT glitch rather than a malicious cyberattack - was resolved after a few hours, but problems continued throughout the day.
The outage highlights our reliance on a handful of tech companies, such as Amazon, Google and Microsoft, which dominate cloud computing, experts warned.
"The UK can't keep leaving its critical infrastructure at the mercy of US tech giants. With Amazon Web Services down, we've seen the lights go out across the modern economy - from banking to communications."
- Cori Crider, the executive director of the Future of Technology Institute
Yet, there are benefits to working with big players:
"The counter-argument is that it's these large hyper-scaling companies that have the financial resources to provide a secure, global and resilient service. But most people outside those companies would argue that is a risky position for the world to be in."
The UK government confirmed that it was in contact with Amazon.
Questions are now being asked about why Amazon has not yet been designated a "critical third party", given how closely it works with the financial services sector; those raising the question want to see additional regulatory oversight.
Bedroom fraudster jailed for £1.3m Ponzi scheme
A fraudster, who operated a Ponzi scheme from his bedroom in Devon, has been jailed for seven-and-a-half years, said the Financial Conduct Authority (FCA).
Daniel Pugh, 35, set up a fraudulent investment scheme - the Imperial Investment Fund (IIF) with another individual. He targeted investors through Facebook adverts, promising impossibly high returns of 1.4% a day, 7% a week or 350% a year.
You'd think that would raise alarm bells, but it didn't for everyone. The scheme attracted 238 investors and took over £1.3 million in investments.
But it was all a sham, and the promises made to investors were not kept. In reality, Pugh took the money to fund a lavish lifestyle, purchasing designer clothes and withdrawing £18,000 in cash.
Even when the scheme was collapsing, Pugh tried to attract more investors.
"Pugh made outlandish claims to hook in victims but in reality this was nothing more than a massive fraud. Fighting financial crime is a priority for the FCA. We will take action to ensure criminals face repercussions for their actions, including being denied access to any ill-gotten gains. People's online personas are often at odds with reality, as was the case with Pugh. Claims that sound too good to be true, are usually just that."
He advised people to check the FCA Firm Checker before investing.
Judge Weekes said that Pugh had shown little remorse, adding, "The consequences for them [the victims] are marked and apart from financial loss they feel embarrassment".
Confiscation proceedings are ongoing to deprive Pugh of the proceeds of his crime and compensate his victims. His accomplice is still being sought for the same offence.
UK consumers lose £629m to fraud in first half of 2025
UK consumers lost £629 million to fraudsters in the first half of 2025, according to official banking data released by UK Finance. This represents a 3% increase on the previous year.
Investment scams were up 55%, compared to the same period last year.
£97.7m was stolen by criminals who duped people into moving their money into a fictitious fund or a fake investment, often with the promise of unrealistic returns. This type of fraud often involves larger amounts of money (sometimes someone's life savings) and it can be some time before individuals realise they have been scammed.
Here are some of the other key findings:
- There was a worrying increase (up 35%) in romance scams, where people are tricked into believing they are in a genuine relationship
- Losses from purchase scams, where people pay for goods and services that never materialise, were the most common type of Authorised Push Payment fraud, accounting for 72% of all APP fraud
- There was a 27% increase in contactless card fraud
- 66% of all APP fraud cases started online, eg on social media or ecommerce sites
Of course, the figures may be much higher as victims are often reluctant to report these crimes because they feel embarrassed or ashamed.
The banking body, UK Finance, wants the government to make fraud prevention a central part of its planned Fraud Strategy.
Banks prevented £870m from being lost, which was an increase of 20% compared to the same period last year. But UK Finance says that the financial services sector cannot fight fraud alone.
It is calling for all sectors to be held accountable and share expertise, particularly the technology and telecommunications sectors.
Speaking to the Guardian, the Payments Association said that successive governments had, "failed to address the main issue: blocking fraud at source, preventing crime from happening and mandating responsibility for social media".
"Phone companies and social media platforms must urgently act to cut scam content off at source."
Key takeaways:
- Follow the Take Five to Stop Fraud campaign:
- Stop: Take a moment to stop and think before parting with your money or information. It could keep you safe.
- Challenge: Ask yourself, could it be fake? It's ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
- Protect: Contact your bank immediately if you think you've been scammed and report it to Action Fraud.
- Check out the Type Don't Tap campaign:
- Avoid clicking on links in emails, messages or on social media - you never know where it could take you.
- Type don't tap - go old school and type the web address in full and only use trusted sites.
- Protect one-time passcodes - treat them as carefully as you would your PIN. Read messages in full to check what you're approving.
- Turn on your bank alerts - and check your accounts regularly. If you see spending you don't recognise, contact your bank immediately.
Advisor is fined £100k and banned for insider dealing
The financial watchdog, the FCA, has fined an advisor £100,281 and banned him from the UK financial services sector.
Neil Sedgwick Dwane was an advisor at ITM Power Plc (ITM) in 2022. In his role, he was given information about a pending announcement that ITM was planning to make to the market.
However, the day before the announcement was made, Mr Dwane sold his own and a family member's 125,000 shares worth £124,287.
When the announcement was made to the market on 27 October, ITM's share price fell by 37%. Taking advantage of the fall, Dwane bought 180,000 shares worth £140,700, gaining £26,575 from the price difference.
In his role, Dwane was supposed to get ITM's permission before dealing in its shares, but he did not do so. He abused his position of trust and his conduct amounted to insider dealing, said the regulator.
"As an experienced financial professional, Mr Dwane's dishonesty and greed fell way short of the standards we expect. Trading on inside information while in a position of trust rigs the system and undermines the integrity of the market."
Two-thirds of firms are failing to meet money laundering rules, says FCA
The Financial Conduct Authority (FCA) has warned that there are significant financial crime gaps in oversight by finance firms. It said that two-thirds of those finance firms not required to submit financial crime returns are failing to meet money laundering rules.
Findings from a recent survey revealed that:
- 11% of firms had no documented firm-wide risk assessment, despite this being a requirement under the Money Laundering Regulations
- 10% did not retain documented evidence of customer due diligence
- 29% did not conduct financial crime risk assessments for appointed representatives
- 6% did not monitor appointed representatives' compliance with financial crime regulations or conduct on-site visits or audits
There was some good news, however. 97% of those surveyed claimed to regularly report financial crime concerns to senior management.
"Corporate finance firms play a vital role in the UK's capital markets. Their exposure to money laundering risks means it is essential that they have strong, proactive controls in place. While some firms may be meeting expectations, many may be falling short of minimum regulatory requirements. We are sharing our findings so firms can address any gaps in their control frameworks."
Supervision switch: FCA becomes the UK's sole AML regulator
The Solicitors Regulation Authority (SRA) has had its money laundering responsibilities removed.
It is part of the government's major reform of AML and CTF supervision, which will create a Single Professional Services Supervisor (SPSS). The FCA will now become the UK's sole AML regulator and take over the supervision of law, accountancy and trust firms.
"These changes will simplify the supervision of professional services, ensure more consistent oversight and help us identify and disrupt crime."
However, not everyone is happy. The Law Society has expressed concern about the loss of legal expertise.
"The government must carefully manage the cost implications of implementing an SPSS model and avoid increasing regulatory burdens that could undermine the competitiveness of our world-beating legal services sector, especially given the extensive changes required."
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
Written by: Lynne Callister
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.