Our pick of key compliance stories this month
- Morgan Stanley fined $35m for data protection breaches
- Online gambling site fined £400k for marketing on children's webpages
- Disabled former policewoman wins legal challenge
- Optus suffers cyberattack and data breach
- Modern slavery increases due to the global surge in poverty
- Citigroup fined £12.6m for market abuse
- The UK announces new sanctions against Russia
- BeReal app could get you fired
- 'Fake FCA' scammers' penthouse raided by the NCA
Morgan Stanley issued a $35m data protection fine
American multinational wealth and financial management firm Morgan Stanley has been fined $35m (£32.7m) by US regulators for breaching data protection regulations.
The firm failed to dispose adequately of devices containing clients' personal data. Morgan Stanley engaged a third-party moving company to decommission thousands of company servers and hard drives containing personal customer data, even though that company did not specialise in data disposal.
The company then sold thousands of the firm's devices, some of which still contained customer data, to another third-party company. The latter company then went on to auction off the devices online.
US regulators estimate that 15 million customers have been affected over five years. Since the breach came to light, the firm has only managed to recover some of the devices in question.
The director of the SEC's enforcement division noted that the failings by Morgan Stanley were "astonishing" and that the large fine "sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."
Key takeaways:
- Managing legal and compliance risk involves identifying and assessing how various types of risk (in this case data risk, third-party risk and process risk) interact with one another, and implementing appropriate risk controls where necessary.
- Companies are responsible for key activities they are liable for, even if they outsource them to a third party.
- Companies should conduct adequate due diligence on all third parties to ensure they have the necessary expertise and resources to carry out the activities.
Gambling firm fined for marketing to children
Betway Limited, an online gambling business, has been issued a £400k fine by the UK Gambling Commission (UKGC) for marketing its products on West Ham United Football Club website pages aimed at child viewership.
The website pages allow users to download a teddy bear print-out for children to colour in. Betway's logo, which linked to its website when clicked, appeared on this page as well as on another of West Ham's "Young Hammers at Home" webpages.
The UKGC found that both advertisements breached rules all operators must follow, which state that gambling advertising must be socially responsible and not target underage people.
"Although there is no suggestion that the operator was deliberately targeting children, or that children had been allowed to gamble, we take the breach of any rules aimed at protecting children extremely seriously."
Disabled former policewoman wins legal challenge
A disabled former policewoman sued the Department for Work & Pensions (DWP) over an automatic deduction from her monthly benefit income. The automatic deduction allowed utility firms to draw down up to 25% of her benefits at source without checking with the claimant.
It is estimated that hundreds of thousands of disability claimants have been subject to these deductions.
The High Court ruled in favour of the claimant, noting that the DWP's operation of the scheme was unlawful because it failed to give claimants the chance to challenge the utility firms' requests, thus breaching "the obligation of fairness".
In practice, claimants could not give DWP officials evidence on whether the automatic deduction was affordable, whether the amount drawn down was justified, or whether there were more favourable payment methods. Following the ruling, the DWP is expected to revise its processes in due course.
Optus suffers cyberattack and data breach
Australia's second-largest telecommunications company has suffered a serious cyber attack resulting in a massive data breach, potentially affecting millions of customers.
The cyber attackers, believed to be from a criminal or state-sponsored organisation, have gained access to customers' personal details, including their names, dates of birth, phone numbers and email addresses.
Some customers also had their home addresses, driving licence details and passport numbers compromised. Once the breach was confirmed, Optus began contacting customers at high risk of identity fraud.
Identity fraud can have devastating consequences as it can result in criminals using another individual's identity to open a bank account, obtain a credit card or apply for a passport.
Optus has also advised customers on protecting their accounts and identities, including by changing their account passwords and remaining vigilant for scammers who might use the stolen personal information to phish for further personal data via text, email or phone call.
Key takeaways:
- Every company must have good governance and testing practices in place for all new technologies (especially AI-related) to limit exposure to cyber risk.
- All companies need to have a plan of action in place should a cyber breach materialise, particularly the steps that need to be taken to notify affected customers of the breach and safeguard their interests.
Modern slavery increases as global poverty surges
The UN International Labour Organisation (ILO) stated that modern slavery has increased by a fifth in the past few years. It is estimated that there are currently 50 million people who are victims of modern slavery and forced labour.
The ILO said around half of these people were forced to work against their will, while the other half were forced into marriage. Both situations fall under the ILO's definition of modern slavery, where a person "cannot refuse or cannot leave because of threats, violence, deception, abuse of power or other forms of coercion."
The overall situation has worsened with increasing poverty rates due to crises like the COVID-19 pandemic, armed conflicts, climate change, global instability and decreased supply of essential goods like staple foodstuffs and construction/manufacturing materials.
Citigroup fined £12.6m for market abuse
The FCA has fined Citigroup Global Markets £12.6m for failing to implement adequate trade surveillance to prevent insider dealing and market manipulation.
According to the FCA, Citigroup was not monitoring trades and orders for market abuse and took a year and a half to detect particular risks that its business may have been exposed to.
Citigroup qualified for a 30% discount by agreeing to settle the case. Without the discount, the fine would have been £17.9m.
"The framework for market integrity depends on the partnership between the FCA and market participants using data to detect suspicious trading. By not fully implementing the new provisions when required, Citigroup Global Markets did not carry its full weight in this partnership, impacting market integrity and the overall detection of market abuse."
The UK announces new sanctions against Russia
The UK has announced a round of sanctions in response to Russia's illegal referendums in Ukraine. The 92 sanctions are aimed at those responsible for the sham votes across the four Ukrainian regions and at various persons who continue to support Russia's war.
Among the 33 officials sanctioned over the referendums are Ivan Kusov, the minister of education and science in the so-called Luhansk People's Republic, Sergei Yeliseyev, the head of the recently-installed government in Kherson, and Yevhen Balytskyi, the supposed head of government in Russian-occupied Zaporizhzhia.
Sanctions have also been placed on oligarchs, including the "kings of Russian real estate" Zarakh Iliev and God Nisanov, with a shared net worth totalling £6.3bn, and board members from government organisations.
"Sham referendums held at the barrel of a gun cannot be free or fair, and we will never recognise their results. They follow a clear pattern of violence, intimidation, torture, and forced deportations in the areas of Ukraine Russia has seized."
Key takeaways:
- Always keep yourself up to date with the latest embargoes and sanctions - failing to do so could land you in hot water.
- Don't rely solely on automated screening software to flag up potential or actual matches - be vigilant and proactive in reporting any suspicions.
- Never rely on the sanctions screening conducted by another company or department.
The BeReal app could get you fired
BeReal, the social media app that randomly gives users two minutes to take and upload a photo of themselves each day, might seem harmless fun, but when it goes off during office hours, it could land users in hot water.
According to data protection experts, anyone who takes photos of their work screens could be breaching data protection laws if there's any personal data on them.
Apart from being illegal, it could also breach your employment contract and, in serious cases, even lead to dismissal. Remember, "I didn't realise" or "I wasn't aware" is not a defence. If you must use BeReal, keep it on mute during work hours.
'Fake FCA' scammers' penthouse raided by the NCA
Fraudsters who pretended to be the FCA had their Bucharest penthouse raided by the UK's NCA. The scam they used was particularly nasty as they pretended to help victims get their money back from a trading scam before defrauding them again.
"Working closely with Romanian Law Enforcement has been invaluable in bringing about the disruption of this suspected organised crime group. Victims have potentially lost huge sums to this fraud, and we will be working to trace these stolen funds as we continue the investigation."
The NCA and the Romanian authorities have shown that they can disrupt fraudsters even when those fraudsters base themselves in countries far away from their victims.
Looking for more compliance insights?
We have created a series of comprehensive roadmaps to help you plan and execute compliance in your organisation.
Our best-selling Compliance Essentials Library and award-winning LMS provide a one-stop compliance training solution, including compliance refresher courses.
And our searchable compliance glossaries explain key terms and regularly report on learnings from the largest compliance fines resulting from regulatory breaches.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
If you'd like to stay up to date with compliance learning best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
Last but not least, you can interact in person with thought leaders and your peers at one of our popular live webinars and face-to-face events.
If you've any questions or concerns about compliance or e-learning, please get in touch.
We're happy to help!