Businesses of all sizes can rack up hefty fines by falling short on compliance issues, often unintentionally. These fines are most crippling to smaller businesses, many of which sadly end up in liquidation as a result.
Impact of fines on smaller businesses
The disparity in the impact on small and large businesses was highlighted when we examined data from 75 fines imposed between 2020 and 2023 by the UK Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA).
Over a quarter (26%) of micro and small businesses fined by either governing body are now in liquidation. Of these, a third (33%) are in compulsory liquidation. A further 2% subsequently fell into administration.
Comparing this with medium to large businesses that have much higher turnovers, just 6% ended in liquidation, all of which were voluntary. The average fine suffered by businesses of all sizes was £130,000.
How small businesses can avoid fines
Even companies with well-trained staff and thorough compliance processes may get caught off guard. Compliance is an ongoing process, and proactive measures can significantly reduce the risk of fines and legal issues.
A. Stay informed
Compliance guidelines regularly change, which can catch businesses out. This is why industry regulations and changes in policy need to be regularly monitored. You could subscribe to newsletters, watch webinars, attend workshops or engage with peers to stay in the loop.
B. Conduct regular audits & assessments
Conduct regular internal compliance audits to identify potential issues. Then, any issues can be addressed promptly, and necessary adjustments to processes and procedures can be made to prevent breaches.
C. Harness regulatory compliance technology
Larger businesses may struggle with the volume of activity needed. Equally, smaller businesses may lack dedicated resources. Compliance management software can automate and streamline processes. This can help reduce human errors and ensure consistent adherence to regulations.
D. Document & report on key activities
Keeping detailed records of your compliance efforts is important as it can serve as evidence in case of a regulatory audit. Implementing a system for employees to report potential compliance issues without fear of retaliation is also important, as it will allow for a prompt resolution before anything escalates.
E. Invest in training / consult with experts
Educate your employees about compliance requirements relevant to your industry, and encourage them to report any potential non-compliance so that you can act upon it. Compliance training can help employees understand their roles and responsibilities in maintaining compliance.
Key learnings from small business fines
- Be careful of creating conflicts of interest, and always act in customers' best interests, particularly those that may be vulnerable.
- Watch out for red flags of financial crime, especially money laundering.
- Always check data against Telephone Preference Service (TPS) lists. If someone has been listed there for more than 28 days, you are lining up a fine. It only takes a few complaints for the ICO to react.
- If you use third-party data, make sure you know where it came from, that it is TPS checked and that you have adequate ways for people to opt out.
- Ensure those you call are informed which company is calling.
Small business fines in detail
- Bastion Capital London Ltd (FCA fine £2.4m)
- Pembrokeshire Mortgage Centre (fined £2.4m)
- TJM Partnership (fined £2m)
- TFS Loans Limited (fined £812k)
- Bank House Investment Management (fined £311k)
- Home2Sense (fined £200k)
- Zuwyco (fined £160k)
- Posh Windows UK (fined £150k)
- Crosfill and Archer Claims (fined £110k)
- Hall and Hanley Limited (fined £91k)
- Finance Giant (fined £60k)
- Bizfella (fined £30k)
You can gain some simple learnings from the FCA and ICO fines to help avoid making similar mistakes and risking fines that could threaten business survival.
1. Bastion Capital London Ltd (FCA fine £2.4m)
Breaches of PRIN 2 & PRIN 3
The FCA fined Bastion Capital London Ltd £2,452,700 for serious financial crime control failings relating to cum-ex trading. Upon investigation, the FCA found that the company failed to manage any risk of being used for fraudulent trading and money laundering.
Bastion, now in liquidation, facilitated over £70 billion in "cum-ex trades" of Belgian and Danish stock on behalf of the hedge fund Solo Group's clients. Upon investigation, the FCA found that between January 2014 and September 2015, Bastion executed trades that were highly suggestive of financial crime.
Bastion failed to take note of or ignored the red flags regarding these trades, which appeared to have no economic purpose other than to transfer funds from the Solo Group's controller to their business associates. The FCA stated that the company should have considered financial crime risks when onboarding the Solo Group clients and executing the trades.
2. Pembrokeshire Mortgage Centre (FCA fine £2.4m)
Breaches of Principles 3, 7 & 9
The FCA fined Pembrokeshire Mortgage Centre Limited (PMC) £2.4m for unsuitable advice to consumers to transfer out of the British Steel Pension Scheme (BSPS) and other defined benefit (DB) pension schemes.
The FCA's official stance is that most consumers should retain the guaranteed income a DB pension provides. However, it was found that PMC advised almost 400 persons, almost two-thirds of whom were BSPS members, to transfer out of their DB scheme.
Many of the customers advised were in a vulnerable position due to the uncertainty surrounding the future of BSPS and the short period they had to make a decision. However, they did not receive the quality of advice required to make an informed decision. PMC was found to have pocketed over £2m in transfer and ongoing advice fees.
3. TJM Partnership (FCA fine £2m)
Breaches of PRIN 2 & PRIN 3
The FCA fined The TJM Partnership Limited (in liquidation) £2m for financial crime control failings. TJM did not have adequate systems and controls to identify and mitigate the risk of being used to facilitate fraudulent trading and money laundering. In addition to this, TJM failed to apply its anti-money laundering policies properly.
Trading executed on behalf of Solo Group's clients was conducted in a circular pattern characteristic of financial crime. The firm failed to identify any financial crime concerns or money laundering risks related to Solo Group.
4. TFS Loans Limited (FCA fine £812k)
Breaches of PRIN 6 & 3
The FCA fined TFS Loans Limited (in administration) £812k for deficient affordability checks on over 3k guarantors in its consumer credit business. In addition to this fine, the FCA has required TFS to redress the harmed guarantors.
TFS' failure to gather appropriate information on guarantors' financial circumstances led to some guarantors being unable to afford the guarantees they had entered into. Upon investigation, the FCA found that TFS failed to treat their customers fairly or to take reasonable action in organising their affairs responsibly.
"Friends and family members who agree to act as a guarantor for a loved one should feel confident that the lender will treat them fairly. The FCA’s affordability rules protects both consumer credit borrowers and guarantors from unaffordable risks. These requirements are high priority areas for the FCA especially as families face overall increases to their cost of living."
5. Bank House Investment Management (FCA fine £311k)
Breaches of PRIN 1 & Section 20
The regulator found that the company had breached Principle 1 of the FCA Principles for Business regarding integrity by acting dishonestly and recklessly concerning pension advice. Further, the firm breached Section 20 by advising on Pension Transfers without the relevant permission.
The firm's reckless actions involved adopting and using a Pension Review and Advice Process, which outsourced functions without adequate supervision.
It was judged obvious that the involvement of a third party (Hennessy Jones), which had a material financial interest in the bond within which customer funds would be invested, created a clear conflict of interest.
6. Home2Sense (ICO fine £200k)
Breach of regulations 21 & 24 of the PECR
The ICO fined Lampeter-based Home2Sense £200,000 for making over half a million unsolicited marketing calls.
The home improvement firm made 675,478 nuisance calls between June 2020 and March 2021, offering insulation services to people registered with the Telephone Preference Service (TPS).
It is against the law to make marketing calls to phone numbers registered with the TPS for more than 28 days unless the recipient notified the company they do not object to receiving such calls.
The ICO was told that customer data had been acquired from an 'unknown source', and the company blamed its staff for not screening the phone numbers against the TPS.
Following more than 60 complaints, the ICO's investigation found that the company identified itself using different trading names when calling, including 'Cozy Loft', 'Warmer Homes' and 'Comfier Homes'. This is also illegal.
7. Zuwyco (ICO fine £160k)
Breach of regulations 21 & 24 of the PECR
During 2021, Zuwyco used a public telecommunications service to make 93,558 unsolicited calls for direct marketing purposes to subscribers/data subjects who had been listed on the ICO's 'no call' register, contrary to Regulation 21(1)(b) of the PECR, which resulted in seven complaints being made to the Telephone Preference Service and the ICO.
More specifically, the ICO found that Zuwyco's use of a public electronic communications service to make unsolicited calls for direct marketing to numbers which were listed on the 'no-call' register kept by the ICO under Regulation 26 of the PECR was contrary to Regulation 21(1)(b) of the PECR.
Zuwyco failed, as Regulation 24 of the PECR required, to provide the call recipients with the particulars specified in Regulation 24(2) of the PECR. Where Zuwyco provided the caller's name, it was seemingly interchangeable and could not be readily identified as Zuwyco or its clients.
8. Posh Windows UK (ICO fine £150k)
Breach of regulation 21 of the PECR
Between 1 August 2020 and 30 April 2021, Posh Windows UK (PWUK) used a public telecommunications service to make, on the balance of probabilities, 461,062 unsolicited calls for direct marketing purposes to those already listed on the TPS.
This resulted in 21 complaints being made to the TPS and the Commissioner between 1 August 2020 and 30 April 2021 and further complaints outside this period.
The ICO noted the following aggravating features of this case:
- Calls persisted even after suppression requests had been received.
- The potential adverse effects of the calls on recipients; some complaints refer to individuals being subjected to persistent, aggressive calls.
- In some cases, PWUK has provided highly questionable evidence of consent, with complainants strongly disputing having provided the same.
- PWUK's record-keeping was poor, including the age of data and the lack of evidence of consent.
- There is no evidence of adequate training for PWUK's staff.
- Complaints have continued to be received outside the material period, as recently as April 2022.
Taking into account all of the above, the ICO decided that a penalty of £150,000 was reasonable and proportionate given the particular facts of the case and the underlying objective of imposing the penalty.
PWUK entered into a Creditors' Voluntary Liquidation on 10 August 2022.
9. Crosfill and Archer Claims (FCA fine £110k)
Breach of CAPR 12
Claims management company Crosfill & Archer Claims was fined for making unsolicited telemarketing calls to people who registered not to receive this type of sales call, where the firm had no evidence they had consented to receive the call or was unable to confirm what consent had been obtained on customer data purchased from third party data providers.
"Cold-calling customers who elected not to receive sales calls is an example of the type of cavalier behaviour claims management firms should not be engaging in. Firms need to ensure they have the right governance and due diligence in place, and we will take action when we see behaviour that threatens legitimate consumer rights and interests."
10. Hall and Hanley Limited (FCA fine £91k)
H&H was a claims management company (CMC) whose business focused on claims for mis-sold payment protection insurance (PPI).
A £91,000 fine was imposed by the CMR under the previous regulatory regime for CMCs due to data breaches and unauthorised copying of client signatures.
In 2019, the CMR found that Hall & Hanley had breached rules requiring CMCs to take all reasonable steps to ensure that any referrals, leads or data purchased from third parties had been obtained following applicable laws.
Marketing text messages concerning PPI claims were sent to consumers' mobile telephone numbers without Hall & Hanley taking sufficient steps to check that affected consumers had consented to receive such messages.
In addition, when reviewing a sample of 16 of Hall & Hanley's client files, the CMR found that in 8 of the files, the clients' signatures on claim documentation (including letters of authority) had been copied without authorisation.
11. Finance Giant (ICO fine £60k)
Breach of regulations 22 & 23 of the PECR
London-based Finance Giant acted as a loan broker for individuals looking for car finance. During 2020, it instigated sending a confirmed total of 505,759 unsolicited direct marketing messages received by subscribers contrary to regulation 22 of PECR.
The ICO received 97 complaints through the 7726 reporting system that SMS messages were sent without consent. Further investigation uncovered almost half a million emails had been sent without an opt-out.
12. Bizfella (ICO fine £30k)
Breach of regulation 22 of the PECR
Bizfella is an FCA-registered credit broker that trades under various names, including Cash Carrot and Pixie Loans. As part of its business, Bizfella operated several websites, including Cash Carrot and Pixie Loans.
Between 15 November 2019 and 15 July 2020, Bizfella Limited instigated sending 224,550 unsolicited direct marketing SMS messages received by subscribers contrary to regulation 22 of PECR. The ICO issued a £30,000 penalty.
Bizfella came to the ICO's attention from complaints to the 7726 spam text reporting service. 904 complaints were submitted through the 7726 service, and the ICO received two further complaints directly.
The ICO found that between 15 November 2019 and 15 July 2020, Bizfella instigated the sending of 224,550 unsolicited direct marketing SMS messages that were received by subscribers contrary to regulation 22 of PECR.
Bizfella needed to ensure that it complied with regulation 22 of PECR and that, to send those messages, either valid consent had been obtained or the soft opt-in requirements were met.