We've examined the top compliance news stories in 2018, from money laundering scandals and celebrity tax evasion to IT failures in financial services.
In the minds of many, money laundering conjures up images of drug barons from Latin America, blood diamond smugglers from Africa, and arms dealers from Asia. Well, prepare to be disabused of such notions. Possibly the largest ever money-laundering scandal in history is unfolding here in the European Union!
It turns out that the Estonian branch of the Danske Bank from Denmark had thousands of suspicious customers and may have laundered up to €200bn over a nine-year period.
The scandal - which involved over 32 currencies and companies in Cyprus, Seychelles, British Virgin Islands and the UK - led to the resignation of its CEO Thomas Borgen. However, he has protested that he did everything he was legally required to do.
Incidentally, Denmark is ranked the second-best country globally on Transparency International's Corruption Perceptions Index 2017. Yet it has no whistleblowing legislation, which, had it existed, may have brought the Danske case to light earlier. And in 2013, the OECD pointed out that it had "serious concerns about the lack of enforcement" against bribes paid by Danish companies abroad.
As part of an ongoing investigation into the Danske Bank money laundering scandal, ten of the bank's former employees were arrested in Estonia.
Yet, spare a thought for its current employees who have done nothing wrong but are still tainted by the scandal. Research shows this can lead to bias and even harm their future mobility.
The Financial Action Task Force (FATF) published its assessment of the UK's anti-money laundering and counter-terrorist financing measures.
There was much to be admired in the existing regime. The assessment roundly praised the UK's understanding of ML/TF risks and gave it the top rating for its controls and measures, the highest of 60 countries assessed so far.
But, it's not all good news. Concern was expressed about its links to offshore jurisdictions - such as the British Virgin Islands and the Cayman Islands - territories linked to the Panama Papers scandal.
The FATF report pointed out that the UK faced:
"… significant ML risks from overseas jurisdictions, in particular from other financial centres (including some of its Overseas Territories and Crown Dependencies) due to its position as a major global financial centre and the world's largest centre for cross-border banking."
Although the FATF welcomed the UK's robust approach to tackling money laundering - singling out its 7,900 investigations and 1,400 convictions - it noted that:
"The main ML risks include high-end ML, cash-based ML and the laundering of proceeds from fraud and tax offences, drug offending and human trafficking, and organised crime."
Echoing alarms raised by Transparency International, it also highlights the significant risks "from laundering the proceeds of foreign predicate crimes, including transnational organised crime and overseas corruption".
Unsurprisingly, the FATF report also acknowledged the lack of oversight in respect of trust registers - again, a flaw that garnered attention in the Danske Bank scandal.
The National Crime Agency's role in the fight against illicit finance didn't go unnoticed in the FATF report, with praise for its innovative approaches in maximising intelligence "including intelligence sharing with the private sector through the Joint Money Laundering Intelligence Taskforce".
The agency, which handles around 500,000 Suspicious Activity Reports (SARs), is already responding to its recommendations.
It announced new measures to tackle the misuse of Scottish limited partnerships (SLPs) and increase transparency.
Reforms included requirements on firms to:
In addition, Companies House was granted new powers to strike off dissolved limited partnerships and dormant firms.
The crackdown aimed to prevent Scottish firms from being used to launder dirty cash, but the problem could just move elsewhere. It was notable that there was a surge in Northern Irish Limited Partnerships.
Two Glasgow-based shell companies were at the centre of the Azerbaijan laundromat. The agency has also frozen a bank account believed to be linked to the Azerbaijani scheme.
Popstar Shakira faced charges of tax evasion by Spanish prosecutors. According to the charges, she allegedly failed to pay $16.3m in taxes after listing the Bahamas as her official residence between 2012 and 2014. Prosecutors claim she was in fact living in Spain with her partner, Barcelona's Gerard Piqué during that time.
Shakira denies wrongdoing and says the authorities - which have also pursued successful cases against Lionel Messi and Cristiano Ronaldo - are using her "as a scapegoat". She was named in the Paradise Papers, with Madonna and Bono.
Maybe she can take inspiration from the Beatles, who turned their tax woes into a musical anthem in 1966? Taxman provided the opener for the Revolver album.
Plans were announced by the European Commission to combat tax fraud.
They aimed to improve cooperation between tax authorities and Payment Service Providers (credit and debit card providers). Since over 90% of online transactions involve Payment Service Providers, better data sharing would enable tax authorities to have oversight of the VAT obligations in relation to cross-border sales. It would also help combat fraud across the e-commerce sector.
Following successive money laundering scandals across the EU at Danske Bank, Latvia's ABLV Bank and Pilatus Bank in Malta, European Member States agreed to strengthen supervision by the European Banking Authority (EBA).
Under the plans, the EBA would have the power to force banks to implement anti-money laundering controls and collect information, even if national authorities failed to act.
The measures would ensure the rules are applied equally and authorities cooperate closely with each other, according to the Council of Europe statement.
A 'post-mortem' of recent cases at EU banks was also recommended, to understand how they happened and shape future policy.
However, the plans did nothing to tackle uncooperative States who fail to impose or publicise sanctions for fear of reputational damage, despite this being one of the best deterrents.
Katanga Mining Ltd, a subsidiary of Glencore PLC, and former executives agreed to pay $22 million to the Ontario Securities Commission (OSC) for failing to disclose risks after doing business with Dan Gertler, an Israeli billionaire who was subject to US sanctions.
The US Department of the Treasury, which investigated at the time, said:
"Gertler has used his close friendship with DRC (Democratic Republic of Congo) President Joseph Kabila to act as a middleman for mining asset sales in the DRC, requiring some multinational companies to go through Gertler to do business with the Congolese state."
In addition, Katanga understated its mining costs and overstated its copper production. A number of executives stepped down.
The UK National Crime Agency developed a taste for unexplained wealth orders in 2018.
Zamira Hajiyeva - the wife of a jailed Azerbaijani banker, who spent £16m at Harrods and owns luxury properties, including an £11.5m Knightsbridge home - was forced to explain the source of her wealth.
UWOs came into force in January as part of the Criminal Finances Act 2017. They require targets to account for their source of funds. If they cannot prove a legitimate source - and crucially, the burden is on them to do so - then their assets and property can be seized.
Still, there's a lot further for the authorities to go. Transparency International has claimed that £4.4bn worth of property in London bought with suspicious wealth is linked to politically exposed persons and criminals.
Carlos Ghosn is a true legend in the global car industry for the way he saved Nissan from bankruptcy in 1999 and nursed it back to rude health. And he's the only person to simultaneously run two Fortune Global 500 companies (Renault and Nissan). For years, he was one of the top five most respected business leaders in the world.
So, it came as a shock to many when he was dismissed by Nissan and arrested in Japan for alleged financial misconduct.
An investigation was launched following a tip-off by a whistleblower, who accused Ghosn of misappropriating funds for personal use. Allegedly Nissan spent millions of dollars purchasing and renovating luxury homes in Brazil, Lebanon, France and the Netherlands without legitimate business justifications. This could open Ghosn up to charges of professional embezzlement and tax evasion for not reporting this benefit in his income tax returns.
Prosecutors claimed that Ghosn arranged future compensation for himself to the tune of 8 billion yen ($70.5 million) that was not reported in Nissan's annual report - in contravention of Japanese securities regulations.
Ghosn is also facing corruption charges for dubious consultation fees paid by Nissan to his older sister. However, the company cannot confirm whether she has actually performed any work for which she was paid.
All of the above were allegations and charges needing to be proven. Still, they rang a warning bell for top executives, no matter how illustrious, against using their companies as a piggy bank to fund their lifestyle.
The ICO released new guidance on passwords and encryption - two of the key technical measures for personal data security under the GDPR.
The ICO has reminded companies that they are expected to use encryption when storing or transmitting personal data, given the availability of low-cost encryption solutions. It is important that you have an encryption policy and that you train your staff in its use and importance, but remember that residual risks to the data remain even after encryption.
Although there is no specific mention of passwords in GDPR, the security principle requires organisations to implement appropriate measures to prevent the unauthorised processing of personal data. The guidance has advice on authentication schemes, good practice and defending against brute force and other attacks. Again, there's a need to train your employees to embed good practice in your operations.
The FCA published its review of whistleblowing arrangements by firms in the UK financial services sector.
It claimed that new rules introduced in 2017 spurred firms into implementing whistleblowing arrangements and managing concerns fairly, consistently, and in a way that protects the individual whistleblower. Non-exec directors (NEDs) provide independent oversight and accountability and help to raise the profile of whistleblowing.
However, the report has also identified key areas requiring improvement, most notably in the provision of whistleblowing training to staff, preparation of whistleblowing annual reports, and the need for better documentation, plus practical arrangements for protecting whistleblowers against victimisation.
More protection for whistleblowers was expected in the form of a Whistleblowing Directive from the European Commission and the European Parliament.
Interestingly, both the FCA and PRA announced retrospective regulatory enforcement actions against Senior Managers over a year after taking enforcement actions against the regulated firms.
The FCA published a decision notice confirming that it had fined Mohammad Prodhan, the former Chief Executive Officer of Sonali Bank (SBUK), £76,400 for a breach by the bank of its obligations to maintain effective anti-money laundering systems. The FCA took enforcement action against the bank and its former Money Laundering Reporting Officer (MLRO) in 2016 and has announced the fine against the CEO more than two years later.
The FCA took action against SBUK in October 2016, when the bank was fined £3.3m and banned from accepting deposits from new customers for five months. At the same time Steven Smith, the former MLRO was fined £17,900 and banned from taking on future compliance oversight roles.
Mr Prodhan was the senior manager at SBUK with responsibility for the establishment and maintenance of effective AML systems and controls. The FCA found that Mr Prodhan failed to take reasonable steps to assess and mitigate the AML risks arising from a culture of non-compliance among SBUK’s staff. This led to systemic failures in SBUK’s AML systems and controls throughout the business. Mr Prodhan has referred the FCA’s Decision Notice to the Upper Tribunal.
The PRA announced that it had fined the former chair and non-executive director (NED) of The Bank of Tokyo-Mitsubishi (BTMU) for breaching PRA’s Statement of Principle 4 by failing to disclose information to the regulator.
The requirement to disclose appropriately any information of which the regulator would reasonably expect notice is set out in Senior Manager Conduct Rule 4. The PRA's decision notice acts as a reminder to Senior Managers that the duty imposed by that rule includes the requirement to make disclosures in the absence of any request or enquiry from the PRA (or FCA).
The action against the former board members was taken some time after the enforcement action against the respective regulated firms. The PRA fined The Bank of Tokyo-Mitsubishi (BTMU) £17.85m and MUFG Securities EMEA plc £8.925m on 9 February 2017. The PRA commented at that time that where senior managers have roles and responsibilities in more than one entity within a group they must ensure that they consider the regulatory responsibilities of each firm, as well as their own responsibilities to the UK regulators.
The PRA confirmed that Mr Kamiya, former Chair of Mitsubishi UFJ Securities International plc has been fined £22,700 and Mr Takami Onodera, former NED was fined £14,945. Both individuals failed to disclose to the PRA the possibility Mr Kamiya would be restricted from conducting US banking activities because of action by the New York Department of Financial Services against the Bank.
The FCA set out proposals to overhaul overdraft charges. It reported that in some cases unarranged overdraft fees may be more than ten times as high as fees for payday loans and that people living in deprived areas are more likely to be impacted by these. In 2017, firms made over £2.4bn from overdrafts alone, with around 30% from unarranged overdrafts.
The plans were announced in a package of measures introduced by the FCA’s high-cost credit review.
The FCA proposes the following changes to the overdraft market:
Banks would still have to do more to identify overdraft customers who are showing signs of financial strain or are in financial difficulty and to help them to reduce their overdraft use.
The FCA also proposed changes in May 2018 to tackle harm to consumers in the home-collected credit, catalogue credit and store card sectors. In CP18/43, the FCA published final rules and guidance on home-collected credit, catalogue credit and store cards, and finalised guidance for registered social landlords (RSLs).
The FCA also proposed additional protections on buy now pay later offers, including stopping backdated interest for repayments made during the offer period, which will save consumers around £40-60 million. It proposed to extend two measures that already apply to catalogue credit and store cards to point-of-sale retail finance providers.
Both consultations were open until 18 March 2019. The FCA considered feedback before planned policy statements on overdrafts and buy now pay later offers in June 2019.
On a positive note, the FCA’s thematic review of how mortgage lenders treated customers who have long-term mortgage arrears found that firms generally were treating these customers appropriately.
It did comment that it was disappointed to find some inconsistencies in firms’ arrears management practices that may result in a poor customer experience and have the potential to cause harm.
The review highlighted some poor practices:
Firms that offer or administer mortgages should review their mortgage lending practices against the review findings and FCA rules, guidance and examples of good and poor practice.
The FCA surveyed 296 firms to assess their technology and cyber capabilities.
They found that nearly half of firms were not upgrading or retiring old IT systems in time and only 56% of firms were able to measure the effectiveness of their information asset controls. A lack of Board understanding of cyber risks was highlighted too.
It is interesting to note that those firms which are subject to the Senior Managers Regime often reported a clearer structuring of roles and responsibilities and ownership of a cyber security strategy.
The FCA reminds firms that effective governance at senior levels is essential for effective resilience throughout an organisation, whatever its size.
Commenting on the findings, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA said: “We see no immediate end in sight to the escalation in tech and cyber incidents that are affecting UK financial services”.
The FCA’s publication and Megan Butler's speech on this topic were issued just a few days after the announcement that the Treasury Committee is undertaking an inquiry into IT failures in the financial services sector. The Committee will examine the ability of financial services institutions to guard against service disruptions and to put things right should disruptions occur.
Launching the inquiry, Rt Hon. Nicky Morgan MP, Chair of the Treasury Committee, said: “The number of IT failures at banks and other financial institutions in recent years is astonishing. Since becoming Chair of the Committee 16 months ago, there have been problems at Equifax, TSB, Visa, Barclays, Cashplus and RBS, to name a few.
“Millions of customers have been affected by the uncertainty and disruption caused by failures of banking IT systems. Measly apologies and hollow words from financial services institutions will not suffice when consumers aren’t able to access their own money and face delays in paying bills.”
Regulated firms should be aware that the FCA is proposing to more than double the amount of compensation the ombudsman service can require firms to pay when it upholds a complaint. Currently, the Ombudsman can force firms to pay compensation of up to £150,000 and it can recommend firms pay more to the complainant if it believes that is appropriate. However, any amounts above the limit are voluntary for the firm.
The FCA’s consultation, which closes on 21/12/18, proposes:
For any complaints referred to the ombudsman service before 1 April 2019, the limit will remain at £150,000. The FCA intends to publish its final rules in a Policy Statement in early March 2019.
Senior Managers of regulated firms that outsource processes to third parties, and particularly those that manage those processes, should take note that the management and oversight of outsourcing in the financial services sector continue to be a firm focus for the FCA. On 30 October 2018, the FCA fined Liberty Mutual Insurance £5.2m, over failures in its oversight of mobile phone insurance claims and complaints handling. The final notice explains that Liberty breached Principle 3 (Management and Control) and Principle 6 (Customers’ interests) of the FCA’s Principles for Businesses in the oversight of its mobile phone insurance claims and complaints handling processes administered through a third party. In 2013, the FCA published a Thematic Review setting out its expectations for the mobile phone insurance market and it followed this up with a further publication in December 2015. The regulator also produced a Thematic Review reiterating insurers’ regulatory obligation for overseeing outsourcing arrangements in 2015.
The FCA introduced new rules aimed at improving the advice people receive when they are considering transferring their safeguarded benefits. The new rules and guidance (detailed in Policy Statement 18/20) included:
When two advisers work together on the pension transfer, they need to work together to collect the necessary information, undertake risk profiling, and consider the impact that the loss of any safeguarded benefits has on the client’s ability to take on investment risk. Firms using this advice model should ensure they have robust arrangements and processes in place so the responsibilities and liabilities of the different advisers are clear.
Firms need to manage the implementation of these new requirements. The guidance on two advisers working together and assessing attitude to transfer risk and the requirement to prepare a suitability report in all circumstances come into force immediately. The perimeter guidance on triage comes into force on 1 January 2019. The changes to the pension increase assumptions come into force on 6 April 2019. The remaining changes, which cover the pension transfer specialist qualifications and appropriate exam standards, will come into force on 1 October 2020.