This month's key compliance news includes AIA's $2.9m AML fine, the new EU AI act taking effect, the first FCA fine issued to an audit company and more.
X, Elon Musk's social media platform, is facing a series of privacy complaints due to the use of EU users' data to train AI models without their consent. The issue came to light when a user discovered a setting indicating X's use of post data for its Grok AI chatbot. The Irish Data Protection Commission (DPC) expressed "surprise" at this, as GDPR requires explicit consent for such data processing.
Nine complaints have been filed across various EU countries, arguing that X violated GDPR by processing data without a valid legal basis. The DPC has taken legal action against X, but privacy group noyb, who is supporting the complaints, believes these measures are insufficient.
“Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well,”- Max Schrems, Chairman, noyb
They emphasise that users weren't informed about the data usage, making it impossible to opt out initially. The situation highlights concerns over the misuse of personal data under the guise of "legitimate interest" and the broader challenges in ensuring compliance with GDPR for AI systems.
High Speed Two (HS2), the UK body responsible for developing the high-speed rail network, paid £6.2 million to HM Revenue & Customs (HMRC) to settle a breach of the IR35 tax avoidance rules. Originally, HS2 had set aside £10.2 million for this settlement, but the final amount was significantly lower.
The issue arose from a review of HS2's compliance with IR35, which began in May 2022. The review focused on how the organisation adapted to the public sector IR35 reforms introduced in April 2017.
HS2's 2023–24 annual report confirms the review is now complete, and no further provisions are needed. During the last financial year, HS2 employed 339 off-payroll workers, with 94% classified as working within the IR35 rules.
Twelve London businesses were collectively fined £14,012,500 for breaching data protection laws between 2023-2024, highlighting the serious financial and reputational risks of non-compliance.
Hayes Connor, data breach experts, analysed recent Information Commissioner's Office (ICO) data to assess the impact on local businesses.
The fines resulted from 17,366 complaints, revealing major lapses in handling sensitive customer data. The ICO's actions emphasise the importance of robust data protection measures and serve as a warning to London businesses to take GDPR compliance seriously.
“High fines deter businesses from neglecting their data protection obligations. The ICO’s actions demonstrate that non-compliance can lead to substantial financial consequences, encouraging other businesses to prioritise data security...Beyond fines, businesses might face lawsuits from affected individuals, leading to further financial liabilities and legal expenses.”
- Richard Forrest, Legal Director, Hayes Connor
Glencore has been ordered by Swiss authorities to pay approximately $152 million, concluding a four-year investigation into alleged bribery involving a Congolese public official by one of its business partners in 2011.
The settlement includes a $2.4 million fine and a $150 million compensation for the financial gain from the misconduct.
The Swiss Office of the Attorney General closed the investigation, marking the end of publicly known corruption probes into Glencore, which have affected the company's reputation for years. A related Dutch case was also dismissed.
The bribery involved payments made by Glencore's partner to acquire undervalued stakes in two Congolese mining companies.
Although Glencore was held criminally liable for failing to prevent the bribery, the company stated that no employees were aware of the misconduct, and it did not benefit financially. Glencore did not admit to the findings but chose not to appeal the penalty.
The European Union’s AI Act, which took effect on August 1, 2024, is the world’s first comprehensive regulatory framework for artificial intelligence (AI), setting new compliance standards for businesses globally.
“Banks utilising AI technologies categorised as high-risk must now adhere to stringent regulations focusing on system accuracy, robustness and cybersecurity, including registering in an EU database and comprehensive documentation to demonstrate adherence to the AI Act,”
- Shaun Hurst, Principal Regulatory Advisor, Smarsh,
The law is expected to impact industries across the board, requiring companies to reassess and potentially redesign AI products to meet these stringent new standards.
The Act's influence extends beyond the EU, affecting any organisation operating within or selling to the EU market. This has led to increased costs in research, development, and compliance but also presents opportunities for innovation in responsible AI development.
Notably, the financial sector is particularly impacted, as high-risk AI technologies used by banks must now adhere to these strict regulations. Companies, including Unilever, are already implementing frameworks to ensure compliance, recognising the potential for legal risks in rapidly evolving AI technology.
The law's extraterritorial reach underscores its potential to set a global benchmark for AI governance, influencing regulatory approaches in other jurisdictions. Companies must comply by 2026, with some provisions, like those affecting AI models such as ChatGPT, taking effect sooner.
Non-compliance could result in fines of up to 7% of global annual revenue, emphasising the need for organisations to prioritise AI compliance. The AI Act is expected to drive investment in compliance technologies and shape global AI development practices.
PwC has been fined £15 million by the Financial Conduct Authority (FCA) for failing to report suspicions of fraudulent activity at London Capital & Finance (LCF) during its 2016 audit. This marks the first time the FCA has fined an audit firm.
The FCA noted that PwC encountered significant difficulties during the audit, as LCF provided "inaccurate and misleading information," and a senior LCF executive was aggressive towards the auditors.
The complexity of the audit led PwC to suspect possible fraud at LCF, but despite these concerns, the firm did not report them to the FCA as required. Although PwC ultimately deemed LCF's 2016 accounts accurate, the FCA emphasised that PwC was still obligated to report its earlier suspicions.
LCF later went into administration in January 2019 after being ordered by the FCA to withdraw misleading promotional material, leading to substantial losses for investors. The Serious Fraud Office continues to investigate the case.
The FCA acknowledged that PwC's failure to report was not reckless or deliberate and that the firm was not involved in LCF's misconduct. However, by not reporting its concerns, PwC deprived the FCA of potentially critical information. PwC has since settled with the FCA, describing the breach as unintentional.
AIA Group Ltd. has been fined a record HK$23 million ($2.9 million) by Hong Kong's Insurance Authority for shortcomings in its anti-money laundering (AML) processes.
The fine, the largest since the regulator began overseeing insurance companies in 2017, follows an inspection that revealed technical issues with AIA's AML system and algorithm.
These issues led to some "politically exposed persons" not being flagged during the screening process, delaying the identification of their financial sources. However, the regulator noted that no inappropriate policies were sold.
This fine comes amid increased scrutiny of the insurance industry in Hong Kong, especially as business with mainland Chinese clients has surged. Recent regulatory actions also included raids on a licensed broker and a referral company suspected of using unlicensed referrers.
AIA’s shares fell approximately 2.5% in response to the news. The company stated that while the issues identified were technical and no evidence of money laundering or improper client onboarding was found, it is cooperating with the regulator and will submit a report from an independent advisor on the effectiveness of its remedial measures.
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.