Compliance News | January 2025

Posted by Lynne Callister on 30 Jan 2025


This month's key compliance news includes American Express's fine, outages at Capital One and Citigroup, IT disruption at the British Museum, and more.


Our pick of key compliance stories this month

American Express to pay $230 million

American Express has agreed to pay $230 million to settle claims of aggressive sales tactics relating to sales of credit card and wire transfer services to small business customers.

According to the US Justice Department, from 2014 to 2017 Amex misrepresented card rewards and fees, misrepresented whether credit checks would be run without a customer's consent, and submitted falsified financial information for prospective customers, including overstating their business income.

Amex also deceived its federally insured financial institution by allowing small business customers to acquire its credit cards without the required Employer Identification Numbers (EINs), using "dummy" EINs such as "123456788" when opening small business credit cards in 2015 and early 2016.

These fake EINs were allowed to remain on customer accounts for up to two years. Finally, between 2018 and 2021, Amex employees made false claims about tax benefits when marketing its wire transfer products known as Payroll Rewards and Premium Wire to small business customers, the Justice Department said.

"When financial companies engage in deceptive sales tactics or falsify information to cover up a failure to follow applicable regulations, they threaten the integrity of our financial system. Today’s settlement makes clear that the department will hold accountable those who violate the trust placed in them to follow the rules governing our financial institutions and to be truthful about their business practices."

- Brian M. Boynton, Principal Deputy Assistant Attorney General,
Justice Department’s Civil Division

Key takeaways:

  • Follow the rules - and make sure that disclosures to customers are clear, fair and not misleading.
  • Arrange training for your team - so they understand your products, the key features and benefits and the target audience (i.e. who they are designed for), to prevent mis-selling.
  • Put systems and controls in place - so abusive or aggressive sales practices are quickly identified and prevented.
  • Create the right culture and reinforce your values - so vulnerable customers are not exploited and your team feels able to speak out if they witness wrongdoing or inappropriate behaviour.


Outages & regulatory action hit Capital One

Capital One has restored its services after an outage locked thousands of its customers out of their accounts. The disruption started on 16 January and was the result of a power outage at FIS Global, a third-party vendor responsible for payment processing and deposits.

Posting on social media, it confirmed, "We've made substantial progress resolving our third-party vendor issue. Full account functionality has been restored for most customers, and are completing work to restore full service to all customers as soon as possible. We recognise the frustration this issue has caused, and we sincerely apologise to our valued customers."

Capital One confirmed that all its services were fully restored on 19 January. It apologised for the frustrating experience and asked customers to check their accounts online.

The outage caused serious disruption for Capital One customers, who could not access vital account services, such as deposits and payment processing. Some took to social media to share their frustration at being unable to pay bills or access their money.

Capital One wasn't the only bank with technical problems. The same week, Citibank's mobile app suffered an outage, with customers reporting problems with fraud alerts, lengthy waits for calls to its fraud department and trouble accessing the app.

These incidents highlight how fragile banks' infrastructure can be and how much service delivery now depends on third-party vendors: the Capital One outage was a vendor's power failure, not a fault in the bank's own systems. Service interruptions cost Global 2000 companies around $400 billion a year, according to PYMNTS Intelligence.

"Outages are not rare in the financial industry. Banks and payment processors use complicated computer systems, and sometimes they break down. They most often occur due to a bungled software update or a failure in a critical part of the infrastructure. Most institutions have backup plans to minimise disruptions, but sometimes outages still occur. Longer disruptions could very well be caused by hacking attempts meant to crash a bank’s systems."

- Phillip Parker, CardPaymentOptions.com, Founder

Separately, Capital One is being sued by the Consumer Financial Protection Bureau (CFPB), which claims the bank promoted its "360 Savings" account as offering one of the nation's "highest" interest rates while quietly offering a near-identical "360 Performance Savings" account paying, at times, more than 14 times as much.

"The CFPB is suing Capital One for cheating families out of billions of dollars on their savings accounts. Banks should not be baiting people with promises they can't live up to."

-Rohit Chopra, Director, CFPB

Key takeaways:

  • Conduct an audit of the current landscape - to identify critical third parties. This may include technology or outsourcing services (such as cloud providers, IT infrastructure firms, or data analytics services).
  • Be sure to communicate the expected standards to third parties - including on ICT risk management, incident reporting and cybersecurity. Firms need to demonstrate robust security and resilience mechanisms and comply with service level agreements (SLAs).
  • Check your obligations under the UK's new Critical Third Parties (CTPs) regime, in force from 1 January 2025, and the operational resilience rules, whose transition period ends on 31 March 2025. These sit alongside the EU's Digital Operational Resilience Act (DORA), which applies from 17 January 2025, and are designed to manage the systemic risk that certain providers pose to the UK financial sector. Among other things, the CTP regime requires designated technology providers to notify regulators of planned technology change projects, resourcing challenges, cyber incidents and outages.
  • Review all contracts with third parties - to ensure compliance with DORA, including provisions for incident response, data protection and operational continuity.
  • Check cross-border implications - establishing resilience and cybersecurity measures that comply with DORA and meet the regulatory requirements across the entire region.
  • Arrange adequate monitoring and oversight - to ensure third parties meet the stringent operational resilience requirements of DORA and associated regulations.


British Museum closes after security incident

The British Museum was forced to close some of its galleries last week after a security incident disrupted some of its core IT systems.

The museum's ticketing systems were taken offline, resulting in the closure of special exhibitions on the history of the Silk Road trading network connecting Asia and Europe and Pablo Picasso's prints.

A spokesperson for the British Museum said, "An IT contractor who was dismissed last week trespassed into the museum and shut down several of our systems. Police attended, and he was arrested at the scene."

"We are working hard to get the museum back to being fully operational but with regret our temporary exhibitions have been closed today (January 25) and will remain so over the weekend – ticket holders have been alerted and refunds offered."

All of its exhibitions and facilities have since reopened, and a man in his fifties was arrested on suspicion of burglary and criminal damage. Last year, the British Museum was warned to tighten security after hundreds of artefacts were stolen and offered for sale online allegedly by a former senior curator.

Computer Weekly is warning businesses to be alert to the threat posed by insiders, whose actions can have a wide-ranging impact and be costly. According to IBM's 2024 Cost of a Data Breach report, breaches caused by malicious insiders were the most expensive type, averaging about $4.99m (roughly £4m) to recover from.

Key takeaways:

  • Conduct robust due diligence on all prospects and partners, including employees, contractors and third-party vendors - prior to engagement, following up on any references.
  • Assess the security threats posed by insiders - including identifying when your company may be most vulnerable (e.g., when contractors are let go, at the end of a contract, or are disgruntled about a grievance) and how to mitigate them (i.e., by limiting or withdrawing access quickly).
  • Be vigilant - remember, an insider can be harder to detect than an external attacker, because they already hold legitimate credentials and may behave like any other user until they strike. Pair behavioural signals (mood changes, signs of stress, unusual secrecy) with technical ones such as access at unusual hours, bulk downloads, or logins after a contract has ended.
  • Only grant access to systems, networks, data and proprietary information on a 'need to know' basis - limit access strictly to what is required to do the job, and no more.
  • Ensure access to critical systems and information is promptly terminated when someone leaves or changes roles - to protect your systems and data from malicious attack or sabotage.
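The last three takeaways describe a control rather than a policy: compare what the identity provider still allows against what HR says a person is entitled to, and close the gap quickly. The script below is an added example written for this article, not code from the British Museum or any vendor it uses; the HR and IdP record layouts, the group and role names, and the people in the sample data are all constructed. It flags enabled accounts whose owner has been terminated, whose contract end date has passed, who has no HR record at all (orphaned service accounts), or who has moved role but kept groups the new role does not need, and lists holders of critical groups first.

```python
"""Joiner-mover-leaver reconciliation: find identities that still hold access
after HR says they have left, their contract has ended, or they changed role.

Added example for this article, not code from the British Museum or any named
vendor. Record layouts, group names, roles and the people in SAMPLE_HR and
SAMPLE_ACCOUNTS are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed for the example: groups whose retention after an exit is treated as
# highest priority. In practice this comes from your own asset inventory.
CRITICAL_GROUPS = {"ticketing-admins", "domain-admins", "building-mgmt-ot"}

# Assumed for the example: the groups each HR role is entitled to ("need to
# know"). Anything outside this set is excess access.
ROLE_GROUPS = {
    "it-contractor": {"ticketing-admins", "vpn-users"},
    "front-of-house": {"pos-users"},
}


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    worker_type: str            # "employee" or "contractor"
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # termination date or contract end, if known
    role: str


@dataclass(frozen=True)
class IdpAccount:
    username: str
    person_id: Optional[str]    # None if the account is not linked to HR
    enabled: bool
    groups: frozenset[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    groups: tuple[str, ...]     # the groups that should be withdrawn
    critical: bool              # any of those groups is in CRITICAL_GROUPS


def reconcile(hr: list[HrRecord], accounts: list[IdpAccount], as_of: date,
              grace_days: int = 0) -> list[Finding]:
    """Compare enabled IdP accounts against HR truth; critical findings first."""
    by_id = {r.person_id: r for r in hr}
    findings: list[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                # already cut off
        rec = by_id.get(acct.person_id) if acct.person_id else None
        if rec is None:
            reason, to_remove = "enabled account with no HR record", acct.groups
        elif rec.status == "terminated":
            reason, to_remove = f"HR status terminated on {rec.end_date}", acct.groups
        elif rec.end_date is not None and (as_of - rec.end_date).days > grace_days:
            reason, to_remove = f"{rec.worker_type} end date {rec.end_date} has passed", acct.groups
        else:
            # Mover check: groups the current role is not entitled to
            to_remove = acct.groups - ROLE_GROUPS.get(rec.role, set())
            if not to_remove:
                continue                            # access matches role
            reason = f"holds groups outside role '{rec.role}'"
        groups = tuple(sorted(to_remove))
        findings.append(Finding(acct.username, reason, groups,
                                bool(to_remove & CRITICAL_GROUPS)))
    findings.sort(key=lambda f: (not f.critical, f.username))
    return findings


# Constructed sample data (not real people, not real accounts).
AS_OF = date(2025, 1, 25)
SAMPLE_HR = [
    HrRecord("P001", "contractor", "terminated", date(2025, 1, 17), "it-contractor"),
    HrRecord("P002", "employee", "active", None, "front-of-house"),
    HrRecord("P003", "contractor", "active", date(2024, 12, 31), "it-contractor"),
    HrRecord("P004", "employee", "active", None, "front-of-house"),  # moved from IT
]
SAMPLE_ACCOUNTS = [
    IdpAccount("ext.jdoe", "P001", True, frozenset({"ticketing-admins", "vpn-users"}), date(2025, 1, 16)),
    IdpAccount("asmith", "P002", True, frozenset({"pos-users"}), date(2025, 1, 24)),
    IdpAccount("ext.bkhan", "P003", True, frozenset({"vpn-users"}), date(2024, 12, 20)),
    IdpAccount("svc-legacy", None, True, frozenset({"domain-admins"}), None),
    IdpAccount("ext.old", "P001", False, frozenset({"vpn-users"}), None),  # already disabled
    IdpAccount("cwong", "P004", True, frozenset({"pos-users", "domain-admins"}), date(2025, 1, 24)),
]


def main() -> None:
    for f in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, as_of=AS_OF):
        flag = "CRITICAL" if f.critical else "review"
        print(f"{flag:8} {f.username:12} {f.reason}; withdraw {', '.join(f.groups)}")


if __name__ == "__main__":
    main()
```

Run it daily against exports from your HR system and identity provider rather than waiting for a manual leaver ticket. The `grace_days` parameter exists for the real-world case where HR records a contract end a few days late; it should be zero for anyone dismissed for cause, where access needs to go before the person has left the building.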


Headache? Pfizer pays $60m to resolve allegations

Pfizer has agreed to pay about $60 million to resolve allegations that, before Pfizer acquired it, its subsidiary Biohaven paid kickbacks to healthcare providers to prescribe Biohaven's migraine drug Nurtec ODT, resulting in false claims to Medicare and other federal healthcare programmes.

The US Department of Justice said that between March 2020 and September 2022, Biohaven paid improper remuneration, such as meals at high-end restaurants and offered speaker opportunities to healthcare professionals in order to induce them to prescribe the migraine medication Nurtec ODT.

Some prescribers attended multiple programmes on the same topic where there was no benefit in doing so, and some Biohaven speaker programmes were attended by those with no educational need to attend, such as speakers' spouses, family members, friends or colleagues from the same practice.

This continued until October 2022, when Biohaven was acquired by Pfizer, and the speaker programme was terminated.

"Patients deserve to know that their doctor is prescribing medications based on their doctor's medical judgment, and not as a result of financial incentives from pharmaceutical companies. This settlement reflects our commitment to hold those who violate the laws accountable, regardless of their status or prestige."

-Trini E. Ross, U.S. Attorney for the Western District of New York

Key takeaways:

  • Bribes can take different forms - so train employees to spot red flags, including lavish or frequent gifts, hospitality at high-end restaurants, kickbacks, etc.
  • Conduct proportionate due diligence - ensure checks are made on employees, partners, consultants, intermediaries and third parties, especially prior to acquisition, so there are no nasty surprises!
  • Arrange adequate supervision and oversight - so there is scrutiny of documentation and sign-off of payments at an executive level.
  • Remember, bribery is not a victimless crime - the real victims are patients and taxpayers who ultimately end up paying more because of bribery. The costs of bribes are often met by them, via exorbitant prices.


Keltbray ordered to pay £18m cover bidding fine

Keltbray has been ordered to pay £18m for its role in a demolition bid-rigging scandal, after an unsuccessful appeal.

It follows an earlier investigation by the Competition and Markets Authority (CMA), where penalties were imposed on Keltbray and nine other construction firms totalling £60 million for illegally colluding to rig bids for demolition and asbestos removal contracts between 2013 and 2018.

Those contracts related to both public and private sector projects, including Bow Street Magistrates Court, the Metropolitan Police training centre in Hendon, Selfridges (London), properties belonging to Oxford and Coventry Universities, as well as shopping centres in Reading and Taplow.

Keltbray admitted eight infringements at the time but appealed, claiming the CMA's penalty was not appropriate on three grounds:

  1. It made an error calculating Keltbray's revenue and should have used tender values instead
  2. It did not distinguish between "highly complex demolition services" from "general demolition services" in its penalty calculation
  3. The £20m figure was excessive.

The CMA's original £20m penalty had been reduced to £16m because Keltbray settled and cooperated with the regulator. On appeal, the Competition Appeal Tribunal (CAT) set the penalty at £18m, removing the discount Keltbray had received for settling.

"We are pleased that the Competition Appeal Tribunal has increased the penalty Keltbray has to pay from £16 million to £18 million for their part in illegal bid-rigging in the form of cover bidding. The CAT agreed that, having appealed, Keltbray should lose the discount it received for settling. The CAT's judgment confirms that companies will be held to their agreements – companies which settle cannot take the CMA to court and expect to retain their discounts. Today's decision should act as a reminder that the CMA will not tolerate unlawful conduct which harms competition and can keep prices up at the expense of businesses and taxpayers."

- Juliette Enser, Competition and Markets Authority

Separately, three of Keltbray's former site managers are accused of receiving thousands of pounds in bribes linked to construction projects. Arben Hysa, owner of Tony Demolition Workers (TDW) Ltd, faces six counts of bribery.

The court heard that Keltbray paid TDW over £15m over ten years for supplying workers on projects, including the redevelopment of Battersea Power Station. The prosecution claims that Hysa made payments to ensure TDW workers were selected for various projects.

"These were bribes, paid to influence the site managers in their involvement in the process of choosing and keeping workers so that TDW workers would be chosen and kept in preference to the workers of other agencies. You should not be making secret payments of large sums of money to the employees of the company they supply."

All of them deny the charges, and the case is expected to last until mid-February.


Toyota's Hino Motors settles emissions scandal

Toyota subsidiary Hino Motors has pleaded guilty to deceiving US regulators and the public about excess diesel engine emissions and has agreed to pay around $1.6 billion. It is also barred from importing its diesel engines into the US for five years. Hino was charged with selling around 105,000 non-compliant engines in the US between 2010 and 2022.

"Hino Motors engaged in a years-long scheme to alter and fabricate emissions data in order to get a leg up over its competitors and boost their bottom line. To further this fraudulent scheme, Hino violated laws and regulations intended to protect Americans' health and the environment."

-Christopher Wray, Director, FBI

The US Environmental Protection Agency said that Hino admitted submitting false applications for engine certification approvals, altering emission test data, conducting tests improperly and fabricating the data without any tests at all between 2010 and 2019.

The resolution, which includes a criminal penalty of $521.76 million, $442.5 million in civil penalties to US authorities and $236.5 million to California, is still awaiting court approval.

"We deeply apologise for the inconvenience caused to our customers and stakeholders. In order to prevent a recurrence of this kind of issue, we have implemented company-wide reforms, including meaningful improvements to our internal culture, oversight, and compliance practices."

-Satoshi Ogiso, CEO, Hino

Numerous carmakers, including Volkswagen and Daimler, have paid billions in fines following the dieselgate emissions scandal and have admitted falsifying emissions tests using "cheat devices" and software in vehicles worldwide.


Visa & Mastercard accused of "turning a blind eye"

Visa and Mastercard are accused of not doing enough to stop their payment networks from processing the proceeds of child sexual abuse and sex trafficking, according to a whistleblower complaint filed with the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) and reported by Reuters.

The complaint, filed by a senior compliance expert in the credit card and banking industry, said Mastercard and Visa had been aware since 2021 that their networks were being used to pay for illegal content on the OnlyFans website, and accused the card companies of "turning a blind eye to flows of illicit revenue".

In the complaint, which was filed in 2023, the whistleblower and anti-trafficking experts said they'd alerted the card companies to unlawful content on the OnlyFans website in 2021 and 2022.

It also pointed out that a "high volume" of OnlyFans accounts had "common indicators" of child sexual abuse and sex trafficking.

The complaint accused the card companies of "directly handling the proceeds of these illicit transactions" when payments are processed and said they had "wilfully failed" to maintain effective anti-money laundering programmes despite having "the power to turn off the switch".

The whistleblower is now urging the federal agencies to act. Visa said, "We explicitly and unequivocally prohibit illegal activity on our network and condemn all forms of sexual abuse. We maintain robust compliance requirements for the financial institutions and merchants who submit transactions to the Visa network. Those unable to comply with our requirements will be terminated from our network."

In an email, Mastercard said that it had a "zero tolerance for illegal activity on our network" but "no evidence of current illegal activity has been provided to us".

OnlyFans previously announced a ban on sexual content in 2021 following requests from banking partners and companies handling financial transactions.

But this decision was reversed after objections by some creators and users, in a move that was widely condemned by those tackling exploitation.

"OnlyFans has chosen to continue its exploitation despite knowing that it will face increasing criminal scrutiny over reports of filmed child sexual abuse, sex trafficking and other non-consensually recorded sex acts being sold on its website."


Experts call for transparency as AI projects dropped

At least half a dozen AI prototypes aimed at increasing the efficiency of the welfare system have been dropped or shut down, according to freedom of information (FoI) requests.

AI pilots to enhance staff training, improve service in jobcentres, speed up disability benefit payments and modernise communications have not been progressed.

  • A-cubed was designed to help staff support jobseekers into work.
  • Aigent was expected to accelerate personal independence payments to people with disabilities.

Officials admit that there are challenges in ensuring AI systems are "scalable, reliable [and] thoroughly tested", and there have been "frustrations and false starts".

"Unsuccessful pilots and trials aren't necessarily a cause for concern, as they offer an opportunity to improve, but these failures raise important questions for the government's approach to AI in the public sector. Are the right lessons being learned and acted upon, and does the reality of AI match the rhetoric?"

-Imogen Parker, Ada Lovelace Institute

To date, no information on the AI used in the DWP's welfare system has been disclosed on the government algorithm transparency register, despite this being a requirement for almost a year.

"It's encouraging that the public sector isn't taking a rigid or dogmatic approach to AI, particularly in welfare, where the risks of amplifying inequalities and causing real injustice are significant," continued Parker. "Yet a lack of transparency remains a critical issue … [It] should not depend on journalistic investigation – openness, evaluation, and learning must be central to the government's strategy."

Concerns have grown, following last month's reports of bias based on people's age, disability, marital status and nationality in an AI system being used to detect UK benefits fraud. A machine learning program being used to vet claims for universal credit applications incorrectly selected people from certain groups more than others when deciding who to investigate for possible fraud.

"It is clear that in a vast majority of cases the DWP did not assess whether their automated processes risked unfairly targeting marginalised groups. DWP must put an end to this 'hurt first, fix later' approach and stop rolling out tools when it is not able to properly understand the risk of harm they represent."

-Caroline Selman, Public Law Project

There's also concern about mass biometric surveillance following a disclosure that the Home Office is seeking bids for a £20m facial recognition software contract.

Peter Kyle, the Secretary of State for Science and Technology, said the public sector "hasn't taken seriously enough the need to be transparent in the way that the government uses algorithms".

Currently, around 55 automated tools are being used by public authorities but, despite this, only nine are listed on the government's official register.

"Our AI tool does not replace human judgment, and a caseworker will always look at all available information to make a decision. We are taking bold and decisive action to tackle benefit fraud – our fraud and error bill will enable more efficient and effective investigations to identify criminals exploiting the benefits system faster,"

- DWP spokesperson.

Elsewhere, Apple has suspended its AI-generated news alerts after repeated mistakes in its summaries of news headlines. The alert feature inaccurately summarised news reports from the BBC, Sky News, New York Times and Washington Post. In one case, it falsely claimed that Luigi Mangione, the man accused of killing UnitedHealthcare CEO Brian Thompson, had shot himself.

Whilst there are kudos for being the first to release new features, Jonathan Bright, head of AI for public services at the Alan Turing Institute, cautions:

"Hallucinations - where an AI model makes things up - are a real concern and as yet firms don't have a way of systematically guaranteeing that AI models will never hallucinate, apart from human oversight. As well as misinforming the public, such hallucinations have the potential to further damage trust in the news media."

Key takeaways:

  • Don't accept AI-generated content at face value - verify it using reliable, trusted sources.
  • Be clear about the risks - for example, of bias, hallucination, misinformation, privacy and security concerns, and so on.
  • Ensure proper human oversight of AI-driven decisions - so certain groups are not treated unfairly or discriminated against.
  • Be transparent about your use of AI - label all AI-generated content and notify people when decisions are made using AI so they can make informed choices.
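The DWP story above is about an automated tool that referred people from some groups for investigation more often than others. A check for that is mechanical enough to automate, and the code below is an added example for this article, not the DWP's own system or data. It takes row-level referral outcomes (group, whether the person was referred, whether the investigation confirmed fraud; all constructed here), computes each group's referral rate and referral precision, and compares both with the best-treated group, using the four-fifths rule from employment selection as an assumed threshold.

```python
"""Disparity audit for an automated fraud-referral tool.

Added example for this article, not the DWP's code or its data. The rows in
SAMPLE_ROWS are constructed so the effect is visible; the group labels are
placeholders, not real protected characteristics."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

# Assumed for the example: the "four-fifths" convention from employment
# selection, applied both to referral burden and to referral precision.
FOUR_FIFTHS = 0.8


def audit_referrals(rows: Iterable[dict], threshold: float = FOUR_FIFTHS) -> dict[str, dict]:
    """Per-group referral rate and precision, each compared with the best-treated group.

    A row is {"group": str, "referred": bool, "confirmed": bool}; "confirmed"
    means an investigation actually found fraud. A group is flagged when it is
    referred disproportionately often AND those referrals are disproportionately
    unproductive: the signature of a tool spending investigations on a group
    without finding more fraud there.
    """
    counts: dict[str, dict[str, int]] = defaultdict(
        lambda: {"n": 0, "referred": 0, "confirmed": 0})
    for row in rows:
        c = counts[row["group"]]
        c["n"] += 1
        if row["referred"]:
            c["referred"] += 1
            if row["confirmed"]:
                c["confirmed"] += 1

    stats: dict[str, dict] = {}
    for group, c in counts.items():
        rate = c["referred"] / c["n"]
        precision = c["confirmed"] / c["referred"] if c["referred"] else None
        stats[group] = {"n": c["n"], "referral_rate": rate, "precision": precision}

    lowest_rate = min(s["referral_rate"] for s in stats.values())
    precisions = [s["precision"] for s in stats.values() if s["precision"] is not None]
    best_precision = max(precisions) if precisions else 0.0
    for s in stats.values():
        # 1.0 means parity with the least-referred group; smaller means more burden
        s["rate_ratio"] = lowest_rate / s["referral_rate"] if s["referral_rate"] else 1.0
        # 1.0 means this group's referrals are as productive as the best group's
        s["precision_ratio"] = (s["precision"] / best_precision
                                if s["precision"] is not None and best_precision else 1.0)
        s["flag"] = s["rate_ratio"] < threshold and s["precision_ratio"] < threshold
    return stats


def expand(group: str, n: int, referred: int, confirmed: int) -> list[dict]:
    """Build n row-level records for one group from aggregate counts (constructed data)."""
    rows = [{"group": group, "referred": True, "confirmed": i < confirmed}
            for i in range(referred)]
    rows += [{"group": group, "referred": False, "confirmed": False}
             for _ in range(n - referred)]
    return rows


# Constructed: groups A and C are referred 5% of the time and 60% of their
# referrals confirm fraud; group B is referred 12% of the time but only 25%
# confirm. Confirmed fraud is 3% of every group, so B's extra referrals find
# nothing and are pure cost to honest claimants.
SAMPLE_ROWS = (expand("A", 1000, 50, 30)
               + expand("B", 1000, 120, 30)
               + expand("C", 500, 25, 15))


def main() -> None:
    for group, s in sorted(audit_referrals(SAMPLE_ROWS).items()):
        print(f"{group}: n={s['n']:5d} referral={s['referral_rate']:.3f} "
              f"precision={s['precision']:.2f} rate_ratio={s['rate_ratio']:.2f} "
              f"precision_ratio={s['precision_ratio']:.2f} flag={s['flag']}")


if __name__ == "__main__":
    main()
```

The two ratios matter together. A group can be referred more often because fraud really is more common in it, in which case its precision will be similar to everyone else's and the tool is not flagged. What the check catches is the pattern in group B: more referrals, the same amount of confirmed fraud, so every extra referral is an investigation imposed on an honest claimant. Run it on every model release and on each quarter of production outcomes, and treat a flag as a reason to pause the rollout rather than a statistic to file.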


FTC bans GM from sharing driver location & data

General Motors (GM) and OnStar LLC have been banned from disclosing customers' sensitive geolocation and driver behaviour data to consumer reporting agencies for five years, under an order by the Federal Trade Commission.

GM and OnStar must also give consumers greater transparency and choice over how their connected vehicle data is used. It's the FTC's first action related to connected vehicle data.

The FTC acted after allegations that GM and OnStar collected, used and sold geolocation data and driver behaviour information from millions of vehicles - potentially affecting insurance rates - without notifying consumers or obtaining affirmative consent.

When customers bought a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature to assess their driving habits. But the enrolment process was confusing, resulting in some customers being unaware that they had even signed up.

The FTC also claimed that GM failed to disclose what information was collected through the Smart Driver feature, or that their geolocation and driver behaviour data - such as instances of hard braking, late night driving and speeding - would be shared with consumer reporting agencies.

This sensitive information was then used by insurance companies to set rates and deny insurance.

"GM monitored and sold people's precise geolocation data and driver behavior information, sometimes as often as every three seconds. With this action, the FTC is safeguarding Americans' privacy and protecting people from unchecked surveillance."

- Lina M. Khan, FTC Chair

Geolocation data can reveal intimate details about someone's life, including whether they visited hospital, and their daily routine.

Under the proposed order, GM and OnStar must not disclose driver data to consumer reporting agencies. They must obtain affirmative consent prior to data collection, allow consumers to obtain and delete their data, and to opt out and limit data collection from their vehicles.


Broker fined £289k for money laundering failures

Inter-dealer broker Arian Financial LLP has been fined £289k by the UK's Financial Conduct Authority (FCA) for financial crime failings.

The FCA said that Arian had failed to implement adequate systems and controls to combat financial crime, putting it at risk of being used to support fraudulent trading and money laundering on behalf of clients of the Solo Group.

Arian executed purported over-the-counter equity trades of around £37 billion and £15 billion in Danish and Belgian equities on behalf of the Solo Group's clients, receiving commission of over £500k.

However, according to the FCA, this trading was circular and highly suggestive of financial crime, appearing to have been carried out to allow the arranging of withholding tax reclaims in Denmark and Belgium.

Solo clients were offshore companies, including British Virgin Islands and Cayman Islands incorporated entities, together with a number of individual US 401(k) pension plans, all previously unknown to Arian and introduced to it by the Solo Group.

In 2014 and 2015, the Solo Group made withholding tax reclaims of £899.27m and £188m to the Danish and Belgian authorities respectively, of which £845.9m and £42.33m were paid.

The regulator said Arian's actions breached Principles 2 and 3 of the FCA's Principles for Business.

"Arian failed to identify red flags which ought to have been obvious. The controls… are an important line of defence against our financial system being abused for criminal ends. Arian's fell short of what we expect. We are pleased that the Tribunal recognised the seriousness of Arian's misconduct."

-Steve Smart, Joint Executive Director of Enforcement and Market Oversight, FCA

It's the seventh case brought by the UK regulator in relation to cum-ex trading and withholding tax schemes. So far, it has imposed fines of over £22m.


Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Compliance Bulletin

Our monthly email provides best practices, expert opinions, industry insights, news and key trends in regulatory compliance training, digital learning, EdTech and RegTech.