Compliance News | July 2024

Posted by

Emmeline de Chazal

on 30 Jul 2024


This month's key compliance news includes HealthEquity's data breach, a $37m whistleblower payout, Citibank's longstanding failures catching up with them, and more.

compliance news july 2024

Our pick of key compliance stories this month

HealthEquity data breach exposes sensitive data

Healthcare fintech firm HealthEquity reported a data breach after a partner's account was compromised, allowing hackers to access the company's systems and steal protected health information.

The breach was detected through unusual behaviour from a partner's device, prompting an investigation. This revealed that the compromised account was used to exfiltrate sensitive health data, including personally identifiable information of some members.

HealthEquity is a major provider of health savings accounts (HSAs) and other benefits. It has started notifying affected individuals and is offering free credit monitoring and identity restoration services. Despite the breach, no malware was found on its systems, and business operations remain unaffected.

The company is assessing the incident's impact and response costs but does not anticipate significant effects on its business or financial results.

Data Protection E-learning Course

The CFTC to receive $120m in crypto fraud case

An Illinois district judge ruled in favour of the U.S. Commodity Futures Trading Commission (CFTC), ordering Sam Ikkurty and his company, Jafia, LLC, to pay over $120 million for operating a Ponzi-like scheme.

Judge Mary Rowland's decision found that Ikkurty and Jafia committed fraud and made material misrepresentations without proper registration. Notably, the ruling classified cryptocurrencies OHM and Klima as commodities, expanding the CFTC's jurisdiction.

The case, initiated by CFTC charges in 2022, involved Ikkurty and Ravishankar Avadhanam soliciting $44 million from at least 170 investors, promising high returns from digital assets but using new investments to pay earlier investors. Avadhanam's case was dismissed in 2023 as part of an agreement with the CFTC.

Key takeaways:

  • Ensure proper registration with regulatory bodies: it is vital to register with regulatory bodies like the CFTC when engaging in activities involving commodities, derivatives, or other regulated financial instruments.
  • Avoid fraudulent practices: it is crucial to avoid any form of misrepresentation or fraudulent activities. Transparency and honesty in communications with investors are mandatory.
  • Understand regulatory classification: the classification of cryptocurrencies as commodities, in this case, highlights the importance of understanding regulatory definitions and ensuring compliance with the relevant jurisdiction's requirements.
  • Adhere to legal and ethical standards: regulatory bodies are actively monitoring and enforcing actions to protect investors from fraudulent schemes so it is best practice to strictly comply with regulations and adhere to standards that protect individuals.

Fraud Prevention Training Course

When it pays $37m to blow the whistle

The Securities and Exchange Commission (SEC) has awarded $37 million to a whistleblower for providing critical information that led to a successful enforcement action. This individual was the initial source who alerted the SEC to previously unknown violations and continued to assist throughout the investigation by supplying valuable supplemental information.

The SEC did not disclose the identity of the whistleblower or the firm involved, maintaining confidentiality. Since the inception of the whistleblower programme, the SEC has awarded nearly $2 billion to whistleblowers, significantly aiding in the detection and prevention of securities violations such as insider trading, accounting fraud, and bribery.

In May 2023, the SEC awarded its largest-ever payout of $279 million, following a tip that led to the recovery of over $4 billion. Established under the Dodd-Frank Act in 2010, the whistleblower programme offers financial incentives to those who report securities law violations, with awards ranging from 10% to 30% of the monetary sanctions collected. The award amount is based on the significance of the information and the level of assistance provided.

About SMCR 360 Compliance Toolkit

TikTok can't reverse the EU's 'gatekeeper' decision

ByteDance, the owner of TikTok, has lost a legal challenge against a European Union (EU) decision that prevents the company from favouring its own service over competitors. The EU General Court has dismissed ByteDance's attempt to avoid being labelled a ''gatekeeper" under the Digital Markets Act (DMA), which took effect in March.

The gatekeeper designation, which also applies to tech giants like Google, Meta, Apple, Amazon, Microsoft, and Booking.com, prohibits practices such as self-preferencing, combining personal data across services without consent, and preventing users from uninstalling pre-installed applications.

The European Commission estimates compliance will cost 1.41 million euros (US$1.5 million) per platform annually, with potential fines for breaches reaching up to 10% of global turnover or 20% for repeated violations.

TikTok’s monthly active users in the EU increased to 134 million between February and July 2023, up from 125 million. ByteDance, a privately owned company, does not regularly disclose its financials but reported a pre-tax profit growth of 60% to US$40 billion last year.

ByteDance and TikTok have not commented on the ruling but can appeal to the European Court of Justice.

“Although the new rules apply only within the 27-member EU, other democracies could follow suit and write the next chapter of the vaunted ‘Brussels effect’, turning the DMA into a global standard,”

- Bill Echikson, a senior fellow, Centre for European Policy Analysis

The EU maintains strict antitrust laws for Big Tech. Recently, it accused Apple of DMA violations and fined them 1.8 billion euros for impeding other music streaming services, a decision Apple is challenging. Additionally, the EU announced an investigation into TikTok's child-protection measures in February.

Information Security E-learning Course

Citibank to pay for longstanding compliance issues

US banking giant Citigroup will pay $135.6 million in fines to regulators for failing to address longstanding issues in risk management, compliance, data handling, and internal controls.

The Federal Reserve and the Office of the Comptroller of the Currency (OCC) imposed the fines due to Citigroup's insufficient progress on deficiencies identified in two 2020 enforcement actions. Despite agreeing to remediate these issues, a recent review found that the bank has not made adequate improvements.

Regulators emphasised the need for Citibank to fully address its longstanding deficiencies, particularly regarding data. While acknowledging some progress by the bank's board and management, the Fed warned of further penalties and formal actions if violations continue.

Key takeaways:

  • Commit to remediation: it is important to fully commit to remediation efforts agreed upon in enforcement actions. Simply agreeing to corrective measures is not sufficient; active and timely implementation is essential.
  • Address core deficiencies: persistent issues, especially in critical areas like risk management, compliance, data handling, and internal controls, must be adequately addressed. Failure to do so can result in significant penalties.
  • Employ effective data governance: this is crucial. Regulators highlighted Citibank’s particular weaknesses in data management, underscoring the importance of robust data governance frameworks.

Risk Assessment E-learning Course

Major employment law changes are on the horizon

In the King's Speech, the new government confirmed plans to ban exploitative work practices through a new Employment Rights Bill. Prime Minister Keir Starmer's administration aims to improve employment rights and make work more rewarding. The bill will likely include:

  • Day one rights for unfair dismissal, with a probation period
  • Default flexible working rights from day one
  • Enhanced redundancy protections for those on maternity leave
  • A ban on 'fire and rehire' tactics
  • A ban on exploitative zero-hours contracts
  • Improvements to statutory sick pay and minimum wage
  • Reform on collective redundancy consultations
  • Greater protection for whistleblowers
  • Repeal of the Strikes (Minimum Service Levels) Act
  • Changes to trade union engagement and electronic balloting

    Additionally, the government plans to introduce an Equality (Race and Disability) Bill to ensure equal pay and mandate pay gap reporting for larger employers. They will establish Skills England to partner with employers and reform the apprenticeship levy.

Neil Carberry of the Recruitment and Employment Confederation warned against rushed reforms that could harm workers and businesses, advocating for a collaborative approach.

Matt Wrack of the Fire Brigades Union emphasised the need for substantial legislation to deliver on Labour's promises for working people.

TUC General Secretary Paul Nowak expressed hope that the Bill would be transformative for workers, stating that eliminating zero-hours contracts and the practice of firing and rehiring would help level the playing field.Equality & Diversity in the Workplace Course

Green Dot fined by Fed for deceptive practices

The Federal Reserve Board has fined Green Dot $44 million for deceptive practices and inadequate risk management. The allegations include violations in the marketing and servicing of prepaid debit cards and inadequate disclosure of tax refund processing fees from 2017 to 2022.

Green Dot's CEO, George Gresham, emphasised that the company has taken significant steps to address these past issues, including updates to processes, product packaging, marketing, and compliance programmes. Gresham stated that the company is committed to working with regulators to ensure compliance and protect customers.

The Fed's consent order highlighted Green Dot's misrepresentation of fees on reloadable debit cards and blocking access to accounts for customers receiving unemployment benefits in 2020.

In accordance with the consent order, Green Dot must now hire a third party to review its transaction monitoring, improve board oversight of its compliance risk management, and revise its Bank Secrecy Act/Anti-Money Laundering compliance programme.

This order follows a lawsuit by former employee Dino DiBlasio, who claimed that company leaders misrepresented business performance and were aware of issues leading to the Fed's consent order. Green Dot declined to comment on the lawsuit.

Key takeaways:

  • Manage risk adequately: the deficiency in Green Dot's risk management programme underscores the need for robust internal controls and risk management processes. Regular assessments and updates to these programmes are essential.
  • Ensure regulatory compliance and cooperation: Green Dot's commitment to working closely with regulators demonstrates the importance of cooperation and proactive compliance efforts to address and rectify deficiencies.
  • Account for third-party review requirements: the mandate to hire a third party to review transaction monitoring highlights the importance of independent assessments in identifying and addressing compliance issues.
  • Don't underestimate the power of board oversight: strengthening board oversight of compliance risk management programmes is critical for ensuring effective governance and regulatory compliance.

New call-to-action

Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.

Compliance Bulletin

Compliance Bulletin

Our monthly email provides best practices, expert opinions, industry insights, news and key trends in regulatory compliance training, digital learning, EdTech and RegTech.