This month's key compliance news includes HealthEquity's data breach, a $37m whistleblower payout, Citibank's longstanding failures catching up with them, and more.
Healthcare fintech firm HealthEquity reported a data breach after a partner's account was compromised, allowing hackers to access the company's systems and steal protected health information.
The breach was detected through unusual behaviour from a partner's device, prompting an investigation. This revealed that the compromised account was used to exfiltrate sensitive health data, including personally identifiable information of some members.
HealthEquity is a major provider of health savings accounts (HSAs) and other benefits. It has started notifying affected individuals and is offering free credit monitoring and identity restoration services. Despite the breach, no malware was found on its systems, and business operations remain unaffected.
The company is assessing the incident's impact and response costs but does not anticipate significant effects on its business or financial results.
An Illinois district judge ruled in favour of the U.S. Commodity Futures Trading Commission (CFTC), ordering Sam Ikkurty and his company, Jafia, LLC, to pay over $120 million for operating a Ponzi-like scheme.
Judge Mary Rowland's decision found that Ikkurty and Jafia committed fraud and made material misrepresentations without proper registration. Notably, the ruling classified cryptocurrencies OHM and Klima as commodities, expanding the CFTC's jurisdiction.
The case, initiated by CFTC charges in 2022, involved Ikkurty and Ravishankar Avadhanam soliciting $44 million from at least 170 investors, promising high returns from digital assets but using new investments to pay earlier investors. Avadhanam's case was dismissed in 2023 as part of an agreement with the CFTC.
The Securities and Exchange Commission (SEC) has awarded $37 million to a whistleblower for providing critical information that led to a successful enforcement action. This individual was the initial source who alerted the SEC to previously unknown violations and continued to assist throughout the investigation by supplying valuable supplemental information.
The SEC did not disclose the identity of the whistleblower or the firm involved, maintaining confidentiality. Since the inception of the whistleblower programme, the SEC has awarded nearly $2 billion to whistleblowers, significantly aiding in the detection and prevention of securities violations such as insider trading, accounting fraud, and bribery.
In May 2023, the SEC awarded its largest-ever payout of $279 million, following a tip that led to the recovery of over $4 billion. Established under the Dodd-Frank Act in 2010, the whistleblower programme offers financial incentives to those who report securities law violations, with awards ranging from 10% to 30% of the monetary sanctions collected. The award amount is based on the significance of the information and the level of assistance provided.
ByteDance, the owner of TikTok, has lost a legal challenge against a European Union (EU) decision that prevents the company from favouring its own service over competitors. The EU General Court has dismissed ByteDance's attempt to avoid being labelled a "gatekeeper" under the Digital Markets Act (DMA), which took effect in March.
The gatekeeper designation, which also applies to tech giants like Google, Meta, Apple, Amazon, Microsoft, and Booking.com, prohibits practices such as self-preferencing, combining personal data across services without consent, and preventing users from uninstalling pre-installed applications.
The European Commission estimates compliance will cost 1.41 million euros (US$1.5 million) per platform annually, with potential fines for breaches reaching up to 10% of global turnover or 20% for repeated violations.
TikTok’s monthly active users in the EU increased to 134 million between February and July 2023, up from 125 million. ByteDance, a privately owned company, does not regularly disclose its financials but reported a pre-tax profit growth of 60% to US$40 billion last year.
ByteDance and TikTok have not commented on the ruling but can appeal to the European Court of Justice.
“Although the new rules apply only within the 27-member EU, other democracies could follow suit and write the next chapter of the vaunted ‘Brussels effect’, turning the DMA into a global standard.”
- Bill Echikson, senior fellow at the Centre for European Policy Analysis
The EU maintains strict antitrust laws for Big Tech. Recently, it accused Apple of DMA violations and fined them 1.8 billion euros for impeding other music streaming services, a decision Apple is challenging. Additionally, the EU announced an investigation into TikTok's child-protection measures in February.
US banking giant Citigroup will pay $135.6 million in fines to regulators for failing to address longstanding issues in risk management, compliance, data handling, and internal controls.
The Federal Reserve and the Office of the Comptroller of the Currency (OCC) imposed the fines due to Citigroup's insufficient progress on deficiencies identified in two 2020 enforcement actions. Despite agreeing to remediate these issues, a recent review found that the bank has not made adequate improvements.
Regulators emphasised the need for Citibank to fully address its longstanding deficiencies, particularly regarding data. While acknowledging some progress by the bank's board and management, the Fed warned of further penalties and formal actions if violations continue.
In the King's Speech, the new government confirmed plans to ban exploitative work practices through a new Employment Rights Bill. Prime Minister Keir Starmer's administration aims to improve employment rights and make work more rewarding. The bill will likely include:
Neil Carberry of the Recruitment and Employment Confederation warned against rushed reforms that could harm workers and businesses, advocating for a collaborative approach.
Matt Wrack of the Fire Brigades Union emphasised the need for substantial legislation to deliver on Labour's promises for working people.
TUC General Secretary Paul Nowak expressed hope that the Bill would be transformative for workers, stating that eliminating zero-hours contracts and the practice of firing and rehiring would help level the playing field.
The Federal Reserve Board has fined Green Dot $44 million for deceptive practices and inadequate risk management. The allegations include violations in the marketing and servicing of prepaid debit cards and inadequate disclosure of tax refund processing fees from 2017 to 2022.
Green Dot's CEO, George Gresham, emphasised that the company has taken significant steps to address these past issues, including updates to processes, product packaging, marketing, and compliance programmes. Gresham stated that the company is committed to working with regulators to ensure compliance and protect customers.
The Fed's consent order highlighted Green Dot's misrepresentation of fees on reloadable debit cards and blocking access to accounts for customers receiving unemployment benefits in 2020.
In accordance with the consent order, Green Dot must now hire a third party to review its transaction monitoring, improve board oversight of its compliance risk management, and revise its Bank Secrecy Act/Anti-Money Laundering compliance programme.
This order follows a lawsuit by former employee Dino DiBlasio, who claimed that company leaders misrepresented business performance and were aware of issues leading to the Fed's consent order. Green Dot declined to comment on the lawsuit.
We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.