Compliance News | September 2024

Posted by Lynne Callister on 26 Sep 2024

This month's key compliance news includes Deere's bribery, Clearview AI's data fine, the fallout from the Slack hack, Nordic AML fines, SMCR woes, and more.

September 2024

Our pick of key compliance stories this month

Deere executives bribed officials with improper gifts

The Illinois-based tractor and heavy machinery manufacturer John Deere has agreed to pay $9.93 million to settle a bribery probe.

According to the SEC, its Thailand subsidiary offered improper gifts to officials at the Royal Thai Air Force, Thailand's Department of Highways and its Department of Rural Roads to secure multiple government contracts.

Between 2017 and 2020, managers and employees at its Wirtgen unit offered bribes in the form of cash, meals, sham consulting fees, and trips to massage parlours. International travel and sightseeing trips to European countries were disguised as "factory visits".

The improper payments were all recorded as legitimate business expenses. The unit made a $4.3mn profit as a result of the bribes. Despite acquiring Wirtgen Thailand in 2017, Deere had failed to integrate it into its compliance and controls environment.

“This action is a reminder for corporations to promptly ensure newly acquired subsidiaries have all the necessary internal accounting control processes in place,”
- Charles E. Cain, Chief of the SEC Enforcement Division's FCPA Unit

Its actions had violated the recordkeeping and internal accounting controls provisions of the Foreign Corrupt Practices Act. However, the regulator acknowledged Deere's cooperation, the termination of those involved in misconduct, and its strengthening of compliance procedures and anti-bribery training.

In a statement, Deere said, "These allegations represent a clear violation of our company policies and ethical standards. They are in direct conflict with our core values - particularly our commitment to integrity - and we strongly condemn such practices."

Key takeaways:

  • Arrange monitoring and oversight of all subsidiaries or associated persons (including agents) acting on your behalf - ensure they sign up to your policies
  • Arrange training - so everyone can spot red flags and is aware of the different forms that bribery can take
  • When acquisitions are made, protect your company's reputation - check for historical breaches and confirm they have the necessary accounting controls and processes in place
  • Get the "tone at the top" right - remember, senior executives are accountable and bear responsibility for setting a good example and role modelling the right behaviour
  • Don't offer anything of value to public officials - including gifts and hospitality. If this is unavoidable, then get approval first from Compliance
  • Keep accurate and proper records - don't try to disguise improper payments as legitimate business expenses. You will be caught!
  • Remember, many anti-bribery laws have extra-territorial reach - meaning we can be prosecuted for bribes paid anywhere in the world.

Recidivist Clearview AI bags a fresh €30.5m fine

US software company Clearview AI has been fined again. This time, it's been handed a €30.5 million fine by the Dutch Data Protection Authority.

Clearview AI shares its facial recognition tools with law enforcement agencies. The Dutch data watchdog accused the company of scraping the internet for images of citizens in the Netherlands and using them to build an "illegal database" without their consent, violating the General Data Protection Regulation (GDPR).

It also claimed that the firm assigned biometric identifiers to faces, which can be used by intelligence agencies in the US.

However, Clearview has hit back, insisting it only operates outside the EU. Its chief legal officer, Jack Mulcaire, argues the penalty is "unlawful, devoid of due process" and "unenforceable".

Clearview has been warned that it faces additional fines of €5 million if it fails to comply. But we have been here before. The company was charged with similar violations in France, Greece, Italy and Austria. Its total unpaid fines in the EU currently stand at €80 million.

Chairman of the Dutch DPA Aleid Wolfsen acknowledged the value of facial recognition technology in fighting crime. But he would prefer this was done by "competent authorities in highly exceptional cases only" rather than commercial companies.

"Facial recognition is a highly intrusive technology, that you cannot simply unleash on anyone in the world. If there is a photo of you on the Internet then you can end up in the database of Clearview and be tracked. This is not a doom scenario from a scary film."

- Aleid Wolfsen, Chairman, Dutch DPA

Key takeaways:

  • Be transparent - establish processes to inform individuals what personal data is collected and why.
  • Meet the data protection principles - ensure there is a valid reason for data processing, and data is not kept for longer than is necessary.
  • Allow individuals to exercise their fundamental rights - for example, the right to access their personal data. So far, Clearview has not cooperated with access requests.
  • Take extra care when processing sensitive data, such as biometric information - as extra provisions and safeguards apply to this kind of data.
  • Be clear about the data protection rules governing privacy by design and international personal data transfers - train your team so they know what is and is not allowed before collection and processing.
  • Check data retention policies and ensure appropriate oversight – for example, is personal data currently processed or stored on servers outside the UK or EU? How long is personal data stored, and what procedures are in place to minimise this? What other options could be explored?
  • If your company strategy does not meet legal obligations, then perhaps it's the wrong strategy?

Slack hack forces Disney to change track

Disney is planning to transition its internal communications from the messaging platform Slack to Microsoft Teams, according to an email sent by its CFO Hugh Johnston.

News of the transition is not surprising. The hacking group called NullBulge breached Disney's internal messages over the summer, gaining access to over 1.1 TB of messages and files. The leaked files were then posted online.

This included data about unreleased projects, code, images, login credentials, links to internal websites and APIs from around 10,000 channels. The NullBulge group is a "hacktivist group protecting artists' rights and ensuring fair compensation for their work".

It claimed that the data came from an insider and subsequently published details of that employee, thought to be in retaliation for cutting off access and communication. It's unclear whether the person actually collaborated or their account was compromised.

Security experts have long warned about the dangers of cloud and software-as-a-service platforms. 

"It is just easier for attackers and holds bigger rewards", Roei Sherman of Mitiga Security told Wired magazine. "Disney will probably be targeted a lot more now by opportunistic threat actors."

News of the transition has sparked discontent among some workers at Disney, who are worried about losing integrations and archived content, and the subsequent impact on productivity.

Slack is owned by Salesforce and popular with many organisations, including Capital One, IBM, Paramount, and Uber.

Nordea to pay NY regulator $35m for AML failures

Nordea Bank will pay $35 million to settle a probe into compliance failures linked to the 2016 Panama Papers leak, according to New York's Department of Financial Services (NYDFS).

It said the bank had failed to tackle deficiencies in its AML regime and conduct proper due diligence on its customers and partners.

Its investigation revealed links between Nordea and illicit money from Russia and Azerbaijan and said that high-risk transactions worth billions of dollars were carried out between 2008 and 2019.

"Deficient AML controls, an unsophisticated transaction monitoring apparatus, and a decentralized global compliance program created a set of circumstances that exposed Nordea's financial channels to a high risk of criminal abuse. Nordea's relationships with U.S. banks imported those risks to the New York financial system," the NYDFS said in a statement.

"International financial entities such as Nordea must safeguard against criminal activity in the global financial system, and for years Nordea failed in these respects."

- Adrienne Harris, NYDFS

Jamie Graham, Nordea's chief compliance officer, acknowledged that historically, the bank had underestimated the complexity and resources needed to tackle financial crime but said €1.5 billion had been invested in AML controls since 2015.

Danske Bank reaches final AML breach settlement

Following investigations in multiple countries over suspected money laundering in its Estonian unit, Danske Bank has now reached a final settlement with French authorities.

The bank will pay €6.3 million, considerably less than the $2 billion it paid in the United States.

In 2018, Danske Bank found itself at the centre of one of the European Union's biggest money laundering scandals. Thousands of suspicious customers were found to have laundered around €200 billion through its now-closed Estonian unit.

In a statement, the lender's senior general counsel, Niels Heering, noted that it marked the end of all investigations related to the non-resident portfolio at its former Estonian unit, adding, "We are pleased to have reached this resolution with the French National Financial Prosecutor."

But as the case concludes for Danske Bank, it is just beginning for another player in the story…

Shock as former Swedbank CEO faces jail

Commentators have expressed shock after Swedbank's former CEO was convicted of "gross swindling" by the Svea Court of Appeal, overturning her previous acquittal in January 2023.

Birgitte Bonnesen was sentenced to 15 months for spreading misleading and financially damaging information about the bank's anti-money laundering operations in the Baltic region.

One expert described the news as "unprecedented". It would make Bonnesen the highest-ranking banker to be jailed for her role in the scandal.

Bonnesen was previously in charge of the bank's Baltic operations. When the scandal at Danske Bank surfaced in 2018, Bonnesen was asked whether Swedbank had problems which were tied to it.

"The court concluded that two of the answers were incorrect or misrepresented facts in a way that they were misleading," said the Presiding Judge Sven Johannisson.

Indeed, Bonnesen had said there were "no suspected money laundering ties to Danske Bank's operations in Estonia" and Swedbank "had gone through everything".

The judge said that these misleading statements had caused financial damage. When Swedish Television published a leaked internal Swedbank report that showed €80 billion passed through its Baltic business from Russia, Swedbank's shares plummeted, causing losses for investors.

The bank was fined SEK 4 billion in 2020 by the Swedish regulator. Bonnesen's severance pay was also cancelled after a report by Clifford Chance found a high risk of money laundering linked to around €37 billion of its transactions.

Swedbank's clients included Russian oligarchs, and some of the money could be traced to the notorious Magnitsky fraud.

"This is an important decision to deter other bank executives from lying and manipulating information. In the past, it was banks that were fined, but the CEOs always walked free. Now every CEO will have to consider their own personal liability before doing something similar."

- Bill Browder

"In my experience, this is an unprecedented outcome and one which should serve as a wake-up call to all senior managers and c-suite executives in regulated firms. Accountability is not just about some words written on a policy document or risk appetite statement but something real, tangible and which carries significant penalties if not delivered responsibly and effectively."

- Graham Barrow, AML expert

Bonnesen has denied the charges and plans to appeal.

TD Bank announces CEO's retirement

Toronto-Dominion Bank has announced the retirement of its CEO, Bharat Masrani, and confirmed the name of his successor - Raymond Chun, its head of Canadian personal and commercial banking.

It's widely believed that the succession has been expedited as the bank battles several probes by US authorities.

A few weeks ago, TD Bank confirmed that it had set aside $2.6 billion to cover expected AML fines and penalties in its US division. Regulators also suspect Chinese crime groups and drug traffickers used the bank to launder the proceeds of US fentanyl sales, with some employees receiving bribes.

In a statement published by the bank, Masrani said:

"The anti-money laundering challenges we face took place on my watch as CEO and I take full responsibility. We have a strong bench of senior leaders and will execute a smooth and seamless CEO transition."

- Bharat Masrani

Separately, TD Bank also agreed to pay a $28 million penalty for credit reporting issues. The Consumer Financial Protection Bureau (CFPB) said the bank intentionally mishandled consumers' credit information, provided false information to consumer reporting companies and had subsequently failed to rectify its failings.

"Rather than treating its customers fairly and following the law, TD Bank's management clearly cared more about growth and expanding its empire through mergers."

Key takeaways:

  • Be clear about your obligations under the SMCR regime and the four Senior Manager Conduct Rules.
  • Take reasonable steps to ensure effective control of your business area - if your business strategy is to enter high-risk areas, then the degree of control and strength of monitoring should also be high.
  • Be sure to assess the impact of that strategy on UK operations if business strategy is determined away from the UK.
  • For Senior Management Functions, ensure an orderly transition and a comprehensive handover to a successor when someone moves on or ceases to perform a function.
  • Comply with regulatory requirements - and avoid giving misleading statements to the media.
  • Ensure delegation of responsibilities is effective and its discharge is overseen effectively - do not accept implausible or unsatisfactory explanations.
  • Be honest and transparent in your disclosures - including to regulators and investors.
  • Ultimately, you will be held accountable for what happens on your watch.

Pregnant worker is awarded £350k compensation

A pregnant worker who was criticised by her boss and referred to as "very emotional and tearful" has had her total compensation increased from £37k to £350k by an employment tribunal.

Nicola Hinds, an account director for Mitie, notified the company of her pregnancy in July 2020. But Mitie failed to carry out a risk assessment. The tribunal said her manager, Nav Kalley, had "limited knowledge or awareness of HR issues, including responsibilities towards their pregnant employees".

In October 2020, Hinds informed account director Nav Kalley and head of operations Karla Harper in an email that she had experienced panic attacks, her sleep was disrupted, and she was "really struggling" with parts of her role. In particular, she was concerned about work-related stress and anxiety and wanted to resolve the situation.

However, in an email to HR, Kalley said Hinds had become "very emotional and tearful", adding that she "is certainly not overworked".

Mitie was already aware of Hinds' work-related stress due to a challenging client relationship. But the situation was handled "ineptly" despite an "obvious and pressing need" for a risk assessment.

Among other things, her manager:

  • Failed to support her use of keeping in touch (KIT) days, in line with its own maternity procedures
  • Failed to deal with the pregnancy in a satisfactory manner due to a lack of communication
  • Did not alter her working conditions or hours of work, redeploy her to a suitable alternative role or suspend her on full pay
  • Failed to complete an adequate 'return to work plan' or check whether additional support would be required.

Hinds resigned in September 2021 and was assessed as unfit for work in January 2022. Employment Judge Tynan said Kalley's comments were "dismissive and belittling" and that he "was stereotyping the claimant as an emotional, hormonal pregnant woman".

Tynan added that by not carrying out a risk assessment, Mitie was "in breach of its duty of care to the claimant, in breach of its statutory obligations in the matter and in contravention of its own documented policy, procedure and guidance".

Hinds was found to be unfairly constructively dismissed.

In its final judgment, the tribunal recommended increasing the award from £37k to £350k after receiving more information from Mitie and factoring in Hinds' loss of earnings.

"Employers should ensure that they not only provide equality and diversity training, but that the training they provide covers the use of stereotypical language. The sum of compensation awarded in this case shows that failing to provide such training could be very costly."

- Ross Spiller, employment solicitor at Mayo Wynne Baxter

Endangered sea snake threatens $30bn project

A $30 billion offshore energy project is under threat after Australia's Department of Climate Change, Energy, the Environment and Water (DCCEEW) added the dusky sea snake to its endangered list.

The newly protected species is unique to the Scott Reef and Browse Basin in Western Australia, where energy giant Woodside is leading a $30 billion project to boost energy security.

However, conservationists are calling on the government to "urgently review all activities for the fossil fuel industry across the Browse Basin", highlighting "known and potential impacts". This also includes threats to Green Turtles and Pygmy Blue Whales.

The question is how to balance the need for energy security with recognised environmental impacts.

“Browse would be an important part of not only WA’s gas supply but making sure we can assist our south-east Asian and north Asian partners to decarbonise their economies through the ongoing supply of gas.”

- Roger Cook, WA Premier

JPMorgan appoints 'wellness' advocate

JPMorgan has appointed Ryland McClendon, its head of diversity and inclusion, to oversee the "wellbeing and success" of its junior bankers.

The news comes just one week after it and Bank of America announced they were capping junior bankers' hours at 80 hours a week amid concerns about overworking across the sector. However, an exception has been made for those working on live deals.

The sector's high-pressure, long-hours culture has been a concern for some time. But banks are facing renewed scrutiny following the tragic deaths of two BoA junior bankers earlier this year. JPMorgan's CEO Jamie Dimon has set out three priorities:

  1. Tracking hours and ensuring they are reported accurately
  2. Educating senior bankers to hand over assignments earlier in the week so junior bankers don't have to work over the weekends to get them done
  3. Consequences for senior bankers who violate the new policies, potentially hitting their bonuses

Time will tell whether these measures actually move the dial or, as cynics say, are merely "surface-level" HR measures to protect banks from the backlash.

Separately, Dimon has also been a high-profile champion of workers returning to the office despite the widely reported benefits of hybrid working.

Dimon's not alone. Amazon has also issued a five-day return-to-office (RTO) mandate, which some employees describe as "going backwards".
