Fines impact more on smaller businesses. We've examined FCA & ICO penalties that led to business liquidations to help you avoid the same mistakes.
Businesses of all sizes can rack up hefty fines by falling short on compliance issues, often unintentionally. These fines are most crippling to smaller businesses, many of which can sadly end up in liquidation as a result.
The disparity in the impact on small and large businesses was highlighted when we examined data from 75 fines imposed between 2020 and 2023 by the UK Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA).
Over a quarter (26%) of micro and small businesses fined by either governing body are now in liquidation. Of these, a third (33%) are in compulsory liquidation. A further 2% subsequently fell into administration.
By comparison, just 6% of medium to large businesses, which have much higher turnovers, ended in liquidation, all of which were voluntary. The average fine suffered by businesses of all sizes was £130,000.
Even companies with well-trained staff and thorough compliance processes may get caught off guard. Compliance is an ongoing process, and proactive measures can significantly reduce the risk of fines and legal issues.
Compliance guidelines regularly change, which can catch businesses out.
Government websites and industry associations are good resources for keeping up to date with industry regulations and policy changes.
You could also subscribe to newsletters, watch webinars, attend workshops or engage with peers.
Prevention is always better than cure. Conduct regular internal compliance audits to identify potential issues. Then, they can be addressed promptly, and necessary adjustments to processes and procedures can be made to prevent breaches.
Keeping detailed records of your compliance efforts is important as it can serve as evidence in case of a regulatory audit. Implementing a system for employees to report potential compliance issues without fear of retaliation is also important, as it will allow for a prompt resolution before anything escalates.
Educate your employees about the compliance requirements most relevant to your industry, which can help prevent accidental breaches. It also shows regulators that you have tried to address potential issues should the worst happen.
Formal compliance training also ensures consistency and helps eradicate misperceptions passed on by existing employees to newer members of staff.
Encourage staff to report potential non-compliance so that you can act upon it.
Even larger businesses may struggle with the volume of activity needed to maintain compliance, whilst smaller businesses may lack dedicated resources.
Compliance management software can help automate repetitive tasks and streamline processes. In that way, fewer issues fall through the cracks, and human errors are reduced to ensure consistent adherence to regulations.
The FCA and ICO fines offer some simple lessons that can help you avoid making similar mistakes and risk fines that could threaten your business's survival.
Breaches of PRIN 2 & PRIN 3
The FCA fined Bastion Capital London Ltd £2,452,700 for serious financial crime control failings relating to cum-ex trading. Upon investigation, the FCA found that the company failed to manage any risk of being used for fraudulent trading and money laundering.
Bastion, now in liquidation, facilitated over £70 billion in "cum-ex trades" of Belgian and Danish stock on behalf of the hedge fund Solo Group's clients. Upon investigation, the FCA found that between January 2014 and September 2015, Bastion executed trades that were highly suggestive of financial crime.
Bastion failed to take note of or ignored the red flags regarding these trades, which appeared to have no economic purpose other than to transfer funds from the Solo Group's controller to their business associates. The FCA stated that the company should have considered financial crime risks when onboarding the Solo Group clients and executing the trades.
Breaches of Principles 3, 7 & 9
The FCA fined Pembrokeshire Mortgage Centre Limited (PMC) £2.4m for unsuitable advice to consumers to transfer out of the British Steel Pension Scheme (BSPS) and other defined benefit (DB) pension schemes.
The FCA's official stance is that most consumers should retain the guaranteed income a DB pension provides. However, it was found that PMC advised almost 400 persons, almost two-thirds of whom were BSPS members, to transfer out of their DB scheme.
Many of the customers advised were in a vulnerable position due to the uncertainty surrounding the future of BSPS and the short period they had to make a decision. However, they did not receive the quality of advice required to make an informed decision. PMC was found to have pocketed over £2m in transfer and ongoing advice fees.
Breaches of PRIN 2 & PRIN 3
The FCA fined The TJM Partnership Limited £2m for financial crime control failings. TJM did not have adequate systems and controls to identify and mitigate the risk of being used to facilitate fraudulent trading and money laundering. In addition to this, TJM failed to apply its anti-money laundering policies properly.
Trading executed on behalf of Solo Group's clients was conducted in a circular pattern characteristic of financial crime. The firm failed to identify any financial crime concerns or money laundering risks related to Solo Group.
Breaches of PRIN 6 & 3
The FCA fined TFS Loans Limited (in administration) £812k for deficient affordability checks on over 3k guarantors in its consumer credit business. In addition to this fine, the FCA has required TFS to redress the harmed guarantors.
TFS' failure to gather appropriate information on guarantors' financial circumstances led to some guarantors being unable to afford the guarantees they had entered into. Upon investigation, the FCA found that TFS failed to treat their customers fairly or to take reasonable action in organising their affairs responsibly.
"Friends and family members who agree to act as a guarantor for a loved one should feel confident that the lender will treat them fairly. The FCA's affordability rules protect both consumer credit borrowers and guarantors from unaffordable risks. These requirements are high priority areas for the FCA especially as families face overall increases to their cost of living." - Mark Steward, Enforcement and Market Oversight, FCA
Breaches of PRIN 1 & Section 20
The regulator found that the company had breached Principle 1 of the FCA Principles for Business regarding integrity by acting dishonestly and recklessly concerning pension advice. Further, the firm breached Section 20 by advising on Pension Transfers without the relevant permission.
The firm's reckless actions involved adopting and using a Pension Review and Advice Process, which outsourced functions without adequate supervision.
It was judged obvious that the involvement of a third party (Hennessy Jones), which had a material financial interest in the bond within which customer funds would be invested, created a clear conflict of interest.
Breach of regulations 21 & 24 of the PECR
The ICO fined Lampeter-based Home2Sense £200,000 for making over half a million unsolicited marketing calls.
The home improvement firm made 675,478 nuisance calls between June 2020 and March 2021, offering insulation services to people registered with the Telephone Preference Service (TPS).
It is against the law to make marketing calls to phone numbers registered with the TPS for more than 28 days unless the recipient notified the company they do not object to receiving such calls.
The company told the ICO that customer data was acquired from an 'unknown source' and blamed its staff for not screening the phone numbers against the TPS.
Following more than 60 complaints, the ICO's investigation found that the company identified itself using different trading names when calling, including 'Cozy Loft', 'Warmer Homes' and 'Comfier Homes'. This is also illegal.
Breach of regulations 21 & 24 of the PECR
During 2021, Zuwyco used a public telecommunications service to make 93,558 unsolicited calls for direct marketing purposes to subscribers/data subjects who had been listed on the ICO's 'no call' register, contrary to Regulation 21(1)(b) of the PECR, which resulted in seven complaints being made to the Telephone Preference Service and the ICO.
More specifically, the ICO found that Zuwyco's use of a public electronic communications service to make unsolicited calls for direct marketing to numbers which were listed on the 'no-call' register kept by the ICO under Regulation 26 of the PECR was contrary to Regulation 21(1)(b) of the PECR.
Zuwyco failed, as Regulation 24 of the PECR required, to provide the call recipients with the particulars specified in Regulation 24(2) of the PECR. Where Zuwyco provided the caller's name, it was seemingly interchangeable and could not be readily identified as Zuwyco or its clients.
Breach of regulation 21 of the PECR
Between 1 August 2020 and 30 April 2021, Posh Windows UK (PWUK) used a public telecommunications service to make, on the balance of probabilities, 461,062 unsolicited calls for direct marketing purposes to those already listed on the TPS.
This resulted in 21 complaints being made to the TPS and the Commissioner between 1 August 2020 and 30 April 2021 and further complaints outside this period.
The ICO noted the following aggravating features of this case:
Taking into account all of the above, the ICO decided that a penalty of £150,000 was reasonable and proportionate given the particular facts of the case and the underlying objective of imposing the penalty.
PWUK entered into a Creditors' Voluntary Liquidation on 10 August 2022.
Breach of CAPR 12
Claims management company Crosfill & Archer Claims was fined for making unsolicited telemarketing calls to people who registered not to receive this type of sales call, where the firm had no evidence they had consented to receive the call or was unable to confirm what consent had been obtained on customer data purchased from third party data providers.
"Cold-calling customers who elected not to receive sales calls is an example of the type of cavalier behaviour claims management firms should not be engaging in. Firms need to ensure they have the right governance and due diligence in place, and we will take action when we see behaviour that threatens legitimate consumer rights and interests." - Mark Steward, Executive Director of Enforcement & Market Oversight
H&H was a claims management company (CMC) whose business focused on claims for mis-sold payment protection insurance (PPI).
A £91,000 fine was imposed by the CMR under the previous regulatory regime for CMCs due to data breaches and unauthorised copying of client signatures.
In 2019, the CMR found that Hall & Hanley had breached rules requiring CMCs to take all reasonable steps to ensure that any referrals, leads or data purchased from third parties had been obtained following applicable laws.
Marketing text messages concerning PPI claims were sent to consumers' mobile telephone numbers without Hall & Hanley taking sufficient steps to check that affected consumers had consented to receive such messages.
In addition, when reviewing a sample of 16 of Hall & Hanley's client files, the CMR found that in 8 of the files, the clients' signatures on claim documentation (including letters of authority) had been copied without authorisation.
Breach of regulations 22 & 23 of the PECR
London-based Finance Giant acted as a loan broker for individuals looking for car finance. During 2020, it instigated sending a confirmed total of 505,759 unsolicited direct marketing messages received by subscribers contrary to regulation 22 of PECR.
The ICO received 97 complaints through the 7726 reporting system that SMS messages were sent without consent. Further investigation uncovered that almost half a million emails had been sent without an opt-out.
Ironically, the privacy policy on the firm's website detailed the need for valid consent. As they ignored available guidance, the ICO felt the breaches were deliberate and driven by a pursuit of profit, which led to a fine.
Breach of regulation 22 of the PECR
Bizfella is an FCA-registered credit broker that trades under various names, including Cash Carrot and Pixie Loans. As part of its business, Bizfella operated several websites, including Cash Carrot and Pixie Loans.
Between 15 November 2019 and 15 July 2020, Bizfella Limited instigated sending 224,550 unsolicited direct marketing SMS messages received by subscribers contrary to regulation 22 of PECR. The ICO issued a £30,000 penalty.
Bizfella came to the ICO's attention from complaints to the 7726 spam text reporting service. 904 complaints were submitted through the 7726 service, and the ICO received two further complaints directly.
The ICO found that between 15 November 2019 and 15 July 2020, Bizfella instigated the sending of 224,550 unsolicited direct marketing SMS messages that were received by subscribers contrary to regulation 22 of PECR.
To send those messages, Bizfella needed to ensure that it complied with regulation 22 of PECR: either valid consent had been obtained, or the soft opt-in requirements were met.
Small business best practice tips on data protection, employment law, money laundering, taxation, and health and safety can be found in our blog.
Our comprehensive roadmaps help you navigate the compliance landscape. They are supported by e-learning courses in our Skillcast CoreCompliance plan, which is designed and priced specifically for small businesses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!