This month’s key compliance news includes the ICO's cookie compliance warning, Morgan Stanley's £249m fraud settlement, Credit Suisse's $3m fine, and more.
The Monetary Authority of Singapore (MAS) has fined Credit Suisse $3.9 million for its failure to prevent or detect misconduct by relationship managers at its Singapore branch. Credit Suisse paid the penalty immediately and also compensated affected clients as part of the settlement.
The misconduct involved inaccurate or incomplete post-trade disclosures by relationship managers, leading to clients being charged spreads above agreed rates in 39 over-the-counter bond transactions.
Enforcement action followed MAS's review of pricing and disclosure practices in the private banking industry, revealing that Credit Suisse lacked adequate controls to prevent or detect such misconduct.
HSBC Bank has been fined £57.4m by Britain's Prudential Regulation Authority (PRA) for failing to accurately identify customer deposits eligible for protection under the Financial Services Compensation Scheme (FSCS) between 2015 and 2022.
The scheme safeguards customer deposits up to £85,000. The PRA revealed that 99% of HSBC's eligible beneficiary deposits were incorrectly marked as "ineligible" for FSCS protection. The bank also provided inaccurate evidence regarding its compliance with deposit protection rules.
The PRA imposed the second-highest fine ever, emphasising the severity of the shortcomings. Despite HSBC's cooperation in admitting rule violations, a 15% reduction was applied to the penalty.
"The serious failings in this case go to the heart of the PRA's safety and soundness objective. It is vital that all banks comply fully with our requirements around preparedness for resolution,"
- Sam Woods, CEO, PRA
The ICO recently conducted an assessment of the top 100 UK websites and identified that 53 seemed to be violating cookie rules outlined in the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR.
After a freedom of information (FOI) request, the ICO published the warning letters sent to these non-compliant organisations. The letters emphasised improper consent procedures for non-essential cookies, the lack of user-friendly options for rejecting cookies, and instances of sites ignoring cookie refusals.
GDPR specifies that consent must be freely given, specific, informed, and unambiguous, requiring a clear affirmative action from users to opt in. However, websites have employed workarounds such as relying on "legitimate interest" or labelling certain cookies as "essential" without proper justification.
Despite historically weak enforcement of data protection laws, the ICO's warning letters indicate a shift in its approach, signalling a heightened seriousness regarding cookie compliance.
“[The letters represent a] warning shot for organisations still playing fast and loose with the UK’s rules on cookies. It offers organisations a chance to put things right, rather than imposing immediate enforcement action, but it is the firmest action that the ICO has taken on cookies to date.”
- Neil Brown, technology lawyer, decoded.legal
Money laundering poses a significant threat to the UK economy, estimated at £100 billion annually. In response, the government has introduced a £400 million three-year Economic Crime Plan to address gaps in fraud, anti-money laundering (AML), and related areas. London has earned the nickname 'The Laundromat' due to the pervasive nature of money laundering in the capital.
Weaknesses in AML and Counter-Terrorist Financing (CTF) processes have been identified, particularly in the supervision of the professional services sector, which contributes 8.3% of the country's total economic output. The Financial Action Task Force (FATF) highlighted these vulnerabilities in 2018.
To enhance protection against money laundering and terrorist financing, the UK government is exploring new regulatory frameworks through a consultation process. Compliance teams must stay informed about evolving AML legislation, recognising their crucial role in preserving the system's integrity. Decisions stemming from this consultation will shape compliance obligations in the UK for the foreseeable future.
The Bank of England has imposed a fine of £118,808 ($151,338) on former Wyelands Bank CEO Iain Hunter for negligence in ensuring the bank had sufficient systems and controls.
Wyelands Bank, which has been associated with the Gupta Family Group (GFG) Alliance, has since closed down and was a major client of Greensill Capital, which collapsed in 2021.
The Bank of England's Prudential Regulation Authority (PRA) fined Hunter for violating regulations that hold senior managers accountable for overseeing significant exposures. Hunter, currently engaged in a governance role at GFG Alliance, has not responded to requests for comment.
Morgan Stanley has agreed to a $249 million settlement with the Justice Department and Securities and Exchange Commission for false statements related to block-trading practices from June 2018 to August 2021.
The bank avoids criminal charges by adhering to a non-prosecution agreement for three years. Former executive Pawan Passi reached a deferred prosecution agreement, admitting to misleading clients about confidentiality during the same period.
Passi faces a one-year ban from the securities industry and a $250,000 SEC fine but can seek readmission afterwards. Morgan Stanley expressed confidence in improved controls, enhanced training, and clearer policies for block trading.
The Information Commissioner's Office (ICO) is facing criticism from conservative figures for advising staff to consider transgender colleagues as the gender they identify with.
The workplace guidance from the data watchdog emphasises supporting transgender and non-binary staff, providing guidance for managers and staff handling protected information. Critics, including Toby Young from the Free Speech Union, question the ICO's legitimacy in data privacy protection, calling the guidance reminiscent of thought policing.
Conservative MP Lia Nici argues that existing workplace protection under the Equality Act makes such guidance unnecessary. The ICO defends its stance, stating that promoting inclusivity and respect is integral to its commitment to upholding information rights.
The UK's financial services regulator, the Financial Conduct Authority (FCA), is investigating how investment banks and commercial insurers handle sexual harassment, bullying, and other non-financial misconduct. This initiative follows complaints from victims who feel silenced or compelled to leave their jobs.
The FCA's executive director, Sarah Pritchard, informed lawmakers that a survey would be conducted in the wholesale banking and insurance sector to assess the prevalence of such misconduct and examine detection and resolution methods. The survey aims to inform the supervisory program when new rule sets are implemented.
The inquiry coincided with the conclusion of a parliamentary investigation into "Sexism in the City," addressing sexual harassment and a pervasive "old boys' club" culture in the financial industry.
The FCA's survey, set to be completed by mid-year, will also explore how employers assess the fitness and propriety of finance professionals. During the investigation, 40 women from various financial services companies shared anonymous experiences of sexism and misogyny, revealing that reporting misconduct was hindered by high barriers, often leading victims to change teams, leave the company, or exit the industry.
The use of non-disclosure agreements (NDAs) in sexual harassment cases was highlighted, with recommendations from attendees including credible penalties for those perpetuating misconduct, mandatory reporting of NDAs, and the inclusion of non-financial conduct in the "fit and proper" standards for working in finance.
A JPMorgan Chase subsidiary is set to pay an $18 million fine to the Securities and Exchange Commission (SEC) for violating whistleblower protection rules, marking one of the largest fines under these regulations.
The SEC alleged that J.P. Morgan Securities obstructed clients with disputes from reporting potential securities law violations by having them sign confidentiality agreements. These agreements allowed clients to respond to regulator inquiries but prohibited them from voluntarily contacting the SEC, violating whistleblower protection rules established by the 2010 Dodd-Frank Act.
J.P. Morgan Securities, without admitting or denying the SEC's findings, agreed to be censured, cease violations, and pay the $18 million civil penalty. The SEC highlighted that the firm revised its confidentiality release section after being notified of the violation, assuring clients they are not prohibited from reporting to regulators.
The enforcement of whistleblower protection rules has become a focus for the SEC, resulting in actions against companies with contracts impeding employees from reporting misconduct. This settlement with J.P. Morgan is among the first cases related to a firm's settlement agreements with clients under the whistleblower rule.
The former president of MGM Grand Casino, Scott Sibella, has pleaded guilty to a federal charge for not reporting suspicious transactions required by the Bank Secrecy Act.
The Justice Department revealed that during his tenure from August 2017 to February 2019, Sibella knowingly allowed a casino patron, Wayne Nix, who operated an illegal bookmaking business, to gamble with illicit proceeds without informing the casino's compliance department.
In related settlements, MGM Grand and The Cosmopolitan of Las Vegas will pay a combined $7.45 million, undergo external reviews, and enhance their anti-money laundering programs to address alleged violations of money laundering laws and the Bank Secrecy Act (BSA). Sibella not only permitted Nix to gamble but also provided him with complimentary benefits to encourage his patronage. He failed to report Nix's illegal activities to compliance personnel, which resulted in the casino's failure to file the required suspicious activity reports.
Essex County Council has acknowledged a lack of full compliance with internal policies in payments totalling around £500,000 for a community campaign during the COVID-19 pandemic.
The admission follows an extensive investigation into the use of taxpayer funds. The council paid local prankster Simon Harris for "community engagement," and documents released two weeks after the initial report revealed that between April 2019 and March 2024, Harris received £536,775 in payments, with £388,475 coming from specific external funding.
The council claims the funds originated from various sources, mainly central government grants, with a minority from general council funds funded by council tax. Of the £500,000 received by Harris, at least £163,190 was distributed to others involved in the campaign. There was no legal requirement for Harris to disclose information about those recipients.
ECC has no record of why this occurred but suggests it was to expedite payments. The council, having an established relationship with Harris as a contractor for digital consultancy, states he played a role in the Essex Coronavirus Action community campaign during the pandemic.
"We have identified that there was not full compliance with the declaration of interest process, but we are unable to disclose details of who should have declared or what. This is because it would amount to a breach of the first data protection principle, which requires that data should be processed fairly and lawfully."
- Spokesperson, ECC