Risk and Compliance update - December

Risk and Compliance update - December

Crime prevention

AML & counter-terrorist financing

GDPR and data protection

Information management & security

Crime prevention

Anti-bribery & corruption

Alstom Network UK Ltd has been fined £15m and ordered to pay a further £1.4m in costs after being convicted for conspiracy to corrupt, relating to a contract to supply trams in Tunisia. The company paid an intermediary, Construction et Gestion Nevco Inc (Nevco), €2.4m to secure a €79.9m contract with Transtu—the operator of the Tunis Metro. The contract between Alstom and Nevco was made to appear legitimate and pass internal compliance checks, however, in reality, it was only designed to facilitate bribes. See: LNB News 26/11/2019 34.

A jury found former Alstom SA executive Lawrence Hoskins guilty of a scheme to bribe Indonesian officials on Friday, 8 November 2019, convicting on all but one count in the long-awaited Foreign Corrupt Practices Act (FCPA) trial. See News Analysis: Ex-Alstom executive found guilty on 11 counts in bribery trial.

Samsung Heavy Industries Company Limited has agreed to pay total penalties of $75,481,600 to resolve the US government’s investigation into violations of the FCPA relating to bribery in Brazil. According to admissions by Samsung Heavy Industries, between 2000 and 2013, the company conspired to violate the FCPA by providing approximately $20m in payments to a Brazilian intermediary, knowing portions of the money would be paid as bribes to officials at Petrobras, the Brazilian state-owned oil and state-controlled energy company. See: LNB News 25/11/2019 17.

TRACE, the world’s leading anti-bribery standard setting organisation, has released the 2019 TRACE bribery risk matrix (TRACE Matrix), which measures business bribery risk across 200 jurisdictions. The overall risk score is a combined and weighted score of business interactions with government, anti-bribery deterrence and enforcement, government and civil service transparency, and capacity for civil society oversight, including the role of the media. See: LNB News 13/11/2019 42.

The Serious Fraud Office (SFO) faces further pressure to prove it can hold companies to account for wrongdoing after data released on Wednesday 20 November 2019 showed the crime-fighting agency has secured just seven corporate convictions in seven years. See News Analysis: SFO criticised for 'startingly low' corporate conviction rate.

The US Department of Justice (DOJ) has tweaked its policy offering companies leniency under the FCPA, clarifying what companies need to disclose and when. See News Analysis: US Department of Justice tweaks FCPA corporate enforcement policy for clarity.

Sanctions & export controls

Apple Incorporated will pay nearly US $467,000 to the US Department of the Treasury for allegedly hosting a sanctioned Slovenian software developer on its platform and processing more than US $1m in payments to the company. See News Analysis: Apple strikes deal with US Treasury over sanctions lapse.

Modern slavery

The 2018–2019 Consumer Harm Report has identified the rise in modern slavery in criminal activities and of online fraud in social media, search engine adverts and websites as emerging threats. In the past year, these investigations have, among other things, focused on doorstep criminals, online fraud and dangerous consumer products. See: LNB News 27/11/2019 64.

AML & counter-terrorist financing


The National Crime Agency (NCA) has released a booklet ‘Suspicious Activity Report (SAR) Glossary Codes and Reporting Routes—November 2019’. The booklet is designed to provide guidance on the use of SAR glossary codes and reporting routes. See: LNB News 11/11/2019 57.

The NCA has published its annual UK financial intelligence unit (UKFIU) report into SARs. The UKFIU reports that it received and processed 478,437 SARs between April 2018 and March 2019, including 34,543 requests for a defence against money laundering (representing a 52.72% increase) with refusals of a defence numbering a small 1372. These refused requests related to a total of £131,667,477 in funds which were restrained, seized, forfeited or recovered as a result (more than double on the previous year). 459 cases involved no previous or existing law enforcement investigation. See: LNB News 06/11/2019 31.



The Financial Action Task Force (FATF) has published a speech by its executive secretary, David Lewis, on global developments in digital identity, and FATF’s work developing guidance to clarify how digital ID systems can be used by banks and others to identify and verify a person’s identity. See: LNB News 22/11/2019 34.

David Lewis, the executive secretary of the FATF, also delivered a speech at the Royal United Services Institute, outlining the context for the forthcoming FATF strategic review. Lewis stated that FATF has identified some positive results among its member states, but that most countries are failing in terms of effectiveness and many are also failing when it comes to technical compliance. Lewis also stated that the current challenge is the implementation of the FATF standards, not the standards themselves, and that the strategic review will focus on how FATF’s evaluation of countries can better promote and enable more effective anti-money laundering (AML) measures and measures to counter financing of terrorism. See: LNB News 19/11/2019 31.

On 11-12 November 2019, in Sanya, China, the FATF held its first Supervisors’ Forum on improving the effectiveness of supervision. Approximately 100 senior financial and professional supervisors, from over 40 countries, took part in the event, chaired by FATF president Xiangmin Liu. The meeting identified a number of areas that require further actions, which will be taken forward at the FATF plenary and at further meetings of the Supervisors’ Forum, to be held in May 2020. See: LNB News 13/11/2019 51.

PSC register

A joint working party of the Law Society and City of London Law Society (CLLS) Company Law Committees (the committees) has drafted a Q&A document which highlights practitioner experience on certain areas of complexity not specifically covered by the people with significant control (PSC) register primary and secondary legislation or the related Department for Business, Energy and Industrial Strategy (BEIS) guidance. See: LNB News 08/11/2019 63.

GDPR and data protection

Regulatory regime

The Information Commissioner’s Office (ICO) has submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State. The code reflects the results of a consultation carried out by the ICO and follows the General Data Protection Regulation (EU) 2016/679 (GDPR) and Data Protection Act 2018 (DPA 2018). As the code needs to be laid in Parliament, the general election will delay this until after a new government has formed. See: LNB News 25/11/2019 18.

The ICO has called for views on it being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002 (POCA 2002). Although the GDPR introduced increased financial penalties for civil breaches of the DPA 2018, the only sanction available to the courts in criminal cases is a fine which is often less than the financial gain of the offender. Courts can make POCA 2002 confiscation orders and the ICO submits that POCA 2002 investigations and other associated powers would enable the ICO to assist the court in the identification of assets and to determine the value of a criminal’s proceeds from crime and stop offenders from retaining significant criminal proceeds. Responses are welcome until 6 December 2019. See: LNB News 15/11/2019 44.

On 5 November 2019, the Berlin Commissioner for Data Protection and Freedom of Information announced that it had imposed a fine of €14.5m on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the GDPR became applicable. Anna Pateraki of Hunton Andrews Kurth LLP explains the action. See News Analysis: Berlin Commissioner issues Germany’s largest ever GDPR fine.

Lawful processing & transfer of data

The European Data Protection Board (EDPB) has adopted the report on the third annual joint review of the EU–US privacy shield. The EDPB welcomes the US’ efforts to implement the privacy shield, especially ex officio oversight and enforcement actions. The EDPB also approves of the appointment of the permanent ombudsperson and the filling of the final two vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB). See: LNB News 19/11/2019 21.

The European Commission (Commission) has issued a report on its findings from the third annual Privacy Shield review, which took place in September 2019. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks. Brian Hengesbaugh, Partner at Baker McKenzie LLP, explains the report’s findings. See News Analysis: Third annual Privacy Shield review confirms commission’s adequacy decision.

Banks, insurers, airlines and other companies may soon have new EU-approved model clauses for the transfer of personal data as regulators work on a review of the clauses. See News Analysis: EU’s model data-transfer clauses under review after company input, Commission official says.

The EDPB has released its final version of the Guidelines on Territorial Scope following a public consultation on the subject. The guidelines endeavour ‘to provide a common interpretation of the GDPR for EEA Data Protection Authorities when assessing whether a particular processing by a controller or a processor falls within the territorial scope of the legal framework’. Indeed, they intend to clarify GDPR’s application in various situations. Feedback from the earlier consultation has been taken into account by the EDPB and has led to updates to the guidance’s wording and legal reasoning. See: LNB News 14/11/2019 59.

Special category data

The ICO has published new detailed guidance on special category data, aimed at data protection officers and those with specific data responsibilities in larger organisations, as well as updated its guide to data protection regarding special category data. Ian Hulme, director for regulatory assurance at the ICO, describes special category data as the most sensitive personal data and highlights that the ICO expects controllers to take all necessary precautions to protect this data. A template appropriate policy document is also available. See: LNB News 15/11/2019 17.

Information management & security


UK Finance has published a blog post on the need to ensure that security measures evolve in order to defeat cyber threats of various forms, including from organised criminals, ‘lone wolves’ as well as ‘disgruntled employees’ and ‘nation-state-sponsored actors’. See: LNB News 26/11/2019 47.

The National Cyber Security Centre (NCSC) has published the first full cybersecurity body of knowledge (CyBOK), which codifies foundational information in 19 knowledge areas and should be used as a tool to address the means and objectives of cybersecurity, understand failures and incidents and limit risk. The work covers principles of sound thinking and good practice to be applied across knowledge areas as well as crosscutting themes such as security economics, verification and formal methods and security architecture and lifestyle. See: LNB News 06/11/2019 51.

The Department for Digital, Culture, Media & Sport (DCMS) has issued a call for evidence, seeking views and advice on how the government can help improve cybersecurity across the UK economy. DCMS says it wants to understand the barriers which prevent organisations from improving their cybersecurity, and hear views on the effectiveness of existing interventions, including regulations like GDPR and the NIS Directive, and other guidance and support. Feedback is sought by 20 December 2019. See: LNB News 04/11/2019 70.

Europol has published a strategic report on spear phishing, one of the most prevalent cyber threats, detailing recommendations on prevention, response and investigation. Europol, presenting a law enforcement and private industry perspective, outlines case studies, common modi operandi, technical solutions, prevention guidance and attributional and operational responses to provide an overview. See: LNB News 04/11/2019 30.

Related Articles:
Latest Articles:
About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.