By Aaron Nicodemus, 22 January 2024
A virtual currency exchange that tried to confuse and mislead regulators, banks failing after ignoring obvious risks, and a manufacturer that sold millions of its products in violation of US export controls. Some of 2023’s most notable compliance missteps might lead to regulatory changes that will affect everyone in their respective industries.
If there is a theme to Compliance Week's annual list of ethics and compliance failures for 2023, it is this: firms ignore regulators – and regulations – at their peril.
Binance
Binance was assessed $4.3 billion in penalties [1] by a handful of US government agencies in November and forced to cut ties with its founder and chief executive officer for numerous anti money laundering (AML), sanctions, and Bank Secrecy Act failures.
The world’s largest virtual currency exchange did not register with the US Treasury Department’s Financial Crimes Enforcement Network (until 2019) and never with the Commodity Futures Trading Commission (CFTC) as required. Since 2017, regulators said the company facilitated hundreds of millions of dollars in transactions that supported fraud, terrorist groups, and sanctions violations.
Regulators concluded company leaders, including former CEO Changpeng Zhao and former Chief Compliance Officer Samuel Lim, created an intentionally weak compliance programme,[2] then engaged in fraud and deception to help the exchange’s biggest US-based customers continue trading.
Like its crypto competitor FTX – which earned a spot on our 2022 compliance fails list [3] – before it, Binance paid a huge price for wilful non-compliance with US laws. And Binance must still address a separate lawsuit [4] filed by the Securities and Exchange Commission (SEC) in June 2023.
Bank failures
Before 2023, the United States had just one failure of a bank with at least $100 billion in assets: Washington Mutual in 2008.
In a span of three days in March 2023, that number became three: Silicon Valley Bank ($209 billion in assets) [5] and Signature Bank ($110 billion) [6].
In May, First Republic Bank ($229 billion) [7] joined them as number four.
Each bank was shuttered by its respective federal and state regulators after shaky finances led customers to withdraw their deposits in a frenzy. The banks failed because they did not properly manage risks related to rising interest rates and customer concentration, despite repeated warnings from their supervising agencies.
Another domino to fall in March was Switzerland’s Credit Suisse, which suffered a ‘crisis of confidence’ [8] and was forced by Swiss regulators to fold into its larger competitor, UBS.
In response to the collapses, US banking regulators are expected to require banks with more than $100 billion in assets to hold more funds aside and readjust their risk appetites.[9]
British American Tobacco
British American Tobacco (BAT) was found to have used a complex, years-long scheme to export tobacco products into North Korea in violation of US sanctions.
In April 2023, the company agreed to pay more than $635 million [10] to settle charges brought by the US Department of Justice (DOJ) and Treasury Department’s Office of Foreign Assets Control (OFAC).
BAT ‘purposefully obscured’ its relationship with a Singapore-based subsidiary in order to profit from the sale of its products in North Korea, with funds transmitted through two sanctioned banks, according to the DOJ and OFAC. The alleged arrangement was approved by company management and a standing committee of its board.
BAT did not voluntarily self-report the matter, which was judged by OFAC to be ‘egregious.’ The case marked the Treasury’s largest settlement with a non-financial institution.
NatWest
London-based bank NatWest found itself in a heap of trouble this summer after Group Chief Executive Alison Rose told a BBC journalist that Coutts, a wealth management subsidiary, closed the account of Brexit champion and controversial UK politician Nigel Farage because he didn’t meet its wealth criteria.
Farage successfully obtained his banking records, which indicated the bank actually closed his account over his political views.
The incident raised questions [11] about whether other UK banks had closed accounts of politically undesirable customers – the answer was ‘no,’ according to the Financial Conduct Authority (FCA) – as well as whether Farage had his right to privacy under the General Data Protection Regulation (GDPR) violated. An independent review [12] NatWest commissioned into the matter determined there likely was a breach of personal data.
In the aftermath, Rose and the head of Coutts lost their jobs.
The whole mess might lead to new regulations in the UK on how banks handle politically exposed persons (PEPs), as the issue remains under review [13] by the FCA.
Illumina
US-based biotechnology company Illumina failed to obtain permission from the European Commission for its August 2021 merger with cancer detection company Grail.
In July 2023, it paid the price [14]: an imposed fine of €432 million (then-US $476 million), worth a maximum 10% of its worldwide annual turnover.
The commission said the company’s actions in merging with Grail before receiving approval represented an ‘unprecedented and very serious infringement’ of the European Union’s merger control system, and that it ‘knowingly and intentionally’ breached EU rules in favour of completing the merger quickly.
In October, Illumina announced [15] it received an order from the European Commission to divest Grail. The company maintains the Commission does not have jurisdiction over the acquisition, which it is challenging in court.
The compliance lesson here? Just because a merger appears to be legal in one region, doesn’t mean other international agencies won’t have a say. And they’ll have no tolerance for that say being ignored.
Seagate
Data storage company Seagate thought it saw opportunity where others saw risk.
The company decided to sell more than 7.4 million hard drives to Chinese telecommunications giant Huawei in 2020 and 2021, despite US export controls that barred such sales.
In April 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) slapped Seagate with its largest fine ($300 million)[16] ever issued.
Despite Seagate leaders continuing to believe they had the legal right to make the sales, red flags were evident.[17] Two of the company’s biggest competitors stopped selling similar components to Huawei, and multiple investment firms noted the sales and questioned the activity. Seagate also faced a US Senate investigation [18] into the matter.
Seagate paid dearly for its mistake of thinking it knew better than the BIS, its competitors, analysts, and lawmakers about how to interpret US export controls.
Dishonourable mentions
It’s unlikely the compliance team at Goldman Sachs will look back on 2023 fondly, particularly after CFTC Commissioner Christy Goldsmith Romero lambasted the firm [19] in September 2023 for its ‘culture of non-compliance.’
Her statement came after Goldman was fined $30 million [20] by the CFTC for an unprecedented number of alleged swap reporting failures. The firm allegedly violated CFTC rules four times in an 18-month span. Further, Goldman was penalised twice in less than a year by the SEC, once for data inaccuracies [21] and the other for environmental, social, and governance investment lapses.[22]
‘Instead of creating a culture where Goldman invests in stronger controls and supervision, and then regularly reviews those controls and supervision to ensure that it is not violating the law, Goldman has created a culture of being a repeat federal defendant,’ Romero said.
In July 2023, Deutsche Bank was fined $186 million [23] by the US Federal Reserve Board for violating previous consent orders related to sanctions and AML weaknesses and control failures.
The Fed determined Deutsche Bank made ‘insufficient progress’ in addressing its concerns, and that the bank’s US operations ‘have remained exposed to heightened levels of compliance risk without sufficient internal controls’ to detect AML and sanctions violations.
That by itself would be enough to merit inclusion on our compliance fails list. But Deutsche Bank also ran afoul of German regulator BaFin [24] for not filing suspicious activity reports in a timely manner, was fined $25 million [25] by the SEC for a subsidiary’s misleading disclosures and AML failures, and paid $75 million [26] to settle a class-action lawsuit filed by sexual assault victims of Jeffrey Epstein.
All in all, Deutsche Bank did little in 2023 to improve its checkered compliance track record.
T-Mobile contended with at least three cybersecurity-related incidents in 2023, with the largest exposing approximately 37 million customer records.[27]
Data breaches aren’t anything new [28] at T-Mobile, including a 2021 breach [29] that exposed more than 76 million customer records, as the telecommunications company has earned a reputation for playing fast and loose with its customers’ personal information.
Each time the company is breached, it promises to do better, implements more safeguards and controls, and then gets exposed again. It’s as much an information technology failure as a compliance failure, but either way, it’s a mess that needs to be cleaned up.
This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com