Month: September 2020

British Airways Anticipates 90% Discount on GDPR Fine


When the ICO announced their intention to fine British Airways £183 million, it was seen as one of the landmark penalties in GDPR. It was a shot across the bow for any company handling personal data: a signal that the ICO intended to make full use of its powers under the new data protection act. Now though, the airline says it expects to pay only 10% of the total fine. So does this mean the regulator is taking a lighter touch?

What happened at British Airways?

In July, the ICO announced that it had fined British Airways £183 million after a computer hack which compromised the personal data of half a million people. At the time, the airline said it had been the victim of a ‘highly sophisticated attack’ which compromised the bank information of half a million people who had booked flights through its website.

However, the ICO took the view that information had been compromised by poor security arrangements and took action accordingly. The £183 million fine represents an enormous 1.5% of the firm’s annual turnover and is also the largest fine that the ICO has handed out. Furthermore, it was the first fine it made public since the new rules came into force. Under the rules of GDPR, the ICO could have decided to levy a higher fine, amounting to 4% of the annual turnover, had it deemed this necessary.

A reduced fine?

From that perspective, BA could have been said to have got off lightly. However, they immediately announced their intention to defend their position and make any necessary appeals.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Willie Walsh, head of British Airways’ parent company (International Airlines Group) at the time

BA announced its intentions to make representations to the ICO and these appear to have had an effect. In its July 31st statement the company said it had put aside only £20 million to cover the fine. This, it said, represented their “best estimate of the amount of any penalty issued by the ICO”.

If they are correct, the final penalty would represent a 90% reduction and the news has concerned a number of privacy campaigners. Your Lawyers, a consumer action law firm that has been appointed in a Steering Committee position by the High Court of Justice against British Airways in the GDPR case, have condemned the move.

The firm’s director Aman Johal, said that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”

He went on to say:

“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches. Such a substantial reduction could seriously undermine the purpose of GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”

In a statement the ICO said, “The regulatory process is ongoing, and we will not be commenting until it has concluded.” However, it is unlikely that BA’s management will have plucked this figure from thin air. The chances are, it represents their best guess based on the ongoing negotiations between the airline and the regulator.

What does it mean?

The ICO is remaining tight-lipped about the proposed fine, which leaves us to speculate on their possible reasoning. It may be that BA has been highly convincing in its representations to the regulator. If they can show that there were mitigating circumstances or that they had taken measures to safeguard data, the regulator might have been persuaded to take a more lenient stance.

Equally, though, this reduced fine may also be down to the ongoing pandemic – the ICO has already announced that it would take a lighter touch on GDPR enforcement during the pandemic, and will take into account whether an organisation’s financial difficulties have stemmed from the pandemic.

BA, like other airlines, has suffered during lockdown. Passenger numbers fell by 98% in the second quarter of 2020 as lockdown devastated business in various sectors. IAG, the owner of BA, was forced to raise £2.49bn to strengthen its balance sheet after reporting record losses. Over 10,000 jobs have already been cut in an effort to lower costs.

The fine, then, comes at a time when BA’s ability to absorb such a fine would have been compromised. Time will tell on the reasoning. However, with the ICO thus far not having followed through on its intention to fine Marriott Hotels under GDPR, the episode will raise questions about what stance the regulator intends to take on GDPR, and how.

Firms are Failing to Learn From AML Mistakes


Anti-money laundering (AML) fines have already surpassed the total for 2019 in the first half of the year. Are firms failing to learn from their mistakes?

Anti-money laundering fines surged to $706 million in the first half of this year, compared to $444 million for the whole of 2019. That’s the finding of the seventh annual Global Enforcement Review from Duff & Phelps.

The figure shows a reversal of the trend from previous years, which showed a steady decline ($3,297 million for 2018 and $2,136 million for 2017). However, according to Nick Bayley, Head of Regulatory Consultancy at Duff & Phelps, this new uptick doesn’t necessarily mean firms have stopped paying attention to AML issues.

“Despite the uptick in AML fine amounts in 2020 we are still seeing fewer massive fines being imposed in the United States. This is very unlikely to reflect regulators attaching any less importance to AML compliance, it may simply be that the very largest financial institutions may be beginning to get their AML compliance in order, at last.”

“Although we do see some big institutions repeatedly receiving major fines for their AML failings, the sheer size of the fines that have been imposed for these failings and the associated huge cost of remediation means many have seemingly now learned their lesson.”

Nick Bayley

Even so, he does acknowledge that the report showed multiple fines for the same offenses and that they have been cropping up time and time again.

“Interestingly, looking at the key AML failings that are identified by regulators, we see the same areas being sanctioned again and again. This is consistent for regulators across the globe and also over the past five years.”

Handling AML regulation has been one of the major challenges for most banks for quite some time now. Banks can face massive fines for breaches, up to approximately £4.5 million, or 10% of their total turnover.


The USA saw a significant reduction in the value of fines. In 2018, regulators in the USA accounted for 58% of the total fines issued. This time around it was down to just 12%. However, the total number of fines remained the same, suggesting the US regulator had simply not issued some of the mega fines seen last year.


Here in the UK, though, fines appear to be down on last year, at £36.6 million compared to £98.2 million for the whole of last year.

Regulatory intelligence

The ultimate support for banks and financial services firms, RegTech and regulatory intelligence has been developing at rapid speeds over recent years and has helped to moderate financial crime through various means, including process automation, real-time payments monitoring, predictive analytics, scrutinising enormous amounts of data sets and revealing patterns within them. These are just some of the areas in which regulatory intelligence assists the financial services industry, helping to ensure compliance and mitigating risk.

Waymark Tech’s software has been developed to offer all of this and more. The implementation of artificial intelligence and natural language processing (NLP) has already saved large amounts of man hours and has alleviated serious risk. Moving away from the traditional approaches within the financial services sphere has seen Waymark grow since it was founded in 2016. Preparation for regulatory compliance is crucial in the avoidance of fines. If you feel that regulatory intelligence could be valuable for your organisation, please do email us for a complimentary and no-obligation demo of our innovative software at

Lessons not learned

The figures are certainly mixed. They are well up on 2019 but still down on 2018 and 2017. As Bayley says, it’s perfectly possible that these simply show firms are finally beginning to get the message. However, the familiar nature of the failings suggests those firms who have not are making the same mistakes time and time again.

In a year marked by the global pandemic, in which the challenges of maintaining compliance are higher and in which fraudsters are presented with a wealth of opportunities, those firms not paying close attention are playing with fire. This was demonstrated rather clearly with the $47 million fine for Commerzbank which was found to have failed to put right problems despite repeated warnings from the regulator. (See our article on this here).

These failings occurred at a time when defending against fraudsters and money launderers was comparatively straightforward compared to the world under lockdown. Any firm carrying over the same deficiencies through this year is putting themselves at serious risk.

According to most experts, Commerzbank’s failure to address shortcomings was down to an issue of resources. This may be one of the tools for avoiding the same fate, and it is where Waymark’s technology comes in. Making sure compliance teams have the resources they need, and that they are up to date with the latest requirements, will be crucial to breaking the cycle and ensuring those important lessons finally hit home.

Pension Provider Sees Compensation Claim Soar by 2,000%


Pension provider James Hay was hit with some surprise news this month as an appeal saw its payout over a pension delay soar by 2,000%. The case should serve as a reminder to any pension firm to stamp out any delays in the pension process.

What happened?

James Hay had initially been ordered to pay £2,000 in compensation to one of its customers, known as “Mr T” for this case, after the firm caused a delay in a pension transfer, causing him to miss out on what he hoped would be a valuable investment opportunity.

Mr T had been looking to transfer his small self-administered pension into a self-invested personal pension plan. As well as £220,000 in cash, he had cash and stocks with Barclays Stockbrokers (BSB) in his SSAS. However, after BSB notified him it would be closing its pension trader accounts after 30th June 2016, he emailed James Hay asking them to begin the transfer.

Mr T requested the transfer to go through before the Brexit referendum on 23rd June 2016. However, this did not happen, and it wasn’t until 19th August 2016 that £250,000 in cash made its way from James Hay to Mr T’s new SIPP with Hargreaves Lansdown. A week after that, six out of seven lines of stock were transferred to the new provider, with the last line being processed on 3rd October 2016.

Because of these delays, Mr T argued that he had lost the opportunity to invest in stock markets after the referendum result which could, he believes, have represented an excellent investment opportunity. Remember, this was the morning which, as one investor described it, had ‘gold in its mouth’. Mr T had hoped he would have been one of those to benefit.

James Hay argued that it had carried out its duties in a satisfactory manner, although it admitted there had been two exceptions caused by miscommunication. The Ombudsman found that while there had been maladministration on the part of James Hay, the compensation should be set at only £2,000.

In explaining this figure, the Ombudsman said that the exact level of loss claimed by Mr T was not measurable. Mr T appealed, claiming that the compensation was not enough and that the Ombudsman should have taken into consideration how much money could have been made had the transfer happened in a more timely manner.

The court sent the decision back to the Ombudsman, saying it should identify when the money would have arrived without maladministration from James Hay. It should then consider what Mr T would have done with the money.

In this second finding, the Ombudsman found that the money should have arrived by 23rd June 2016, just in time for the referendum, and that Mr T would have invested the full amount in the FTSE 100 Index immediately after the leave vote. As such, it concluded the losses would have been much higher than originally thought.

Although it is impossible to say for certain what he would have done with the money or which stocks he would have invested in, the Ombudsman still determined that it was possible to make a reasonable estimate.

“If £250,000 had been invested when the FTSE Index level fell to 5,788, a profit of about £43,700 would have arisen when that Index rose to 6,800 in August 2016.”

Ombudsman, Anthony Arter

He therefore added more than £41,000 onto the compensation in recognition of this lost investment opportunity. James Hay, for its part, has accepted the revised ruling and says it is “in the process of arranging the settlement with the scheme.”

Lessons to be learned

The ruling might have been a shock for the firm, but as with every penalty notice issued, it provides an opportunity for firms to learn from their mistakes. It shows that not only can they be found culpable for delays in the transaction, but the Ombudsman is willing to make an estimate of the likely losses the client would have incurred. For other companies, the lesson is simple. Don’t drag your heels on transactions. The results could be more damaging than you think.
