Tag: Fines

British Airways Anticipates 90% Discount on GDPR Fine

When the ICO announced its intention to fine British Airways £183 million, it was seen as one of the landmark penalties under GDPR. It was a shot across the bow for any company handling personal data: the ICO intended to make full use of its powers under the new Data Protection Act. Now, though, the airline says it expects to pay only 10% of the total fine. So does this mean the regulator is taking a lighter touch?

What happened at British Airways?

In July, the ICO announced that it had fined British Airways £183 million after a computer hack which compromised the personal data of half a million people. At the time, the airline said it had been the victim of a ‘highly sophisticated attack’ which compromised the bank information of half a million people who had booked flights through its website.

However, the ICO took the view that the information had been compromised because of poor security arrangements and took action accordingly. The £183 million fine represents an enormous 1.5% of the firm’s annual turnover and is also the largest fine that the ICO has handed out. Furthermore, it was the first fine it made public since the new rules came into force. Under the rules of GDPR, the ICO could have decided to levy a higher fine, amounting to 4% of annual turnover, had it deemed this necessary.

A reduced fine?

From that perspective, BA could have been said to have got off lightly. However, they immediately announced their intention to defend their position and make any necessary appeals.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Willie Walsh, head of British Airways’ parent company (International Airlines Group) at the time

BA announced its intentions to make representations to the ICO and these appear to have had an effect. In its July 31st statement the company said it had put aside only £20 million to cover the fine. This, it said, represented their “best estimate of the amount of any penalty issued by the ICO”.

If they are correct, the final penalty would represent a 90% reduction, and the news has concerned a number of privacy campaigners. Your Lawyers, a consumer action law firm that has been appointed to a Steering Committee position by the High Court of Justice in the GDPR case against British Airways, has condemned the move.

The firm’s director, Aman Johal, said that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”

He went on to say:

“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches. Such a substantial reduction could seriously undermine the purpose of GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”

In a statement the ICO said, “The regulatory process is ongoing, and we will not be commenting until it has concluded.” However, it is unlikely that BA’s management will have plucked this figure from thin air. The chances are that it represents their best guess based on the ongoing negotiations between the airline and the regulator.

What does it mean?

The ICO is remaining tight-lipped about the proposed fine, which leaves us to speculate on its possible reasoning. It may be that BA has been highly convincing in its representations to the regulator. If it can show that there were mitigating circumstances or that it had taken measures to safeguard data, the regulator might have been persuaded to take a more lenient stance.

Equally, though, this reduced fine may also be down to the ongoing pandemic – the ICO has already announced that it would take a lighter touch on GDPR enforcement during the pandemic, and will take into account whether an organisation’s financial difficulties have stemmed from the pandemic.

BA, like other airlines, has suffered during lockdown. Passenger numbers fell by 98% in the second quarter of 2020 as lockdown devastated business in various sectors. IAG, the owner of BA, was forced to raise £2.49bn to strengthen its balance sheet after reporting record losses. Over 10,000 jobs have already been cut in an effort to lower costs.

The fine, then, comes at a time when BA’s ability to absorb it is compromised. Time will tell on the reasoning. However, with the ICO thus far having not followed through on its intention to fine Marriott Hotels under GDPR, the episode will raise questions about what stance the regulator intends to take on GDPR enforcement.

Pension Provider Sees Compensation Claim Soar by 2,000%

Pension provider James Hay was hit with some surprise news this month as an appeal saw its payout over a pension delay soar by 2,000%. The case should serve as a reminder to any pension firm to stamp out delays in the pension transfer process.

What happened?

James Hay had initially been ordered to pay £2,000 in compensation to one of its customers, known as “Mr T” for this case, after the firm caused a delay in a pension transfer, causing him to miss out on what he hoped would be a valuable investment opportunity.

Mr T had been looking to transfer his small self-administered scheme (SSAS) into a self-invested personal pension (SIPP). As well as £220,000 in cash, he held cash and stocks with Barclays Stockbrokers (BSB) in his SSAS. However, after BSB notified him that it would be closing its pension trader accounts after 30th June 2016, he emailed James Hay asking them to begin the transfer.

Mr T requested that the transfer go through before the Brexit referendum on 23rd June 2016; however, this did not happen, and it wasn’t until 19th August 2016 that £250,000 in cash made its way from James Hay to Mr T’s new SIPP with Hargreaves Lansdown. A week after that, six of the seven lines of stock were transferred to the new provider, with the last line being processed on 3rd October 2016.

Because of these delays, Mr T argued that he had lost the opportunity to invest in the stock markets after the referendum result, which could, he believes, have represented an excellent investment opportunity. Remember, this was the morning which, as one investor described it, had ‘gold in its mouth’. Mr T had hoped he would have been one of those to benefit.

James Hay argued that it had carried out its duties in a satisfactory manner, although it admitted there had been two exceptions caused by miscommunication. The Ombudsman found that while there had been maladministration on the part of James Hay, the compensation should be set at only £2,000.

In explaining this figure, the Ombudsman said that the exact level of loss claimed by Mr T was not measurable. Mr T appealed, claiming that the compensation was not enough and that the Ombudsman should have taken into consideration how much money could have been made had the transfer happened in a more timely manner.

The court sent the decision back to the Ombudsman, saying it should identify when the money would have arrived without maladministration by James Hay. It should then consider what Mr T would have done with the money.

In this second finding, the Ombudsman found that the money should have arrived by 23rd June 2016, just in time for the referendum, and that Mr T would have invested the full amount in the FTSE 100 Index immediately after the leave vote. As such, it concluded the losses would have been much higher than originally thought.

Although it is impossible to say for certain what he would have done with the money or which stocks he would have invested in, the Ombudsman still determined that it was possible to make a reasonable estimate.

“If £250,000 had been invested when the FTSE Index level fell to 5,788, a profit of about £43,700 would have arisen when that Index rose to 6,800 in August 2016.”

Ombudsman, Anthony Arter

He therefore added more than £41,000 to the compensation in recognition of this lost investment opportunity. James Hay, for its part, has accepted the revised ruling and says it is “in the process of arranging the settlement with the scheme.”

Lessons to be learned

The ruling might have been a shock for the firm, but as with every penalty notice issued, it provides an opportunity for firms to learn from their mistakes. It shows that not only can they be found culpable for delays in a transaction, but the Ombudsman is willing to make an estimate of the likely losses the client incurred. For other companies, the lesson is simple. Don’t drag your heels on transactions. The results could be more damaging than you think.

DSG Retail Fine: Lessons to Learn

The ICO’s decision to issue DSG Retail Ltd with the maximum penalty possible highlights how seriously it takes data security and what factors influence its decisions.

The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd under the old Data Protection Act should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.

What happened?

The scale of the fine stems from a litany of errors, each of which on its own could have constituted a breach, but which taken together amounted to a serious and multifaceted breach of the Data Protection Act.

It started in May 2017, when an assessment of DSG’s point-of-sale payment terminals across its Currys PC World and Dixons Travel stores found that they were not compliant with the PCI DSS standard. Even so, DSG was slow to make changes.

Almost a year later, DSG discovered that the payment terminals had been compromised. Over the course of nine months, a cyber attacker had taken control of a number of domain administrator accounts and installed malware onto the POS system. The malware accessed the payment card details of around 5.6 million customers, although an investigation later found that only a total of 85 cards had potentially been used fraudulently.

The fraudsters had also accessed non-financial data belonging to about 14 million customers, including credit checks, contact details and failed credit checks. The company was inundated with nearly 3,300 customer complaints about the breach, and the regulator received 158 complaints.

The ICO’s investigation listed numerous systemic failures, including:

  • Lack of a firewall on the POS terminals
  • Inadequate patching of software
  • A poor response system
  • Insufficient network segregation
  • Mismanagement of application whitelisting

These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made this even worse. The firm was already aware of the vulnerabilities but failed to take action quickly enough. It took a whole nine months to identify the breach, and Carphone Warehouse, which belongs to the same group as DSG, had previously been fined £400,000 for the same breach.

The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.

Moreover, as a major retailer handling large quantities of sensitive customer data, DSG should have been able to lead by example. It had plenty of resources at its disposal and should have been able to offer better protection to its customers.

The only mitigating factor was that DSG had taken steps to notify its customers and had cooperated with investigators. Even so, the regulator deemed the maximum penalty appropriate.

Lessons to be learned

The scale of this fine should serve as a warning about how seriously the ICO takes data security. Had the breach occurred under GDPR, the fine could potentially have run into the millions. It shows the factors the regulator takes into account when deciding on a penalty, including the volume of data exposed, the nature of the breach, the resources of the firm and how the company responded to known vulnerabilities.

It’s a reminder for businesses to maintain and proactively monitor their security systems, and to fix any deficiencies as soon as possible. Cybercrime is becoming so widespread that if a company does identify a weakness, there’s a very good chance an attack will come sooner or later. While firms might be reluctant to spend the time and money fixing issues, if they don’t, they run a high risk of finding themselves before the ICO and, with GDPR in full swing, the consequences could be catastrophic.

What Can We Learn From the Commerzbank Fine?

The watchdog’s second-biggest fine for failing to have proper financial crime controls in place should serve as a warning to the rest of the sector.

The FCA has made anti-money laundering one of its key focuses for 2020, and this month it showed it means business with a £37,805,400 fine against Commerzbank London for failing to implement proper controls over a five-year period. It’s the second-biggest fine of its kind and offers some key lessons for the wider sector.

Listen to the regulator

The scale of the fine is partly down to the fact that the bank was aware of the problem and had been warned by the regulator, but failed to take action. The FCA said it had warned Commerzbank on three separate occasions about the risk of financial crime going undetected, but the bank had “failed to take reasonable and effective steps to fix them.”

Maintaining due diligence

The regulator found that the bank failed to undertake effective due diligence checks on clients. As of 1st March 2017, checks were overdue on 1,772 customers. In the meantime, many of these customers were able to continue doing business with the London branch through its Exceptional Control Scheme, which the FCA argues got out of hand.

The rules apply to you

AML requirements have toughened up in recent years, and regulators have very publicly stated that this is a priority. However, many financial institutions, for one reason or another, haven’t fully understood the implications of the changes or that these rules apply to them. With the EU’s sixth anti-money laundering directive coming into force in December, firms will have to continually update and review their measures to maintain compliance.

Getting the technology right

Companies are increasingly leaning on automated compliance monitoring systems. However, these are only effective if they are functioning properly. The FCA noted a failure to address known weaknesses in the automated tool for monitoring money laundering risks. In 2015, the bank noticed that 40 high-risk countries were missing from its tool and that 1,110 high-risk clients had not been added.

Enhanced due diligence

Companies will be coming under increasing pressure to ensure their due diligence processes are as good as they possibly can be. This means enhanced ongoing monitoring of any situation which by its nature presents a high risk of money laundering or terrorist financing, and maintaining up-to-date data and documentation.

Prompt action

One area where the bank performed well was in promptly agreeing to resolve the issue. The FCA says that the lender agreed to make changes at an early stage of the investigation, earning itself a considerable reduction of the fine. Without these changes, the FCA says the fine would have been £50 million.

Cooperation is seen in a positive light by the regulator. It is looking to use fines to encourage change rather than as a blunt tool of punishment. Those firms that can demonstrate an understanding of the problem and a willingness to change will receive kinder treatment.

Most importantly, this fine, coming quickly on the heels of Standard Chartered’s £1.1bn fine for violating sanctions and anti-money laundering rules, shows regulators are upping their game. The UK is continuing to align itself with the more aggressive approach taken towards anti-money laundering within the EU in recent years. Although we do not know how closely the UK will continue to be aligned with the EU after Brexit, the regulators’ actions do nothing to suggest their approach will weaken.

FCA Issues First Fine Against Claims Management Firm

The FCA has issued its first fine against a claims management company since it took over regulation of the sector eight months ago. It’s a finding which should signal the need for financial firms to maintain the highest standards of transparency when communicating with customers.

Essex-based Professional Personal Claims (PPC) was fined £70,000 by the regulator for misleading branding and for submitting inaccurate or misleading claims to banks.

The FCA also believed that the firm was attempting to give customers the impression that they were making claims directly to those banks when this, of course, was not the case. PPC operated websites that displayed the logos of five banks and incorporated the banks’ names in their domains. The FCA said that this muddied the waters of what customers might expect.

Customers could easily have been confused into thinking that the claims were being submitted directly to the banks rather than through a claims management firm in return for a fee.

“PPC’s misleading website and marketing material suggested PPC was associated with the five banks when this was not the case,” said Mark Steward, Executive Director of Enforcement. “Claims management firms must ensure their advertising is accurate. Not only in terms of what they say about themselves and their services but also in terms of what is represented.”

A lack of detail

The second charge is arguably just as damaging. People use claims management firms because they either don’t want the hassle of making the claim themselves or they aren’t confident they will fill out the forms correctly.

However, according to the FCA, PPC submitted claim forms to the banks which were either misleading or contained the wrong information.

The allegations had originally been brought by the former regulator, which had received 14 complaints about the company, before the FCA took over. PPC had originally challenged the finding in court before withdrawing its claim in September, leaving the FCA to adjudicate the penalty.

What can we learn?

This fine comes at a difficult time for claims management firms. The passing of the PPI deadline leaves many wondering what the future will bring for them. The FCA has only around 350 firms registered with it, compared to 700 at the height of the claims process.

The reputation of the sector is also extremely shaky. It has been blamed for misleading customers and also creating a compensation culture which has cost the banks billions.

If claims management firms are to go forward, the FCA has served notice that it expects them to adhere to the highest standards of accountability and transparency. Advertising must be scrupulously accurate, communication must be clear, and they will need to ensure all documentation is accurate, complete and correct. That might be something of an adjustment for a sector which has often thrived on ambiguity.

Before the deadline, the FCA had launched a high-profile marketing campaign to inform people about their rights and ensure they understood that they could make the claim themselves without using a claims firm.

Going forward, they will have to ensure they are whiter than white, being clear about what they offer, how much they charge and that they are not affiliated with any bank or financial institution.
