Every Thursday, Compliance Week puts a snarky spotlight on individuals, companies, and governments that “Failed It” in the areas of ethics and compliance during the week and gives out kudos to those that “Nailed It.” If we missed any or if you have any nominations for next week, let us know on Twitter (@ComplianceWeek) or in the comments section below.

Nailed It


JPMorgan Chase: The biggest issuer of Paycheck Protection Program (PPP) loans issued an all-company memo earlier this week encouraging employees to be “vigilant” regarding potential fraud under the program. That includes toward their peers, as the memo said the bank would be investigating cases where its employees could have been involved in fraud. “We’ve also seen conduct that does not live up to our business and ethical principles—and may even be illegal,” the memo reads. “This includes instances of customers misusing Paycheck Protection Program loans, unemployment benefits and other government programs. Some employees have fallen short, too.” While it wouldn’t be a good look if it comes out that a JPMorgan employee was involved in PPP fraud, the bank deserves a nod for getting ahead of such a situation and transparently acknowledging the potential misconduct. —Kyle Brasseur

Danske Bank: Denmark’s largest bank has taken its fair share of hits in recent years—most notably the money laundering saga that blew up in 2018—but it gets a thumbs-up this week for its compliance-focused efforts to curtail potential instances of conflict of interest. The bank shared a job posting on LinkedIn seeking a conflict management compliance officer as part of a new team “to ensure that we stay on top of regulatory requirements and to enable the bank to identify, prevent and manage potential Conflicts of Interest.” The group will “have a big impact on ethical standards of the bank and will continue to promote a strong compliance culture within the bank,” the posting states. Danske has a lot of work to do to restore its image; anything to reinforce a strong compliance culture is a good place to start. —Kyle Brasseur

Student whistleblowers: Colleges are encouraging returning students to report when their fellow classmates break coronavirus-related rules when they host parties and gatherings, with some schools even setting up hotlines. Many students are alerting school officials about rule-breakers. It’s got to be awkward to blow the whistle on your fellow classmates, but think of it as a good lesson on doing the right thing to protect others. Meanwhile, college administrators deserve some of the blame, because they chose, for financial reasons, not to implement a fully remote learning environment during a pandemic. Is anyone surprised that students gathered in huge crowds over Labor Day weekend, without masks and without social distancing? What did you think would happen when you bring thousands of teenagers and young adults back to campus? That they’d enjoy the solitude of their dorm rooms? —Aaron Nicodemus

Irish Data Protection Commission: We’ve called out the Irish in this space for being gun shy when it comes to data privacy violations of U.S. technology giants that have their European headquarters in Ireland, so it’s only fair to give them a nod when they take some action. We learned this week that the Irish DPA ordered Facebook to suspend the transfer of European citizens’ personal data to the United States following concerns the social media giant was breaching the terms of a key European court ruling from July that said U.S. surveillance laws were incompatible with EU privacy rights. It is the first significant step an EU regulator has taken to enforce the Court of Justice of the European Union’s July ruling that invalidated the EU-U.S. Privacy Shield, which protected trans-Atlantic data transfers. Now, we wait for Facebook’s response to what could be a precedent-setting action. —Dave Lefort

BlackBerry: Even though the General Data Protection Regulation took effect in May 2018, it feels like many are still trying to wrap their heads around it. As such, BlackBerry announced Wednesday it will be providing dedicated instances of its AtHoc emergency communication service that are designed to comply with the GDPR and a new EU directive mandating that each member state establish a public warning system by 2022. The AtHoc instances will localize EU data in new data centers located in the Netherlands and France, in addition to an existing center in the United Kingdom. GDPR concerns are top of mind for many in the European Union, including member state governments, so it’s a shrewd move by BlackBerry to reinforce its product as privacy-focused. —Kyle Brasseur


Failed It


Cyber-security … in space!: There is good reason for the Trump administration to release guidance for the country to protect its space systems from cyber-threats, but the fact that we have this while a bill with bipartisan support to establish a no-brainer position of National Cyber Director is still sitting in the House is a mismanagement of priorities. A recent study showed the United States has had more than triple the number of significant cyber-attacks over the last 14 years than any other country, and yet little urgency has been shown by the government to get the most basic national cyber-security controls in order. Space guidance is important, but is it too much to get that kind of attention down here? Oh, and let’s not forget there’s an election coming up that foreign powers are trying to influence and potentially infiltrate. —Kyle Brasseur

Deutsche Bank Trust Company Americas:  The Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement with Deutsche Bank Trust Company Americas (DBTCA) for a pair of apparent violations of Ukraine-related sanctions, one of which related to a nearly $29 million payment that involved a property interest of an oil company in Cyprus that was on OFAC’s sanctioned list. Senior compliance staff apparently flagged the payment initially (smart move), but ultimately approved it based solely on verbal assurances from the U.S. counsel of a “non-accountholder party” that the transfer didn’t violate sanctions (it actually did). No further due diligence was performed by DBTCA. Whatever happened to “trust, but verify?” —Dave Lefort

Bank of America: Executives at the nation’s second-largest bank have a history of insulting, belittling, disciplining, demoting, and even firing sales employees who didn’t meet rigorous sales quotas connected to new credit card accounts, according to a story this week in American Banker. What’s particularly insidious about BoA’s actions, if true, is that executives pressured employees to generate new credit card accounts while being investigated by two regulatory agencies about the bank’s pressure tactics. The Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau each eventually concluded that BoA did not violate banking rules by opening up accounts without customers’ permission, a la BoA competitor Wells Fargo. But the toxic corporate culture at BoA as described by American Banker certainly made breaking the rules tempting, not something to avoid. —Aaron Nicodemus

Trader Joe’s: Current and former employees of the grocery store chain are speaking out about a corporate culture that allegedly turns a blind eye to sexual harassment. It all started with one Trader Joe’s worker who reported inappropriate conduct to her supervisor this summer, only to be told it was a “he said, she said” situation that warranted no disciplinary action. So, the worker started an online petition to encourage the company to take a stronger stance on sexual harassment. The petition garnered 7,000 signatures and unearthed other stories of sexual harassment from Trader Joe’s employees across various states. Don’t mess with millennials and gen-Zers … they came of age in the social media era. They will take you down faster than you can say “the keystroke is mightier than the sword.” —Aly McDevitt