Systemic risk management lapses at a financial services firm, allegations of toxic culture at a video game giant, and more of the same baffling behavior from one of the world’s largest tech companies. Compliance Week’s annual list of ethics and compliance failures featured no shortage of standouts in 2021.

Credit Suisse


Significant compliance failures are not always the result of intentional misconduct. Sometimes, poor corporate governance and risk management deficiencies are at fault. Swiss banking firm Credit Suisse makes our list for those exact reasons, following the collapse of two of its high-risk clients.

U.S. hedge fund Archegos Capital Management suffered a meltdown in March, reportedly losing $8 billion in less than two weeks after entering several high-risk derivatives transactions that ultimately backfired. The resulting massive stock sell-off caused $5.5 billion in losses for Credit Suisse, one of its largest lenders.

The bank had an additional $10 billion in funds tied to U.K.-based Greensill Capital, which filed for bankruptcy protection in March after investors walked away from the supply chain financing firm over concerns about risky loans that soured.

Swiss authorities announced in April an examination into the bank’s activities and its exposure to both the Archegos and Greensill collapses.

An independent report into Archegos commissioned by Credit Suisse exposed “significant” risk management deficiencies, including a lack of accountability for risk failures; acute risks that were systematically ignored; and a cultural unwillingness to engage in challenging discussions or escalate matters posing grave economic and reputational risk.

The bank continues to reorganize its senior leadership team. Chief Risk and Compliance Officer Lara Warner stepped down, and her position was split into two. Rafael Lopez Lorenzo was appointed chief compliance officer in September, while Goldman Sachs veteran David Wildermuth was hired to take over as chief risk officer by February 2022.

Credit Suisse further plans to exit prime services, the area of its Investment Bank most notably linked to its Archegos losses.


Robinhood

In June 2020, Alexander Kearns committed suicide believing he had racked up more than $700,000 in losses by trading options using Robinhood’s investing app.

“How was a 20-year-old with no income able to get assigned almost a million dollars’ worth of leverage?” a note left by Kearns to his family read. “There was no intention to be assigned this much and take this much risk, and I only thought that I was risking the money that I actually owned.”

A tragedy like this one should be a wake-up call for the entire fintech industry as to the weight of its ethical responsibility to ensure trading platforms are operating responsibly. Robinhood Co-Founders and Co-CEOs Vlad Tenev and Baiju Bhatt acknowledged this issue, though the company found itself in regulatory hot water on several occasions in 2021.

Most notably, Robinhood was at the center of January’s “meme stocks” craze, where amateur investors, egging each other on via social media, inflated the price of previously flat stocks like GameStop and AMC Entertainment Holdings. During the height of the craze, Robinhood restricted purchases of the stocks on its app, citing market volatility and regulatory restrictions. The decision drew the ire of investors and politicians alike, prompting a larger Securities and Exchange Commission (SEC) investigation into digital engagement practices.

In June, the Financial Industry Regulatory Authority (FINRA) ordered Robinhood Financial to pay a record $70 million in penalties for “systemic supervisory failures in several critical parts of its business.” FINRA said it considered the “widespread and significant harm” Robinhood customers suffered for receiving “false or misleading information” from the firm, in addition to the effects of systems outages in March 2020 that prevented placing trades.

In November, Robinhood’s rough year continued in the form of a data breach that exposed the email addresses or names of approximately seven million of its customers when a customer support employee fell victim to a social engineering attack.


Toyota

In January, Toyota was hit with a record $180 million civil penalty for “systemically” violating the U.S. Environmental Protection Agency’s (EPA) emission-reporting requirements under the Clean Air Act from approximately 2005 until at least late 2015 by delaying the filing of “hundreds of reports” concerning approximately 78 emission-related defects in millions of its vehicles.

What makes Toyota’s actions especially egregious is that managers of the company and Toyota’s U.S. unit responsible for submitting the reports to the EPA allegedly turned a blind eye to the misconduct. The violations were also occurring at the same time numerous other automakers were facing related investigations for allegedly engaging in emissions-cheating conduct of their own. Toyota managed to slip under the radar.

Nor was this the first time Toyota was caught misleading regulators. In 2014, the Justice Department ordered the company to pay a $1.2 billion criminal penalty—a record within the auto industry at the time—for repeatedly and intentionally misleading the public, regulators, and Congressional members about widespread incidents of unintended vehicle acceleration in 2009 and 2010.


Activision Blizzard


During a year when diversity, equity, and inclusion is as hot and sensitive a topic as it has ever been, it is inexcusable for any company to respond to allegations of sexual harassment and discrimination in the workplace with an attitude of disregard toward victims. Yet, this is the tone gaming giant Activision Blizzard set in its original response to a complaint filed in July by the California Department of Fair Employment and Housing.

The complaint followed a two-year investigation into allegations describing a “frat boy culture” that subjected female employees to everything from “constant sexual harassment” to “unwanted physical touching.” The lawsuit also alleged sex discrimination related to compensation, job assignment, promotions, and retaliation.

An email sent to employees in response to the allegations stated the lawsuit painted “a distorted and untrue picture” of the company’s culture. Although Activision Blizzard CCO Frances Townsend sent the controversial message—which infuriated hundreds of employees and resulted in the staging of a walkout in protest—CEO Bobby Kotick later admitted to having drafted it.

Further evidence uncovered by the Wall Street Journal claimed Kotick knew about the sexual misconduct allegations for years but chose to leave the board in the dark. Those allegations could prove critical in an ongoing investigation by the SEC.

Despite Kotick’s efforts to punt responsibility onto others, and despite his alleged deceitful acts, the board stated Nov. 16 it “remains confident that Bobby Kotick appropriately addressed workplace issues brought to his attention.” More employee protests have occurred since.

In a public gesture, Kotick asked Activision Blizzard’s board to reduce his total compensation to the “lowest amount California law will allow,” until the company achieves its cultural commitments. If approved, he would be paid a salary of $62,500, as opposed to his current $155 million pay package.

In November, Activision Blizzard announced the creation of a “Workplace Responsibility Committee” that will, in part, “require management to develop key performance indicators and/or other means to measure progress and ensure accountability.”


Dishonorable mentions

Wells Fargo: Five years after its fake account scandal surfaced, followed by a thrashing in Congress, Wells Fargo still can’t get out of its own way. In September, the Office of the Comptroller of the Currency (OCC) hit the bank with an additional $250 million civil penalty, in part for violating a 2018 consent order mandating Wells Fargo to improve its enterprise-wide risk management program, which the OCC said it still has not done. Sen. Elizabeth Warren (D-Mass.) is now urging federal banking regulators to break up Wells Fargo, arguing that “every new report of scandal and ongoing noncompliance” proves the bank is “ungovernable.”

Vodafone: The Spanish Data Protection Agency (AEPD) fined telecommunications company Vodafone a record €8.15 million (then-U.S. $9.72 million) in March for aggressive telemarketing tactics and numerous data protection violations. Vodafone’s total disregard for protecting consumer privacy is demonstrated by its repeat offenses: Between January 2018 and February 2020, the company received more than 50 fines or warnings for data privacy breaches, the AEPD said. Among them, the AEPD held, Vodafone used third-party contact lists without data subjects’ informed consent, and its Spanish arm does not have “real, continuous, permanent and audited control” over how it treats customer data and “does not know” what guarantees its subcontractors have in place to protect customers.

KPMG: Another year, another cheating scandal for the Big Four audit firm. KPMG Australia was fined $450,000 by the Public Company Accounting Oversight Board in September to resolve allegations of widespread cheating on personnel training tests at the firm. In 2019, the Securities and Exchange Commission highlighted similar misconduct as part of a larger $50 million settlement with KPMG related to stolen inspection information.


Meta Platforms (formerly Facebook)

A company that is no stranger to ethics and compliance failures, Meta’s troubles continued when whistleblower Frances Haugen went public in October after sharing a trove of sensitive internal documents regarding its Facebook platform with regulators and journalists.

The documents tell the tale of a company that prioritizes profits over people; uses its algorithms to foster social discord; negatively affects the mental health of young girls through its photo app Instagram; and enables drug cartels and human traffickers to openly conduct business on its platform.


In addition to Meta’s questionable ethical practices, Haugen’s freedom to walk away with the documents shows its internal controls are still plagued by data security weaknesses. Haugen said once she decided to blow the whistle, she spent months accessing internal documents she had no professional reason to access.

Clearly, Meta has no effective system to issue alerts when someone without proper credentials accesses sensitive documents—which is especially concerning for a company that essentially operates a black hole of personal consumer data and already was fined $5 billion by the Federal Trade Commission in 2019 for privacy violations.

Having (finally!) hired its first-ever chief compliance officer in January, Meta is either signaling it’s ready to make some smart governance changes or is simply adding window dressing, depending on how much independence and authority is given to the CCO.

Only time will tell. But, for now, Meta remains on our list.