A virtual currency exchange that tried to confuse and mislead regulators, banks failing after ignoring obvious risks, and a manufacturer that sold millions of its products in violation of U.S. export controls. Some of this year’s most notable compliance missteps might lead to regulatory changes that will affect everyone in their respective industries.
If there is a theme to Compliance Week’s annual list of ethics and compliance failures for 2023, it is this: Firms ignore regulators—and regulations—at their peril.
Binance was assessed $4.3 billion in penalties by a handful of U.S. government agencies in November and forced to cut ties with its founder and chief executive officer for numerous anti-money laundering (AML), sanctions, and Bank Secrecy Act failures.
The world’s largest virtual currency exchange did not register with the Treasury Department’s Financial Crimes Enforcement Network until 2019 and never registered with the Commodity Futures Trading Commission, despite being required to do both. Since 2017, regulators said, the company facilitated hundreds of millions of dollars in transactions that supported fraud, terrorist groups, and sanctions violations.
Regulators concluded company leaders, including former CEO Changpeng Zhao and former Chief Compliance Officer Samuel Lim, created an intentionally weak compliance program, then engaged in fraud and deception to help the exchange’s biggest U.S.-based customers continue trading.
Like its crypto competitor FTX before it, which earned a spot on our 2022 compliance fails list, Binance paid a huge price for willful noncompliance with U.S. laws. And Binance must still address a separate lawsuit filed by the Securities and Exchange Commission (SEC) in June.
Before this year, the United States had seen just one failure of a bank with at least $100 billion in assets: Washington Mutual in 2008.
Then, within days of each other in March, Silicon Valley Bank and Signature Bank collapsed. In May, First Republic Bank ($229 billion) joined them as the fourth.
Each bank was shuttered by its respective federal and state regulators after shaky finances led customers to withdraw their deposits in a frenzy. The banks failed because they did not properly manage risks related to rising interest rates and customer concentration, despite repeated warnings from their supervising agencies.
Another domino to fall in March was Switzerland’s Credit Suisse, which suffered a “crisis of confidence” and was forced by Swiss regulators to fold into its larger competitor, UBS.
In response to the collapses, U.S. banking regulators are expected to require banks with more than $100 billion in assets to set aside more capital and to reassess their risk appetites.
British American Tobacco
British American Tobacco (BAT) was found to have used a complex, yearslong scheme to export tobacco products into North Korea in violation of U.S. sanctions.
In April, the company agreed to pay more than $635 million to settle charges brought by the Department of Justice (DOJ) and Treasury Department’s Office of Foreign Assets Control (OFAC).
BAT “purposefully obscured” its relationship with a Singapore-based subsidiary in order to profit from the sale of its products in North Korea, with funds transmitted through two sanctioned banks, according to the DOJ and OFAC. The alleged arrangement was approved by company management and a standing committee of its board.
BAT did not voluntarily self-report the matter, which was judged by OFAC to be “egregious.” The case marked the Treasury’s largest settlement with a nonfinancial institution.
London-based bank NatWest found itself in a heap of trouble this summer after Group Chief Executive Alison Rose told a BBC journalist that Coutts, a wealth management subsidiary, closed the account of Brexit champion and controversial U.K. politician Nigel Farage because he didn’t meet its wealth criteria.
Farage successfully obtained his banking records, which indicated the bank actually closed his account over his political views.
The incident raised questions about whether other U.K. banks had closed accounts of politically undesirable customers (the answer was “no,” according to the Financial Conduct Authority (FCA)) and whether the bank had violated Farage’s right to privacy under the General Data Protection Regulation. An independent review NatWest commissioned into the matter determined there likely was a breach of his personal data.
In the aftermath, Rose and the head of Coutts lost their jobs.
The whole mess might lead to new regulations in the United Kingdom on how banks handle politically exposed persons, as the issue remains under review by the FCA.
U.S.-based biotechnology company Illumina failed to obtain permission from the European Commission for its August 2021 merger with cancer detection company Grail.
In July, it paid the price: a fine of 432 million euros (then about U.S. $476 million), the maximum the commission can impose, equal to 10 percent of the company’s worldwide annual turnover.
The commission said the company’s actions in merging with Grail before receiving approval represented an “unprecedented and very serious infringement” of the European Union’s merger control system, and that it “knowingly and intentionally” breached EU rules in favor of completing the merger quickly.
In October, Illumina announced it received an order from the European Commission to divest Grail. The company maintains the commission does not have jurisdiction over the acquisition, which it is challenging in court.
The compliance lesson here? Just because a merger appears to be legal in one region doesn’t mean regulators elsewhere won’t have a say, and they will have no tolerance for that say being ignored.
Data storage company Seagate thought it saw opportunity where others saw risk.
The company decided to sell more than 7.4 million hard drives to Chinese telecommunications giant Huawei in 2020 and 2021, despite U.S. export controls that barred such sales.
In April, the Commerce Department’s Bureau of Industry and Security (BIS) slapped Seagate with its largest fine ($300 million) ever issued.
Although Seagate’s leaders continued to believe they had the legal right to make the sales, the red flags were evident. Two of the company’s biggest competitors had stopped selling similar components to Huawei, multiple investment firms noted the sales and questioned the activity, and Seagate faced a Senate investigation into the matter.
Seagate paid dearly for its mistake of thinking it knew better than the BIS, its competitors, analysts, and lawmakers about how to interpret U.S. export controls.
The compliance team at Goldman Sachs won’t likely look back on 2023 fondly, particularly after CFTC Commissioner Christy Goldsmith Romero lambasted the firm in September for its “culture of noncompliance.”
Her statement came after Goldman was fined $30 million by the CFTC for an unprecedented number of alleged swap reporting failures. The firm allegedly violated CFTC rules four times in an 18-month span. Further, Goldman was penalized twice in less than a year by the SEC, once for data inaccuracies and once for environmental, social, and governance investment lapses.
“Instead of creating a culture where Goldman invests in stronger controls and supervision, and then regularly reviews those controls and supervision to ensure that it is not violating the law, Goldman has created a culture of being a repeat federal defendant,” Romero said.
In July, Deutsche Bank was fined $186 million by the Federal Reserve Board for violating previous consent orders related to sanctions and AML weaknesses and control failures.
The Fed determined Deutsche Bank made “insufficient progress” in addressing its concerns, and that the bank’s U.S. operations “have remained exposed to heightened levels of compliance risk without sufficient internal controls” to detect AML and sanctions violations.
That by itself would be enough to merit inclusion on our compliance fails list. But Deutsche Bank also ran afoul of German regulator BaFin for not filing suspicious activity reports in a timely manner, was fined $25 million by the SEC for a subsidiary’s misleading disclosures and AML failures, and paid $75 million to settle a class-action lawsuit filed by sexual assault victims of Jeffrey Epstein.
All in all, Deutsche Bank did little in 2023 to improve its checkered compliance track record.
T-Mobile contended with at least three cybersecurity-related incidents in 2023, with the largest exposing approximately 37 million customer records.
Data breaches are nothing new at T-Mobile; a 2021 breach exposed more than 76 million customer records, and the telecommunications company has earned a reputation for playing fast and loose with its customers’ personal information.
Each time the company is breached, it promises to do better and implements more safeguards and controls, only to be breached again. It’s as much an information technology failure as a compliance failure, but either way, it’s a mess that needs to be cleaned up.