Crackdown against financial misdeeds during lockdown leads to worldwide enforcement actions

Fines levied against financial firms for data breaches and compliance failures have rocketed over the last year.

Research by digital transformation firm Fenergo found that 198 fines were imposed in 2020, 141 per cent up on last year, with penalties totalling $10.4 billion.

“2015 was a record year for enforcement actions, but 2020 has the potential to match or top that year’s total if significant investigations are concluded by the end of the calendar year,” says Rachel Woolley, Fenergo’s global director of financial crime.

In terms of data privacy, GDPR fines this year were much the same as in 2019, tapping out at $1.7 million.

Catch up on the latest GDPR news and data breaches

The biggest fine for a data privacy breach – $80 million – was imposed on Capital One by the US regulator for its 2019 cloud data-related breach.

The issue – which exposed the social security numbers of hundreds of thousands and the bank details of tens of thousands – was later blamed on a rogue former AWS employee and misconfiguration of the (Capital One-designed) web application.

The US and Europe have long been the twin centres of data breach enforcement actions but this seems to be changing, in part because of the rise of China and India as economic powerhouses in the global economy.

The number of data privacy fines issued in the APAC region increased significantly over the last year, with a $529,027 fine issued in India and seven fines issued in China totalling $6.4 million.

There have been two big shifts over the last year, says Woolley.

“APAC has overtaken the US in terms of the value of enforcement actions for the first time since 2015 – driven by recent FATF activity and the repercussions of the 1MDB scandal - and there has been an increased focus on individuals being penalised than we have seen in previous years,” she says.

YOU MAY ALSO LIKE More than half of GDPR fines issued by UK data privacy watchdog remain unpaid

“In addition to imposing penalties on financial institutions, regulators and authorities in China, the UK and the US have held individuals accountable for compliance failings.”

The figures include a $6.8 billion action against Goldman Sachs for its involvement in the 1MBD scandal, which saw Malaysia’s then-prime minister Najib Razak accused of channelling funds from 1Malaysia Development Berhad, a government-run strategic development company, to his personal bank accounts.

Other major fines include a $1 billion penalty against an Australian bank for money laundering and a $25.4 million fine from the US Office of Financial Sanctions Implementation (OFSI) to a UK bank for contravening financial sanctions against Russia imposed in the wake of the conflict in Ukraine.

The US issued the biggest collection of fines – $4.35 billion – followed by Malaysia with $3.9 billion and Australia with $900 million.

There has also been a trend to hold individuals, as well as organisations, responsible for compliance failings.

“While banks may hold reserves explicitly to settle enforcement actions, individuals will suffer a far greater personal impact,” says Woolley.

“This, along with greater whistleblowing protection and incentives, will make a difference in tackling the industry-wide issue of financial crime.”

RELATED Australia proposes Privacy Act 1988 reforms inspired by EU’s GDPR