Bank of England fines Citigroup £44m Over Poor Financial Information

The Bank of England has fined the UK branch of the US bank Citigroup a record £44m because the bank submitted incomplete and inaccurate regulatory returns to the Bank between 2014 and 2018.

According to the Bank of England, Citigroup fell short of the expected standards in those years; the problems were ‘serious and widespread in nature’ and the bank had not presented an accurate picture of its financial position.

The fine was imposed by the Bank’s Prudential Regulation Authority (PRA), which supervises the financial soundness of about 1,500 banks, building societies, credit unions, large investment firms and insurers in the UK. It is the largest fine the Bank of England has ever imposed.

According to the PRA, the bank’s reporting systems were inadequate, Citi did not have enough staff working on regulatory accuracy, documentation was lacking, and Citi’s oversight and governance ‘fell significantly below the standards expected’. The errors and oversights included ‘six substantive matters’ that gave rise to notable misstatements.

Citibank is a New York-based bank and the third largest in the US, with $2tn in assets and operations in 100 countries. It is classed as a global systemically important bank.

According to the PRA, 

“The pervasiveness of the errors and misstatements identified in the firm’s returns raised fundamental concerns about the effectiveness of Citi’s UK regulatory reporting control framework.”

Citibank would have faced a fine of £62.7m, but because it cooperated with the PRA it received a 30% discount. It should be noted that Citi has at all times held liquidity and capital above the levels the Bank requires.

Sam Woods, deputy governor for prudential regulation and chief executive of the PRA said,

“Accurate regulatory returns from firms are vital for the PRA in fulfilling our role. Citi failed to deliver accurate returns and failed to meet the standards of governance and oversight of regulatory reporting which we expect of a systemically important bank.”

Citi cooperated fully with the PRA, and a spokeswoman for Citi said,

“Citi has fully remediated the past regulatory reporting issues identified by the PRA and settled this matter at the earliest possible opportunity.” 

Initial CCPA Compliance Costs Could Hit $55 Billion: Report

According to an economic impact assessment prepared for the state attorney general’s office by an independent research firm, California’s new privacy law could cost companies a total of $55 billion to come into compliance. Total CCPA compliance costs are likely to vary considerably with the type of company, the maturity of its existing privacy compliance program, the number of California consumers it provides goods and services to, and how personal information is currently used in the business.

The CCPA provides sweeping privacy protection to California residents. It includes a provision that allows consumers to know what data companies are collecting about them. The law grants California residents the right to be informed about how companies collect and use their data, and allows them to request that their personal data be deleted, among other protections. It represents the start of a new era of privacy laws designed to protect personal data, says Kelsey Finch of the Future of Privacy Forum. The CCPA’s deletion right lets consumers have their personal information removed from a company’s database.

Businesses Affected by the CCPA:

The CCPA will affect three categories of business in California:

  • Companies that have gross revenue of at least $25 million.
  • Companies that buy, sell and share the personal information of 50,000 or more consumers, households or devices.
  • Companies that get 50 percent or more of their annual revenue from selling consumers’ personal information.

By the report’s estimates, companies with fewer than 20 employees will pay about $50,000 for compliance, while large companies with more than 500 employees will pay an average of $42 million. The total comes to 1.8% of California’s Gross State Product. According to the report, total compliance costs for the companies subject to the law could range from $467 million to more than $16 billion over the next decade. Researchers estimated that as many as 75% of California businesses earning less than $25 million in revenue would be affected by the legislation. Other states have begun to pursue privacy legislation, and Facebook CEO Mark Zuckerberg has advocated a nationwide policy: a single legal standard for tech firms would reduce cost and complication compared with a piecemeal approach to compliance.

Because many California businesses that operate in Europe already had to make changes to comply with the GDPR, which went into effect last year, and the CCPA borrows some elements from the GDPR, the research suggests that compliance costs for California’s law will be reduced accordingly. The EU estimated that average incremental compliance costs for the GDPR would total about 5,700 euros a year (nearly $6,300), according to the report, though there is also evidence that the regulation reduced productivity in sectors that rely heavily on data. Under the GDPR, smaller firms are likely to bear a disproportionately larger share of compliance costs than larger firms.

CCPA: Inheriting from the GDPR:

Over a year after the introduction of the GDPR, concerns about its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs. Sources explain this dichotomy by noting that large technology companies are often several steps ahead of both competitors and regulators. In the long term, however, the differential impact is expected to shrink, driven in part by competition among third-party services that help small businesses comply with the legislation.

Economic Impact on Companies:

Companies will face an economic impact from the CCPA. Smaller companies with fewer than 20 employees are expected to spend about $50,000 in initial CCPA compliance costs, while mid-sized firms with between 20 and 100 employees could incur costs of $100,000 to start, according to the study.

The expenses come at a time when companies are reaping big rewards from the buying and selling of personal consumer data. The use of personal data in online advertising is a $12 billion annual business in California. When combined with the buying and selling of information from data brokers, the number rises to $20 billion annually.

California businesses could spend an additional $16 billion over the next decade after initial compliance expenses to keep up with changes and other expenses, according to the report. Those expenses could include hefty fines for those who violate the law.

A recent report from the International Association of Privacy Professionals found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.

Meanwhile, some other state legislators are using California law as a model. In Nevada, for instance, a new privacy law went into effect on Oct. 1. That law, known as Senate Bill 220, will give consumers more ways to keep websites from selling personal data.

Businesses that need to comply with the CCPA:

The following kinds of business hold large volumes of private data that the CCPA requires them to protect:

  • E-Commerce: Online businesses hold large volumes of private data and profit from it. A user browsing the web is profiled by AI-based products, and products matching their interests are shown to attract them; user data is thus used to drive sales of the products advertised. The CCPA will raise the privacy standards of businesses across the globe by giving consumers enforceable rights over this data.

  • AI-based Verification Services: As KYC and AML regulations become more stringent, businesses are adopting identity verification services for their customers and for other businesses. To do this, providers hold large volumes of client data that they have to verify. Identity verification service providers handle some of the most confidential data of all, so they must follow the provisions of the California Consumer Privacy Act.

  • Social media: Social media plays a vital role in consumers’ shopping decisions and is a platform for targeting audiences of interest. According to one study, 87% of shoppers are satisfied with the shopping experience through social media. Many social media marketing tools are employed to reach the audience of interest and improve sales of a particular product, and businesses deploy them well. These marketing products make use of information available on social media platforms. Social media sites will have to change their practice of selling users’ personal information to third parties: the user’s consent must be obtained before data is sold to a third-party business.

So, businesses need to comply with CCPA for the protection of private data of consumers. Since many California businesses had to comply with Europe’s General Data Protection Regulation last year, some of the compliance costs for the new state law will likely be reduced, according to the report’s authors. Many businesses need to comply with CCPA to mitigate the risk of a data breach. The law will go into effect on Jan. 1, 2020.

Enhanced Due Diligence: Ensuring KYC and Regulatory Scrutiny

Enhanced Due Diligence: The adoption of innovative solutions in business today should not have the sole purpose of making profit. A broader vision is required that looks into the secondary dependencies that can affect a business. These dependencies range from third-party services and partners to associated regulations and compliance requirements. Rather than focusing only on revenue generation, businesses should also ensure knowledge of local regulations and guidelines.

Customer identification and verification are crucial steps for businesses to meet Know Your Customer (KYC) guidelines. When partnering with third parties, businesses, and especially financial institutions and banks, which deal with many other industries, must ultimately comply with the requirement to know their counterparts fully. This is the first step towards curbing the risk of harsh penalties and local regulatory fines.

A recent study shows that in the EU regulatory fines can reach €20 million, or an estimated 4% of a business’s annual revenue. In countries such as Australia and Brazil, the cost is about $1,000,000 per violation. KYC compliance is the step that can deter such large monetary losses. When banks open new accounts for users, they need to conduct a Customer Due Diligence (CDD) process, which establishes the user’s identity under certain KYC parameters. It includes Anti-Money Laundering (AML) background checks, terrorist financing checks, and checks for Politically Exposed Persons (PEPs), to ensure that no prohibited entity becomes part of a legitimate business.

Enhanced Due Diligence (EDD) builds on CDD: the security perspectives and guidelines that CDD does not cover are handled by EDD. It addresses high-level security risks that could affect the business directly or indirectly. Hidden security challenges, identity assurance, risk assessment and evaluation are all part of EDD. High-risk privacy and security concerns are eliminated with EDD compliance at an organizational level, and the monitoring and screening of entities and transactions reduce the chances of online fraud and payment scams, bringing soundness and reliability to the business.

The intersection of Enhanced Due Diligence and KYC

EDD and KYC both serve the purpose of customer authentication. EDD policies intersect with KYC to ensure a rigorous onboarding process for end users. Data should be collected, examined and processed responsibly, and detailed auditing should be performed to keep track of the activities carried out in the system. Access to data should be controlled so as to limit the number of users who can reach sensitive user data; in this way there is less chance of the data’s integrity being compromised. EDD requirements also address the KYC risks associated with each verification, with individual risk calculation and assurance before further processing. Identities should also be verified against money laundering and counter-terrorism checks to make sure that only honest traffic comes on board.

Under local regulatory compliance regimes, EDD also covers the data privacy and protection rights of the user. Users’ data privacy rights cover the purposes for which data is collected, analyzed and processed, as well as how long data will be kept in the database and the tasks in which it will be used. Organizations that fail to comply with these laws are subject to heavy lawsuits.

Regulatory Penalties Around the World

Comparing data protection regulations around the globe shows that about 65% of countries have amended their policies or adopted the GDPR’s requirements since it was announced. Penalties depend on how each country frames its local regulatory compliance, and lawsuits can follow accordingly in the event of non-compliance. The fines apply not only to those who suffer a cyberattack or data breach but to every business that fails to comply with local regulators. Below are some of the countries and companies recently fined:

Germany: Germany’s first fine dates back to July 2018. A German social media network named Knuddels was hacked, compromising the information of more than 330,000 users, including 808,000 email addresses and the associated passwords. The data was exposed because Knuddels had stored user information in plain text, which is entirely against the GDPR. The company discovered the breach in September, blocked all the affected user accounts and informed those users. For this data breach Knuddels received a relatively small fine of €20,000, which many people debated, although the local regulator found it proportional to the loss the company had suffered. The company has since put strong security measures in place to protect its system from similar incidents.
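The Knuddels case turns on one technical decision: keeping passwords as-is in the credentials table. The following is an added example, not code from the original article or from Knuddels, contrasting that plaintext store with the salted, iterated hash that a breach of the same table would not expose. The usernames, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the demonstration (not real users).
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# --- Pattern behind the fine: the credentials table holds the password itself. ---
# Anyone who can read the table (a breach, a stray backup, a mis-shared export)
# immediately holds every password, usable here and wherever it was reused.
def store_plaintext(users: Dict[str, str]) -> Dict[str, str]:
    return dict(users)

def check_plaintext(store: Dict[str, str], user: str, password: str) -> bool:
    return store.get(user) == password

# --- Hardened form: the table holds a per-user salt and a slow, salted hash. ---
PBKDF2_ITERATIONS = 600_000  # assumption: tune the work factor to your hardware budget
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt means two users with the same
    password get different records, so one cracked record says nothing about others."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def store_hashed(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: hash_password(pw) for user, pw in users.items()}

def check_hashed(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)

def record_exposes_password(store, user: str, password: str) -> bool:
    """What a reader of the stored table learns directly: True if the stored
    record literally contains the password (the plaintext design), else False."""
    record = store.get(user)
    if record is None:
        return False
    if isinstance(record, str):
        return record == password
    return any(password.encode("utf-8") in part for part in record)

if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_USERS)
    strong = store_hashed(SAMPLE_USERS)
    print("plaintext table exposes bob's password:", record_exposes_password(weak, "bob", "hunter2"))
    print("hashed table exposes bob's password:   ", record_exposes_password(strong, "bob", "hunter2"))
    print("hashed login still works:", check_hashed(strong, "bob", "hunter2"))
```

PBKDF2 is used because it needs nothing outside the Python standard library; where available, a memory-hard function such as scrypt (also in `hashlib`) or Argon2 is the better choice, and the same salt-per-user and constant-time comparison rules apply.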

Poland: Poland’s DPA imposed a fine of €220,000 on April 1, 2019 on Bisnode, a digital marketing agency that failed to meet the requirements of the GDPR. Bisnode scraped and processed data without notifying the data subjects, which led to the heavy fine: under the GDPR, user data cannot be used without the subjects’ permission. Additionally, Bisnode was required to write to 6 million people within the next three months, costing it an extra €8 million. Had the company notified its end users beforehand, it could have avoided this heavy cost.

Google: In January 2019, Google was fined a hefty €50 million. The breach of GDPR requirements came to notice when data subjects complained about Google’s inappropriate method of asking for their consent. Transparency, one of the key principles of the GDPR, was not met. Under the GDPR, consent must be freely given, informed and granular, and must involve affirmative action. Google failed to comply with these specifications because its consent boxes were pre-ticked, which does not count as valid consent.

How Does Enhanced Due Diligence Help Avoid Penalties?

One of the major challenges with EDD is to know how much information is required from a customer to verify the identity. Electronic checks are implemented by financial institutions that automate the tasks of verifying identities against money laundering and terrorist financing. These tasks are audited automatically which keeps the track of entities entering and leaving the system while screening them against multiple checks. Their activities are constantly monitored to avoid the chances of malicious actors being part of the system.

Online Identity Verification

Verify onboarding customers using the necessary personal information, i.e. name, date of birth, address, age, etc. (varying with the business niche). This reduces the risk of the online fraud that takes place every day in many guises.
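The two passages above describe automated checks against watchlists, an audit trail of every screening, and verification from name and date of birth. The following is an added illustration written for this page, not the article author’s product or any real screening system: the watchlist entries, applicants, the jurisdiction code and the audit key are all constructed placeholders. It shows the parts a practitioner has to get right: name normalization before matching, a fixed escalation rule, and an audit entry that records the decision without copying personal data into the log.

```python
import hashlib
import hmac
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed watchlists for illustration only; a real program consumes official
# sanctions and PEP feeds. Every name here is invented.
SANCTIONS_LIST = ["Ivan PETROV", "Acme Shell Holdings Ltd."]
PEP_LIST = ["María González-Ruiz"]
# Placeholder secret for pseudonymizing audit entries; load it from a secret store in practice.
AUDIT_KEY = b"replace-with-key-from-secret-store"

def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace, so that
    'MARÍA González-Ruiz' and 'maria gonzalez ruiz' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    alnum_only = re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold())
    return " ".join(alnum_only.split())

_SANCTIONED = {normalize_name(n) for n in SANCTIONS_LIST}
_PEPS = {normalize_name(n) for n in PEP_LIST}

@dataclass
class Applicant:
    name: str
    date_of_birth: str   # ISO 8601 date, constructed
    country: str         # ISO 3166-1 alpha-2 code

@dataclass
class Decision:
    outcome: str                      # "onboard", "enhanced_due_diligence" or "reject"
    reasons: List[str] = field(default_factory=list)

# Audit trail of every screening: records what was checked and decided, keyed by
# a keyed hash of the applicant rather than a copy of their personal data.
AUDIT_TRAIL: List[Dict[str, object]] = []

def applicant_reference(applicant: Applicant) -> str:
    material = f"{normalize_name(applicant.name)}|{applicant.date_of_birth}".encode("utf-8")
    return hmac.new(AUDIT_KEY, material, hashlib.sha256).hexdigest()[:16]

def screen(applicant: Applicant, high_risk_countries: FrozenSet[str] = frozenset()) -> Decision:
    """Run the automated checks and map their findings to an onboarding decision."""
    reasons: List[str] = []
    key = normalize_name(applicant.name)
    sanctioned = key in _SANCTIONED
    if sanctioned:
        reasons.append("name matches sanctions list")
    if key in _PEPS:
        reasons.append("politically exposed person")
    if applicant.country in high_risk_countries:
        reasons.append(f"high-risk jurisdiction {applicant.country}")

    if sanctioned:
        outcome = "reject"                    # a sanctions hit is never onboarded automatically
    elif reasons:
        outcome = "enhanced_due_diligence"    # PEP or jurisdiction findings escalate to EDD
    else:
        outcome = "onboard"

    AUDIT_TRAIL.append({
        "ref": applicant_reference(applicant),
        "checks": ["sanctions", "pep", "jurisdiction"],
        "outcome": outcome,
        "reasons": list(reasons),
    })
    return Decision(outcome, reasons)

if __name__ == "__main__":
    for a in (Applicant("ivan petrov", "1970-01-01", "GB"),
              Applicant("MARIA GONZALEZ RUIZ", "1980-05-05", "ES"),
              Applicant("Jane Doe", "1990-02-02", "GB")):
        print(a.name, "->", screen(a))
    print(AUDIT_TRAIL)
```

Exact matching after normalization is deliberately the simplest workable rule; production screening adds fuzzy matching and date-of-birth disambiguation, but the escalation logic and the pseudonymous audit entry stay the same.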

Avoid Financial Crime

With EDD, dirty money, including money from PEPs, terrorists and money launderers, can be kept out. EDD covers the necessary security precautions, ensuring soundness and transparency in the system and deterring the risk of financial crime.

Clear Compliance Details

The company’s compliance details should be clear. A data breach does not necessarily show how secure your software is, but the key step is complying with local regulators and privacy programs. The business’s policies and compliance documentation should clearly state the laws that apply to your specific business niche.

Fintech Compliance – Boogeyman for Trillion Dollar Industry?

The Fintech industry is flexing its muscles, bringing more and more customers on board and innovating its way to higher valuations and larger transaction volumes. In the US alone, 2018 saw $11.89 billion of funding go into Fintech ventures, and more than $100 billion was invested in Fintech ventures globally. There are currently 39 Fintech unicorns in the world with a total estimated worth of $147.37 billion. Digital payments through Fintech products surpassed $3.5 trillion in 2018 and are expected to reach $6.6 trillion in the next 5 years. Fintech companies have ventured into diverse business categories and financial services such as mobile payments, crowdfunding, P2P lending and online transaction platforms, and some are now even developing products for asset management. But this innovative sibling of the conventional financial industry has had its own share of problems, with Fintech compliance the most prominent among them.

It was recently declared on a Fintech forum that by 2030, the biggest bank of the world will be a tech company, but without properly introducing a tech-friendly regulatory landscape and investing substantial resources in regulatory compliance, this seems to be a distant dream.

The Cost of Non-Compliance

Several Fintech companies have been fined millions of dollars for one reason or another because of their failure to comply with specific user-centric regulatory guidelines. Dwolla was fined $100,000 by the Consumer Financial Protection Bureau (CFPB) for misrepresenting its data security practices. Ripple Labs was made to pay $700,000 by FinCEN for failing to identify its business as a Money Services Business (MSB). One Fintech company had to pay $6 million after the CFPB found that the platform’s lending practices violated the regulator’s consumer protection guidelines. There are many other instances of Fintech companies receiving substantial penalties, either for failing to adopt consumer security compliance or for lacking a satisfactory safety net for user data protection.

Why Is Fintech Compliance So Complicated?

The idea behind Fintech was to use the latest technology, with the mobile phone ruling the roost in the current decade, to create a streamlined user experience in the financial services industry. Small businesses and ordinary users were particularly tired of the brick-and-mortar branch model and wanted a service delivery model that was both swift and efficient. Enter the Fintech products that championed the cause of “lightning fast transactions” and a “minimal to no paperwork” business model.

But regulators were more concerned with the relative anonymity of Fintech products and the transactions processed through them, and with the susceptibility of these innovative solutions to exploitation by criminal elements transferring funds for illegal activities. Money laundering and terror financing were even bigger concerns that called for strict financial technology compliance. But, as one can imagine, this ran directly against the basic working principles of Fintech.

The Fog around Fintech Compliance

The complication of Fintech compliance is aggravated by the fact that the majority of regulators overseeing the financial service industry lack the specific guidelines to govern unique and innovative business models adopted by multiple Fintech companies. With the fluid and amorphous nature of Fintech companies, the brilliant minds behind such a booming tech industry also find it hard to pin down a single regulator that single-handedly deals with the kind of services that they have to offer.

And even when there is clarity about the regulator or the specific guidelines a Fintech has to follow, compliance creates friction in the user experience. For example, a Fintech startup operating as a digital wallet, mobile payment system or peer-to-peer funds transfer service within the US has to comply with the Bank Secrecy Act (BSA) and will be designated a “Money Service Business”. As a result, the platform will have to develop an AML compliance solution, perform KYC for every incoming user, report transactions beyond $10,000 and even file suspicious activity reports; and if you think that is it, you are wrong. A Fintech based in the USA can also fall under the purview of OFAC, FinCEN and the SEC. Canada has FINTRAC, the UK has its FCA, and Fintech companies Down Under have to follow the guidelines of AUSTRAC.

But the toughest cookie of all was launched last year in the European Union under the name of the General Data Protection Regulation, a.k.a. GDPR, which takes data security and user privacy to a whole new level, even for companies not based in the EU that want to serve clients within its jurisdiction.

The Economics of Fintech Compliance

The cost of having a KYC utility or implementing an AML compliance solution can be really tricky for Fintech businesses, not to mention the importance of a GDPR checklist to ensure that no provision of this EU data privacy law is left out of their business or service delivery practices. Conventional financial services companies such as banks or insurers can easily bear compliance-related expenses from their large coffers of revenue, but Fintech companies in the nascent stage of their existence must scale their operations and balance their budgets accordingly. Fintech startups, like all other startups, are already limited in resources, and huge regulatory fines can cripple the backbone of such early stage companies.

Another economic factor linked with Fintech compliance is that whenever a company, especially in its pre-valuation days, is fined by a regulator for non-compliance, it attracts a lot of bad press that will hurt any future prospects of VC funding or investment pledges from private equity.


It is not hard to guess that the future of the global financial system depends on Fintech products; even sovereign states and economic powers such as Germany have publicly acknowledged this at the recent G20 summit. But complying with regulatory guidelines will be crucial to sustaining the growth of, and trust in, these products.

Regtech seems to be the right solution to counter the needs and demands of the Financial industry in general and Fintech companies in particular. There are several third-party service providers that are offering KYC services, AML compliance, and other tech products to comply with official guidelines of regulators. With a common technical background and hunger to disrupt conventional service delivery models, Fintech and Regtech can change the future of personal as well as institutional finance forever.
