Author: Neil Miller

Managing the Risks of Crypto Assets for Buyers

In this article, Will Charlesworth at Saunders Law discusses with Neil Miller, founder at crypto due diligence firm TenIntelligence, the risks associated with purchasing crypto assets and how they may be mitigated and managed.

Fear of Missing Out

We are in the midst of a crypto asset gold rush, with cryptocurrencies and NFTs being the must-have investment assets.

However, cryptocurrencies and NFTs are so new, and the fear of missing out is so great, that many purchasers are not carrying out what might be termed ‘sensible’ or even ‘essential’ due diligence before buying. The result is an increased risk of loss (and in some cases, litigation); as we will explore in this article, the purchasers of crypto assets cannot rely solely on government regulation or lawyers (as good as they may be) to be their only protection or risk mitigation.

What is the Risk?

In the UK, unlike other forms of investments, crypto assets are currently largely unregulated. The press is reporting an increasing number of cases of fraud: from investment scams involving the mis-selling of cryptocurrencies at the Initial Coin Offering stage, to copyright infringing NFTs (leading to liability and loss for the purchaser), to the theft of tokens from crypto coin exchanges and wallets.

Whilst fraud can be reported to the Police/Action Fraud (and we would always suggest it should be in any event), the authorities often do not have sufficient resources to investigate and prosecute wrongdoers.

In many cases it is therefore left to specialist commercial litigators to seek to enforce individual rights and recover assets.

The number of cases being brought in the English courts against coin exchanges, cryptocurrency and NFT creators (and traders) has increased exponentially over the last few months, keeping specialist lawyers in the crypto field extremely busy.

Risk cannot be eliminated, and we therefore need to consider some practical ways in which to mitigate and manage the risks associated with purchasing crypto assets.

Is Regulation the answer to Risk Mitigation and Management?

In short, the answer is no, currently.

The UK government has plans to strengthen the rules on crypto asset advertisements and protect consumers from misleading claims, by bringing the promotion of crypto assets within the scope of financial promotions legislation. However, at the time of writing, such plans are yet to be implemented. The government says that it does not wish to stifle innovation in the crypto sector, but it wants to ensure greater safeguards are in place.

Certain crypto assets, such as NFTs, may fall within regulation if they match the criteria of either ‘electronic money’ (under the UK Electronic Money Regulations 2011) or a ‘security token’ (as a specific investment under the UK Financial Services and Markets Act 2000 (Regulated Activities) Order 2001). However, outside of those specific token definitions, there is little to no regulation or safeguards.

The Financial Conduct Authority (FCA) has taken steps to bring those carrying out crypto business in the UK within the existing Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations that cover other regulated businesses; however, that may in practice do little to protect purchasers.

Those having to register with the FCA under the AML and CTF regulations include crypto asset exchange providers (including crypto asset Automated Teller Machines (ATMs), peer-to-peer providers and those issuing new crypto assets, e.g. Initial Coin Offerings (ICOs) or Initial Exchange Offerings) and wallet custodians.

The FCA’s responsibility under this regime is however limited to AML/CTF registration supervision and enforcement only. Registration under the MLRs does not mean that consumers will benefit from the protections of the Financial Ombudsman Service or the Financial Services Compensation Scheme (FSCS). Further, as most crypto assets are not “specified investments” it is unlikely that customers will have access to the Financial Ombudsman Service or FSCS.

The risk for purchasers of crypto assets here is also that if the business with which you are dealing is not registered when it should be, and is then subject to investigation and enforcement, it can have a negative impact on your assets, leading to loss if those assets are seized.

It should also be noted that HMRC is now taking an active interest in crypto assets and their potential seizure: for example, HMRC has recently seized three NFTs as part of a probe into a suspected VAT fraud involving 250 alleged fake companies.

In summary, one cannot rely solely on regulation at this time for risk management for a purchaser of crypto assets.

Are Lawyers the answer to Risk Management?

The answer is “yes, in part.”

Lawyers are often thought about too late in a transaction, i.e. after the asset has been purchased. For example, if a crypto asset has been mis-sold or stolen, and the seizure and recovery of the assets or funds paid for the assets are sought, a legal action can be brought as a means of recovery; however, this is all after the event.

Legal actions in respect of crypto assets can be expensive and the costs are front-loaded, as the first steps in any such action are often to:

    • trace the location of the crypto assets/funds;
    • identify the perpetrators; and
    • seek a proprietary injunction either over the assets themselves, or a freezing order over the assets of the perpetrators (or both).

There can be good chances of success in a legal action, however litigation always carries an element of risk.

Are lawyers only relevant after a purchase, when it goes wrong? Well, as we are discussing managing the risks of crypto assets, we would suggest that specialist crypto lawyers are retained to advise as to the risks of a particular purchase before it is made. For example, with an NFT it is necessary to consider the nature of intellectual property rights accompanying the token, and the relevant rights, including how the smart contract purporting to grant those rights is drafted. Due diligence on the asset and the rights accompanying it is something we would recommend.

Lawyers do play a part in risk management from a due diligence standpoint, but they are not the only available resource or the sole answer to the question.

Is Practical Due Diligence the answer to Risk Management?

The answer to the above is ‘yes, in part’.

It is often true that ‘prevention is better than cure’ and that certainly applies in the case of crypto assets. It is interesting that due diligence is always carried out in corporate transactions involving the sale and purchase of companies or other high-value assets, and similarly in the art world where provenance of a work is key. However, it is often not the case with crypto assets, which can cost as much as, or more than, ‘traditional’ investment assets such as property, businesses, and physical artworks.

Due diligence should apply as much in crypto as it does elsewhere. If we consider the example of an Initial Coin Offering (ICO), which is relatively common in the crypto world, the cryptocurrency will release a ‘white paper’ as a first step, which is a marketing tool that’s used to persuade and influence investors.

There is no standard template for a crypto white paper, however it will typically include a project outline, the solution it purports to provide, an overview of the team behind the offering, information regarding the token release and marketplace considerations (typically the value, the number of tokens to be in circulation, and the platform on which they are to be issued), and a project roadmap.

The information about the team may include photographs, short biographies, links to LinkedIn and Twitter profiles; it is designed to establish trust. An investor should be confident that the team proposed is capable of delivering on the project’s promises (the solution). A whitepaper is just a marketing tool however, and it’s vital to see and trust the information it represents. So, why not undertake some due diligence on the people and other companies behind the offering before investing?

Further, a whitepaper is a living document, updated and edited as the project continues, therefore due diligence is something that is likely to be required to be updated as the whitepaper is updated.

Will applying existing Financial Crime compliance measures work?

“Yes, applying compliance measures is a proven technique to help mitigate risk.”

Neil Miller outlines below how TenIntelligence can assist with practical due diligence, which has become essential in the current market.

Good financial crime compliance and anti-money laundering directives all require organisations to introduce a risk-based approach to enhanced due diligence and fraud prevention measures.  When assessing the risks of money laundering and terrorist financing, organisations should check whether any high-risk factors apply.

The biggest risk currently facing investors and crypto currency platforms is the anonymity and ambiguity of customers as well as some of the individuals and developers that are behind the companies offering crypto currency services themselves.

Although crypto currencies are not currently measured by the Financial Action Task Force (“FATF”) as a high risk, FATF does recognise that compliance processes are required in relation to Virtual Assets (“VA”) and Virtual Asset Service Providers (“VASPs”), in particular with regard to:

      • supervision or monitoring of VA, ICOs and their VASPs for anti-money laundering and counter finance terrorism purposes
      • licensing or registration of VA, ICOs and VASPs
      • fraud prevention measures, crypto due diligence, suspicious activity and transaction reporting
      • enforcement and sanction measures for offenders

Customer Due Diligence – a risk based approach

Let’s start with customer due diligence. When dealing with individuals or investors who are established in high-risk jurisdictions, or who are exposed to other cases of high risk, it is imperative that crypto companies identify the areas of risk and apply enhanced due diligence measures to manage and mitigate those risks appropriately. Specifically, to question:

      • whether their customers are operating in geographical areas of higher risk, including areas of non AML/CTF legislation, significant levels of corruption, countries subject to UN sanctions and/or countries harbouring designated terrorist organisations
      • whether ownership structures of larger investors appear unusual or excessively complex given the nature of their business
      • whether your organisation has received funds from unknown parties
      • what information you collect from your customers? Can you demonstrate sound “KYC – know your customer” compliance? How do you verify the information gathered?
      • whether any business relationships are conducted in unusual circumstances

ICOs, are they who they say they are?

Large and small investors will want to know who they are investing their assets with and the assurance that the ICOs are appropriate.  Will talked earlier about ICO due diligence and although there is no required template for the ICO organisation to complete, investors can still perform background checks on the management and developers who are behind the ICO platform.

The fundamentals of background checks remain the same regardless of the industry; they are just applied differently. In the ICO example, our team would determine the ICO’s integrity, ability and reputation by performing open source intelligence and background checks on the senior management, board directors, relevant executives and shareholders of the ICO.

We would specifically be looking for adverse information and risk, including undisclosed red flags, conflicting findings, and false or exaggerated statements, and would report these findings to the investor.

Background checks will include, but are not limited to, verifying their qualifications and employment history, analysing their financial status, examining their record as a board director, identifying whether there are any litigation, insolvency or court cases filed, digging deeper via archived media and press articles, and checking possible exposure to sanctions lists and politically exposed persons.

If required, an additional level of enhanced due diligence can be applied by providing investors with an independent analysis and assessment of the appropriateness of directors’ and developers’ professional backgrounds by speaking with former colleagues, clients and senior management that had previously worked with the individual.

All of these crypto due diligence measures, enhanced due diligence, industry insight interviews and regulatory references allow investors to invest with more assurance, confidence and compliance.

Conclusion

In summary, the answer to mitigation and management of risk when buying crypto assets is a combined approach of legal advice, and practical due diligence.

The disputes arising out of crypto assets, and the risk of such investments, are cause for a pause and an active, informed consideration of the steps that can be taken to understand and manage risk before proceeding with a purchase of a crypto asset.

The current crypto asset market is volatile and immature, presenting an elevated risk of loss, liability and, in some cases, litigation. Due diligence before a purchase that includes legal and practical investigation is, in our view, an essential step for any purchaser in managing their risk.

If you would like to discuss the issues raised in this article or require specific advice as to a crypto asset purchase or sale, please contact Will Charlesworth at will.charlesworth@saunders.co.uk and Neil Miller at TenIntelligence on neil.miller@tenintel.com.

Data Protection News | September 2022

International Data Transfers

Turning to our previous August Newsletter, you may recall we have previously talked about the upcoming requirement of Transfer Risk Assessments (“TRAs”) in addition to the supporting International Data Transfer Agreements (“IDTAs”).

When transferring personal data to a ‘restricted country’, an International Data Transfer Agreement and supporting Transfer Risk Assessment is required. This is a regulatory obligation organisations must meet to remain compliant with the ICO’s guidelines and regulations from this month, the 21st of September 2022.

Hint: Having a Data Map, which I know some have already made a start on, is a great tool to visualize and plan where you may be transferring personal data. It should now include ‘restricted countries’, which require TRAs and IDTAs post sharing; consider future foreign data projects here too. You may also review and update internal supporting processes and procedures that could be used during this type of exercise.

Children’s Code

Children’s Code Self-Assessment Tool. With many children recently returning to their classrooms, it is a time where many parents may be educating their children on online harms and threats and how they can protect their own personal data.

With this in mind, it is a good time to remind you this tool is available to you and what some of the key challenges are, shown below:

  • Providing child friendly privacy information
  • Assessing the online service appeal to children of different ages and whether children use the service
  • Applying appropriate age assurance measures
  • Implementing new controls to existing services or products

You can find the assessment tool on the ICO’s website https://ico.org.uk/for-organisations/childrens-code-hub/children-s-code-self-assessment-risk-tool/.

ICO Complaint Handling

The ICO have recently published guidance on how small businesses handle Data Protection related complaints.

You may find even with the correct policies and procedures in place, people including staff may not be happy with how their personal data has been handled.

How you manage a complaint, right from the moment you receive it to the moment you provide a final response, matters: not only does effective complaint handling show the complainant you take their expression of dissatisfaction seriously, but it protects company reputation and can improve service levels.

The ICO’s guidance on how to handle complaints is made up of 6 stages:

Step 1- Acknowledge Receipt- Provide the subject with information explaining next steps, provide them a point of contact and reassure them you are investigating their complaint. Having a customer friendly Complaints Procedure is a great way of doing exactly this.

Step 2- Find Out What’s Gone Wrong/Source of dissatisfaction- Obtaining as much accurate information as possible is essential when carrying out root cause analysis. If you don’t know what has gone wrong, how are you going to know how to put it right, prevent it happening again, and identify if the complaint is one that is reportable to the ICO?

Step 3- Provide Regular Updates- Providing regular updates on where you are with the subject’s complaint provides reassurance that you take their complaints seriously and helps minimise any frustration the subject may feel. In many cases it also makes working with the complainant a smoother and nicer process for all. Quite often a company’s customer-facing Complaints Procedure outlines at which stages of the complaints procedure the subject can expect an update from you.

Should you want further guidance on customer-facing Complaints Procedures and/or how often you should contact complainants, please contact our DPO, who will provide advice on ‘best practice’ and review any regulatory obligations you may have, such as those under the FCA.

Step 4- Record Your Actions- Make a record of the date you received the data protection complaint and the date your response is due. Keep details of any related conversations and copies of all relevant documents from start to finish, including the reasons for the decisions you’ve made, and any action taken, or not taken. It will also provide evidence of what you’ve done, which the ICO or industry bodies may need in the future.

Step 5- Respond to Complainant- Having completed your investigation, let the person know the outcome. Clearly explain what you’ve done to resolve the data protection complaint and any actions you’ve taken as a result. Include enough information to help them understand how you’ve reached your conclusion. It can be useful to bullet point the complaint areas and respond to each point, providing appropriate evidence where possible.  You should also let the complainant know they have the right to complain to the ICO.

Step 6- Review Lesson Learned- Once you’ve responded to the complainant, take the opportunity to review what happened and review any ‘root cause’ you have identified. Consider if there’s anything you can learn or improve on to prevent future complaints, and what remedial or preventative measures you could take.

Hint: Keep an eye out for trends, if you routinely see a lot of complaints in similar areas, an appropriate change can make all the difference.

Should you wish to find out more on how to handle complaints, including tone and pace when handling complaints over the phone, please do not hesitate to reach out.

Regulatory Prosecutions

The Irish Data Protection Commission has fined Meta-owned social media platform Instagram €405 million for violations of the General Data Protection Regulation.  The fine, which is the second largest GDPR penalty to ever be handed down, covers alleged violations stemming from Instagram’s default account settings for children ages 13-17 that exposed email addresses and phone numbers associated with child-operated accounts.

It is the third fine for a Meta-owned company handed down by the Irish regulator, after a 225 million euro fine for WhatsApp and a 17 million euro fine for Facebook. A Meta spokesperson said:

“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision”

For further information, guidance and advice on any of the subjects that have been mentioned in this month’s TenIntelligence Newsletter, please contact me at lynsey.hanson@tenintel.com

 

Kind regards,

Lynsey Hanson | DPO

TenIntelligence

www.tenintel.com/data-protection-privacy

AIM Director Due Diligence

Neil Miller, Founder at TenIntelligence was recently quoted in the Daily Telegraph Business section outlining the importance of director due diligence for AIM listed companies.

The firm Purplebricks has been forced to delay the appointment of its new boss as advisers examine the implications of a previous personal insolvency that has not been disclosed to shareholders. The online estate agent announced that Helena Marston was unable to take charge as chief executive on Monday as planned because due diligence checks are not yet finished.

It did not disclose the reasons for the hold-up, but sources said that concerns are focused on the fact Mrs Marston was declared bankrupt under her maiden name of Epplestone in September 2014.

As a company listed on the AIM junior stock market, Purplebricks must get board appointments vetted by its nominated adviser, Zeus.

The former personal insolvency was declared to Zeus as part of a questionnaire that Mrs Marston filled in when she was appointed. Her bankruptcy has been discharged.

Sources said there was an internal discussion about whether it should also be revealed to investors in a stock market notice on March 10 that announced her appointment. The details were included in a draft version of this announcement but then removed.

Neil Miller, chief executive of due diligence firm TenIntelligence, said that Mrs Marston’s credentials would have to be checked carefully as part of the appointment process.

He said: “Before any individual can be appointed to the board of an AIM listed company, the nominated advisor will need to complete their director due diligence. As part of this process the individual will need to submit, answer and disclose a Directors Questionnaire.

“Questions will give the individual the opportunity to include whether the individual has ever been subject to court cases, litigation, criminal records, disciplinary investigations and insolvency.

“Any adverse findings, unexplained gaps in their history or other red flags, have to be challenged as part of the judgement process before appointing the individual.”

Mrs Marston had served as chief operating officer under previous chief executive Vic Darvey, who resigned in March for personal reasons. She was not on the board in this role.

It is not the first time that Purplebricks has faced controversy. The company was fined £267,000 by HMRC in 2020 for violating anti-money laundering rules.

Purplebricks said: “Further to the announcement on 10 March 2022 relating to the appointment of Helena Marston as chief executive officer of the company, the company announces that due diligence checks required by the AIM rules are ongoing and therefore Helena’s appointment remains subject to completion of these checks.

“A further announcement will be made as soon as possible.”

 

How we can help:

We deliver concise due diligence on businesses, vendors, agents, individuals, customers and other counter-parties to satisfy financial crime compliance and AML demands, so that our clients can operate with confidence. We also assist clients to undertake detailed risk assessments and implement tailored programmes in order to overcome their compliance challenges and to deter financial crime.

For more information regarding our due diligence service, please email us via info@tenintel.com. Our team is looking forward to providing assurance and helping your organisation make informed decisions.

For more updates, you can follow us on LinkedIn @TenIntelligence.

What is modern slavery and human trafficking | and how due diligence measures help?

Generating about US$150 billion annually, human trafficking and modern slavery are the third largest global source of criminal profit, after drug trafficking and trading counterfeit goods. Analyst Fiona Harmsen reports…

Most of this dirty money moves through the global financial system. Therefore, financial institutions play a dominant role in the fight against human trafficking and modern slavery.

Slavery exists in situations of labour, domestic and commercial sexual exploitation, in which the person cannot refuse or leave due to threats or violence, but also in a situation in which someone exercises a power of ownership on that person.

According to the International Labour Force, in 2016, 24.9 million people were victims of forced labour.

Human trafficking is the “recruitment, transportation, transfer, harboring or receipt of persons, by means of the threat or use of force or other forms of coercion, of abduction, of fraud, of deception, of the abuse of power or of a position of vulnerability or of the giving or receiving of payments or benefits to achieve the consent of a person having control over another person, for the purpose of exploitation” (Palermo Protocol 2000)

The 3 most common types of human trafficking are sex trafficking, forced labour, and debt bondage. Human trafficking ranges from using children for pornography or armed conflicts to exploiting adults in forced labour.

How are human trafficking and modern slavery connected to financial institutions and what are their financial footprints?

From the manufacturing of our electronic devices to the food available in our supermarkets, our products can potentially be generated from forced labour coming from publicly listed trading companies that stock up major holdings from institutional investors.

On one hand, the financial sector can be connected to human trafficking and modern slavery via their own operations through their own business; this can be done directly, however, the most common connection lies through client engagement: many employees in financial institutions can play a major role in identifying and reporting signs of human trafficking.

On the other hand, financial institutions can also take part in human trafficking and modern slavery via their business relationships, which include but are not limited to investment, payments, and lending.

An illustration is a financial institution investing in a business in which modern slavery occurs.

These business relationships and connections vary: they can be with upstream providers of financial inputs and services or with downstream clients.

For instance, financial institutions produce services based on upstream financial inputs, such as subscriptions into banking borrowing.

The providers of these inputs may themselves be linked to human trafficking and modern slavery, especially if they are inputting capital generated from human trafficking and modern slavery.

Or, institutional investors may own equity stakes in businesses that rely on human trafficking and modern slavery directly or in their supply chains.

Or, banks may lend to such firms, insurers may provide them with policies, financial institutions may provide payment services to businesses involved in sex trafficking, etc.

How can due diligence help manage human trafficking and modern slavery?

Not only is due diligence a requirement of anti-money laundering legislation, it is also a way to help in the fight against modern slavery and human trafficking.

By identifying the signs

Recognising the signs of modern slavery and human trafficking is the first step in helping to manage it.

These signs can be found with the help of due diligence via behavioural indicators (such as evidence of emotional or physical abuse) and KYC process indicators (such as false ID documents or criminal associations).

Additionally, by using monitoring technology, financial institutions can recognize patterns of underlying human trafficking crimes in financial transactions.

Such transactions include hotel reservations made by the same individual for two rooms during the same period of time, or frequent purchases of small amounts of bitcoins.

Similarly, an unusual or unrelated number of joint account holders can be a sign of potential modern slavery and human trafficking.

By managing the risks

Alongside identifying the signs of modern slavery and human trafficking, due diligence also helps to manage these risks.

The process of managing risks takes different forms. It can be through facilitating asset confiscation and restitution, through revealing trafficking organisation membership and structure, or even through demonstrating the motive of traffickers.

Embellishment or Fraud? The importance of CV verifications

There are many examples of CV manipulation, embellishment and exaggeration.  Rae Legg explores the considerations regarding CVs and fraud.

“What’s the harm in a little white lie?”

“I’m not lying, I’m just omitting the truth!”

“Embellishment is just part of writing a CV!”

“Most job requirements are ridiculous!”

These are some of the many things people say in an attempt to justify lying about their qualifications or previous experience on their CVs. A question frequently asked on r/AskReddit is what people lied about on their CVs, and whether or not they got away with it.

The lies range from being fluent in a different language, having experience with a particular software, to purchasing forged diplomas with no regrets.

It is not surprising to hear how common CV fraud is.

A study conducted in 2019 by Credence and Higher Education Degree Datacheck (HEDD) found that out of the 55,000 CVs that were analysed, 15% returned academic discrepancies, ranging from inaccurate grades, different attendance dates, to making up a degree altogether.

Another survey from CV-Library in 2018 revealed that up to 92.5% of British people got away with lying on their CV, with approximately 71.6% getting a job as a result of their lying.

The frequency of people lying on their CVs may cause people to question or even downplay the harm involved with CV fraud.

History suggests, however, that there is, in fact, a lot of harm, and that people who lie on their CV will most likely go on to lie about other aspects, or even commit fraud further down the line, having realised that they’ve got away with the first lie.

In October 2018, a woman from New Zealand was jailed after being found out for lying about having a medical degree when she registered in the UK and practised psychiatry for 22 years with no official qualifications. She had attempted to fake a dementia patient’s will and applied for power of attorney in order to inherit the patient’s £1.3m estate.

This is not an isolated incident. There are many other cases, including the case of ‘Dr’ Daniel Mthimkhulu, who not only lied about having a PhD in rail engineering when interviewing for the Passenger Rail Agency of South Africa (Prasa) and caused the “Tall Trains” scandal, but also created a fake counteroffer from a rival company in order to increase his salary. He has now been ordered to pay Prasa back R5.7m.

And most people are very aware of the story of the NHS fraudster, Philip Hufton. As detailed in our January 2021 insight, the former senior Business Development manager of an NHS Foundation trust lied about numerous qualifications, such as a PhD and a Master’s degree, and incurred £350,000 worth of fake expenses.

Situations like the above are completely avoidable when recruitment teams invest more in verifying qualifications and previous experience, as opposed to prioritising numbers and bums-on-seats.

Fraudsters get discouraged from applying to roles as it becomes easier to distinguish dishonest candidates from honest ones, and therefore companies are protected from potential reputational, financial, and judicial risk.

International background checks into senior executives, managers and new hires entail rigorous interrogation and analysis of information gathered from a range of open sources.

Background checks should include searches of press articles, court records, company registries, public records and documents, insolvency registers, financial regulator fines and licenses, subscribed databases and sanctions lists, as well as social media platforms.

When required, background checks should cover global jurisdictions and research must be performed in key languages.

How we can help:

We have a team of Analysts and Associates who interrogate the individual’s CV, application forms and corporate history specifically looking for adverse information and risk, including undisclosed red flags, conflicting findings, false or exaggerated statements and report these findings to the client.

Cyber Essentials as a Service, keeping CyberSimplified

Cyber Essentials (and Plus), the UK Government-backed standard cyber certification, ensures that companies, businesses, schools, charities and other organisations are demonstrating good cyber compliance. How can TenIntelligence help…

Our understanding of cyber threats, data protection and security audit procedures and vulnerabilities allows our Team to provide clients with measures to mitigate the risk of a data attack or breach.

How we can help

TenIntelligence works alongside clients; helping them with a guaranteed Cyber Essentials and Cyber Essentials Plus certification:

  • Conduct audits across the organisation to review, identify and assess where data is held and their access control processes
  • Perform internal testing to identify, implement and improve firewalls
  • Examine access control weaknesses, strengths and areas for development, providing a secure configuration system
  • Audit cyber protection measures, such as malware protection
  • Review all devices, hardware and software platforms to ensure patch management versions are current and updated
  • Work with the organisation to design and implement appropriate technical and internal measures to ensure data security is designed into all processes
  • Monitor and review procedures needed to ensure continued information security and Cyber Essentials compliance
  • Help organisations develop a staff training and awareness program

The full price is £999.00 plus VAT.

More advice can be found at www.tenintel.com/cyber-crime-investigations.

As always, if you require any assistance with data protection related issues, please contact us.

Follow TenIntelligence

For further information, visit www.tenintel.com/data-privacy-protection, where you can find out how we support clients with data protection and digital forensics support. Email us at info@tenintel.com and follow us on LinkedIn and Twitter @TenIntelligence for all updates.

Our Intelligence | Your Assurance

Data Protection Updates | June 2021

The GDPR turned 3 years old on 25th May 2021. The 2018 regulation has caused a paradigm shift in how organisations and nations around the world control and process personal data, and has made clear to Europeans their right to have their data protected and only used in a manner of which they approve. With Brexit implemented, a major hurdle for regulators is to finalise rules for UK-EU data transfers.

Please find below the most recent and important Data Protection updates.

New Standard Contractual Clauses for International Data Transfers under the GDPR

The Information Commissioner’s Office (ICO) is in consultation over the Summer to create new UK-Specific Standard Contractual Clauses (UK SCCs) to facilitate transfers of personal data outside the UK as a key part of new international transfer mechanisms for restricted transfers outside the UK. The new UK SCCs are unlikely to be substantially different from the EU SCCs, but will be specific to the UK. Data Controllers will need to have UK SCC agreements in place to continue making restricted transfers from the UK.

The ICO intends to publish draft UK SCCs for public consultation in summer 2021. In the meantime, organisations can continue to rely on the current SCCs for restricted transfers outside the UK. Once agreed upon, it is expected that the ICO will give organisations around 18 months to implement the new UK SCCs into their data import/export arrangements.

New EU standard contractual clauses adopted: 18-month deadline to reassess international transfers of personal data from Europe

On 4th June 2021, the European Commission formally adopted new standard contractual clauses for international personal data transfers from the European Union to third countries (“New EU SCCs”). These New EU SCCs take into account both the Schrems II decision and the requirements of the EU GDPR and enable businesses to account for a variety of complex data transfers.

The New EU SCCs bring in new rules for restricted data transfers, but are also somewhat more flexible than the existing SCCs. The New EU SCCs take a modular approach to implementation and cover a broad range of transfer scenarios including controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. The New EU SCCs include form provisions for granting specific or general authorization for processors to engage sub-processors in the context of controller-to-processor and processor-to-processor transfers and prohibit onward transfers to additional recipients in third countries unless the onward transfer recipient agrees to be bound by the SCCs, or another specified exemption applies.

The new standard contractual clauses will come into effect June 27, 2021. The old SCCs will be repealed three months following publication of the implementation decision, after which they may no longer be used for new data transfers. Businesses will have 18 months to update their existing data export/import arrangements with the New EU SCCs. It is important that businesses take the next 18 months to analyse the new SCCs to determine whether the new terms affect operational processes and update their existing data-transfer agreements.

Adequacy Decision

The UK is awaiting an adequacy decision from the European Commission for free transfers of personal data from the EU/EEA to the UK. The draft adequacy decision from the European Commission does not allow the UK to deviate from the protections guaranteed by the EU GDPR. Despite the transfer tools being broadly the same, organisations are facing a prospect of having separate SCCs for transfers to third countries from the EU/EEA and from the UK.

While the draft adequacy decision from the European Commission was broadly positive, MEPs recently voted to re-evaluate the draft decision; reviews are ongoing and a final decision is expected in the coming months. In the meantime, it is key that appropriate safeguards (e.g. SCCs) are in place in order to ensure data transfers remain possible if an adequacy decision cannot be made by July 2021 and no extension is agreed.

Data Sharing Code of Practice is laid before Parliament

On 18 May 2021, the ICO’s Data Sharing Code of Practice was laid before Parliament.

The new Code is a statutory code of practice, which the ICO is required to publish under the Data Protection Act 2018. The ICO is also required to take the new Code into account when considering whether an organisation has complied with data protection law when sharing personal data.

The Code aims to address misconceptions regarding data sharing, such as misconceptions surrounding consent, and that the GDPR and Data Protection Act 2018 prevent data sharing.

The ICO issued a statement on 18 May 2021, stating: “The new data sharing code aims to give businesses and organisations the confidence to share data in a fair, safe and transparent way, and it dispels many of the remaining myths about data sharing. The code will guide organisations through the practical steps they need to take to share data while protecting people’s privacy.”

The new Code will now lie before Parliament for 40 sitting days before coming into force.

In addition to the Code, the ICO has published additional resources on its data sharing information hub. Organisations should familiarise themselves with the Data Sharing Code of Practice so as to avoid confusion surrounding their rights and obligations under UK GDPR and the DPA 2018.

News, Fines and Breaches

Latest enforcement action by the UK’s Information Commissioner’s Office (“ICO”):

The ICO has handed down several fines in the past month. Most of these related to the sending of unsolicited marketing materials by email and text. It may be helpful to review some of these fines and the reasons behind them to ensure your organisation doesn’t fall into the same situation:

Solarwave Of Grays, Essex, Has Been Fined £100,000 For Making 73,217 Unsolicited Marketing Calls

Solarwave of Grays, Essex, has been fined £100,000 for making 73,217 unsolicited marketing calls about solar panel maintenance between January and October 2020. These were made to people who were registered with the Telephone Preference Service (TPS) list and who should not have received them. The company was also issued with an enforcement notice ordering it to stop marketing until consent had been obtained.

The ICO has fined Tested.me Ltd (TML) of St Albans for sending direct marketing emails to people who provided their personal data for contact tracing purposes.

Tested.me Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at businesses’ premises. The company sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to meet the government’s contact tracing rules.

Conservative Party Fined £10,000 For Sending Unlawful Emails

The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them. It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party.

The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law, and concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants.

Amex Fined For Sending Four Million Unlawful Emails

The ICO has fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to customers who did not want to receive them. During the investigation the ICO found that Amex had sent over 50 million of what it classed as ‘servicing emails’ to its customers. The ICO revealed that 4,098,841 of those emails were actually ‘marketing emails’, designed to encourage customers to make purchases on their cards, which were sent illegally without the explicit consent of the customer. Amex also did not review its marketing model following customer complaints.

Data Protection and Cyber in the News:

Below is a selection of Data Protection and cyber security stories from the past month:

The organizing committee of the Tokyo Olympics is the latest victim of a breach of a government contractor’s data-sharing tool.

Hackers responsible for causing widespread disruption to the Irish health system have unexpectedly gifted it with the tool to help it recover.

Colonial Pipeline’s CEO addressed a Senate committee on the Russia-based ransomware attack that crippled fuel deliveries up and down the East Coast.

India’s national airline Air India has said a cyber-attack on its data servers affected about 4.5 million customers around the world.

A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients.

On May 31 2021, privacy group NOYB led by Max Schrems filed over 500 draft complaints to websites in the EU for using unlawful cookie banners.

World trade in FAKE goods is rising

On April 26, TenIntelligence celebrated World Intellectual Property Day. Why? That’s an easy question…

“Fake” or “Forged” products pose a significant threat to consumers by putting their health and safety in jeopardy. Alcoholic beverages, food products, electronic goods, software, toys and luxury items, automobiles and aircraft parts are being maintained with substandard or counterfeit parts.

The money generated by the sale of fake goods doesn’t always end up in the seller’s pocket. It often funds organised crime, human trafficking, child prostitution and terror groups.

This continues to be a huge risk to consumers’ safety and the brand owners’ reputation.

So next time you’re considering buying a cheap handbag, pair of sunglasses or cheap cigarettes – think again.

Based in Dubai UAE, our brand protection headquarters gives us local knowledge when we are asked to assist clients with brand protection services. Our team helps clients identify whether their products are being counterfeited.

We complete market surveys, test purchases, trademark infringement, law enforcement liaison and intellectual property due diligence research.

TenIntelligence has a long and trusted relationship with local Law Enforcement Agencies (including Police, Customs, Departments of Economic Development, Chambers) across the UAE.

Working alongside the Agencies allows our brand protection services and infringement investigations to help identify and remove counterfeit products safely.

https://tenintel.com/brand-protection/

Nikhil Kamboj joins the TenIntelligence Team as Director of Data Protection

With over 15 years of experience in technology, cyber-security and regulatory compliance, Nikhil has a deep understanding of data protection legislation, cyber-security threats, security compliance standards, auditing and business continuity.

Nikhil holds Engineering and Master’s degrees in Computing, and is a qualified BSI Certified ISO27001 Lead Auditor, a Certified GDPR Practitioner, a trained NIST Risk Framework expert and a member of the Security Institute.

Nikhil is an experienced Data Protection Officer and Chief Information Security Officer.

He was responsible for leading business strategy for Compliance, IT systems, Cyber-Security and Business Continuity for a nationally renowned large security company.

Nikhil provides TenIntelligence with Data Protection, Cyber Security and Information Security Compliance consultancy through his company Databox 360.
