It has not been a good year for tech giants and social networking sites where data privacy and data security are concerned, with Facebook being the poster child. Ever since Facebook CEO Mark Zuckerberg was called before Congress in April to explain how political intelligence firm Cambridge Analytica had illicitly acquired access to the personal data of an estimated 87 million unwitting Facebook users, things have continued to get worse for the social networking giant.

That data breach further sparked an investigation by the Federal Trade Commission into whether Facebook’s actions violated a 2011 consent decree, which required the social networking site to, among other things, give consumers clear and prominent notice and obtain consumers’ express consent before sharing their personal information.

Adding to its mounting data privacy failures, Facebook revealed in a Dec. 14 blog post that it had discovered a software bug that may have wrongly given third-party apps access to photos of up to 6.8 million Facebook users. Consequently, it’s now facing an investigation by the Irish Data Protection Commission for potential violations of the EU’s General Data Protection Regulation.

At a high level, Facebook’s data privacy breaches highlight the risks that third parties pose to social networking sites. As Zuckerberg admitted, “There’s more we can do here to limit the information developers can access and put more safeguards in place to prevent abuse.”

The changes Facebook has made include removing developers’ access to an individual’s data if that user hasn’t used the developer’s app in three months, and requiring developers not only to get approval but also to sign a contract that imposes strict requirements for access to posts or other private data.

Tesla

Zuckerberg was not the only CEO to have to answer to regulators in 2018 for a social media controversy. In September, Tesla founder and CEO Elon Musk reached a settlement with the Securities and Exchange Commission over “false and misleading” information that Musk had delivered to investors over Twitter about possibly taking the publicly traded company private. The SEC slapped Musk and Tesla with a $20 million fine.

But that’s not the end of Tesla’s troubles. In a quarterly filing on Nov. 2, Tesla disclosed that it had been asked by the Department of Justice to voluntarily provide information not only about Musk’s prior Twitter statements, but also about whether Tesla inflated the production numbers of its Model 3 vehicles.

One broad compliance lesson to come from Tesla is the importance of having in place a policy governing social media. Other companies that don’t want to suffer the same fate should take a page from Tesla’s consent order with the SEC, which calls on Tesla to demonstrate greater oversight of all corporate communications, including, but not limited to, posts on social media, the company’s Website, press releases, and investor calls. The settlement further mandates the “pre-approval of any such written communications that contain, or reasonably could contain, information material to the company or its shareholders.”

Nissan

On Dec. 10, Japanese prosecutors indicted Nissan Motor Company Chairman Carlos Ghosn and former representative director Greg Kelly for violating the Japan Financial Instruments and Exchange Act, namely making false disclosures in annual securities reports. Nissan was indicted for the same violation.

In a statement issued in November, Nissan disclosed that an internal investigation, the result of a whistleblower report, revealed that “over many years” both Ghosn and Kelly had been under-reporting compensation amounts in the Tokyo Stock Exchange securities report “to reduce the disclosed amount of Carlos Ghosn’s compensation.” Concerning Ghosn, “numerous other significant acts of misconduct have been uncovered, such as personal use of company assets,” Nissan added.

Already arrested on previous charges, Ghosn and Kelly, along with Nissan, were charged with additional counts of financial misconduct. The newest charges allege that an additional $38 million (4.2 billion yen) in income was underreported from 2015 to 2018, adding to the original $44 million (5 billion yen) that was allegedly underreported from 2010 to 2015.

In a response statement, issued Dec. 10, Nissan said it “will continue its efforts to strengthen its governance and compliance, including making accurate disclosures of corporate information.” Nissan is yet another example of what can happen to a company when tone from the top is absent.

Wells Fargo

Unethical conduct and fraudulent employee behavior continue to plague Wells Fargo, calling into question the sincerity of its latest ad campaign, “Re-established.” Since being hit with a $100 million fine by the Consumer Financial Protection Bureau in September 2016 for secretly opening upward of 3.5 million unauthorized deposit and credit card accounts to boost sales figures, Wells Fargo’s ethics and compliance problems have only escalated.

In December 2018, the Department of Justice launched an investigation into Wells Fargo’s wholesale banking division, The Wall Street Journal reported. The investigation was prompted by revelations that employees improperly altered customer documents in order to meet a deadline mandated by the Office of the Comptroller of the Currency (OCC), the bank’s primary banking regulator, under a 2015 consent order. The OCC’s consent order required, among other things, that Wells Fargo make improvements to the anti-money laundering compliance program of its wholesale banking group.

The investigation came just months after Wells Fargo and several of its affiliates were ordered in August to pay a $2.09 billion civil penalty based on the bank’s alleged origination and sale of residential mortgage loans that it knew contained misstated income information and did not meet the quality that Wells Fargo represented. Prior to that enforcement action, the OCC, in a coordinated action with the Consumer Financial Protection Bureau, in April assessed a total civil money penalty of $1 billion against Wells Fargo for engaging in abusive lending practices concerning its auto loans.

To add to its troubles, Wells Fargo said in a securities filing on Nov. 6 that an expanded review of a “calculation error” first discovered in August in its mortgage modification underwriting tool found additional “errors” that inflated estimates of attorneys’ fees, affecting homeowners in the foreclosure process between March 15, 2010, and April 30, 2018, when new controls were implemented.

Wells Fargo takes legal fees into account when determining whether customers qualify for mortgage modifications or repayment plans. Due to these errors, approximately 870 customers were wrongly denied a loan modification or deemed ineligible to apply in cases where they otherwise would have qualified, resulting in 545 foreclosures.

This is the same company that made Compliance Week’s list of the top five ethics and compliance failures of 2016 after being fined $185 million by various authorities when it was discovered that thousands of Wells Fargo employees had illegally and secretly opened two million unauthorized deposit and credit card accounts, dating back to 2011. Based on the latest allegations, it appears its ethics and compliance program still has a long way to go.

Danske Bank

There appears to be no end in sight to the money-laundering scandal surrounding Danske Bank, Denmark’s biggest financial institution. In September, Danske Bank CEO Thomas Borgen resigned when allegations surfaced that the bank had taken part in a money-laundering scheme in which an alleged €200 billion (U.S. $227 billion) flowed through its Estonian branch between 2007 and 2015.

On Nov. 28, Danish prosecutors brought preliminary charges against Danske Bank concerning violations of the Danish Anti-Money Laundering Act. Danske Bank is also facing a criminal investigation by the U.S. Department of Justice, as well as authorities in Estonia and Britain.

For others in the financial services industry, the compliance lessons are best summed up in the charging documents brought by Danish prosecutors. Specifically, Danske Bank has been criticized for not having adequate control of the branch’s compliance with guidelines, including compliance with changes to procedures for establishing business relationships with customers, among other things; not training staff members in the rules of the Danish Anti-Money Laundering Act and the bank’s AML procedures; and not appointing a compliance officer at management level.

Danish prosecutors further alleged that Danske Bank:

  • Failed to integrate the Estonian branch in the bank’s risk management and control systems, “instead letting the branch operate with significantly different risk-taking, thus allowing the Estonian branch, inter alia, to establish foreign exchange lines for non-resident customers on the basis of cash collateral without having sufficient insight into the customer’s financial circumstances”;
  • Had in place inadequate IT systems or human resources to process the business relations and perform ongoing transaction monitoring;
  • Failed to obtain sufficient information about the purpose and intended nature of the business relationship, as well as information about the source of the funds;
  • Failed to obtain information to the full extent about the ownership and control structure of business customers or proof of identity of the beneficial owners of business customers; and
  • Established customer relations with intermediaries without the underlying persons or companies being identified.