How Payone’s Non-Compliances May Have Altered Worldline’s Course

In the fast-paced world of financial services, compliance is paramount. It ensures trust, stability, and ultimately, success. However, publicly available compliance events have cast a shadow over one of the payments industry’s key players, Worldline, and its Frankfurt-based subsidiary, Payone. The question looms large: has Payone’s non-compliance impacted Worldline, and to what extent?

During the last earnings call on 25th October 2023, Laurent Daure, an analyst, posed a poignant question that resonated with investors and industry observers alike. His inquiry took place in the context of Worldline’s financial update event and the 7th September 2023 announcement by German regulator BaFin, which intervened in the Payone GmbH business and compelled it to terminate around 1,000 merchants. Executives provided insights into the company’s performance and outlook. Analyst Laurent Daure’s incisive question echoed the concerns of many:

“I have a couple of questions as well. The first thing, I’m sorry to come back on the merchants you have to terminate because I remember Worldline was very selective in the past when selecting people it wanted to work with. So does it mean that the 1,000 merchant plus are mostly coming from M&A? And have you made due diligence that were detail enough. Any clarification on this would be welcome”.

Laurent Daure, Worldline SA, Q3 2023 Sales/Trading Statement Call, Oct 25, 2023

This query underscores the gravity of the situation and prompts a closer examination of Worldline’s compliance practices, particularly in light of recent merchant terminations compelled upon Payone GmbH. A Payone GmbH whistleblower is to appear before the UK High Court in March 2024 amidst a Payone gagging order made against him following disclosures, made between 2022 and 2023 to the Financial Conduct Authority and its German equivalent BaFin, of documents and information relating to alleged AML breaches. The BaFin announcement came some 7 months after the last of these disclosures, though the extent to which they impacted the special audit or the announcements is not certain.

It is true, as alluded to in the question posed by the analyst, that Worldline’s compliance reputation was historically a good and stringent one. A source and former employer of the firm Fiserv told Loopline Media that,

“Worldline had always appeared to be a top payments company in terms of compliance and it was well known around the industry that not just anyone could get a merchant account with Worldline”.

Former employer of Fiserv (a senior player in the payments industry and competitor to Worldline)

The termination of over 1,000 merchants, particularly at Payone, has raised eyebrows and prompted speculation about the efficacy of their due diligence processes, especially concerning Worldline’s past M&A activities involving Payone. Could Payone’s non-compliance be a ticking time bomb for Worldline’s reputation and future prospects? Are the recent personnel changes at Payone sufficient or is there a deeper move required? As the old adage goes, only time will tell.

As we await insights from the upcoming call on February 28, 2024, the implications of Payone’s non-compliance on Worldline’s trajectory remain uncertain. With no public news following BaFin’s announcement of a continuing special audit, it is unclear what, if any, further announcements may be around the corner.

Compliance issues at Payone GmbH

Recent regulatory actions by BaFin have cast a spotlight on Payone GmbH, formerly an electronic money institution, exposing lapses in its implementation of anti-money laundering (AML) measures. These actions underscore a concerning pattern of regulatory shortcomings, emphasising the critical need for enhanced internal controls. The infractions range from administrative errors such as lost confidential employee documents, prompting reprimands from the Information Commissioner’s Office, to more significant failures like the omission of UK employees from mandatory pension schemes. Notably, the latter issue has escalated to the UK High Court, where Payone GmbH faces a counterclaim for breach of contract from an affected employee. These incidents collectively portray a company grappling with a spectrum of compliance issues, from seemingly minor oversights to more serious breaches related to AML. Notably, Payone GmbH’s entry into the UK market shortly after the London 2012 Olympics was marred by a subsequent 5-year failure to secure Employer’s Liability insurance for its employees, a legal obligation.

On July 26, 2023, the German financial regulator BaFin took decisive action against Payone GmbH, prohibiting the institution from conducting transactions for certain high-risk business customers. This move was prompted by alarming findings of serious deficiencies in AML prevention measures and significant money laundering risks within Payone GmbH’s operations.

BaFin’s special audit uncovered shocking revelations about Payone GmbH’s operations, particularly in its e-commerce business area. The institution had amassed a conspicuous high-risk portfolio, with retailers engaging in dubious online transactions linked to fraudulent subscriptions, phishing, and fake shops. Despite these glaring red flags, Payone GmbH failed to adequately assess the risk posed by these business customers, allowing them to continue their operations unchecked.

The firm’s shortcomings in compliance and implementation of due diligence obligations under the Money Laundering Act (GwG) were glaring. The institution lacked adequate security systems to prevent money laundering, exposing itself to exploitation by criminal elements seeking potentially to launder illicit funds through its platform. Moreover, the deficiencies extended to the ongoing monitoring of dealers, with anomalies in risk assessment going unnoticed and unaddressed.

BaFin’s regulatory action against the Worldline outfit was grounded in Section 51 Paragraph 2 of the Money Laundering Act (GwG), underscoring the seriousness of the institution’s failures. The measure took effect on August 29, 2023, signaling a crucial intervention aimed at curbing money laundering risks in the financial sector.

The case of Payone GmbH serves as a stark reminder of the perils of lax regulatory oversight and inadequate AML measures in the financial industry. As regulators grapple with emerging challenges in combating financial crime, it is imperative to hold institutions like Payone GmbH accountable and institute robust measures to protect against money laundering and terrorist financing.

In another related 15 July 2023 judgment, the tribunal found that the Claimant made a qualifying disclosure against Payone. The tribunal rejected the notion that the Claimant lacked a reasonable and genuine belief at the time of the disclosure that it was in the public interest. Although the dispute primarily concerned the Claimant’s private workplace issues, it also raised matters of public interest due to the involvement of a large employer such as Payone. While the employer had only a small number of employees in the UK, the right to a workplace pension is significant, and the failure to provide such a pension can have enduring consequences for individuals. Furthermore, deductions had been made from the Claimant’s salary without being paid into a pension scheme, underscoring the importance of ensuring that the employer did not repeat such mistakes.

Although the Claimant’s motivations may have included personal interests related to his pension and his dispute with the employer, this did not negate the possibility of a genuine belief that the disclosure served the public interest. The tribunal noted that the Claimant was particularly aggrieved by the employer’s failure to address the breach of UK pensions legislation promptly. Despite being aware of the breach, the employer failed to communicate with the Claimant directly, instead leaving it to the Workers Pension Trust to correspond with him, even sending the letter to an incorrect address. Given the ongoing litigation between the parties, the tribunal found it surprising that the employer did not take the simple step of confirming the Claimant’s address and explaining the situation directly. The tribunal emphasised that, given the series of failures, including the mishandling of pension contributions, the employer’s inaction in addressing the situation promptly was unacceptable.

Furthermore, in line with the theme of lax compliance and disregard for data protection regulations, an Information Commissioner’s finding from July 2021 revealed additional concerning practices by the company. The Information Commissioner discovered that the employer had failed to comply with data protection regulations regarding the processing of personal data, further underscoring the pattern of non-compliance with legal obligations.

The findings highlighted that the employer had neglected to adequately safeguard personal data, leading to potential risks of unauthorized access or misuse. This negligence not only violated the privacy rights of individuals but also demonstrated a lack of regard for regulatory requirements aimed at protecting sensitive personal information.

This lack of diligence in ensuring compliance with data protection regulations reflects a broader pattern of disregard for legal responsibilities, consistent with the employer’s previous shortcomings in addressing workplace pension obligations.

Additionally, a live complaint dated December 2023 highlights the urgent need for investigation and intervention by the Information Commissioner’s Office (ICO) regarding the unauthorised use of a personal Apple ID account by Payone GmbH. The complainant, who worked for Payone GmbH from the UK between 2016 and 2021, detailed a series of concerning incidents:

1. For a period spanning 4.4 years, from November 2016 to March 2021, Payone GmbH employed the personal Apple account of the complainant to operate a company-assigned mobile telephone. Throughout this time, the company repeatedly solicited the complainant’s Apple Account username and password, creating a coercive environment where the complainant is said to have felt compelled to disclose this sensitive information out of fear of potential repercussions on their employment status.

2. The absence of a privacy notice in English during the complainant’s tenure at Payone GmbH left them uninformed about who had access to their password and how it was utilised, leading to concerns regarding potential interference with their Apple account. Payone GmbH’s failure to furnish a privacy policy in English, as mandated by Article 12 of the GDPR, coupled with the inadequate provision of information to the complainant, rendered any consent obtained for the password uninformed and invalid, in non-compliance with Article 7 of the UK GDPR.

In summary, Payone GmbH’s longstanding compliance issues have brought to light a range of regulatory concerns, spanning from inadequate anti-money laundering measures to administrative oversights and alleged breaches of contract. There is a compelling argument that these issues may have had repercussions for Worldline, particularly evident in ongoing financial losses stemming from Payone merchant terminations. This presents a challenging predicament for Worldline, especially in light of the burgeoning fintech landscape across Europe and the consolidation of competitors in key markets like Germany, exemplified by the recent announcement of the Global Payments and Commerzbank joint venture set to launch in the first half of 2024. These incidents underscore Payone GmbH’s struggles in upholding regulatory compliance across diverse areas, prompting questions about its internal controls and commitment to legal obligations. Loopline Media remains steadfast in closely monitoring these developments and will continue to offer exclusive updates and insights on its platform, fostering transparency within the payments industry.


This Article is brought to you by

Loopline Media


Post-Brexit: data protection
Card processor sends sensitive data to wrong address
24 August 2022

Worldline SA subsidiary Payone GmbH has been accused of breaching data protection rules after it sent sensitive employee payroll information to the wrong address by accident. The Worldline Group holds a 60% stake in the Frankfurt-based company, which has a small UK market presence.

In June 2021, one of Payone GmbH’s former UK employees (the data subject) received a “potential data breach notification” from the firm advising him that his salary, National Insurance data and nationality (Special Category Data) were amongst various bits of information sent to an incorrect home address.

This included personal information such as the former employee’s name, age and address. It also included details such as the date of birth and the amount of annual work bonus he received in his bank account, amongst other identifiable data.

Payone GmbH confirmed that this document was sent out in error following an employee making a mistake when re-entering data processed by their third-party payroll provider. The error arose when the employee was fulfilling an Article 15 GDPR request. The error was spotted by the data subject when he noticed in an email version of the document that the postal address was incorrect. An attempt to notify Payone GmbH of the error was in vain, as the document had already been irretrievably despatched.

The data subject was alarmed by the incident, which exposed him to the possibility of fraudulent activity, amidst reasonable fears his data could end up on the dark web and be used by criminals. Habitually resident in the UK, he complained to the Information Commissioner’s Office (ICO) in June 2021. He similarly raised the concern in Germany via The Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

The ICO reprimanded Payone GmbH for the error in their final decision letter.
Similarly, the HBDI cited a violation of Article 5(f) of the General Data Protection Regulation (GDPR) relating to integrity and confidentiality.

The ICO stated in their July 2021 findings that Payone GmbH, “should take steps to ensure that all personal data records are accurate and up to date. Holding inaccurate information, such as addresses, does increase the risk of personal data breaches and poses risks to the security of information”.

The HBDI confirmed in their October 2021 findings that Payone GmbH had taken remedial action. They concluded that a monetary fine would not be imposed on Payone GmbH as they had taken technical and organisational steps in response to the data breach. Data subjects could now request their data in an autonomous portal.

The GDPR, which came into effect in 2018, gave the Information Commissioner’s Office greater powers to tackle data breaches. The new ‘UK GDPR’ charts its own course after Brexit whilst seeking to maintain EU GDPR adequacy.  In extreme scenarios, organisations face penalties of up to £20m or 4 per cent of their global worldwide turnover, whichever is more.

In the years prior to GDPR, the ICO fines were capped at £500,000.

The data subject said: “I am just glad I spotted it; they were going to resend the document again to another wrong address. Prior to Brexit the process would have been commenced via the ICO who in turn would liaise with the HBDI on the data subjects’ behalf; but I found myself communicating with both authorities separately which was an additional step but in the end was surprisingly effective. Unfortunately, Payone GmbH again sent my incorrect address to the Workers Pension Trust in January 2022, and documents yet again went to the wrong address. In my opinion they have not learned from the first time and my complaint is sitting with the ICO yet again”.

The former employee is pursuing a remedy under Article 82 UK GDPR via the Courts of England & Wales.
