In the fast-paced world of financial services, compliance is paramount. It ensures trust, stability, and ultimately, success. However, publicly available compliance events have cast a shadow over one of the payment’s industry’s key players, Worldline, and its Frankfurt based subsidiary, Payone. The question looms large, has Payone’s non-compliance impacted Worldline, and to what extent?
During the last earnings call on 25th October 2023, Laurent Daure, an analyst, posed a poignant question that resonated with investors and industry observers alike. His inquiry took place in the context of Worldline’s financial update event, and the 7th September 2023 announcement by German regulator BAFIN whom intervened in the PAyone GmbH business and compelled their termination of around a 1000 merchants. Executives provided insights into the company’s performance and outlook. Analyst, Laurent Daure’s incisive question echoed the concerns of many:
“I have a couple of questions as well. The first thing, I’m sorry to come back on the merchants you have to terminate because I remember Worldline was very selective in the past when selecting people it wanted to work with. So does it mean that the 1,000 merchant plus are mostly coming from M&A? And have you made due diligence that were detail enough. Any clarification on this would be welcome”.
Laurent Daurant, Worldline SA, Q3 2023 Sales/ Trading Statement Call, Oct 25, 2023
This query underscores the gravity of the situation and prompts a closer examination of Worldline’s compliance practices, particularly in light of recent merchant terminations compelled upon Payone GmbH. A Payone GmbH whistleblower is to appear before the UK High Court in March 2024 amidst a Payone gagging order made against him following disclosure of documents and information relating to alleged AMl breaches made to the Finacial Conduct Authority and the German equivalent BAFIN, made between 2022 and 2023. The Bafin announcement came some 7 months after the last of these disclosures, though it is not certain the extent to which they impacted the special audit or the announcements.
It is true as alluded in the question posed by the analyst that Worldline’s compliance reputation was historically a good and stringent one. A source and former employer of the firm Fiserve told Loopline Media that,
“Worldline had always appeared to be a top payments company in terms of compliance and it was well known around the industry that not just anyone could get a merchant account with Worldline”.
Former employer of Fiserv. ( a senior player in the payments industry and competitor to Worldline)
The termination of over 1,000 merchants, particularly at Payone, has raised eyebrows and prompted speculation about the efficacy of their due diligence processes, especially concerning Worldline’s past M&A activities involving Payone. Could Payone’s non-compliance be a ticking time bomb for Worldline’s reputation and future prospects? Are the recent personnel changes at Payone sufficient or is there a deeper move required? As the old adage goes, only time will tell.
As we await insights from the upcoming call on February 28, 2024, the implications of Payone’s non-compliance on Worldline’s trajectory remain uncertain. With no public news following Bafin’s announcement of a continuing special audit, it is unclear what if any further announcements may be around the corner.
Compliance issues at Payone GmbH
Recent regulatory actions by Bafin have cast a spotlight on Payone GmbH, formerly an electronic money institution, exposing lapses in its implementation of anti-money laundering (AML) measures. These actions underscore a concerning pattern of regulatory shortcomings, emphasising the critical need for enhanced internal controls. The infractions range from administrative errors such as lost confidential employee documents, prompting reprimands from the Information Commissioner’s Office, to more significant failures like the omission of UK employees from mandatory pension schemes. Notably, the latter issue has escalated to the UK High Court, where Payone GmbH faces a counterclaim for breach of contract from an affected employee. These incidents collectively portray a company grappling with a spectrum of compliance issues, from seemingly minor oversights to more serious breaches related to AML. Notably, Payone GmbH’s entry into the UK market shortly after the London 2012 Olympics was marred by a subsequent 5 year failure to secure Employer’s Liability insurance for its employees, a legal obligation.
On July 26, 2023, the German financial regulator BaFin took decisive action against Payone GmbH, prohibiting the institution from conducting transactions for certain high-risk business customers. This move was prompted by alarming findings of serious deficiencies in AML prevention measures and significant money laundering risks within Payone GmbH’s operations.
BaFin’s special audit uncovered shocking revelations about Payone GmbH’s operations, particularly in its e-commerce business area. The institution had amassed a conspicuous high-risk portfolio, with retailers engaging in dubious online transactions linked to fraudulent subscriptions, phishing, and fake shops. Despite these glaring red flags, Payone GmbH failed to adequately assess the risk posed by these business customers, allowing them to continue their operations unchecked.
The firm’s shortcomings in compliance and implementation of due diligence obligations under the Money Laundering Act (GwG) were glaring. The institution lacked adequate security systems to prevent money laundering, exposing itself to exploitation by criminal elements seeking potentially to launder illicit funds through its platform. Moreover, the deficiencies extended to the ongoing monitoring of dealers, with anomalies in risk assessment going unnoticed and unaddressed.
BaFin’s regulatory action against the Worldline outfit was grounded in Section 51 Paragraph 2 of the Money Laundering Act (GwG), underscoring the seriousness of the institution’s failures. The measure took effect on August 29, 2023, signaling a crucial intervention aimed at curbing money laundering risks in the financial sector.
The case of Payone GmbH serves as a stark reminder of the perils of lax regulatory oversight and inadequate AML measures in the financial industry. As regulators grapple with emerging challenges in combating financial crime, it is imperative to hold institutions like Payone GmbH accountable and institute robust measures to protect against money laundering and terrorist financing.
In another related 15 July 2023 judgment, the tribunal found that the Claimant made a qualifying disclosure against Payone. The tribunal rejected the notion that the Claimant lacked a reasonable and genuine belief at the time of the disclosure that it was in the public interest. Although the dispute primarily concerned the Claimant’s private workplace issues, it also raised matters of public interest due to the involvement of a large employer such as Payone. While the employer had only a small number of employees in the UK, the right to a workplace pension is significant, and the failure to provide such a pension can have enduring consequences for individuals. Furthermore, deductions had been made from the Claimant’s salary without being paid into a pension scheme, underscoring the importance of ensuring that the employer did not repeat such mistakes.
Although the Claimant’s motivations may have included personal interests related to his pension and his dispute with the employer, this did not negate the possibility of a genuine belief that the disclosure served the public interest. The tribunal noted that the Claimant was particularly aggrieved by the employer’s failure to address the breach of UK pensions legislation promptly. Despite being aware of the breach, the employer failed to communicate with the Claimant directly, instead leaving it to the Workers Pension Trust to correspond with him, even sending the letter to an incorrect address. Given the ongoing litigation between the parties, the tribunal found it surprising that the employer did not take the simple step of confirming the Claimant’s address and explaining the situation directly. The tribunal emphasised that, given the series of failures, including the mishandling of pension contributions, the employer’s inaction in addressing the situation promptly was unacceptable.
Furthermore, in line with the theme of lax compliance and disregard for data protection regulations, an Information Commissioner’s finding from July 2021 revealed additional concerning practices by the company. The Information Commissioner discovered that the employer had failed to comply with data protection regulations regarding the processing of personal data further underscoring the pattern of non-compliance with legal obligations.
The findings highlighted that the employer had neglected to adequately safeguard personal data, leading to potential risks of unauthorized access or misuse. This negligence not only violated the privacy rights of individuals but also demonstrated a lack of regard for regulatory requirements aimed at protecting sensitive personal information.
This lack of diligence in ensuring compliance with data protection regulations reflects a broader pattern of disregard for legal responsibilities, consistent with the employer’s previous shortcomings in addressing workplace pension obligations.
Additionally, a live complaint dated December 2023 highlights the urgent need for investigation and intervention by the Information Commissioner’s Office (ICO) regarding the unauthorised use of personal Apple ID account by Payone GmbH. The complainant, who worked for Payone GmbH from the UK between 2016 and 2021, detailed a series of concerning incidents:
1. For a period spanning 4.4 years, from November 2016 to March 2021, Payone GmbH employed the personal Apple account of a complainant to operate a company-assigned mobile telephone. Throughout this time, the company repeatedly solicited the complainant’s Apple Account username and password, creating a coercive environment where the complainant is said to have felt compelled to disclose this sensitive information out of potential repercussions on their employment status.
2. Absence of a privacy notice provided in English during the complainant’s tenure at Payone GmbH left them uninformed about who had access to their password and how it was utilised, leading to concerns regarding potential interference with their Apple account. Payone GmbH’s failure to furnish a privacy policy in English, as mandated by Article 12 of the GDPR, coupled with the inadequate provision of information to the complainant, rendered any consent obtained for the password, uninformed and invalid, in non compliance with Article 7 of the UK GDPR.
In summary, Payone GmbH’s longstanding compliance issues have brought to light a range of regulatory concerns, spanning from inadequate anti-money laundering measures to administrative oversights and alleged breaches of contract. There is a compelling argument that these issues may have had repercussions for Worldline, particularly evident in ongoing financial losses stemming from Payone merchant terminations. This presents a challenging predicament for Worldline, especially in light of the burgeoning fintech landscape across Europe and the consolidation of competitors in key markets like Germany, exemplified by the recent announcement of the Global Payments and Commerzbank joint venture set to launch in the first half of 2024. These incidents underscore Payone GmbH’s struggles in upholding regulatory compliance across diverse areas, prompting questions about its internal controls and commitment to legal obligations. Loopline Media remains steadfast in closely monitoring these developments and will continue to offer exclusive updates and insights on its platform, fostering transparency within the payments industry.