You've taken the plunge. Saved up a year's living expenses, quit your day job, and you're now off to make your dream a reality - be that travel writer, open that cafe, build that app! Fast forward six months later. You've done your homework, laid the foundations and the money is starting to roll in. Congratulations, you're officially a success, everything's going right. So you couldn't have possibly gotten anything wrong, could you?
Not so fast, buddy…
There are many reasons why a business could, hand-on-heart, be trying to do the right thing but end up accidentally shooting itself in the foot. Most of the time it's not malicious, but rather something that just slipped through the cracks. This is especially prevalent in the I'll-do-everything-myself startup founder culture. Sometimes a second pair of eyes truly can be the difference between make it or break it.
While by no means exhaustive, below is a list of some of the more common compliance and risk management mistakes that can subject a business to devastating issues down the road, including fines and sometimes even jail time.
Not paying attention to what's going on within your day-to-day operations
Most businesses are high-involvement and will likely never be 'passive income'. You'll need to be very careful about how you manage your business, staff, and vendors. One such issue is not screening them, even when it's required or after they pass a specific threshold that mandates due diligence. Or worse yet, not checking on what they are buying and selling on your platform. This is especially important if you operate an online marketplace as you essentially go on record as the merchant in the transaction, and are thus liable for all activities that transpire within your platform, including the sale of illegal items and fraud.
Here are some examples of companies that failed to monitor or document all decisions taken. Commerzbank AG was fined $47 million for its failure to put adequate anti-money laundering systems and controls in place between 2012 and 2017, despite being reminded on several occasions.[1] Earlier this year, JP Morgan Chase paid a $250 million penalty over inadequate internal processes and staff controls in its wealth management division, especially related to conflict-of-interest transactions.[2]
Growing the business too rapidly
Now there's nothing wrong with growing your business. Increasing profits should be the main objective of any entrepreneur. However, there are pitfalls to growing faster than you can keep up with.
Take for example the online stock trading platforms which have sprung up over the past few years. They operate within a regulated industry, so they can't just begin 'exporting' their service to a new market without first pairing up with a local partner or getting their domestic license. In Malaysia, platforms like eToro, TD Ameritrade, and Binance have been added to the Securities Commission Investor Alert List for performing unlicensed market activities.[3] While this is not a death sentence, it's a list you don't want to be on while attempting to build legitimacy around your brand.
Other businesses have found themselves in hot water for not upgrading their internal systems and controls to match their growing operational complexity. Citigroup, for example, was fined $400 million by US regulators for failing to resolve "several longstanding deficiencies" tied to its data and risk management systems.[4] In another recent case, an officer of U.S. Bank was fined $450,000 in his capacity as a C-suite executive for not ensuring adequate upgrades to the bank's transaction monitoring systems and staff headcount. This was in addition to the bank's own $613 million fine for the same incident two years before.[5]
Not paying attention to advertising and labeling laws
Moving on to trend-based eCommerce businesses that rely heavily on online advertising, it's important to take extra care when dealing with products that may have health implications and are usually restricted under the law, e.g. alcohol, nicotine, prescription drugs, or uncertified treatments for known illnesses. Back when e-cigarettes were brand new and completely unregulated, everyone was selling them despite many countries classifying nicotine liquids as poisons or controlled substances, which required specific licenses for marketing, storage, and distribution. Another example would be building a new house brand using white-label production. In many countries, the labeling laws are so strict that you could end up with a fine or a confiscated shipment if you were to name, advertise or label your product wrongly or deceptively - like the difference between selling a 'fruit juice' vs a 'fruit-flavored drink'.
Next, let's address the issue of deceptive marketing, where advertising is pushed to the point of distorting facts rather than just creating hype. Take the Volkswagen case, colloquially referred to as Dieselgate, where the company marketed a 'clean diesel' vehicle that had a device installed to cheat emissions tests.[6] The company paid out over $9.5 billion in compensation to affected consumers over the past five years in one of the largest deceptive marketing cases ever to be heard in the United States.[7] This mammoth payout is in addition to the $4.3 billion and €1 billion fines it paid to US and German regulators for breaching environmental protection laws.[8] If there is any takeaway from this, it's that good advertising is crucial to growing your business, but fabricating facts is never worth the trouble.
Not investing enough in cybersecurity and preventing data breaches
Data breaches are a dime a dozen these days. It has become the norm for hackers to steal data just to prove they can, dumping it online afterward without selling it to anyone in particular. And with increased regulation on data privacy and data residency, there are more standards than ever to adhere to. Fines usually get levied not just for having a data breach, but for failing to fix a critical vulnerability after a patch had been issued, or for not informing the public of the breach promptly.
Some examples of enforcement actions include Marriott being hit with a $124 million fine over its 2018 breach,[9] Equifax agreeing to pay $575 million for its 2017 breach,[10] Uber's 2016 breach, which cost close to $150 million,[11] and more recently Twitter being hit with a €450,000 GDPR fine.[12] These are more than just large numbers; they're proof that you should not only keep up with the basics of server patches, encryption, and pentests, but also invest in hiring people who live and breathe cybersecurity to stay one step ahead of hackers.
Not having a proper business license
We've saved the most cardinal of sins for last because it's also the most basic - not having the right license for your business. In fact, you may need several licenses at the federal, state, municipal, and industry levels. A little-known fact: some cities require that you have a separate license for every signboard or advertisement you stick on your own storefront. Other things to be wary of include getting the right work permits, tax registrations, and permits for selling restricted items like alcohol, nicotine, etc.
One way to illustrate this point would be to look at the stock 'trading gurus' who have emerged online in recent months. They should pay extra attention as providing investment advice without a license is an offense under securities laws in many jurisdictions. Take Malaysia for example, where the act of doing so can attract fines of up to RM10 million and jail time of up to 10 years.[13] That's a heavy price to pay for not fully understanding the law surrounding your new business venture. As the old carpentry adage goes, when it comes to compliance matters, it always pays to 'measure twice, cut once'.
But I don't know what I don't know. What should I do?
Well, remember that second pair of eyes we talked about earlier? You should consider getting someone to specifically look into these areas, which may be in your blind spot. You'll be surprised how much a few hours of uninterrupted thought will yield. Alternatively, you could engage an external party to give you an unbiased perspective on your business processes. Dicorm helps health-check the operations of small to medium-sized businesses, giving them the peace of mind that all is going well or pinpointing specific areas that need work. Contact us today for a no-obligation discussion or visit our services page to learn more about what we have to offer.