Final Notice
FINAL NOTICE
1.
ACTION
1.1.
For the reasons given in this Final Notice, the Authority hereby imposes on Crosfill &
Archer Claims Limited (“Crosfill & Archer”) a financial penalty in the sum of £110,000
pursuant to section 206 of the Act.
2.
SUMMARY OF REASONS
2.1
Crosfill & Archer is a claims management company (“CMC”). CMCs can play an
important role in helping to secure compensation for their customers, including for
those who otherwise might not make a claim. However, misconduct by CMCs, such as
failings in respect of due diligence on customer data purchased from third party data
providers, can cause widespread harm to consumers.
2.2
With effect from 1 April 2019, responsibility for the regulation of CMCs was transferred
from the Claims Management Regulation Unit (“the CMRU”) (a unit of the Ministry of
Justice that regulated companies providing claims management services to England
and Wales) to the Authority, pursuant to Section 27 of the Financial Guidance and
Claims Act 2018. The Authority’s Claims Management: Conduct of Business Rules came
into force as of 1 April 2019. Prior to 1 April 2019, a different regulatory regime
governed the conduct of CMCs; the Conduct of Authorised Persons Rules 2014
(“CAPR”), which had been made by the CMRU under the Compensation (Claims
Management Services) Regulations 2006 (“the 2006 Regulations”). The 2006
Regulations and the CAPR therefore applied to the conduct of Crosfill & Archer before
1 April 2019 but did not apply to the firm’s conduct after that date when the Authority
commenced regulation of CMCs.
2.3
Pursuant to articles 53 and 65 of the Claims Management Activity Order 2018, which
contains transitional provisions for the transfer of regulatory responsibility from the
CMRU to the Authority from 1 April 2019, a Penalty Letter given to a firm by the CMRU
is to be treated as a Decision Notice given by the Authority under section 208(1)(b) of
the Financial Services and Markets Act 2000 (“the Act”). The Authority was accordingly
substituted for the CMRU as the Respondent to Crosfill & Archer’s appeal against the
CMRU’s Penalty Letter dated 22 March 2019 (“the Penalty Letter”).
2.4
The CMRU originally wrote to Crosfill & Archer to inform its directors by its Minded to
Impose Letter dated 22 June 2018 that it proposed to impose a financial penalty of
£140,000 on the firm for breaches of the CAPR. Regulation 12(5) of the 2006
Regulations sets out that it is a condition of authorisation that authorised firms comply
with the CAPR. Regulation 48(1) of the 2006 Regulations (as amended by The
Compensation (Claims Management Services) (Amendment) Regulations 2014)
provided that the CMRU may impose a financial penalty on a business if it failed to
comply with the conditions of its authorisation.
2.5
In response to the CMRU’s Minded-to Letter, the firm made written representations to
the CMRU dated 15 June 2018 which detailed the improvements the firm considered it
had made to its due diligence processes and procedures following audits by the CMRU
in February and November 2016 and the investigation commenced by the CMRU on 17
February 2017.
2.6
As a result of the firm’s written representations, the CMRU carried out a further audit
on 23 August 2018. The level of penalty was then subsequently reduced to £110,000
in the Penalty Letter, the CMRU having taken into account the firm’s written
representations dated 15 June 2018 and the remedial action Crosfill & Archer had taken
in respect of its due diligence processes. The penalty was imposed pursuant to
Regulation 51(1) of the 2006 Regulations.
2.7
The Minded-to Letter and the Penalty Letter are collectively referred to in this Final
Notice as the “CMRU Letters” and are annexed to this Final Notice as Annex A and
Annex B respectively.
2.8 The bases for the CMRU Penalty Letter to impose a financial penalty of £110,000 on
Crosfill & Archer, were as follows:
(1) Due diligence breaches regarding provenance of data and ensuring that the relevant
consents had been obtained by the third party data providers;
(2) The making of unsolicited telemarketing calls to numbers registered on the TPS
register (which means they had registered not to receive this type of sales call),
without the requisite consent; and
(3) Lack of knowledge and training in respect of a member of the firm’s staff around
using the dialler1.
2.9
Pursuant to Article 66 of the Financial Services and Markets Act 2000 (Claims
Management Activity) Order 2018 (“the Claims Management Activity Order”), no
1 A dialer is an automated system that places calls to customers, from an outbound call centre.
appeal in respect of a decision made by the CMR before 1 April 2019 can be made to
the First Tier Tribunal after 1 April 2019. Article 66(2) of the Claims Management
Activity Order provides that an appeal may be made to the Upper Tribunal in respect
of a decision made by the CMR before the 1 April 2019.
2.10 Although Crosfill & Archer incorrectly sent its Notice of Appeal against the Penalty
Letter to the First Tier Tribunal, the appeal was made within the statutory time limit
that applied to appeals for which the First Tier Tribunal had jurisdiction prior to 1 April
2019. By consent of the parties, on 23 May 2019 the Upper Tribunal (Tax and Chancery
Chamber) (“the Upper Tribunal”) directed that the Notice of Appeal be admitted as a
Reference to the Upper Tribunal.
2.11 The Authority filed and served its Statement of Case and List of Documents in the Upper
Tribunal proceedings on 10 March 2021. Crosfill & Archer was due to file and serve its
Reply pursuant to Rule 5(1) of the Tribunal Procedure (Upper Tribunal) Rules 2008 (“the
Upper Tribunal Rules”) by no later than 8 April 2021, but did not do so. Accordingly,
on 10 May 2021 the Upper Tribunal directed that the reference be struck out and that
the Tribunal proceedings were at an end. Pursuant to Rule 8(5) and (6) of the Upper
Tribunal Rules, Crosfill & Archer had 28 days within which to apply to reinstate the
reference, but it did not do so.
2.12 Accordingly, the Authority hereby imposes a financial penalty of £110,000 on Crosfill &
Archer for the failings identified in the CMRU Letters.
3.
DEFINITIONS
3.1.
The definitions below are used in this Final Notice:
“2006 Regulations” means the Compensation (Claims Management Services)
Regulations 2006 made under the Compensation Act 2006;
“2018 Order” means The Financial Services and Markets Act 2000 (Claims Management
Activity) Order 2018;
“the Act” means the Financial Services and Markets Act 2000;
“the Authority” means the body corporate previously known as the Financial Services
Authority and renamed on 1 April 2013 as the Financial Conduct Authority;
“CAPR” means the Conduct of Authorised Persons Rules 2014;
“CMC” means claims management company;
“CMRU” means the Claims Management Regulation Unit;
“CMRU Letters” refers collectively to the CMRU’s Minded-to Letter and Penalty Letter;
“Upper Tribunal” means the Upper Tribunal (Tax and Chancery Chamber);
“Minded-to Letter” means the CMRU’s notice of proposed financial penalty dated 1 June
2018;
“Penalty Letter” means the CMRU’s notice dated 22 March 2019 under the 2006
Regulations notifying Crosfill & Archer that it was required to pay a financial penalty of
£110,000;
“Crosfill & Archer” means Crosfill & Archer Claims Limited;
“PPI” means payment protection insurance.
4.
FACTS AND MATTERS
4.1.
The facts and matters below are a summary of those set out in the CMRU Letters.
Names of individuals have been redacted in the CMRU Letters reproduced as Annex A
and Annex B to this Final Notice.
4.2
Crosfill & Archer was authorised by the CMRU on 10 October 2014 to provide regulated
claims management services. The firm brings claims for mis-sold Payment Protection
Insurance (“PPI”) on behalf of its customers. The firm held temporary permissions
granted by the Authority from 1 April 2019, to undertake regulated claims management
service activities. The firm was granted full authorisation by the FCA on 6 May 2020.
4.3
Crosfill & Archer was audited by the CMRU on three separate occasions on 4 February
2016 (“the February 2016 Audit”), 29 November 2016 (“the November 2016 Audit”)
and 23 August 2018 (“the 2018 Audit”). Following the outcome of the February 2016
and November 2016 audits the firm was placed under investigation by the CMRU on 17
February 2017, pursuant to Regulation 35 of the 2006 Regulations.
The February and November 2016 Audits
4.4
During the February 2016 Audit, the CMRU identified a number of breaches in relation
to the provenance of the customer data being used. The CMRU had also received details
of complaints made to the Telephone Preference Service (“the TPS”) about contact
being made by the firm with individuals whose names appeared on the TPS register.
As a consequence, the CMRU sent a Letter of Warning to Crosfill & Archer dated 16
March 2016 requiring the firm to take action to remedy the breaches. The CMRU
continued to communicate with the firm after this in order to try and bring about
compliance. However, the CMRU remained concerned about the firm’s telemarketing
practices.
4.5
The November 2016 Audit was conducted by the CMRU following the receipt of further
TPS complaints made by individuals whose names appeared on the TPS register and
who had been contacted by Crosfill & Archer. The CMRU also assessed whether the firm
had acted on the advice provided by the CMRU at the February 2016 Audit.
4.6
During the November 2016 Audit, the CMRU found that the firm had not acted on the
advice given by the CMRU at the February 2016 Audit. At the time of the November
2016 Audit, an external call centre made all outbound sales calls as agents of Crosfill
& Archer in relation to mis-sold payment PPI claims and mis-sold packaged bank
account (“PBA”) claims. Crosfill & Archer supplied all data to the external call centre to
make such calls.
4.7
Crosfill & Archer purchased that data from Company A. However, the CMRU found that
the firm could not provide sufficient details regarding how Company A had obtained the
data. During the November 2016 Audit Crosfill & Archer said they had stopped using
Company A, but then subsequently confirmed that they were still accepting leads from
4.8
The November 2016 Audit also identified that there remained issues relating to due
diligence, TPS complaints and staff monitoring. The CMRU had given Crosfill & Archer
previous advice on these matters. The CMRU therefore commenced their investigation
into Crosfill & Archer on 17 February 2017.
7
The August 2018 Audit
4.9
The CMRU wrote to Crosfill & Archer to inform its directors by its Minded-to Letter, that
the CMRU proposed to impose a financial penalty of £140,000 on the firm, for breaches
of Regulation 12(5)(a)of the 2006 Regulations, which stated that it was a condition of
authorisation that authorised firms must comply with the CAPR 2014. The letter
explained how the firm had breached the CAPR 2014 and explained the corresponding
evidence of the failure to comply with them.
4.10
In response to the Minded-to Letter, Crosfill & Archer made written representations to
the CMRU dated 15 June 2018 citing improvements it considered it had made to its due
diligence processes and procedures following the February 2016 Audit and the
November 2016 Audit and the investigation commenced by the CMRU on 17 February
2017.
4.11
The August 2018 Audit took place, during which the firm demonstrated the
improvements it considered it had made to its due diligence and training processes.
4.12
Upon the CMRU having considered and taken into account Crosfill & Archer’s written
representations dated 15 June 2018, and as a result of the remedial action the firm
had taken in respect of its due diligence processes subsequently identified in the August
2018 Audit, the CMRU reduced to £110,000 the level of financial penalty imposed on
Crosfill & Archer by means of the CMRU’s Penalty Letter.
5.
FAILINGS
5.1
The CMRU found that Crosfill & Archer breached the following rules contained in the
CAPR 2014 (the CAPR 2014 were classified either as “Client Specific Rules” or “General
Rules”. “Client Specific Rules” were conduct rules for businesses that governed how
regulated firms contracted and dealt with their clients, and which were to be complied
with at all times (a business had to be able to demonstrate, and where practicable,
document such compliance). “General Rules” were again to be complied with at all
times and firms were required to be able to demonstrate, and where practical,
document such compliance):
5.2
General Rule 2: which requires that a firm acts with professional diligence by “d)
Maintaining appropriate records” and by taking “e) … all reasonable steps in relation to
any arrangement with third parties to confirm that any referrals, leads or data have
been obtained in accordance with the requirements of the legislation and Rules”;
5.3
General Rule 4: A business shall ensure that any staff or other people working on its
behalf have the necessary training and competence to perform their duties;
5.4
General Rule 5: which requires that a firm shall “observe all laws and regulations
relevant to its business” which would include PECR which provides at Regulation 1(b)
that a person shall neither use, nor instigate the use of, a public electronic
communications service for the purpose of making unsolicited calls for direct marketing
purposes where the number allocated to a subscriber in respect of the called line is one
listed in the register kept under Regulation 26 of PECR; and
5.5
Client Specific Rule 4: which specifies that “cold calling in person is prohibited” and any
“marketing by telephone, email, fax or text shall be in accordance with the Direct
Marketing Association’s Code and any related guidance issued by the Direct Marketing
Association.” The Code includes:
Rule 1.3: Members must ensure that lists containing names and contact details are not
used for marketing purposes unless the list has been cleaned against the relevant
preference services – TPS, MPS, CTPS, BMPS, FPS and Your Choice.
Rule 3.1: Members must follow all legislation relating to the processing of data,
including the Data Protection Act 1998 and the Privacy in Electronic Communications
Regulations 2003.
6.
SANCTION
6.1
The basis on which the CMRU imposed a financial penalty of £110,000 on Crosfill &
Archer is set out in the CMRU Letters which are reproduced in Annexes A and B to this
6.2
By virtue of article 53(2) of the 2018 Order, the CMRU’s Penalty Notice is to be treated
as a decision notice given by the Authority.
6.3
Crosfill & Archer’s reference to the Upper Tribunal against the Penalty Letter was struck
out on 10 May 2021.
6.4
The Authority hereby imposes on Crosfill & Archer a financial penalty in the sum of
£110,000 pursuant to section 206 of the Act.
7.
PROCEDURAL MATTERS
7.1
This Final Notice is given to Crosfill & Archer under and in accordance with section 390
of the Act.
Decision maker
7.2
The decision which gave rise to the obligation to give this Final Notice was made by
the CMRU, but under article 53(2) of the 2018 Order the CMRU’s Penalty Letter
recording that decision is to be treated as a decision notice given by the Authority
under section 208(1)(b) of the Act.
Manner and time for payment
7.3
The financial penalty must be paid in full by Crosfill & Archer to the Authority no later
than 14 days from the date of this Final Notice.
If the financial penalty is not paid
7.4
If all or any of the financial penalty is outstanding after a period of 14 days from the
date of this Final Notice, the Authority may recover the outstanding amount as a debt
owed by Crosfill & Archer and due to the Authority.
7.5
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of information
about the matter to which this Final Notice relates. Under those provisions, the
Authority must publish such information about the matter to which this Final Notice
relates as the Authority considers appropriate. The information may be published in
such manner as the Authority considers appropriate. However, the Authority may not
publish information if such publication would, in the opinion of the Authority, be unfair
to you or prejudicial to the interests of consumers or detrimental to the stability of the
UK financial system.
7.6
The Authority intends to publish such information about the matter to which the Final
Notice relates as it considers appropriate.
Authority contacts
7.7
For more information concerning this matter generally, contact Matthew Hendin (direct
line: 020 7066 0236) of the Enforcement and Market Oversight Division of the
Authority.
Rob Gruppetta
ANNEX A – CMRU’S MINDED-TO LETTER
The Directors
Crosfill & Archer Claims Limited
141 Kirkstall Road
LEEDS
West Yorkshire
LS3 1JJ
Our Reference: DMT/39981/382725/AKT
Proposed financial penalty
Claims Management Regulation Unit
57-60 High Street
Burton upon Trent
Staffordshire DE14
1JS
On 17 February 2017, we wrote to you to advise that you were subject to an investigation in
accordance with Regulation 35 of The Compensation (Claims Management Services)
Regulations 2006 (“the regulations”). Regulation 48(1) of the regulations (as amended by The
Compensation (Claims Management Services) (Amendment) Regulations 2014) provides
that the Regulator may impose a financial penalty on a business if it fails to comply with the
conditions of its authorisation. In accordance with Regulation 51(1) of these regulations, I am
writing to inform you that I am minded to require you to pay a financial penalty of £140,000.
Regulation 12(5) of the regulations makes it a condition of authorisation that authorised
businesses comply with the Conduct of Authorised Persons Rules 2014. The reasons I
consider this proposed action necessary are set out below.
Due Diligence
Due to our concerns, and the receipt of further Telephone Preference Services (“TPS”)
complaints, we conducted an audit on 29 November 2016. You advised that you make live
telemarketing calls using a data set of 28,000 records and that this data had been
accumulated over a period of 4 years. We have concerns about how you have obtained this
data as you have only been authorised to provide regulated claims management services
since 10 October 2014. You later stated that the data had been accumulated over a period of
2 years.
You stated that clients had provided consent to receive marketing from you when agreeing to
your terms and conditions which contains the following statement:
“By signing the “Letter of Authority” enclosed, you agree to these terms and conditions. We
may contact you in the future to offer our products and services, if you wish to opt out, please
e-mail us… or write to us at …”
This statement does not demonstrate sufficient consent or the provenance of the data, and
you have not supplied any evidence that your clients have agreed to the consent . In addition,
the terms and conditions that you supplied during the authorisation process, and prior to the
audit completed in February 2016, do not contain this statement.
1
Any consent provided when agreeing to your terms and conditions is unlikely to be valid as it
was required for contracting with you for your services and therefore cannot have been freely
given. You have also failed to demonstrate where you obtained the original dataset of 28,000
leads, which you used to make contact with your clients in order to contract with them and
obtain this consent. As such, irrespective of the contradictory information provided regarding
the age of the data, you have not evidenced the provenance of this data or demonstrated that
you have sufficient consent to use it for telemarketing purposes.
During the November 2016 audit, you advised that you have purchased data from
and that the data was generated on
prize draw websites, but you were unable to recollect the specific sites. You confirmed later
that the websites were
and
, and that you had visited
these sites at the beginning of your relationship with
. On 6 December 2016, you
advised that you undertook enquiries prior to engaging with
including; ensuring it was
registered with the Information Commissioners Officer, requesting evidence of membership
with any trade association such as the Direct Marketing Association (“DMA”), and requesting
a copy of ‘opt ins’ and privacy policies. You supplied screenshots of the ‘opt in’ statements
and privacy policies contained on the websites, along with a sample of the data received.
It appears that some attempts were made to ascertain where the data originated from and
whether you had sufficient consent to use it for telemarketing purposes. However, these
attempts are not sufficient to satisfy the Rules. The sample you provided only contains 4 ‘opt
ins’, which is not proportionate or representative of the amount of data purchased. In addition,
the privacy policies contained on the websites are not sufficient to override TPS registration
as they do not specify that you would contact the client. They are also unlikely to meet the
requirements of specific and informed consent due to the number of different categories of
business and types of marketing listed and it is unlikely that a client would reasonably
anticipate receiving a marketing call from you or other similar businesses. Processing of data,
including using the data for marketing purposes, without valid consent is unfair and unlawful.
It is acknowledged that you have attempted to rectify these issues and you have stated that
you have stopped using historic data and no longer work with
. You have also advised
that you have a new due diligence procedure, although this has not been supplied.
Your due diligence processes are insufficient, despite receiving specific advice as a result of
our previous audit on 4 February 2016. During that audit, we identified that you were not
conducting sufficient due diligence as you were unable to establish the provenance of the
data. You were advised in the audit report and letter of warning dated 16 March 2016, that
you must complete due diligence checks on the data purchased, to conduct ongoing checks
by obtaining a sample of opt ins with each purchase order and to maintain audit trails of the
checks completed. Despite this, you have failed to implement a sufficient due diligence
process.
In addition to the specific advice provided, general advice was given to all authorised
businesses to ensure they conducted robust due diligence checks on third parties to ensure
they comply with The Privacy and Electronic Communications (EC Directive) Regulations
2003 and the Data Protection Act 1998 in a special bulletin on direct marketing issued on 21
May 2014. Additional advice about undertaking and documenting due diligence on third
parties was issued in the Conduct of Authorised Persons Rules 2014 Guidance Note on 26
September 2014.
The Guidance Note also advised businesses to operate a due diligence procedure that
verifies the source of data and to retain evidence to show the procedure has been followed
and checks have been completed. You have failed to follow this advice.
Your failure to undertake appropriate due diligence on the data used, following the audit on 4
February 2016 and audit report, demonstrates that these breaches have continued after
notification of non-compliance and advice. The failure to conduct and document due diligence
on the leads accepted from third parties is negligent and reckless, and constitutes a breach of
the following rules:
General Rule 2: A business shall conduct itself responsibly overall including, but not limited
to, acting with professional diligence and carry out the following:
d) Maintaining appropriate records and audit trails.
e) Take all reasonable steps in relation to any arrangement with third parties to confirm that
any referrals, leads or data have been obtained in accordance with the requirements of the
legislation and Rules.
General Rule 15: If required to do so the business must be registered under the Data
Protection Act 1998 and comply with obligations imposed by that legislation.
Telephone Preference Service
At the November 2016 audit, we advised you that we were in receipt of six complaints made
by clients that had registered their telephone number on the TPS register who had received
an unwanted telemarketing call from you. You had responded to the TPS stating that ‘for list
screening: Data8, called on behalf of 3rd party and manually dialled’, indicating that you
made the calls.
You advised that the data was screened against the TPS by your data supplier,
, prior
to you receiving it and it was further screened against the TPS in-house, using
, before
it was uploaded onto your dialler. You supplied invoices relating to the screening conducted
by
. Although the invoices show that data was sent to
to be screened, they do
not confirm that it was screened by
and you have not supplied any documentation to
show the checks that you completed on the screening carried out on your behalf.
On 24 March 2017, we requested the evidence of consent you held to make telemarketing
calls to the clients whose telephone numbers were registered on the TPS and had
complained to the TPS. You were not able to provide any evidence of consent for five of the
six numbers called and explained that this was because you no longer work with
. For
one number, you supplied a spreadsheet detailing an I.P. address and client information,
however the website on which consent was provided was omitted.
During our previous audit on 4 February 2016, concerns were identified in respect of your
TPS screening. In the audit report, you were advised to screen the data every 28 days and
that you must have sufficient consent to call telephone numbers registered on the TPS
register. You were also advised to purchase a TPS licence or use the services of a third
party. Despite this advice, further complaints have been made by clients who have registered
their telephone number on the TPS register.
You were also advised that you should not rely on the assurances of third parties; however,
you failed to complete any checks on the screening completed by
or
on your
behalf.
The making of unsolicited telemarketing calls to numbers registered on the TPS, without
sufficient consent, constitutes a breach of the following rules:
General Rule 5: A business shall observe all laws and regulations relevant to its business.
This includes:
Regulation 21 of The Privacy and Electronic Communications (EC Directive) Regulations
2003:
1(b) A person shall neither use, nor instigate the use of, a public electronic communications
service for the purposes of making unsolicited calls for direct marketing purposes where the
number allocated to a subscriber in respect of the called line is one listed in the register kept
under regulation 26
4 Where a subscriber who has caused a number allocated to a line of his to be listed in the
register kept under regulation 26 has notified a caller that he does not, for the time being,
object to such calls being made on that line by that caller, such calls may be made by that
caller on that line, notwithstanding that the number allocated to that line is listed in the said
register.
Client Specific Rule 4: Cold calling in person is prohibited. Any marketing by telephone,
email, fax or text shall be in accordance with the Direct Marketing Association’s Code and
any related guidance issued by the Direct Marketing Association. This includes:
Rule 1.3: Members must ensure that lists containing names and contact details are not used
for marketing purposes unless the list has been cleaned against the relevant preference
services – TPS, MPS, CTPS, BMPS, FPS and Your Choice.
Rule 3.1: Members must follow all legislation relating to the processing of data, including the
Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003.
Staff Training
During the November 2016 audit,
, assisted with the
inspection of the dialler. He was unable to navigate the dialler during the audit or to produce
reports as requested. Although you provided evidence on 12 April 2017 that showed
had received training on the DMA’s telemarketing guide, no evidence has been
provided to suggest he has been trained to use your dialler. The lack of relevant knowledge
on how to operate the dialler has the potential to cause further detriment to clients as there is
a risk of the wrong campaign being selected or settings being altered, which could lead to
marketing calls being made to clients who have specified that they do not wish to be
contacted. The lack of knowledge required to operate the dialler constitutes a breach of the
following rule:
General Rule 4: A business shall ensure that any staff or other people working on its behalf
have the necessary training and competence to perform their duties.
Financial Penalty
In order to determine an appropriate penalty, I have taken account of the turnover details that
you have provided as a result of our two requests, as well as considering the turnover you
provided for your annual fee to determine your relevant turnover for the calculation of your
financial penalty.
However, you have failed to provide a forecast turnover for April to June 2018. I have
therefore used the information you have supplied to estimate your relevant turnover for April
and June 2018, by using a monthly average as £233,699.39.
The nature and seriousness of the breaches overall was assessed in accordance with the
CMR Financial Penalties guidance scheme (please see attached). Having considered your
actions and the resulting rule breaches, it has been determined that the nature score is
escalated and the seriousness score is medium.
Nature Score: 2 (escalated)
Seriousness score: 4 (medium) Total
score: 6
Penalty Band: 5-8%
Actual Turnover 2 June 2017 to 31 March 2018: £2,318,117.83
Estimated turnover from 1 April – 1 June 2018: £475,188.76
Total estimated relevant turnover: £2,793,306.59
Proposed Penalty Percentage: 5% (rounded up)
Proposed Penalty Amount: £140,000
Number of Payments: 1
Proposed date for payment: 28 days from the issue of a notice under Regulation 52.
As we have estimated your relevant turnover, please now provide your actual turnover from 1
April 2018 to 1 June 2018.
You are invited to make written representations in relation to the proposed financial penalty
and the issues outlined above. Please ensure that any representations you wish to make are
submitted to
, who can be contacted on
or
. Any representations must be received by 15 June 2018. I
will consider any representations you make before reaching a final decision on this matter. If I
do not receive a response by the deadline, it is likely that I will decide to impose a financial
penalty as indicated above.
Yours faithfully,
Kevin Rousell
Head of Claims Management Regulation
ANNEX B – CMRU’S PENALTY LETTER
57-60 High Street
Burton upon Trent
Staffordshire
DE14 1JS
T 0333 200 0110
E contactus@claimsregulation.gov.uk FAO The Directors
Crosfill & Archer Claims Limited
www.gov.uk/moj/cmr
141 Kirkstall Road
LEEDS
West Yorkshire
LS3 1JJ
RECORDED DELIVERY
Our Reference: DMT/39981/413386/AKT
22 March 2019
Dear Sir,
Claims Management Regulation – Financial penalty
I am writing in accordance with Regulation 52 of the Compensation (Claims Management
Services) Regulations 2006 (amended by the Compensation (Claims Management
Services) (Amendment) Regulations 2014) to notify you that I require you to pay a financial
penalty.
My colleague, Mr Rousell, wrote to you on 1 June 2018 (copy of letter enclosed) to inform
you that he was minded to impose a financial penalty of £140,000 because he was
concerned that you had failed to comply with your conditions of authorisation. The letter
explained how you had breached these conditions and explained the corresponding
evidence of the failure to comply with them.
I have considered the written representations made on your behalf by
, dated 15 June 2018. As your representations stated that you had
implemented further due diligence processes, we also conducted an audit at your business
premises on 23 August 2018, so you could demonstrate your change in processes to us.
As a result of the remedial action you have taken, I now require you to pay a reduced
penalty of £110,000. The reasons for this are set out below.
Due diligence
1. You state that the due diligence carried out on data, which is subject to this
investigation, was sufficient as you took reasonable steps to ensure its compliance
with The Data Protection Act 1998 (“DPA”) and The Privacy and Electronic
Communications (EC Directive) Regulations 2003 (“PECR”). You further state that
you had a number of systems and controls in place regarding your due diligence
procedures.
Despite having received advice in relation to conducting due diligence on data in the form
of an audit report and letter of warning sent to you on 16 March 2016, you failed to
demonstrate your compliance at the audit of 29 November 2016. You have not provided
any further records, since this audit, relating to the due diligence procedures you had in
place to demonstrate they were compliant with the relevant rules and legislation at the
time. I therefore remain satisfied that you had failed to conduct sufficient due diligence on
data, leads and referrals accepted from third parties, and that a financial penalty is
necessary.
2. You state that you believe your sampling exercise to be reasonable for “establishing
the method in which the data would be supplied, along with the information which
would be obtained. There is no guidance provided by the Regulator or the
Information Commissioner’s Office regarding what is reasonable in understanding
the provenance of the data.” You say you satisfied yourself prior to purchase,
therefore, question how we can suggest imposing such a large financial penalty,
coupled with limited guidance and no conclusive ruling to adhere to.
During the audit conducted on 29 November 2016, you confirmed that you purchased data
sets that range between 20-40,000 leads per month. Following the audit, we asked you to
provide opt-ins for your data. On 6 December 2016, you provided 4 sample opt-ins for the
data you had obtained but, the sample does not specify the source of the opt-ins. You
accept that you obtained only 4 sample opt-ins and state in your representations that you
believe this to be reasonable for a sampling exercise. Although we do not provide definitive
guidance on what is a reasonable amount of data to sample, the letter of warning dated 16
March 2016 advised that you need to obtain a representative sample of opt-ins each time
you purchase data. This must be proportionate to the number of leads purchased to verify
the consent relied upon. When determining what sample size is appropriate, you should
consider the volume and frequency of data accepted, the number of sources used, and
whether your marketing has generated any complaints. The purpose of sampling data is to
ensure that the consent relied upon has been obtained compliantly. I am satisfied that 4
sample opt-ins were unreasonable given the volume of data (20-40,000 leads per month)
you were accepting at the time. In addition, the sample opt-ins provided do not evidence
the source of the data, so you are unable to establish whether the consent relied upon is
sufficient.
The guidance note accompanying the Conduct of Authorised Persons Rules 2014
(“CAPR”) states that, to comply with General Rule 2 e), businesses must “Take all
reasonable steps…. to confirm the provenance and legitimacy of third- party referrals,
leads and data…” You were also provided with specific advice in a letter of warning dated
16 March 2016. Despite this, you were unable to demonstrate the provenance of your
data. I therefore remain satisfied that a financial penalty is necessary.
3. You question in your written representations whether advice was provided on what
was ‘reasonable’ within the context of General Rule 2 e). You refer to Section 2.3 of
our Enforcement Policy, which states “informal enforcement action includes advice,
letters of warning and written undertakings.” You also refer to Section 3.1.2 of our
QS39i
3
Version 2
Enforcement Policy, which states “The advice will be set out clearly and simply in
writing, with an explanation of the timescales for completing any remedial work
required.” You state that you had not received such advice in regard to the level of
due diligence required, and so were unaware that you were not acting to a
reasonable standard.
We supplied you with specific due diligence advice during the audit conducted on 4
February 2016, and in the subsequent letter of warning dated 16 March 2016. The letter of
warning advised you to obtain a representative sample of opt-ins each time you purchased
data – which is reflective of the number of leads bought – to verify the existence,
provenance and compliance of the consent provided. The letter also required you to
enhance your due diligence process to ensure that you were aware of the provenance of
data, and ensure that the steps taken to monitor data validity were recorded each time new
data was purchased. We set a clear timescale for completing this remedial work of 30
March 2016. Despite this, you have reviewed a disproportionately small data sample and
have been unable to demonstrate the provenance of your data obtained at the time. There
was also a lot of publicly available advice in the form of guidance notes and bulletins that
was available to you during the period in which the breaches occurred. As you were
previously advised and warned in relation to your due diligence processes, I am satisfied
we provided you with informal advice and acted in accordance with our Enforcement
Policy.
4. As part of your written representations you provided a copy of the new due
diligence process and procedure you implemented in January 2017. You further
explain how a number of data suppliers have failed to satisfy your due diligence
checks and suggest that as you have not purchased data from these particular
providers this demonstrates your willingness to comply with the Rules and
legislation.
The new due diligence process and procedure you provided with your written
representations appear to take the necessary steps to ensure compliance with the Rules
and legislation when accepting data from third parties. In particular, it states that you enter
into written agreements to ensure you are able to verify and evidence a full audit trail of the
provenance of data and consent obtained. Although you have implemented a procedure to
show how you intend to comply, you did not provide any evidence that this had been
implemented. We therefore carried out an audit on 28 August 2018 so that you could
demonstrate your processes to us.
During and after audit, your due diligence records for your data suppliers
and
were assessed for compliance.
obtain data from
are re-directed to the
website via
advertisements. The due diligence records for
include
screenshots of the landing and submission pages of this website, dated 7 March 2018.
The records you supplied also provide a copy of the privacy policy on the website, but
there is no record to show when this privacy policy was live, and whether it had
QS39i
4
Version 2
changed since the consent was obtained. The records also show that you identified
that the website did not include a sufficient consent statement and this was recorded
under the ‘issue identified’ section of the due diligence form. The form provided a
consent statement to remedy the issue, however there is no evidence to show whether
the consent statement was implemented and the website is no longer available for us
to check.
The due diligence records for
, dated 30 August 2017, include a copy of the privacy
policy and call script, demonstrating a client’s consent. The records also show that you
had concerns with the provenance of the data and requested further due diligence.
Due diligence records dated 19 June 2018 showed
were processing its previous
database of leads, and were relying upon legitimate interests as the basis for the
lawful processing of the data. The due diligence checks you carried out are more
comprehensive than previously, however it still isn’t enough to satisfy the rules.
Although you have implemented a new due diligence process and procedure and due
diligence form, the checks you have carried out are not sufficient to demonstrate that the
leads were generated fairly and lawfully by your suppliers. You have recorded the consent
on which you rely for both of these suppliers, however, you were unable to demonstrate
the provenance of the data. You further failed to record the checks you carried out to
ensure your compliance with the General Data Protection Regulation (EU) 2016/679
(“GDPR”).
I therefore remain satisfied that a financial penalty is necessary due to your previous
misconduct and the remaining breaches. However, I have reduced the level of penalty due
to the improvements you have made.
Fair and lawful processing of data
5. You state that you hold sufficient third-party consent for marketing under the DPA
as the client consented to the privacy policy and the sharing of their data with third
parties. You refer to the first principle of the DPA by relying on the client consenting
to the privacy policy; therefore, you state that this satisfies the condition for
processing. You state that the data purchased in all circumstances had a tightly
defined category of business for the type of marketing you wished to conduct i.e.
“Mis-Sold PPI” or “Payment Protection Insurance”. You further state that the client,
throughout the journey and process, is directly informed that their personal data
would be shared with third parties for marketing purposes. You make reference to
guidance issued by the Information Commissioners Office (ICO) that states “In
practice, this means that the categories of companies need to be sufficiently
specific that individuals could reasonably foresee the types of companies that they
would receive marketing from, how they would receive that marketing and what the
marketing would be”. You are “confident that the categories were tightly defined”
QS39i
5
Version 2
and that the client would reasonably expect to receive telemarketing calls when
disclosing their information on the website from which the data was sourced.
The guidance you refer to within your written representations is not presented in its full
context. Paragraph 89 of the ICO’s Direct Marketing Guidance states, “Consent is not
likely to be valid where an individual is presented with a long, seemingly exhaustive list, of
general categories of organisation. The names of the categories of companies must be
tightly defined and understandable to individuals.” This sets out the requirements to rely
upon indirect consent. The consent obtained in the privacy policies does not meet the
requirements of specific and informed consent due to the number of different categories of
business and types of marketing listed. Therefore, I remain satisfied that you did not have
sufficient consent to process the data and a financial penalty is necessary.
6. Your representations query the use of the word ‘unlikely’ within the letter for the
proposed financial penalty, issued on 1 June 2018. You state that “this is not
conclusive as to a breach, especially due to this information being provided from the
ICO’s Direct Marketing Guidance rather than regulations or legislation.” You further
query how this degree of uncertainty is relied upon to impose a large financial
penalty.
Paragraph 89 of the ICO’s Direct Marketing Guidance states “Consent is not likely to be
valid…..” This guidance explains the meaning of the legislation, rather than creating best
practice obligations. The same language was used in our letter. I remain satisfied that you
did not have sufficient consent to contact clients and there was a definitive breach for
which a financial penalty is necessary.
Telephone Preference Service (“TPS”)
7. You acknowledge historic issues with your TPS procedure within your written
representations and state you made immediate changes to your process after the
audit conducted on 29 November 2016. You modified your client acquisition
process to alleviate any further complaints as you obtain specific and overriding
consent, removing the need to screen the data against the TPS. You say this
demonstrates your dedication to comply with the Regulator.
The due diligence records reviewed at audit on 23 August 2018 corroborate your written
representations. In addition, you have not received any further TPS complaints since our
letter proposing a financial penalty was sent to you on 1 June 2018. I remain satisfied that
a financial penalty is necessary for your previous misconduct. However, I have reduced
the level of penalty due to the remedial action you have taken.
Staff Training
8. You state the Regulators’ “determination of
competency based on one,
thirty minute demonstration of the dialler, to be harsh and unreasonable.” The
representations further go onto state that “
was relatively new to the
position and the Audit Process taken by a regulatory body which (can) be daunting
process.
admittedly made mistakes during the reporting processing in the
dialler on the day, however, to further make assumptions that
likely to
make a simple function error, such as select the wrong campaign or alter setting
which can cause harm is unfair.”
During the audit on 29 November 2016, it was evident that
did not have the full
competence to manage the dialler as he was unable to carry out any of the requests made
by the audit officers during the inspection, such as producing a dropped call rate report or
being able to search for CLI’s that may have been dialled.
, was
informed
was not able to fulfil the requests in relation to the dialler at the time the
dialler inspection was taking place, but no assistance was provided to
. It is your responsibility to ensure that staff have received the relevant training in
order to carry out their duties.
During the audit carried out on 23 August 2018, you provided records to show that staff
handling the dialler had received the relevant training required to carry out their duties.
During the inspection process the dialler manager was able to carry out the requests made
by the officer, such as producing daily dropped call rate reports, populating all data
uploaded onto the dialler and explaining how the data is separated into campaigns.
The records you supplied show that training provided to staff who manage the dialler was
sufficient and I have taken this into consideration when reducing the level of the financial
penalty.
Other matters for consideration
9. Your representations request that the proposed financial penalty of £140,000 is
reconsidered, as it is not representative of your actions. You further state that if the
penalty were to be imposed, this would cause huge implications and strain and
therefore you would struggle to satisfy the penalty.
I remain satisfied that you breached the CAPR and a financial penalty is necessary.
However, I have reduced the level of penalty by 1% due to the remedial action you have
taken. I will also allow you to pay the penalty in four instalments to facilitate your ability to
pay.
As a consequence, I am therefore requiring you to pay a penalty in accordance with
Regulation 52:
Actual turnover: 2 June 2017 to 1 June 2018: £2,769,614.06
Proposed Penalty Percentage: 4%
Amount of financial penalty: £110,000 (rounded down)
Number of payments: 4
The dates by which the penalty is required to be paid:
First instalment of: £27,500 by 18 April 2019
Second instalment of: £27,500 by 16 May 2019
Third instalment of: £27,500 by 13 June 2019
QS39i
7
Version 2
Fourth instalment of: £27,500 by 11 July 2019
The financial penalty must be paid to the following Financial Conduct Authority (“FCA”)
account:
Bank: Lloyds Bank
Account Name: FCA Collection account
Account number: 00828179
Sort code: 30-00-02
Swift code: LOYD GB 2LCTY
If any part of the financial penalty is not paid by the required date and either you have not
made an appeal under Section 13 of the Compensation Act 2006 or it has been
determined or withdrawn, the Regulator may enforce the full penalty or that part of the
penalty as a debt due in accordance with Regulation 53. An announcement of the financial
penalty will be published on the Claims Management Regulation website in accordance
with our publication policy.
As you will be aware, the FCA will take on responsibility for the regulation of Claims
Management Companies from 1 April 2019. As such, if this matter is not concluded by 31
March 2019, the FCA will become the Regulator for the purposes of enforcing a penalty
debt owed or responding to an appeal under the Financial Guidance and Claims Act 2018
and relevant related legislation.
Should you wish to appeal my decision to impose a financial penalty you can do so to the
First-tier Tribunal (Claims Management Services). You must send the appeal notice to the
Tribunal within 28 days of this letter.
The Tribunals Service
First-tier Tribunal (Claims Management Services)
General Regulatory Chamber
PO Box 9300
Leicester
LE1 8DJ
You can find further information about appeals to the Tribunal at
https://www.gov.uk/courts-tribunals/first-tier-tribunal-general-regulatory-chamber.
Yours faithfully,
Alison Wedge
Deputy Director
Claims Management Regulation