Top E&C failures: Boeing, TD Bank, RTX/Raytheon biggest compliance turkeys of 2024

As 2024 comes to a close, it’s time to look back and pay thanks. That includes the companies on this year’s list of compliance failures, who taught us all lessons in what not to do, and why. 

This year in particular offered a diverse serving of screwups, ranging from head-slapping airplane safety failures to mind-bogglingly obvious money laundering schemes.

Some companies in the defense contracting world taught us entirely new ways to fail, damaging U.S. national security in the process, when they introduced automated systems and AI to the age-old problem of leaking our nation’s secrets to adversaries overseas. 

The human costs that come from these stories can’t be ignored either. In some cases, large companies discovered child labor and human trafficking in their supply chain. Many of these high-profile disasters reminded us that if the world’s biggest companies are screwing this up, it’s likely a far larger problem than we all expect. 

With that in mind, let’s look back at this year’s biggest disasters and hopefully learn lessons from these stories of greed, mismanagement, and neglect. 

Boeing

A decade ago, U.S. airplane manufacturer Boeing was the envy of corporations around the world. A big part of its success was its exacting standards and safety measures. People felt safe flying on their planes.  

Sadly, those days are gone, and it’s directly related to failures in compliance. Boeing’s reputation is now in tatters following a seemingly unending series of disasters, including crashes, parts failures, and one airplane door that literally fell off mid-flight.  

The trouble seemed to start with two fatal plane crashes of 747 MAX airplanes in 2018 and 2019, caused by a malfunctioning flight control system. In the aftermath, the company entered into a deferred prosecution agreement (DPA) with the Department of Justice (DOJ) in 2021, as part of a $2.5 billion settlement. 

More bumps in the road followed, until the beginning of this year when a series of in-flight failures led to waves of Boeing plane groundings and inspections. Meanwhile, the DOJ notified Boeing that it had breached the DPA  and charged it with making material misstatements  to the Federal Aviation Administration (FAA) regarding compliance and safety issues. The DOJ judged that the company had failed in its attempt to design and implement an effective compliance and ethics program.  

The FAA halted production expansion of the 737 MAX, and the DOJ fined the company another $243.6 million. 

TD Bank 

U.S. regulators fined TD Bank nearly $3.1 billion  for allowing three separate money laundering schemes to funnel more than $670 million in dirty money through its network. Perhaps the worst part of all this was that the regulators hadn’t been investigating TD Bank, but rather stumbled onto the money laundering scheme while investigating a Mexican drug cartel. 

Regulators concluded that the chronic underfunding of the bank’s anti-money laundering (AML) program by corporate leadership caused the program to atrophy. Over several years, obvious red flags of money laundering activity were missed or ignored. Huge backlogs developed in transaction monitoring and the compiling of suspicious activity reports. Worst of all, the corporate culture de-emphasized the importance of rooting out and reporting potential criminal activity, leaving employees with no motivation to blow the whistle. They knew nothing would be done, so why bother? 

“TD Bank prioritized growth and convenience over following its legal obligations,” said U.S. Attorney Philip Sellinger for the District of New Jersey at the time the fines were announced. 

RTX/Raytheon

Bribing foreign officials to win contracts, providing false pricing information, fraudulently inflating prices on government contracts, and allowing foreign agents to access U.S. military secrets regarding airplanes and missile systems, Raytheon and parent company RTX had a very bad year in 2024. 

RTX paid $1.2 billion to settle four separate enforcement actions in 2024, all of which centered around the firm’s lax compliance.   

The giving away of military secrets, due to lax compliance at an acquired company  that Raytheon was slow to address was particularly galling. Sadly, this compliance deficiency wasn’t unusual: several companies, including the aforementioned Boeing, made sensitive military data available to U.S. adversaries, harming U.S. national security.  

In two cases, a manufacturer in China used the Raytheon data to make parts used in U.S. military airplanes, helicopters, and unmanned aerial vehicles, according to the U.S. State Department. 

Hyundai Motor

The Department of Labor (DOL) filed a lawsuit in May, accusing a Hyundai Motor auto parts facility in Alabama of employing a 13-year-old girl to work on an assembly line for 50-60 hours a week, for 6-7 months. 

The compliance failures were two-fold. One, somehow a 13-year-old girl was allowed to work on an assembly line that formed sheets of metal into auto body parts. Someone, somewhere inside that facility should have noticed and said something. 

But the bigger compliance question was: How was the child hired in the first place? And for that, you have the second compliance failure: Hyundai Motor’s apparent reliance on third parties to vet documents of certain workers in their facility, whether they work full-time or part-time, on contract, or on a temporary basis. The DOL alleged that parts supplier SMART Alabama and staffing agency Best Practice Service also benefitted from the child’s labor. 

Child labor in U.S. supply chains has become a more prevalent risk as thousands of underage migrant children have been found to work in the United States. As a result, the compliance community has beenencouraged to be more thorough in conducting risk assessments for child labor in their U.S. supply chains, as the DOL has sought more authority to root instances of child labor and punish the companies benefitting from it. 

Costa Coffee

A 13-year-old girl died in February 2023 after drinking a hot chocolate containing cow’s milk from a Costa Coffee store in the U.K., even though her mother told the barista her daughter had a severe allergy. It was an easily avoidable tragedy, one that has implications for compliance. 

The employee who served the drink to the girl did not follow the company’s policy regarding allergens, even though the employee had completed the company’s mandated allergen training. 

An investigation into the incident  by authorities in the U.K. found that allergen compliance at Costa Coffee and its franchisee, SBR Trading, had devolved into a “tick-box” training. 

One store manager had been allowed to take the training quiz 20 times before passing, while another said she used Google translate to help her complete the modules. Modules could be completed at home, retaken multiple times, and without any supervision or oversight, according to the investigation.  

Those practices made the allergen training almost useless. Costa Coffee, SBR Trading, and its employees did not take compliance training seriously. And that cost a teenager her life. 

Dishonorable Mentions

While these companies clearly deserve criticism, they aren’t the only ones who failed throughout the year. Here are some dishonorable mentions:

Evolve Bank & Trust/Synapse: Evolve Bank & Trust, based in West Memphis, Arkansas, is not a household name. The bank, with about $1.6 billion in assets, specializes in providing banking services to fintech through software-as-a-service provider Synapse. Synapse, in turn, helped over 100 fintechs to embed banking services into their offerings, including some that offered loans to consumers, credit card processing for restaurants, and many more.

When Synapse declared bankruptcy in May, thousands of fintech customers had an estimated $158 million of their deposits frozen. Many of those impacted had no idea that Evolve Bank was the entity that held their money. It took months for Evolve to begin returning money  to the fintech customers.

One of the biggest compliance issues that came to light in the whole affair was that Evolve allowed Synapse and some of its other fintech partners to hold co-mingled deposits in one account, without delineating the individual account holders. When Synapse collapsed, Evolve didn’t know who owned what.

Evolve Bank’s egregious compliance failures led to a cascade of regulatory actions. In June, The Federal Reserve Board ordered Evolve  to correct deficiencies in its AML, sanctions, risk management, and consumer compliance programs. Banking regulators later issued guidance  on the risks posed by bank-fintech relationships based directly on the Evolve/Synapse issues. The Federal Deposit Insurance Corp. (FDIC) proposed a new rule  that would require banks to keep better deposit records on ownership funds controlled by their fintech partners.

The FDIC: Why don’t more government agencies have compliance officers? Why don’t they have someone on staff whose job it is to promote ethical behavior, and encourage a speak-up culture within their organization? This disconnect between what regulators say, and what they do in practice, is often quite large.

After allowing sexual harassment, discrimination, and other workplace misconduct to fester unchecked for years, the FDIC has finally corrected course, following a scathing independent review  of its workplace culture. The scandal cost FDIC chair Martin Gruenberg his job, although he’s still officially on the job until the second Trump administration takes over in 2025.

Gunvor: Swiss-based oil trader Gunvor paid more than $661 million  to the Department of Justice in March to resolve violations of the Foreign Corrupt Practices Act (FCPA) regarding a long-running scheme to bribe officials in Ecuador.

And this wasn’t Gunvor’s first time attending the bribe party. Gunvor was penalized in 2019 by Swiss authorities for bribing officials in Congo-Brazzaville and Côte d’Ivoire, according to the DOJ. Repeat offender for bribes? Not a good look.

The company has taken extensive remediation measures, though. Maybe next year, Gunvor (and other companies in this story) will turn things around so well that they’ll get on Compliance Week’s “Compliance Triumphs” list.