New Lessons from the Barclays Whistleblowing Case
05 Apr 2019

KYC360 readers will remember that in May 2018 the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) jointly fined Barclays CEO Jez Staley £642,430 for violating a conduct rule requiring individuals to act with due skill, care and diligence. The penalty related to his two attempts to identify whistleblowers who had raised concerns to Barclays executives, in two separate letters, about the prior conduct of a senior manager the bank had just recruited.

As part of that penalty, the FCA and PRA required Barclays to submit an annual report to its UK regulators on any allegations against its senior managers as well as any attempts to identify anonymous whistleblowers in any case whatsoever. Under the terms of the enforcement action, designated “whistleblower champions,” approved by UK regulators as senior managers, must personally attest each year to the soundness of the bank’s whistleblowing systems and controls.

And so the matter seemed resolved. Then, in mid-December, the New York State Department of Financial Services (NYDFS) announced its own regulatory action against Barclays, as well as against the New York branch where Staley maintained an office. Although the state’s $15 million penalty grabbed headlines, a careful reading of the department’s documentation reveals a number of facts not included in the FCA Final Notice. From these can be drawn new lessons on the sequence of events that led to the penalties.

Bending the rules

Barclays appeared, in the view of the NYDFS, to have a suitable set of policies and procedures, a competent and well resourced department to handle and investigate whistleblowing complaints and an annual training programme advising staff of how to raise concerns and address related matters. Nevertheless, “it appears that the positive cultural transformation, which Group Compliance has been working hard to instil in more than 100,000 Barclays employees worldwide, was not nearly complete,” the department concluded.

The NYDFS also directly criticised Staley for seeking to identify the whistleblowers and discussing the matter with people outside of the institution. Both actions were in direct contravention of Barclays’ policies, the regulator said.

What’s more, both the group chief compliance officer (GCCO) and the group general counsel (GCO) advised Staley in a meeting on 29 June 2016 against trying to discover who had mailed the letters. The following month, Staley received the Monthly Whistleblower Champions’ Report, which indicated both letters were being treated as whistleblowing complaints. A few days later, on 9 July, the head of Investigations and Whistleblowing reminded Staley that he should not attempt to discover more about the individuals. But within three days, without consulting either the GCCO or the GCO, Staley took steps to uncover the identify the sources of the complaints.

By all accounts, Staley’s actions appear to have been a genuine attempt to protect a friend against what he believed to be a malicious and unjustified attack–one that could also hinder his ability to hire senior executives going forward. But he undermined the bank’s policies and exposed it to additional risk by discussing the letters with two ex-colleagues who had never worked for Barclays, the New York regulator concluded.

Enough blame to go around

The NYDFS also noted that Staley was not exclusively at fault for the infractions, as other senior executives and members of the board of directors also failed to act properly.

Staley’s chief of staff, for example, had been present in the meeting between his principal and the GCCO and GCO on 29 June 2016, when Staley was advised not to investigate the whistleblowers. A week later, the head of Investigations and Whistleblowing informed the chief of staff that the letters were being treated as formal complaints. Given that context, the NYDFS found it surprising that the chief of staff raised no objections when Staley disclosed a few days later that he would try to find out the names of the whistleblowers. Nor did the chief of staff seek confirmation from the GCCO or the GCO that Staley’s plan had indeed been cleared.

Whilst the board of directors acted properly in commissioning an independent investigation when Staley’s own actions were “whistleblown” to them in January 2017, it had failed to act in June 2016 when several members received the first letter, according to the department. The regulator found no fault in the fact that the board discussed the letter with Staley, since it included allegations (subsequently rejected) that he had compromised Barclays’ hiring process to assist a friend, but members failed to ensure that Staley had no further involvement in the investigation. In a nod to recently implemented FCA Rules on whistleblowing, the NYDFS also criticised the board for not proactively supervising the case.

Dissonance at the top

The New York regulator also recognized the validity of what has become something of a truism in the compliance world: that the so-called “tone at the top” can have a very important effect on institutional culture. While Barclays executives had taken appropriate steps to comply with new regulations on whistleblowing programmes, “a senior, influential” member of Barclays staff made it known within certain divisions of the bank that “if you are not prepared to stand up, be counted and put your name on something, why should we listen to you?”

This mixed messaging could have led Barclays staff to believe that the bank was not serious about its whistleblowing programme, that whose who spoke out would be ignored and that they should not expect to be protected. Accordingly, the department criticized the bank board and its senior managers for not clearly communicating policy goals to staff.

Selective policy enforcement

Although Barclays’ whistleblowing procedures seemed at first blush to be adequate, the bank had left out two important scenarios: what to do if a whistleblower’s allegations implicate senior management and how executives should handle complaints they directly receive. The NYDFS noted that the “controls in place at the time failed to address this circumstance.”

At the time, Barclays’ policies required staff to undergo annual training on whistleblowing that included an overview of how individuals could speak out anonymously and what protections they should expect when doing so. But the bank’s most senior managers and its board directors were exempted from this requirement–an exception that the NYDFS found “concerning” given the likelihood that related decisions would be made by individuals in the highest echelons of the institution.

At the very least, it could be suggested that this exemption sent the wrong message to staff: bank management isn’t interested in problems reported by whistleblowers.

Lessons to be learned

Compliance staff may draw many lessons from the Barclays saga:

  • Policies and procedures, in all but very rare circumstances, should apply to all staff, from the lowest-paid staff member up to the chief executive and the chair of the board of directors.
  • Equally, senior managers and board directors must ensure that policies and procedures are adhered to by seeking proper assurances rather than simply assuming compliance.
  • A consistent “tone at the top” is critical in demonstrating to staff that compliance with the bank’s policies and procedures is important. Any inconsistent messages or actions may lead to staff confusion and lack of “buy in.”
  • Suitable corporate governance procedures are critical in ensuring that those at the top of an organisation properly direct staff in proper implementation.
  • Training in whistleblowing issues in particular, and compliance matters in general, should be compulsory for all staff, even the chief executive. Staff may ponder what impression an exemption from training for the chief executive and other senior management gives, and whether it is a key element of an adequate “tone at the top”
  • Barclays previously had given the NYDFS assurances on two occasions about its whistleblowing systems. It is important that, when assurances are given to regulators, subsequent actions are consistent with their words.

In conclusion, compliance staff should carefully review the NYDFS documentation and consider whether similar events could occur at their firm. If so, they might learn from Barclays’ mistakes.

Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.

He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.

You can claim CPD minutes for this content, by signing up to our CPD Wallet

FREE CPD Wallet