Following a joint FCA and PRA investigation, James Staley the CEO of Barclays Group has been fined a total of £642,430 for failing to act with due skill, care and diligence in the way he acted in respect to an anonymous letter received by Barclays in June 2016. The PRA and FCA imposed identical penalties of £458,000 each on Staley, with a 30% discount for settlement. The PRA and FCA have also agreed special requirements with Barclays whereby Barclays must report annually, detailing how it handles whistleblowing, with personal attestations required from those senior managers responsible for the relevant systems and controls.
In June 2016, a member of the Barclays' Group board received an anonymous letter from an individual outside the bank raising concerns about a senior employee, Barclays' process for hiring him and Staley's role in dealing with those concerns at a previous employer.
Following the receipt of a second letter, this time expressed to be from a Barclays' employee, Staley became concerned the letters were part of a campaign aimed at undermining his hiring strategy and instructed Barclays' Security to try to identify the first letter's author. However, Staley was told that Barclays' Compliance might be treating the first letter as a whistleblow and should not attempt to identify its author. Staley and Security accepted that advice.
Subsequently, Staley was provided with an update from Compliance that the allegations were unsubstantiated and that the investigation was about to be concluded. Staley mistakenly understood this to mean the writer of the first letter was no longer being treated as a whistleblower. However, he failed to confirm this with Compliance and gave instructions to Security to try to identify the author, leading to Security taking steps to identify where postage for the letter was purchased and seeking video evidence.
The PRA and FCA determined that Staley failed to comply with Individual Conduct Rule 2 (ICR2) which provides that he must act with due skill, care and diligence. However they did not find that he breached his obligation to act with integrity. In particular, the PRA and FCA found that Staley:
- Failed to appreciate that the allegations in the letters in part related to him, that there was a conflict of interest and that therefore he should have distanced himself from the investigation and response.
- Failed to recognise that as a non-expert in whistleblowing he should have consulted explicitly with those in Barclays who had primary responsibility and therefore expertise in whistleblowing.
- Failed to recognise that there was a real possibility that the first letter fell within the scope of Barclays' whistleblowing policy and that attempting to identify the first letter's author or to put pressure on them risked leading to the author of the second letter, an employee, being put under pressure.
The PRA and FCA pointed out that:
- Given the role of the CEO, the standard required of Staley under ICR2 is more exacting than for other employees and that CEOs need to ensure that appropriate standards of governance (including independence of decision-making) are maintained.
- Whistleblowers play a vital role in exposing poor practice and misconduct and that it is critical that individuals who wish to raise concerns feel able to speak up anonymously and without fear of retaliation.
In addition to the penalty imposed on Staley, Barclays has "volunteered" to requirements which require it to notify a number of matters to the FCA and PRA each year between 2018 to 2020. Those matters include details of all whistleblowing cases involving senior managers or directors, those cases where it has sought to identify anonymous whistleblowers in accordance with its policies and any cases where an individual alleges they were the subject of retaliation by Barclays for whistleblowing. The responsible senior managers will also have to attest to compliance with whistleblowing rules and policies on an annual basis.
Some commentators have queried why Staley was not subject to a ban for his actions. However, the facts point to negligence rather than deliberate wrongdoing and applying its level 1 to 5 penalty regime, the FCA imposed a level 2 penalty (10% of his salary) – the lowest level which gives rise to a financial penalty (the standard penalty for level 1 is a 0% fine). The PRA applies a less prescriptive penalty policy than the FCA, but has nevertheless imposed an identical fine.
Of note is that this is the first time that the PRA and the FCA have investigated the same individual for precisely the same wrongdoing, publishing notices which are virtually identical. In the past, the PRA or the FCA have either deferred to the other regulator (for example the PRA pursued Co-op Bank executives, leaving the FCA to pursue the Chairman) or, where they have pursued the same individual, it has been for separate and distinct breaches arising out of the same facts. Nevertheless, in Staley's case, neither the PRA nor the FCA have taken account of the other's penalty in imposing theirs. Staley might consider himself unlucky that he is dual regulated – arguably resulting in a doubling of the appropriate penalty.
The PRA and FCA in their joint press release state that this is the first case brought by the FCA and PRA under the Senior Managers Regime. However, the rule requiring individuals to act with due skill, care and diligence has existed in substantially the same form since 2005 and, in truth, the Senior Managers Regime has little to do with this case.