While we here in the United States were stuffing ourselves with Thanksgiving turkey last week, our friends at the Financial Conduct Authority in London whacked Barclays bank with a fine of £72 million ($109 million) for sloppy oversight of a huge private-client deal brimming with financial crime risk—the largest fine in FCA history for financial crime, and one worth a compliance officer’s attention.

The more you read the details of the transaction Barclays brokered, and how poorly bank executives managed it, and the reasoning behind the FCA’s decision to sanction, the more you see how this particular enforcement action speaks to so much happening in corporate compliance today. So let’s get into it.

Start with the transaction itself that got Barclays into trouble. Several rich clients—we don’t know their names, nationality, or anything else about them, even to this day—approached Barclays in 2011 to manage a complex financial transaction worth a total of $2.82 billion. These clients were so worried about maintaining anonymity that Barclays agreed to pay a $56.7 million penalty if their identities were ever disclosed, and kept the entire deal off the IT systems the bank usually uses to execute deals. The only fact we do know about them is that not only were they Politically Exposed Persons; they were specially designated Sensitive PEPs. (I swear, no matter how long I work in this business, I learn a new acronym every day.)

The deal itself involved money moved around accounts in multiple currencies. Some of the accounts were temporary, created only to hold money for a while and then closed after the funds moved elsewhere. The entire transaction unfolded over the course of 2011 and 2012.

Let’s underline one important point: The FCA has not accused the clients of any wrongdoing. The FCA has not said that a financial crime occurred, or that Barclays participated in any financial crime unwittingly or otherwise. As sketchy as all this secrecy seems (and it certainly seems sketchy to me) nobody says this transaction is connected to any money laundering or terrorism finance at all.

All this enforcement action addresses is the potential for financial crime that Barclays executives allowed to exist, for the sake of reaping huge fees and compensation. They subverted standard policies for due diligence simply to make more money—and when you get into the details of that, it’s enough to make any self-respecting compliance officer wince. So let’s get into that too.

Barclays’ offer to pay a penalty if it ever disclosed the identity of the clients—that alone speaks volumes. Namely, the bank accepted an incentive to short-circuit its normal due diligence procedures. By keeping the clients’ names off Barclays’ standard computer systems, any automated due diligence checks the bank might have run against the PEPs (with Kroll or WorldCheck or some other vendor) could not happen.

That is, Barclays granted an exception to its normal due diligence processes because of profit, not because the risk was negligible. Bank executives approved the transaction—one specifically said, “Race this through”—without doing a proper risk assessment.

That’s one lesson for modern compliance programs: approving a deal without doing a proper risk assessment is wrong, period. At best you might classify that error as a mistake done by ill-trained employees. More likely, you have a culture that doesn’t take compliance seriously if doing so gets in the way of profits. And that seems to be the case here, since Barclays had been fined a total of £418 million since 2009 for various other infractions, including at least one other instance of sloppy due diligence on customers.

The other telling detail in the Barclays sanction is about the process and structure of its compliance department. Like many banks, I suspect, Barclays had a two-step approval process for dealing with PEPs: the front-end executives who work with clients directly had to perform due diligence first, and then compliance staff had to confirm that due diligence. Except that’s not what happened here. Instead, according to the FCA complaint, we had this:

“The front office senior management assumed that the responsibility for assessing financial crime risks rested elsewhere. There was an overreliance by senior management on legal and compliance to evaluate [due diligence] as part of Barclays’ assessment of financial crime risks…”

We’ve been here before, folks. Business executives assume that the compliance department implements compliance, when the compliance community has been saying for years that compliance only helps to craft policies, procedures, and controls—the business is still responsible for doing the work of compliance. And that didn’t happen with this transaction.

Barclays has taken a few steps in the right direction lately. First, the bank agreed early on with the FCA that it would settle this case (although that partly was to win credit and reduce the amount of penalties). In recent years it has the pool of money devoted to incentive compensation, and structured its incentives to include more deferred pay, which is a good idea. It reshuffled senior leaders, including former CEO Robert Diamond, who was sacked in 2012 after the LIBOR scandal.

Still, the underlying offense is a telling tale. Perverse incentives that tempt executives to evade compliance. Disregard for due diligence. Business executives failing to take responsibility for good compliance. Punishment for allowing imprudent risks to arise rather than actual misconduct.

All of that, to my thinking, gets to what a strong corporate compliance program today is all about—discipline, ideally baked right into your corporate culture. And if it isn’t, regulators will dole out the discipline for you.

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com.