A banking boss’s decision to leak client details to a journalist is likely to cost the industry millions in new compliance checks as U.K. regulators prepare reviews into how banks treat people with extreme political views and whether they are subject to excessive and illegal monitoring.

NatWest’s now-former Group Chief Executive Alison Rose broke the most basic rule on confidentiality and told a BBC reporter that Nigel Farage—the U.K.’s face of Brexit and anti-immigration—had his bank account canceled because he didn’t meet the necessary wealth criteria.

Farage was a customer with Coutts bank, a financial institution that advises that account holders be able to borrow at least £1 million (U.S. $1.3 million) or hold £3 million in savings (U.S. $3.8 million) with it. Coutts is part of the NatWest Group.

In June, he posted on X, formerly Twitter, that his bank had decided not to do business with him—apparently with no explanation. Days later, the BBC ran a story saying Farage had fallen below the financial threshold required of high net worth individuals to keep an account at Coutts and was therefore offered a standard NatWest account.

Immediately, Farage told the press it was not his bank balance that was the problem. It was his right-wing political views—he was being shunned for being a “politically exposed person” (PEP), a term usually reserved for kleptocrats and associates of dictators accused of funneling dodgy cash through illicit accounts.

He questioned why the bank had leaked the information, made a subject access request to get background intel regarding the decision, and created a maelstrom in his wake.

Farage received a 40-page document—which he gave to the Daily Mail to publish in full—that proved his suspicions were correct.

The dossier of evidence Coutts had built on him on behalf of the bank’s wealth reputational risk committee showed Farage had been monitored for months and that the bank wanted to “exit” him as soon as practicable. It concluded there were “significant reputational risks of being associated with him” and, given his publicly stated views, retaining Farage as a customer was not “compatible” with the bank’s “position as an inclusive organization.”

The report highlighted choice examples of Farage’s alleged “xenophobic and racist” remarks. The dossier made it clear, however, that “despite the adverse press, from a legal perspective [Farage] had not been charged of any wrongdoing and is not subject to any regulatory censure.”

After the document was published, Rose issued an apology and a statement.

“The deeply inappropriate comments made in the now-published papers prepared for the wealth reputation risk committee do not reflect the view of the bank,” she said.

While Rose said legally held political and personal views do not lead to customers being exited, she noted unspecified “reputational considerations” were still a legitimate way to close accounts so long as the process was “sufficiently transparent.” She commissioned a review to investigate these processes.

Cue the furor.

The prime minister and other government ministers lined up to question why banks thought they had the right to close people’s bank accounts for their political and public views and raised the prospect of a sectoral review into their conduct around their treatment of PEPs.

Regulators also stepped in. The Financial Conduct Authority (FCA) wrote to NatWest and Coutts to raise its concerns about account closures and breaches of confidentiality, while the Information Commissioner’s Office (ICO) wrote to all banks underlining the importance of customers’ rights to privacy under the General Data Protection Regulation (GDPR). The ICO warned banks about abusive practices such as trying to collect “unduly unexpected” data—even for suspected PEPs.

On July 26, Rose resigned—a day after NatWest’s chairman and the former head of the FCA’s predecessor, the Financial Services Authority, Howard Davies, backed her. Peter Flavel, the head of Coutts, resigned July 27.

On July 28, NatWest appointed law firm Travers Smith to carry out an independent, two-phase review that would examine not just the circumstances around the decision to close Farage’s account and leak the details but also the circumstances that led the bank to close other accounts over the preceding 24 months.

On Sept. 5, the FCA launched its review into the treatment of U.K.-based PEPs by financial institutions.

The episode is troubling for many reasons, and change is likely to result from it. The fact banks have the power to drop customers because of unpalatable political or personal opinions is ripe for reform. It would also be highly unusual if other banks had not monitored customers to find evidence of their views in the way Coutts did with Farage.

If that is the case, where are banks gathering this information from and how do they use it? If such nonconsensual data gathering is taking place—and if someone has been negatively impacted as a result, such as receiving a bad credit score—the banking sector could face the type of GDPR fines often threatened against tech giants.

The Coutts fiasco is also likely to raise questions about how effective “tone at the top” really is when it comes to holding chief executives to account and why boards—even those featuring former regulators—dither about whether they should sack rather than back bosses who have blatantly broken the rules.