Issue: June 2018

U.K. - Whistleblower Protections in the UK

By: Lynne Bernabei & Kristen Sinisi

The United Kingdom’s Accountability and Whistleblowing Instrument of 2015 established a robust regime of whistleblower protections that went into effect in 2016. Last month, the Financial Conduct Authority and the Prudential Regulatory Authority decided the first test case under those provisions in a matter involving Barclays Investment Bank’s chief executive officer, Jes Staley, and his crusade to unmask a whistleblower. The regulators’ decision to levy a financial penalty against Staley and no punishment against Barclays called into question the extent to which the FCA and PRA will give teeth to the protections.

Pursuant to the new regulations, covered firms, including deposit takers with assets of £250 million or greater and designated investment firms, must develop, impose and maintain procedures for whistleblowers to disclose their reportable concerns. The instrument requires firms to implement internal procedures capable of handling reports for which whistleblowers request confidentiality and providing reasonable measures to ensure that “no person under the control of the firm engages in victimization of that whistleblower[.]”

Further, the instrument obligates firms to appoint a “whistleblowers’ champion,” who bears responsibility for “ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing ... including those policies and procedures intended to protect whistleblowers from being victimized because they have disclosed reportable concerns.” To enable whistleblowers’ champions to perform effectively, firms must provide them the requisite authority, independence, access to resources, and sufficient information to execute their duties.

A few months after the instrument became effective, in June 2016, Barclays received two anonymous whistleblower letters from the United States. Both raised issues as to Tim Main, Barclays’ chairman of the global financial institutions group, whom Staley knew from his former career at JPMorgan and had hired. After Staley learned of the letters, he engaged Barclays’ group information security team to unmask the author. When Barclays informed Staley that such conduct was inappropriate, he dropped the matter — temporarily. However, following the bank’s investigation and dismissal of the allegations, Staley reinstated the hunt through Troels Oerting, then-chief security officer at Barclays.

After Oerting got involved, the National Cyber-Forensics & Training Alliance, a nonprofit entity that seeks to identify and neutralize global cybercrime threats, contacted the U.S. Postal Inspection Service at Staley’s direction. Apparently, the NCFTA told an inspector that it sought to identify the author of the letters because they contained “inside information [that] was potentially compromised and leaked,” which constituted “a threat to the bank and [which] involved criminal activity.”[1] The employee understood that the NCFTA was investigating insider trading and directed it to point of sale information, which identified the post office at which the letters were mailed. Although the NCFTA tried to obtain video footage of the transaction, none was available, and the inspector was unable to identify the whistleblower.

Regulatory Investigations

After a Barclays employee reported Staley’s whistleblower hunt, the board of directors hired Simmons & Simmons to perform an internal investigation and notified the FCA and PRA of the allegations. The internal investigation concluded that Staley “honestly, but mistakenly, believed it was permissible to identify the author of the letter.” Following the internal investigation, Barclays reprimanded Staley and announced that it would cut his bonus due to his role in the scandal, pending the outcome of the FCA and PRA investigation. Despite calls to hold Staley accountable at the organizational level, Barclays recently declared its “unanimous confidence” in Staley. Interestingly, however, Barclays asked Oerting to leave the bank after its internal investigation, purportedly because he billed personal expenses as company expenses. Jonathan Cox, who bore responsibility for Barclays’ whistleblower program in 2016, also left Barclays in the fall of 2017, following a settlement he reached with the bank.

Around the same time, the U.S. Postal Service’s Office of Inspector General commenced an internal investigation pursuant to a complaint that its employees used their official positions to aid Barclays’ quest. Ultimately, it found no misconduct and concluded that its employees would not have used their positions to assist Staley had they known the allegations of criminal conduct were false.

Last year, the U.S. Department of Justice also undertook an investigation of whether Barclays’ or the USPS inspector’s conduct violated Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which protects whistleblowers from retaliation, or the applicable criminal laws. Further, the New York Department of Financial Services began interviewing Barclays executives from London and New York at the end of 2017. Those investigations remain pending.

FCA and PRA Report

The FCA and PRA’s investigation of the Barclays debacle was viewed as an important test case. Although the instrument gave lip service to the promise of whistleblower protection, it remained to be seen whether and how regulators would enforce the whistleblower protection provisions. Last month, the authorities concluded their highly anticipated year-long investigation. They determined that Staley failed to act with due skill, care and diligence, but they did not suggest that he lacked fitness to perform his role as CEO or that he acted with a lack of integrity. The U.K. regulators, which proposed a monetary penalty against Staley in the amount of £642,430 and no enforcement action against Barclays, delivered a blow to whistleblower advocates, many of whom sought an equitable remedy instead of merely a financial one.

Given that the FCA and PRA decision is their first under the new whistleblower protection regime, it delivered a clear message to the industry about the fervor with which the regulators will bring future enforcement actions. The regulators’ decision was unprecedented in that they never have fined a sitting CEO, but it fell short of whistleblowers’ hope for mandated top-down change in corporate culture. The regulatory fine of £642,430 provides little punitive effect, given that Staley earned approximately £4.2 million in 2016, the year in which he engaged in misconduct. The fine essentially requires him to forfeit about 15.3 percent of his compensation for that year.

More troubling, though, is the regulators’ decision not to take enforcement action against Barclays. The FCA and PRA created the 2015 instrument to clean up the financial industry following a series of fraudulent actions, such as the Libor-rigging scandal. As the instrument evidences, the FCA and PRA recognized the need to impose organizational culture changes and implement mechanisms that would provide whistleblowers the security they require to come forward. Nonetheless, the regulators failed to hold Barclays accountable for its shortcomings. With no pressure on the firm, what incentive do corporate entities have to comply with the new rule or to compel their employees’ and officers’ compliance? Even if a firm finds itself in the regulatory hot seat, it can escape enforcement action by turning over and exiting the culpable employees. As this case proves, even then, the firm may be able to retain culpable corporate talent.

It is difficult to imagine a more elaborate scheme to identify a whistleblower than the one that occurred at Staley’s direction. Multiple security services in countries on both sides of the Atlantic were engaged to hunt down the tipster. In the process, misrepresentations were made to foreign government officials, which triggered multiple foreign and domestic regulatory and criminal investigations and needlessly consumed law enforcement resources. Barclays’ own leader engaged in the quintessential whistleblower witch hunt, and with all eyes on them, the regulators kept him in place. Even if Staley did learn a lesson from his failure, as he claims, the rest of the world learned a very different one.

Lynne Bernabei

Bernabei & Kabat, PLLC

Kristen Sinisi

Bernabei & Kabat, PLLC