NYDFS fines Barclays US$15 million for Staley's pursuit of informant
Chris Hamblin, Editor, London, 17 January 2019
In June 2016, and again in July, Barclays CEO Jes Staley asked his staff to track down the identity of an informant who complained about his recruitment of a friend. For this breach of Barclays' own internal policies and New York banking law, the city's financial regulator has fined the banking group and obliged it to embark on a campaign to follow "best practices for whistleblowing programmes."
Jes Staley directed his head of group security to identify the author(s) of two anonymous letters sent to various board members which concerned the recruiting and employment of a recently-hired senior executive and friend of Staley's that Staley had recruited to Barclays. Since he became CEO in 2015 Staley has been based at Barclays headquarters in London but also has a second office at the bank's 215-strong New York branch.
In 2015, in anticipation of new British regulatory rules that were to about to come into force, the bank consolidated most of its so-called whistleblowing functions into an investigations and whistleblowing division called the I&W team. It is to this team that Staley ought to have handed the letters, according to the bank's policy, without distributing them to anyone else.
Before Staley joined, Barclays had already made some representations to the NYDFS about its efforts to treat informants fairly and anonymously in 2015 in the wake of two consent orders that the NYDFS had imposed on it to remedy its transgressions in the FX trading scandal. This seems to have given the department its main pretext for intervention. It is also possible that the author of the letters was American, as he went by the name of John Q Public; an Englishman writing in similiar vein would have called himself Joe Bloggs. He claimed to be writing on behalf of a group of long-time Barclays shareholders, of whom he was one.
The two letters
The first letter questioned the new executive’s fitness to work at Barclays and also criticised Staley’s part in soliciting him to join Barclays in the first place. Press speculation has alighted on Tim Main, formerly of JPMorgan Chase where Staley also served, as the likely man. Main, who headed up the North America Financial Institutions Group at JPMorgan Chase, has been chairman of the Global Financial Institutions Group at Barclays since June 2016. The NYDFS's consent order says that the second anonymous letter, which a member of Barclays’ US senior management received on 24 June 2016, "stated explicitly that it was from a group of 'concerned' Barclays employees in the Financial Institutions Group or 'FIG,' which was the Barclays division that had been joined by the new executive."
The second anonymous letter raised concerns about the qualifications and fitness of the new executive that resembled those of the first very closely. It was signed 'Concerned FIGers.' Staley received a copy shortly afterwards. He asked the chief information security officer (CISO) to ascertain the author's identity. The CISO then enlised the help of an American Barclays cybersecurity intelligence analyst, who asked his police contacts for help. Both the group general counsel and the head of group human resources told the CISO that this was a 'whistleblow' and therefore had to be treated anonymously, but he pressed on. At another meeting the group chief compliance officer and the general counsel firmly advised Staley against trying to identify the author(s) of the two letters. None of this, however, was written down in a document by anyone in group compliance. Later, the head of I&W told the CISO not to make any further efforts to identify the author(s) without express approval from group compliance and informed him that, as a general matter, efforts to identify a whistleblower were almost always improper. Days later, the I&W chief told Staley that the letters were being treated "as a whistleblowing matter," exhorting him not to make any attempts to identify the author(s) and adding that the very narrow permissible exceptions to the rule that everything ought to be treated as confidential did not apply to this case in the slightest. He came away with the impression that Staley had agreed not to try to identify the authors. As before, no record was written down by group compliance. Staley redoubled his efforts to unmask the author(s) just three days later.
How to enlist help from the Postal Service
Using cyber-forensics to pinpoint the post office from which the first letter had been sent, the CISO's analyst friend obtained help from a postal inspector at the US Postal Inspection Service, the criminal investigation division of the US Postal Service, telling him that the letter was "a threat to the bank" and involved "potential criminal activity." He (or whoever else may have sent the message) never told USPIS that the letter only pertained to the humdrum hiring of an executive, that the bank was under no imminent threat at all, and that there was no evidence of criminal activity so far. In handing out false information in this manner, according to the NYDFS, Barclays was guilty of breaching 3 NYCRR section 300.1(a). (NYCRR are the New York Codes, Rules and Regulations.) Despite all these desperate efforts, however, the trail soon went cold and the investigation stalled.
The final verdict
The NYDFS does not lay all the blame for this misconduct on Staley's shoulders. The consent order states: "While senior management had taken essential steps to implement an appropriate whistleblower programme following changes to UK law, a few influential members of the bank's top echelon had not yet fully embraced the critical importance of protections for anonymity in whistleblowing."
Staley has taken responsibility for his actions, apologising in public and consenting to be punished by the UK's Financial Conduct Authority and Prudential Regulation Authority. He was fined a total of £642,430 and Barclays clawed back £500,000 of his bonus over the matter. The New York regulator has found that the board was complacent and at fault as well. Although Barclays' annual whistleblowing training requirements were supposed to apply to all bank employees, they exempted its most senior managers and members of its board.
The NYDFS has persuaded a federal court to find that Barclays conducted its banking business in an unsafe and unsound manner by failing to implement effective governance and controls with respect to its whistleblowing programme, in breach of New York Banking Law section 44.