Behind the Barclays Fines: Why Risk Assessments Still Miss the Point

The recent enforcement actions by the FCA against Barclays Bank Plc and Barclays Bank UK Plc, resulting in combined penalties exceeding £42 million, offer a textbook case of what happens when financial crime controls are disconnected from real-world risk. 

The cases highlight fundamental weaknesses: the onboarding of a high-risk customer whose business model changed significantly over time; a failure to investigate a close commercial relationship with a convicted money launderer; delayed or absent escalation following law enforcement alerts; and over six years of missed opportunities to reconsider a “low” risk rating that should never have been assigned in the first place. 

But across the exhaustive documentation of failings, one critical topic is conspicuously absent: the role of the firm’s Business Wide Risk Assessment (BWRA). 

Given the regulatory and operational significance of the BWRA as the foundation of a firm’s financial crime risk framework, its absence is not just surprising. It is revealing.

The Silent Framework: A Missing Piece in the Regulatory Narrative 

At no point in the Barclays final notices does the FCA reference whether, or how, the BWRA informed the firm’s understanding of the risks posed by customers like Stunt & Co, a business engaged in gold trading with suppliers in West Africa and clients in the Middle East, yet inexplicably classified as “jewellery retail” and assigned a low risk rating for most of its relationship. 

Nor is there any indication that Barclays’ BWRA played a role in identifying the inherent risks of exposure to high-risk sectors, unverified sources of wealth, or repeated contact with law enforcement. There is no evidence that the BWRA served as a feedback mechanism to challenge the accuracy of risk scoring, alert thresholds, or control prioritisation. 

This isn’t just a gap in the FCA’s analysis. It is an industry-wide blind spot. 

Why BWRAs Fail to Influence Risk 

Too often, BWRAs are written retrospectively and built around abstract regulatory risk factors (“jurisdiction”, “customer type”, “delivery channel”) rather than plausible events. The output becomes a narrative summary that catalogues existing controls rather than challenging their effectiveness or alignment.

As a result, BWRAs frequently fail to: 

  • Model specific financial crime events (e.g., laundering criminal proceeds through high-value commodity trades), 

  • Capture how controls interact dynamically to mitigate those events (e.g., onboarding due diligence + adverse media alerting + production order handling), 

  • Reflect actual control performance (e.g., missed periodic reviews, unverified risk rating assumptions). 

Barclays’ case reflects the consequences. Despite red flags being visible as early as 2015, including inconsistencies in stated business activity, significant unexplained fund flows, and police raids, the relationship with Stunt & Co remained rated low risk, and control interventions were fragmented, delayed, or absent.

How Our Alternative BWRA Approach Would Have Caught This 

Our methodology flips the script. Instead of starting with compliance categories, we begin with specific, plausible financial crime events, the kind that actually occur in complex customer relationships. 

Let’s take three failures in the Barclays case and illustrate how they would have been surfaced and managed through our approach: 

1. Unverified Source of Wealth: A Trigger Missed, a Risk Unacknowledged 

Barclays repeatedly failed to verify James Stunt’s source of wealth, despite longstanding internal concerns and a protracted KYC refresh process. The bank relied on generalised, unsupported statements from an accountant, rather than securing verifiable documentation. No further escalation was recorded, even though source of wealth verification is a foundational control in onboarding higher-risk customers. 

In our methodology: This type of exposure would likely have been highlighted through the mapping and evaluation of preventive and escalatory controls tied to customer due diligence, particularly those designed to validate the origin of funds, test documentation completeness, and prompt review when verification processes stall. 

While the methodology cannot in itself prove whether controls are operating effectively, it would have elevated the visibility of weakly evidenced onboarding and prolonged verification gaps. Residual risk would have remained high, driving further scrutiny and likely escalation, whether to enhanced due diligence or to a decision forum empowered to delay or suspend onboarding pending resolution.

2. Adverse Media and Law Enforcement Alerts: Known But Not Actioned 

Barclays received multiple law enforcement enquiries and production orders regarding Fowler Oldfield, alongside clear adverse media links between Fowler and Stunt & Co. Yet, this intelligence was handled in operational silos. The information never reached those responsible for customer risk ratings or ongoing monitoring, and there is no indication that it influenced any control recalibration or customer exit decisions. 

In our methodology: This type of breakdown would likely have been identified through the analysis of detective and escalation controls concerned with the intake, triage, and internal distribution of external threat intelligence. These controls are critical not just for regulatory compliance, but for ensuring the institution can translate external insights into internal action. 

The methodology would prompt scrutiny of whether such signals were consistently integrated with customer profiles and used to trigger reassessment. While the adoption of the methodology alone cannot verify whether that happened in practice, it would have flagged the absence of linkage as a material risk exposure, indicating the need for control testing, potential re-risking of the customer, and strengthening of the institution’s intelligence-handling processes. 

3. Inaccurate Risk Rating: A Control That Failed Silently 

Stunt & Co was assigned a low risk rating at onboarding and retained it through much of its lifecycle, even as its financial activity, business model, and relationship to a known money laundering case changed significantly. The firm received over £46 million in funds from a jewellery company under investigation, yet no systematic challenge or reassessment was triggered. Annual reviews were missed altogether, based on the outdated risk rating. 

In our methodology: This type of failure would likely be surfaced through the evaluation of detective and corrective controls responsible for identifying behavioural outliers, triggering risk rating reviews, and ensuring that significant changes in customer activity do not go unchallenged. 

The methodology would prompt attention to missed review cycles, deviations from expected turnover, and associations with higher-risk sectors (such as gold trading), not in isolation, but as part of a layered view of risk posture. While the BWRA does not itself re-risk customers, it would have raised flags where these control mechanisms were either not operating as designed or were not appropriately joined up, driving prioritisation of control testing and remedial review. 

Turning the BWRA into a Risk Operating System 

The absence of any meaningful reference to the BWRA in the FCA’s analysis of the Barclays case should concern us all. If the BWRA were functioning as intended, it would have served as the very lens through which these risks were identified, prioritised, and mitigated. 

Our alternative methodology turns the BWRA from a static document into a dynamic risk operating system, where: 

  • Risk events are modelled based on how financial crime actually occurs. 

  • Controls are mapped by function, not policy label. 

  • Residual risk is calculated based on performance, not paper. 

  • Internal and external threat signals are integrated continuously. 

  • Outputs feed into resourcing decisions, thresholds, and governance. 

This is not just a better BWRA. It’s a different way of thinking about risk altogether. 

A Better Way Forward 

The Barclays case doesn’t just expose failings in control execution. It exposes the structural limitations of how risk is conceptualised, assessed, and managed at system level. 

We don’t need better policies. We need a better mindset, one that recognises that financial crime risk is emergent, dynamic, and interconnected. 

The BWRA, properly designed and implemented, is the one framework capable of holding that complexity. But only if we stop treating it as a compliance artefact and start building it as a strategic tool. 
