Building a whistleblowing culture: lessons from FCA enforcement cases

The FCA’s interest in whistleblowing culture extends well beyond the formal requirements of SYSC 18. Enforcement cases, thematic reviews, and the FCA’s continuing focus on non-financial misconduct have repeatedly revealed that the quality of an organisation’s whistleblowing culture is one of the most reliable early indicators of broader governance and culture failings. Firms that suppress, discourage or inadequately respond to internal disclosures are firms where other regulatory risks — financial crime, market abuse, mis-selling — are more likely to go unidentified and unaddressed for longer.

This article examines what FCA enforcement cases and supervisory communications reveal about how whistleblowing culture fails in regulated firms, why the accountability consequences under SMCR are becoming more acute, and what senior leadership genuinely committed to building a whistleblowing culture needs to do differently.

What enforcement cases actually reveal

The Barclays case: the board’s response to whistleblowing matters as much as the disclosure itself

The Barclays whistleblowing case remains the most instructive UK enforcement example. When an anonymous letter raising concerns about a senior hire was received by the board in 2016, the then-CEO Jes Staley made repeated attempts to identify the author, engaging the bank’s security function in that effort. The FCA and PRA jointly fined Staley £642,430 and found that he had failed to act with due skill, care and diligence.

The significance of the case extends beyond the individual sanction. The FCA’s findings made clear that the regulatory standard for how senior managers respond to whistleblowing concerns is not merely that they refrain from active retaliation — it is that they actively protect the process. A CEO who instructs a security function to identify a whistleblower, even if their motivation is to understand the concern rather than to punish the person raising it, has undermined the entire premise on which internal disclosures operate.

The case also illustrated the board’s responsibility. The board was aware of Staley’s attempts to identify the whistleblower. Its response to that situation — and specifically whether board members with relevant oversight responsibilities fulfilled them — was part of the regulatory assessment. This is what SMCR personal accountability looks like in the context of whistleblowing: not just accountability for the person who caused the harm but scrutiny of those who were aware of it and did not act.

Financial crime cases: whistleblowing failure as a systemic indicator

A significant proportion of the major financial crime cases that have resulted in FCA enforcement action — and particularly those involving money laundering, sanctions breaches, and market abuse — have shared a common feature: internal concerns were raised by staff before the regulatory investigation identified the problem, and those concerns were not adequately acted on. This pattern is not coincidental.

Staff who are close to the business — traders, operations teams, relationship managers — often identify suspicious patterns before the compliance function does. Where the firm’s culture does not support raising those concerns, or where concerns raised are managed rather than investigated, the regulatory exposure accumulates. The FCA’s assessment of firms in enforcement processes routinely considers whether internal disclosures were made and how they were handled, because the answer informs the question of whether the firm was genuinely trying to manage compliance risks or was operating with wilful blindness.

Non-financial misconduct: the emerging enforcement priority

The FCA’s focus on non-financial misconduct — harassment, discrimination, bullying — as a regulatory matter has sharpened significantly. The FCA has been clear that it views non-financial misconduct as directly relevant to an individual’s fitness and propriety under SMCR and to a firm’s overall governance and culture standards. Whistleblowing is the primary mechanism through which non-financial misconduct is brought to the attention of senior leadership.

Firms where the whistleblowing culture does not support reporting non-financial misconduct — because the culture is one where such behaviour is normalised, where senior individuals are protected, or where those who raise concerns find their career progression affected — are firms where the FCA increasingly expects to find other governance failings. The Dear CEO letter on diversity, equity and inclusion published in 2023, and the subsequent focus on non-financial misconduct in enforcement, have made this connection explicit.

The common patterns of whistleblowing culture failure

Tone from the top that contradicts the policy

Many regulated firms have whistleblowing policies that are formally adequate but culturally inert. The policy describes channels, guarantees confidentiality, and prohibits retaliation. Senior leaders speak about the importance of speaking up. And yet staff do not raise concerns internally, or raise them and find the experience discouraging enough that they do not do so again.

The gap between policy and culture is almost always explained by what senior leaders actually do rather than what they say. A CEO who responds defensively to concerns about their own behaviour, a business line head whose team knows that raising concerns will affect their relationship with that leader, or an HR function that is seen as protecting the firm from employment claims rather than protecting staff from misconduct — each of these creates a cultural reality that no policy document can overcome.

Investigation processes that are not genuinely independent

The independence of the whistleblowing investigation process is fundamental to whether the process works. Where disclosures are investigated by people who report to, or have significant professional relationships with, the individual about whom the disclosure has been made, the investigation is structurally compromised before it begins. This is not always a deliberate choice — it is often the result of investigation processes designed for efficiency rather than independence.

Firms need to think carefully about who investigates what. A concern about a senior business line head should not be investigated by someone who requires that individual’s approval for their own career progression. A concern about conduct in a regional office should not be investigated by the regional manager. These arrangements are common and they reliably produce investigation outcomes that do not reflect what actually happened.

Confidentiality failures — accidental and otherwise

Confidentiality is the threshold requirement for an effective whistleblowing process. If the person making a disclosure believes — correctly or not — that their identity will become known to those they have disclosed about, they will not make the disclosure. Firms underestimate how permeable their internal processes are. A disclosure received by a small compliance team in a business where relationships are close, where the nature of the concern makes the identity of the discloser obvious, or where the investigation process itself reveals the identity of the complainant, is not confidential in any meaningful sense.

The FCA’s requirements extend beyond confidentiality — firms must take reasonable steps to ensure that employees who make disclosures are not victimised as a result. Victimisation does not require direct retaliation. Exclusion from projects, being passed over for promotion, being subjected to additional performance management scrutiny — these are forms of victimisation that are harder to identify and address than dismissal but are equally damaging to whistleblowing culture.

No feedback loop for those who disclose

One of the most consistent findings in research on effective whistleblowing cultures is that individuals who raise concerns and receive no feedback about the outcome — who never know whether their concern was investigated, whether it was found to have merit, or what was done about it — are significantly less likely to raise concerns in future and significantly more likely to report externally to the FCA or other authorities. Firms that treat the disclosure as the end of their obligation to the discloser rather than the beginning of a process that should include appropriate communication back have not understood why their arrangements are failing.

What genuine cultural change requires from senior leadership

The FCA has been explicit that senior leaders cannot delegate culture. The tone, the practical reality of what happens when staff raise concerns, and the signal sent by how the firm responds to specific cases are functions of what senior leaders do rather than what they say. Genuine change in whistleblowing culture requires senior leaders who are willing to be held personally accountable for how the firm responds to disclosures — including disclosures about their own behaviour or the behaviour of their peers.

This creates a specific challenge for SMCR firms. The SMF function holders who are personally accountable for governance and culture — the CEO (SMF1), the Head of Internal Audit (SMF5 equivalent in many firms), the Chief Compliance Officer (SMF16 in its compliance oversight incarnation) — need to be people whose response to a disclosure about a senior colleague is to ensure it is properly investigated rather than to protect the relationship. This is a character and values question as much as a competency question, and it is one that boards need to take seriously when making SMF appointments.

The Whistleblowing Champion NED exists specifically to provide board-level oversight that is independent of management. Where that individual is genuinely performing the function — reviewing patterns, forming independent views, holding management to account for the adequacy of the firm’s arrangements — they provide a structural counterweight to the cultural pressures that otherwise tend to suppress internal disclosure. Where the appointment is nominal, that counterweight does not exist.

Practical steps that signal genuine commitment

Firms that are genuinely committed to building a whistleblowing culture share certain practical characteristics. They use multiple disclosure channels — not just a single internal reporting line — including channels that allow disclosures to be received without passing through line management. They conduct regular culture surveys that specifically ask about willingness to raise concerns and perception of what happens when concerns are raised, and they track responses over time. They review the pattern of disclosures against the size of the firm and the complexity of its business, asking whether the volume is plausible — very low disclosure rates in a large, complex firm are often a sign of suppression rather than good behaviour. They train managers specifically on how to respond when a concern is raised — not just on what to do procedurally but on the behaviours that either support or undermine the culture of speaking up. And they review outcomes of disclosures regularly at board level, with the Whistleblowing Champion leading that review.

FD Capital places senior compliance professionals, risk leaders, and Non-Executive Directors in FCA-regulated firms. Where the requirement is an MLRO, CCO, or Whistleblowing Champion NED who has the combination of regulatory expertise and personal qualities that genuine whistleblowing oversight requires, we work exclusively in the regulated financial services space and understand the practical reality of these leadership roles in an SMCR context.

Written by

Adrian Lawrence FCA

Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name
Company No. 13329383

Adrian Lawrence is a Fellow of the Institute of Chartered Accountants in England and Wales and the founder of FD Capital, the UK’s leading specialist recruiter for part-time, fractional and interim Finance Directors and CFOs. FD Capital is an ICAEW-Registered Practice.
