Lessons from Barclays’ £42m AML fine

SPONSORED: Barclays' £42m AML fine seems like a big bank issue. But the same weaknesses exist in accountancy firms. Here’s how to avoid their costly mistakes.

13 Oct, 2025

Image: “Barclays Bank” by Dominic Alves licensed under CC BY 2.0.

The FCA recently fined Barclays £42 million for serious lapses in anti-money laundering (AML) risk management. The failings related to two clients: WealthTek, a wealth management firm, and Stunt & Co, a gold bullion trading business linked to Fowler Oldfield, a jeweller central to a major money laundering operation.

At first glance, you might dismiss this as a “big bank” problem. But the reality is that the same weaknesses regulators found at Barclays are often present in all regulated businesses, including accountancy practices. And what went wrong at Barclays wasn’t so much about what they did, but about what they didn’t do.

WealthTek: failing to verify permissions and basics

Barclays’ first major failing in the WealthTek matter was the failure to check whether WealthTek was authorised by the FCA to hold client money. Had it looked at the FCA’s Financial Services Register before opening the client money account, it would have found that WealthTek was not permitted to hold client money. Instead, the bank opened such an account anyway and allowed clients to deposit some £34 million.

For accountants, risk arises when you accept a client’s description of what they do or what authorisations they have, without independent verification. Suppose a client says “we have permission to manage client funds” or “we hold assets for clients.”

As an accountant you should check registers, licences, incorporation documents, and any professional body oversight. And always keep copies or screenshots of those checks. These are basic steps but the absence of them is a recurring error.

Stunt & Co / Fowler Oldfield: missing and ignoring red flags

In the Stunt & Co case, Barclays rated the client as low risk even though it was receiving large amounts of money (nearly £47 million over about a year) from Fowler Oldfield, a firm under suspicion.

Even after Fowler Oldfield came under criminal investigation, after police raids, after law enforcement told Barclays about Production Orders (formal legal requests/orders for information), and after adverse media, the risk rating was not increased, enhanced due diligence (EDD) was not applied, and ongoing monitoring was weak.

For accountants, red flags may not always come as police raids. But they do come in many forms: inconsistent financial statements, media reports, late submission of information, new business lines, sudden large transactions, changes in ownership, clients in high-risk jurisdictions.

When you see such red flags, you must ask questions, escalate internally, and possibly refuse or terminate work if concerns are serious and unresolved. Don’t treat risk assessment as a one-off.

Inadequate verification of client permissions or regulatory status

Barclays’ failure in WealthTek is the prime example: it opened accounts and accepted client money when WealthTek lacked the legal authority to do so. That one “simple check” — the Financial Services Register — would have prevented the exposure.

As an accountant, you should embed verification of regulatory status into your onboarding process. If a client claims regulatory permissions, check against the relevant regulator’s public register (FCA, HMRC, SRA etc.). If none exist, treat the client as higher risk, ask more questions, require more documentation. Always document what you found, when, and why you accepted or rejected the client.

Accepting vague explanations without evidence

Barclays allowed clients to move large sums with little more than broad statements about the source of wealth. In one instance, explanations that funds came from private investments were accepted without corroboration.

Accountants face the same risk when clients say “it’s family money” or “proceeds from property” but are reluctant or unable to provide supporting documentation. Accepting these answers without further questioning or evidence could expose you to regulatory action. Following the risk-based approach, you should carefully assess when to ask for documentary proof, whether bank statement audit trails, contracts of sale, or independent verification, and record how you reached your conclusion. Source of funds or wealth is not only where the funds were last transferred from but how they were originally generated and what the geographic origin was.

If you choose not to verify source of funds or wealth where the circumstances might suggest that would be appropriate, you should ensure you document why you made that decision. That documentary explanation would be a key part of your defence in any investigation.

Not acting on red flags

Barclays had multiple red flags: media stories, law enforcement activity, major transfers, production orders. But these were either not shared across Compliance and Monitoring teams or ignored.

For example, even after police raids at Fowler Oldfield and Stunt & Co in September 2016, Barclays did not change risk ratings or apply enhanced due diligence. It also delayed acting until after similar enforcement against other firms.

In an accountancy context, red flags could be irregular invoices, cash deposits that don’t match client profile, unexplained jumps in revenue or expense items, negative news in local press, or the involvement of unknown and unverified persons.

When such signs appear, you need escalation protocols. Who in your firm reviews such information? When do you reclassify risk? Who decides to continue the relationship or even report suspicion (if required)?

Weak ongoing monitoring

One of the key criticisms by the FCA was that Barclays performed onboarding but then failed to monitor changes in risk over time. Even after new information emerged in 2016, internal reviews didn’t happen until 2021. Barclays did not revisit or adjust the accounts or risk ratings properly in the years in between.

For accountants, it’s essential that onboarding isn’t the end. Clients’ business and financial activities evolve. Your risk assessment should be periodically reviewed — we recommend annually for lower-risk clients, possibly more often for those flagged high-risk. Monitor transactions, bank statements and client communication for inconsistencies.

Poor documentation of decisions

The FCA report found that Barclays often did not document why it considered Stunt & Co as “low risk” despite clear signals otherwise. When queries were raised or incomplete information was given, there wasn’t always a record of what was asked, what was followed up or why decisions were taken in favour of maintaining the client relationship without increased scrutiny.

Accountants should treat documentation as a key control. When you assess risk, record what information was obtained, what was missing, how you satisfied yourself or not. If you decide not to escalate or not to treat a client as high risk, record why. If you got adverse media or regulatory warnings, document when you became aware, what steps you took. That documentation will be crucial if your firm is investigated.

Steps you can implement now

To avoid the kinds of failures the Barclays case shows, you should:

1. Insist on documentary evidence for source of funds or wealth (e.g. property deeds, investment contracts, audited accounts) and refuse vague narratives.

2. Create red-flag triggers in internal processes (media alerts, regulatory notifications, customer behaviour changes). Define who reviews these triggers and what actions they prompt.

3. Schedule periodic reviews of risk because risk classification should not be static. Review annually, or sooner if a client changes business model, receives large transactions, or is linked with new jurisdictions.

4. Maintain robust documentation for every client. You should have stored evidence of what you asked, what was provided, any follow-ups, and why decisions were made (risk rating, acceptance, ongoing monitoring).

5. Train your team and make sure everyone understands what constitutes a red flag, what to ask, how to escalate. Senior management should periodically audit your AML to make sure that policies are followed.

Simple actions = big protection

What stands out in the Barclays case isn’t about exotic schemes or complex technology. It’s about failing to do the basics: checking permissions, investigating explanations, acting when new risks emerge, and recording decisions.

For accountants, avoiding compliance failures requires consistent, disciplined application of foundations. Follow the risk-based approach, verify what clients say, don’t ignore warning signs, keep an eye on clients over time, and document everything. Do these well and you reduce both regulatory and reputational risk.

About Richard Simms

Richard Simms, Managing Director of AMLCC, is in the rare situation of having become a leading authority on anti-money laundering compliance, risk management and education while working as a hands-on regulated professional himself.

Since 2007 when AML regulation for accountants was introduced in the UK, as both a chartered accountant and an insolvency practitioner, Richard has seen first-hand the challenges of implementing effective AML processes.

Working with regulatory supervisors, Richard used his unique professional insights to create AMLCC (Anti-Money Laundering Compliance Company Limited) in 2008 to make AML easier for regulated businesses worldwide.
