Financial crime compliance teams were handed a stark reminder in July 2025 when the UK’s Financial Conduct Authority (FCA) fined Barclays Bank £42 million for “poor handling” of money-laundering risks involving two high-risk clients. Barclays’ failures, related to onboarding and monitoring a gold bullion business (Stunt & Co) and a wealth management firm (WealthTek), show that simply conducting one-off due diligence at account opening is no longer enough. Risks can evolve dramatically over time, and banks that don’t continuously reassess and monitor their customers’ risk profiles face serious consequences. This blog post examines what went wrong at Barclays, the broader regulatory expectations for ongoing risk management, and how modern solutions (like Flagright’s) enable a proactive approach to prevent similar failures.
Barclays’ £42M Compliance Lesson: Onboarding Is Just the Start
Barclays’ fine stemmed from two cases where the bank failed to manage financial crime risk after onboarding the clients. In the first case, Stunt & Co, a gold dealer owned by James Stunt (a high-profile businessman later revealed as a fraudster), had an active Barclays account that was used to launder huge sums of criminal proceeds. Between 2015 and 2016, Stunt & Co received 561 payments totaling £46.8 million from Fowler Oldfield, a jeweler at the center of a major money laundering operation. Many of these were round-figure payments of £100,000, yet Barclays did not flag or investigate this anomalous pattern. In fact, the FCA found that Barclays “did not gather enough information at the start of the relationship or carry out proper ongoing monitoring” of Stunt & Co. The bank missed glaring red flags, including a 2016 police raid on Fowler Oldfield, and only launched a serious review of the account five years later, after learning that another bank (NatWest) was being prosecuted for its dealings with Fowler Oldfield. By continuing to provide banking services without enhanced scrutiny, Barclays facilitated the movement of funds linked to financial crime.
The second case involved WealthTek, a now-collapsed wealth management firm. Barclays opened a client money account for WealthTek in 2019 but failed to assess the true risk of this client. In December 2024, the FCA charged WealthTek’s principal, John Dance, with fraud and laundering £64 million of client funds, revealing that the firm had been misusing customer money. The FCA’s investigation showed that “one simple check” of the Financial Services Register at onboarding should have alerted Barclays that WealthTek was not permitted to hold client money. However, at the time Barclays’ policies did not require that basic license check, so the account was opened without full understanding of the risk. Even after Barclays updated its procedures in May 2022 to include such checks, it took another 11 months to finally close WealthTek’s account, during which time the fraud continued. The FCA concluded that Barclays Bank UK breached fundamental compliance principles by failing to organize and control its affairs responsibly in how it onboarded and oversaw the WealthTek account.
In short, Barclays treated KYC as a one-and-done exercise. The bank did not adequately verify critical information at onboarding, nor did it adjust its risk view when new warning signs emerged during the customer relationship. This reactive approach proved costly. As Therese Chambers, the FCA’s Director of Enforcement, warned: banks need to “act promptly, particularly when obvious risks are brought to their attention”. In Barclays’ case, obvious risks were present, yet the lack of dynamic risk management allowed a fraudster to slip through and ongoing red flags to go unaddressed.
One-Off Risk Assessments Aren’t Enough: Risks Change Over Time
Barclays’ missteps highlight a broader industry challenge: relying on a single risk assessment at onboarding is dangerously inadequate in today’s environment. Customer risk is dynamic. A client that initially seems low risk can, within months or years, become involved in suspicious activities or be associated with bad actors. In the Barclays case, Stunt & Co’s risk profile should have skyrocketed once it began receiving large unexplained payments (and once law enforcement raided its counterparty), but without proactive monitoring, those risk changes went unnoticed. Likewise, WealthTek may have appeared as just another fintech client at first, but the firm’s unchecked ability to pool client funds (despite lacking permission) turned it into a ticking time bomb. Periodic reviews years apart or only updating KYC records during scheduled refresh cycles clearly failed to catch these escalating risks.
Global regulators have been signalling that ongoing customer due diligence and continuous risk monitoring are expected best practices. For instance, the U.S. FinCEN Customer Due Diligence Rule explicitly requires banks to “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information”. In the EU, the European Banking Authority (EBA) emphasizes that monitoring should be risk-based and continuous: firms should adjust the intensity and frequency of monitoring as risks evolve, and use information from monitoring to update customer profiles. The Bank of Lithuania (BoL), echoing EBA guidelines, advises that data collected during ongoing monitoring must feed back into the customer’s risk assessment, rather than waiting for an annual review. “Information obtained during monitoring should be used to update KYC information… the more significant the changes observed during monitoring, the more important it is to update the customer information… and not only during the periodic review,” BoL guidance notes. In other words, if a client’s behavior or context changes (new high-risk geographies, sudden spikes in transaction volume, adverse media, law enforcement actions, etc.), the institution should promptly reassess and re-risk-rate that customer. A static risk score set on day one can quickly become outdated.
The lesson for compliance leaders: treating onboarding as the finish line for due diligence is a recipe for disaster. Instead, onboarding should be viewed as the starting point of an ongoing, lifecycle risk management process. Regular monitoring, event-driven reviews, and adaptive risk scoring are essential to capture the current risk a customer poses. This approach not only aligns with regulatory expectations across jurisdictions, but also positions institutions to catch criminal activity in real time rather than after the damage is done.
How Flagright Enables Dynamic Risk Assessment and Monitoring
Keeping pace with evolving customer risk may sound daunting, but modern RegTech solutions are designed to make dynamic risk management efficient and automated. Flagright’s compliance infrastructure, for example, helps banks and fintechs move beyond static onboarding checks to truly continuous risk assessment. Key features include:
- Dynamic Customer Risk Scoring: Flagright continuously updates each customer’s risk score based on their latest behaviors, transactions, and other data signals. Instead of a one-time risk rating, the platform recalibrates risk in real time. If a customer’s activity begins to deviate from their stated profile or starts matching known risk patterns, their risk level is automatically adjusted upward and alerts are triggered. This ensures that emerging risks (like the sudden round-number payments and surging volumes seen in the Barclays case) are promptly reflected in the customer’s risk profile, rather than remaining undetected.
- Custom Rules & Automated Workflows: Compliance teams can configure Flagright with tailored rules to catch changes or red flags specific to their business. For example, you might set a rule to flag any customer receiving large payments from previously unknown third parties, or if a client’s transaction geography shifts to high-risk jurisdictions. When such triggers occur, Flagright can automatically escalate the case, e.g. increase the customer’s risk score, route it to a compliance analyst for review, suspend certain account privileges, or request additional KYC documents. These automated workflows ensure that warning signs lead to swift action. In Barclays’ scenario, having rules to detect patterns like frequent £100k deposits or to verify a client’s regulatory status would have prompted an investigation or account freeze much earlier in the relationship.
- Real-Time Transaction Monitoring: Flagright’s platform monitors transactions as they happen, using typology-based rules and machine learning to spot suspicious patterns. This real-time surveillance is crucial for catching evolving money laundering techniques. In practice, if an account suddenly shows unusual behavior, say, bursts of transactions just under reporting thresholds, rapid large transfers from known risky entities, or flows inconsistent with the customer’s line of business, the system will flag it immediately. By comparing current activity against both the customer’s historical profile and known typologies, real-time monitoring can detect issues that static periodic reviews might miss. In the WealthTek case, real-time monitoring could have raised an alert as soon as client funds were being moved in ways that didn’t align with WealthTek’s permissions, prompting Barclays to question the activity before millions were lost.
- Holistic Customer Risk Reassessment: All these pieces come together to facilitate a holistic, ongoing risk assessment. Flagright centralizes KYC information, behavioral data, and alert history into unified customer profiles. As new information comes in (whether a suspicious transaction, a sanctions list update, or negative news article), the platform cross-references it against the profile. This means compliance officers always have an up-to-date view of a customer’s risk and can make informed decisions. Rather than relying on memory or outdated files, teams get a continuously refreshed picture. This approach embodies the regulators’ ideal: treating compliance as a continuous process where the initial due diligence is continuously enriched with new data over the customer’s lifecycle. The result is fewer blind spots and a stronger defense against being caught off-guard by a customer’s illicit activities.
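To make the three mechanisms above concrete (rules that watch for red flags, a risk score that moves as they fire, and a workflow action chosen from the new score), here is an added example written for this post. It is not Flagright’s code, and every rule name, weight, threshold, customer name and transaction in it is constructed for illustration; the `permitted_to_hold_client_money` flag stands in for a lookup against a regulatory register. The scenario replays the shape of the Barclays cases: repeated round-figure £100k credits from a new counterparty, a burst of credits just under a reporting threshold, and a firm pooling client money without the permission a register check would reveal.

```python
# Added example (not Flagright's code): a small rule-based monitor that
# re-scores a customer as each credit arrives. All thresholds, weights,
# rule names and sample data are constructed for illustration only.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Txn:
    day: int            # days since onboarding (constructed timeline)
    amount: float       # credit amount in GBP
    counterparty: str   # payer name (constructed)


@dataclass
class CustomerProfile:
    name: str
    base_risk: int                                # score assigned at onboarding, 0-100
    known_counterparties: set = field(default_factory=set)
    permitted_to_hold_client_money: bool = True   # stand-in for a regulatory register lookup
    history: list = field(default_factory=list)
    triggered: set = field(default_factory=set)   # every rule that has ever fired

    @property
    def current_risk(self) -> int:
        """Dynamic score: onboarding baseline plus the weight of every rule ever triggered."""
        return min(100, self.base_risk + sum(RULE_WEIGHTS[r] for r in self.triggered))


# Hypothetical tuning values, not regulatory figures.
LARGE_PAYMENT = 100_000.0       # a single credit this size from a new payer is notable
REPORTING_THRESHOLD = 10_000.0  # credits kept just under this suggest structuring
ROUND_REPEATS = 3               # repeated round-figure credits from one payer
STRUCTURING_BURST = 3           # near-threshold credits inside one window
WINDOW_DAYS = 7

RULE_WEIGHTS = {
    "large_payment_unknown_counterparty": 20,
    "repeated_round_figure_payments": 25,
    "structuring_below_threshold": 30,
    "client_money_without_permission": 50,
}


def is_round_figure(amount: float) -> bool:
    """Large credit in a whole multiple of £10,000 (the pattern the FCA highlighted)."""
    return amount >= LARGE_PAYMENT and amount % 10_000 == 0


def evaluate_rules(profile: CustomerProfile, txn: Txn) -> list[str]:
    """Names of the rules this new credit triggers, judged against the customer's history."""
    fired = []
    if txn.amount >= LARGE_PAYMENT and txn.counterparty not in profile.known_counterparties:
        fired.append("large_payment_unknown_counterparty")
    seen = profile.history + [txn]
    round_by_payer = Counter(t.counterparty for t in seen if is_round_figure(t.amount))
    if round_by_payer[txn.counterparty] >= ROUND_REPEATS:
        fired.append("repeated_round_figure_payments")
    recent = [t for t in seen if txn.day - t.day < WINDOW_DAYS]
    near = [t for t in recent if 0.9 * REPORTING_THRESHOLD <= t.amount < REPORTING_THRESHOLD]
    if len(near) >= STRUCTURING_BURST:
        fired.append("structuring_below_threshold")
    if not profile.permitted_to_hold_client_money:
        fired.append("client_money_without_permission")
    return fired


def action_for(score: int) -> str:
    """Workflow step chosen from the refreshed score (constructed escalation bands)."""
    if score >= 70:
        return "freeze_pending_investigation"
    if score >= 40:
        return "analyst_review"
    return "none"


def process(profile: CustomerProfile, txn: Txn) -> dict:
    """Apply one credit: evaluate rules, update the profile, re-score, pick an action."""
    fired = evaluate_rules(profile, txn)
    profile.triggered.update(fired)
    profile.history.append(txn)
    profile.known_counterparties.add(txn.counterparty)
    return {"day": txn.day, "fired": fired, "risk": profile.current_risk,
            "action": action_for(profile.current_risk)}


def run_scenario() -> list[dict]:
    """Constructed gold-dealer timeline: round £100k credits, then near-threshold bursts."""
    gold = CustomerProfile("GoldCo Ltd (constructed)", base_risk=20,
                           known_counterparties={"Refinery A"})
    credits = [Txn(1, 100_000, "Jeweller B"), Txn(3, 100_000, "Jeweller B"),
               Txn(5, 100_000, "Jeweller B"), Txn(6, 9_500, "Intermediary C"),
               Txn(6, 9_800, "Intermediary C"), Txn(7, 9_900, "Intermediary C")]
    return [process(gold, t) for t in credits]


def run_register_scenario() -> dict:
    """Constructed firm pooling client money without the permission the register check needs."""
    firm = CustomerProfile("WealthCo (constructed)", base_risk=20,
                           permitted_to_hold_client_money=False)
    return process(firm, Txn(1, 25_000, "Retail client 1"))


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
    print(run_register_scenario())
```

Running it shows the score climbing from the onboarding baseline of 20 to 40 on the first large credit from an unknown payer (routed to an analyst), to 65 once the third round-figure credit arrives, and to 95 (account frozen pending investigation) when three near-threshold credits land inside one week; the register scenario escalates on the very first credit. The design point is that the score is recomputed from the full history on every event rather than fixed at onboarding, which is exactly the behaviour the periodic-review model lacked in the cases above.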
By leveraging such capabilities, financial institutions can avoid the pitfalls that ensnared Barclays. Flagright’s tools effectively turn an AML program from a static, check-the-box function into a living, breathing system that adapts to risk in real time. For compliance leaders and risk teams, this means less reliance on hindsight and more proactive prevention.
Key Takeaways for Risk Teams and Compliance Leaders
- Onboarding is the Beginning, Not the End: Treat customer onboarding due diligence as phase one of risk management. A risk rating assigned at account opening should not be considered final; it’s a baseline that must be continually revisited as the relationship progresses.
- Implement Ongoing Monitoring and Reviews: Establish processes for continuous monitoring of customer transactions and periodic re-assessment of KYC information. High-risk customers might warrant formal review annually or even more frequently, but even outside scheduled reviews, any triggering event (unusual activity, law enforcement alerts, negative news) should prompt an immediate refresh of the customer’s risk evaluation. Don’t wait for a cycle to complete if a red flag emerges today.
- Escalate and Investigate Red Flags Promptly: Ensure your team responds quickly when obvious risks surface. In Barclays’ case, red flags like unexplained £100k payments and police raids were not adequately escalated. Create clear internal triggers, whether manual or automated, so that when such indicators appear, accounts are reviewed and, if necessary, temporarily frozen pending investigation. Speedy action can prevent a suspicious pattern from snowballing into a full-blown regulatory breach.
- Use Technology to Stay Ahead of Criminals: AML technology is crucial for managing dynamic risk at scale. Automated transaction monitoring systems, dynamic risk scoring engines, and integrated case management can handle volumes and patterns that humans might miss. Investing in robust RegTech (such as Flagright’s platform) can augment your compliance team, ensuring that no news or nuance slips through the cracks. This not only helps catch illicit behavior early but also documents your diligence, a critical factor if regulators come knocking.
- Align with Evolving Regulatory Expectations: Regulators globally, from the FCA and EBA in Europe to FinCEN in the U.S., are explicitly expecting a proactive, risk-based approach to AML compliance. Firms should regularly update their policies to reflect the latest guidance (for example, checking regulatory registers for client permissions, as the WealthTek case illustrated). Staying current with guidance and embracing best practices for ongoing customer due diligence will both improve your risk posture and demonstrate to supervisors that your program is up to standard.
In summary, the Barclays saga underscores that a static compliance program can leave even the largest institutions vulnerable. The cost of complacency, in fines, remediation, and reputational damage, far outweighs the investment in building a dynamic, responsive risk management framework. Onboarding is just the starting line in the fight against financial crime. By continuously monitoring customer behavior, updating risk assessments with new information, and leveraging agile compliance tools, banks and fintechs can stay one step ahead of bad actors and regulators’ expectations.
As a next step, consider how your organization can implement these lessons. Explore Flagright’s compliance infrastructure to see how dynamic risk assessment and real-time monitoring can be seamlessly integrated into your operations. With the right technology and mindset, compliance teams can transform their programs from a checkbox function into a strategic shield, preventing the next financial crime fiasco before it happens.