top of page

Red Flags, Raised & Ignored: The Cultural Failure Behind Every Fine

  • Writer: Elizabeth Travis
    Elizabeth Travis
  • 16 hours ago
  • 6 min read

Stack of white papers covered with colorful sticky notes in pink, green, orange, and yellow on a desk, suggesting busy office work

When the Financial Conduct Authority (FCA) fined Nationwide Building Society £44m on 12 December 2025 for anti-financial crime systems and controls failings between October 2016 and July 2021, it read like a familiar story of weak technology and incomplete due diligence. The regulator described ineffective systems for keeping customer risk assessments current and for monitoring transactions, failings serious enough that the society missed a customer using personal accounts to receive fraudulent Covid furlough payments. Yet the decisive fact sat beneath the penalty. Internal audits had flagged the problem for years. The systems were not absent; the will to act on them was.


Controls do not fail in isolation


Every compliance failure is eventually translated into the language of systems. A transaction monitoring rule that did not fire. A sanctions filter that missed a fuzzy match. A suspicious activity report drafted but never escalated. The vocabulary is comforting because it locates the fault in something fixable, something that can be procured, configured and audited. It promises that the next control will hold where the last one failed.


The Nationwide case refuses that comfort. The FCA found that the society knew about the weaknesses, had begun work to fix them, and still did not address them in an effective or timely way. A control known to be broken and left unrepaired for years is not a technological failure. It is a decision, taken daily, by people who chose other priorities. The framework existed. The judgement that should have animated it did not.


This is the pattern beneath the largest enforcement actions of recent years. Controls are rarely missing outright. They are present, documented and demonstrably weak, and the organisation around them has learned to live with the weakness. The question is never why the control failed. It is why nobody insisted it work. That answer is always cultural.


Behaviour decides whether a control is real


Consider the three functions that consume most compliance resource: customer due diligence (CDD) at onboarding, the filing of suspicious activity reports (SARs), and sanctions screening. Each is governed by detailed procedure. Each can be evidenced in a policy document. And each turns, at the decisive moment, on a person choosing the harder path.


CDD is only as good as the analyst willing to reject a profitable client whose source of wealth does not reconcile. Procedure can mandate enhanced checks; it cannot manufacture the nerve to escalate when a relationship manager is pressing for sign-off and the money runs the other way. The SARs regime is no different. It depends on people who file when the evidence is ambiguous and the easier course is to assume innocence. Even sanctions screening, the most automated of the three, resolves to a person deciding whether a flagged match is a genuine hit or noise to be cleared from a queue. Automation narrows the discretion. It never removes it.


The control is a scaffold. What holds the building up is the disposition of the people standing on it. A firm can buy a better screening engine. It cannot buy the instinct to treat an uncomfortable alert as a signal rather than an obstacle. That instinct is not procured. It is cultivated, or it is absent.


Incentives decide what a warning is worth


The truest test of a culture is what happens when someone raises a concern nobody wants to hear. Metro Bank answers it plainly. When the FCA fined the bank £16.6m in November 2024 for transaction monitoring failings, it found that junior staff raised concerns in 2017 and 2018 about data that was not being monitored, yet the issue was not identified and fixed. The warning existed. The response did not. Over four years, more than 60 million transactions worth over £51bn went unmonitored, the gap left open not by the absence of a voice but by the absence of anyone willing to act on it.


That is what an incentive failure looks like. No policy tells staff to ignore a colleague's warning. The suppression is quieter, encoded in what a firm rewards and what it tolerates. When commercial targets are measured weekly and control quality is reviewed once a year, the message is unmistakable even when unspoken. Monzo taught the same lesson from the opposite end. The FCA found that as the bank grew almost tenfold, from around 600,000 customers in 2018 to 5.8 million in 2022, its financial crime controls failed to keep pace, and it breached a requirement not to onboard high-risk customers tens of thousands of times. Growth was the priority the firm could feel. Compliance was the one it could defer.


The conclusion is uncomfortable. A firm can publish the most enlightened whistleblowing policy and still run a culture in which warnings die on the way up. What protects the firm is not the intention but the incentive. Where the reward structure punishes the friction good compliance creates, the friction disappears, and the protection goes with it.


The regulator has stopped treating culture as soft


For years the industry filed culture under conduct, and conduct under public relations. Financial crime controls were the technical matter; culture was the softer question of how people treated each other. That separation is collapsing. From 1 September 2026, new FCA rules will treat non-financial misconduct, including bullying and harassment, as a breach of the Code of Conduct across almost all regulated firms. The point is not the conduct in scope. It is the principle that how people behave is now a direct measure of whether a firm can be trusted to run its controls.


The logic holds. A team that tolerates intimidation will not escalate bad news. A leadership that punishes the bearer of an uncomfortable alert will, in time, stop receiving alerts. Browne Jacobson has noted that the FCA increasingly treats non-financial misconduct as relevant to fitness and propriety, and that senior managers may face sanction where they foster or tolerate toxic cultures even when the firm meets its technical requirements. The regulator has caught up with what the enforcement record showed long ago. The integrity of a control framework is downstream of the integrity of the people running it.


The warning lands hardest on firms that have bought technology while neglecting behaviour. A flawless control inventory protects no one if the organisation has quietly taught its staff that raising problems is career-limiting. Nationwide's failings endured not because the risk was unknown but because the environment did not reward acting on it.


Paper compliance is a cultural artefact


The distinction between control existence and control effectiveness is understood in principle and ignored in practice. Firms accumulate policies, procedures and attestations because these are auditable and defensible, the evidence a firm reaches for when the regulator calls. But documentation measures intent, not behaviour, and the gap between the two is exactly where financial crime lives.


Paper compliance is not a documentation problem. It is a cultural symptom. When a firm rewards the production of evidence over the prevention of harm, staff learn to optimise for the audit, not the outcome. The control turns green because someone completed the checklist, not because the risk was managed. In time the firm assembles an elaborate apparatus of comfort that satisfies inspection and stops nothing. The FCA's insistence on controls that work in practice, not on paper, is a direct answer to this. A culture that prizes appearance over substance will always build frameworks stronger in the binder than in the building.


What firms should reassess


Culture cannot be delegated to a values statement or an annual training module. It is built through the incentives a firm actually rewards, the behaviour its leaders model when no regulator is watching, and what happens to the person who escalates inconvenient news. Firms should ask, candidly, what becomes of the analyst who blocks a lucrative onboarding, and whether that answer encourages the next one or silences it. They should ask whether their reporting lines surface bad news or filter it out before it reaches anyone able to act.


This means testing behaviour, not just controls. An assurance programme that samples whether procedures were followed will never detect a culture that suppresses escalation, because the suppression operates before any procedure is triggered. Firms need to find where commercial pressure overrides compliance judgement, where staff feel unable to speak, and where the documented process and the lived reality have drifted apart. The firms most exposed are the ones that have stopped asking.


Conclusion


The reflex after every enforcement action is to add a layer. A new system, a tighter procedure, another review. Yet the Nationwide penalty, like so many before it, was not caused by a missing layer. It was caused by a present one nobody insisted on using. Culture is the layer that decides whether the others function, and the only one that cannot be purchased, installed or outsourced. Ethics is not the soft complement to hard controls. It is the infrastructure on which every control stands, and a framework built on weak culture is built on sand. Until firms treat behavioural integrity as the foundation rather than the finish, the next failure is already being written, in audit papers no one will read in time.


When you last tested your controls, did you test the culture that decides whether they are used?


At OpusDatum, we help firms move beyond control existence to control effectiveness, examining not only whether frameworks are documented but whether the culture around them makes them work. Our advisory practice assesses the behavioural and governance conditions that determine whether CDD, SARs and sanctions controls hold under pressure. Contact us to discuss how we can help.

bottom of page