FCA fines Starling Bank £29m for failures in financial crime controls

On 27 September 2024, the Financial Conduct Authority ("FCA") fined Starling Bank Limited ("Starling") £28,959,426 for breaching (i) a requirement not to open any new accounts for high or higher risk customers (the "VREQ") by opening accounts for 49,183 high or higher-risk customers and (ii) Principle 3 of the FCA's Principle of Businesses by failing to implement adequate risk management systems in relation to financial crime (in particular in connection with financial sanctions).

In this post we summarise the key takeaways arising from the FCA's Final Notice (the "Notice").

KEY EVENTS

Background

In 2021, the FCA published the results of its review of the financial crime controls at six challenger banks, including Starling. The FCA subsequently wrote to Starling on 11 March 2021 to set out its concerns regarding the effectiveness of Starling's financial controls, in particular in light of Starling's rapid growth.

Following receipt of the letter from the FCA, Starling commenced an AML Enhancement Plan to address the FCA’s concerns. The plan included the appointment of a Skilled Person to test the adequacy of Starling's transaction monitoring and financial crime controls. The Skilled Person's findings, pointing to weaknesses in Starling's customer onboarding controls, led to the imposition of a VREQ on Starling that, among other things, prevented the bank from opening new accounts for customers with high risk or higher risk of financial crime.

The VREQ

Despite implementing a series of controls to meet the terms of the VREQ, on 21 July 2022, Starling identified that a key financial crime risk control was not functioning correctly, resulting in new accounts being opened for customers who had been previously exited for financial crime reasons, in breach of the VREQ.

Starling informed the FCA of the breach in August 2022, commenced a second line of defence ("2LoD") review of its compliance with the VREQ and put in place an Economic Crime Enhancement Plan on 17 October 2022, superseding the AML Enhancement Plan. On 21 September 2023, a consultancy firm provided an independent review of Starling's implementation of the VREQ, attributing many problems to failures by Starling's senior management.

Financial sanctions compliance

In January 2023, the 2LoD undertook a full end-to-end review of the bank's sanctions screening framework for both customer and payments screening (the "Sanctions Review"). This review identified that, due to a misconfiguration, since the implementation of the bank's financial sanctions screening framework in 2017, the system had only been screening the names of new and existing customers against a fraction of the names on the Consolidated List.

Starling reported to the FCA that, during the period July 2022 to January 2023 (i.e. a period during which there was an unprecedented level of sanctions activity and new designations following the invasion of Ukraine), its system had not produced any financial sanctions screening alerts for individual customers.

The Sanctions Review also identified a number of underlying failures in Starling's financial sanctions systems and controls. Starling's senior management accepted the findings of the Sanctions Review and began a remediation programme in February 2023. Having implemented a number of improvements, third party testing of Starling's systems determined that they were operating at an effective and efficient capacity (by November 2023 in respect of customer screening, and March 2024 in respect of payment screening).

Consequences

In addition to breaching the VREQ, Starling was found to have breached Principle 3 of the FCA's Principles for Businesses by failing to design, implement, and maintain adequate systems and controls to mitigate financial crime risks (in particular in connection with financial sanctions).

Starling agreed to resolve the issues and reached an agreement with the FCA at stage 1 of the investigation, qualifying for a 30% discount under the FCA's settlement procedures. If it were not for the discount, the FCA would have imposed a fine of £40,959,426.

key takeaways regarding sanctions compliance

Although the FCA has, for some time, been emphasising the importance of robust sanctions controls in the regulated sector (see for example its 2022 statement reminding firms of the importance of reporting weaknesses in sanctions controls), it has been a number of years since the FCA brought any enforcement action relating to such controls. The Notice perhaps serves as a reminder to firms of the FCA's focus in this area.

The FCA's particular concerns in this case can be summarised as follows:

• In 2021, Starling was only screening customers against entries on relevant sanctions list which corresponded to individuals who were known to reside in, or have links to, the UK, contrary to its own sanctions policy. Starling was only able to provide a limited rationale as to why it was comfortable with this approach.
• The Sanctions Review identified that the bank's automated customer screening system had been misconfigured (since July 2017) resulting in customers or prospective customers only being screened against a fraction of the entries on the UK's Consolidated List. Starling identified that it had opened an account for at least one designated person as a result of this issue.
• The Sanctions Review identified a number of other issues in its financial sanctions systems and controls including:
  • insufficient risk assessment (including a failure to consider several high risk factors present in Starling's business);
  • a need to update and enhance relevant policies and procedures;
  • no formal methodology or mechanism for the testing and calibration of the bank's financial sanctions screening system;
  • no operational MI relating to financial sanctions;
  • gaps in understanding within the bank's governance, compounded by a lack of / delays to 2LoD and internal audit reviews of financial sanctions screening;
  • Starling was only screening its customers against sanctions lists every 14 days, which is not in keeping with current industry standards;
  • cross-border/international payments were not subject to sanctions screening and payments that were subject to screening were screened using a tool designed for customer (rather than payment) screening; and
  • an independent compliance consultancy had identified issues with the bank's financial sanctions screening procedures in 2021.

The Notice states that Starling carried out certain back-book customer and screening payment exercises following identification of these issues and that a number of potential sanctions breaches were reported to the relevant authorities.

The FCA considered that these matters amounted to a breach of Principle 3 because the firm had failed to take reasonable care to organise and control its systems and controls for managing the risk of financial crime (in particular in connection with financial sanctions) responsibly and effectively.

In addition to underscoring the importance of robust and effective sanctions controls, the Notice also emphasises the need for appropriate governance and oversight in relation to these arrangements, including a need to ensure appropriate MI is available to monitor the effectiveness of controls, and that there is sufficient understanding of the firm's sanctions obligations (and the controls that have been implemented to support those obligations) within the firm's governance structures. This was also a point emphasised in last year's review of firms' sanctions systems and controls (discussed in our previous post).

Although it appears that, for the time being at least, no action is being brought against the bank in respect of any sanctions breaches which may have arisen (for example by the Office of Financial Sanctions Implementation), the penalties that the FCA will seek to impose for weaknesses in systems and controls underscore the importance of these controls.

FCA Enforcement – the new approach in action?

Although the FCA ultimately imposed a fine against Starling, it is striking how many chances the bank was given to remediate before the FCA opened an Enforcement investigation.

The FCA's press release notes that the investigation was completed within 14 months, which would put the start of the investigation in or around July 2023. This was after: the FCA had identified specific issues with Starling's AML arrangements in late 2020, and again in March 2021; the appointment of a Skilled Person in May 2021; Starling had identified that it had breached the VREQ terms (and delayed notifying the FCA of that fact for a month); two separate plans to enhance AML controls had started; Starling's Sanctions Review had identified issues with customer and payments screening (January and February 2023); and Starling had begun a review to learn lessons from issues arising with the VREQ breach at the request of the FCA in March 2023.

Given the range and intensity of interaction between Starling and FCA Supervision, this appears to reflect Therese Chambers' and Steve Smart's desire to use their "other powerful tools"[1] to tackle harm instead of immediately opening Enforcement investigations. However, it is noteworthy that most of the interaction predates their appointment in March 2023, which shows that this more interventionist approach from FCA Supervision has been developing over the last 2-3 years (e.g. 118% increase in the use of section 166 Skilled Person reports from 2020/21 to 2023/24).    

This approach also has the added benefit for the FCA that, if they do end up opening an Enforcement investigation as the harm has not been remediated, there will be plenty of evidence from the FCA's use of Supervisory tools to rely upon. Indeed, while the FCA is keen to trumpet the speed of the investigation, this should not be surprising given that there had been a section 166 report, a series of self-reported breaches of the VREQ and a report from a consultant setting out failures in governance arrangements.