FCA fines Starling Bank nearly £29 million for financial crime failings
At the tail end of September 2024, the FCA published a Final Notice imposing a penalty on Starling Bank. The bank was fined nearly £29 million for failings related to its financial crime systems and controls.
Background
The FCA carried out a review of financial crime controls at UK challenger banks in 2021, and subsequently wrote to Starling outlining its concerns about the bank's controls. The FCA was concerned that while Starling had grown rapidly, its risk management control framework for financial crime had not kept pace. For example, Starling was only carrying out sanctions screening on individuals residing in or with close links to the UK, and not those customers based in other jurisdictions.
Following this, Starling was subject to a Skilled Person's review which ultimately led the FCA to impose a VREQ on the bank which prohibited them from onboarding any customers identified as high risk or 'higher risk' (as defined in the VREQ) until the control framework deficiencies were remediated.
VREQ breaches
Less than a year later, Starling internally identified that a key system control had failed with the result that thousands of customers had been onboarded in contravention of the VREQ. Starling notified the FCA of the issue, and engaged a consultancy firm to undertake a full review, which found:
• Senior management as a whole lacked the experience to effectively implement the VREQ. They had insufficient AML skills and experience, and designed an insufficient risk management framework.
• Senior management were inexperienced in dealing with significant regulatory changes and there was a general unawareness of the seriousness of the VREQ.
• Senior management failed to adequately oversee and monitor VREQ compliance. At the bank, there was a general confusion about who was responsible for compliance, and some key functions were unaware of the existence of the VREQ altogether (including the in-house 3LOD, as well as the engineering team responsible for necessary software changes).
• The 1LOD, 2LOD and 3LOD were inadequate in their oversight of the VREQ compliance. The Financial Crime team (2LOD) was under-resourced, and there was insufficient challenge from the 3LOD.
• There was also an absence of quality Management Information on the operation of controls relating to the VREQ and compliance with the VREQ.
In total, Starling created 54,359 accounts of 49,183 high-risk or higher-risk customers in breach of the VREQ while it was in place.
Sanctions breaches
In January 2023, the 2LOD at Starling commenced a full review of the bank's customer screening framework, including sanctions screening. This review identified multiple issues, including:
• The system was not calibrated properly and was only screening against a fraction of the Consolidated List
• There were no sanctions alerts between July 2022 and January 2023, which is a significant period of time and a time of unprecedented sanctions activity (due to the Russian invasion of Ukraine)
Starling again made a notification to the FCA, and reconfigured its system correctly. A customer back book review was then carried out which resulted in 48,000 sanctions alerts. Furthermore, 2LOD reported multiple failings with the Firm's policy, procedures, governance and oversight in this area. The FCA found these failings to be a breach of Principle 3 of the FCA’s Principles for Businesses, which requires that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
Lessons
This case highlights the importance of some compliance fundamentals, which are broader than financial crime alone:
• Ensure systems and controls (including resources) keep pace with Firm growth
• Establish strong governance arrangements with clearly allocated responsibilities
• Be confident that those who are responsible for controls are actually competent in regard to those specific controls, and fully understand their responsibility
• Control functions such as Compliance teams must be empowered and encouraged to challenge, and that challenge should be welcomed
• Never underestimate the importance of calibrating automated systems properly, and of regularly testing and re-calibrating as necessary
• Quality management information is key
• Compliance with a VREQ, or other FCA directions when you are in the spotlight, is essential. Non-compliance is an own goal
If any of these points give you pause for thought and you have questions about your current set-up, we would be more than happy to discuss.
Or if you would like to discuss your financial crime controls as a 'kick-the-tyre' exercise, please let us know.
You can read the FCA's Final Notice, here: Final Notice 2024: Starling Bank Limited