Enforcement Watch: FCA fines Starling Bank £29m for AML controls failings including in relation to sanctions screening

The FCA has imposed a fine of £28,959,426 (the "Fine") on Starling Bank ("Starling") as a result of: (i) failing to correctly implement changes to ensure underlying requirements imposed in relation to the onboarding of high and higher risk customers were complied with ("VREQ"); and (ii) breaches of Principle 3 in relation to shortcomings in Starling's sanction screening framework.

In the Final Notice, the FCA noted that as a digital challenger bank, Starling had experienced significant growth (from 43,000 customers in 2017 to 3.6 million in 2023) but the expectation is that systems and controls should also grow and adapt to counter the risk that the firm might be used to further financial crime.

Background

During 2020 and 2021, the FCA conducted a review of the financial crime controls in place at 6 challenger banks, including Starling. The review culminated in a letter to Starling in March 2021 stating wide-ranging concerns had been identified in respect of Starling's AML controls framework (the "March Letter"). A Skilled Person was subsequently appointed and, as a result of its findings in relation to further weaknesses in Starling's onboarding controls, the VREQ was put in place at the FCA's request.

Breach of VREQ

Despite implementing a series of additional controls, Starling identified around 10 months later in July 2022 that a key financial crime risk control was not functioning correctly, resulting in new accounts being opened for customers previously exited for financial crime reasons, i.e. customers that were considered to be high-risk or higher risk within the scope of the VREQ.

The matter was reported to the FCA in August 2022 and Starling commenced a review by its second line of defence ("2LOD"), implemented further controls and undertook a remediation programme, including daily testing of compliance with the VREQ.

Following a review by a compliance consultancy firm in 2023 as a result of ongoing FCA concerns (including disappointment that the initial VREQ breaches were not immediately reported to the FCA), further failings were identified including: confusion in relation to senior manager oversight; an absence of quality management information; a lack of resource in the financial crime function; and an absence of controls to implement and oversee the VREQ. A lack of senior management AML skills and experience was also noted.

The FCA notes that between September 2021 and November 2023, Starling opened over 54,000 accounts for approximately 49,000 high-risk customers.

In July 2022, Starling identified that a key financial crime risk control was not functioning correctly; the issue was resolved within a day, together with an impact and root cause analysis. Starling self-reported the breach of the VREQ to the FCA in August 2022.

Financial Sanctions Controls Framework

In the March Letter, the FCA also raised significant concerns about Starling's financial sanctions systems and controls, in particular identifying that:

  1. Starling's financial sanctions policy stated that the bank screens customers and transactions against sanctions lists issued by the UK, EU, the UN and the US Department of Treasury but in practice only screened customers against sanctions records for individuals known to reside in or have links to the UK. Additionally, Starling was not screening customers against sanctions records for individuals from other countries, including the USA, despite processing payments in US dollars.
  2. Starling's screening accepted the risk that Starling could open an account for a sanctioned individual if other authorities were not aware that the individual had moved to the UK.
  3. Starling's financial sanctions policy should be updated to reflect up-to-date best business practices, including whether it should be screening against more than the UK Sanctions List.

A further 2LOD review in January 2023 established that the bank's automated customer screening had not produced any financial screening alerts for individual customers between 1 July 2022 and 30 January 2023, due to system misconfiguration that had existed since 20 July 2017. This had resulted in customers or prospective customers only being screened against individuals on the Consolidated List with UK citizenship or UK residency during this period, meaning it had screened against a list of 39 out of 3088 Designated Persons.

Starling made a Principle 11 notification to the FCA and a sanctions screening review subsequently identified a number of underlying failures in the bank's sanctions systems and controls including: shortcomings in Starling's risk assessment; policies and procedure; no formal mechanism for testing and calibration of screening systems; no operational management information relating to sanctions screening; and a 'capability gap' at a governance level. Starling accepted the findings and commenced a remediation programme in February 2023, following which third party testing in November 2023 confirmed that the new systems were operating at an "effective and efficient capacity".

The FCA concluded in the Final Notice that Starling had failed to take reasonable care to organise and control its financial sanctions systems and controls for managing the risk of financial crime in breach of Principle 3 between 1 December 2019 and 30 November 2023. 

Comments

In reaching its decision on the appropriate financial penalty to impose on Starling for its breaches of the VREQ and Principle 3, an aggravating factor in relation to the Principle 3 breach was that the FCA had written to firms in February 2022 regarding the importance of ensuring compliance with financial sanctions.

Mitigating factors included Starling's full co-operation with the FCA investigation, including proactive delivery of presentations on multiple occasions and steps to establish programmes to remediate the breaches, including enhanced monitoring and oversight controls. Due to the bank's early agreement to resolve matters with the FCA, Starling was eligible for a 30% discount to the Fine, which reduced it from £40,959,426. In its press release, the FCA highlighted the shorter length of its investigation (14 months) compared to its average of 42 months for cases closed in 2023/24, by way of example of the FCA improving the pace of its enforcement investigations.
