Client Alert

October 10, 2024

FCA Fines Starling Bank Over Financial Sanctions Screening Failures


On 27 September 2024, the Financial Conduct Authority (“FCA”) imposed a financial penalty of approximately £29 million on the British bank Starling Bank Limited (“Starling”) for failings related to its financial crime systems and controls between 1 December 2019 and 30 November 2023.

A review of Starling’s financial crime controls revealed widespread deficiencies in its financial sanctions systems and processes, including with respect to its financial sanctions risk assessment, policies and procedures, sanctions screening, testing and calibration of screening systems, and lack of management information regarding alert volumes and trends. In addition, Starling breached a voluntary requirement (“VREQ”) not to onboard high(er) risk customers.

This case serves as a stark reminder that UK authorities are stepping up their enforcement action in respect of anti-money laundering (“AML”) and other types of financial crime and that firms must ensure that their anti-financial crime systems and controls keep pace with their overall growth and risk profile. This requires a periodic review of the risk and the controls in place to respond to such risk, including in terms of appropriate policies and procedures, sanctions screening solutions, testing, etc. with support from senior management.

Background

Starling is a ‘challenger bank’ – a modern retail bank that challenges longer-established banks by offering modern financial technology and a more customer-focused approach. It experienced exponential growth in the last decade: between 2016 and 2023, Starling’s customer base grew from just 43,000 customers to over 3.6 million with revenues reaching more than £450 million by the end of 2023.

Starling’s financial crime controls, however, failed to keep pace with this rapid growth, despite various audits and reviews raising significant gaps and concerns relating to the firm’s financial sanctions controls.

On 11 March 2021, the FCA informed Starling of several issues relating to Starling’s AML and financial sanctions systems and controls that were identified during a wider industry review of six challenger banks – including Starling – that took place in late 2020 and early 2021. The issues included (i) sanctions screening practices limited to only a portion of the UK sanctions list (and a failure to screen individuals residing in non-UK countries, including the U.S., despite payments being made in foreign currencies like the US dollar); (ii) a high-risk acceptance rate; and (iii) an outdated financial sanctions policy that did not reflect wider business practice. The FCA had carried out the review as it was concerned that criminals could exploit the faster onboarding process offered by challenger banks like Starling. As part of its review of Starling, the FCA noted that the bank had failed to adequately convey significant financial crime risk management issues (that had been identified by the bank’s own internal audit function in 2018) to either the board or the FCA.

In response to the FCA’s concerns, Starling commenced an “AML Enhancement Plan” to address these issues and accepted the VREQ not to onboard any high or higher risk customers absent a robust financial crime control framework.

On 24 February 2022, in the context of the imposition of sanctions on Russia following its invasion of Ukraine, the FCA reminded Starling in a general communication that it needed to screen new and existing customers as well as payments against the most recent version of the full UK sanctions list, with screening mechanisms that were effective, up-to-date and appropriate for the nature, size, and risk of the business. The FCA also noted that senior management needed to ensure adequate oversight and testing of its financial sanctions systems and controls in order to comply with UK sanctions.

In January 2023, a review by Starling of its screening of financial sanctions (“Sanctions Screening Review”) revealed that – due to a misconfiguration existing since 20 July 2017 – customers were only being screened against individuals on the UK sanctions lists who had UK citizenship or residency. This led to the onboarding of at least one designated person. The Sanctions Screening Review also identified wider systemic issues with respect to Starling’s financial sanctions risk assessment, policies and procedures, sanctions screening, testing and calibration of screening systems, and lack of management information regarding alert volumes and trends. On 16 February 2023, Starling made a Principle 11 notification to the FCA regarding these issues.

Failing financial sanctions systems and controls

In summary, the FCA concluded that Starling had breached its obligations under Principle 3 of the FCA’s Principles for Businesses. This principle requires that a firm “must take reasonable care to organise and control its affairs responsibly and effectively”. Specifically, the following issues – which were largely similar to those identified during Starling’s own Sanctions Screening Review – were identified in the period of review between 1 December 2019 and 30 November 2023:

  • Insufficient risk assessment of financial sanctions to adequately inform the risk decisions and management of the firm’s financial sanctions risks, which led to a low-risk rating despite several high-risk factors (such as payments from crypto-related platforms and multi-currency accounts).
  • Inadequate policies and procedures relating to financial sanctions screening, which required updating and enhancing, including in relation to the responsibilities of staff, reporting, testing and management information requirements.
  • No formal methodology or mechanism for the testing and calibration of the firm’s financial sanctions screening systems at or after implementation.
  • No operational management information relating to financial sanctions, such as alert volumes and trends, which would have allowed Starling to monitor the effectiveness of its financial sanctions screening system.
  • No second line of defence reviews by compliance or audits in relation to financial sanctions screening until the third quarter of 2023.
  • Inadequate sanctions screening of customers, which was only carried out after the onboarding of customers and once every 14 days (a leftover metric from when Starling was a smaller financial institution).
  • No screening of all of the firm’s cross-border/international payments against the UK sanctions list, despite such payments presenting a much higher financial sanctions risk than domestic payments.
  • Screening of payments using a tool that was designed for customer screening and, as such, not designed to screen payments.
  • Sanctions screening of customers only against individuals on the UK sanctions lists who had UK citizenship or residency, until the first quarter of 2023.

Breach of VREQ

Alongside the issues relating to Starling’s financial sanctions screening systems and controls, the FCA also considered the firm to have breached the VREQ.

Specifically, on 21 July 2022 Starling identified that, due to a malfunction of a key financial crime risk control, it had opened over 290 new accounts and provided services to customers who had previously been exited for financial crime reasons. Starling informed the FCA on 24 August 2022 of this issue after resolving it within a day of discovery.

During an ensuing ‘lessons learned’ review carried out by an external consultant in March 2023, more systemic issues with respect to Starling’s financial controls became apparent, identifying that almost 55,000 accounts for high-risk or higher-risk customers had been opened over the previous three years.

This review identified the following root causes for the breach of the VREQ:

  • Lack of AML skills and experience in senior management.
  • Confusion in relation to senior management’s oversight and responsibility.
  • Lack of communication and oversight of day-to-day implementation of VREQ.
  • Absence of quality and consistently reported management information.
  • Under-resourced financial crime function.
  • Absence or ineffective operation of controls to implement and oversee the VREQ.
  • No documents outlining the roles, responsibilities, and testing carried out by the firm’s various lines of defence.

Key takeaways:

  1. Firms must ensure that financial crime systems and controls – including financial sanctions screening – remain commensurate to their size and risk profile at all times. This is of particular relevance to start-ups and other firms that experience a sudden exponential growth, develop new products or service offerings, or enter into new geographic markets.
  2. Firms can benefit from a close cooperation with the authorities and proper response to any issues flagged during any internal or external audits, reviews, and/or communication. In the case of Starling, the FCA considered the firm’s cooperation during the investigation and proactive offering of updates during the review period as a mitigating factor. However, the FCA considered its earlier industry-wide reminder to Starling in the context of the imposition of sanctions on Russia as an aggravating factor.
  3. Firms should address all stages of the compliance lifecycle, including carrying out an appropriate risk assessment that takes into account the nature of the business, formulating comprehensive policies and related procedures that are clear, remain up-to-date and are consistently applied throughout the firm, continuously monitoring and testing the effectiveness of sanctions screening, and regularly reviewing and auditing the overall compliance programme.
  4. With the support from senior management, firms should formulate clear responsibilities and allocate sufficient resources to ensure the compliance function has sufficient in-house experience, support, and oversight at all relevant levels to deal with day-to-day operations or implementation of certain remediation programmes and VREQs.
  5. Sanctions screening practices should be fit for purpose and effective with an appropriate frequency of screening before and after onboarding of customers, coverage of all relevant sanctions lists, a correct use of specific screening tools (e.g. customer vs. payment screening), and regular testing and calibration.

The full notice can be consulted here.