UK regulators have fined one of the country’s high street banks, Metro Bank, more than £16m ($20m) for failing to properly monitor for potential money laundering. The bank started operating in the UK in 2010 and has more than 70 branches throughout the country, with around 2.7 million customers.
The FCA said that the failings had taken place between 2016 and 2020, and noted that many of the transactions were “subsequently reviewed as part of a remediations exercise” but that this was only completed in 2022. The remediations efforts resulted in 153 SARs being submitted and triggered 43 account closures.
“Between June 2016 and December 2020, Metro failed to have the right systems and controls to adequately monitor over 60 million transactions, with a value of over £51 billion, for money laundering risks,” the FCA said.
Data feed issues lead to monitoring failures
In 2016, Metro put in place an automated system in order to monitor customer transactions. According to the FCA “there were serious deficiencies in relation to the set-up, operation and oversight” of this system.
At the heart of the problem was an error in the data extraction methodology employed to retrieve data for the transaction monitoring system from another one of the bank’s databases.
This critical database provided “a near real-time view of the data” held in the bank’s core banking records system, and the connection between the two data stores was there for very good reasons including operational resilience.
But according to Mark Taylor, founding partner at Ibex Compliance, the presence of the logic error meant that “the bank’s monitoring framework was not only ineffective but also neglected to flag transactions occurring on the same day an account was opened, leaving a dangerous gap in oversight.”
The issues were compounded by the fact that the bank failed to ensure that “there was an effective reconcilation process in relation to the data received” by the transaction monitoring system, the FCA said. And it did not have adequate systems and processes in place to deal “exception reports” or with what its systems classified as “bad data.”
Records classified as bad data were simply placed in separate folders that were “only intermittently reviewed as part of wider work to understand” data problems.
As a result of this key records (customer, account and transaction) that should have been loaded into the transaction monitoring system but had been “rejected” as bad data were not monitored “in a timely fashion or at all.”
Operational staff noticed and escalated the issue
The data problems were recognized as a “risk and serious issue” by more junior staff who attempted to escalate this to more senior staff and committees, including the bank’s Financial Crime Steering Group.
And while the Committee agreed to “review the issue” in January 2018, this decision “was subsequently removed from the final minutes” because “the concern that had been raised had not yet been substantiated” and lacked “context”. It was not discussed again until April 2019.
A “tactical fix” was only implemented in 2019, but even then the bank did not have in place “a mechanism to consistently check that all relevant transactions were fed into the monitoring system” according to the FCA’s final notice. A more permanent solution was finally deployed in December 2020.
Taylor suggests that these problems are all connected with one critical issue, namely data control. He said that the bank’s “inability to maintain accurate and comprehensive transaction records severely hampered its monitoring capabilities” and that inadequate data quality “not only obstructed the identification of suspicious activities but also undermined the bank’s overall compliance framework.”
Failings went on too long
“Metro’s failings risked a gap being left in our defence against the criminal misuse of our financial system. Those failings went on for too long,” said Therese Chambers, the FCA’s joint executive director of enforcement and market oversight.
Despite this pointed criticism the press release stated that the initial financial penalty, set at £23,821,700 ($30,508,800), had been reduced to £16,675,200 ($21,356,178) after the bank “agreed to resolve the matter”, which meant that it “qualified for a 30% (stage 1) discount” under the regulator’s settlement procedures.
Responding to the final notice, Metro Bank tried to draw a line under what it termed a “legacy issue” stating that the problems with the transaction monitoring system had been corrected in 2020.
But according to IBEX’s Taylor the ruling “serves as a stark reminder” that “neither good data practices nor compliance are optional” for financial institutions and that the bank’s experience “should resonate as a cautionary tale for all in the industry.”
GRIP comment
The actions or rather the lack thereof by the FCSG at Metro Bank highlights not only the importance of good governance practice, but also the need for committees to take seriously concerns raised by operational staff. To be more explicit ‘less senior’ staff members usually tend to have very good reasons for escalating issues as persistently as they seemed to have in this instance (plaudits to them!) and when a potential compliance issue is raised and discussed at a committee level it seems very strange (almost silly) to simply delete a reference to it from the meeting minutes.
Another thing worth noting is that “bad data” can actually sometimes be “good data.” This seems to be a nonsensical statement, but understanding what triggers exception reports and what data ends up being classified as bad can be very valuable information to specialist staff. An organization’s bad data can be good data if it is employed to analyze and identify potential system weaknesses and existing data capture or flow problems. The specialists who worry about those exception reports are a key line of defence when it comes to more pervasive data problems and should have a path to escalate their concerns to more senior staff and/or compliance.