UK regulator fines Starling Bank £29m for ‘shockingly lax’ screening controls

Mark Taylor of Ibex Compliance identifies the key learning points from the FCA’s action against Starling Bank.

The FCA has fined Starling Bank Limited £29m ($38.5m) for financial crime failings related to its financial sanctions screening. It also repeatedly breached a pre-existing regulatory requirement not to open accounts for high-risk customers.

Starling grew quickly, from approximately 43,000 customers in 2017 to 3.6 million in 2023. However, measures to tackle financial crime did not keep pace with its growth, said the FCA.

When the FCA reviewed financial crime controls at challenger banks in 2021, it identified serious concerns with the anti-money laundering and sanctions framework in place at Starling. The bank agreed to a requirement restricting it from opening new accounts for high-risk customers until this improved. Starling failed to comply with this and proceeded to open over 54,000 accounts for 49,000 high-risk customers between September 2021 and November 2023.

Screening failures

In January 2023, Starling became aware that its automated screening system had, since 2017, only been screening customers against a fraction of the full list of those subject to financial sanctions. These issues were proactively communicated to the FCA and Starling cooperated fully with the FCA in its investigation. It also accepted the regulator’s finding that the bank’s financial crime controls failed to keep pace with the growth of the business.

The Final Notice said the failings resulted in breaches of existing Voluntary Requirements (VREQ) and a breach of Principle 3 of the FCA’s Principles for Businesses.

Starling has since reported multiple potential breaches of financial sanctions to the relevant authorities. The bank has also completed both a detailed re-screening of transactions and an in-depth back book review of customer accounts in respect of the contraventions detailed in the Notice.

Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, said: “Starling’s financial sanction screening controls were shockingly lax. It left the financial system wide open to criminals and those subject to sanctions.”

“It compounded this by failing to properly comply with FCA requirements it had agreed to, which were put in place to lower the risk of Starling facilitating financial crime,” she added.

In a separate statement, Starling said it fully accepts the FCA’s findings and apologizes for the events and shortcomings that led to the FCA’s Final Notice. Starling has established programs to remediate these breaches and to enhance its wider financial crime control framework.

David Sproul, Chairman of Starling Bank, said: “We want to assure our customers and employees that these are historic issues.

“We have learned the lessons of this investigation and are confident that these changes and the strength of our franchise put us in a strong position to continue executing our strategy of safe, sustainable growth, supported by a robust risk management and control framework.”

Expert comment

We asked Mark Taylor, founding partner at Ibex Compliance, for his views on the fine. He has provided some key observations and lessons learned, as well as critical questions connected to governance, risk, processes and systems that any financial institution might consider posing internally to avoid a similar fine.

Importance of robust financial crime controls

FCA final notice: The FCA fined Starling Bank for “shockingly lax” financial crime controls, underscoring the critical need for banks to implement and maintain robust systems to detect and prevent financial crimes.

Growth and controls: The significant growth in its client base meant Starling Bank’s setup was not robust enough to handle this fast-paced expansion. Unlike traditional banks with their aging systems, it could have been a robust set-up, but Starling’s rapid client onboarding was not matched by adequate controls to stay compliant with sanctions and AML rules.

Target Operating Model (TOM): Questions arise about Starling’s Target Operating Model for Financial Crime Compliance. Did they have one, and did it evolve as the business grew? It became evident that they lacked sufficient staff (people), effective screening processes (technology), and proper procedures for high-risk clients (process).

Effective customer screening

Sanctions screening failures: Starling Bank failed in its financial sanctions screening, repeatedly breaching requirements by opening accounts for high-risk clients. This highlights the necessity of thorough and effective customer due diligence and screening processes.

Governance: Governance plays a crucial role in effective customer screening. What governance structures did Starling have in place? Which committees reviewed data on high-risk clients, and how was this data proportionally analysed as the firm grew? What KPIs/KRIs were used to monitor financial crime compliance risk, and were these regularly presented to senior management?

Regulatory compliance

Adherence to regulations: The fine serves as a stark reminder of the importance of adhering to regulatory requirements. The FCA can treat such situations as recoverable if the problem is identified and transparency is maintained.

VREQ agreement: Starling Bank agreed with the FCA via a Voluntary Requirement (VREQ) to limit onboarding of high-risk clients (imposed on 17 September 2021). They either should not have agreed to these constraints if they knew they couldn’t comply, or they should have focused all necessary resources to ensure compliance. A significant regulatory breach requires a swift and thorough response, root cause analysis, and commitment from senior management to address the issue.

Risk management

Effective strategies: The case illustrates the need for effective risk management strategies. The growth in client numbers was something that was both evident and, to a certain extent, predictable, and a Risk Committee should have been monitoring this and asking pertinent questions.

Sanctions and risk assessment: As sanctions increased, this should have prompted a deeper dive into risk management. What did Starling’s Financial Crime Risk Assessment look like? Effective risk management involves proactive measures and continuous assessment to address emerging threats and vulnerabilities.

Governance and compliance

Governance and accountability: Strong governance and accountability structures are essential. Despite identifying problems, Starling’s responses were inadequate. Key questions include: Who on the Board was overseeing the Head of Financial Crime Compliance (FCC)? Did Testing and Audit work focus on verifying the information and management information (MI) provided to the FCA?

Monitoring and compliance: Did the firm significantly change its client onboarding monitoring after agreeing to the VREQ? Who authorized and agreed to the VREQ, and what checks were undertaken to ensure compliance and ongoing monitoring? During remediation, what was the program structure, and did it receive appropriate scrutiny and challenge from the Board? Did everyone involved in the client onboarding process understand their responsibilities?

Impact on reputation

Reputation management: Starling Bank could have potentially resolved the issue if they had reacted appropriately to regulatory interventions. The fine and negative publicity resulted from their inability or slowness to react and resolve the problem. Once an agreement with the regulator is made to fix a problem, it must be executed effectively. Failure to do so leads to fines and reputational damage.

By addressing these points, financial institutions can better safeguard against similar issues and enhance their overall compliance and risk management practices.

If you have any specific questions or need further details, feel free to ask mark.taylor@ibexcompliance.com

FCA improving the pace of enforcement investigations

The FCA said this case was an example of how it is improving the pace of its enforcement investigations. This case took 14 months from opening to achieving an outcome – compared to an average of 42 months for cases closed in 2023/24.

Chambers said, “We are committed to conducting our investigations at greater pace. Hand in hand with increasing our pace, will be streamlining our caseload and focusing on investigations better aligned to our strategic priorities.”

The FCA said it will continue to supervise firms to ensure that they have the right systems and controls to manage financial crime risks.