Key lessons from Starling Bank’s £29 million fine for “shockingly lax” financial crime controls

Updated as of: 04 October 2024

Starling’s financial crime controls have left the challenger bank with a hefty fine to pay. What measures should FIs adopt to build effective sanction screening systems?

On 2 October 2024, the UK Financial Conduct Authority (FCA) announced a £29 million (US$38 million) fine for Starling Bank due to failings in its financial sanctions screening. 

The FCA imposed the fine under section 206 of the Financial Services and Markets Act 2000 (FSMA) after finding that the digital lender’s “shockingly lax” financial sanction screening controls left its system “wide open to criminals and those subject to sanctions”, according to Therese Chambers, joint executive director of enforcement and market oversight at the FCA. 

Between September 2021 and November 2023, Starling opened over 54,000 accounts for high-risk customers, breaching an agreement with the FCA to restrict opening accounts for customers with this profile. This agreement was made after the FCA’s review of challenger banks in 2021, which uncovered weaknesses in Starling’s anti-money laundering (AML) and sanctions screening framework.

Lexology PRO outlines below the alleged failures in Starling’s sanction screening system and key tips for companies to strengthen their own programmes. 

Financial crime controls “wide open to criminals” 

The FCA identified extensive gaps in the bank’s customer controls and sanctions screening systems, following years of restrictions and agreements with the authority. 

In 2020, the UK’s National Risk Assessment (NRA) of money laundering and terrorist financing highlighted the risk that criminals may be attracted to the fast onboarding process that challenger banks advertise. 

In response, the FCA conducted a review of financial crime controls at six challenger banks, including Starling.

As a result of the review, the FCA wrote to Starling on 11 March 2021 setting out a wide range of concerns and outlining that Starling had failed to convey issues identified by an internal audit report from November 2018 on its financial crime control framework to either Starling’s board or the FCA. Additionally, the FCA required Starling to appoint a skilled person to oversee the bank’s transaction monitoring and financial crime risk governance.

On 26 March 2021, Starling began an AML enhancement plan to address the FCA’s concerns. The bank also appointed the required skilled person who found weaknesses in the bank’s customer onboarding controls.

On 17 September 2021, the FCA imposed a voluntary requirement (VREQ) on Starling, stating that the bank could not accept or process new or additional account applications for new or existing customers that are high risk. 

Starling identified on 30 January 2023 that its automated customer screening system had only screened customers against a small portion of the full list of those subject to financial sanctions since 2017. 

A subsequent internal review identified systemic issues in Starling’s financial sanction framework. The bank reported multiple potential breaches of financial sanctions, according to the FCA.

The problems in the bank’s automated screening system and sanctions framework led to Starling opening over 54,000 accounts for 49,000 high-risk customers between September 2021 and November 2023. 

In its 2 October 2024 final notice, the FCA noted that these infractions constituted a breach of Principle 3 of its Principles for Businesses, which requires financial institutions (FIs) “to organise and control its affairs responsibly and effectively, with adequate risk management systems.”

“Thumping” fine for VREQ non-compliance

The fine is the first of its type by the FCA against a digital bank and comes more than two years after the FCA warned that it would continue to monitor challenger banks’ compliance with AML obligations and identify sanctions exposure. April 2024 marked the first month since the imposition of the VREQ that Starling did not onboard any high-risk customers. 

The Guardian describes the penalty as “thumping,” saying that Starling was “built on a wing and a prayer when it came to anti-money laundering controls.”

Key tips for robust sanction screening systems 

In a statement from the bank on 2 October 2024, Starling announced that it has introduced extensive additional safeguards and enhanced controls to ensure that it complies with the FCA’s requirements. It also said that it had paid the fine as full and final settlement.

Companies looking to avoid similar enforcement action can take the following steps to ensure sanction screening systems are robust and proportionate.

Evolve sanctions compliance programmes

The measures needed for a company with approximately 100 customers will be different to the measures necessary to control a customer base of over 100,000. Starling admitted in its 2 October 2024 statement that its financial crime controls failed to keep pace with the growth of the business, which saw its customer base grow from 43,000 in 2017 to around 3.6 million in 2023.

As international customers are onboarded and more cross-border transactions occur via the platform, compliance teams should consider filing suspicious activity reports (SARs) where there are known or suspected money laundering risks. This Lexology PRO how-to guide lays out practical steps on how to file a SAR.

Businesses should also ensure they meet their sanctions compliance obligations. Following Russia’s military activity in Ukraine, the UK government has sanctioned individuals and entities. It is the role of an FI’s compliance team to make sure that these sanctions lists are complied with.

Whilst sanction screening is not a legal requirement in the UK, Chapter 7 of the FCA’s Handbook outlines that screening new customers and payments against sanctions lists helps to ensure that FIs do not breach the sanctions regime.

Enhance staff awareness and training 

The FCA criticised Starling’s senior management for their dealing with financial crime controls in the final notice, stating that they “lacked the experience and capability to effectively implement the VREQ” and specifically “lacked the required AML skills or experience.”

It is important for senior management to continuously stay informed of sanctions risks faced by their organisation and support compliance teams with mitigating those risks. The first step of this Lexology PRO checklist details how to ensure senior management is committed to the company’s sanctions compliance programme.

Having staff who are alert to the risks of money laundering and terrorist financing and are well-trained in the identification of unusual or suspicious activities or transactions is one of the most important controls over the prevention and detection of money laundering and terrorist financing that an organisation can have. This Lexology PRO checklist can help in-house counsel and compliance teams with their obligations regarding staff awareness and training on money laundering and terrorist financing.

Assess money laundering and terrorist financing risk

All businesses regulated under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017) must assess the risk of being used by customers for money laundering and/or terrorist financing purposes. An organisation-wide risk assessment is a key way to measure and assess risk.

Comprehensive and enhanced customer due diligence 

Automated filtering and screening systems can be used to flag entities, individuals or transactions that may pose a higher risk to an FI. Customer due diligence should be completed thoroughly when onboarding new customers and should also be conducted regularly to ensure their customers remain compliant with sanctions regimes. 

This checklist helps companies subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017) meet customer due diligence obligations, which are key to AML and counter-terrorist financing systems.

Businesses should also consider conducting enhanced due diligence, including assessing whether there are categories of work or customers that present a higher risk of money laundering or terrorist financing. 

Report breaches quickly to the FCA and cooperate 

Following the start of Russia’s military activity in Ukraine in 2022, the FCA outlined good practices for FIs to implement into their internal sanctions controls. The authority encourages businesses to make timely and accurate reporting on potential sanctions breaches.

If found to have breached financial sanctions, FIs are encouraged to cooperate and communicate fully with the FCA as this may result in a reduction of the fine. For example, the FCA notes that Starling would have been fined almost £41 million (US$54 million), but it agreed to resolve these matters and therefore qualified for a 30% discount under the FCA’s penalty processes.
