UK Bank Fined $40M for Multiple Sanctions Compliance Failures

The bank’s subpar compliance procedures “left the financial system wide open to criminals and those subject to sanctions,” said Therese Chambers, joint executive director of enforcement and market oversight at the U.K.’s Financial Conduct Authority. She also said Starling didn’t “properly comply with FCA requirements” that were designed to lower the bank’s financial crime risks.

The FCA had warned the bank in 2021 that it had “serious concerns” with Starling’s anti-money laundering and sanctions compliance procedures, and the bank agreed to block all new accounts for high-risk customers until its controls improved. But over the next two years, Starling opened more than 54,000 accounts for 49,000 high-risk customers, the FCA said, eventually discovering that its automated screening system had only been screening customers against a “fraction” of the full list of people and companies subject to financial sanctions. It was also told by an independent consultant that its senior management “lacked the experience” to manage its sanctions risks.

An internal review by Starling in 2023 revealed “systemic issues in its financial sanctions framework,” the FCA said. The bank has since disclosed several possible sanctions violations to the U.K.

The FCA said it investigated Starling for 14 months, eventually settling on the nearly $40 million penalty after taking into account Starling’s cooperation with the U.K. government, its work to put in place “enhanced” sanctions controls, the fact that it carried out “historic financial sanctions screening reviews” of its entire customer base and payments dating back to 2017, and after “significantly increasing” its compliance resources.

FCA said it could have fined the bank about 40 million pounds, or about $54 million, but Starling qualified for a 30% “discount” because it agreed to resolve the issues with the government.

Starling said it “accepts the findings” by the FCA and “regrets and apologises for the events and shortcomings that led to the” penalty. The violations outlined by the FCA “were identified by Starling and proactively communicated to the FCA,” it said Oct. 2. “Starling has cooperated fully with the FCA in its investigation and accepts its finding that the Bank’s financial crime controls failed to keep pace with the growth of the business.”

Starling added that it has “completed both a detailed re-screening of transactions and an in-depth back book review of customer accounts,” and it has put in place “extensive additional safeguards to ensure” its compliance. “Through extensive investment into the Bank’s financial crime resource and expertise, Starling is satisfied that it has the required compliance and risk management controls, procedures and policies in place.”

The FCA said it first found issues with Starling’s compliance framework in 2021 after examining how sanctioned parties may be exploiting digital challenger banks that primarily operate online. After speaking with the FCA, Starling voluntarily agreed not to open any new accounts for high-risk customers while it improved its AML and sanctions frameworks. But Starling “failed to implement all of the underlying requirements and subrequirements” of this agreement with the FCA, causing it to open thousands of accounts for high-risk customers, the U.K. said.

In one instance in July 2022, Starling found out that a “key financial crime risk control” wasn’t working correctly and was causing it to open hundreds of new accounts for customers it had previously restricted for their ties to financial crimes. Although Starling “resolved the issue” within a day, it didn’t inform the FCA until the next month, the FCA said.

After another review of its compliance procedures, Starling discovered in December 2022 that it had actually opened thousands of accounts for high-risk customers. The review “confirmed” that “Starling had not put in place a formal monitoring programme to ensure that it had been meeting the” FCA’s requirements, the authority said.

The FCA then asked Starling to carry out a “lessons learned” review to “assess the root causes of the weaknesses” of its compliance issues. The bank hired an outside consultant, which found that Starling’s “senior management as a whole lacked the experience and capability to effectively implement” its agreement with the FCA, leading to an “inadequate design” of its risk management framework.

The bank’s senior management also was “inexperienced when dealing with significant regulatory changes” and “failed to adequately oversee and monitor the day-to-day compliance.” Several senior managers had “different understandings” of who in the company was responsible for complying with the FCA agreement, the authority said, and the company’s engineering teams, who were responsible for making the changes to Starling’s systems and controls, weren’t “informed of the existence” of the bank’s compliance agreement with the FCA.

The bank discovered in January 2023 that its automated screening system had only been screening against a fraction of the new and existing customers added to the U.K.’s consolidated sanctions list, the FCA said. This was partly caused by a “system misconfiguration which affected the matching between the details of individual customers of the bank and individuals on relevant sanctions lists including the Consolidated List.”

The FCA also said Starling was screening its customers against the sanctions list only once every 14 days, a “leftover” practice from when the bank was smaller. The U.K. said Starling grew from about 43,000 customers in 2017 to 3.6 million in 2023, but its “measures to tackle financial crime did not keep pace with its growth.”

The FCA added that Starling began a review of “historical payments” in May 2023, covering nearly 4 million payments processed between May 2017 and November 2023, to determine whether any of those payments had links to sanctioned parties. The bank completed the review in September “and identified a number of potential financial sanctions breaches,” FCA said. “Starling reported the potential financial sanctions breaches to the relevant authorities.”

The FCA also noted that Starling agreed to make a range of changes to its sanctions compliance controls, including by increasing its customer screening frequency from once every 14 days to daily; putting in place new payments screening software; third-party testing of those customer screening and payment screening systems; a review and redraft of the bank’s sanctions policy; creating a new role in charge of training Starling employees; and reviewing the company’s sanctions e-learning modules.

Third-party testing of the bank’s customer and payment screening systems in November 2023 and March 2023 showed that the bank’s systems “were operating at an effective and efficient capacity,” the FCA said. The bank reported earlier this year that April was its first month since entering into the 2021 agreement with the FCA that “no high-risk customers were onboarded.”