The Financial Conduct Authority (FCA) recently issued a significant enforcement decision against Starling Bank Limited, imposing a financial penalty of £28.9 million after a 30% discount. This fine could have been as high as £40.9 million, highlighting the gravity of the case. The FCA’s final notice, issued on 27th September 2024, revealed various regulatory breaches linked to Starling’s exponential growth and its failure to implement adequate anti-money laundering (AML) systems and controls.
This case offers crucial lessons for compliance professionals, particularly those in fast-growing or digital-first organisations. Below, we summarise the key takeaways and offer practical guidance to help firms avoid similar enforcement actions.
Critical Regulatory Failures and FCA Findings
Between 2016 and 2023, Starling Bank experienced rapid growth, increasing its customer base from 43,000 to 3.6 million and its revenue from £13,000 to £452.8 million. However, this growth was not matched by the maturity of its financial crime compliance systems. The FCA’s concerns date back to a 2021 review of challenger banks and stem from Starling’s failure to address issues flagged as far back as November 2018.
Among the fundamental failings were:
- Weak AML Systems: Starling failed to strengthen its AML controls and risk management systems despite significant growth. Its customer onboarding procedures were inadequate, resulting in breaches of a voluntary requirement (VREQ) that prohibited the bank from opening accounts for high-risk customers.
- Inadequate Sanctions Screening: Starling’s sanctions screening systems were flawed, failing to adequately screen new customers and international payments against relevant sanctions lists.
- Management Failures: The bank’s senior management lacked the experience and oversight to implement and monitor essential compliance requirements. Poor communication between teams also led to confusion over roles and responsibilities.
Practical Guidance for Practitioners
For firms striving to stay compliant, especially in the context of rapid growth or new business models, the following practical steps can be taken to avoid the pitfalls encountered by Starling Bank:
- Scale Compliance in Line with Growth
As demonstrated in this case, rapid growth must be accompanied by proportional investments in compliance infrastructure. Firms should anticipate that expanding customer numbers, products, or geographies will require enhanced systems and increased compliance resources.
Practical Tip: Ensure your compliance budget and staffing scale with your business. Regularly review whether your current team and tools are sufficient for your growing customer base and transaction volumes.
- Proactively Respond to Regulator Feedback
The FCA identified concerns about Starling Bank as early as 2020, and a feedback letter was issued in March 2021. Starling’s failure to act promptly on these issues or fully implement internal audit recommendations from 2018 was a key driver of the enforcement action.
Practical Tip: Treat any feedback from the regulator, whether formal or informal, with the utmost urgency. This includes acting on internal audit findings and external recommendations within the agreed timeframes. Where issues cannot be resolved promptly, firms should engage with the FCA to negotiate realistic deadlines and ensure ongoing dialogue.
- Appoint Skilled, Experienced Senior Managers and Compliance Personnel
A notable failure in this case was the lack of sufficiently skilled AML and sanctions compliance staff. The FCA also cited a lack of clarity on roles and responsibilities within the senior management team, which contributed to the VREQ breaches.
Practical Tip: Ensure that your firm’s senior manager and financial crime functions are resourced by individuals with relevant experience and clear accountability. Senior managers should be able to demonstrate an understanding of the firm’s financial crime risks and regulatory requirements. The allocation of roles should also be transparent and formally documented, with robust oversight from senior management.
- Enhance Sanctions Screening Systems
Starling Bank’s sanctions screening system was found to be inadequate, with systemic failures dating back to its inception in 2017. Specifically, the bank’s automated systems were not screening customers and payments against all relevant sanctions lists, including international ones, despite engaging in cross-border transactions.
Practical Tip: Regularly review and test sanctions screening systems to ensure they are fit for purpose. This includes screening new customers, existing customers, and payments against the most up-to-date sanctions lists. Implement a robust methodology for testing and calibrating your screening systems and ensure these processes are regularly audited.
- Navigating a Voluntary Requirement (VREQ)
Starling Bank’s breaches of its VREQ serve as a cautionary tale for firms subject to similar restrictions. A VREQ is a voluntary agreement between a firm and the FCA, typically aimed at mitigating regulatory concerns without formal enforcement action. While the agreement is voluntary, its terms are legally binding and must be strictly followed.
Practical Steps to Navigate a VREQ:
- Understand the Scope of the VREQ: The FCA’s VREQ, in this case, prohibited Starling from accepting high-risk customers. To ensure compliance, it is critical to have a thorough understanding of all the terms and sub-requirements of a VREQ. Conduct a full risk assessment to determine how the VREQ applies across all business functions.
- Internal Controls: Once the VREQ is in place, firms must adapt internal systems, controls, and procedures to ensure full compliance. Starling’s failure to implement adequate controls after the VREQ’s imposition led to breaches. Ensure clear documentation and processes are in place to address all VREQ requirements, with periodic reviews to adapt to evolving risks.
- Ongoing Monitoring: A significant issue in the Starling case was the bank’s lack of monitoring for compliance with the VREQ. Establish robust monitoring and reporting systems that continuously check adherence to the VREQ.
- Clear Delegation and Governance: In Starling’s case, confusion over who was responsible for the VREQ’s day-to-day implementation contributed to the breaches. It is essential to assign specific roles and responsibilities to individuals or teams, particularly those with experience in regulatory risk management, and ensure proper oversight from senior management.
- Prompt Reporting of Breaches: Starling delayed reporting its VREQ breaches, which worsened the regulatory response. Firms must immediately notify the FCA of any violations, even if minor, and take immediate corrective action. Implement internal mechanisms for identifying breaches early and reporting them promptly.
- Establish Clear Reporting Lines and Governance
Confusion over roles and lack of clear responsibility were significant factors in Starling’s compliance failings. Poor communication between senior management and operational teams meant that essential regulatory obligations were not fully understood or effectively implemented.
Practical Tip: Define and document clear governance structures. Senior management should be visibly accountable for implementing compliance frameworks. Compliance functions should have direct access to senior leadership, and any regulatory requirements should be clearly communicated to all relevant teams, including IT and engineering teams, to avoid communication breakdowns.
- Monitor and Report Breaches Immediately
One of the FCA’s criticisms of Starling was its delayed reporting of VREQ breaches. Although the bank eventually notified the FCA, the delay and the continued breaches disappointed the regulator.
Practical Tip: Firms should have robust systems for monitoring compliance with regulatory requirements and clear escalation procedures when breaches occur. Timely notification to the regulator is crucial. Delaying such reports can exacerbate enforcement outcomes.
Conclusion
The Starling Bank case illustrates the importance of embedding robust compliance frameworks early in a firm’s growth. The financial penalty and the reputational damage are stark reminders to practitioners of the risks posed by inadequate AML and sanctions screening systems. By scaling compliance with growth, appointing skilled professionals, and responding promptly to regulatory concerns, firms can avoid the severe consequences of enforcement actions.
Need help?
If you need further assistance strengthening your firm’s compliance and AML frameworks or advice on navigating a VREQ, please contact us at C&G Regulatory Solutions.
Reference
- FCA fines Starling Bank £29m for failings in their financial crime systems and controls, Financial Conduct Authority (last accessed 7th October 2024).