Background
Starling Bank, a digital challenger bank authorized by the Prudential Regulation Authority (PRA) in July 2016, provides personal and business accounts, loans, and money transfer services, aiming to disrupt traditional banking through advanced technology. However, on September 27, 2024, the Financial Conduct Authority (FCA) fined Starling £28,959,426 due to significant failures in its financial crime controls, particularly in anti-money laundering measures and sanctions screening, which exposed the bank to risks from high-risk customers. Concerns regarding governance and oversight were first identified in late 2020, with the Authority noting critical gaps in Starling's financial crime controls during a review and recommending that these issues be addressed following an internal audit in November 2018.
Summary of the reasons why FCA fined Starling Bank
- Financial Crime Control Failures
Starling's financial crime controls failed to keep pace with the bank's rapid growth between 2016 and 2023. The bank's customer base increased from approximately 43,000 in 2017 to 3.6 million in 2023.
- Breach of VREQ
The purpose of the VREQ was to stop Starling onboarding any more high-risk or higher-risk customers (as defined by the VREQ) or opening new accounts for existing high-risk or higher-risk customers, in the absence of a sufficiently robust and effective financial crime control framework to manage the risk presented by these customers, until it had sufficiently progressed its AML Enhancement Plan.
The Authority identified serious concerns with Starling’s anti-money laundering and financial sanctions framework during its review of financial crime controls at challenger banks in 2021. As a result, Starling commenced an AML Enhancement Plan to address the FCA’s concerns and voluntarily accepted a requirement from the Authority in September 2021 (the VREQ) not to open any new accounts for high or higher-risk customers while it improved its AML control framework. Starling opened 54,359 accounts for 49,183 high or higher-risk customers in breach of the terms of the VREQ.
- Sanctions Screening
Starling also identified in January 2023 that, since the implementation of its financial sanctions screening framework in 2017, its automated screening system had only been screening the names of new and existing customers against a fraction of the names on the Consolidated List. Although Starling took immediate steps to remediate this fault, its subsequent review of its financial sanctions framework identified wider systemic issues, including Starling’s assessment of its financial sanctions risk, its policies and procedures, the testing and calibration of its screening systems, and a lack of management information (MI) regarding alert volumes and trends.
- Breach of Principle 3
Principle 3 of the Authority’s Principles for Businesses requires a firm to take reasonable steps to ensure that it has organised its affairs responsibly and effectively, with adequate risk management systems. The Authority raised these matters with Starling Bank, and the bank did not adequately implement them.
Detailed Report of findings for Breaches
Breach of VREQ
- Starling Bank implemented several controls to enhance its onboarding process, such as placing customers from certain jurisdictions in a manual exception queue and requiring senior management and the Money Laundering Reporting Officer (MLRO) to review Politically Exposed Persons (PEPs) and high-risk customers. However, on July 21, 2022, a malfunction in a key financial crime control allowed 294 previously exited high-risk customers to open new accounts, violating the terms of its Voluntary Regulatory Engagement Framework (VREQ).
- Although the issue was resolved within a day, Starling did not inform the Authority until August 24, reporting that 161 affected customers had been subject to Suspicious Activity Reports (SARs) and 112 had matches on CIFAS. A subsequent review revealed an additional 309 accounts opened in violation of the VREQ, and thousands had been created since its implementation without proper monitoring.
- In response, Starling initiated a remediation plan involving daily testing and automated controls, but the Authority expressed disappointment at Starling's delayed reporting and inadequate oversight, highlighting a failure to recognize its regulatory obligations.
The causes of failures for VREQ
- Starling's compliance failures with the Voluntary Regulatory Engagement Framework (VREQ) were primarily due to deficiencies in senior management's experience and oversight, including a lack of essential anti-money laundering (AML) skills and unclear responsibilities for VREQ implementation, which led to confusion and insufficient authoritative oversight.
- Communication gaps impeded the engineering teams' understanding of the VREQ's requirements, and inconsistent reporting of management information hindered meaningful assessment. The lines of defence (1LOD, 2LOD, and 3LOD) were also under-resourced and ineffective, lacking proper controls and documentation.
- In response to these issues, Starling initiated corrective actions to enhance management skills and oversight and accepted all findings from a Consultancy Firm's report on 26 September 2023. Furthermore, the Authority determined that Starling breached the VREQ by processing over 54,000 account applications for high-risk customers, contrary to the framework's stipulations.
Starling’s financial controls systems
Following a 2021 review, the Authority raised serious concerns about Starling's financial sanctions systems, highlighting discrepancies between the bank's policies and actual practices, particularly its limited customer screening focused on the UK.
In response, Starling was urged to update its sanctions policy and enhance its screening processes, especially after changes to the Russian sanctions regime in early 2022. A comprehensive review by Starling's second line of defence in January 2023 uncovered that its automated screening system had not generated alerts for over six months due to a misconfiguration.
To address these issues, Starling initiated a remediation program that included increasing screening frequency, implementing a new payments screening solution, and enhancing its alert management system. A subsequent review of nearly four million historical transactions revealed potential sanctions violations, which Starling reported to the authorities, while third-party testing confirmed the effectiveness of its updated screening systems.
Breach of Principle 3
The Authority found that Starling breached Principle 3 of the FCA’s Principles for Businesses by failing to maintain effective organization and risk management systems. This was demonstrated through an inadequate assessment of financial sanctions risk, outdated policies and procedures, and a lack of testing for screening effectiveness.
Additionally, Starling lacked operational management information on alert volumes, did not conduct essential assurance reviews, and performed infrequent screenings, particularly missing significant risks linked to cross-border payments. These deficiencies revealed a substantial gap in Starling's control over financial crime risks.
Starling's Response
Starling Bank has:
- Accepted the FCA's findings and apologized for the shortcomings
- Conducted a detailed re-screening of transactions and an in-depth back book review of customer accounts
- Implemented extensive additional safeguards to ensure regulatory compliance
- Increased capability, structure, and resources across all lines of defence
Conclusion
This case highlights the importance of maintaining robust financial crime controls, particularly during periods of rapid growth. It also underscores the need for regular testing and calibration of sanctions screening systems to ensure their effectiveness.