The Financial Conduct Authority (FCA) recently levied a jaw-dropping £29 million fine against Starling Bank (Starling). The fine follows an investigation by the regulator, which exposed the bank's "shockingly lax" sanctions screening controls, and a financial system "wide open to criminals" (see the FCA report here).
By comparison, the fine dwarfs the recent first financial penalty imposed by the Office of Financial Sanctions Implementation (OFSI)—the primary United Kingdom (UK) agency responsible for monitoring compliance with financial sanctions—in relation to a breach of the UK sanctions regime regarding Russia, which amounted to only £15,000.[1] As such, the Starling example serves as a stark warning, not only to neobanks and fintechs but to all financial services businesses, about the need to ensure the implementation of adequate sanctions controls and the risk of FCA enforcement action where firms get this wrong.
In this client alert we consider the Starling example and explore some of the steps companies can take to ensure that their financial crime controls are effective and meet FCA standards.
The Starling Story
Starling was founded in 2014. Between the date of its inception and 2023, its customer base grew exponentially from 43,000 to 3.6 million.
The FCA first identified failings in Starling's financial crime controls in 2021, following a review of the bank's financial sanctions systems and controls, governance and oversight, and policy and processes. Starling subsequently agreed to implement an AML enhancement plan and abstain from opening new accounts for high-risk customers until improvements had been made. Despite this agreement, Starling proceeded to open 54,359 new accounts for 49,183 high- or higher-risk customers between September 2021 and November 2023.
In January 2023, it became apparent that the automatic system employed by Starling had, for six years, been screening customers against only a fraction of the full list of individuals and entities subject to financial sanctions. An internal review ensued, which identified systematic issues across the bank's entire sanctions compliance framework with regard to its assessment of financial sanctions risks, policies and procedures, testing and calibration of screening systems, and lack of management information (MI) regarding alert volumes and trends. The bank subsequently reported multiple potential breaches to the relevant authorities.
On 27 September 2024, the FCA determined that Starling had breached both the terms of its 2021 agreement and Principle 3 of the FCA's Principles for Business by failing to implement and maintain adequate systems and controls to mitigate financial crime risks, particularly in relation to financial sanctions. It imposed a penalty of £28,959,426, reflecting a 30% discount, which was applied as a result of Starling's cooperation. Had the bank not qualified for this discount, the fine would have been closer to £41 million.
The FCA's full findings can be found in its Final Notice.
Sanctions Regimes and Staying Compliant
Over the last few years, the global political climate has catalysed an increase in international sanctions regimes, and the landscape is only becoming more complex. It is essential that businesses are alive to sanctions issues and have robust internal systems in place to avoid falling foul of sanctions regimes during the ordinary course of business. As the Starling example shows, failures can result in both high financial penalties and reputational damage.
The FCA is clear that, "while the Authority is not responsible for enforcing UK financial sanctions, its role is to ensure that the firms it supervises have adequate systems and controls to comply with the UK's financial sanctions regime." Enforcement action in this area is, therefore, unlikely to wane.
Below are some tips on how financial services businesses can develop and maintain effective and robust financial crime controls:
- Understand regulatory obligations for businesses when it comes to sanctions compliance. The FCA provides guidance on compliance with the UK's financial sanctions regime here.
- Understand the risk profile of your business when it comes to sanctions regimes and tailor your internal controls to reflect that risk.
- Implement clear and detailed sanctions compliance policies and procedures, which are reviewed on a regular basis and revised as appropriate.
- Implement a reliable sanctions screening system in line with your sanctions policies and procedures, which screens against all relevant sanctions list data.
- Audit your sanctions screening processes and procedures on a regular basis to ensure they are effective and compliant with regulatory obligations.
- Implement a system for escalating sanctions-related issues or breaches to the relevant senior manager or board member.
- Provide or facilitate regular, mandatory employee training on sanctions compliance to ensure relevant employees understand regulatory obligations relating to sanctions, how to identify red flags, and internal escalation processes.
- Keep records of screening results, investigations, and decisions to ensure that you have a clear audit trail on sanctions-related issues.
Footnotes
1 On 27 September 2024, OFSI issued its first financial penalty for a breach of UK financial sanctions regarding Russia. The fine was issued against a property management company (Integral Concierge Services Ltd) in respect of payments made or received in connection with a designated person.