This week, the FCA imposed a near £30m fine on Starling Bank for what it described as ‘shockingly lax’ financial crime controls that left the bank vulnerable to criminal activity.
The UK-based digital challenger bank launched in 2016 and quickly rose to prominence by offering a streamlined, app-based approach to personal and business banking. With no physical branches and a focus on cutting-edge technology, Starling set itself apart from traditional high-street banks by providing customers with easy, fast, and flexible banking solutions. By 2023, Starling had expanded rapidly, serving around 3.6 million customers and generating £452.8 million in revenue.
However, the speed of its expansion also exposed vulnerabilities in its compliance and financial crime controls. As the bank scaled, its systems for Anti-Money Laundering (AML) and sanctions screening struggled to keep pace, leading to significant regulatory failings.
This fine is a stark reminder of the importance of robust compliance systems, following significant failures in Starling’s financial crime systems, particularly in relation to sanctions screening, AML, and compliance with FCA-imposed requirements.
The Final Notice issued by the FCA to Starling Bank
For compliance leaders in regulated UK firms, there are essential lessons to be learned from Starling’s recent experience that can help prevent similar failings in your own organisations.
What happened at Starling Bank?
Starling Bank’s rapid growth from a fintech startup in 2016 to a challenger bank serving millions of customers highlighted the dangers of exponential expansion without adequately scaling compliance controls.
The bank’s AML and financial sanctions processes were found lacking in several areas, with significant breaches that exposed the bank to heightened financial crime risks.
Specifically, the FCA flagged Starling’s failure to screen a large portion of their customer base properly against sanctions lists, raising concerns that Designated Persons could potentially open and maintain accounts without detection or suitable due diligence.
🔗 Navigating the complexities: solving the top challenges in sanctions screening
One of the most critical failures occurred when Starling discovered that its automated sanctions screening system had been screening only a fraction of the names on the UK’s Consolidated List, which lists individuals and entities subject to financial sanctions. The issue, affecting systems implemented since 2017, left Starling unable to adequately screen new and existing customers, posing serious financial crime risks.
In addition to this, the FCA highlighted Starling’s breach of a Voluntary Requirement (VREQ) imposed in 2021, prohibiting the bank from onboarding high-risk customers until its controls were strengthened. Starling failed to comply with this, inadvertently opening thousands of accounts for high-risk customers.
Starling Bank’s key failings:
- Inadequate screening of customers against sanctions lists, risking undetected Designated Persons
- Automated system missed most names on the UK’s sanctions list, leading to insufficient screening of new and existing customers
- Breached the VREQ imposed by the FCA which prohibited them from opening accounts for high-risk customers
The causes of Starling Bank’s compliance failures
The FCA’s investigation into Starling’s compliance systems revealed several core issues that can serve as cautionary lessons for regulated firms.
1. Inadequate systems for financial crime controls: Starling’s rapid growth outpaced its ability to implement adequate compliance systems. Between 2016 and 2023, the bank expanded its customer base and transaction volumes significantly, but its sanctions screening systems remained insufficient for such rapid growth.
What can we learn? Compliance leaders need to ensure that internal systems evolve in line with business growth. Simply put, what might work for a startup cannot serve a fully-fledged financial institution with millions of customers. As businesses grow, compliance systems must be continuously evaluated and scaled. A system that works for a small organisation may not be sufficient as customer bases and transaction volumes grow exponentially.
On the topic, Dale Atkinson, Partner at AegisNex Consulting commented: “As I see it, Starling’s situation really goes to show how crucial it is to scale compliance systems alongside business growth. When a company expands rapidly, vulnerabilities can quickly emerge if controls don’t keep up.”
Regular stress-testing and updates to systems, particularly in critical areas like sanctions screening, are essential to avoid the same fate as Starling Bank.
2. Weaknesses in screening processes: Starling’s failure to screen a significant portion of its customer base against the full Consolidated Sanctions List – only 39 of the 3088 Designated Persons were being checked – suggests a serious lapse in sanctions screening processes. This resulted in the bank failing to detect at least one sanctioned individual who successfully opened an account. The root of this was found to be a misconfiguration that went unnoticed for years.
What can we learn? To avoid similar issues, compliance teams should regularly test and calibrate screening systems to ensure their accuracy. Screening systems must be robust and continually updated to reflect evolving sanctions lists and international regulations. Firms should implement automated systems that screen all customers – domestic and cross-border – against updated global sanctions lists.
Dale adds: “No matter how advanced your technology, it won’t be effective if your systems are outdated or poorly configured. The reliance on automated screening shows the need to rigorously test and update systems regularly – something I’ve extolled to numerous clients in the last few years.”
3. Insufficient lines of defence: Starling’s second and third lines of defence were also found to be lacking. The bank’s compliance team (second line of defence) was under-resourced and did not carry out the necessary assurance reviews, while its internal audit (third line) did not adequately challenge the other lines until late 2022.
What can we learn? For regulated firms, having a robust three-line defence model is critical. This means ensuring that each line – the business itself, compliance, and internal audit – has the capacity and resources to function effectively and independently. Firms must maintain a strong three-line defence model, where teams are sufficiently resourced and empowered. The compliance team must conduct regular assurance reviews, while internal audits should challenge both the business and compliance functions effectively.
4. Failing to follow regulatory requirements: When the FCA imposed the VREQ, it was designed to halt Starling from onboarding high-risk customers while their controls were strengthened. Despite this, Starling opened more than 54,000 accounts for over 49,000 high or higher-risk customers in breach of this requirement. The underlying issue was poor monitoring and oversight, with no formal programme in place to ensure ongoing compliance with the VREQ.
What can we learn? The lesson here is clear: firms must not only comply with regulatory requirements but also have robust systems in place to ensure continual adherence.
Dale explains more: “Ultimately, this is a lesson that all firms need to learn: regulatory requirements like VREQs are not just administrative hurdles, but essential protections. Ignoring or underestimating them can lead to serious consequences, not just in terms of fines but in reputational damage.”
Firms must go beyond merely implementing regulatory requirements – they must monitor them continuously. This means setting up clear processes for verifying ongoing compliance with any conditions imposed by regulators, such as the VREQ in Starling’s case.
In conclusion, Starling Bank’s £28.9 million fine is a wake-up call for compliance teams across regulated sectors of the importance of staying ahead of financial crime risks, particularly as businesses grow rapidly in size and complexity.
The bank’s failures in sanctions screening, insufficient oversight, and non-compliance with FCA requirements offer vital lessons for all firms. Compliance isn’t just about ticking regulatory boxes – it’s about building comprehensive, scalable systems that can handle the demands of a growing customer base and evolving financial crime threats.
As the regulatory landscape tightens and sanctions regimes become more complex, firms must prioritise continuous monitoring, testing, and improvement of their compliance systems.
Ultimately, the key takeaway from Starling’s case is that effective compliance is not negotiable. It requires investment, continued vigilance, and a proactive approach to risk management.