Challenger banks’ inexperience, governance failings led to fincrime fines

Starling Bank and Metro Bank’s recent Financial Conduct Authority fines were caused, in part, by inexperience and governance failings, the FCA has said. Starling Bank and Metro Bank were fined £29 million and £16 million, respectively, for financial crimes systems and control failings.

The FCA final notice described Starling’s senior management “as a whole” lacking the “required [anti-money laundering (AML)] skills or experience”. From its founding in 2016 until 2022, Starling assigned a single senior manager to the compliance and anti-money laundering senior management functions (SMF16 and SMF17). There was also frequent turnover in both roles, the FCA register shows.

The FCA says the Starling team’s inexperience caused the bank’s financial crime compliance failings and its failure to execute a voluntary requirement forbidding the onboarding of high-risk customers.

The FCA’s final notice also criticised Metro Bank’s financial crime governance, which caused transaction monitoring failures over four and a half years from June 2016 to December 2020. “Junior staff did raise concerns about some transaction data not being monitored in 2017 and 2018, but these did not result in the issue being identified and fixed,” the FCA said.

Starling lacked AML skills

Starling’s inadequate financial crime systems and control framework first came to the FCA’s attention in late 2020. Subsequent remediation work uncovered more shortcomings in its automated customer screening system, which produced no financial sanctions alerts for individual customers between July 1, 2022 and January 30, 2023. The bank had not screened for sanctions risks properly since 2017, the final notice said.

Starling’s senior management lacked the skills or experience to implement a voluntary requirement (VREQ) designed to restrict onboarding high-risk customers, said the FCA final notice, quoting a consultancy firm’s report. It also led the bank to open more than 54,000 accounts for 49,000 high-risk customers regardless of the VREQ; this included some customers it had offboarded for financial crime risk and, in some instances, about whom it had filed suspicious activity reports (SARs).

“Financial crime now is one of the major operational risks for any bank, and if you have that lack of regulatory and legal understanding within senior management, that will contribute to not understanding the risk,” said John Flynn, head of advisory services at Gracechurch, a financial crime prevention consultancy in London.

Metro suffered poor governance

Metro Bank’s AML failings stemmed from “serious deficiencies” in the set-up, operation and oversight of its automated transaction monitoring system (ATMS) over a four-and-a-half-year period. Errors in the ATMS timestamp code logic meant “a large number of transactions had not been fed into the ATMS for ongoing monitoring, since its implementation on June 6, 2016”.

The bank had inadequate systems and controls for its “bad data” and its “exemption process”. Records rejected by the ATMS went into bad data folders but were checked only intermittently.

“It was only on December 14, 2020, when Metro implemented a fix to remove internal transactions, in respect of which monitoring was not required, from the data feed from the [data store] into the ATMS, that the bank had clear visibility of the true volume of customer transactions (as opposed to internal transactions) being rejected by the ATMS for the first time since the ATMS went live in June 2016,” the FCA said.

Metro’s financial crime working group members escalated the “bad data” problem in January 2018 to the financial crime steering group, which agreed to review it. However, that action was removed from meeting minutes and was not raised again until April 2019 when the timestamp code logic error was identified.

“Even once a fix had been put in place in July 2019, Metro did not have a mechanism to consistently check that all relevant transactions were being fed into the monitoring system until December 2020, over four and a half years after the system was implemented,” the FCA said in a statement accompanying the November 11 notice.

Compliance, MLRO turnover

Starling’s financial crime function, which provided support and guidance to its executive function, was under-resourced and lacking key AML experience and capability at the time of the VREQ implementation and during 2022, the final notice said.

The bank assigned a single senior manager to the head of compliance (SMF16) and anti-money laundering senior management functions (SMF17) from its founding until December 2022, when it finally split the roles, the FCA register shows. Starling had three money laundering reporting officers (MLRO) from 2016 until it appointed the current MLRO in December 2022.

“In fintechs you normally get MLROs that you can tell have no real financial crime, or even MLRO, experience. At new fintechs, they’re small. They might bung somebody in this role so they can tick a box. But that wasn’t the case with Starling. This seems more of a general compliance person, ‘he’ll do for now’ sort of thing,” said Dev Odedra, a consultant at Minerva Stratagem Consulting.

In 2022, the FCA warned firms that SMF16 and SMF17 applicants who do not commit sufficient time to the roles “tend to be unsuccessful”, and said it would also want to understand any conflicts of interests a head of compliance or MLRO might have when doubling up with another role within the firm or externally.

Metro without MLRO

According to the FCA register, Metro Bank has been without a MLRO since August 2024, when the incumbent left, having been there since January 2021. There is an interim MLRO in post and subject to regulatory approval a permanent replacement is due to start in the first quarter 2025, said a bank spokesperson.

Prior to January 2021, an MLRO was in post from 2013 to 2020, while also holding the SMF16 role until May 2021 (at which point the register shows someone in that post for seven days). The current SMF16 has held the role since July 2021.