Five lessons from the Starling Bank FCA Final Notice
On 2nd October 2024, the FCA fined Starling Bank £28,959,426 for failings relating to AML and Sanctions. The main reason for the fine was the bank’s financial crime controls not keeping up with the huge growth experienced between 2016 and 2023.
Our focus here is on the sanctions failings, and specifically, what lessons can be learnt from them.
1. Make sure you’re actually screening sanctions
Starling had stated in their sanctions policy that they screened against UK, EU, UN and US sanctions lists. This is completely standard practice for most firms. The problem here was they weren’t doing what they said they were.
In reality, between 2017 and 2023 Starling was only screening against a small proportion of the UK Designated Persons list and none of the others. Additionally, screening was only taking place every 14 days, when a firm of its size should have been screening daily.
The reason for this failing was identified as a “system misconfiguration” which caused the system not to generate any alerts for individual customers between 2022 and 2023.
The lesson here is to make sure you can verify that the screening program is fit for purpose and doing the screening you believe it to be doing, especially if you are operating a custom program or one built in-house.
2. Have adequate sanctions systems
Another failing was that the systems were simply not operating as they should, and this was not picked up for years. As well as the lack of any alerts generated between 2022 and 2023, the Starling system was only screening against individuals on the consolidated list that had UK citizenship or UK residency.
This meant that, since 2017, the system was only screening against 38 persons on a list of 3088. Once the issue was remediated, at least one Designated Person had been able to open an account with Starling.
Additionally, Starling was not screening all its cross-border or international payments against the consolidated list. When they were screening, they were using a tool designed for customer screening, not payments screening.
The lesson here is to have tools that are fit for purpose and have the operational resources to work alert volumes.
3. Perform a sanctions-focused risk assessment
The FCA also noted the risk assessment Starling carried out had insufficiently identified the risks, including failing to consider higher-risk payment types.
Starling had also been informed by an independent compliance consultancy in 2021 of issues with its screening processes; the consultancy also highlighted limited second-line assurance of the controls.
The lesson: a thorough risk assessment will pull together all the elements that go into a screening program, verify the controls in place or needed, and inform management of how to focus on mitigants.
4. Get independent testing and calibration of your screening tools
Starling had no formal methodology or mechanism for testing and calibration of its systems – either when they were implemented or after implementation.
Without this testing, it is impossible to determine if the system is operating effectively. Calibration reviews test the system for operational efficiencies and accuracy by reviewing matching logic and rulesets and allow for refinements to be made.
The lesson here is that one of the optimal ways of conducting testing is to have an independent review carried out. This is even more important where a system has been built in-house, as an independent review will typically carry out testing of datasets and rule checking against expected outputs.
5. Produce Sanctions MI
The FCA noted that Starling had no operational MI (management information) for sanctions. Indeed, it was lacking any MI that looked at alert volumes and trends. Without this information, it would be extremely difficult to monitor the effectiveness of the program.
The lesson here is that without any meaningful MI, management cannot make any educated review of risks and issues, including operational resourcing appropriateness. Without MI, a firm can lack any real discussion of the potential risks of breaching financial sanctions and the topic may simply not be discussed.
Good MI enables firms to assess workflows, alert levels and tool effectiveness, and respond appropriately.
To summarise
- Regularly confirm your sanctions screening is doing what you think it’s doing
- Use appropriate systems for sanctions screening. Ensure you have the tools and resources to deal with sanctions alerts
- Undertake a sanctions-focused risk assessment, considering the lifecycle of exposure to sanctions and the operational processes
- Independently test and calibrate your screening tools, including fuzzy logic matching and rulesets
- Produce sanctions MI and use it effectively for reporting and operational efficiencies
For support in these five areas and more, please contact James Dodsworth, Senior Financial Crime Manager at Thistle Initiatives: james.dodsworth@thistleinitiatives.co.uk.