Recent FCA financial crime enforcement actions

Posted: 09/05/2025


This article discusses the FCA's recent enforcement actions in respect of financial crime failings at Starling Bank and Metro Bank. These actions demonstrate the FCA's heightened scrutiny of firms' financial crime systems and controls, focusing on sanctions (in the case of Starling Bank) and the use of an automated transaction monitoring system (in the case of Metro Bank).

Both banks are 'challenger banks' and accordingly the enforcement actions against them also indicate that the FCA expects all banks to have strong financial crime systems and controls, regardless of whether they are established behemoths or challenger start-ups. There are lessons also for overseas banks with a small presence in the UK, given that they may, just like start-ups and challengers, face resource constraints in deploying sophisticated and expensive financial crime systems and controls. 

Starling Bank (September 2024)

The FCA imposed a penalty of £28,959,426 on Starling Bank for breach of a voluntary requirement and for breach of principle 3 of the FCA's Principles for Businesses (firms to take reasonable steps to ensure that they have organised their affairs responsibly and effectively, with adequate risk management systems). This amount reflected a 30% discount as Starling reached a settlement with the FCA at Stage 1.

Starling's principle 3 breach arose from a system misconfiguration in the sanctions screening tooling, which resulted in a failure to screen actual and prospective customers against the entirety of the consolidated list of sanctions targets. Instead, the screening was done only against individuals in the consolidated list with UK citizenship or residency (ie, against only 39 of the 3088 designated persons on the list). Accordingly, Starling was omitting a substantial number of designated persons from the screening, with the failure persisting from July 2017 to January 2023. This created a material risk of designated persons being able to open an account with Starling. During the relevant period, at least one designated person had in fact opened an account with the bank.

The following additional shortcomings in Starling’s sanctions systems and controls were identified and relied upon by the FCA for finding a breach of principle 3:

  • Starling’s risk assessment of financial sanctions was not sufficient to inform its risk decisions and the management of its financial sanctions risk. Starling had rated its sanctions risk as low and had failed to consider several high risk factors such as payments from crypto-related platforms and multi-currency accounts.
  • Starling had no formal methodology or mechanism for the testing and calibration of its financial sanctions screening systems at or after implementation. There was also no record of testing and calibration having been carried out.
  • There was no operational management information relating to financial sanctions, such as alert volumes and trends, which should have allowed Starling to monitor the effectiveness of both configurations and its overall financial sanctions screening effectiveness.
  • Starling did not carry out any second line of defence assurance reviews of its financial sanctions screening or a third line of defence audit specifically for financial sanctions screening during the relevant period.
  • Starling was screening its customers against the consolidated list only once every 14 days and only after onboarding them. The 14-day period was a leftover metric from when Starling was a smaller institution and was not in keeping with current industry standards for similar financial institutions.
  • Starling was not screening all of its cross-border and international payments against the consolidated list, despite such payments presenting a much higher financial sanctions risk than domestic payments.
  • When screening payments against the consolidated list, Starling was using a tool designed for customer screening and not for payment screening.

The FCA noted as a mitigating factor the fact that Starling had undertaken effective remediation of the issues identified in its financial crime systems and controls. Subsequent third party testing of its systems had confirmed that they were effective. In addition, a review of historical payments was also carried out, which identified a number of potential sanctions breaches. These were reported to the relevant authorities.

The lessons learned from this enforcement case have been included by the FCA in its updated Financial Crime Guide.

Metro Bank (November 2024)

In November 2024, the FCA imposed a penalty of £16,675,200 on Metro Bank for principle 3 breaches. This amount reflected a 30% discount due to Metro reaching a settlement with the FCA at Stage 1. Metro's failures related to an automated transaction monitoring system (ATMS) that Metro had adopted as part of its compliance with ongoing monitoring requirements under the Money Laundering Regulations 2017. JMLSG guidance allows firms to use automated systems for ongoing monitoring, especially where firms have to monitor large volumes of transactions. However, firms should understand the workings and rationale of an automated system, and the reasons for its output of alerts.

The FCA found serious deficiencies in relation to the set-up, operation and oversight of the ATMS which were not identified and/or remedied by Metro within an acceptable period of time. As a result, Metro failed to monitor over 60 million transactions (circa 6.0% of the total transaction volume) with a value of over £51 billion (circa 7.6% of the total transaction value). Whilst many of these transactions were subsequently reviewed as part of a remediation exercise, there was a lengthy delay in the identification of suspicious activity and this increased the risk of Metro inadvertently being used for the purposes of financial crime.

Failure to check completeness of data fed into ATMS
Data for the ATMS originated from Metro’s data store. An error in the system meant that a large number of transactions had not been fed into the ATMS for ongoing monitoring. The failure by Metro to identify the error in a timely manner arose, in part, as a result of the fact that Metro did not check the completeness of data fed into the ATMS to ensure that all relevant data was being fed into it. There was no reconciliation process between the data store and the ATMS to check that all relevant data was being fed into the ATMS. The FCA considered it a serious failure in the operation and oversight of the ATMS that the error was allowed to persist for over three years before being identified and rectified. As a result, large numbers of transactions were not monitored for AML purposes.

Failure to deal with bad data
Metro also failed to put in place adequate systems and controls for managing an issue which was referred to internally as 'bad data'. The ATMS prevented data being fed into it where there were data quality issues, such as missing or incomplete data. The records which were rejected from the ATMS as bad data were placed into bad data folders. However, Metro failed to establish a process for dealing with rejected records in the bad data folders or to set up a regular review process for those records. As a result, records that should have been routinely loaded into the ATMS but had been rejected were not subject to ongoing monitoring, thus exposing Metro to financial crime risk.
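
A reconciliation of the kind the two findings above describe as absent, as an added example that is not taken from the FCA notice or from Metro's systems: it compares a data store extract with what the monitoring system ingested, separates records that silently never arrived from rejected 'bad data' records left unreviewed, and reports the unmonitored share by count and value. The record layout, the two-day review threshold and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal


def reconcile(source, loaded_ids, rejected, as_of, max_reject_age_days=2):
    """Reconcile the system of record against the monitoring system.

    source      -- list[Txn] extracted from the data store
    loaded_ids  -- set of txn_id the monitoring system confirms it ingested
    rejected    -- dict txn_id -> date the record was rejected as bad data
    """
    silent_drops, stale_rejects = [], []
    for t in source:
        if t.txn_id in loaded_ids:
            continue
        if t.txn_id in rejected:
            # Rejected records are expected, but only for a short time.
            if (as_of - rejected[t.txn_id]).days > max_reject_age_days:
                stale_rejects.append(t.txn_id)
        else:
            # Neither ingested nor rejected: the feed lost it without trace.
            silent_drops.append(t.txn_id)
    unmonitored = [t for t in source if t.txn_id not in loaded_ids]
    total = sum((t.amount for t in source), Decimal(0))
    missed = sum((t.amount for t in unmonitored), Decimal(0))
    return {
        "silent_drops": silent_drops,
        "stale_rejects": stale_rejects,
        "unmonitored_count_pct": round(100 * len(unmonitored) / len(source), 1) if source else 0.0,
        "unmonitored_value_pct": float(round(100 * missed / total, 1)) if total else 0.0,
        "ok": not silent_drops and not stale_rejects,
    }


# Constructed sample: five transactions, one lost by the feed, one rejected and never reviewed.
SOURCE = [Txn("T1", Decimal("100")), Txn("T2", Decimal("250")), Txn("T3", Decimal("50")),
          Txn("T4", Decimal("400")), Txn("T5", Decimal("200"))]
LOADED = {"T1", "T2", "T5"}
REJECTED = {"T3": date(2024, 1, 2)}

if __name__ == "__main__":
    print(reconcile(SOURCE, LOADED, REJECTED, as_of=date(2024, 1, 10)))
```

A failing reconciliation (`ok` false) is the management information the findings say was missing: it gives an owner a daily figure to act on and escalate.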

Lack of effective oversight and governance
The FCA pointed to a number of oversight and governance failures in relation to the ATMS issues:

  • There was limited documentation clarifying the roles and responsibilities related to the effective ongoing management of the ATMS. 
  • The bank was unable to identify an individual responsible for ensuring that the data fed into the ATMS was complete in the relevant period.
  • There was neither any management information nor any appropriate governance framework in relation to the bad data issue. Whilst bad data was recognised as a risk and a serious issue at comparatively less senior grades within Metro and individual staff members investigated and attempted to escalate this issue to more senior staff, no material action was taken to address the issue. In fact, reference to the bad data issue was removed from an internal working group's minutes, on the basis that the bad data issue did not appear to be substantiated, which meant there was no action to track and monitor this risk. 


Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
