
Starling Bank fined £29 million for financial crime systems and controls failings

On 27 September the FCA published its Final Notice to Starling Bank Ltd, in relation to anti-money laundering ("AML"), financial crime and financial sanctions failings.

Starling breached the terms of a Voluntary Requirement (the "VREQ") that required it not to onboard higher risk customers, and also failed to ensure that its financial sanctions screening systems were operating effectively.

The Final Notice is an important reminder and re-emphasis of a number of key points including: resourcing; the role of senior managers; and the importance of making timely notifications to the regulators.

1. "Financial crime control resources, processes and technology [need] to be commensurate with a bank’s expansion"

Starling underwent "exponential growth" between 2016 and 2023 but its "financial crime controls, however, failed to keep pace with its growth" (FN, para 2.1).

In the Final Notice, the FCA make very clear that:

"When a financial institution undergoes such growth its systems and controls must also grow and adapt to ensure its continued compliance with the Authority’s rules and Principles, and that they are fit for countering the risk that the firm might be used to further financial crime."

Although Starling's growth was exceptional, with customer numbers in the millions, the principle articulated here – financial crime resources, processes and technology must be commensurate with expansion – must surely apply to any and all growth. When a firm or its business grows, for example if a merger or acquisition takes place, a new product or service is offered, or even if the customer base or workflow increases, that firm (and specifically the SMF/16 and SMF/17 holders) must ask itself how and on what basis it can be satisfied that existing financial crime resource can adequately cover the increased risk and workload associated with such growth.

Senior Managers who fail to assess the risks and make appropriate regulatory provisioning for growth are at personal risk. In 2012, Peter Cummings of Bank of Scotland plc was subject to a Final Notice, financial penalty and prohibition for failing to ensure an aggressive growth strategy was supported by appropriate controls.

A Senior Manager, such as an MLRO, who fails to push for more and adequate resourcing is also at personal risk of regulatory penalty. In 2016 in its Final Notice to Steven Smith (the former MLRO of Sonali Bank (UK) Ltd) the FCA found that:

"Despite suffering from being overworked personally and from a lack of resource in the MLRO department, Mr Smith failed to impress upon senior management the need for further resources even when these were adversely affecting the monitoring work carried out by the MLRO department." (para 2.5).

"The Authority accepts that the extent of the resources available to Mr Smith was only partially within his control. Nevertheless, Mr Smith did not take adequate steps during the Relevant Period to impress upon SBUK’s senior management how overstretched the MLRO department was and how it was adversely affecting his duties as MLRO." (para 4.25).

The FCA has been consistent and clear on the need for adequate resourcing of regulatory controls, and this latest Final Notice serves as a further reminder.

2. Senior Management must oversee and be informed about financial crime and sanctions controls

A Consultancy Firm commissioned to carry out an independent review of Starling's implementation of the VREQ found that:

"Starling’s senior management as a whole lacked the experience and capability to effectively implement the VREQ, specifically … They lacked the required AML skills or experience [and] … they were inexperienced when dealing with significant regulatory changes"

"Starling’s senior management failed to adequately oversee and monitor the day-to-day compliance with the VREQ"

"Starling failed to ensure that the oversight and responsibility for the implementation of the VREQ was delegated to an appropriate Senior Management Function holder. Several members of senior management at Starling had different understandings of whom at Starling had responsibility for the VREQ"

"Starling’s senior management did not provide effective challenge and oversight of those responsible for the day-to-day implementation of the VREQ." 

"There was an absence of quality and consistently reported MI, with different committees receiving different information. This had the natural consequence of there being a lack of MI that the Board could assess and challenge."         

Although these are the findings of the Consultancy Firm, the fact that the FCA chose to include them in the Final Notice is noteworthy.

The FCA also noted that a review undertaken by Starling's second line of defence into sanctions screening found that there:

"appeared to be a ‘capability gap’ at governance level in Starling in understanding sanctions compliance requirements. This was evidenced by an insufficient understanding surrounding the use of the Consolidated List and the risk parameters involved in financial sanctions screening".

Senior Management must be engaged with financial crime matters and have sufficient skill, knowledge and experience to challenge, test and ensure the effectiveness of the same. It is not enough for senior managers to leave matters pertaining to financial crime to the MLRO. The FCA's Financial Crime Guide is very clear: "We expect senior management to take clear responsibility for managing financial crime risks" (2.2.1).

The responsibilities of senior management in respect of financial crime have been made clear in recent Final Notices, including those issued to Guaranty Trust Bank (paras 4.78 – 4.81) and Santander UK (e.g. at paras 4.24; 4.25).

3. Systems must be added or developed to ensure compliance with a VREQ

While Starling introduced a series of controls in an attempt to ensure compliance with the VREQ, Starling failed to put in place a formal monitoring process to ensure that it was meeting the VREQ's specific requirements on an ongoing basis. As such, Starling failed to identify that a key financial risk control was not functioning correctly, resulting in new accounts being opened and services provided to customers in breach of the VREQ.

The FCA's Final Notice therefore reminds firms that when a firm is subject to a requirement "it must correctly implement the necessary changes to its systems and controls to ensure that the terms of the requirement are met immediately and on an ongoing basis, until the requirement is varied or cancelled by the Authority" (FN, para 4.18). Such measures will necessarily involve controls designed to comply with the requirement, as well as a formal monitoring plan to ensure compliance on an ongoing basis.

A firm should not agree to the imposition of a regulatory requirement if its Senior Management are not certain that the firm and its systems and controls are and will remain adequate to ensure compliance with that requirement.

4. The FCA (and where applicable PRA) must be notified of notifiable matters promptly

Starling first discovered the VREQ breach on 21 July 2022. However, it took Starling over a month to inform the FCA of the issue. In the Final Notice, the FCA note its "disappointment that Starling did not immediately report the initial VREQ breaches to it".

Starling was not subject to a Principle 11 finding. However, this is another case in which the FCA have taken the opportunity to emphasise the importance of openness and cooperation, which in most cases will mean that the FCA expect a firm to raise issues that arise "immediately". In the Starling matter, a delay of a month in informing the FCA of the breach of the VREQ was considered by the FCA to fall short of this requirement (paragraph 4.21). Expectations will be heightened when the issues in question are serious, such as a breach of a requirement which has large scale financial crime impacts.

5. Sanctions Screening tools and systems must be appropriately calibrated and tested to ensure efficacy

In addition to breaching the VREQ, Starling failed to ensure that its financial sanctions screening systems were operating effectively. Starling identified that from 2017 to 2021, its automated financial sanctions screening system had only been screening customers against a limited proportion of the full sanctions list. On further investigation, Starling also discovered that there were "systemic issues" with its sanctions systems, including with its assessment of its financial sanctions risk, policies and procedures, testing and calibration of screening systems, and a lack of MI regarding alert volumes and trends.

Therese Chambers, Joint Executive Director of Enforcement and Market Oversight for the FCA, remarked that "Starling’s financial sanction screening controls were shockingly lax. It left the financial system wide open to criminals and those subject to sanctions".

The Final Notice sets out the findings of a review undertaken by Starling's second line of defence into its financial sanctions systems and controls. These findings provide a useful overview of the actions required to ensure that financial sanctions systems and controls are robust and effective:

a) a firm must ensure that its risk assessment of financial sanctions is thorough and sufficient to inform risk decisions and management of said risks;

b) policies and procedures should cover the responsibilities for sanction screening, testing and MI requirements;

c) there should be a formal methodology or mechanism for the testing and calibration of screening systems at or after implementation to ensure that the controls are functioning as required and the firm is complying with financial sanctions;

d) quality MI should be produced to allow the firm to monitor the effectiveness of configurations and overall sanctions screening effectiveness. Such MI should include alerts and trends;

e) Senior Management should have the relevant experience, knowledge and skill to oversee sanctions arrangements (for more on this, see (2) above);

f) the frequency of screening should be commensurate with a firm's size and customer base. Starling was only screening customers against the sanctions list every 14 days, which was a metric left over from when it was a smaller institution. Starling has since amended its policies and procedures so that screening now occurs daily; and

g) the screening tools used should be sufficient for a firm's purposes.
