7 lessons learned from FCA inspection of a neobank

Starling Bank has been fined £29M by the UK's Financial Conduct Authority (FCA), mainly because "financial sanction screening controls were shockingly lax", according to a press release dated 2 October 2024.

📌 Starling Bank, a digital challenger bank or neobank, was granted a licence to operate in the UK in 2016 and, according to the supervisory report, has recorded rapid growth: revenues rose from £13K in 2016 to £452M in 2023, while its customer portfolio grew from around 43K in 2017 to around 3.6M in 2023. International transactions increased significantly, from 385 in 2017 to 236K in 2020 and then to over 1M in 2023.

💡 In December 2020, the UK National Risk Assessment warned that criminals are attracted to the faster account opening process offered by neobanks compared to traditional banks, and that the due diligence measures they put in place are insufficient to identify high-risk customers. Accordingly, in 2021, the regulator carried out a review of financial crime controls at a sample of 6 neobanks with a total of over 8M customers in their portfolios, one of the challenger banks reviewed being Starling Bank.

❗ In September 2021, the FCA, among other restrictive measures, required Starling Bank to stop accepting any new high-risk customers and to stop opening any new accounts for this category of customers until appropriate risk management systems are in place.

🔔 An independent audit carried out at the FCA's request found that the systems put in place by the bank between September 2021 and May 2023 were ineffective, both in terms of senior management involvement and the 3 internal lines of defense. The bank opened 54K accounts for 49K high-risk customers.

💣 In terms of international sanctions, the systems for checking customers against official lists were configured inadequately: customers were checked only against designated persons with a UK residence or citizenship. It should be emphasized that the screening occurred after the registration of customers in the IT systems, and not online, and that the periodic verification of the customer portfolio against the sanction lists was carried out every 14 days, a very long interval given the size and risk of the bank.

⚠️ After the customer and transaction checking systems were configured correctly, in February 2023, 48K customer alerts and 795K transaction alerts were generated.

📢 The sanction imposed on Starling Bank by the FCA teaches some important lessons in the context of risk management principles:

1️⃣ KYC/AML/CFT/FISA compliance processes must be continuously enhanced, effectively implemented and properly tested;

2️⃣ internal risk management systems must be able to identify, assess and manage potential and especially emerging risks;

3️⃣ internal systems must be constantly monitored in order to identify possible vulnerabilities, to effectively adapt them to the dynamics of the institution, to market risk developments and changes in the legislative system;

4️⃣ investments in advanced technologies for KYC/AML/CFT/FISA processes are necessary for institutions managing high volumes of customers and transactions;

5️⃣ the increasing digitalization of the economy, criminality and geopolitical complexity significantly impacts the need for additional resources in the KYC/AML/CFT/FISA field;

6️⃣ regular training is essential at all levels for employees to understand their role in identifying and managing risks while ensuring regulatory compliance;

7️⃣ KYC/AML/CFT/FISA sanctions involve high remediation costs and have a significant reputational impact.
