The FCA has recently fined Starling Bank Limited for inadequate financial crime controls, specifically criticising its approach to financial sanctions compliance say Mikhail Vishnyakov, partner, and Emily Davies, associate, at Cooke, Young & Keidan LLP.
Aside from the very substantial quantum – £28,959,426 – the Final Notice is significant because it illustrates the FCA’s focus on sanctions compliance, and its ability to impose fines for inadequate sanctions systems without needing to show that sanctions were in fact breached.
FCA’s regulatory requirements
The FCA requires regulated businesses to “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems” and “establish, implement and maintain adequate policies and procedures” in order to comply with their regulatory obligations. This reflects an outcomes-based approach to regulation: regulated businesses have a degree of flexibility and independence in determining their compliance systems, provided they properly comply.
Starling’s sanctions failures
In its decision to fine Starling Bank, the FCA identified the following failures in the bank’s sanctions compliance system:
• for several years, it only screened customers or prospective customers against individuals on the UK sanctions list (known as the “Consolidated List”) with UK citizenship or UK residency;
• its assessment of financial sanctions risks was insufficient to inform decisions and management of that risk;
• it did not test the effectiveness or configuration of its customer or payment screening after implementation;
• it only screened customers once every 14 days; and
• it screened only customers not cross-border / international payments.
Moreover, the FCA noted a “capability gap” at governance level in understanding the bank’s sanctions compliance requirements.
Spotlight on sanctions compliance
The FCA’s comments as to Starling Bank’s sanctions compliance are likely to be of particular interest to FCA regulated firms because they shed light on some of the components of an effective sanctions compliance system. These comments may be instructive for businesses seeking to assess or improve their current systems, say Mikhail Vishnyakov, Partner, and Emily Davies, Associate, at Cooke, Young & Keidan LLP.
The FCA decision also emphasises the importance of checking the Consolidated List. However, UK sanctions extend to entities that are not named on the Consolidated List but are “owned or controlled” by them.
Recent decisions by the UK courts have demonstrated that there are legal difficulties in applying this test. Accordingly, implementing sanctions systems that can screen for such entities (that are not named on the Consolidated List but are sanctioned) is therefore likely to be particularly challenging.
Finally, the UK sanctions regulator, OFSI, has the power to impose fines for sanctions breaches. The FCA’s penalty imposed on Starling Bank illustrates that FCA regulated businesses may be fined (and publicly named) by the FCA regardless and independently of whether sanctions breaches have been established by OFSI.
This penalty will no doubt serve to reinforce the importance of investing in, assessing, and testing sanctions compliance programmes, which in itself requires an advanced understanding of the complex and rapidly changing UK sanctions regime.
By Mikhail Vishnyakov, Partner, and Emily Davies, Associate, at Cooke, Young & Keidan LLP
