Recent enforcement activity by the UK’s Office of Financial Sanctions Implementation (OFSI) and Financial Conduct Authority (FCA) reinforces the importance for businesses of all sizes to implement appropriate and risk-assessed policies and procedures.
Go-To Guide: |
|
On 2 October 2024, the FCA issued a final notice announcing it had fined digital challenger bank[1] Starling Bank Limited £28,959,426 for financial crime and sanctions systems and controls failures. This included breaching a voluntary FCA requirement (VREQ) not to open any new accounts for high-risk customers while it remediated its anti-money laundering framework and failures in its financial sanctions controls. During the relevant period, Starling onboarded 49,183 high or higher risk customers.
On 27 September 2024, OFSI announced it had imposed a £15,000 civil monetary penalty against Integral Concierge Services Ltd (ICSL). While a comparatively small penalty, it represents the first monetary penalty OFSI has imposed for breaches of the UK’s financial sanctions regime against Russia via the Russia (Sanctions) (EU Exit) Regulations 2019 (Russian Regulations) in response to the 2022 invasion of Ukraine.
Starling Bank
VREQ Breach
Starling was part of a wider FCA review of challenger firms’ financial crime controls in 2021. As a result of this exercise, the FCA expressed concerns that Starling’s systems and controls had not kept pace with its rapid growth. The FCA required Starling to appoint a “skilled person” under s.166 Financial Services and Markets Act 2000 (FSMA) to review its financial crime controls. The review resulted in Starling agreeing to the VREQ, thus preventing the bank from onboarding new “high risk” customers until it implemented a wide-reaching remediation programme. About a year after the VREQ, Starling discovered that one of its key financial crime risk controls was not functioning properly, permitting 294 customers who had previously been off-boarded to open new accounts. Starling’s internal review revealed they had also failed to implement a formal programme specifically to comply with the VREQ, enabling thousands of “high-risk” new accounts to be opened in breach of the VREQ. After becoming aware of this failure, the FCA required the Starling board to conduct a “lessons learned” review. An independent consultancy firm identified several systemic issues:
- a failure of senior management oversight and responsibility for VREQ compliance;
- an absence of quality control;
- inconsistent management information provided to the board regarding the VREQ;
- a lack of proper resourcing for the financial crime function;
- an absence of proper controls to enhance VREQ compliance; and
- an absence of proper challenge by internal audit.
Starling accepted these findings and committed to remediation.
Failures in Financial Sanctions Controls
As part of the same 2021 review, the FCA also identified concerns with Starling’s UK financial sanctions systems and controls. According to the FCA, Starling violated its own policies by only screening customers against sanctions records for individuals who were known to reside in or have links to the UK. As part of its internal review, Starling identified that its automated screening system had not produced any alerts between 1 July 2022 and 30 January 2023 due to an error that had existed within the system since 2017, with at least one designated person opening an account as a result. A review of its entire customer base generated a further 43,000 alerts for review, and several payments in potential breach of sanctions. The FCA specifically commented that the bank’s financial sanctions screening controls were “shockingly lax” and left its systems vulnerable to violation.
The FCA identified several systemic issues in connection with Starling’s financial sanctions risks:
- Starling’s initial financial sanctions risk assessment was insufficient to inform its risk decisions and management of such risk;
- Starling’s policies and procedures were inadequate;
- Starling did not test the effectiveness of its customer or payments screening at or after implementation; and
- Starling did not provide operational management information related to financial sanctions.
FCA’s £28.9m financial penalty on Starling demonstrates the Authority’s desire to embed financial crime and sanctions compliance through proper systems, controls, and management oversight.
Integral Concierge Services Ltd
OFSI Enforcement
OFSI, which is responsible for financial sanctions enforcement in the UK, has imposed a civil monetary penalty of £15,000 for Russian Regulations violations against ICSL, a small UK-registered business offering property management services, such as collecting rent from tenants and paying for the upkeep and maintenance of properties. It services a client base of primarily Ukrainian and Russian individuals.
OFSI found that between 2022 and 2023, ICSL had engaged in 26 transactions (valued at £15,487.30) providing services to a residential property in the UK owned by a designated person, despite knowing or having reasonable cause to suspect the payments ICSL made or received violated UK financial sanctions. In addition, OFSI considered ICSL’s failure to report payments it made to water and utilities companies (violating related general licence obligations) to be an aggravating factor.
Notably, ICSL did not make a voluntary disclosure. Rather, OFSI “became aware by proactive means” of potential breaches in relation to the property in late 2022 and, following initial enquiries, contacted ICSL in May 2023. It was only upon being contacted by OFSI that ICSL ceased the transactions involving the designated person.
Having been informed of OFSI’s decision to impose a monetary penalty, ICSL chose not to make representations and did not seek an administrative review of the decision. Because ICSL did not make a voluntary disclosure, OFSI did not reduce the penalty.
Takeaways
Both OFSI and FCA have signalled an intent to increase their enforcement activity in connection with breaches of financial crime controls and violations of the UK sanctions regime. With regards to OFSI, the ICSL penalty came nearly two years after the matter first came to their attention. Further enforcement action connected with the Russian Regulations may follow in light of the sheer volume of reports OFSI has received in the past two and a half years.
These matters provide useful considerations for businesses:
- Enforcement authorities have developed an increasing appetite to take enforcement action.
- Irrespective of the size of the business, failures to design, implement, and maintain adequate systems and controls to mitigate financial crime and financial sanctions risks were at the centre of the enforcement decision.
- As emphasised in both matters, the seriousness of the violations is a key aggravating factor, albeit OFSI considered a mitigating factor to be that had ICSL applied for a licence, it may have granted one. A number of General Licences in place covered some of the services ICSL had provided.
- Cooperation with and voluntary disclosure to the authorities are major mitigating factors that may result in reductions or discounts to financial penalties.
- These matters are a timely reminder of the various sources of information available to law enforcement authorities, including mandatory reporting requirements imposed on certain financial and other institutions (including law firms) to report to OFSI, as soon as practicable, if they know or suspect that a person has committed an offence under the UK sanctions regime. ICSL did not voluntarily report its sanctions breaches, so a third party with reporting obligations of its own may have reported to OFSI.
These enforcement actions highlight the importance for all companies – no matter their size – to understand their exposure to sanctions risks and financial crime, including anti-money laundering, risks and to take appropriate action to mitigate these risks.
[1] “Challenger bank” is a generic term given to new, smaller, digital (i.e. no branches), retail banks that compete with large, well-established national banks in the UK.