Starling bank fined £29m - what can we learn?
Starling’s stark screening process prompts penalty
On the 27th of September, Starling were whacked with a £29m fine from the FCA for their lack of financial crime controls.
The crux of the issue is Starling’s measures and checks not keeping up with their astonishing growth. They went from 43,000 customers in 2017 to 3.6 million in 2023, and rapidly outpaced their onboarding and ongoing customer due diligence checks.
Starling were doing all their own KYC / AML, and fell into some pretty major pitfalls:
🚨 Only checked customers against a subset of the UK sanctions list, rather than the whole list. When they ran their customer base through the full list in 2023, they got 48,000 alerts.
🚨 Didn’t check against non-UK sanctions lists, despite having payments being made in US dollars.
🚨 Only screened customers after they had opened an account, not during the onboarding process.
🚨 Screened current customers, but only every 14 days. This would’ve been fine in the early days, back in 2017, but with 3.6 million customers, they needed to be doing that every day.
🚨 Made no documentation of their risk based decisions - ie when they would allow an account opening for a “politically exposed person”.
So, here’s what I think we can learn from Starling’s fine:
1. Be curious about what’s critical from day one
I’m not saying that when you start a new company, you have to know everything about your sector immediately before you start to do anything.
What I am saying is that you should, at least, be very interested in what it means to be compliant in your sector, and what you will need to do to get there.
Plan to be massive, without jumping over unnecessary hurdles too early. That way, it shouldn’t come as a surprise when you need to tweak things or get more detailed later on.
When Starling were handed their first set of compulsory recommendations by the FCA, they didn’t take them as seriously as they should have, and continued running many of their old processes from when they were much much smaller.
2. You cannot take shortcuts forever.
You have to always do your absolute best to be compliant, even when it’s a total ball ache.
Obviously, this is always relative to the stage you’re at, but it wouldn’t have been hard for Starling to start checking customers against the full list pretty quickly after their launch.
3. Check in on your processes regularly.
There’s a reason why accreditations and standards are reassessed over a number of years. Because things change, especially if you’re a very successful start up.
In that context, running the same process in 2022 as you were in 2017 is, at a minimum, dicey.
As you grow, your processes absolutely must grow with you. What works for a startup with 1,000 customers probably won’t be adequate when that number grows 100,000.
Regular process reviews help ensure that as your customer base, transactions, and operations expand, your controls remain robust and scalable.
It’s absolutely not my intention to stand here in the start-up glass house and throw stones.
The FCA’s 2022 review of challenger banks highlights that this is a risk for all the growing FinTechs out there…growth is golden, and it’s unsurprising that there are companies that can’t keep up with compliance.
Vouchsafe & friends news
➡️ We’re through to the next round in the Santander X UK Awards! We’ll be pitching again this week. Fingers and toes crossed!
➡️ Chloe will be a guest for a lecture at the University of Glasgow’s business school on the 31 October! Happy halloween to all the students there 🎃
➡️ Jaye will be speaking at MALG Conference 2024. Come along to hear about how to provide KYC that customers don’t hate. Aspire Leeds on 7 November is the place to be.
➡️ It’s still ADHD Awareness Month and Chloe is on the case. Follow Chloe on LinkedIn for updates on this topic, and how we support neurodiversity at Vouchsafe more generally.
➡️ We’ll also be going along to Slush in Helsinki on 20 and 21 November. This is a great event to hear about exciting things in tech in general. Say hi if you’re there!
➡️ Our friends at BGV have announced their Autumn / Winter 2024 cohort! We hope all the founders learn as much as we did on the accelerator (and have as much fun, too).
➡️ Our other friends at GoodTech Ventures are helping burnt out founders, check out some thoughts from Chloe in their article. They have also opened applications for their 3rd cohort! We definitely recommend applying.
Links of note
🔗 KYC excludes 627 million from digital services (CCN News) - “Many digital platforms have rigid requirements, often failing to account for variations in identity documentation across countries or regions”
🔗 New powers for banks to combat fraudsters (gov.uk) - Banks can now delay payments by 72 hours if they believe the payment to be fraudulent and need more time to investigate.
🔗 Banks now must refund scam victims (Money Saving Expert) - Banks have been told they must refund victims of “authorised push payment” scams up to £85,000.