Metro Bank’s £16m AML penalty – a case with little to do with challenger banks
19 Nov 2024
Metro Bank’s £16m fine for AML failings prompted commentary that the FCA, after a recently fining Starling Bank for similar, is focussing its attention on “challenger banks”.
This analysis risks missing the bigger picture, says barrister Tom Bushnell who argues the Metro Bank penalty fits a pattern of AML enforcement action against some of the country’s most traditional retail banks, and therefore has much wider relevance.
Earlier this month, the so-called “challenger bank” Metro Bank found itself in the headlines for the wrong reasons, and not for the first time.
While the 14-year-old bank has previously been criticised for issues relating to its regulatory reporting of capital requirements, the problem this time related to insufficient anti-money laundering (AML) measures.
On 12th November 2024, the FCA published a Final Notice imposing a £16m financial penalty (reduced from £23m on account of its settlement of the case) on the bank for AML failings.
Much of the commentary and reporting since then has focused on Metro Bank’s challenger bank status, and an apparent parallel between Metro’s fine and the £29m fine recently levied on another challenger bank, Starling Bank.
Properly understood, however, the Metro Bank case has little, or nothing, to do with its challenger status. On the contrary, the FCA’s Final Notice has striking echoes of action taken by the regulator against some of the most long-established high street banks in the land.
The lessons of the FCA’s action in this case are thus more widely applicable than some suggest.
The background: Metro Bank’s penalty
Metro Bank was found by the FCA to have breached Principle 3 of its Principles for Businesses. This requires a firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”
As part of this, firms must also comply with the more detailed requirements of SYSC, or Senior Management Arrangements, Systems & Controls. In essence, these require a firm to have systems and controls in place to – for example – comply with the firm’s regulatory obligations and prevent it being used for financial crime.
Metro Bank was also required to comply with the Money Laundering Regulations 2007 (MLR 2007), which were in the force at the time. Regulation 8 of the MLR 2007 required Metro Bank to conduct ongoing monitoring of business relationships, and do so in a risk sensitive way.
Once a client has been onboarded (and appropriate due diligence carried out), ongoing monitoring is the constant process of checking that the transactions match what a bank expects from its client, and checking for red flags. Successful ongoing monitoring can also strengthen KYC; aid a firm’s risk assessments; and help assess whether a firm is being used for financial crime.
As is common among large banks, Metro Bank used an automated transaction monitoring system (ATMS) as part of its ongoing monitoring efforts. In effect, this is a computer system which applies a set of rules to transactions to spot the abnormal. Unusual transactions can then be investigated.
Metro Bank’s ATMS was seriously deficient: the FCA found failures in how it was set-up in first place, operated and overseen. The net result of this was over 60 million individual transactions, together worth £51bn, did not pass through the ATMS.
The Bank had to undertake a (presumably laborious) “lookback review” after the event to check many of these transactions. This resulted in many suspicious activity reports and some account closures.
Little to do with challenger banks
It is true that Metro Bank’s penalty comes about six weeks after the FCA took action against one of its competitors, Starling Bank, for AML failings.
Starling’s failings were different from Metro’s. Starling was fined for a) contravening a VREQ (voluntary requirement, signed by a firm in order to stop an ongoing weakness) by which the bank agreed not to onboard or open further accounts for any high-risk customers; and b) significant weaknesses in its sanctions controls, including a failure to screen customers against the entirety of OFSI’s Consolidated List of designated persons.
Whilst it looks like Starling’s AML transaction monitoring systems were reviewed (at the very least by a Skilled Person[1]), these were not the cause of its problems.
As such, whilst the two Final Notices have come in quick succession (and during a period of heightened regulatory scrutiny of challenger banks) it would be a mistake to assume that both banks were the subject of the same FCA crackdown.
In fact, Metro Bank’s Final Notice bears a much closer resemblance to action taken against some very familiar traditional retail banks: Santander, NatWest and HSBC.[2] Two themes are strikingly similar.
The difficulties of ongoing monitoring – again
Just as it was in the FCA’s AML cases against NatWest, HSBC and Santander, it was ongoing monitoring which let Metro Bank down (as opposed to, for example, customer due diligence).
The similarities even extend to the method of ongoing monitoring that failed. Retail banks are advised to conducting ongoing monitoring of transactions in at least four ways:
- Automated transaction monitoring;
- Manual transaction monitoring (staff reporting concerns);
- Investigations into activity highlighted by either form of monitoring; and
- Independent reviews (usually periodic or triggered by specific events).
NatWest, HSBC, Santander and now Metro Bank have all seen the first of these – automated transaction monitoring systems – criticised by the FCA within the last three years.
The similarities don’t stop there: there are even likenesses in the types of problems with the automated systems. For example, there seems to be a recurring problem with the data being fed into these systems to begin with.
In the case of Metro Bank, the problem was a technical flaw known as the “Time Stamp Code Logic Error.” This meant that if a customer opened an account and made transactions on the same day, the customer’s transactions would not be fed into the ATMS for review. Over 46 million transactions fell through the net. And whilst the FCA’s Final Notice doesn’t say this, one might think that this technical issue was particularly damaging, given that criminals are not known for bank loyalty: they are surely as or more likely than non-criminal customers to open an account and transact the same day, before the bank (!) or authorities catch up with them.
Issues with the data being fed into the automated transaction monitoring system were a major problem for NatWest and HSBC too. In the case of NatWest, cash deposits were for a time wrongly labelled as cheque deposits by a system feeding data into the automated system. This meant that they were subjected to less onerous monitoring rules, and treated as less risky within the Bank’s “security blanket.”[3]
As for HSBC, the bank was found to have failed to check the completeness and accuracy of data being fed into its transaction monitoring systems; failed to maintain a list of correspondent banking relationships so as to ensure all necessary data was being fed in; and had transactions that were sometimes in the billions of pounds either monitored incorrectly or not at all.[4]
All of these cases – traditional and now challenger bank – therefore underline the importance of automated transaction monitoring, and the importance of it working from end to end.
Remediation – again
The other common theme to these cases is the vast remediation programmes that are required when AML problems are spotted.
Metro Bank’s Final Notice refers to the engagement of not one, but two external compliance firms to review AML issues. The bank undertook a “Lookback Review” to identify the accounts that had been missed from its automated monitoring; and then a further “Lookback Audit” of the “Lookback Review”. And, although the Final Notice doesn’t reveal any figures, it refers to Metro Bank having made:
“a significant investment in additional resource and capability to manage the Bank’s ATMS, to review and assess the quality and effectiveness of the ATMS and to review and investigate possible suspicious activity.”[5]
NatWest’s Agreed Statement of Facts, and the Santander and HSBC Notices contain similar descriptions. The banks have no choice but to remediate their AML failings. But only they will know whether the costs of these remediation programmes, combined with the financial penalties, legal costs and reputational damage, outweigh what could have been spent to comply with the Money Laundering Regulations in the first place.
Festive penalties and the real pattern
Almost two years ago, I noted that the FCA was creating a habit of concluding enforcement action against major high street banks for AML failings every Christmas: NatWest’s criminal sentence and HSBC’s regulatory penalty in December 2021; and Santander’s regulatory penalty in December 2022.
Just as Christmas advertising gets earlier every year so, it seems, does the FCA’s festive AML penalty, with this robust action against Metro Bank happening in mid-November.
But whilst the FCA’s yuletide timing might be mere coincidence, the pattern of AML failings in the banks it regulates is not.
Metro Bank’s sanction fits squarely within the pattern of FCA action against banks for AML failings. Metro’s status as a challenger bank is irrelevant, save for underscoring that the whole banking industry appears to have similar blind spots around ongoing monitoring, and the FCA (rightly) will take action against new banks as well as old.
This shouldn’t be a surprise to the industry. The FCA has consistently said that challenger banks face the same sort of risks as traditional retail banks. In 2022, following a multi-firm review into financial crime controls at challenger banks[6], the FCA said:
“Overall […] we remain of the view that there are limited differences in the inherent financial crime risks faced by challenger banks, compared with traditional retail banks.”
Given this starting point, it is perhaps of little surprise that the FCA expects adequate ongoing monitoring from challenger banks, just as it does from traditional banks.
What next for FCA AML enforcement?
Three things are worth keeping an eye open for in this area.
First, the above-mentioned cases all show the FCA taking enforcement action against banks for basic errors and gaps in automated transaction monitoring systems. It will be interesting to see if the FCA’s expectations (or threshold to take enforcement action) rise as the systems embrace AI and become more sophisticated.
Secondly, are yet more cases to come? In January last year, after the Santander case, I wrote:
“The Santander case shows the FCA’s appetite to go after big banks for AML failings remains undiminished. It will be interesting to see how, if at all, the FCA’s approach to the enforcement of these cases changes when Mark Steward, the FCA’s executive director of Enforcement and Market Oversight, steps down in spring 2023.”
Even making allowance for the time these cases take, it seems the FCA’s motivation to go after big banks for AML failings is not diminished. Nor is it the only regulator that is banging the AML drum.[7] But, given the recurring nature of the failings that are identified in the Metro Bank Final Notice, perhaps it is of little surprise.
Thirdly, banks will need to keep investing more. Cockerill J’s comments when sentencing NatWest in December 2022 remain apt for all banks and large financial institutions, old or new:
“[NatWest’s] compliance costs are enormous – the increase which has recently been made from £700 million to £1 billion for the next 5 years gives some hint of what is needed to properly comply with these Regulations which though demanding are of such great importance.” [para 124]
Tom Bushnell is a barrister within the business crime team at Hickman & Rose. He specialises in financial crime and financial services regulation. He has a particular interest in enforcement action relating to AML and the Money Laundering Regulations. Before joining Hickman & Rose in 2022, Tom practised at the Bar and was the FCA’s junior counsel for its landmark investigation and prosecution of NatWest.
[1] See Starling Bank Final Notice para 4.13.
[2] And, for similar transaction monitoring failures in a commercial bank, see the Commerzbank Final Notice in June 2020.
[3] NatWest Agreed Statement of Facts paras 182-188 and 203a
[4] See HSBC Decision Notice paras 4.82-4.118
[5] Metro Bank Final Notice para 4.118.3
[6] Which, in fact, was the start of the process for Starling Bank that culminated it its enforcement action: see Starling Final Notice paras 4.6-4.10
[7] AML is an area of real focus for the Solicitors Regulatory Authority at the moment: see, for example, my colleague Andrew Katzen’s recent article “What an annual report – and five fined firms – tells us about SRA AML enforcement trends“