FCA Enforcement Action KYC / AML Sanctions Screening October 2, 2024 — FCA Final Notice

Starling Bank's £29M FCA Fine: The KYC Failure Pattern AI FinTech Repeats

In October 2024 the Financial Conduct Authority issued a £28.96 million fine against Starling Bank — one of the UK's most celebrated digital banking success stories. The failure was not a rogue employee or a single bad decision. It was a systemic breakdown in automated Know Your Customer controls that the bank itself had promised regulators it would fix. Every AI-powered KYC vendor selling "automated compliance" today carries the same latent risk.

FCA Final Notice — Starling Bank Limited

Date: October 2, 2024
Fine: £28,959,426 (approximately £29 million)
Violation period: 2021–2023
Accounts opened in breach: 54,359 accounts for high-risk or sanctioned individuals
Official source: FCA Press Release — fca.org.uk

1. What Happened: The Promise to the FCA vs. Reality

Starling Bank's regulatory trouble did not begin in 2024. It began in 2021, when the FCA became concerned about the bank's financial crime controls during a period of rapid customer growth. At that time, Starling agreed with the FCA to restrict its onboarding — specifically committing to accept only customers classified as presenting low financial crime risk.

This is the critical point that makes the subsequent failure so striking: Starling did not accidentally violate a complex, newly issued regulation it had not fully read. It violated a specific, bilateral undertaking it had made directly to its regulator. The guardrails were self-imposed and explicitly agreed.

Between 2021 and 2023, the bank opened 54,359 accounts for customers who were high-risk or who appeared on sanctions lists. These were not borderline cases or ambiguous risk classifications. The FCA's Final Notice made clear that Starling's own automated onboarding framework was the mechanism through which these customers passed — because that framework was neither complete nor current.

54,359

High-risk or sanctioned accounts opened in breach of FCA undertaking

Between 2021 and 2023 — the same period Starling had agreed with the FCA to onboard only low-risk customers. The automated system passed them all.

What makes this case foundational for anyone evaluating AI-powered compliance tooling is the mechanism of failure: it was not human negligence in reviewing flagged accounts. The automated screening system itself was deficient. High-risk customers were not flagged in the first place, so there were no alerts for humans to review. The system generated a false sense of compliance while the underlying controls were hollow.

2. The Technical Failure: Automated Screening That Did Not Actually Screen

The FCA's findings identified two compounding technical deficiencies in Starling's automated sanctions screening framework:

First: The system screened against only a fraction of the required sanctions list. UK sanctions obligations require financial institutions to screen against the full HM Treasury Office of Financial Sanctions Implementation (OFSI) consolidated list, as well as applicable UN and EU sanctions regimes. Starling's automated system was not configured to screen against the complete list. Customers who appeared on portions of the sanctions regime not included in the system's reference data passed through without a match.

Second: The system had not been updated to reflect changes in the sanctions regime. Sanctions lists are not static documents. The Russia-Ukraine conflict from February 2022 onward produced one of the largest and fastest expansions of UK financial sanctions in modern regulatory history. Individuals and entities were added to OFSI's consolidated list in near-real-time. Starling's automated framework — never fully comprehensive to begin with — fell increasingly behind as the sanctions environment changed dramatically around it.

The Compliance Theater Problem: An automated screening system that does not screen the complete list does not produce compliance failures. It produces compliance-shaped outputs — pass/fail decisions that look authoritative but are generated against incomplete reference data. The bank's operations teams saw green lights. The risk was invisible until regulators looked underneath.

This is the technical pattern that AI-powered KYC vendors reproduce at scale. A model trained on historical sanctions data, or integrated with a third-party list provider whose update cadence lags regulatory changes, will produce confident-looking verdicts based on stale or incomplete inputs. The confidence of the output bears no relationship to the completeness of the underlying data.

// What Starling's system effectively did:
function screenCustomer(applicant) {
  // References PARTIAL_SANCTIONS_LIST — not the full OFSI consolidated list
  // Last updated: [months ago — pre-Russia sanctions expansion]
  const result = checkAgainst(applicant, PARTIAL_SANCTIONS_LIST);
  return result.matched ? "REFER" : "PASS"; // Returns PASS for unmatched names
}

// The system returned "PASS" — which was accurate against the list it checked.
// The problem: the list it checked was incomplete.
// 54,359 customers received "PASS" verdicts. Many were on lists never consulted.

3. Why "AI-Powered KYC" Without Human Oversight Creates the Same Vulnerability

The vendor pitch for AI-powered KYC is consistent across the market: faster onboarding, lower false-positive rates, reduced manual review burden, consistent application of policy rules, and real-time decisions at scale. Every one of these claimed benefits is real. Every one of them also describes exactly why AI KYC automation creates a qualitatively new category of regulatory risk.

In a manual review process, deficiencies tend to be visible and localized. A compliance officer who does not check a particular sanctions database misses individual cases. Her manager can audit her work, identify the gap, and correct it. The failure is observable, bounded, and correctable.

In an automated system, a deficiency in the reference data or the screening logic applies uniformly to every single customer processed. A model that does not screen the correct list does not occasionally miss a sanctioned individual — it systematically passes every individual who would only appear on the lists it does not consult. The failure is invisible, total, and compounds with every onboarding decision the system makes.

AI Automation Risk

Systematic failure applied uniformly across all decisions. A single configuration error affects every customer onboarded until discovered. False confidence generated at scale.

Human-in-Loop Mitigation

Errors are localized and auditable. Supervisory review catches gaps before they compound. Judgment applied to edge cases that rules-based systems classify incorrectly.

The FCA has been explicit in supervisory communications that automation does not transfer regulatory responsibility. The firm remains accountable for the outputs of its automated systems to the same degree it would be for manual decisions. A vendor contract that shifts liability to the technology provider does not satisfy the FCA's requirements — the regulated firm is responsible for ensuring its automated controls are fit for purpose.

4. The Sanctions Screening Gap: Passing Compliance Reviews Against Incomplete Lists

The most technically dangerous aspect of the Starling failure is how well the system would have appeared to function during an internal compliance review. If a firm's internal audit team asks "Is our sanctions screening running?" — the answer was yes. If they ask "Does the system flag sanctioned individuals?" — the answer was yes, for sanctioned individuals who appeared on the portion of the list the system consulted. If they ask "Is the system producing decisions?" — the answer was thousands per day.

None of these questions would have revealed the problem. The only question that would have revealed it is: "Which specific sanctions lists does the system consult, and are those lists comprehensive and current?" That question requires a level of technical specificity that many compliance functions — particularly in high-growth fintechs where engineering and compliance teams operate in separate silos — do not routinely ask of their own automated systems.

            The list-completeness question is now a standard FCA supervisory inquiry. Following the Starling action, firms should expect FCA supervisors to ask not merely whether automated sanctions screening exists, but to demonstrate the specific sources screened, the update frequency for each source, and the governance process for verifying list completeness when sanctions regimes change.
        

The Russia-related sanctions expansion made this problem acute. From February 2022 onward, OFSI was adding designated persons to the consolidated list at unprecedented speed. A system configured to check the list as it existed in 2021 — or relying on a third-party data provider whose refresh cycle ran weekly or monthly rather than daily — was not screening against the regime that actually existed. It was screening against a historical snapshot of that regime.

For AI systems that train on or cache sanctions data as part of their operational logic, this problem is structurally worse. A machine learning model that has internalized patterns from historical sanctions designations has no mechanism for incorporating individuals designated after its training cutoff, unless explicit provisions are made for real-time list lookups against authoritative, live sources at the point of each decision.

5. What the FCA's "Dear CEO" Letters on Financial Crime Automation Require

The FCA has issued a series of "Dear CEO" supervisory letters addressing financial crime controls in digital and challenger banks. These letters, while not binding rules in the same sense as the FCA Handbook, represent the regulator's articulated expectations and are treated as quasi-regulatory guidance in enforcement proceedings.

Key themes from FCA supervisory communications on financial crime automation include:

Governance ownership: The board and senior management must own financial crime risk. This cannot be delegated to a technology vendor or an automated system. A named Senior Manager under the Senior Managers and Certification Regime (SM&CR) must be accountable for the firm's financial crime controls, including automated controls.
Control effectiveness, not control existence: The FCA distinguishes between having a control in place and having a control that works. Firms must demonstrate through testing and monitoring that their automated systems produce accurate outputs, not merely that those systems exist and are operational.
Challenger bank growth risk: The FCA has specifically noted that rapid customer growth creates heightened financial crime risk, and that the controls appropriate for a firm with 100,000 customers may be entirely inadequate for a firm with 3 million. Controls must scale with business volume.
Third-party reliance: Firms that rely on third-party KYC or sanctions screening providers must conduct their own due diligence on those providers, including the completeness and freshness of their data sources. Outsourcing the function does not outsource the regulatory obligation.
Ongoing monitoring: The FCA expects firms to have systematic processes for monitoring the performance of their automated financial crime controls — not just initial implementation reviews, but continuous assessment against known-good benchmarks.

SM&CR Implication: Under the Senior Managers and Certification Regime, the individual certified as responsible for financial crime (typically the MLRO or a designated SMF17 holder) can face personal regulatory action if automated controls are found to have failed during their tenure — even if they were unaware of the specific technical deficiency. The "I didn't know the list was incomplete" defense does not meet the FCA's reasonable steps standard.

6. PEP Screening Requirements in Automated Systems

Politically Exposed Person (PEP) screening is a distinct compliance obligation that interacts with sanctions screening but operates under different regulatory logic. Under the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), firms must apply Enhanced Due Diligence (EDD) to PEPs — but the nature of that EDD is risk-based, not automatic rejection.

Automated PEP screening creates a specific set of problems that the Starling case illuminates indirectly:

PEP List Currency

PEP status is dynamic. An individual becomes a PEP when they take a qualifying public position and remains subject to enhanced monitoring for a defined period after leaving that position. PEP databases maintained by third-party providers vary significantly in how quickly they capture new designations, how they handle former PEPs, and how they manage family members and known associates (who are separately subject to EDD obligations).

False Negative Rates

Name-matching in PEP screening is complicated by transliteration, name order conventions across different linguistic traditions, and the use of aliases. An AI system optimized to minimize false positives — which are expensive in terms of manual review time — will systematically produce false negatives for names that do not closely match the canonical form stored in the reference database.

The Risk-Based Assessment Requirement

The FCA and the Financial Action Task Force (FATF) require that PEP screening outputs trigger a risk-based assessment, not a binary pass/fail. An automated system that applies a uniform treatment to all PEP matches — or, worse, that is configured to pass low-confidence PEP matches to reduce manual workload — is not meeting the regulatory requirement, regardless of how the output is labeled in audit logs.

            Regulatory Direction on Domestic PEPs: Following the FCA's July 2023 review of PEP treatment by financial institutions, the regulator issued detailed guidance requiring firms to treat domestic PEPs with proportionate (not automatic) enhanced scrutiny. AI systems configured with blanket rejection logic for PEPs — or blanket approval logic for "low-risk" PEPs — are out of step with the risk-based approach the FCA requires.
        

7. 12-Item Technical Checklist for KYC Automation Vendors

If you are evaluating an AI-powered KYC or sanctions screening vendor, or auditing your existing automated controls, these are the questions that would have identified Starling's failures before the FCA did.

KYC Automation Due Diligence Checklist

List completeness audit: Can the vendor provide a complete, dated inventory of every sanctions list and PEP database the system screens against? Verify this against the full OFSI consolidated list, HM Treasury asset freeze list, UN Security Council list, and any applicable EU or OFAC lists for your customer base.

Update frequency and SLA: What is the contractual SLA for updating sanctions list data after a new designation is published? Daily is the minimum acceptable standard; real-time API lookups to live government sources are preferable for high-risk use cases.

Sanctions regime change protocol: How does the vendor detect and respond to major expansions of the sanctions regime (as occurred with Russia from February 2022)? Is there a defined process, an SLA, and a notification obligation to clients?

False negative testing: Does the vendor conduct regular false-negative testing using known-sanctioned or known-PEP individuals as test cases? What is the documented false-negative rate, and how is it trended over time?

Name-matching algorithm transparency: What fuzzy-matching or transliteration logic does the system apply? Can the vendor demonstrate that the algorithm's sensitivity thresholds are set at levels that would catch known aliases and alternative spellings for sanctioned individuals?

Human escalation pathway: For every automated decision that produces a "pass" output, what is the governance process for escalating edge cases to human review? Is there a defined threshold below which the system will not operate autonomously?

Audit trail completeness: Does the system generate an immutable audit log for every screening decision, capturing the specific lists consulted, the version/date of each list, the matching scores generated, and the decision rationale? Is this log exportable for regulatory inspection?

Risk classification integration: How does the system's KYC output integrate with downstream risk-based assessment? Is a "pass" in automated screening treated as a final determination, or does it feed into a broader risk-scoring framework that humans can interrogate?

Regulatory scope coverage: For UK-regulated firms: does the system cover the full scope of obligations under MLR 2017, the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the financial sanctions provisions under the Sanctions and Anti-Money Laundering Act 2018?

Third-party sub-processor audit rights: If the vendor uses third-party data providers for sanctions lists or PEP data, does the contract give your firm audit rights over those sub-processors? The FCA expects firms to look through vendor relationships to the underlying data sources.

Ongoing monitoring for existing customers: Does the system screen only at onboarding, or does it conduct ongoing monitoring of the existing customer base against updated sanctions lists? Starling's obligations extended beyond onboarding; so do yours.

Senior Manager accountability mapping: Can you map the system's governance to a named SM&CR function holder who has attested to its fitness for purpose? If the answer is no — if accountability is diffused across engineering, compliance, and the vendor — you have a governance gap that will not withstand FCA scrutiny.

8. How Claire's Approach Differs

The Starling case illustrates that the problem with automated KYC is not automation itself — it is automation without governance, without transparency, and without the human-in-loop verification that regulators require. Claire's financial compliance architecture is built around three principles that directly address the failure modes the FCA identified.

Claire's KYC Compliance Architecture

Human-in-Loop Verification for High-Stakes Decisions

Claire does not treat automated screening outputs as final determinations. Every automated pass or flag feeds into a structured review workflow where a qualified compliance professional reviews the reasoning, the specific lists consulted, and the match rationale before a customer onboarding decision is confirmed. The automation accelerates the process; it does not replace the human judgment that regulators require and SM&CR makes personally accountable.

Real-Time Sanctions List Integration

Claire's sanctions screening pulls from live, authoritative government sources at the point of each decision — not from a cached or periodically updated internal copy. When OFSI adds a designated person, that individual cannot pass through Claire's screening after the designation is published. The system's reference data is always the current official regime, not a historical snapshot of it.

Complete, Exportable Audit Trails

Every decision Claire assists with generates an immutable, timestamped record showing the exact data sources consulted, the match scores generated, the human review steps taken, and the final determination with its rationale. This audit trail is formatted for regulatory inspection and can be produced to the FCA, PRA, or any other relevant regulator on request — without requiring forensic reconstruction after the fact.

Proactive Regime Change Monitoring

Claire monitors OFSI, HM Treasury, OFAC, and UN Security Council publications for sanctions regime changes and surfaces alerts to designated compliance personnel when the sanctions environment changes in ways that may affect existing customer portfolios — not just new onboarding decisions. The Russia sanctions expansion would have triggered immediate re-screening of the existing book, not a gradual degradation of coverage.

9. The Regulatory Lesson for Enterprise Buyers

The Starling Bank enforcement action is not primarily a story about a bank that broke the rules. It is a story about what happens when a firm mistakes the presence of automated controls for the existence of effective controls. The £28.96 million fine was not the cost of non-compliance — it was the cost of believing that automation had achieved compliance while the underlying controls were hollow.

Every enterprise buying AI-powered KYC or sanctions screening today faces the same risk. The vendor will demonstrate a sophisticated dashboard. The system will produce authoritative-looking pass/fail outputs. Integration will be smooth and the onboarding process will become faster and cheaper. And none of that will matter if, at the moment an FCA supervisor asks "which specific sanctions lists does your system screen against and when were they last verified," the answer is unknown.

The technical checklist above is a starting point. The deeper requirement is a governance architecture in which automated tools serve human decision-makers who are accountable for outcomes — not one in which automation is deployed to remove humans from the compliance process entirely.

Evaluating KYC automation for your financial services firm? Claire's compliance architecture team works with fintechs, challenger banks, and established financial institutions to design KYC frameworks that meet FCA expectations for both automation and human oversight. Talk to Claire about your KYC requirements.