Enforcement watch: FCA fines Metro Bank £16.7m for AML transaction monitoring failings

The FCA has fined Metro Bank Plc ("Metro Bank") £16,675,200 for systems and controls failings in relation to monitoring transactions for potential money laundering risks between 6 June 2016 and 17 December 2020 (the "Relevant Period"). This is the latest example of the FCA's ongoing focus on the adequacy of financial crime controls and the second enforcement action against one of the UK's challenger banks, following the regulator's £29m fine imposed on Starling Bank last month. You can read our comments on the recent Starling Bank fine here.

Background

In June 2016, Metro Bank introduced an Automated Transaction Monitoring System ("ATMS") to monitor customer transactions for potential financial crime. The ATMS relied on data uploaded from a separate database within Metro Bank. Once implemented, however, due a number of errors, the data fed into the ATMS was incomplete or inaccurate, and the ATMS rejected some of this data (which was referred to internally at Metro Bank as "bad data").

Whilst a coding error was identified in April 2019 and notified to the FCA the following month, determining the full extent of the various data processing issues and implementing remediation steps took time. Steps taken included: consideration of "bad data" issues at a financial crime working group; the initiation of a lookback review in respect of the coding error; and the commissioning of two sequential external compliance reviews to review Metro Bank's financial crime controls, the second focussing more specifically on Metro Bank's end-to-end architecture of the ATMS' transaction monitoring features. Following these reviews, Metro Bank has taken significant remedial steps including enhancements to the end-to-end architecture and data controls to ensure data fed into the ATMS is complete and accurate.

Findings

As a result of these transaction monitoring failings, over 60 million customer transactions (with a total value of over £51 billion) were not monitored for potential suspicious activity during the Relevant Period. Consequently, the FCA found that Metro Bank breached Principle 3 (management and control) which requires firms to take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems. In particular:  

  • Between June 2016 and April 2019, Metro Bank failed to check the completeness of the data being fed into the ATMS. In addition, once a fix had been implemented in July 2019, Metro Bank did not establish a consistent reconciliation procedure to check the completeness of transaction data received by the ATMS until December 2020.
  • During the Relevant Period, Metro Bank became aware of a "bad data" issue, where numerous records were rejected by the ATMS if they contained incomplete or inaccurate data. These records were either not monitored in a timely fashion or at all, which impacted the generation of alerts in relation to potential suspicious or uncharacteristic transactional activity for consideration by Metro Bank's AML teams.
  • Internal documents showed that comparatively less senior staff at Metro Bank raised concerns about the "bad data" issue including at committee meetings in 2017 and 2018, but this issue was removed from the minutes of a Financial Crime Steering Group meeting in January 2018 on the basis that it was unsubstantiated and would be re-visited once the issue was understood. Whilst the issue was considered at a working group level, references to "bad data" did not appear on the Financial Crime Steering Group governance materials until April 2019.   
  • Throughout the Relevant Period, Metro Bank did not adequately understand the level of money laundering risk associated with unmonitored transactions. This was partly due to the volume of rejected transaction data being obscured by the presence of internal transactions that were not removed from the data feed into the ATMS until December 2020. Following the remediation process, Metro Bank submitted over 100 additional suspicious activity reports and over 30 notices to customers closing their accounts. This was in addition to 1,403 suspicious activity reports in respect of the customers affected as part of and prior to the lookback review.

Comments

Having applied step two of its five-step framework to determine the appropriate level of financial penalty, the FCA initially reached a figure of £317,623,870 before reducing this to £23,821,790. The reasons given for this significant reduction in penalty are limited, apart from the FCA's view that the initial figure was disproportionately high. Mitigating factors at step three included Metro Bank's cooperation (which was noted to be materially above the FCA's expectations) and substantial remedial steps. At step five of its framework, the FCA applied a 30% discount on the basis that Metro Bank agreed to resolve the matter early.

These findings demonstrate how important it is for firms to prioritise financial crime systems and controls, particularly where there are known and persistent unresolved data processing issues. In particular, it is important to ensure a clear allocation of responsibility for the effective ongoing management of AML risks within senior management (particularly where there is a loss of institutional knowledge due to personnel changes, as was noted in this case) and that responsibility mapping is reassessed when new issues come to light. This case illustrates the importance of ongoing oversight, including raising questions where no management information is generated or challenging the adequacy of that information, where relevant.

If you have any questions or concerns, please contact a member of our expert team below.

Key contacts

Related