On 11 November 2024, the FCA fined Metro Bank £16,675,200 for systems failures which resulted in a lack of effective monitoring of over 60 million transactions for money laundering risks.
The UK's money laundering regulations and FCA rules require that banks monitor all transactions for risk of money laundering and terrorist financing. Transactions which are unusual or not in accordance with the customer's profile should be flagged for further investigation.
Metro automated the monitoring of customer transactions for potential financial crime in June 2016. However, an error in how data was fed into the system meant transactions taking place on the same day an account was opened, and any further transactions until the account record was updated, were not monitored.
The bank identified the issue in April 2019 and the FCA was notified around six weeks later.
The FCA was critical of the fact that it took Metro nearly three years to identify the data feed error, pointing out that during that time Metro did not have controls in place to check, on an ongoing basis, that data was being correctly processed.
The FCA also established that in 2017 and 2018 the issue was recognised by less senior staff in the bank as a risk and a serious issue. However, attempts to escalate the issues were unsuccessful.
The FCA noted that even after a fix had been put in place in July 2019, Metro did not have a mechanism in place to check that all relevant transactions were being fed into the monitoring systems until December 2020.
The FCA determined that Metro Bank breached principle 3 by failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. The FCA also found breaches of specific FCA AML rules, including requirements in SYSC 6.1.1 and 6.3.1 to ensure that policies and procedures included systems and controls that enabled the bank to identify, assess, monitor and manage money laundering risks and SYSC 6.3.3 which requires banks to carry out a regular assessment of the adequacy of financial crime systems and controls.
Metro agreed a settlement with the FCA and was therefore eligible for a reduction of 30% on the penalty imposed.
Comment
Banks in the UK collectively spend billions of pounds on transaction monitoring (an estimate by LexisNexis Risk Solutions this year put the figure at over £4 billion per year). As AI and other techniques for analysing big data develop, FCA expectations of banks will increase.
In November 2024, the FCA published an update to its financial crime guide, including key guidance for firms on how to implement and monitor transaction monitoring systems. The FCA (possibly influenced by this case) highlighted as an example of poor practice "Data fed into an automated systems not migrated smoothly when feeder systems are modified or upgraded or transactions from a specific system have been erroneously omitted from the transaction monitoring system". The FCA also provides other examples of good and bad practice in transaction monitoring. Firms that don't follow the guidance risk following the same path as Metro Bank.
We have seen a shift in FCA enforcement against banks, reflecting positive changes in how banks now operate. FCA enforcement has tended to move away from egregious behaviour such as mis-selling and market manipulation towards risks arising from control failures. Banks usually want to do the right thing, but the increasing complexity of bank systems, coupled with a shortage of skilled staff in the right areas, now presents the biggest compliance risk.