Copyright © 2024 by Fraudspect.
AML Compliance
The Starling misconfiguration ran for six years before anyone found it. So the question every compliance lead should be sitting with is not 'could that happen to us?' It is 'how would we know if it already had?'
FraudSpect Intelligence · 2026 Edition
Starling Bank believed their screening was working for six years. It wasn’t. Here is what that means for your controls.
There is a question most compliance teams never ask, because the answer feels obvious. Is our screening actually working? Not “are we screening?”; every institution believes it is. The harder question is whether the infrastructure behind that belief has been tested recently enough to still be true.
In September 2024, the FCA answered that question on behalf of Starling Bank. The answer was £29 million.
What Really Happened
Starling’s automated sanctions screening system had been misconfigured since 2017. For six years, it was screening customers against 38 designated persons on a list of 3,088. Not 38 percent. Thirty-eight names. The system generated no alerts. And in compliance, silence tends to feel like safety. Nobody questioned it because nothing appeared wrong. By the time the misconfiguration was found, the bank had grown from 43,000 customers to 3.6 million. The FCA called the controls “shockingly lax.”
This is not a story about ignoring red flags. There were no red flags to ignore. The failure was upstream of human judgment — infrastructure that stopped working in a way that produced no visible signal. The silence looked exactly like compliance. It was not.
Three questions worth asking today:
Does your screening cover what you think it covers? Not what the policy says; what it is actually doing, in its current configuration. Starling’s policy stated it screened four major sanctions lists. In practice it screened a fraction of one. Commission an independent calibration review. If the last time anyone verified this was “when we went live,” that answer is overdue.
Is your screening continuous or point-in-time? A customer who was clean at onboarding may become a PEP, a sanctioned entity, or an adverse media subject at any point afterwards. In Nigeria’s environment, where political appointments and business relationships shift quickly, continuous monitoring is not optional. It is the minimum viable standard.
When your system is quiet, does that mean clean or broken? The only way to know is to test it. Introduce a known match into your pipeline and verify the alert fires. Most institutions do not do this regularly. Starling’s system ran silently for six years. Build a testing cadence before a regulator builds one for you.
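One way to automate the first and third questions above (does the loaded list cover the source list, and does a known match actually raise an alert), as an added example that is not FraudSpect's or Starling's code. `build_screener` is a hypothetical stand-in for a real screening engine, and all names are constructed to mirror the 38-of-3,088 proportions in the article.

```python
import random
import unicodedata

def normalize(name: str) -> str:
    """Case-fold, strip accents and collapse whitespace so trivial variants still match."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_marks.casefold().split())

def build_screener(loaded_names):
    """Hypothetical stand-in for the production engine: exact match on normalized names."""
    index = {normalize(n) for n in loaded_names}
    return lambda customer_name: normalize(customer_name) in index

def health_check(source_list, loaded_names, screen, sample_size=25,
                 min_coverage=0.999, seed=0):
    """Report whether a quiet screening system is clean or broken."""
    source = {normalize(n) for n in source_list}
    loaded = {normalize(n) for n in loaded_names}
    # Coverage: share of the authoritative list that the engine has actually loaded.
    coverage = len(source & loaded) / len(source) if source else 0.0
    # Known-match test: sample names from the authoritative list, send them through
    # the live screening path, and record every one that raises no alert.
    rng = random.Random(seed)
    canaries = rng.sample(sorted(source), min(sample_size, len(source)))
    missed = [c for c in canaries if not screen(c)]
    return {
        "coverage": coverage,
        "canaries_sent": len(canaries),
        "canaries_missed": missed,
        "healthy": coverage >= min_coverage and not missed,
    }

# Constructed data: 3,088 designated names at source, only 38 loaded by the engine.
SOURCE = [f"Designated Person {i:04d}" for i in range(3088)]
BROKEN = build_screener(SOURCE[:38])
FIXED = build_screener(SOURCE)

def demo():
    """Run the check against the misconfigured and the corrected engine."""
    return (health_check(SOURCE, SOURCE[:38], BROKEN),
            health_check(SOURCE, SOURCE, FIXED))

if __name__ == "__main__":
    for label, report in zip(("misconfigured", "corrected"), demo()):
        print(label, f"coverage={report['coverage']:.4f}",
              f"missed={len(report['canaries_missed'])}/{report['canaries_sent']}",
              f"healthy={report['healthy']}")
```

Run on a schedule, a failing `healthy` flag turns a silent misconfiguration into an alert of its own.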
On PEP screening specifically
The Starling case involved sanctions, but the failure mode applies directly to PEPs, where many Nigerian institutions are misreading the rule entirely. The CBN’s 2023 Guidance Notes are clear: PEP status triggers Enhanced Due Diligence. Not rejection. An institution that rejects a PEP outright, without individual assessment or documented rationale, creates two simultaneous failures — a regulatory one and a legal one — in a single action. EDD means source of wealth and funds documented, senior approval where risk warrants it, continuous monitoring, and full records kept. Not a checklist. A defensible, auditable decision trail.
Compliance is not about who you block, but about what you can prove you assessed.
The question to close on: The Starling misconfiguration ran for six years before anyone found it. So now the question every compliance lead should be sitting with is not “could that happen to us?” It is “how would we know if it already had?”
Screen everyone. Stop no one unfairly.