Metro Bank has been fined £16m by the UK’s Financial Conduct Authority for failing to deploy effective anti-money laundering (AML) technology. According to the regulator, the high street institution failed to filter over 60m transactions for money laundering risks – an oversight attributed to a software error that failed to log transactions on the day a new account was set up. The FCA added that up to £51bn worth of transactions were overlooked over the four years the bug went unpatched.

“Metro’s failings risked a gap being left in our defence against the criminal misuse of our financial system,” said Therese Chambers, the FCA’s joint executive director of enforcement and market oversight. “Those failings went on for too long.”

AML controls neglected, regulator finds

According to UK money laundering regulations, financial institutions are obliged to maintain appropriate monitoring and control procedures to identify and discourage criminal attempts to disguise illegitimate revenue streams. Metro Bank originally automated its AML controls in June 2016. Within a year, however, problems with the system were being raised by junior staff at the firm – concerns that were ignored by upper management. “Even once a fix had been put in place in July 2019,” said the FCA, “Metro did not have a mechanism to consistently check that all relevant transactions were being fed into the monitoring system until December 2020.” 

That bug – known internally as the ‘Time Stamp Code Logic Error’ – saw records of transactions in new accounts rejected by the bank’s Automated Transaction Monitoring System (ATMS) when they were sent from Metro Bank’s Data Store (DS), described by the FCA as a database that contained a ‘near real-time view of the data within Metro’s core banking records system’. The flaw was eventually discovered in 2019. A tactical fix was applied, but the problem was not fully resolved until the following year.

Metro Bank was also accused by the FCA of failing to maintain quality control over its internal data flows. Any information on transactions fed into the ATMS deemed sub-par by the system (usually denoted by the failure of a customer or manager to fill in a mandatory field in a form) was shunted to a folder known internally as ‘Bad Data.’ These transactions weren’t properly monitored either, despite multiple attempts by junior staff to alert senior managers to that fact. 

Metro Bank eventually reviewed all suspicious transactions that took place during that four-year period as part of a remediation exercise. Completed in 2022, the investigation resulted in 153 suspicious activity reports and the closure of 43 customer accounts. Today’s ruling by the FCA would, said Metro Bank’s chief executive David Frumkin, finally bring some measure of closure to the affair.

“The conclusion of these enquiries draws a line under this legacy issue,” said Frumkin. It would, he added, allow “the bank to move forward and fully focus on the future, building on the solid foundations it already has.”

Metro Bank’s fate mirrors that of Starling Bank, which was also castigated by the FCA for its seeming inability to implement effective AML technology. In that case, the regulator fined the initially plucky startup £29m for its “shockingly lax” approach to preventing financial crime, an attitude that “left the financial system wide open to criminals and those subject to sanctions.”
