Case Study 1.1: Verdant Bank's Compliance Reckoning
The Situation
- Organization: Verdant Bank (fictional)
- Industry: UK challenger bank, FCA/PRA regulated
- Size: 340,000 customers; 400 employees; £2.4B in deposits
- Time period: January 2020
Background
Verdant Bank launched in 2016 as a mobile-first current account targeting UK consumers aged 18–35. Its growth had been exceptional: 0 to 100,000 customers in 18 months, 100,000 to 340,000 in the subsequent 24 months. Along the way, it had added a savings product, a personal loan product, and, in late 2019, had received its full banking license from the PRA — a milestone that transformed it from an e-money institution into a deposit-taking bank with significantly more onerous regulatory obligations.
The compliance function had not kept pace. The previous Head of Compliance had been a lawyer who managed the licensing process competently but had limited experience building operational compliance programs at scale. The team consisted of four analysts and a part-time data person. The compliance technology was a combination of a third-party sanctions screening tool (renewed annually, not well-integrated with core systems), a manual KYC process managed in spreadsheets, and an off-the-shelf transaction monitoring platform that had been configured years earlier and not significantly updated since.
When the FCA conducted a supervisory review in Q3 2019, it found three specific concerns:
- KYC completeness: Of the then-280,000 customer accounts, approximately 18,000 had incomplete identity verification records — missing documents, expired verifications, or records that predated the firm's current CIP (Customer Identification Program) requirements. The FCA required Verdant to remediate these records within six months.
- Transaction monitoring: The monitoring system was generating approximately 340 alerts per week. The team was reviewing approximately 120 per week. The backlog was growing. The FCA noted that the monitoring scenarios had not been reviewed or recalibrated in over 18 months.
- Regulatory reporting: Verdant's regulatory reporting infrastructure was largely manual — spreadsheets maintained by the finance team and submitted by email. The FCA expected a bank at Verdant's growth stage to have automated, auditable reporting processes.
The FCA's supervisory letter was diplomatically worded but unambiguous: "The compliance framework is not commensurate with Verdant's growth trajectory and must be materially improved within twelve months."
The board had authorized the CEO to hire an experienced CCO. Maya Osei accepted the offer in November 2019 and started in January 2020.
Maya's First 90 Days
Maya spent her first week in meetings: with the CEO, with the board's audit and risk committee, with the finance team, with the technology team, and with her own compliance team. By the end of the week, she had a clearer picture of the situation than the job description had given her.
The KYC backlog had fallen from 18,000 at the time of the FCA review to approximately 14,000 remaining (the previous team had made some progress). But the remediation was being done manually, at a rate that would not meet the FCA's six-month deadline unless significantly accelerated. Maya estimated the team would need to process roughly 200 records per day to close the backlog in time. Current capacity was approximately 50 per day.
The transaction monitoring problem was both a technology problem and a process problem. The monitoring platform was generating alerts based on rules configured when Verdant had 80,000 customers with a much simpler product range. The rules had not been updated for the loan product, which created entirely different transaction patterns. The alert generation rate was too high for the team to review; the alert quality was poor (estimated 97% false positive rate by a quick manual sample); and there was no systematic process for documenting review decisions in a form regulators could audit.
The regulatory reporting was exactly as described — manual and fragile. One of the finance team's junior analysts was responsible for most of the regulatory reporting, and the process was undocumented to the extent that if he left, no one else would know how to produce the reports.
By the end of 90 days, Maya had developed a working hypothesis: the compliance function could not solve its current problems with the current team size and process. It needed to get significantly more efficient — through technology — while the FCA's remediation deadline forced immediate action on the backlog.
The Decision
Maya's immediate decisions, made in the first 90 days:
Decision 1: KYC Backlog — Engage a specialist KYC remediation firm to run an intensive 60-day program using their digital verification platform. Cost: £180,000. This would close the backlog before the FCA deadline. Simultaneously, select and implement a permanent eIDV solution for ongoing KYC.
Decision 2: Transaction Monitoring — Do not replace the monitoring platform immediately (too disruptive during the FCA remediation period). Instead, engage a specialized firm to review and update the monitoring scenarios to reflect the current product range and customer base, reducing the alert rate while improving alert quality. Defer the platform decision to Q3 2020.
Decision 3: Regulatory Reporting — Prioritize documentation of the current manual process (to reduce key-person risk), then evaluate and procure an automated regulatory reporting solution within six months.
Decision 4: Team — Hire two additional senior compliance analysts immediately (within the existing budget by redeploying funds from a lower-priority project). Begin building the business case for a compliance technology specialist role — someone who could own the ongoing technology stack.
Decision 5: FCA Communication — Proactively update the FCA on the remediation plan within 30 days. Maya's experience as a former FCA supervisor told her that regulators prefer transparency and proactive communication to surprises.
What Happened
By the six-month deadline, the KYC backlog had been closed. The FCA acknowledged Verdant's progress in a subsequent supervisory contact.
The transaction monitoring scenario review reduced the alert rate from 340 per week to 190 per week, and the false positive rate from an estimated 97% to an estimated 82%. Not good enough for the long run, but sustainable while the platform decision was being made.
The regulatory reporting documentation project revealed that several of the reports had been calculated incorrectly for at least six months. Maya disclosed this proactively to the FCA, which was not a comfortable conversation but was the right one. The FCA's response was to note the disclosure positively and require remediation rather than initiating enforcement.
By year-end 2020, Verdant had:
- A new eIDV solution for ongoing KYC, with API integration into the core banking platform
- A compliance technology roadmap for the following 18 months
- Four additional compliance staff
- An automated regulatory reporting pipeline (still partially manual, but significantly more robust)
The FCA's next supervisory review, in Q2 2021, noted "material improvement" in Verdant's compliance framework.
Discussion Questions
1. Maya made the decision to engage a remediation firm for the KYC backlog rather than trying to solve it with internal resources. What were the key trade-offs in that decision? Under what circumstances would the opposite decision have been correct?
2. The transaction monitoring false positive rate was estimated at 97%. This is higher than the industry average of ~95%. What does this tell you about the system's configuration? What information would you need to evaluate whether 82% (post-remediation) is an acceptable short-term target?
3. Maya disclosed the incorrect regulatory reports to the FCA proactively. This created a short-term regulatory conversation but potentially avoided a worse outcome later. What is the regulatory and ethical basis for proactive disclosure? Are there circumstances where proactive disclosure could make things worse?
4. The previous Head of Compliance managed the banking license process competently. Why is managing a licensing process a different competency from managing an operational compliance program at scale? What does this tell you about hiring for compliance leadership?
5. Maya's five decisions in her first 90 days all required different types of resources: external vendors, internal redeployment, budget approval, board engagement, and regulatory communication. Which of these decisions carried the most execution risk? Which carried the most regulatory risk if delayed?
Key Concepts Illustrated
- Compliance scalability: The Verdant scenario illustrates what happens when compliance infrastructure doesn't scale with growth
- The KYC remediation problem: A textbook example of the backlog problem that drives KYC automation
- False positive rates in practice: Real-world calibration of what a 97% false positive rate means in operational terms
- Regulator communication: The strategic value of transparency with regulators
- Compliance technology sequencing: The decision of what to fix first when multiple things are broken