The biggest AML blunders: 5 case studies and lessons learned


The last decade has been a whirlwind period for Anti-Money Laundering (AML) compliance – or, more accurately, non-compliance. The headlines have been dominated by record-breaking fines and high-profile investigations from regulators worldwide. Despite years of tightening regulations and increasingly sophisticated AML compliance tools, some of the most significant financial institutions and industry giants continue to stumble over the basics.

Here’s a closer look at some of the biggest AML failings of recent years and how these headline-making cases became a stark reminder of the critical importance of robust AML practices.

1. NatWest’s £264m fine for overlooking red flags (2021)

In December 2021, NatWest made headlines when it was fined £264.8 million after pleading guilty to serious breaches of AML regulations. This case involved a staggering £365 million in cash deposits over five years from a single customer, yet the bank failed to act on repeated red flags.

The customer in question, a small Bradford-based business, deposited large sums of cash across its accounts between 2011 and 2016 – amounts that were clearly disproportionate to the scale of the business. The cash deposits reached as much as £1.8 million on some days, which should have triggered immediate scrutiny. Yet, NatWest failed to investigate properly, and the suspicious activity continued unchecked.

Key takeaway: When a client’s transaction behaviour deviates significantly from what is expected – whether that’s in terms of volume, frequency, or origin – compliance teams must act swiftly. 

AML programmes need to employ risk-based approaches, where resources are focused on clients and transactions that pose the highest risk. In NatWest’s case, the failure to ask key questions and scrutinise cash-heavy deposits led to the breach. Compliance teams should ensure that high-risk accounts are subject to ongoing monitoring and prompt investigations whenever red flags arise.

2. Danske Bank’s $2bn misstep (2022)

Despite being at the centre of Europe’s largest money laundering scandal a few years before, the biggest bank in Denmark, Danske Bank, once again found itself in hot water in 2022. The bank was hit with a staggering $2 billion fine after investigators uncovered a new series of compliance breaches involving high-risk customers in the Baltics. This stemmed from its Estonian branch, which processed $160 billion in suspicious transactions and facilitated access to the U.S. financial system for Danske Bank Estonia’s high-risk customers, who resided outside of Estonia – including in Russia. The U.S. and Danish authorities penalised Danske Bank after it admitted to defrauding U.S. banks and covering up its AML deficiencies.

This case is particularly damning given the bank’s history and raised serious questions about its ability to ever regain full regulatory trust.

Key takeaway: Global oversight of compliance practices in multinational institutions is non-negotiable. Danske Bank’s Danish headquarters should have maintained a firmer grip on activities in all their branches, particularly in regions known for higher financial risks. 

Compliance frameworks should not only be consistent across nations but also adaptable to the specific risks of each jurisdiction. This means regular audits, constant communication between headquarters and regional offices, and the integration of global AML standards in line with local regulations. A centralised compliance programme, combined with localised risk assessments, can help prevent such catastrophic failures.

3. Binance’s $4.3bn fine for crypto AML and sanctions failings

The world’s largest cryptocurrency exchange, Binance, faced its most significant regulatory blow yet with a $4.3 billion fine for breaking AML laws and violating sanctions. U.S. authorities found that Binance had failed to implement sufficient Know Your Customer (KYC) and AML procedures, allowing billions in illicit funds to move through its platform. 

The platform was found to have allowed over 100,000 illegal transactions, facilitating money laundering on a massive scale, linked to criminal activities including terrorism and human trafficking. The exchange’s lax approach to regulatory compliance put the entire crypto industry under greater scrutiny as a result and set a new benchmark for enforcement in the digital asset space.

Key takeaway: The rapidly changing cryptocurrency landscape presents unique challenges for AML teams, requiring compliance measures that go beyond traditional banking approaches. Compliance teams must understand the distinct nature of digital assets, including the pseudonymous and decentralised aspects of cryptocurrency transactions, which make traditional monitoring methods insufficient. This requires investing in specialised analytics tools that can identify, vet, and verify each individual or corporate customer before they are able to carry out transactions, and ensuring round-the-clock monitoring throughout their time on the exchange.

4. HSBC’s £1.2bn settlement for global AML failings (2012)

In 2012, HSBC was fined $1.9 billion for failing to prevent money laundering through its U.S. operations, which enabled Mexican drug cartels to launder billions through its branches. The bank’s monitoring systems were found to be inadequate, and its staff were poorly trained to identify and report suspicious activities.

According to the U.S. Senate’s investigation, HSBC’s business strategy emphasised expansion into high-risk regions without ensuring adequate AML controls were in place. The Mexican affiliate’s risky operations were well known, yet they were allowed to persist because of the revenue they generated.

The bank also facilitated transactions for sanctioned countries such as Iran, Sudan, and Myanmar, violating both international sanctions and AML regulations. 

Key takeaway: This case is a reminder of the importance of getting the basics right. A robust KYC programme is fundamental to AML compliance. Financial institutions must conduct thorough due diligence on clients, especially in high-risk industries or regions. This includes verifying the source of funds, the nature of the business, and identifying beneficial ownership. Where clients present a higher risk, enhanced due diligence (EDD) should be conducted, with ongoing monitoring throughout the business relationship.

Effective AML compliance relies on robust monitoring systems capable of flagging any unusual activity among individual and corporate clients. High-risk regions should be subject to enhanced due diligence, with specialised teams tasked with monitoring these areas. 

5. Deutsche Bank handed $186m fine for lax AML controls (2023)

In July 2023, Deutsche Bank was fined $186 million by the U.S. Federal Reserve for its failure to make sufficient progress in addressing deficiencies in its AML compliance programme. The fine follows a 2017 enforcement in which the bank was required to tighten its AML controls, but, six years later, the Federal Reserve determined that the bank still had not adequately resolved the issues. The case highlighted persistent gaps in Deutsche Bank’s ability to monitor suspicious activity, despite ongoing scrutiny by regulators.

Deutsche Bank’s core issue was its failure to fully remediate the weaknesses identified in 2017. Despite being under regulatory orders for years, the bank had not made sufficient progress in key areas like monitoring and addressing KYC gaps.

Key takeaway: When regulators identify issues, it’s not enough to show short-term improvements. Compliance teams need to implement a structured, long-term plan that includes frequent progress reviews, continuous testing, and audits. This helps ensure that any deficiencies are properly addressed and that the firm is adaptable to emerging AML risks. Having clear timelines for remediation and accountability for each stage is critical for success.
