Key learnings from 2024's biggest Financial Crime fines
2024 brought significant regulatory action, highlighting persistent weaknesses in financial crime controls across the industry. As we enter 2025, we take a look back at five significant cases from 2024 and the lessons they provide for organisations aiming to strengthen their financial crime frameworks.
Common themes
Analysis of these regulatory fines highlights four persistent weaknesses that continue to challenge the industry:
- Inadequate governance, accountability and culture: Ineffective governance and fragmented leadership often resulted in unaddressed vulnerabilities. The lack of clear ownership in key compliance areas, such as transaction monitoring and risk remediation, led to delays in resolving issues. This situation was exacerbated by a culture that prioritised business objectives over compliance and did not empower compliance teams.
- Outdated or ineffective transaction monitoring systems: Institutions relied on outdated or poorly configured transaction monitoring systems that did not keep up with evolving risks. These systems failed to identify unusual patterns or start monitoring transactions as soon as accounts were opened.
- Sanctions screening failures: Misconfigured screening systems with incorrectly defined parameters led to compliance gaps. The failure to implement sufficient control mechanisms, such as routine testing, assurance processes, and timely updates to screening lists, allowed these gaps to remain unchecked for extended periods.
- Inadequate risk management and due diligence: Institutions faced challenges in ensuring effective customer risk profiling and due diligence, particularly for high-risk clients and correspondent banking relationships. Outdated risk assessments, limited awareness of emerging risks, and failure to adjust processes during operational changes, like customer migrations, left gaps that allowed high-risk transactions to bypass scrutiny.
- Insufficient investment in compliance: Organisations failed to allocate adequate resources to AML frameworks, teams, and operational improvements. This lack of investment resulted in outdated systems, backlogs in reviewing suspicious activities, and delays in addressing identified risks. Focusing on expansion rather than compliance has increased vulnerabilities in rapidly growing sectors such as cryptocurrency.
July 2024: CB Payments Limited (Coinbase UK) – £3.5 Million – AML
CB Payments Limited (CBPL), a global crypto-asset trading platform, faced significant regulatory scrutiny due to weaknesses in its financial crime control framework. Following the Financial Conduct Authority’s (FCA) 2020 visit, the FCA imposed a Voluntary Requirement (VREQ) to restrict new high-risk customer onboarding while CBPL remediated its controls. Despite these measures, CBPL breached the VREQ by onboarding and serving 13,416 high-risk customers who collectively deposited $24.9 million in prohibited transactions. This failure occurred due to predominantly operational and technical shortcomings.
Key issues identified
- Incomplete engineer instructions: The engineers responsible for implementing the automated onboarding process to ensure compliance with the VREQ were not provided with the finalised version of the VREQ terms. As a result, the automated risk assessment used outdated criteria and failed to flag high-risk customers during onboarding.
- Inadequate pre-implementation testing: The VREQ flag’s effectiveness was not thoroughly tested across all systems. Critical products like Coinbase Pro and Coinbase Cards were excluded, enabling 8,183 high-risk customers to bypass restrictions.
- Delayed compliance monitoring: CBPL failed to establish a formal monitoring framework for over two years, allowing breaches to continue undetected and increasing regulatory risk.
- Failure to adjust for migration scenarios: High-risk customers migrating from other Coinbase Group entities were not flagged against pre-set criteria to prohibit onboarding, resulting in prohibited transactions continuing through loopholes.
Lessons learned
- Clear and consistent communication with engineering teams, including providing complete and finalised implementation requirements, is essential to avoid errors such as misconfigured processes.
- Thorough pre-implementation testing must cover all systems, products, scenarios, and client onboarding channels to ensure controls function effectively and prevent high-risk gaps, such as bypassing restrictions.
- A monitoring framework must be implemented without delay and include structured assurance processes, documented procedures, and regular reviews to identify breaches early and mitigate regulatory risks.
- Control frameworks must be reviewed in light of operational changes, such as customer migrations, to ensure risk assessment thresholds and compliance requirements are consistently applied, preventing high-risk customers from bypassing controls.
August 2024: Nordea Bank – $35 Million – AML
The New York State Department of Financial Services (NYDFS) fined Nordea Bank $35 million for AML compliance failures, including inadequate due diligence on high-risk correspondent banking relationships, insufficient transaction monitoring systems, and its role in facilitating offshore accounts and suspicious transactions linked to money laundering schemes exposed by the Panama Papers.
Key issues included
- Deficient AML controls: Nordea’s Baltic branches allowed transactions linked to the Russian and Azerbaijani Laundromats to flow through without proper scrutiny. The lack of proactive escalation protocols and detailed customer risk profiling amplified these deficiencies, creating gaps in AML defences.
- Inadequate transaction monitoring systems: The bank relied on outdated and poorly calibrated monitoring systems. Specific failures included an inability to flag unusual patterns in cross-border transactions, inadequate thresholds for identifying high-risk activities, and insufficient integration with customer risk profiles. Internal assessments categorised Nordea’s overall AML risk as “critical,” yet systemic upgrades were not prioritised.
- Systemic oversight failure: High-risk correspondent banks were onboarded without thorough due diligence, including insufficient assessments of their AML frameworks, transaction patterns, and exposure to high-risk jurisdictions. Additionally, the absence of centralised governance meant compliance responsibilities were fragmented, leading to inconsistent application of AML standards across branches.
Lessons learned
- Empowered compliance teams must implement robust escalation protocols and maintain updated customer risk assessments tailored to regional and operational risks. Regular updates based on transaction behaviours and emerging threats are essential to identifying and addressing high-risk activities effectively in real time.
- Transaction monitoring systems must incorporate adaptive thresholds, cross-border transaction typologies, and real-time integration with customer risk profiles to detect high-risk activities effectively. Regular enhancements informed by emerging risks and internal feedback are critical to address systemic vulnerabilities.
- Centralised governance frameworks must ensure the unified application of AML standards across branches by incorporating detailed correspondent bank assessments, jurisdictional risk analysis, and clear accountability structures to mitigate fragmented compliance responsibilities.
October 2024: TD Bank – $3 Billion – AML
TD Bank was fined $3 billion, including a $1.3 billion penalty from the Financial Crimes Enforcement Network (FinCEN) and a $1.8 billion settlement with the U.S. Department of Justice. The fines were imposed for failing to detect and report suspicious activities, particularly involving high-risk customers. Key deficiencies included weak transaction monitoring, poor customer due diligence, and systemic lapses in compliance with anti-money laundering regulations.
Key issues included
- Deficient transaction monitoring and reporting: TD Bank failed to monitor significant transaction types, such as Automated Clearing House (ACH) transfers and peer-to-peer (P2P) platforms like Venmo. This failure stemmed from outdated transaction monitoring systems that lacked tailored scenarios and transaction codes, and from management’s failure to invest in upgrades. As a result, suspicious patterns, including low-value, high-frequency transactions associated with human trafficking, went unnoticed, depriving law enforcement of crucial intelligence.
- SAR and high-risk client backlogs: TD Bank faced delays in reviewing suspicious activity and closing high-risk accounts. These backlogs resulted from understaffing and resource allocation failures, with management underinvesting in AML staffing and tools despite escalating risks. This prolonged inaction left flagged accounts operational for months, enabling billions of dollars in transactions linked to money laundering and other financial crimes.
- Insider risks: In 2021, a TD Bank employee facilitated the laundering of narcotics proceeds, opening accounts for shell companies that engaged in funnel account activity worth millions in high-risk jurisdictions. Despite the bank’s awareness of these risks, it failed to implement appropriate controls.
Lessons learned
- Deficiencies in transaction monitoring should be addressed by implementing and regularly testing tailored systems designed to identify high-risk transactions. The focus should be on closing gaps in the monitoring of Automated Clearing House (ACH) and peer-to-peer (P2P) platforms by using adequate transaction codes and scenarios.
- SAR and high-risk client backlogs should be resolved by ensuring sufficient staffing, resources, and streamlined processes to review and report suspicious activities within regulatory timelines.
- Fostering strong governance, clear accountability, and timely disciplinary actions should mitigate insider risks.
October 2024: Starling Bank – £28.9 Million – Sanctions
Starling Bank was fined £28.9 million for breaching financial crime requirements. The bank’s screening systems failed to detect designated individuals due to system misconfigurations, outdated policies that were not updated to reflect current risks, and insufficient oversight by both senior management and compliance teams. Despite rapid growth in its customer base and revenue, the bank did not adequately adapt its financial crime framework to match its expanding operations.
Key issues identified
- Failure to adhere to sanctions screening requirements: Starling's automated screening system matched customer names against only 39 of the 3,088 entries on the Consolidated List, focusing solely on individuals with UK residency or citizenship. This misconfiguration persisted for over five years, from 2017 to 2023, leaving significant gaps in sanctions compliance. During this period, at least one Designated Person successfully opened and maintained an account with the bank, exposing the institution to heightened regulatory and reputational risks.
- Governance and oversight gaps: Senior management struggled with implementing and overseeing effective AML frameworks due to inadequate governance structures. Specifically, there was no clearly defined accountability for ensuring compliance with the VREQ, as multiple senior leaders had differing understandings of who was responsible for its implementation. This resulted in fragmented ownership, with no single person driving compliance efforts. Additionally, the financial crime function was under-resourced, with inadequate staffing levels.
Lessons learned
- Effective sanctions screening requires integration across all customer and payment systems to identify all Designated Persons. These systems should incorporate tailored risk parameters for different jurisdictions and transaction types, and include regular testing and assurance to address any configuration errors and gaps.
- Governance frameworks should clearly define the roles and responsibilities of senior management, specifying designated owners for compliance requirements such as the VREQ to ensure proper oversight and implementation. It is essential to establish clear escalation paths, regular reporting, and standardised communication channels to maintain team alignment and accountability.
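The "regular testing and assurance" lesson can be made concrete with a seeded coverage test: every entry on the full list is screened as if it were a customer, and any entry that produces no hit is a coverage gap. This is an added illustration, not Starling's or Thistle Initiatives' code; the `Screener` class, the `uk_nexus` field and the sample names are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ListEntry:
    uid: int
    name: str
    uk_nexus: bool  # constructed field: entry records UK residency or citizenship

def normalise(name):
    """Lower-case and collapse whitespace so formatting differences do not hide a match."""
    return " ".join(name.lower().split())

class Screener:
    """Hypothetical screening engine: exact match on normalised names."""
    def __init__(self, entries, entry_filter=lambda e: True):
        # entry_filter models the configuration that decides which entries are loaded.
        self.index = {normalise(e.name): e.uid for e in entries if entry_filter(e)}

    def screen(self, customer_name):
        return self.index.get(normalise(customer_name))

def assurance_test(screener, full_list, min_coverage=1.0):
    """Screen every list entry as a seeded customer and report entries with no hit."""
    missed = [e.uid for e in full_list if screener.screen(e.name) != e.uid]
    coverage = 1 - len(missed) / len(full_list)
    return {"coverage": coverage, "missed": missed, "passed": coverage >= min_coverage}

# Constructed sample list (not real designations).
FULL_LIST = [
    ListEntry(1, "Alex Example", True),
    ListEntry(2, "Sample Trading LLC", False),
    ListEntry(3, "Jordan  Placeholder", False),
    ListEntry(4, "Casey Specimen", False),
]

# Misconfiguration of the kind described above: only UK-nexus entries are loaded.
misconfigured = Screener(FULL_LIST, entry_filter=lambda e: e.uk_nexus)
corrected = Screener(FULL_LIST)

if __name__ == "__main__":
    print("misconfigured:", assurance_test(misconfigured, FULL_LIST))
    print("corrected:    ", assurance_test(corrected, FULL_LIST))
```

Run against the production screening configuration after every list update, a test of this shape fails as soon as the loaded subset diverges from the published list.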
November 2024: Metro Bank – £16.6 Million – AML
The Financial Conduct Authority fined Metro Bank £16.7 million for serious deficiencies in its anti-money laundering controls. Between June 2016 and December 2020, Metro Bank inadequately monitored over 60 million transactions, exposing the institution to significant financial crime risks. These shortcomings arose from flaws in its transaction monitoring framework, compounded by delayed remediation efforts despite early warnings from staff.
Key issues identified
- Transaction monitoring gaps: Metro Bank’s automated system failed to monitor transactions from the day an account was opened until the account record was fully processed. Over 60 million transactions, totalling £51 billion, went unmonitored over a 4.5-year period. The issue arose because the monitoring system required complete account data to be recorded and validated before activating monitoring. This delay left a significant gap where transactions bypassed scrutiny, exposing the bank to financial crime risks.
- Delayed action on known errors: Junior staff raised concerns about these monitoring gaps as early as 2017 and 2018, but leadership failed to act swiftly. While a partial fix was introduced in July 2019, it was inconsistently applied, leaving coverage gaps until December 2020.
- Inadequate governance and oversight: The lack of oversight allowed major flaws to persist unaddressed. Despite its scale and potential impact, senior management failed to prioritise resolving the issue. There was no clear accountability or effective governance to address these vulnerabilities in a timely manner.
Lessons learned
- Transaction monitoring systems must activate upon account creation or prevent transactions until all required data is provided, ensuring accuracy to flag suspicious activity effectively.
- Comprehensive testing of data feeds and system configurations is essential to address potential vulnerabilities.
- Leadership must take prompt action on flagged risks and establish clear accountability for compliance with financial crime regulations.
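The first two lessons can be shown together: a pipeline that skips monitoring while the account record is incomplete, the two corrected behaviours (hold the transaction, or monitor from day one), and a reconciliation control that detects the gap by comparing posted transactions with the monitoring feed. This is an added sketch, not Metro Bank's or Thistle Initiatives' code; the account names, transactions and function names are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float

# Constructed data: acct-B's record has not finished processing yet.
ACCOUNT_RECORD_COMPLETE = {"acct-A": True, "acct-B": False}
TXNS = [Txn("t1", "acct-A", 120.0), Txn("t2", "acct-B", 9500.0),
        Txn("t3", "acct-B", 9400.0), Txn("t4", "acct-A", 40.0)]

def legacy_pipeline(txns):
    """Behaviour described above: monitoring starts only once the record is complete."""
    posted, monitored = [], []
    for t in txns:
        posted.append(t.txn_id)
        if ACCOUNT_RECORD_COMPLETE[t.account]:
            monitored.append(t.txn_id)
    return posted, monitored, []

def gated_pipeline(txns, hold_incomplete=True):
    """Either hold transactions on incomplete records, or monitor them from day one."""
    posted, monitored, held = [], [], []
    for t in txns:
        if hold_incomplete and not ACCOUNT_RECORD_COMPLETE[t.account]:
            held.append(t.txn_id)  # not posted until the record is complete
            continue
        posted.append(t.txn_id)
        monitored.append(t.txn_id)
    return posted, monitored, held

def reconcile(posted, monitored):
    """Daily control: every posted transaction must appear in the monitoring feed."""
    return sorted(set(posted) - set(monitored))

if __name__ == "__main__":
    posted, monitored, _ = legacy_pipeline(TXNS)
    print("legacy unmonitored:", reconcile(posted, monitored))
    posted, monitored, held = gated_pipeline(TXNS)
    print("gated unmonitored: ", reconcile(posted, monitored), "held:", held)
```

The reconciliation runs independently of the monitoring system's own activation logic, which is why it still catches the gap when that logic is the thing that is wrong.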
At Thistle Initiatives, we provide tailored, actionable solutions to address your firm's specific challenges in the financial crime landscape. Our expertise ensures that your business remains compliant, resilient, and well-positioned for growth.
How we can support your firm
Audits and Assurance
- Conduct comprehensive health checks and audits to evaluate your financial crime frameworks and proactively identify any gaps.
- Provide specialised assurance and systems testing to ensure your processes and technology align with regulatory standards and risk environment.
- Offer support for regulatory enforcement and remediation services to help your firm navigate and recover from enforcement actions.
Advisory Services
- Assist in building a robust financial crime control framework and in developing and refining policies, procedures, and risk assessments.
- Guide operational enhancements and implement technologies to streamline compliance processes.
- Deliver targeted training and ongoing advisory support through our MLRO hotline, ensuring that your team remains informed and proactive.
People and Outsourcing
- Supply flexible financial crime resources to address backlogs, remediation projects, or onboarding tasks.
- Provide outsourced onboarding support to maintain high standards in customer due diligence and anti-money laundering controls.
For enquiries, please contact us at 0207 436 0630 or via email at info@thistleinitiatives.co.uk.