How to prevent AML failures

Written by Jake Plenderleith on Monday December 19, 2022

Despite the vast amounts of time and expense put towards enhancing financial crime controls, banks and financial services providers continue to be penalised by regulators for anti money laundering (AML) control failures, a notable recent example being the £107m fine issued to Santander by the UK’s Financial Conduct Authority (FCA).

In another landmark case, last December we saw the FCA impose a £264.8 million fine on NatWest for failures in relation to money laundering, with the regulator pressing criminal charges in court.[1]

This represented a significant step, as it was the first time that the FCA had gone to the courts to pursue a case against a financial institution in relation to money laundering.  

Also in December 2021 was another fine, again levied by the FCA, on HSBC for failures in relation to transaction monitoring, inviting a penalty of £63.9 million. [2] 

Neither bank is in any way unique, with many financial institutions suffering similar fates both within the UK and elsewhere.  

Asking questions 

We might sit and ponder why banks continue to be fined, given the ubiquity of staff training, the adoption of new, more effective technology and the growth and expansion of professional expertise and knowledge that today characterises financial services.  

But there really is no need for an inquiry, or a bout of introspection and soul-searching. The truth is simple: fundamental steps can be deliberately or accidentally overlooked, basic controls not implemented, manual processes not updated and monitoring insufficient.  

These are, of course, not universal failures, with most banks and the staff within them abiding by regulation, legislation and internal procedures. The problem is that a failure need only happen once, and in one place, to result in a regulatory penalty. 

Nor are failures always acts of deliberate foul play. But again, however they occur, when they do take place, as the NatWest case and others demonstrate, they are costly not just in financial terms, but also in terms of reputation.  

Anybody working in financial services will know that enormous effort is made to ensure that their institution is on the right side of the law. So failure is very often not for a lack of consideration or due diligence.  

Why, then, do such failures continue to exist? And crucially, what can be done to prevent their recurrence?  

Moving forward 

First, we should recognise that risk is an unavoidable part of financial services. That means that those risks that are acceptable to a particular institution can be taken on, granted there are measures in place to minimise the potential for abuse.  

But some risks are more potent than others. Having examined prominent AML failures, it is clear that more attention needs to be paid to the risks inherent to manual transaction monitoring. Not only is manual monitoring liable to human error, it can also be cumbersome and slow. Those financial institutions overwhelmingly relying on such a monitoring system are inviting inconsistency, particularly with respect to customer due diligence (CDD).  

Automated risk tools for CDD can reduce costs, improve efficiency and help flag issues early, and automation is there to assist. It is an asset that, used properly, can furnish an institution with pertinent information in good time. That information must, of course, then be assessed and an evaluation made by a member of staff. It is therefore crucial that such an employee is cognisant of those patterns that are suggestive of unusual or suspicious activity. Without this knowledge, it is immaterial what automation is being employed, as the knowledge required to analyse that information is absent.  

There is another key aspect that underlines the utility of human engagement, which is that automation is not foolproof. Interestingly, the FCA, in its explanation of the fine imposed on NatWest, highlighted that the bank’s automated transaction monitoring system ‘incorrectly recognised some cash deposits as cheque deposits’. Automation, then, should be used in tandem with human intervention, and should be regularly checked to ensure that it is fit for purpose.  

Applying knowledge 

This brings us to the second pillar, which is education and training. By this, we mean something beyond merely undertaking mandatory training as stipulated by one’s institution – it means staff actively seeking out that which will aid them in the course of their duties. 

A KYC analyst, for instance, needs to be able to critically analyse information. This demands the skill of being able to seek out patterns, compare data, scrutinise documents and detect anomalies. Each of these are attributes that are honed by experience, but they can be developed and sustained through pointed, specific training tailored to an employee’s role. 

It’s vital that key information and skills obtained via training are then applied appropriately. It is of little use being in possession of a certificate having completed a course, only to seldom apply the knowledge acquired.  

To help staff do this, it is useful to encourage a sense of creativity within staff conducting onboarding, or monitoring transactions; in other words, theirs is a proactive, not reactive, role. Such a mindset is far more likely to uncover wrongdoing, as it seeks to expose that which isn’t always immediately obvious. 


If we again return to the NatWest case, we see that staff within the bank did raise their suspicions with senior management, in particular red flags such as the high volume of Scottish notes within English branches, an unusual smell emanating from the money itself and the suspect behaviour of those depositing the cash.  

That staff spotted and raised these red flags is encouraging; that their concerns were not acted upon is not. In her Sentencing Remarks at Southwark Crown Court, Mrs Justice Cockerill noted that, though an experienced staff member had raised their concerns about the pattern of activity of the offending customer, a manager had decided that there were ‘sufficient explanations on the file’. [3] 

These are the fine margins within which staff today in financial services firms are expected to operate. Even with controls in place, and staff alert to the presence of red flags, it only takes the adverse and misguided judgement of one or more individuals to hamper an institution’s efforts to prevent money laundering.  

This is not a problem specific to NatWest – it can afflict any financial services firm. As we approach a new year, it is wise to reflect upon the lessons of such cases, as a reminder of why vigilance, diligence and patience will always need to be drawn upon in order to prevent a firm from being abused by criminal activity.  

You may also like to read


1 FCA, ‘NatWest fined £264.8 million for anti-money laundering failures’, 13 December 2021: -- accessed December 2022  

2 FCA, ‘FCA fines HSBC Bank plc £63.9 million for deficient transaction monitoring controls’, 17 December 2021: -- accessed December 2022  

3 Judiciary of England and Wales, Regina (The Financial Conduct Authority ) v. National Westminster Bank Plc., 13 December 2021:  accessed December 2022  


Please leave a comment

You can leave the name empty should you wish to remain Anonymous.

You are replying to post:



Email *

Comment *

Search posts

View posts by Author