NorthRow

The top 10 FCA AML fines from the last decade and what they tell us about AML priorities
This report analyses the FCA's top 10 AML fines between 2015 and 2025, revealing key compliance failures. It offers actionable insights for firms aiming to strengthen controls and avoid similar regulatory penalties.

By anyone’s standards, the Financial Conduct Authority hasn’t exactly gone quiet on Anti-Money Laundering (AML) enforcement. Over the last ten years, it’s handed out over £1 billion in AML-related fines, with some figures large enough to rival small national GDPs. 

These fines offer a pretty clear picture of the regulator’s shifting priorities and give compliance teams something better than guesswork when deciding where to focus their often limited time and resources.

So what can you learn from the top 10 AML fines handed down by the FCA between 2015 and 2025? Quite a bit, especially if you’re looking to avoid becoming the next case study. Let’s look at the data and, more importantly, what it signals about where firms are still falling short.

The top 10 AML fines of the last decade

  1. NatWest: £264m
  2. Deutsche Bank: £163m
  3. Credit Suisse: £147m
  4. Santander: £107m
  5. Standard Chartered: £102m
  6. Barclays: £72m
  7. HSBC: £63m
  8. Commerzbank AG: £37m
  9. Starling Bank: £28m
  10. Monzo: £21m


NatWest: £264 million (2021)

NatWest’s fine made waves, not just because of the size, but because it was the first criminal prosecution under the Money Laundering Regulations 2017. The bank failed to prevent the laundering of nearly £400 million, with around £365 million paid in cash. Some of it was even being delivered in bin bags!

If you think your firm could never end up in a case like this, it’s worth looking closer. The failures here weren’t just about a rogue business customer; they reflected a breakdown in basic ongoing monitoring and internal escalation. Files were flagged, and staff spotted red flags, but no one joined the dots. That puts the spotlight firmly on how you train front-line teams and how your systems surface and respond to unusual activity. Internal reports that go nowhere are just as risky as not detecting anything at all.

Deutsche Bank: £163 million (2017) 

This fine still stands out as one of the most avoidable. Deutsche Bank was sanctioned for failing to maintain adequate AML controls around its “mirror trading” scandal, where clients moved $10 billion out of Russia via its UK operations. The FCA said the bank failed to act on obvious red flags and didn’t put in place effective AML oversight for higher-risk clients.

For you, the relevance is simple: if you’re running cross-border or correspondent services, you don’t get to rely on clients’ own controls. The FCA expects firms to question what trades are for, who benefits, and how the flow of funds makes sense economically. If your analysts are just ticking boxes on a KYC file without interrogating the business rationale, you’re at risk. 

Credit Suisse: £147 million (2021) 

The fine against Credit Suisse was tied to its role in the so-called “tuna bonds” scandal in Mozambique. The FCA was blunt about the fact that Credit Suisse had failed to conduct proper due diligence on $1.3 billion of loans and bonds. 

The lesson? When you’re facilitating large transactions, due diligence doesn’t stop at identity checks. You need to assess the legitimacy of the transaction itself and whether the deal structure makes sense. MLROs often feel boxed in by business pressure to move quickly, especially with high-value or “strategic” deals. But as Credit Suisse found, waving deals through to keep stakeholders happy can end up costing you 100x the original fee. 

Santander: £107 million (2022) 

Santander’s fine was a clear message on small business banking. The bank failed to properly oversee or review AML controls for its UK-based SME customers, some of whom were using their accounts to launder money.

For those running AML in retail or SME banking, this case hits close to home. The FCA highlighted poor onboarding practices, missed reviews, and a lack of automated triggers for suspicious activity. It’s not enough to have controls in place; they have to function at volume and over time. If your firm has a large customer base with relatively low-value accounts, don’t assume that buys you regulatory slack. The FCA expects effective risk stratification, consistent monitoring, and clear internal thresholds for review – no matter the customer segment.

Standard Chartered: £102 million (2017)

Standard Chartered’s fine was about governance and escalation. The bank was found to have failed in its oversight of high-risk clients and didn’t act fast enough when red flags emerged. This is one of those cases where the underlying AML framework wasn’t totally broken but decision-making around known risks dragged on or failed to lead to action. 

For compliance, the takeaway is that it’s not just about detecting issues; it’s what happens next. Do your governance forums respond fast enough to emerging threats? Does senior management engage meaningfully with compliance decisions, or does everything get pushed back a quarter? Those questions matter more than ever, especially if you’re dealing with high-risk sectors or jurisdictions. 

Barclays: £72 million (2015) 

This fine came down to the way Barclays handled a politically exposed person (PEP) transaction. The FCA said Barclays had gone out of its way to accommodate a high-value client while ignoring its own internal procedures. The issue here wasn’t weak controls; it was the decision to bypass them.

For compliance teams, this is one of the most frustrating, and familiar, types of risk. The controls might be strong on paper, but when a senior executive wants something done, shortcuts happen. The FCA made it clear that no client, no matter how high-profile or profitable, should get a pass. If you’re facing similar pressures, now’s the time to tighten controls around exceptions. It should be practically impossible for any individual to push a transaction through without a documented and reviewed rationale. 

HSBC: £63 million (2021) 

HSBC’s fine came down to weak transaction monitoring. The bank had failed to update its systems for over three years, during which suspicious activity went undetected. It’s easy to put off system upgrades, especially when they involve disruption or costs.

But the regulator is increasingly unforgiving about outdated tooling. If your transaction monitoring doesn’t match the complexity of your client base, that’s a problem. And it’s not just about the system: HSBC also failed to test and tune the tools it had in place.

This case highlights the importance of regular effectiveness reviews. Are alerts meaningful? Are thresholds too high or low? Can your team actually handle the volume? If the answer to any of those is no, you’ve got a risk gap. 

Commerzbank AG: £37 million (2020) 

This was a classic case of non-compliance with internal policies. Commerzbank failed to conduct timely periodic reviews and allowed a backlog of 1,772 overdue KYC checks to build up. 

The size of the fine reflects just how seriously the FCA views ongoing due diligence. It’s not enough to onboard customers correctly; they have to be reviewed in line with risk – and the schedule you’ve committed to internally. If your reviews are falling behind, you’re not alone. 

Many firms struggle with the scale of periodic refresh. But failing to resource this properly is exactly the kind of thing the FCA will pick up on. You’re better off slowing onboarding to make space for ongoing monitoring than letting a backlog become the issue that gets you fined. 

Starling Bank: £28 million (2024) 

Starling Bank’s fine, while smaller than others, was significant because of what it signalled. The FCA found that Starling hadn’t maintained adequate controls around customer onboarding and transaction monitoring as it scaled. 

For digital-first banks, this should read as a warning. Automation and rapid onboarding are great for customers, but if your systems can’t flag unusual patterns, or worse, you’re not reviewing flagged activity, it’s only a matter of time before gaps emerge. 

The key point here isn’t that digital firms are being targeted, but that the FCA won’t accept “we’re still building” as a defence. If you’re expanding fast, prioritise AML tech debt early. Retrofitting controls later rarely ends well.

Monzo: £21 million (2025)

Between October 2018 and August 2020, Monzo Bank’s anti–financial crime framework came under serious FCA scrutiny, resulting in a £21.1 million fine. The regulator identified weaknesses across core AML controls, customer due diligence, transaction monitoring, and ongoing oversight. In 2019, the bank even disabled its address verification system, allowing entries such as Buckingham Palace and 10 Downing Street to pass without challenge.

The problems didn’t stop there. Monzo breached an FCA restriction by onboarding over 34,000 high-risk customers despite a ban, failed to carry out adequate enhanced due diligence, and missed politically exposed persons in its screening. Governance around high-risk account approvals was thin, and oversight processes lacked the teeth to prevent or address these gaps.

While the bank cooperated with the investigation and rolled out a large-scale remediation programme, the FCA said the breadth and persistence of the failings made this a standout case. For compliance teams, it’s a reminder that rapid expansion, particularly in digital-first banking, doesn’t justify taking controls offline or treating regulatory restrictions as optional. Onboarding checks have to work in practice, business-wide risk assessments must genuinely shape decisions, and governance needs to be capable of challenging high-risk growth before it turns into regulatory exposure.
