2024 AML enforcement review: the fines that shaped the year

By Stuart Watkins, CEO, Zenoo

2024 has been a defining year for AML enforcement. Across the UK, EU, and globally, regulators have issued fines that collectively signal a clear shift: enforcement is moving faster, targeting a broader range of institutions, and penalising operational failures rather than just policy deficiencies.

For compliance teams, enforcement actions are the most practical form of regulatory guidance available. They tell you exactly what regulators care about, what they test for, and what they consider unacceptable. This review covers the most significant AML enforcement actions of 2024 and, more importantly, what each one means for your compliance programme.

The year in numbers

Total AML-related fines issued globally in 2024 exceeded $4.7 billion. That figure represents an increase from 2023, continuing a multi-year upward trend. But the headline number obscures a more interesting pattern: while the largest individual fines remain in the billions (driven by a small number of major bank settlements), the volume of smaller fines against mid-market institutions has increased significantly.

In the UK alone, the FCA issued enforcement actions against payments firms, e-money institutions, and challenger banks for AML failures. The common thread across these actions was operational deficiency rather than deliberate wrongdoing. These were firms that had AML policies in place but failed to implement them effectively.

Across the EU, national regulators in the Netherlands, Germany, France, and Italy all issued notable penalties. The Dutch central bank (DNB) has been particularly active, reflecting the Netherlands' role as a major European financial centre and the political pressure following high-profile money laundering scandals in previous years.

Transaction monitoring failures dominate

The single most common failure cited in 2024 enforcement actions was inadequate transaction monitoring. Not the absence of transaction monitoring, but the inadequacy of systems that existed on paper but failed in practice.

The pattern is consistent across jurisdictions. The firm had a transaction monitoring system. The system generated alerts. But the alert parameters were poorly calibrated (generating either too many false positives for the team to handle, or too few alerts to catch genuine suspicious activity). Alert disposition was inconsistent. Escalation to SARs was too slow. And the evidence trail was insufficient to demonstrate that the monitoring was effective.

"The enforcement notice did not say we lacked transaction monitoring. It said our monitoring was 'not commensurate with the money laundering risks the firm faced.' That distinction is important. Having a system is not enough. The system has to work, and you have to be able to prove it works."

For compliance teams, the lesson is clear. Your transaction monitoring needs regular calibration testing. Run your system against known suspicious patterns and verify it generates alerts. Measure your false positive rate and demonstrate that it is being managed. Document your alert parameters and the rationale for setting them where they are. And ensure that your disposition and SAR filing timelines are within regulatory expectations.

KYC remediation programmes under scrutiny

Several enforcement actions in 2024 targeted firms that had identified KYC deficiencies in their customer base but failed to remediate them within an acceptable timeframe. This is a growing area of enforcement focus that catches many firms off guard.

The scenario is common. A firm conducts an internal review (or has one imposed by its regulator) and identifies a population of customers whose KYC records are incomplete, outdated, or do not meet current standards. A remediation programme is established. And then the programme runs late, is under-resourced, and is poorly tracked.

In one notable 2024 case, a European payments institution was fined for operating a KYC remediation programme that took over two years to complete when the original commitment was nine months. The regulator's position was that continuing to bank customers with inadequate KYC for the duration of the extended remediation constituted a continuing breach.

Practical lesson: If you have a KYC remediation programme, treat it as a compliance-critical project with defined milestones, regular progress reporting to the board, and contingency plans for delays. If the programme is running late, proactively engage your regulator rather than waiting for them to discover the delay.

Beneficial ownership: still the weak link

Enforcement actions related to beneficial ownership verification continued to feature prominently in 2024. The recurring failures include: accepting corporate customers without verifying their beneficial ownership structure, relying on outdated beneficial ownership information without periodic refreshes, and failing to identify or investigate discrepancies between declared beneficial ownership and publicly available information.

The EU's upcoming beneficial ownership registry requirements under the AML Package will eventually address some of these data quality issues, but the enforcement standard is not waiting for the new regime. Regulators expect firms to verify beneficial ownership now, using available sources, and to document their verification methodology.

"We were fined because our UBO verification for a corporate customer relied entirely on the customer's self-declaration. The regulator pointed out that a 10-minute Companies House search would have shown the declared UBO was not a director or shareholder of the company. It was a basic check that we simply had not done."

De-risking is not a compliance strategy

An interesting theme in 2024 enforcement was regulatory pushback against de-risking. Several national regulators issued guidance (and in some cases, enforcement actions) against firms that responded to AML risk by exiting entire customer segments or jurisdictions rather than managing the risk.

The FCA has been particularly vocal on this point, emphasising that de-risking without documented, customer-level risk assessment is itself a compliance failure. Refusing to bank all customers from a particular jurisdiction, or all customers in a particular sector, is not a risk-based approach. It is a risk-avoidance approach, and regulators increasingly view it as contrary to their expectations.

This has practical implications for compliance teams. If your institution has de-risked by exiting customer segments, make sure the decision was based on documented, customer-level risk assessments rather than blanket policy decisions. If it was a blanket decision, you may need to revisit it.

Whistleblower protections and internal culture

A less publicised but significant development in 2024 enforcement has been the attention paid to internal compliance culture. Several enforcement actions referenced failures in internal escalation, where compliance concerns raised by staff were not acted upon or were actively discouraged.

Regulators are increasingly looking beyond systems and processes to assess whether a firm's culture supports effective compliance. This includes whether compliance staff have the authority and resources to do their jobs, whether internal reporting channels work, and whether concerns raised by staff at any level are taken seriously.

For MLROs and compliance directors, this means ensuring that your internal escalation routes are documented, tested, and genuinely functional. It is not enough to have a whistleblowing policy. The question is whether your organisation would actually respond appropriately if someone used it.

What the 2024 enforcement landscape tells us about 2025

Based on the patterns in this year's enforcement actions, here is what compliance teams should expect in the year ahead.

Transaction monitoring scrutiny will intensify. Regulators have signalled clearly that they will examine not just whether you have monitoring, but how it performs. Expect more requests for false positive rates, alert volumes, SAR conversion rates, and calibration testing evidence.

The DORA deadline will create overlap. As DORA comes into effect in January 2025, regulators will begin assessing whether firms' ICT risk management, including their compliance technology, meets the new standards. Expect enforcement to follow within 12 to 18 months.

Cross-border enforcement coordination will increase. The establishment of AMLA (though it will not begin direct supervision until 2028) is already creating stronger coordination between national supervisors. Expect more referrals and information sharing across borders.

Fintechs and payments firms will remain in the spotlight. The concentration of enforcement actions against challenger banks, payments companies, and e-money institutions in 2024 reflects a deliberate supervisory strategy. These sectors are growing rapidly, and regulators are determined to ensure that compliance keeps pace with growth.

Enforcement actions are the most honest form of regulatory communication. They tell you, in concrete terms, what regulators expect and where the current standard falls. The firms that study enforcement actions and adjust their programmes accordingly are the ones that stay ahead. The ones that treat fines as things that happen to other people are the ones that eventually learn otherwise.

If you want to assess your compliance operations against the standards set by 2024 enforcement actions, talk to us. We can map your current processes against the failure patterns regulators are targeting. 30 minutes. Your data. No slides.

About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
