
AML Penalties in 2025: What Recent Enforcement Actions Reveal About Compliance Weaknesses



Around the world, regulators continue to issue meaningful penalties for AML failures. What is notable in 2025 is not the number of penalties, but the nature of the failures behind them, and the fact that several reputable, well-resourced institutions have been involved.


These cases offer valuable insight into the weaknesses regulators repeatedly identify, and why compliance programmes that appear strong on paper may still fail in practice.


Let’s explore the key lessons.


What 2025 AML Penalties Are Telling Us


Across regions — EU, UK, U.S., Middle East, Asia-Pacific — regulators have identified similar weaknesses. These patterns appear repeatedly, even in firms that are perceived as “leaders” in the financial industry.


1. Weak Implementation of Existing Policies


Many regulated entities have sophisticated AML documentation: policies, manuals, risk assessments, committee structures. However, penalties frequently highlight that written frameworks are not reflected in daily operations.


Typical findings include:


  • delayed suspicious activity reporting

  • incomplete or outdated customer files

  • missing evidence of periodic reviews

  • poor follow-up on transaction monitoring alerts

  • risk assessments that do not match the actual customer base


Regulators are placing increasing emphasis on operational discipline rather than documentation.


2. Technology Is Not Enough - It Must Work in Practice


Several penalties in 2025 point to systems and data failures, such as:


  • monitoring tools that are not calibrated to the business model

  • excessive false positives with no process to manage the volume

  • screening filters excluding relevant matches

  • alert-handling backlogs that continue for months

  • reliance on outdated rules-based engines without human review


What regulators want to see is coherence: technology that fits the risk profile, realistic thresholds, and clear evidence that alerts are reviewed on time.


3. Governance and Oversight Are Under Greater Scrutiny


Boards and senior management are increasingly part of the supervisory conversation. Where penalties occurred, regulators frequently mentioned:


  • lack of documented challenge

  • insufficient reporting to senior leadership

  • unclear ownership of AML responsibilities

  • inadequate staffing for compliance functions

  • budget decisions not aligned with the firm’s risk profile


Regulators are asking: Who knew what? When? And what did they do about it? Good governance must be visible, not assumed.


4. High-Risk Customers Are Not Managed Properly


Enhanced due diligence remains one of the most common weaknesses. Examples from enforcement notices include:


  • onboarding of high-risk clients without documented justification

  • missing EDD information

  • no evidence of source of wealth/source of funds analysis

  • risk classifications that do not change even when customer activity evolves

  • lack of monitoring scenarios tailored to high-risk behaviours


For regulators, EDD is not a “one-off” activity - it is a continuous process.


Examples from 2025


J.P. Morgan SE - €45 million (Germany)

Specifically, BaFin found that between October 2021 and September 2022 the institution “systemically failed” to submit suspicious transaction reports (STRs) “without undue delay.” 


This penalty underscores that even globally recognised institutions - with resources, size, and brand - are not immune when internal control processes and escalation/reporting discipline are weak.


Monzo Bank Ltd - £21,091,300 (United Kingdom)

The UK regulator, the Financial Conduct Authority (FCA), levied a £21,091,300 fine on Monzo in July 2025 for widespread deficiencies in its anti-financial crime controls. The findings included failure to design, implement, and maintain adequate customer onboarding, customer risk assessment, and transaction-monitoring systems — deficiencies that persisted even as the bank rapidly expanded its customer base.


Notably, Monzo repeatedly onboarded high-risk customers despite existing restrictions; it also accepted implausible customer information, exposing a disconnect between business growth ambitions and compliance resilience. 


Xeltox Enterprises Ltd. (Cryptomus) – C$176.96 million (Canada)

In October 2025, FINTRAC imposed an administrative monetary penalty of C$176,960,190 on Xeltox Enterprises Ltd., a British Columbia-based money services business operating as Cryptomus, for egregious non-compliance with Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act.


The firm failed to submit 1,068 suspicious transaction reports between July 1 and July 31, 2024, despite red flags linked to child exploitation, fraud, ransomware, and sanctions evasion. It also failed to report 1,518 large virtual currency transactions over C$10,000, did not implement a compliant AML program, and breached a Ministerial Directive.


This represents the largest AML fine in Canadian history and signals FINTRAC’s zero-tolerance stance on systemic failures in the virtual asset sector.


Other global penalties


In 2025, financial regulators across Asia, Europe, North America, the Middle East, and Australia issued a wave of AML enforcement actions against banks, fintechs, crypto exchanges, and payment institutions.


Across jurisdictions, the most frequently cited weaknesses included:


  • Failure to investigate alerts in a timely manner, seen across traditional banks and payment providers in Singapore, Germany, and the UK

  • Ineffective sanctions screening, including at major remittance firms and virtual asset service providers in Singapore, Australia, and Canada

  • Outdated KYC records, particularly among legacy institutions and under-regulated offshore firms

  • Gaps in enhanced due diligence (EDD): regulators identified cases where firms failed to apply sufficient scrutiny to high-risk customers

  • Transaction monitoring failures across the crypto, fintech, and banking sectors, especially where volumes outpaced compliance capacity

  • Insufficient evidence of governance, from board oversight and escalation protocols to the absence of risk-based controls in high-growth environments


Although the specifics varied, regulators sent a clear message: fast growth, technological innovation, or brand reputation do not excuse AML control failures.


What Regulated Entities Should Take Away


Most institutions are trying to do the right thing, but staying ahead of AML expectations is demanding, especially in complex, fast-moving environments. Enforcement actions from 2025 offer important lessons for those working hard to strengthen their frameworks:


  • Make execution practical and consistent: Policies are only effective when they’re realistic and embedded in daily operations. Simplicity, clarity, and frontline engagement matter.

  • Build stronger escalation habits: Delays in filing suspicious activity reports are still one of the most common - and preventable - failures. Clear thresholds and confident escalation make a difference.

  • Show - not just say - there’s oversight: Boards and senior leaders must be able to demonstrate how they oversee AML risks. Governance can’t be passive or assumed.

  • Tailor monitoring to your business: Monitoring systems must reflect your actual activity and risk profile. This means regular tuning, not set-and-forget.

  • Treat EDD as a journey, not as a one-off requirement: High-risk clients need ongoing attention. One-time reviews are not enough. As relationships evolve, so does risk.


Conclusion


AML penalties in 2025 serve as a reminder that compliance programmes succeed or fail at the operational level. Policies, technology, and frameworks matter - but the consistency of behaviour, decision-making, and escalation is what regulators examine most closely.

Even reputable institutions with strong infrastructures face penalties when daily execution falls short.


For regulated entities, the path forward is clear: focus on practical implementation, strengthen governance, and ensure your AML framework operates exactly as intended.

 
