
AML Penalties 2026: Why Fines Keep Increasing Despite Stricter Rules


January 2026 has already brought several AML and sanctions penalties across Europe, reinforcing a trend that regulators have been signalling for years. More specifically:



Different institutions. Different regulators. Patterns many compliance teams will recognise. And it’s only January.


These cases did not involve unknown or unregulated entities. They involved well-known, reputable institutions with established and long-running AML programs. Despite having formal frameworks, experienced teams, and documented controls in place, significant weaknesses still emerged.


That is precisely why these cases matter. They offer practical lessons for every AML function. By studying where strong institutions fell short, compliance teams can identify blind spots, strengthen controls, and improve how their own AML programs operate in practice.


What Went Wrong in Bank of Scotland Sanctions Screening Case


What happened


In the Bank of Scotland case, sanctions screening did not detect a designated individual because of name spelling variations. The screening control existed, but it did not produce a match in practice.


Why this matters


This type of failure does not happen because a screening system is missing. It happens when teams configure the screening tool too narrowly, accept inconsistent customer name data, or fail to trigger re-screening after customer details change. Real customer data includes spelling differences, multiple languages, and transliterations. Screening controls must be built and tested for these conditions.

 

These failures can be caused by:


  • Staff record the customer’s name differently across files and systems, and no one standardizes or reconciles the differences

  • The screening tool uses strict match settings, so it ignores close spelling variations

  • The firm never tests the tool using alternative spellings or translated versions of the same name

  • When staff update a customer’s name or ID details, the system does not run sanctions screening again

  • Testing focuses only on expected matches and “clean” examples, not on difficult or borderline name variations


What AML and sanctions teams can do


Teams should design and test sanctions screening based on how customer data actually appears in real files and systems, not how it looks in clean test samples. Name variation is normal and must be built into control design and testing. Some practical control actions include:


  • Test screening tools with real spelling variations and near-matches, not only exact matches

  • Run sample testing using transliterations (e.g. محمد → Mohammad / Mohammed / Muhamad / Mohamed) and alternative script versions of names

  • Review and document fuzzy-matching thresholds and override rules

  • Configure systems so any name or ID update automatically triggers re-screening

  • Standardise how staff record customer names across onboarding, KYC refresh, and operations systems

  • Perform periodic back-testing of screening performance using historical customer data

  • Record and approve any threshold tuning or match-suppression decisions through governance controls

 

Remember: Effective sanctions screening requires reliable technology, high-quality data, sound configuration, and disciplined processes. Gaps in any of these areas reduce detection effectiveness.
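The back-test and re-screening actions above can be sketched in a few lines. This is an added example, not code from the original article or from any screening vendor: the list entry, the spellings, the 0.8 threshold and the `difflib` similarity measure are all assumptions chosen for illustration, and only Latin-script variants are covered.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: a fictional list entry and spellings of the same name.
WATCHLIST = ["Mohammed Al-Rashid"]
VARIANTS = ["Mohammad Alrashid", "Muhamad Al Rashid", "Mohamed Al-Rashid"]

def normalise(name):
    """Fold case, strip diacritics, and drop spaces and punctuation."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if c.isalpha()).casefold()

def score(a, b):
    """Similarity in [0, 1] between two normalised names."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def screen(name, watchlist=WATCHLIST, threshold=0.8):
    """Return (list entry, score) pairs at or above the threshold."""
    hits = []
    for entry in watchlist:
        s = score(name, entry)
        if s >= threshold:
            hits.append((entry, round(s, 3)))
    return hits

def missed_variants(variants, threshold):
    """Back-test: which known spellings of a listed name produce no hit?"""
    return [v for v in variants if not screen(v, threshold=threshold)]

def update_name(customer, new_name, threshold=0.8):
    """Change a customer's name and re-screen in the same step."""
    customer["name"] = new_name
    customer["hits"] = screen(new_name, threshold=threshold)
    return customer["hits"]

if __name__ == "__main__":
    # A strict setting (1.0) only tolerates case and punctuation differences.
    print("strict misses:", missed_variants(VARIANTS, threshold=1.0))
    print("fuzzy misses: ", missed_variants(VARIANTS, threshold=0.8))
    customer = {"name": "Maria Alvarez", "hits": []}
    print("after update: ", update_name(customer, "Muhamad Al Rashid"))
```

Running the same variant set against each proposed threshold gives the evidence needed when a tuning decision goes through governance approval.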


What Went Wrong in Rakuten Europe Bank AML Alert Handling Case


What happened


In the Rakuten Europe Bank case, the regulator identified significant and recurring delays in processing alerts generated by the bank’s transaction monitoring and screening systems. Approximately 9% of alerts were closed more than two months after they were created, and several thousand alerts were awaiting review at the time of the inspection, including alerts relating to screening against restrictive measures in financial matters and politically exposed persons lists.


The CSSF found that the institution had not taken the necessary measures to process alerts rapidly once potential suspicious activity or sanctions-related indicators were identified, which breaches applicable AML/CFT regulations.


The sanction also recorded that in some cases suspicious activity reports were filed with the Financial Intelligence Unit (FIU) weeks after potential indicators were identified, and in at least one case involving a customer previously subject to terrorism-related asset freezes, no suspicious activity report was filed at all.


Why this matters


The regulator's decision places alert processing speed and follow-up action within the scope of AML/CFT compliance obligations. Institutions must review and act on transaction monitoring and screening alerts within a timeframe that supports effective risk mitigation.


Where alerts remain pending for extended periods or reporting follows late, monitoring and screening controls lose practical effectiveness. Risk indicators remain unresolved, escalation slows, and reporting obligations may not be met within expected timeframes.


The decision describes the delays and related control weaknesses. It does not provide a full internal workflow breakdown. However, in practice, alert handling delays often relate to control gaps such as:


  • teams measure total alert volumes but do not track alert "ageing"

  • firms assign equal urgency to all alerts regardless of risk level

  • investigation capacity does not match actual alert volumes

  • ownership of alert queues remains unclear across teams

  • escalation rules for overdue alerts do not exist or are not enforced

  • poor data quality and weak scenarios generate unnecessary alert volumes


What AML and sanctions teams can do


Teams should treat alert timeliness as a core control metric. Review speed, prioritisation, and escalation rules require formal definition and oversight.


Alert handling should follow risk-based timeframes and documented ownership. Some practical control actions include:


  • define resolution timeframes by alert risk level

  • monitor alert ageing alongside total backlog

  • trigger automatic escalation when alerts exceed defined time limits

  • assign clear ownership for each alert queue

  • review samples of aged alerts to identify root causes of delay

  • align staffing levels with actual alert volumes and complexity

  • review scenario quality and data inputs that drive alert generation

  • report alert timeliness metrics to compliance management


Remember: Alert generation alone does not reduce risk. Timely review, clear ownership, and sufficient investigation capacity determine whether alerts actually protect the institution.
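The difference between counting alerts and tracking their age can be made concrete with a small report. This is an added example, not code from the original article or from the regulator's decision: the per-risk time limits, the alert records and the reporting date are constructed assumptions, and the 60-day cut-off stands in for the "more than two months" measure quoted above.

```python
from datetime import date

SLA_DAYS = {"high": 2, "medium": 10, "low": 30}  # assumed limits, in days
AS_OF = date(2026, 1, 31)                        # assumed reporting date

ALERTS = [  # constructed sample queue: (id, risk, created, closed or None)
    ("A1", "high",   "2026-01-28", None),
    ("A2", "high",   "2026-01-30", None),
    ("A3", "medium", "2026-01-05", None),
    ("A4", "low",    "2026-01-10", None),
    ("A5", "low",    "2025-10-01", "2025-12-15"),
    ("A6", "medium", "2026-01-02", "2026-01-06"),
    ("A7", "low",    "2025-12-01", "2025-12-20"),
    ("A8", "high",   "2026-01-10", "2026-01-11"),
]

def age_days(created, closed, as_of):
    """Days from creation to closure, or to the reporting date if still open."""
    end = date.fromisoformat(closed) if closed else as_of
    return (end - date.fromisoformat(created)).days

def overdue_open(alerts, as_of):
    """Open alerts past their risk-level limit, most overdue first."""
    out = []
    for alert_id, risk, created, closed in alerts:
        over = age_days(created, closed, as_of) - SLA_DAYS[risk]
        if closed is None and over > 0:
            out.append((alert_id, risk, over))
    return sorted(out, key=lambda row: row[2], reverse=True)

def late_closure_rate(alerts, limit_days=60):
    """Share of closed alerts that took longer than limit_days to close."""
    closed = [a for a in alerts if a[3] is not None]
    late = [a for a in closed if age_days(a[2], a[3], None) > limit_days]
    return len(late) / len(closed) if closed else 0.0

if __name__ == "__main__":
    open_count = sum(1 for a in ALERTS if a[3] is None)
    print("open alerts:", open_count)  # volume alone hides the aged items
    print("escalate:", overdue_open(ALERTS, AS_OF))
    print("closed after 60+ days:", late_closure_rate(ALERTS))
```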


What Went Wrong in Saxo Bank Due Diligence and Monitoring Case


What happened


In the Saxo Bank case, Finanstilsynet issued an administrative fine notice that Saxo Bank accepted on 22 January 2026. The fine was DKK 313,000,000 and related to breaches of the Danish AML Act requirements on customer due diligence and ongoing monitoring.


Finanstilsynet’s findings focused on two areas:


  • insufficient collection of information about the purpose and intended nature of the business relationship for a number of customer relationships, and

  • insufficient ongoing monitoring in relation to White Label Clients (WLCs), where Saxo provided its trading platform to the WLC’s end customers.


The conduct covered the period January 2021 to May 2023, and the supervisor specifically highlighted how AML obligations operated in an intermediated/white-label structure.


Why this matters


White-label and partner distribution models change how institutions obtain customer information and monitor risk. Due diligence controls must adapt to that structure. When firms rely heavily on partner processes without sufficient independent verification, risk visibility decreases and control effectiveness weakens.


Clear responsibility, direct access to risk information, and continuous oversight determine whether due diligence works in these models.


What typically causes this type of failure in practice


These failures can be caused by:

  • reliance on partner onboarding and monitoring controls without independent testing

  • limited access to underlying customer and transaction data

  • unclear allocation of due diligence responsibilities between partner and institution

  • weak oversight of partner control performance over time

  • periodic reviews that rely on partner summaries instead of source data

  • contractual reliance without operational verification


What AML and sanctions teams can do


Teams should design white-label due diligence frameworks around visibility, verification, and accountability. Oversight controls should operate continuously, not only at onboarding.

Some practical control actions include:


  • define and document which party performs onboarding, monitoring, and periodic reviews

  • obtain direct access to required customer and transaction data for risk assessment

  • test partner controls through sampling and file reviews

  • validate partner due diligence quality through independent checks

  • set escalation triggers for higher-risk partner relationships

  • perform periodic oversight reviews of white-label arrangements

  • align contractual terms with actual control and data access needs


Remember: Effective due diligence in white-label models depends on visibility, verification, and clear accountability. Partner reliance requires continuous oversight and independent control testing.


What Went Wrong in CaixaBank AML Escalation Case


What happened


In the CaixaBank case, the penalty related to a failure to internally communicate indications of possible money laundering connected to a high-value real estate transaction, specifically the sale of the Torre Foster office tower in Madrid.


Although public official sources do not describe the full internal decision sequence, the published sanction refers to a breach of the obligation to internally report and escalate indications of suspected money laundering.


Why this matters


Cases involving complex or high-value transactions often require input from several teams. These situations place pressure on escalation channels and decision ownership.


Escalation forms part of the AML control framework. Detection alone does not reduce risk. Staff must pass concerns to the right level, and decision-makers must respond within defined timelines.


Unclear escalation paths, uncertain thresholds, and undefined decision ownership slow response and increase exposure. High-risk transactions require faster and more structured escalation handling.


In practice, escalation breakdowns usually appear through gaps like the following:


  • unclear escalation thresholds for suspicious indicators

  • front-office staff unsure when escalation is mandatory

  • compliance concerns raised without a defined decision workflow

  • multiple review layers without time limits

  • requests for additional information delaying escalation decisions

  • unclear ownership of the final escalation decision

  • reliance on informal discussions instead of recorded escalation steps


What AML and sanctions teams can do


Teams should design escalation frameworks that operate clearly under pressure and in complex transactions. Escalation should follow defined triggers, timelines, and decision ownership.


Some practical control actions include:


  • define mandatory escalation triggers linked to specific risk indicators

  • assign decision ownership at each escalation level

  • set response timeframes for high-risk and high-value cases

  • document escalation steps and decisions in case systems

  • require written escalation records instead of informal messaging

  • test escalation workflows using scenario exercises

  • review past complex cases to identify where decisions slowed


Remember: Effective escalation depends on clear triggers, defined decision ownership, and response timelines. Risk concerns must move quickly to the level where action can be taken.


Looking Ahead: AML Enforcement Trends and Penalties in 2026


Recent AML penalties in 2026 highlight how regulators evaluate control performance in real operating conditions. Enforcement findings focus on how screening, alert handling, due diligence, and escalation processes function in practice.


These areas often weaken gradually through configuration drift, operational pressure, unclear ownership, or process gaps. Supervisory reviews bring those weaknesses to the surface when controls do not operate consistently.


For AML teams, the forward focus remains practical. Test controls using real data and realistic scenarios. Review where delays occur and where decisions slow down. Confirm that escalation pathways operate clearly in complex cases as well as routine ones.


Enforcement direction continues to emphasise control execution and operational discipline. Organisations that review and strengthen these areas early reduce supervisory risk and remediation pressure later. We expect that as regulatory inspections tighten, AML penalties will continue to increase.
