The Biggest AML Fines — and What They Teach Compliance Teams

Few things concentrate the mind on anti-money laundering quite like the size of the fines for getting it wrong. Regulators around the world have imposed penalties running into billions, and the cases behind them are a masterclass in what not to do. Here are some of the largest and most instructive AML fines — and, more usefully, the practical lessons every firm can take from them.

NatWest — £264.8 million (UK, 2021)

This was a landmark: the first time the UK's Financial Conduct Authority pursued criminal charges for money-laundering failings. NatWest was fined £264.8 million after pleading guilty to failures in monitoring the accounts of a commercial customer, Fowler Oldfield. Around £365 million was deposited over the relationship, roughly £264 million of it in cash, and although some staff raised concerns, no effective action followed. The lesson is stark: controls that exist on paper are worthless if alerts and internal concerns are not acted upon.

TD Bank — about $3.09 billion (US, 2024)

In October 2024 TD Bank agreed to penalties totalling roughly $3.09 billion for Bank Secrecy Act and AML failures, including a criminal fine and a large penalty from the US Financial Crimes Enforcement Network. Regulators found the failures allowed criminals to launder hundreds of millions of dollars. It became one of the largest AML penalties on record and a reminder that scale offers no protection — large institutions are held to the highest standard precisely because of the volumes they handle.

Binance — $4.3 billion (US, 2023)

The cryptocurrency exchange Binance reached a settlement of around $4.3 billion with US authorities over AML and sanctions failures, among the largest corporate resolutions of its kind. The case signalled clearly that the same anti-money-laundering expectations apply to crypto-asset businesses as to traditional finance — a theme reinforced by the EU's incoming crypto rules.

Starling Bank — £28.9 million (UK, 2024)

The FCA fined the challenger bank Starling £28.9 million in 2024 for financial-crime control failings, including in sanctions screening, after it opened tens of thousands of accounts for higher-risk customers despite a requirement to improve its framework first. The case shows that rapid growth must be matched by proportionate controls — scaling a customer base faster than the compliance function is a recipe for enforcement.

Danske Bank — the Estonian scandal

One of Europe's most notorious cases involved Danske Bank's small Estonian branch, through which an estimated €200 billion of suspicious funds flowed over several years. The fallout included the branch's closure, a US guilty plea and a settlement of around $2 billion in 2022. It is a textbook illustration of how a poorly supervised, high-risk corridor can dwarf the rest of an institution's risk.

The common threads

Look across these cases and the same failures recur: weak transaction monitoring, ignored internal warnings, onboarding higher-risk customers without matching controls, and a culture that treated compliance as a cost rather than a control. None of these is unique to giant banks. A small accountancy practice that fails to act on a clear red flag is making the same category of mistake as NatWest did — just on a different scale.

What firms should take away

Three practical lessons stand out. First, act on alerts and internal reports — most enforcement involves warnings that were raised but not actioned. Second, match controls to growth and risk, not to last year's business. Third, build a culture where staff feel able to escalate. These are exactly the capabilities that good anti-money laundering practice and structured compliance CPD are designed to embed.

Frequently asked questions

What was the first FCA criminal AML prosecution?

The NatWest case in 2021 was the first time the FCA brought criminal charges for money-laundering control failures, resulting in a £264.8 million fine.

Do AML fines only affect big banks?

No. While the largest headline fines hit major institutions, supervisors take enforcement action against firms of all sizes, including accountancy and other professional practices, for AML control failures.

What is the single most common failing in these cases?

A recurring theme is that warning signs or internal reports were generated but not acted upon — the controls detected the problem, but the organisation failed to respond.

The fines grab the headlines, but the real takeaway is simpler: most AML disasters were preventable, and usually someone inside the organisation had already noticed. The firms that stay out of trouble are the ones that listen.