Luxembourg Regulator Fines Rakuten Europe Bank €185,000 Over AML and CTF Failings
- Flexi Group
The Commission de Surveillance du Secteur Financier has imposed an administrative fine of €185,000 on Rakuten Europe Bank S.A. after identifying serious shortcomings in the institution’s anti-money laundering and counter-terrorist financing controls. The decision was formally adopted on May 19, 2025, and made public on the regulator’s website in early 2026. The sanction corresponds to approximately one percent of the bank’s annual turnover as reported at the end of the 2022 financial year. The enforcement action followed an in-depth on-site inspection carried out between February and November 2023, during which supervisors assessed the effectiveness of the bank’s internal control framework. That review uncovered long-standing weaknesses in transaction monitoring and alert handling that had remained uncorrected for years, despite earlier warnings issued by other national competent authorities within the European Union.

According to the findings of the Luxembourg supervisor, the bank did not have an adequate transaction monitoring system capable of identifying suspicious or illicit financial activity across its digital operations. Inspectors determined that the scenarios embedded within the monitoring software were obsolete and no longer reflected the full range of transactions processed by the institution. The situation was exacerbated by the departure of key employees from the information technology and compliance functions during a critical restructuring phase, which significantly undermined the bank’s ability to configure, maintain, or update detection parameters needed to identify suspicious activity in real time. Compounding these issues, the bank continued to operate a version of its monitoring software that was no longer supported or maintained by the external vendor, exposing the institution to heightened operational and compliance risk. This technological stagnation created a serious gap in the bank’s oversight of its financial flows and weakened its ability to safeguard the integrity of the Luxembourg financial system. Notably, these same deficiencies had already been highlighted by another European supervisory authority as early as 2019, yet the bank failed to address them over the following four years. This prolonged inaction allowed systemic vulnerabilities to persist, even after explicit feedback had been provided regarding the inadequacy of the existing systems. The regulator stressed that an institution of this size is expected to ensure the continuous reliability and effectiveness of its core compliance technology to prevent the misuse of its infrastructure for criminal purposes.
The inspection also revealed substantial delays in the handling of automated compliance alerts, which played a central role in the decision to impose the fine. Investigators found that around nine percent of alerts generated by the bank’s systems were left unreviewed or unresolved for more than two months after being triggered. This backlog encompassed thousands of alerts linked to sanctions screening, politically exposed persons, and potential terrorist financing risks, all of which required immediate human assessment. The failure to process these alerts promptly meant that the bank did not always apply legally required restrictive measures without delay, in breach of Luxembourg regulatory obligations. Supervisors further noted that several suspicious activity reports were not submitted to the Financial Intelligence Unit within the prescribed deadlines, even after indicators of potential money laundering had been detected. In one particularly serious case, the bank did not file a report at all for a customer who had previously been subject to asset freezes in France in connection with terrorism-related concerns and specific criminal investigations. These procedural failures demonstrated an insufficient prioritization of high-risk warning signs that could point to the exploitation of the banking platform for financing activities linked to serious crime or global security threats. The volume of unresolved alerts suggested that the compliance function was either inadequately resourced or lacked sufficient managerial oversight to cope with the operational demands of the business.
Further regulatory concerns arose from deficiencies in customer due diligence practices and risk assessment processes. The on-site inspection found that the bank lacked effective automated controls to ensure that simplified due diligence measures were applied only when all relevant legal conditions were satisfied. In multiple instances, customers continued to benefit from reduced scrutiny even after changes in their business activities meant that a low-risk classification was no longer appropriate. The bank’s risk assessment methodology was also deemed inadequate because it failed to properly incorporate the country of residence of beneficial owners into the final risk score. As a result, the institution was unable to accurately assess the geographic risk associated with its clientele, increasing the likelihood that higher-risk relationships were incorrectly categorized. Inspectors also identified insufficient investigation of red flags linked to merchants who submitted documentation that did not align with the nature of the goods they claimed to sell online. By not resolving these inconsistencies through enhanced due diligence, the bank exposed itself to the risk of facilitating transactions involving counterfeit products or other predicate offenses that generate illicit proceeds. Regulators emphasized that effective customer due diligence must be dynamic, requiring continuous verification of client information against actual account activity. In contrast, the bank was found to rely too heavily on static or incomplete data, preventing a comprehensive understanding of the risks present within its merchant portfolio.
When determining the level of the fine, the CSSF took into account both the seriousness and the extended duration of the breaches, many of which spanned several years. The ongoing nature of the technological shortcomings in the transaction monitoring system was considered an aggravating factor, particularly given the earlier warnings issued by other European authorities. At the same time, the regulator acknowledged that the bank has since recognized the extent of its deficiencies and has presented a detailed remediation plan to address them. Implementation of corrective measures began during the inspection itself and continued in the months that followed, with the aim of strengthening the overall compliance framework. Planned and ongoing actions include the complete replacement of the outdated monitoring system, as well as the reinforcement of the second line of defense to improve oversight of delegated compliance responsibilities. The bank has also expanded staffing levels in both compliance and IT to avoid a recurrence of the technical and operational weaknesses that contributed to the failures. While the €185,000 fine serves as a penalty for past shortcomings, the CSSF has indicated that continued supervisory attention will focus on whether the new controls are capable of effectively mitigating money laundering and terrorist financing risks going forward. The regulator reaffirmed its commitment to upholding high standards across the financial center to preserve Luxembourg’s reputation as a secure and well-regulated jurisdiction, warning that future non-compliance could result in more severe measures, including higher fines or restrictions on the bank’s license if systemic issues persist.
By fLEXI tEAM




