MoneyGram Sanctioned by French Regulator Over Major Anti-Money Laundering Failures

MoneyGram International SA has been formally reprimanded and fined €1.3 million following a ruling by Autorité de contrôle prudentiel et de résolution, after inspectors uncovered widespread and systemic deficiencies in its anti-money laundering and counter-terrorist financing systems during an on-site review. Authorities stressed that the scale of the penalty reflects deep and broad non-compliance with the legal and regulatory framework designed to safeguard the financial system. Over the course of the investigation, regulators identified multiple structural weaknesses, particularly in how the payment provider monitored its high-volume transaction flows. The case underscores growing regulatory pressure on international payment firms to ensure that their local operations fully comply with national financial security standards.

Central to the findings was the company’s flawed approach to classifying its customers, which led to insufficient oversight. One of the most critical issues concerned how the firm differentiated between occasional users and those engaged in an ongoing business relationship. MoneyGram applied extremely strict criteria, requiring a customer to complete four successful transactions per month over three consecutive months before being classified as having a formal relationship. Regulators found this benchmark to be completely misaligned with actual customer behavior, noting that the typical client carries out fewer than five transactions per year. As a result, the vast majority of active users were excluded from stricter monitoring requirements. Data revealed that even among thousands of individuals who conducted twelve or more transactions annually, nearly all were still treated as occasional customers. This classification gap allowed individuals to transfer substantial sums through repeated transactions over extended periods without ever being subjected to enhanced due diligence measures.

The regulator also found serious shortcomings in the collection of essential financial information. Even for clients recognized as having an established relationship, the company routinely failed to gather key details such as occupation, income level, or overall wealth. Internal procedures did not require the systematic collection of such data, relying instead on simple declarations regarding the origin of funds for each transaction. Given the inherent risks in the remittance sector—particularly cash-based transfers often directed to higher-risk regions—this approach was deemed inadequate. Without a clear financial profile of its customers, the firm lacked the ability to detect discrepancies between transaction activity and an individual’s economic capacity. The authority further noted that when professional information was recorded, it was often too vague to be meaningful, consisting of generic labels like banking or executive that offered little insight into the customer’s true risk exposure.

In addition, the monitoring systems used by the company were found to be poorly adapted to the French market. Automated surveillance tools relied heavily on global rules that set transaction thresholds far above the typical amounts observed locally. Many alerts were only triggered for transactions exceeding $2,000, whereas the average transfer in France was approximately €300. This mismatch meant that a significant volume of potentially suspicious transactions went undetected. Moreover, local monitoring scenarios failed to account for individual customer risk profiles or geographic risk indicators. This lack of calibration rendered the firm’s internal controls largely ineffective in identifying common patterns of financial crime associated with money transfer services.

A further point of concern involved the failure to properly monitor transactions linked to non-cooperative tax jurisdictions. The company’s internal list of high-risk countries did not align with those established by the European Union and the Organisation for Economic Co-operation and Development. Notably, territories such as Gibraltar, Guam, and the United States Virgin Islands were absent from its monitoring framework. As a result, hundreds of transactions involving these jurisdictions were processed without enhanced scrutiny. Regulators emphasized that inclusion on such international lists automatically designates a jurisdiction as high-risk for money laundering or tax evasion, regardless of the transaction volume. The company’s argument that these transfers were limited in scale was dismissed, with authorities reiterating that enhanced vigilance is mandatory in such cases.

The investigation also highlighted structural weaknesses in coordination across compliance functions. The firm’s reliance on a super-agent model, involving networks of retailers and buralistes, complicated oversight. Although these agents were registered with the central bank, the primary institution retained ultimate responsibility for ensuring compliance across the network. Auditors found that central compliance teams lacked sufficient control over how these agents conducted local risk assessments, resulting in fragmented supervision. Given that a large share of the company’s operations in France was carried out through these retail intermediaries, this lack of centralized oversight created significant vulnerabilities and allowed unusual transaction patterns to persist undetected.

Internal audit and control mechanisms were also criticized for their lack of responsiveness. Regulators noted that several deficiencies identified during the 2023 inspection had already been raised in earlier communications dating back to 2019. Although the company had committed to lowering its thresholds for identifying business relationships, these changes were not effectively implemented until after formal disciplinary proceedings had begun. This delay was considered an aggravating factor, indicating a failure to act proactively on known risks. The financial sanction was therefore intended not only to address the violations themselves but also to signal that repeated inaction in response to regulatory warnings would result in serious financial consequences.

The case highlights the inherently high-risk nature of remittance service providers within the global financial ecosystem. These institutions often serve unbanked populations and process large volumes of cash-based transactions, making them attractive channels for illicit financial flows. The French regulator made clear that adopting a risk-based approach is not optional but a legal obligation. This requires tailoring controls to reflect the economic realities of customers and the specific risks of the regions in which the firm operates. A uniform global compliance model that ignores local conditions fails to meet this standard and undermines the institution’s role in protecting financial integrity.

The ruling also underscores the growing importance of robust and dynamic data collection in compliance practices. Regulators now expect firms to go beyond customer self-declarations and actively verify information to build detailed risk profiles. This includes confirming professional status and ensuring that transaction behavior aligns with known financial circumstances. In this case, the firm’s failure to collect and analyze such data severely limited its ability to maintain effective oversight, reducing its anti-money laundering framework to a procedural formality rather than a functional safeguard.

The decision to publish the sanction in a nominative format for a period of five years adds a significant reputational dimension to the penalty. Authorities rejected claims that such disclosure would disproportionately harm the company, concluding that transparency serves the broader public interest. By making the sanction public, the regulator aims to inform both consumers and financial institutions about the risks associated with the company’s compliance practices, while also sending a clear warning to the wider payment services industry that enforcement actions will be both visible and consequential.

Looking ahead, the case illustrates the urgent need for remittance providers to embed risk management deeply within their operational frameworks. This includes deploying advanced monitoring technologies capable of adapting to local transaction patterns and identifying subtle anomalies. Firms must move away from rigid global thresholds and adopt flexible systems that can respond to evolving risks. High transaction volumes, far from justifying weaker oversight, demand even more precise and effective surveillance mechanisms.

Equally critical is investment in compliance personnel. Teams must be equipped and empowered to question internal processes and investigate suspicious activity thoroughly. The findings of the French inspection point to a disconnect between regulatory expectations and operational practices, one that can only be addressed through a strong compliance culture driven from the top levels of management and implemented consistently across all agents and partners. Continuous training and independent audits are essential to ensure that policies are actively enforced rather than merely documented.

As international regulatory standards continue to tighten, financial institutions will face increasing demands for transparency and accountability. Remittance providers, in particular, must be prepared to demonstrate not only the existence of compliance systems but their effectiveness in practice. This includes regularly updating risk assessments to reflect new jurisdictions and emerging financial crime trends. The €1.3 million penalty serves as a stark reminder that failing to meet these obligations carries significant financial and reputational costs, reinforcing the principle that safeguarding the integrity of the financial system is a shared responsibility across the industry.

By fLEXI tEAM