
Nationwide Fined £44m for Prolonged AML Control Failures

  • Dec 15, 2025

The Financial Conduct Authority has imposed a £44 million fine on Nationwide Building Society after identifying widespread and persistent weaknesses in its anti-money laundering controls over a period stretching from October 2016 to July 2021. According to the regulator, Nationwide failed to maintain adequate systems to ensure that customer due diligence and risk assessments for personal current account holders were kept up to date, while its transaction monitoring capabilities were also found to be insufficient. The enforcement action highlights the significant risks that arise when financial institutions do not evolve their compliance frameworks in line with changing business practices and regulatory expectations. The length and breadth of the shortcomings point to a fundamental failure to meet the core requirements of the UK’s money laundering prevention regime.



At the centre of the regulator’s findings was Nationwide’s inability to establish and maintain effective customer due diligence, a cornerstone of any credible AML framework. The building society repeatedly failed to properly identify, assess, monitor and manage money laundering risks associated with its personal current account customers. Nationwide was aware that a portion of these customers were using personal accounts to conduct business activity, despite this being a clear violation of its terms and conditions. At the time, Nationwide did not offer business current accounts, leaving it without the appropriate processes, systems and controls needed to manage the heightened financial crime risks that naturally accompany business-related transactions.


This gap created a serious and unaddressed vulnerability within the organisation. By failing to capture and analyse the true nature and purpose of account activity as it shifted from personal to commercial use, Nationwide assigned inaccurate risk profiles to affected customers. As a result, the firm did not have a reliable understanding of which customers posed an increased financial crime risk, directly undermining the risk-based approach mandated by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as well as the preceding legislative framework. Without accurate customer risk assessments, downstream controls—most notably transaction monitoring—were fundamentally compromised. The FCA concluded that Nationwide’s systems and controls were not merely weak but were “inadequate” given the scale and complexity of its operations, leaving the firm exposed to the risk of facilitating serious financial crime.


The shortcomings in transaction monitoring were brought into sharp focus by at least one particularly severe case examined by the regulator. Transaction monitoring is designed to detect unusual or suspicious activity through the analysis of customer behaviour, but its effectiveness depends heavily on sound customer profiling and ongoing due diligence. Nationwide’s flawed CDD processes directly impaired its monitoring systems, which were either insufficiently calibrated to detect business activity on personal accounts or failed to generate alerts proportionate to high-risk transactional behaviour.



In the case highlighted by the FCA, a customer used personal current accounts to receive fraudulent payments linked to the Covid furlough scheme. Over a 13-month period, the accounts received 24 payments amounting to around £27.3 million. Of this total, approximately £26.01 million was paid in over an exceptionally short period of just eight days. Such a dramatic surge in funds, entirely inconsistent with normal personal account usage, should have triggered immediate and significant alerts within a properly functioning monitoring system. The volume, speed and nature of the transactions represented a classic money laundering typology involving layering and structuring. Nationwide failed to identify and act on multiple warning signs, allowing the funds to pass through its accounts and resulting in roughly £800,000 of criminal proceeds remaining unrecovered by His Majesty’s Revenue & Customs. The episode underlines the regulatory requirement for firms to carry out continuous monitoring to ensure transactions align with their knowledge of the customer, their activities and their assessed risk, as stipulated under the MLR 2017.


The fact that these failures persisted for almost five years also raised serious concerns about governance and oversight at senior management level. Nationwide was aware for an extended period that its systems and controls were deficient, yet it did not remediate the issues in a manner that was either sufficiently effective or timely. Such delays are viewed by the regulator as a significant aggravating factor, as they indicate a failure to take reasonable care in organising and controlling business affairs responsibly and effectively, in breach of Principle 3 of the FCA’s Principles for Businesses.


The FCA has repeatedly made clear, including through a series of “Dear CEO” letters to the retail banking sector, that responsibility for robust AML controls rests firmly with boards and senior management. Nationwide’s continued acceptance of unmanaged financial crime risk, particularly in relation to the known misuse of personal accounts for business purposes, represented an unacceptable exposure to money laundering. Although the building society eventually launched a wide-ranging financial crime transformation programme in July 2021, the regulator determined that the actions taken between 2016 and 2021 fell short of what was required. This prolonged period of non-compliance ultimately culminated in the substantial financial penalty, imposed because the firm’s deficiencies materially increased the risk of it being used for financial crime. The outcome serves as a clear warning that simply recognising weaknesses is insufficient; firms must deliver prompt, effective and demonstrable remediation.


The FCA’s decisive action against Nationwide sends a strong signal about the essential role financial institutions play in protecting the integrity of the financial system. The £44 million fine reflects the regulator’s view that failures in fundamental controls, such as customer due diligence and transaction monitoring, constitute serious breaches of regulatory obligations with real-world consequences, as illustrated by the significant volume of undetected fraud. Banks and building societies function as critical gatekeepers, and lapses in their controls directly enable the movement of illicit funds.


The case also illustrates a common and persistent money laundering typology: the use of personal accounts for undisclosed business activity. This practice significantly complicates the detection of suspicious transactions, as expected behaviour on personal accounts differs markedly from that on business accounts. As financial crime threats continue to evolve, firms are required to ensure that their systems and controls not only comply with the Money Laundering Regulations but are continuously adapted to reflect the specific risks posed by their customers, products, services and delivery channels. The regulator’s message is clear: financial institutions must remain constantly vigilant, regularly reviewing and enhancing their AML frameworks to detect, prevent and report suspicious activity, safeguard the financial system and limit the harm caused by economic crime.

By fLEXI tEAM
