Santander Fined Over €40 Million After AML Failures Uncovered at Digital Unit Openbank

Banco Santander SA has been ordered to pay a penalty exceeding €40 million following an extensive supervisory review of the anti-money laundering arrangements at its digital subsidiary, Openbank. Spain’s anti-money laundering authority, Sepblac, concluded that there were material weaknesses in the internal procedures and control systems governing Openbank’s operations in Spain. The sanction, one of the largest ever issued by the watchdog, reflects heightened regulatory pressure on banks to ensure effective oversight across all customer categories, including accounts that are blocked, inactive, or otherwise non-operational. The size of the fine was calculated on the basis of the overall scale of the Santander group, rather than being limited to the seriousness of any individual transactions identified during the review.

Sepblac’s enforcement action underscores the obligation for financial institutions to ensure that their internal monitoring frameworks are fully aligned with the requirements of Law 10/2010 on the prevention of money laundering and terrorist financing. The investigation focused in particular on how Openbank administered and periodically reviewed its customer base, with special attention paid to accounts that had remained dormant for long periods. Spanish legislation requires banks to keep customer due diligence information accurate and up to date regardless of whether an account is actively used. Regulators have repeatedly warned that overlooking inactive profiles can create latent weaknesses that may later be exploited for illicit purposes. Although the bank has stated that the shortcomings identified relate to past practices and have since been remedied, the scale of the penalty sends a clear signal that rapid digital growth must be accompanied by equally strong compliance controls. According to the authority, the stability of the financial system depends on the consistent application of due diligence obligations across all products and services, without exception.

In the digital banking environment, compliance demands have evolved beyond traditional branch-based supervision toward continuous, data-driven monitoring. Openbank plays a central role in Santander’s broader retail and digital expansion strategy, meaning any deficiencies in its anti-money laundering safeguards carry wider reputational and systemic implications. Supervisors examined the bank’s internal control manuals as well as how often customer risk classifications were reviewed and updated. From the regulator’s perspective, the fact that an account is blocked or inactive does not release a bank from its duty of ongoing vigilance. Maintaining comprehensive historical data ensures that, if an account is suddenly reactivated or misused for layering illicit funds, anomalies can be detected without delay. The fine of more than €40 million therefore serves not only as a punishment but also as a corrective measure, forcing closer alignment between digital innovation and regulatory expectations.

As Santander continues to embed its digital platforms into its core retail offering, Openbank has come under increasing scrutiny from national supervisors. The shift toward agile, low-cost digital banking models presents specific challenges for compliance structures originally designed for physical branch networks. Sepblac has stepped up its oversight of how digital institutions identify beneficial owners and monitor sources of funds in highly automated settings. The penalty imposed highlights the principle that the larger the banking group, the greater its responsibility to prevent financial crime throughout its entire structure. The case also exposed differing interpretations between the bank and the regulator regarding procedural obligations, particularly where less intensive monitoring had been applied to inactive or blocked accounts. Supervisors have consistently classified such accounts as areas of elevated risk rather than administrative exceptions.

The regulator further noted that while digital banks increasingly rely on advanced algorithms to identify suspicious behavior, the foundational risk assessment and control processes at Openbank during the period examined did not meet the required standard. Santander’s subsequent merger of Openbank with its European consumer finance business suggests a move toward more centralized governance, which may help standardize compliance practices across borders. Even so, the severity of the sanction demonstrates Sepblac’s readiness to use substantial financial penalties to prevent digital subsidiaries from becoming weak points in a global banking group’s anti-money laundering defenses. Although the Ministry of Economy, which oversees the authority, has declined to comment on internal deliberations, the magnitude of the fine reflects a broader policy objective of tightening oversight where internal data management and control systems fall short.

The legal foundation for the sanction lies in the powers granted to the Commission for the Prevention of Money Laundering and Monetary Offences, which allow the executive service to scrutinize internal policies, control manuals, and risk assessments of regulated entities. When these internal frameworks are found to be inconsistent with statutory requirements, the authority is entitled to impose penalties calibrated to the financial capacity of the institution concerned. This approach is intended to ensure that sanctions are genuinely dissuasive and that large banking groups are incentivized to correct weaknesses in legacy systems. The case demonstrates that regulators can impose significant fines even in the absence of proven money laundering activity, where deficiencies in the control environment alone are deemed serious enough. Compliance with Royal Decree 304/2014 requires continuous oversight and regular reporting to financial ownership registries, obligations that become increasingly complex as customer numbers expand.

Spanish law also obliges banks to conduct enhanced reviews of transactions or behaviors that appear unusual or lack a clear economic rationale. In a digital setting, this requires more than automated alerts; it demands effective escalation to human review and timely reporting to authorities. According to Sepblac, the processes in place at Openbank did not ensure a sufficiently strong feedback loop between automated detection systems and manual analysis. By tying the penalty to the size of the parent group, the regulator has reinforced the message that spending on compliance should be regarded as a core investment rather than a discretionary cost. This stance mirrors international regulatory trends that emphasize the overall resilience of an institution’s anti-money laundering framework, rather than focusing solely on isolated incidents of misconduct. Banks are increasingly expected to demonstrate not only that they have avoided laundering illicit funds, but that their systems would make such activity extremely difficult to carry out undetected.

The conclusion of the review represents an important moment for Spain’s banking sector as it navigates the tension between technological innovation and financial security. Regulators have made it clear that all accounts, active or dormant, must be subject to the same rigorous standards of monitoring. Santander has chosen to contest aspects of the findings, signaling an ongoing debate between regulators and the industry over how proportional such penalties should be. At the same time, the immediate response has involved a comprehensive strengthening of internal processes at the digital unit to prevent a recurrence of similar failings. As digital banking continues to expand across Europe, the lessons from this case are likely to influence compliance strategies well beyond Spain. The emphasis remains firmly on identifying risks at an early stage and ensuring that the transparency and integrity of the financial system are preserved.

Looking ahead, the cross-border expansion of digital consumer banking will demand a nuanced understanding of national regulatory expectations. The Spanish enforcement action provides a template for how authorities may respond to large-scale digital growth in other jurisdictions. Banks are being reminded that as their operations scale, tolerance for compliance failures diminishes sharply. Sustained investment in advanced analytics, staff training, and clear reporting structures is increasingly essential to avoid substantial administrative sanctions. While Santander maintains that its overall standards remain high, Sepblac’s intervention illustrates the determination of regulators to scrutinize fast-growing digital platforms. The central challenge for the coming years will be ensuring that the pace of digital transformation does not outstrip the development of safeguards designed to protect the integrity of the international financial system.

By fLEXI tEAM