Why Bad Data, Not Bad Intentions, Is Behind Most Compliance Failures

An analysis of five years of FCA enforcement actions reveals a systemic blind spot. Financial institutions keep getting fined not for lacking compliance frameworks, but for failing to verify, update, and connect basic customer information.

Damian
Why Bad Data, Not Bad Intentions, Is Behind Most Compliance Failures

The UK's Financial Conduct Authority (FCA) has imposed more than £430 million in anti-money laundering penalties on financial institutions between 2020 and 2025. The headline number alone is striking. What makes it more troubling is the pattern underneath: in roughly two-thirds of those enforcement cases, data deficiencies, outdated records, missing ownership details, or unverified customer declarations, were a material contributing factor.


That finding comes from a recent analysis of 22 FCA Final Notices conducted by Kyckr, a compliance data provider. The study did not attribute blame solely to poor data. Governance breakdowns, weak oversight, and flawed control design were typically present as well. But in case after case, the thread connecting them was the same: institutions could not verify what they thought they knew about their customers.

The implications extend well beyond the firms already penalized. With the FCA set to become the UK's single AML supervisor for professional services - adding roughly 60,000 law, accountancy, and trust firms to its remit - the regulator's data-first enforcement philosophy is about to reach a far wider universe of businesses.


The Fines at a Glance

The 15 firms cited in the Kyckr analysis for data-related AML shortcomings span banks, brokers, and fintechs. The largest individual penalty went to NatWest, at nearly £265 million.

Firm

Year

Fine (£)

NatWest

2021

264,772,620

Santander

2022

107,793,300

Monzo

2025

21,091,300

Barclays

2025

39,314,700

Nationwide Building Society

2025

44,000,000

Guaranty Trust Bank

2023

7,671,800

JLT Specialty

2022

7,881,700

ADM Investors

2023

6,470,600

Ghana International Bank

2022

5,829,900

Al Rayan Bank

2023

4,023,600

Note: Barclays and Nationwide were fined in 2025 in separate enforcement actions outside the Kyckr study's original 22 cases but reinforce the same pattern.

Four Recurring Failure Modes

The Kyckr analysis groups data-related failures into four categories. Each appeared across multiple institutions and, in several cases, directly enabled the movement of illicit funds.

  • Outdated or missing records (45% of fines): Firms relied on stale customer databases, dormant account lists, or incomplete onboarding files. Gatehouse Bank screened investors against an outdated PEP list and did not discover the discrepancy for nearly two years. Ghana International Bank failed for five years to notice a client had stopped trading entirely.
  • Unverified customer declarations (4 firms penalized): Institutions accepted what customers said about themselves without cross-checking against public registries. Monzo onboarded customers who listed addresses at Buckingham Palace and 10 Downing Street - a case that also highlighted the limits of automated compliance when human oversight is absent. At Santander, a company claiming to be a translation service with £5,000 in monthly turnover had £26 million pass through its account within ten months - its actual Companies House classification was financial intermediation.
  • Beneficial ownership gaps (32% of fines): Banks failed to identify or verify ultimate beneficial owners. Monzo could not verify UBOs for 19,198 business entities it had onboarded. JLT Specialty could not obtain a basic certificate of incorporation for a Panamanian entity it was doing business with.
  • Source of wealth and funds left unchecked (32% of fines): Al Rayan Bank failed to verify source of funds for 82% of sampled customers and source of wealth for 96%. One client deposited £580,000 in cash despite initially claiming it would make monthly installments of £2,000.

The Solo Group: A Case Study in Connecting the Dots

Five brokers - Sunrise, Arian Financial, Bastion Capital, TJM Partnership, and Sapien Capital - were fined for failures linked to the Solo Group, an FCA-regulated entity later alleged to have engaged in fraud. All five outsourced customer due diligence to the Solo Group itself, trusting its regulated status.

The problem was not just outsourcing. The brokers could not see that many of the Solo Group's purported clients were controlled by its own associates. Some beneficial owners were former employees. One was an 18-year-old listed as the beneficiary of five US pension funds. The information was technically available - CVs were included in KYC materials - but no one connected the dots.

The FCA's message was clear: verifying individual identities is not sufficient. Institutions must be able to map ownership structures and detect linkages between supposedly independent entities.

A Broader Enforcement Surge

The UK's data-focused approach is part of a wider global escalation. According to Fenergo's annual enforcement report, global AML penalties totaled $3.8 billion in 2025. While that figure was down 18% from the prior year's $4.6 billion, the decline was driven almost entirely by a 61% drop in US fines under the Trump administration's deregulatory stance. Elsewhere, enforcement intensified sharply.

Region

2025 Trend

Global total

$3.8 billion (down 18% from 2024)

North America

Down 58%

EMEA

Up 767%

APAC

Up 44%

UK (FCA alone)

£124–186 million in 2025

The FCA's own enforcement data shows total fines rising from roughly £38 million in the prior year to between £179 million and £186 million in 2024/25, with penalties on individuals more than tripling. Financial crime remains the regulator's core strategic priority through 2030.

According to Finance Magnates Intelligence estimates, if the FCA's current enforcement trajectory holds - with UK AML penalties roughly quadrupling year-on-year and data deficiencies present in two-thirds of cases - cumulative UK AML fines over the 2025–2028 period could exceed £800 million, with data-related enforcement accounting for more than £500 million of that total.

The addition of 60,000 professional services firms to the FCA's supervisory perimeter only increases the potential enforcement surface.

What Comes Next: The FCA's Expanding Remit

In October 2025, HM Treasury confirmed that the FCA will become the single professional services supervisor for AML - absorbing oversight of approximately 60,000 law firms, accountancy practices, and trust and company service providers currently monitored by 22 separate professional body supervisors. The move follows years of criticism that fragmented oversight left gaps in sectors frequently used as conduits for illicit finance.

Early compliance data from those sectors underscores the challenge ahead. HM Treasury's 2024–25 supervision report found that only 24% of accountancy firms and 29% of legal firms were fully compliant with AML requirements. Among the highest-risk legal firms, 28% were non-compliant. Based on those figures, Finance Magnates Intelligence estimates that upwards of 40,000 of the 60,000 firms entering FCA supervision may require material upgrades to their AML data and verification processes - representing a significant compliance remediation cycle that could stretch well into 2028.

At the EU level, a parallel development is underway. The new Anti-Money Laundering Authority began operations in Frankfurt in July 2025, marking the start of direct EU-wide supervision for high-risk entities. Taken together, these shifts signal that AML enforcement is moving away from periodic audits and toward continuous, data-driven oversight.

Where This Leaves the Industry

The pattern in FCA enforcement is not subtle. The regulator has moved beyond asking whether firms have AML policies in place. It now examines whether institutions can obtain, verify, and maintain accurate customer data in practice - and whether they can connect that data across entities and ownership structures.

For the firms already fined, most violations occurred well over a decade before the penalties were imposed. That lag between conduct and consequence is itself a warning: compliance weaknesses that seem manageable today may be building toward enforcement actions years down the line. And with the FCA's remit about to expand dramatically, the pool of institutions exposed to that risk just got a lot bigger.