Perspectives
Perspective 007Governance

Why good AML policies still produce poor outcomes.

Supervisory findings rarely stem from missing policies. They stem from the gap between what a policy says should happen and what happens in practice.

By Everett MorganWinter 202610 min read
European boardroom interior at dusk
Executive brief

Reading time · 10 minutes  ·  Primary audience · Boards, Audit and Risk Committees, MLROs, Heads of Compliance

Why this matters

Every material European AML enforcement decision of the last decade has involved a firm whose policies, read on paper, were broadly adequate. Starling Bank, N26, ING, Danske Bank, Coinbase Europe, Revolut: each had a policy suite that a peer would recognise. The findings did not name the policy. They named the outcomes the policy was supposed to produce and did not. Boards that assume policy approval is the endpoint of oversight are testing a different question from the one supervisors are now asking.

Key findings
  1. 01In every major European AML action since 2020 the firm held a compliant-looking policy suite. Supervisors found the outcome, not the document, was defective.
  2. 02The most common outcome failure is inconsistency: two similar customers, two different risk ratings, two different levels of due diligence, no defensible reason.
  3. 03Management information tends to report activity (alerts raised, files reviewed, training completed). Supervisors want to know whether the activity produced the right result.
  4. 04Firms that close the policy-to-practice gap treat their own QA output as the primary control on control quality, not as an administrative deliverable.
Questions Boards should ask
  1. 01If we took ten similar customer files from three different teams, would the risk ratings, EDD depth and monitoring treatment be broadly the same?
  2. 02What proportion of our closed alerts, on independent re-review, would we still close on the same basis?
  3. 03Where our MI shows a stable trend, do we know whether the underlying decisions are getting better, worse or drifting?

The problem: a compliant policy suite is a poor predictor of a compliant firm

A firm can have a well-drafted BWRA, a coherent customer risk methodology, a set of EDD and monitoring procedures aligned to the JMLSG and EBA guidelines, a clear SAR playbook and a training curriculum signed off by the Board. It can still, at the same time, be onboarding customers whose risk profile has not been genuinely assessed, closing monitoring alerts on rationales that would not survive re-review, and reporting to the Board in a way that describes activity rather than effectiveness. All of that is now routinely uncovered in supervisory work across the European financial services perimeter.

The distance between the policy shelf and the operating floor is where enforcement risk now sits. Boards that ask whether the policies exist are asking the question their predecessors asked ten years ago. Boards that ask whether the outcomes the policies were designed to produce are actually being produced, consistently and at scale, are asking the question that matches current supervisory practice.

The evidence: the same finding, in different jurisdictions, in different sectors

The recurring finding in European AML enforcement is remarkably consistent. It is worth naming the cases.

Different regulator, different jurisdiction, different sector, same finding. In each case the policy suite was intact. The outcomes were not.

Root causes: why the gap persists

The gap between policy and practice tends to have four recurring causes, and they compound. Understanding which of them a firm is carrying is the first step in closing it.

Good practice and poor practice, side by side

The clearest way to test a firm's exposure is to compare, on a specific control, what good practice looks like and what poor practice looks like. The examples below are drawn from recent readiness reviews. They are ordinary; that is the point.

Business impact: what the gap actually costs

The direct cost of the gap is the fine, and the fines are now substantial: £28.9 million at Starling, €21.5 million at Coinbase Europe, sustained double-digit-million penalties across the German, Dutch and Nordic markets. But the direct fine is rarely the largest item. Section 166 skilled-person costs, remediation programme costs (typically two to five times the fine), diversion of first- and second-line capacity from business change for eighteen to thirty-six months, restrictions on new customer acceptance in some cases, and the reputational effect on institutional counterparties are all larger items in aggregate. The gap is expensive precisely because closing it after enforcement costs several multiples of closing it in advance.

Practical solutions: closing the gap without another policy refresh

Closing the policy-to-practice gap is not a policy exercise. The following steps, done in order, tend to produce the largest shift for the least disruption.

The Claritas approach

We do not begin an engagement by proposing a new policy. Where a client asks us to look at the gap between policy and practice, we begin by taking a small, structured sample of the outcomes the current policy is producing, and reading them against each other. Typically that is ten customer files across three teams, twenty closed alerts across two typologies, the last four Board packs and the associated minutes. The exercise is short. It is intentionally not a full assurance review.

The output is a note that names the specific gaps we saw, the pattern behind them, the two or three fixes we would sequence first, and the KRIs by which the Board could measure whether the gap is closing. It is written to be read in one sitting by a non-executive audience, and to be defensible if presented in a supervisory meeting the following week. That is the standard we work to.

What success looks like
  • 01Similar customers receive similar treatment across teams, and where they do not, the file records why.
  • 02Closed alerts read as decisions, and a proportion is independently rejudged each month against the same evidence.
  • 03The Board pack answers three questions: what changed, what is drifting, what would you like the Board to decide.
  • 04The gap between what the first line believes and what the second line finds is measured, published and narrowing.
  • 05For every material financial crime decision, the pack, the challenge and the supporting evidence sit together in a single retrievable record.
References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation