The problem: a compliant policy suite is a poor predictor of a compliant firm
A firm can have a well-drafted BWRA, a coherent customer risk methodology, a set of EDD and monitoring procedures aligned to the JMLSG and EBA guidelines, a clear SAR playbook and a training curriculum signed off by the Board. It can still, at the same time, be onboarding customers whose risk profile has not been genuinely assessed, closing monitoring alerts on rationales that would not survive re-review, and reporting to the Board in a way that describes activity rather than effectiveness. All of that is now routinely uncovered in supervisory work across the European financial services perimeter.
The distance between the policy shelf and the operating floor is where enforcement risk now sits. Boards that ask whether the policies exist are asking the question their predecessors asked ten years ago. Boards that ask whether the outcomes the policies were designed to produce are actually being produced, consistently and at scale, are asking the question that matches current supervisory practice.
The evidence: the same finding, in different jurisdictions, in different sectors
The recurring finding in European AML enforcement is remarkably consistent. It is worth naming the cases.
Different regulator, different jurisdiction, different sector, same finding. In each case the policy suite was intact. The outcomes were not.
Root causes: why the gap persists
The gap between policy and practice tends to have four recurring causes, and they compound. Understanding which of them a firm is carrying is the first step in closing it.
Good practice and poor practice, side by side
The clearest way to test a firm's exposure is to compare, on a specific control, what good practice looks like and what poor practice looks like. The examples below are drawn from recent readiness reviews. They are ordinary; that is the point.
Business impact: what the gap actually costs
The direct cost of the gap is the fine, and the fines are now substantial: £28.9 million at Starling, €21.5 million at Coinbase Europe, sustained double-digit-million penalties across the German, Dutch and Nordic markets. But the direct fine is rarely the largest item. Section 166 skilled-person costs, remediation programme costs (typically two to five times the fine), diversion of first- and second-line capacity from business change for eighteen to thirty-six months, restrictions on new customer acceptance in some cases, and the reputational effect on institutional counterparties are all larger items in aggregate. The gap is expensive precisely because closing it after enforcement costs several multiples of closing it in advance.
Practical solutions: closing the gap without another policy refresh
Closing the policy-to-practice gap is not a policy exercise. The following steps, done in order, tend to produce the largest shift for the least disruption.
The Claritas approach
We do not begin an engagement by proposing a new policy. Where a client asks us to look at the gap between policy and practice, we begin by taking a small, structured sample of the outcomes the current policy is producing, and reading them against each other. Typically that is ten customer files across three teams, twenty closed alerts across two typologies, the last four Board packs and the associated minutes. The exercise is short. It is intentionally not a full assurance review.
The output is a note that names the specific gaps we saw, the pattern behind them, the two or three fixes we would sequence first, and the KRIs by which the Board could measure whether the gap is closing. It is written to be read in one sitting by a non-executive audience, and to be defensible if presented in a supervisory meeting the following week. That is the standard we work to.
- 01Similar customers receive similar treatment across teams, and where they do not, the file records why.
- 02Closed alerts read as decisions, and a proportion is independently rejudged each month against the same evidence.
- 03The Board pack answers three questions: what changed, what is drifting, what would you like the Board to decide.
- 04The gap between what the first line believes and what the second line finds is measured, published and narrowing.
- 05For every material financial crime decision, the pack, the challenge and the supporting evidence sit together in a single retrievable record.
- Financial Conduct Authority, Final Notice: Starling Bank Limited, October 2024. www.fca.org.uk/publication/final-notices/starling-bank-limited-2024.pdf
- Central Bank of Ireland, Enforcement action: Coinbase Europe Limited, December 2024. www.centralbank.ie/news/article/press-release-central-bank-of-ireland-reprimands-and-fines-coinbase-europe-limited
- SEPBLAC, Annual Report 2025: supervisory findings and thematic observations.
- European Banking Authority, Guidelines on customer due diligence and money laundering and terrorist financing risk factors (Revised, 2023).
- JMLSG, Prevention of money laundering / combating terrorist financing, Guidance for the UK Financial Sector, current edition.



