Perspectives
Perspective 011Practice

Why AML remediation programmes fail, and how to keep yours on track.

Successful remediation is not about clearing backlogs. It is about restoring confidence in your financial crime framework, and that begins with governance, quality assurance and independent oversight.

By Everett MorganSummer 202611 min read
Long architectural corridor in a European corporate building at dusk, warm light against navy shadows
Executive brief

Reading time · 11 minutes  ·  Primary audience · Boards, Programme Sponsors, MLROs, Heads of Financial Crime, Chief Operating Officers

Why this matters

Large AML remediation programmes are one of the most exposed pieces of work a regulated firm can undertake. They tend to arise when confidence in the framework has already been questioned, often by a supervisor. They involve large volumes of work, significant external cost, sustained management attention and a Board whose credibility is already under pressure. In my experience across programmes at Deutsche Bank, Morgan Stanley, BNP Paribas and mid-tier European firms, the programmes that fail rarely fail because the population was too large or the standard too demanding. They fail for reasons that are visible in the first ninety days and that can be addressed. This Perspective is about those reasons.

Key findings
  1. 01Programmes rarely fail on volume. They fail on governance, on quality assurance design and on management information that measures activity rather than risk.
  2. 02The scoping workshop determines more of the eventual outcome than any subsequent decision. Programmes that begin with an under-specified scope struggle to recover.
  3. 03A completed file has to be defined before the programme starts, in operational terms an analyst can apply and a QA reviewer can test. Ambiguity here is the largest single cause of throughput drift.
  4. 04Independent QA on a defined sample, with a calibration forum to resolve disagreements, is the single most productive control on remediation quality.
  5. 05The Board pack for a remediation programme should be different from a business-as-usual financial crime pack. Its purpose is to evidence controlled progress, not to describe activity.
Questions Boards should ask
  1. 01Do we have a written definition of a completed file that our analysts, our QA function and an external reviewer would apply consistently?
  2. 02Is the QA pass rate rising, stable or falling, and can we distinguish between changes in file quality and changes in QA calibration?
  3. 03If the supervisor asked to see one closed file and one QA rejection today, would either withstand scrutiny?

The problem: programmes that were on plan until they were not

A large remediation programme rarely announces its difficulty. The early months tend to look reassuring. Population sizing is signed off. Vendors are appointed. Analysts are hired. The first tranche of files is processed. The MI pack shows steady throughput. Six months in, the throughput plateaus, the QA pass rate begins to slip, and the programme discovers it has been measuring the wrong thing. Nine months in, the second line raises a concern that the definition of a completed file has been drifting; the operations lead disagrees; the Board pack begins to lose coherence. Twelve months in, the programme is behind plan, above budget and under supervisory attention.

That trajectory is not inevitable. It is the predictable consequence of a small number of specific decisions that were, or were not, taken in the first ninety days.

The evidence: what recent enforcement remediation has taught the market

The five failure modes we see repeatedly

Good practice and poor practice in remediation design

Business impact: the cost of drift

A remediation programme that drifts by six months on throughput typically extends by twelve months in total once the rework of the drifted period is factored in. Where the supervisor is engaged, the cost of the additional oversight (skilled-person work, additional testing, remediation of the remediation) frequently exceeds the incremental programme cost. In every case in my direct experience, the aggregate cost of drift has been between two and five times the cost of the specific investment that would have prevented it.

Practical solutions: what the first ninety days should look like

The Claritas approach

We are usually asked to help either at the beginning of a programme, to design it in a way that will not drift, or at month nine, when it already has. The interventions differ. At the beginning we work with the client on the five items above and, once the programme is running, step back to a monthly independent oversight role. In month nine, the work is diagnostic first: we take a sample of completed files, we take a sample of QA-passed rejections, we read the last three Board packs against the last three programme operating committee minutes, and we produce a note that names the specific decisions that would need to be reset for the programme to recover.

In either case the deliverable is short. Programmes rarely fail for lack of paper. They fail for lack of a small number of decisions being taken in the right order. Our job is to name those decisions and to give the Board the confidence to take them.

What success looks like
  • 01A written definition of a completed file exists, is endorsed by the second line, and is the same document a QA reviewer, an analyst and an external adviser would apply.
  • 02The QA divergence rate between first line and second line is reported as a headline KRI and is on a trend the Board can defend.
  • 03The Board pack opens with residual risk position, not with productivity.
  • 04One accountable executive, one weekly operating committee, one monthly Board format. Every material decision is taken in one of the three.
  • 05An independent readiness view is commissioned at month three, month nine and at the point of programme closure.
References
  • Financial Conduct Authority, Final Notice: Starling Bank Limited, October 2024 (referenced remediation obligations).
  • Central Bank of Ireland, Enforcement action: Coinbase Europe Limited, December 2024.
  • SEPBLAC, Annual Report 2025, remediation and periodic review findings.
  • Wolfsberg Group, Statement on effective monitoring for suspicious activity (relevant to remediation QA design).
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation