
Freshfields Risk & Compliance


Out of the black box – a harmonised approach to AML fines?

Hardly a month goes by without reports of ever-increasing fines being imposed on financial institutions in the area of anti-money laundering and countering the financing of terrorism (AML/CFT). Fines are often in the millions, even where the actual violation sometimes appears to be – relatively speaking – rather minor. However, the opposite can also be the case, where – at first glance – rather severe violations are not fined accordingly. The approach taken by regulators when deciding on fines, especially in the context of AML/CFT, is often far from clear, let alone harmonised.

Accordingly, a 2024 report by the European Banking Authority (EBA) found that 

  • more than half of all NCAs did not have a comprehensive enforcement and sanctioning policy or procedures in place. This meant that NCAs relied on the professional judgement of individual staff to determine the severity of a weakness or a breach, define the value of fines or decide on administrative or corrective measures; and
  • in almost half of all NCAs, irrespective of the severity of the breach, fines or administrative measures were often low and not commensurate with the severity of breaches. This meant that enforcement was not always effective.

The new European AML Package (see our client briefing for an overview) envisages that the new European AML Authority (AMLA) shall address these issues by developing draft regulatory technical standards setting out 

  • indicators to classify the level of gravity of breaches;
  • criteria to be taken into account when setting the level of pecuniary sanctions or applying administrative measures; and
  • a methodology for the imposition of periodic penalty payments.

To this end, the EBA – in lieu of the not yet fully operational AMLA – published draft regulatory technical standards (the Draft RTS) on 6 March 2025. This blog post provides an overview of the key aspects of the Draft RTS and is part of a series tracking the implementation of the European AML Package (see our blogpost on direct AMLA supervision for further background).

I. Indicators to classify the level of gravity of breaches

Under the Draft RTS, supervisors shall classify the level of gravity of a breach and allocate the breach into one of four categories on the basis of set indicators, such as the duration or repetition of the breach, the conduct that led to the breach, the impact of the breach, etc.:

  • Category 1: Breaches with no or only minor direct impact on the obliged entity that only lasted for a short period of time and have been committed on a non-repetitive basis. 
  • Category 2: Moderate impact on the obliged entity.
  • Category 3: Significant impact on the obliged entity and the breach persisted over a significant period of time or occurred repeatedly or systematically.
  • Category 4: Very significant impact on the obliged entity or where there are structural failures with regard to AML/CFT systems. Also, where the breach has facilitated or led to significant criminal activities.

In particular, cases of weak KYC systems that resulted in fraud on a large scale are therefore likely to be considered category 4 breaches in the future. However, the degree of responsibility does not appear to have an impact on the classification of the breach; rather, intentional behaviour can result in an increase of the fine (see below).

A category 3 or 4 breach shall automatically be deemed to be a serious, repeated or systematic breach within the meaning of Article 55 AMLD. The consequences of such designation are severe:

  • The maximum pecuniary sanction that can be imposed must amount to at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least EUR 1 million, whichever is higher.
  • Where the obliged entity is a credit institution or a financial institution, in the case of a legal person, maximum pecuniary sanctions of at least EUR 10 million or 10 % of the total annual turnover, whichever is higher, shall be imposed. Where the obliged entity is a parent undertaking or a subsidiary of a parent undertaking required to prepare consolidated financial accounts, this threshold shall be calculated at group level.
  • In the case of a natural person, maximum pecuniary sanctions of at least EUR 5 million shall be imposed.

The above-mentioned fines represent a considerable tightening of the current legal regime and still leave a significant amount of discretion for NCAs. An even greater margin will remain for category 1 and 2 breaches.

II. Criteria to be taken into account when setting the level of pecuniary sanctions or applying administrative measures

The Draft RTS further sets out indicators that shall have a positive or negative impact on a fine. 

An envisaged fine shall decrease, among others, where the natural or legal person held responsible 

  • cooperates with the supervisor;
  • has quickly and effectively brought the complete breach to the supervisor’s attention;
  • has actively and effectively contributed to the investigation of the breach conducted by the supervisor; 
  • has taken effective and timely remedial action to end the breach;
  • has taken voluntary adequate measures to effectively prevent similar breaches in the future.

Conversely, the envisaged fine shall increase, among others, where the natural or legal person held responsible

  • has not cooperated with the regulator;
  • did not disclose to the supervisor anything the supervisor would have reasonably expected;
  • took actions aimed at partially or fully concealing the breach from the supervisor or at misleading the supervisor; or
  • has not taken remedial action.

The degree of responsibility, the benefit derived from the breach as well as the losses to third parties resulting from the breach are also among the criteria to be considered in this context.

These criteria highlight the importance of an immediate and transparent response to AML breaches and subsequent internal investigations and “lessons learned” exercises. A strong risk culture (see the ECB’s draft guide on governance and risk culture in this respect) therefore not only aims at preventing breaches but can also contribute to lower fines in relation to detected breaches.

III. Methodology for the imposition of periodic penalty payments

Periodic penalty payments (PPPs) appear to be the new supervisory tool of choice for EU regulators. Where obliged entities fail to comply with administrative measures within the deadline set, PPPs are seen as a tool “to apply enhanced pressure on the obliged entity to restore compliance without delay”. The Draft RTS sets out, among others, that

  • the natural or legal person held responsible shall have a right to be heard before a decision to impose a PPP is made;
  • a decision on the imposition of a PPP shall at least indicate the legal basis, the reasons for the decision and the amount that will be used for the calculation of the final accrued amount of the PPP;
  • the PPP amount can be set on a daily, weekly or monthly basis; and
  • the PPP shall be enforced and collected only for the period of non-compliance with the relevant administrative measure.

IV. Next steps

It will be some time before the above-proposed criteria are applied in practice: the Draft RTS is part of an EBA consultation and stakeholders can respond to the consultation by 6 June 2025. The Draft RTS will be submitted to the Commission by 10 July 2026. The AMLD 6 itself will need to be transposed into national law by 10 July 2027, on which date the Draft RTS will also start to apply. Nonetheless, the Draft RTS already sends a clear message that financial institutions are well advised to comply with AML/CFT requirements.