Last week, Nationwide Building Society, the UK’s largest building society, was handed a £44m fine by the Financial Conduct Authority (FCA) for financial crime failings. A business that has graced the British high street for over 140 years, with a long-standing reputation for prudence and member focus, Nationwide has become the latest target of regulatory interest for inadequate anti-financial crime systems and controls dating back as far as October 2016.
The fine could have been close to £63m had Nationwide not agreed to resolve the issues highlighted by the FCA, and the Final Notice and subsequent media coverage make for sobering reading. They describe weaknesses in the firm’s due diligence and monitoring processes that ran for years, affecting millions of personal current account customers, and left the firm exposed to money laundering and fraud risks that should never have gone unchecked.
In this article, we take a look at exactly what went wrong for Nationwide and how Anti-Money Laundering (AML) compliance teams like yours can avoid the same fate.
What the FCA actually fined Nationwide for
The £44m penalty issued by the FCA related to failings in Nationwide’s financial crime controls between 2016 and 2022. When you read the details covered in the Final Notice, it becomes clear how seemingly small gaps can stack up over time and cause real damage. According to the FCA, the building society failed to adequately monitor and manage risk linked to its accounts and “was unable to effectively identify, assess, monitor or manage the money laundering risks among its personal current account customers” (FCA).
At a time when Nationwide did not even offer business current accounts, the FCA reported that the society was aware of some customers using their personal accounts for business purposes, in breach of its own terms and conditions. The FCA makes it clear that Nationwide knew about this unauthorised business use and even recognised the financial crime risks it posed, but it did not have a suitable framework for identifying, assessing and managing the financial crime and fraud risks associated with business accounts. As a result, according to the FCA, Nationwide “did not have an accurate picture of its customers who presented a higher risk of financial crime.”
In turn, personal accounts were left in a sort of regulatory limbo – subject to retail AML controls that were not designed to capture the risk factors that a comprehensive Know Your Business (KYB) risk assessment would have, such as identifying beneficial ownership, mapping out corporate structures, screening directors, and analysing the expected risk profile and behaviour of a corporate account.
The most egregious illustration of this lax approach to financial crime risk management came during the COVID-19 pandemic. During this time, the UK government implemented the Coronavirus Job Retention Scheme, which was designed to protect the UK economy by helping employers whose operations were adversely affected by coronavirus and the subsequent restrictions to retain their employees through furlough payments.
The FCA found more than 33,000 Coronavirus Job Retention Scheme payments totalling £64.6m had been paid into over 5,000 personal accounts, a strong indicator that these accounts were being used for business purposes. In one instance, a customer received 24 fraudulent furlough payments into their Nationwide accounts, totalling £27.3m over a period of 13 months, with £26m arriving over eight days between 2020 and 2021.
How Nationwide’s financial crime framework fell apart
In its Final Notice, the FCA was clear that Nationwide’s systems did not keep up with the size and complexity of its customer base. On paper, the components of a solid AML framework were in place at Nationwide: risk assessments, monitoring, escalation routes, remediation plans. In practice, however, these parts did not operate as a joined-up system.
Controls were built around assumptions that no longer held true, particularly around how accounts were being used. Personal accounts being used for business purposes, large volumes of government support payments, and unusual transaction flows were not reflected in customer risk ratings or monitoring alerts.
Additionally, it has been reported that the way Nationwide’s ongoing monitoring was structured meant that alerts were only raised retrospectively and investigators had up to twenty working days to act. This timeframe meant that, for savvy fraudsters, the money was long gone by the time it was investigated. To date, over £800,000 of that fraud remains unrecovered. In the end, HMRC identified the fraud and intervened to freeze accounts and obtain forfeiture orders to seize assets.
There were also serious weaknesses in how financial crime risk was owned internally. The Final Notice suggests that accountability was “not assigned for the setting and managing of risk appetite as there was no clear owner for doing so.” In every AML compliance process, a lack of ownership and responsibility is something that can quietly erode entire frameworks.
What makes the details of the case especially uncomfortable reading is that these were not hidden problems. Nationwide itself identified issues with its controls and had embarked on a remediation programme aimed at resolving some of the weaknesses in its compliance framework, but the firm didn’t move fast enough, nor did any of the fixes go far enough. As a result, years passed while gaps remained.
Practical AML and KYB improvements
The lessons from the Nationwide fine are not about the latest cutting-edge financial products or obscure loopholes, but about everyday behaviours, delayed decisions, and risks that sat in plain sight. For AML teams, this case serves as a reminder that financial crime frameworks tend to fail quietly, through small gaps that persist for too long. Here are a few handy steps that can make a difference:
Ensure customer risk assessments are dynamic: Static risk ratings that are refreshed annually are not enough when behaviour can change in a matter of days. You should be able to trigger further investigation or due diligence based on activity, not just periodic reviews. Alerts of any adverse changes to a customer’s risk profile should be promptly investigated and, where necessary, escalated into enhanced due diligence, requests for additional information about trading activity, or indeed restrictions on account use if explanations are not forthcoming.
Leverage reliable KYB data: Once business activity is identified, your team should have structured processes and tools to vet and verify it. That includes confirming the nature of the business, understanding ownership and control structures, identifying any politically exposed persons, checking connections to sanctioned entities, and mapping business relationships. Public company registers, beneficial ownership databases, and Companies House filings can reveal hidden stakeholders or complex structures. Sanctions lists, watchlists, and regulatory warnings highlight exposure to high-risk individuals or entities, while law enforcement alerts, adverse media, and open-source intelligence flag reputational or operational risks.
Hardwire financial crime awareness across your business: Financial crime risk doesn’t sit neatly within one function, but as a compliance team, you sit at the point where these departments need to come together. Frontline teams may notice customers talking about trading activity on a personal account; operations may see repeated payroll-style payments or inbound transfers that do not fit a retail profile. Customer support may handle queries about delayed supplier payments that point to business use. These teams should all understand what emerging financial crime risk looks like in their part of the organisation and, more importantly, how to escalate it.
Test your framework against real scenarios: Frameworks often fail when they are simply maintained and not challenged. You should regularly test how your AML and KYB controls perform against realistic scenarios that could occur within your business. Financial crime rarely confines itself to the parts of the business labelled “high risk”. It often turns up where controls are light because everyone assumes nothing serious will happen there. If you convince yourself a risk does not exist, you are unlikely to design systems to spot it. In Nationwide’s case, this may have been the misuse of personal accounts, sudden surges in payments from government funds, and changes in customer behaviour. If controls only work in theory or under ideal conditions, they have no chance of withstanding regulatory scrutiny when something goes wrong. The Nationwide case is a reminder that frameworks are often judged by how they perform under strain, not how they are described in policy documents.
Protect your firm from the risk of penalties and fines with robust KYC and KYB checks. Trust ID-Pal to enable seamless, robust AML screening for your business.