On 12 December 2025, the Financial Conduct Authority (FCA) published a Final Notice imposing a fine of £44,078,500 on Nationwide Building Society for inadequate anti-financial crime systems and controls between October 2016 and July 2021.
Key takeaways
Key takeaways are set out directly below, but for more details on the findings see our ‘Notice in a nutshell’ table beneath these:
- Importance of periodic and event‑driven reviews: Firms must maintain up to date knowledge and understanding of their customers and business relationships. As part of this, they should undertake reviews of existing customer records to ensure that documents and information obtained for customer due diligence (CDD) and enhanced due diligence (EDD) purposes remain accurate. In this case, for the majority of the relevant period, in breach of its own policies, Nationwide had no process for undertaking either periodic or event-driven reviews of a large number of its customer relationships. The FCA found that the absence of these controls prolonged the time it would take for existing customer relationships to be reviewed and their CDD refreshed, so compromising Nationwide’s ongoing understanding of its customers.
- Need for integrated, calibrated systems which evolve: An effective transaction monitoring framework should take into account the firm’s understanding of its customers and evolve over time to reflect any changes such as customer behaviours. Any disconnect between systems can lead to failures to identify issues. If thresholds are too high, not kept under review and/or applied indiscriminately, suspicious funds may not be identified and patterns may be missed. In addition, where alerts are raised, firms need to ensure these are promptly and adequately investigated and actioned.
- Adequately manage business use of personal accounts: Whether to tolerate unauthorised use of personal current accounts for business use is a matter for a firm to decide. However, the FCA is clear that allowing accounts designed for personal use to be used for business, without effective mitigating controls through adequate policies and procedures, creates risks across the customer lifecycle. This is because the financial crime risk profile of SME banking customers is different from, and potentially higher than, that of personal customers due to factors such as the greater complexity involved in identifying corporate customers and monitoring their transactional behaviour, and the size and number of the transactions. Here, Nationwide was aware that some of its customers were using their personal accounts for business activity, in breach of its terms. As Nationwide did not offer business current accounts at this point, it did not have the right processes in place to adequately manage the financial crime risks from such business activity.
- Remediate promptly once weaknesses are known and ensure any new measures apply across the customer population: Identified weaknesses in CDD, customer risk assessments and transaction monitoring and controls must be effectively remediated in a timely manner. In this case, Nationwide was aware of weaknesses in its monitoring controls and progressed or implemented a number of workstreams aimed at remediating or uplifting these matters. However, these workstreams did not address the weaknesses in a sufficiently effective or timely manner, and the measures also did not apply across the whole customer base.
- Continued FCA focus on anti-money laundering (AML) controls: This case is a reminder of the FCA’s continued focus on firms’ AML systems and controls and follows other sizeable fines due to inadequate AML controls. Firms impacted by this decision should consider whether there are any lessons to be learned from the case for them, including in terms of amendments or additions to internal procedures/guidance, such as in relation to CDD, customer risk assessment and transaction monitoring systems.
Key information
Decision maker | FCA Settlement Decision Makers |
Firm | Nationwide Building Society |
Related material | None |
Sanction | £44,078,500 |
Settlement | Yes, a 30 percent discount was obtained. |
Provisions | Principle 3 of the FCA’s Principles for Business SYSC 6.1.1R and 6.3.1R |
Relevant period | 1 October 2016 to 1 July 2021 |
Factual findings | Key events during the relevant period included: 2015: FCA feedback indicated areas for development in Nationwide’s financial crime risk management including with regards to risks posed by customers. Nationwide confirmed that a retail risk profiling (RRP) project was underway, to introduce automated financial crime customer risk assessment. 2016: Nationwide’s system for risk assessing customers was an unsophisticated interim solution with a formal scoring process still being developed which categorised customers as ‘standard risk’ unless they fell into certain limited categories. Internal Audit reported that, whilst Nationwide’s T&Cs did not allow business use of current accounts, c 2,700 accounts were being used to facilitate business transactions and a lack of measures to monitor, manage and exit accounts operating in contravention of the T&Cs. 2017: An external review recommended that Nationwide consider an effective event driven review process linked to the outcome of customer risk assessments. 2019: Nationwide commenced a project to review and improve its transaction monitoring systems and controls including the prescriptive nature of the transaction monitoring rules, which were categorised by product with singular thresholds applied to all customers and the introduction of behavioural and peer comparison-based rules via segmentation of customers. May 2019: Following the operationalisation of the RRP system, Internal Audit reviewed the CDD data used by the RRP customer risk assessment and the application of the system’s defined criteria. Internal Audit concluded that data quality controls required “significant improvement”, partly due to discrepancies in the number of records across systems utilised by the RRP. Internal Audit also identified a lack of oversight to ensure the quality of data being transferred between those systems. October 2020: An external review expressed concern about whether the full extent of the high-risk customer population had been identified. February 2021: An internal financial crime control assessment rated Nationwide’s transaction monitoring as needing “significant improvement”. June 2021: An external review highlighted that periodic reviews were not being performed at all on existing customers who had not been assessed as high risk. September 2022: The MLRO report for the period April 2021 to July 2022 noted that Nationwide had been acting outside of its financial crime risk appetite due to a need to improve a number of primary AML controls. |
Failings | The FCA found that Nationwide had breached: (i) Principle 3 of the FCA’s Principles for Businesses requiring that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems; and (ii) SYSC rules 6.1.1R and 6.3.1R. The deficiencies in Nationwide’s AML systems and controls had a material impact on its ability to monitor effectively its customer relationships. In particular:
The deficiencies created material risks that unusual activity by customers might remain undetected and customers becoming high-risk might not be identified. The risk was particularly acute for customers who were using personal accounts for business activity in breach of Nationwide’s T&Cs. Nationwide’s financial crime prevention controls were not set up for business use and allowing accounts to be used for business purposes without effective mitigating controls created additional risk, including that unusual or suspicious business activity would not be detected and reported to the National Crime Agency. In one case, Nationwide missed opportunities to identify unusual activity by a customer who made fraudulent claims for furlough payments from HM Revenue & Customs and funds were transferred from accounts before freezing and forfeiture orders were obtained. Steps taken to address certain weaknesses were insufficient to ensure they were addressed in a timely manner. |
Related content
View all the other “Notices in a nutshell.”
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2026-01-06-14-35-34-434-695d1db6d11cd484ab248072.jpg)
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2026-01-21-10-18-51-102-6970a80b18495354879275c5.jpg)
/Passle/6182994d49b2340a4c485aab/SearchServiceImages/2026-01-15-05-13-40-725-69687784795a8a75bc6bc9e5.jpg)
/Passle/6182994d49b2340a4c485aab/MediaLibrary/Images/2026-01-13-10-52-20-680-696623e47e4f0ca466eaaa4c.jpg)