Top-5 KYB Failures: What Went Wrong — and What to Fix

From 2023 to 2025, global enforcement actions tied to AML, KYC, sanctions, and customer due diligence totaled approximately $6.6 billion in 2023, $4.6 billion in 2024, and $3.8 billion in 2025. The aggregate numbers fluctuated, yet the supervisory approach became more structural. Authorities relied increasingly on criminal resolutions, independent compliance monitors, remediation programs, and growth limitations. Financial penalties were only one part of the outcome; operational constraints and governance restructuring often proved more consequential.

Enforcement activity spanned traditional banking, digital banking, crypto exchanges, payments, and high-risk corporate sectors such as gaming. The nature of the failures differed by industry. Banks struggled with monitoring architecture and lifecycle governance. Digital platforms faced sanctions screening and onboarding enforcement gaps. Crypto exchanges confronted global jurisdictional exposure. In corporate cases, regulators examined whether AML programs were genuinely fit for purpose.

Across these cases, one common dynamic emerges: business expansion outpaced control architecture. Regulators increasingly evaluate whether KYB frameworks operate continuously, scale proportionally, and enforce risk decisions systematically. Onboarding checklists and written policies alone no longer satisfy supervisory expectations.


TL;DR

Recent high-profile KYB failures were driven by structural control breakdowns.

  • Binance — sanctions and AML governance misaligned with global scale
  • TD Bank — prolonged monitoring infrastructure deficiencies
  • Starling Bank — sanctions screening and onboarding enforcement gaps
  • Nationwide — behavioral misclassification of customers
  • Crown Resorts — AML program design not aligned with risk exposure

In each case, policies and data existed. The weakness lay in how controls were engineered and enforced.


Case 1 — Binance (2023)

Industry: Crypto

Penalty: $4.3B+

Core Issue: Sanctions and AML governance at global scale

When U.S. authorities announced the $4.3 billion resolution in November 2023, the message was clear. The Department of Justice, FinCEN, OFAC, and the CFTC concluded that Binance had failed to maintain an effective AML program under the Bank Secrecy Act and permitted transactions involving sanctioned jurisdictions.

The public record describes gaps in customer identification, monitoring, and sanctions controls. Yet the deeper issue was structural. Risk segmentation existed. Enforcement of that segmentation was inconsistent.

High-risk geographies were insufficiently escalated. Corporate structures did not always receive enhanced due diligence aligned with their exposure. Sanctions risk was not recalibrated dynamically as activity evolved. Controls were not proportionate to the platform’s global footprint.

Regulators emphasized implementation failure. Internal compliance policies did not translate into binding operational constraints. Growth continued while governance remained under-engineered for the scale involved.

Prevention would have required enforceable risk-tier logic embedded into onboarding systems, automatic sanctions recalibration upon data changes, consolidated entity-level risk scoring across jurisdictions, and immutable audit trails for onboarding decisions.

For global platforms, risk segmentation must function as executable logic, not guidance.

Case 2 — TD Bank (2024)

Industry: Traditional Banking

Penalty: $3B+

Core Issue: Monitoring infrastructure breakdown

In 2024, TD Bank faced coordinated enforcement from FinCEN, the OCC, the Federal Reserve, and the DOJ. FinCEN imposed a $1.3 billion penalty and mandated a four-year independent monitor. Additional fines and growth restrictions followed. Authorities cited prolonged monitoring deficiencies between 2018 and 2024 across trillions of dollars in transaction volume.

The issue centered on core AML infrastructure. Monitoring systems did not operate at the intensity required by the bank’s risk profile. Lifecycle KYB did not translate into proportionate surveillance. Risk assigned at onboarding did not consistently influence monitoring depth over time.

This was architectural misalignment. Coverage gaps, escalation failures, delayed remediation, and monitoring capacity that did not scale with transaction volume formed a systemic pattern.

Resilient architecture would include a unified entity risk ledger, validation that monitoring coverage maps to risk categories, event-driven recalibration of risk tiers, and escalation pathways that cannot be bypassed operationally.

Monitoring frameworks must operate predictably under scale, regardless of growth trajectory.

Case 3 — Starling Bank (2024)

Industry: Digital Banking

Penalty: £29M

Core Issue: Sanctions screening enforcement

The UK FCA fined Starling Bank after identifying weaknesses in financial crime controls. The bank breached a voluntary restriction prohibiting onboarding of certain high-risk customers. Accounts were opened despite those restrictions.

The core failure involved sanctions screening coverage and enforcement integration. Screening systems did not consistently incorporate all relevant identity fields. Onboarding controls did not technically block prohibited activity. Manual override pathways weakened the integrity of restrictions.

Policies were in place. System enforcement was insufficient.

Mitigation would require full identity normalization prior to screening, comprehensive re-screening of the customer base upon list updates, hard onboarding blocks tied to defined risk thresholds, strict override governance, and independent validation of screening coverage.

Sanctions controls must function as an embedded control layer within product architecture.

Case 4 — Nationwide (2025)

Industry: Retail Banking / Lending

Penalty: £44M

Core Issue: Behavioral risk drift

The FCA’s enforcement action against Nationwide focused on lifecycle weaknesses. Some customers initially onboarded as retail clients began using personal accounts for business purposes. Risk classification did not adjust accordingly.

This represents profile drift. Customer behavior evolved while classification remained static. Ongoing due diligence did not detect the shift early enough to trigger escalation.

Risk frameworks that rely solely on declared intent at onboarding face limitations when transactional behavior changes. Effective KYB requires behavioral signals to influence classification dynamically.

Mitigation mechanisms include anomaly detection models linked to risk tiers, automatic upgrades in monitoring intensity upon threshold breaches, mandatory product-risk alignment checks, and event-triggered enhanced due diligence.

Lifecycle governance requires continuous recalibration, not periodic reassessment alone.

Case 5 — Crown Resorts (2023)

Industry: Corporate (Gaming)

Penalty: AUD 450M

Core Issue: AML program design

In 2023, AUSTRAC’s proceedings against Crown Resorts culminated in a Federal Court order requiring payment of AUD 450 million. The court concluded that Crown’s AML/CTF program failed to satisfy its statutory purpose of identifying and mitigating money laundering and terrorism financing risks.

The deficiency was programmatic. Risk assessments did not consistently translate into enforceable controls. High-risk customers were not always subject to appropriately gated enhanced due diligence. Governance oversight did not ensure effective linkage between risk identification and operational mitigation.

This case highlights a distinct supervisory focus: whether an AML program demonstrably mitigates risk in practice.

Preventive architecture includes mandatory EDD gating aligned with defined risk tiers, behavioral escalation logic, continuous control testing, evidence-linked case management, and structured documentation supporting regulatory review.

An AML program must show measurable alignment between risk assessment and control execution.

Conclusion

Recent enforcement actions demonstrate increased scrutiny of control architecture across industries. Regulators evaluate whether risk assessment translates into proportionate monitoring, enforceable restrictions, and documented decision pathways.

KYB expectations now include dynamic risk recalibration, consistent escalation, integrated sanctions controls, and demonstrable linkage between program design and operational mitigation. Supervisory review increasingly examines whether control systems scale with business complexity.

The direction of travel is clear. Institutions are assessed on the resilience and enforceability of their risk infrastructure. The difference between compliance on paper and compliance in operation determines supervisory outcomes.


About Scoreplex

Scoreplex KYB AI Agent is an end-to-end business verification system that manages corporate due diligence as a unified case workflow. It automatically enriches registry data, maps ownership and UBO structures, screens companies and associated individuals against sanctions and PEP lists, analyzes adverse media, evaluates digital footprint signals, and links every finding to traceable sources. Instead of returning fragmented screening results, the system produces a structured, evidence-backed compliance report that consolidates ownership analysis, risk indicators, screening outcomes, and a clear risk assessment aligned with internal policy thresholds.

Users receive a consolidated case file rather than disconnected data points. Each decision is supported by source-linked evidence, confidence-scored matches, and an AI-generated compliance narrative ready for review and audit. For the business, this translates into faster onboarding cycles, lower manual review burden, reduced false-positive escalation, improved audit traceability, and the ability to scale verification volume without proportional headcount growth. The core benefit is structural efficiency: compliance teams spend less time assembling cases and more time evaluating material risk.
