What happens when a bank fails an AML exam?
Quick answer
When a bank fails an AML exam, regulators issue findings ranging from informal supervisory actions to formal enforcement: consent orders, civil money penalties, and in serious cases, a deferred prosecution agreement or criminal charges. The bank must remediate identified gaps within defined deadlines.
The full answer
When a bank fails an AML exam, the regulatory response scales with severity. Isolated gaps might result in supervisory findings with a remediation deadline. Systemic failures produce public enforcement actions, civil money penalties, and sometimes criminal prosecution.
The first output from a failed exam is a supervisory finding. US bank examiners from the OCC, Federal Reserve, FDIC, or state regulators issue Matters Requiring Attention (MRAs) or, for urgent deficiencies, Matters Requiring Immediate Attention (MRIAs). These aren't public, but they bind the bank to a remediation timeline. Examiners track progress at the next exam cycle, and unresolved MRAs become the foundation for escalation.
If deficiencies persist, regulators move to informal actions: board resolutions, memoranda of understanding, or commitment letters. The board is now personally accountable, signing off on milestones.
Formal enforcement comes next when informal action fails. The main instruments are consent orders (public, binding, deadline-driven), civil money penalties, cease and desist orders, and activity restrictions. Capital One paid $390 million to FinCEN in January 2021 for willful BSA violations including inadequate SAR filing and a failure to monitor certain account types. In October 2024, TD Bank pleaded guilty to BSA conspiracy and money laundering charges, paid over $3 billion, and accepted an OCC-imposed asset cap, making it the largest bank ever to plead guilty to BSA violations.
Missed or late SAR filings are one of the most common drivers of exam failures. Banks have 30 days to file a SAR from the detection of suspicious activity, with a possible 60-day extension in limited circumstances. Chronic delays show up immediately in exam sampling. Civil penalties for missed CTRs are similarly well-documented.
Customer due diligence failures are another consistent exam finding. Inadequate CDD and EDD procedures, missing beneficial owner data, and stale customer risk ratings appear in consent orders across the US and UK. Customer risk ratings that aren't refreshed on schedule signal a broken risk monitoring program to examiners.
At the serious end, the DOJ can pursue a deferred prosecution agreement, a non-prosecution agreement, or a criminal guilty plea. These result in fines, compliance monitors, and in some cases restitution to affected parties.
When regulators don't trust a bank to self-remediate, they impose a monitorship. An independent monitor, reporting to the regulator, oversees every aspect of the remediation program. Monitorships typically cost the bank $10 million to $50 million per year and last two to five years.
Remediation requirements across most consent orders include the same core elements: rewrite the AML program, clear the alert backlog, run a lookback review of historical transactions, retrain AML staff, and fix transaction monitoring systems. The OCC publishes its formal enforcement actions as permanent public records. Missing regulatory milestones doesn't pause the clock. It escalates the action.
Why this matters
A failed AML exam doesn't stay in the compliance department. Within weeks it reaches the board, the CEO, the press, and in some cases regulators in other jurisdictions.
Formal enforcement actions are public. Institutional counterparties read them. Correspondent banks review them before renewing relationships. Rating agencies may factor significant consent orders into their analysis. A consent order is effectively a reputational event as much as a regulatory one.
The financial cost extends well beyond the penalty notice. Remediation programs, lookback reviews, consultant fees, and monitorships routinely add tens of millions to the bill even for mid-size institutions. A bank spending $40 million on remediation after a consent order is spending budget that wasn't planned.
For compliance teams, the operational impact is immediate. Activity restrictions freeze new product launches and acquisitions. Staff get redirected to remediation. Alert queues grow because the team is stretched across normal operations and the remediation program simultaneously. Excessively high false positive rates are both a symptom of a failing AML program and a cause of exam failures: analysts drown in noise and real suspicious activity slips through.
Several banks under consent orders have accelerated AI-based monitoring programs specifically because manual processes couldn't scale to meet regulators' remediation timelines. Can AI be used for AML transaction monitoring? The short answer is yes, but regulators require documented validation and explainable outputs. Technology alone doesn't satisfy an exam finding; the program and governance around it do.
How FinCEN defines suspicious activity matters here too. Exam teams test whether the bank's own definition of suspicious activity matches FinCEN's standard. A narrow internal definition that systematically excludes categories of suspicious behavior is itself an exam finding.
Related questions
- What triggers a regulatory exam?
- What is a monitorship and when is one imposed on a bank?
- How long do banks have to file a SAR?
- What is the penalty for a missed CTR?
- How does FinCEN define suspicious activity?
Related concepts and regulations
- What is the difference between CDD and EDD?
- What is a beneficial owner?
- What is the difference between AML and CFT?
- How often should customer risk ratings be refreshed?
- Who files a SAR - the MLRO or the compliance officer?