
What happens when a bank fails an AML exam?

Quick answer

When a bank fails an AML exam, regulators issue formal findings that can escalate to civil money penalties, consent orders, or monitorships. Severe or repeat failures trigger criminal referrals under the Bank Secrecy Act. The OCC, Federal Reserve, FDIC, and FinCEN each hold separate enforcement authority.

The full answer

Failing an AML exam doesn't produce a single outcome. It produces a graduated regulatory response that scales with the severity of findings, the bank's prior exam history, and whether the institution treated previous MRAs as a genuine mandate or administrative paperwork.

The starting point is typically a written finding: a Matter Requiring Attention (MRA) or a Matter Requiring Immediate Attention (MRIA). These are binding directives, not penalties. The bank submits a remediation plan, and examiners return to verify it. "What triggers a regulatory exam?" explains what sets an exam cycle in motion.

When findings are systemic or prior MRAs went unaddressed, regulators escalate through five primary tools:

Civil Money Penalties (CMPs): FinCEN imposes CMPs under 31 U.S.C. § 5321, with no statutory ceiling for willful violations. TD Bank's October 2024 settlement included $1.3 billion in FinCEN CMPs, part of a $3.09 billion package that included a criminal guilty plea by the holding company.

Consent Orders: Binding, public agreements that restrict the bank's activities. Product launches, branch openings, and acquisitions require prior regulatory approval while a consent order is active. They're not lifted until examiners are satisfied remediation is complete, which typically takes three to five years.

Memoranda of Understanding (MOUs): Less formal than consent orders but still public. Counterparties read them.

Deferred Prosecution Agreements (DPAs): Used by the DOJ when criminal conduct is present and the institution cooperates. HSBC's 2012 DPA came with a $1.9 billion settlement and a monitorship after examiners found it had processed cartel-linked transactions without adequate controls.

Monitorships: "What is a monitorship and when is one imposed on a bank?" covers the mechanics in full. The bank funds an independent expert, supervised by the court, who reports directly to regulators. Deutsche Bank was under a monitorship from 2017 onward following its $10 billion Russian mirror trading AML failures.

Criminal referrals sit above all of this. FinCEN refers to the DOJ, which can charge the institution under the BSA or the Money Laundering Control Act (18 U.S.C. § 1956). BNP Paribas pleaded guilty as an entity in 2014, paid $8.9 billion, and lost dollar-clearing access for a year.

US examiners use the FFIEC BSA/AML Examination Manual as their standard, evaluating five pillars: internal controls, independent testing, a designated BSA officer, ongoing training, and customer due diligence. Failure across multiple pillars in a single exam is a reliable predictor of formal action.

Why this matters

An AML exam failure isn't a compliance box to check and move past. It creates operational constraints that persist for years and reshape strategy in ways that compound over time.

A consent order freezes growth. A bank that can't approve new products or open branches while competitors move forward loses ground that's hard to recover. A monitorship adds millions in annual cost, funded entirely by the institution. All of it is public.

The paper trail compounds too. OCC findings are shared with FinCEN. FinCEN findings go to the DOJ. An exam that identifies SAR filing deficiencies can trigger a historical review of actual SAR submissions, potentially surfacing individual instances of unreported suspicious activity that become separate enforcement matters. "How long do banks have to file a SAR?" outlines the timelines examiners benchmark against. "What is the penalty for a missed CTR?" covers the related filing exposure for currency transaction reports.

The most common failure points examiners document:

Remediation after a failed exam typically requires large-scale temporary staffing to clear alert backlogs, replacement of transaction monitoring infrastructure, and rebuilding CDD documentation from scratch. Banks that use AI for AML transaction monitoring tend to have an easier time demonstrating audit-ready alert dispositioning to examiners, because the decision rationale is automatically documented rather than reconstructed after the fact. "How does FinCEN define suspicious activity?" covers the definitional standard examiners apply when reviewing alert outcomes.

The FinCEN Enforcement Actions register is worth reading regularly. What regulators penalize at one institution this quarter tends to become an exam priority at comparable banks in the next cycle.
