ING Bank 2018: $900M Enforcement Action

What happened?

ING Bank N.V., one of the Netherlands' largest financial institutions, agreed in September 2018 to pay €775 million to settle a criminal investigation by the Dutch Public Prosecution Service (Openbaar Ministerie). The settlement was announced on September 4, 2018, and it was at the time the largest criminal settlement in Dutch legal history.

The failures covered approximately 2010 to 2016. According to the Dutch DPP's published statement, ING's compliance function failed to adequately screen customers and monitor transactions across this period. The gap left accounts open to use by clients engaged in suspected financial crime. Multiple clients moved funds through ING accounts that regulators later characterized as proceeds of corruption or fraud.

One documented area of exposure involved ING's correspondent banking relationships. Public reporting linked ING accounts to payments connected to the VimpelCom (now VEON) bribery case, in which US authorities separately found that hundreds of millions of dollars in bribes had been paid to Uzbek officials for telecommunications licenses. The DOJ and SEC settled with VimpelCom in 2016. ING was not a party to that settlement, but the cases together illustrate how correspondent banking can transmit AML exposure upstream when underlying customer due diligence is inadequate.

The Dutch DPP found that internal compliance warnings had been raised at ING but were not acted on with sufficient urgency. Transaction monitoring was under-resourced relative to the volume and complexity of the bank's client base. The investigation ran over several years before culminating in the 2018 settlement.

What did regulators say?

The Dutch Public Prosecution Service was direct about the scale of ING's failures. According to the September 2018 press release, the DPP stated that ING had exhibited "serious shortcomings in the prevention of financial and economic crime." The statement confirmed that customers had used ING accounts for years to launder money without the bank taking appropriate action.

The DPP made clear this wasn't a case of isolated operational errors. Regulators alleged that ING had failed over an extended period to implement and maintain the CDD and transaction monitoring controls required under Dutch law. The press release referenced specific instances where accounts were used for payments connected to suspected bribery and fraud.

The DPP also emphasized the institutional character of the failure. The breakdown wasn't limited to a single desk or product line; it reflected systemic gaps in how ING managed financial crime risk across its corporate client base. Regulators noted that ING had cooperated with the investigation and had begun improving its compliance infrastructure before the settlement was reached. That cooperation contributed to the decision to resolve the matter by settlement rather than public prosecution.

Dutch central bank De Nederlandsche Bank (DNB), which had supervisory oversight of ING's AML controls during this period, subsequently signaled it would intensify AML examinations across the broader Dutch banking sector.

What controls failed?

Three categories of control failure drove this case.

Customer due diligence. ING's KYC processes for corporate clients didn't establish beneficial ownership reliably. Regulators alleged the bank didn't consistently know who actually controlled the accounts in question or where funds originated. Under FATF Recommendation 10, firms must understand the nature and purpose of business relationships and conduct ongoing due diligence. ING's onboarding and refresh processes fell short of this standard for a significant portion of its corporate portfolio over a sustained period.

Transaction monitoring. The bank's monitoring systems weren't calibrated to catch the patterns that later proved suspicious. Alert volumes were high, escalation paths were unclear, and resolution timelines were too long. For a bank with ING's correspondent banking footprint, these gaps were especially consequential. FATF Recommendation 13 is explicit about what correspondent banks must do to manage respondent relationship risk. ING's monitoring didn't meet that standard.

Suspicious transaction reporting. The most practically serious failure was the gap in STR filings to FIU-NL, the Netherlands' financial intelligence unit. Transactions that should have triggered reports went unreported. FATF Recommendation 20 sets a clear obligation to report suspicious activity promptly. Years of insufficient reporting meant investigative leads were never surfaced to authorities.

Governance. Internal compliance alerts were raised but didn't translate into action. The compliance function lacked the authority and resources to drive change at the pace the bank's risk profile demanded.

Which regulations were violated?

The settlement was grounded in the Wet ter voorkoming van witwassen en financieren van terrorisme (WWFT), the Netherlands' primary AML and counter-terrorist financing legislation. The WWFT implements EU AML directives into Dutch law and reflects the international standards developed by the Financial Action Task Force.

FATF's framework runs throughout the case. FATF Recommendation 1 requires firms to apply a risk-based approach to their client portfolios. ING's failure to calibrate resources and controls to its actual client risk profile meant high-risk relationships persisted without adequate oversight. FATF Recommendation 11 on record-keeping was also implicated, given the documentation gaps in ING's KYC files. The FATF's mutual evaluation process for the Netherlands had previously flagged weaknesses in the Dutch financial sector's AML implementation; ING's settlement is a concrete example of what those weaknesses looked like in practice.

The EU AML directives in force during 2010-2016 (the Third and Fourth AMLD) formed the broader regulatory backdrop. The 6AMLD, which came into force in December 2020 and expanded criminal liability for money laundering across EU member states, reflected the policy response that enforcement actions like ING's helped drive.

The insufficient STR filing also placed ING in breach of FATF Recommendation 20 obligations. The WWFT requires financial institutions to report suspicious transactions to FIU-NL promptly; the Dutch DPP found ING had not consistently met this requirement.

Which typologies were involved?

The ING case centered on two connected financial crime patterns.

Bribery facilitation through corporate accounts. The most prominent pattern was accounts used to route payments connected to alleged bribery. ING's corporate and correspondent banking clients structured payments to resemble legitimate commercial transactions. Without effective behavioral monitoring or deep CDD, the bank couldn't distinguish normal business flows from proceeds of corruption. FATF Recommendation 13 addresses exactly this risk: before entering or maintaining correspondent relationships, banks must assess whether respondents apply adequate AML controls. ING's processes didn't reliably make that assessment.

Corporate layering to obscure beneficial ownership. Regulators alleged that clients used corporate structures to create distance between funds and their true origin or destination. Each intermediate entity added a layer of apparent legitimacy. The defense against this typology is reliable beneficial ownership identification: knowing who ultimately controls an account and what that person or entity does. FATF Recommendation 24 sets that standard. ING's CDD processes didn't consistently pierce the corporate structures its clients presented.

Long-running relationship risk. A secondary but important pattern was the persistence of these accounts over years. Typologies that run for extended periods typically indicate that monitoring isn't catching anomalies or that alerts aren't triggering escalation. Effective CDD and behavioral monitoring would have identified the patterns earlier in these client relationships, creating opportunities to exit or report before the problem became entrenched.

Aftermath and remediation

The €775 million settlement was paid in 2018. ING committed to a multi-year compliance remediation program covering its Dutch retail and corporate banking operations. Dutch supervisors monitored progress against that commitment.

CEO Ralph Hamers faced immediate political pressure. Dutch parliamentarians called for his resignation, and public debate focused on whether ING's board had received adequate information about the compliance failures during the relevant period. Hamers remained as ING's CEO and later moved to UBS. Separate legal proceedings in Switzerland related to this matter were eventually dropped.

The reputational impact was material. ING's share price fell sharply on the day of the announcement. Some counterparties reviewed their correspondent relationships with the bank, and institutional investors scrutinized ING's governance and compliance risk management more closely in subsequent years.

The case had sector-wide consequences in the Netherlands. De Nederlandsche Bank intensified its AML examinations across Dutch banks, and several other institutions subsequently disclosed their own AML remediation programs. Collective compliance investment in the Dutch banking sector grew substantially in the years after 2018, driven partly by regulatory pressure and partly by the signal the ING settlement sent to bank boards across the country.

ING itself expanded its financial crime compliance headcount, rebuilt its transaction monitoring infrastructure, and improved its STR filing processes. Board-level oversight of the compliance transformation was made explicit in the bank's annual reports in the years that followed.

Lessons for other institutions

The ING case is specific enough to yield concrete takeaways for compliance teams at banks with comparable corporate and correspondent banking exposure.

Match resources to risk, not revenue. ING's compliance function was under-resourced relative to its client base's complexity. Compliance staffing and monitoring technology need to scale with the risk profile. If your alert queue can't be cleared within a defined SLA, that's an executive-level problem, not a team-level one.

Escalation must produce visible action. Compliance warnings that don't lead to documented action are worse than no warning at all. They create a paper trail showing the institution was on notice and didn't respond. Senior management must act on compliance concerns, and there must be records that demonstrate they did.

Know who controls every account. FATF Recommendation 24 is a minimum standard. Every corporate relationship needs a documented, verified beneficial owner. Refresh cycles should be proportionate to risk: higher-risk clients annually, with triggers for event-driven reviews on change-of-control events or unusual activity.

Treat correspondent relationships as your own risk. FATF Recommendation 13 is explicit: assess the AML controls of respondent institutions before taking on the relationship. A respondent bank's CDD failures become your exposure the moment its clients' funds move through your accounts.

File STRs on time. Regulators treat late or missing STR filings as a serious indicator of a dysfunctional compliance culture. Build the processes and staffing levels that make timely filing routine, with escalation triggers when reporting timelines slip.

How FluxForce helps prevent similar failures

ING's failures were operational: transaction monitoring that missed what it should have caught, KYC processes that didn't establish beneficial ownership consistently, and STR filings that lagged or didn't happen. FluxForce's AI agents address each gap. Nova Sentinel monitors transaction behavior in real time and surfaces anomalies that static rule sets miss. Aiden Flux manages KYC workflow: it tracks beneficial ownership documentation and triggers refresh reviews on schedule. Every decision carries a complete audit trail. Where a transaction meets the STR threshold, the system drafts the report automatically for compliance review. Request a demo to see it in action.