Nationwide’s AML fine: more lessons on SARs and the need to “know your customer”

Summary

In December 2025, the Financial Conduct Authority (“FCA”) fined Nationwide Building Society (“Nationwide”) £44,078,500 for financial crime systems and controls failures between October 2016 and July 2021 (the “Relevant Period”). The fine emphasises the importance of firms ensuring that their systems and controls are calibrated to the particular financial crime risks that their business poses and is confirmation of the FCA’s continued determination to take enforcement action for the most egregious financial crime-related failings.

Nationwide

Nationwide is the world’s largest building society. By July 2021, it had approximately 18 million UK customers, totalling £170 billion in customer deposits across its product range, with a 10% market share of UK current accounts. Nationwide’s business was and remains an entirely retail business.

The nature of the issue

During the Relevant Period, deficiencies in Nationwide’s anti money laundering (“AML”) systems and controls had a material impact on its ability to monitor effectively its customer relationships.

It did not have effective systems for refreshing CDD and conducting customer risk assessments. Unless the customer fell into certain limited categories (e.g. they had been charged or convicted of a financial crime), they were automatically classed as standard risk.
When measures were introduced to gather enhanced CDD, they only applied to new customers and existing customers seeking new products.
It had no process for undertaking either periodic or event-driven reviews of a substantial proportion of its customer relationships.
Those deficiencies effected its transaction monitoring system as a means by which inconsistent or unusual customer behaviour could be detected, investigated and addressed on a risk-orientated basis.

The weaknesses created the risk that unusual activity by customers might remain undetected and/or that customers moving into the ‘high risk’ category over the course of their relationship might not be identified and actively managed.

Business banking

The risk was more acute in circumstances known to Nationwide (from at least 2016) that certain of its customers were using their personal current accounts for business activity in breach of Nationwide’s terms and conditions.

Business banking customers present a different and potentially higher AML risk than personal customers due to factors such as the greater complexity involved in identifying corporate customers and monitoring their transactional behaviour, and the size and number of the transactions.

Although, whether to accept use of its accounts for business purposes in breach of its terms and conditions was a matter for Nationwide, it had to meet its legal and regulatory obligations, including the risk that an account might be used for the furtherance of financial crime.

Nationwide’s AML controls were not calibrated for business activity because it ran a purely retail business. For example:

they failed to capture essential business characteristics such as beneficial ownership, or expected usage patterns;
transaction monitoring systems were not designed to detect business-related suspicious activity; and
training and processes did not include sufficient guidance on how to investigate misuse of business accounts.

Nationwide accepted the risks of customers using their personal accounts for business purposes because it was planning to launch a business banking product to which personal current accounts being used for business purposes could be migrated. Only when those plans were dropped in 2020, were initial steps taken to mitigate the AML risks arising from the use of personal accounts for business purposes.

Undetected Covid fraud: ‘Customer A’

The weaknesses in Nationwide’s AML systems and controls led to the financial crime risk crystalising.

In one egregious case, Nationwide failed to identify that one of its customers (“Customer A”) fraudulently claimed and received from HMRC into their Nationwide accounts 24 Covid-19 furlough payments totalling £1.35 million over 13 months and £26 million over eight days between 2020 and 2021. This was despite obvious red flags regarding Customer A, including:

an account application that was declined because the address provided triggered a fraud network match alert;
account applications contained misrepresentations, including regarding Customer A’s address, occupancy status and income; and
repeated material changes of address, none of which were residential and one of which was linked to company registration activity with almost 60,000 companies linked to it.

The issue also highlighted weaknesses in Nationwide’s investigation and escalation of suspicious customer transactions. Transaction monitoring alerts were generated at the beginning of a month, based on the previous month’s activity, and staff were permitted 20 working days for those alerts to be investigated, meaning it could be almost two months before a suspicious transaction was investigated.

Furthermore, although suspicions regarding Customer A were escalated to the relevant authorities, when further suspicions subsequently arose, Nationwide’s policy was not to alert the relevant authorities if they had done so in relation to the same matter within the previous three months.

In the event, HMRC identified the fraud and obtained account freezing and forfeiture orders, leading to the recovery of all but almost £800,000 of the fraudulently obtained funds.

Practical lessons for firms

The Final Notice is further reminder for firms that their financial crime systems and controls must be commensurate with the nature, scale and complexity of firms’ activities. Firms’ financial control architecture should be fully integrated and evolve as firms’ business evolves.

CDD must inform risk assessment, which in turn inform EDD and transaction monitoring. Nationwide’s CDD did not capture essential information relevant to business banking such as the nature of the business, expected trading patterns and, where the business was that of a legal entity, their owners and controllers. That materially impeded Nationwide’s ability to produce accurate risk assessments to inform effective EDD and transaction monitoring. When unusual and/or suspicious activity arose in relation to a customer, it was not always able to recognise that, resulting in a failure to escalate matters appropriately, including in relation to a £27 million Covid fraud.

Firms must ensure that financial products are used consistently with the customer’s stated purpose. Nationwide failed to appropriately manage the use of personal bank accounts. Business banking presents a different and potentially higher AML risk because of the complexity, number and size of transactions. This is a stark example of what happens when a firm fails to do that. While it is a matter for firms as to whether to permit personal bank accounts to be used for business banking purposes in breach of terms and conditions, firms must nonetheless ensure that they have in place adequate and effective controls to mitigate the heightened AML risks that business banking poses.

Customer relationships must be reviewed both periodically, at defined intervals informed by the customer risk assessment, and on an event driven basis, when events take place impacting on the risk presented by the customer.

Where customer activity is inconsistent with the firm’s understanding of the customer, it should investigate promptly and (where appropriate) submit a suspicious activity report to the National Crime Agency. Nationwide’s “three-month rule” was implemented to avoid duplication of SARs in any three-month period. New NCA SAR Guidance issued in December 2025 addresses the question: “If new or additional information comes to light after I submit a SAR, what should I do?”. In those circumstances, the NCA now expects that: “[p]rovided the new or additional information enhances or adds to your suspicion, you should submit a new SAR, in which you can provide the new or additional information that has come to light”.