The Dutch neobank Bunq is facing a hefty €2.6 million fine after regulators found persistent lapses in its anti-money laundering (AML) controls. This enforcement by De Nederlandsche Bank (DNB) underscores a broader regulatory crackdown on fintech banks across Europe. Below, we analyze what led to the fine, Bunq’s compliance missteps, and the lessons for other neobanks operating under increasingly stringent European AML oversight.
DNB’s Enforcement Action: €2.6M Fine for AML Lapses (2021–2022)
DNB imposed the €2.6 million fine in May 2025, targeting serious shortcomings in Bunq’s AML controls between January 2021 and May 2022. The central bank examined four customer cases during that period and concluded that Bunq “failed to properly investigate and report” clear red flags of possible financial crime. In practice, this meant Bunq’s systems flagged suspicious transactions, but the bank did not sufficiently follow up on those alerts or submit timely suspicious activity reports (SARs) to authorities. According to DNB, some alerts were not investigated “in sufficient depth, if at all”, allowing potential illicit transactions to go unreported.
Notably, Bunq has formally objected to the fine, indicating disagreement with the regulator’s findings. A Bunq spokesperson stated that the bank “takes its role as gatekeeper very seriously” and that it uses “the most advanced technology” to combat fraud and money laundering. Bunq asserts it has been continuously strengthening its systems, including improvements made after the 2021-2022 incidents, and remains confident in its position. Despite this stance, the Dutch central bank deemed the identified violations severe enough to warrant punitive action.
Repeat Warnings Ignored: A Pattern of Inadequate Remediation
This fine did not emerge out of the blue; it came after years of warnings and earlier enforcement actions that Bunq failed to fully address. DNB revealed that it had conducted multiple examinations of Bunq between 2018 and 2023, repeatedly finding serious AML compliance deficiencies. Previous reviews had already flagged major shortcomings in Bunq’s customer due diligence and transaction monitoring practices, and DNB had even taken enforcement measures on several occasions (including a prior fine) to compel improvements.
However, the latest investigation showed that Bunq’s remediation efforts fell short. The bank had not made “sufficient progress” in fixing its AML program despite those earlier warnings. In DNB’s words, earlier enforcement “did not result in sustained compliance” by Bunq. This history explains why the regulator opted for a sizable fine in 2025: it was essentially a follow-up penalty after Bunq failed to demonstrate lasting improvement following prior sanctions and a remediation program. DNB’s enforcement approach generally emphasizes getting institutions into compliance, but when violations are both severe and repeat, regulators are quicker to resort to fines. The Bunq case exemplifies this escalating approach: initial findings and even a smaller fine failed to change behavior, leading to a more punitive response.
Key AML Failings Identified at Bunq
What exactly went wrong inside Bunq’s AML controls? The DNB investigation highlighted a few critical failures in Bunq’s anti-money laundering program:
- Incomplete Alert Investigations: Bunq was found “deficient in following up on its transaction monitoring alerts”. In plain terms, when Bunq’s systems flagged unusual transactions, the bank’s compliance team often did not investigate thoroughly. Some alerts showing potential money laundering were never examined deeply, or at all, according to DNB. This gap meant obvious warning signs were missed.
- Failure to Report Suspicious Activity: Because alerts were not properly investigated, signals of possible financial crime were not reported to authorities as required. Banks must file SARs (suspicious activity reports) with the Financial Intelligence Unit (FIU) whenever they detect transactions that look criminal. Bunq failed to file or was late in filing such reports in several of the examined cases. DNB even noted Bunq could not demonstrate why two transactions with similar red flags led to a report in one instance but not in another, an inconsistency suggesting the bank lacked clear reporting criteria or diligence.
- Inadequate Ongoing Monitoring: The bank “failed to exercise adequate ongoing monitoring” of the four high-risk customer files that DNB reviewed. Effective AML requires continuously monitoring customer behavior (especially for high-risk clients) to catch new risks. Bunq did not maintain sufficient insight into these customers’ profiles or the nature of their transactions. This lack of continuous due diligence meant that evolving risk factors or patterns indicating money laundering were overlooked.
- Insufficient Customer Due Diligence (CDD): By labeling the fine as a penalty for “insufficient customer due diligence,” DNB signaled that Bunq’s know-your-customer procedures were subpar. A bank must “know who its customers are, where their money comes from, and what they intend to do with the funds”. Bunq’s records did not meet this standard in the cited cases: the bank lacked key information on the customers involved in suspicious transactions, undermining its ability to judge whether their activity made sense.
Collectively, these failures created a risk that “illicit money flows [could] continue unchecked,” as DNB starkly put it. When a bank doesn’t robustly investigate or report unusual transactions, it effectively leaves the door open for criminals to abuse the financial system. The regulator deemed the deficiencies in Bunq’s controls both “severe and culpable,” fully justifying the fine’s size.
A Wider Trend: European Regulators Scrutinize Neobanks and Fintechs
Bunq’s run-in with regulators is part of a broader European pattern of increased AML scrutiny on neobanks, fintechs, and electronic-money institutions. Across the EU, supervisors have grown more aggressive in enforcing financial crime compliance, not just with traditional banks, but with digital challengers and payment firms that have risen in prominence.
In the Netherlands, all major banks have been pressured to tighten AML controls in recent years. ING and ABN AMRO, the country’s largest banks, each paid massive fines in the past (ING paid a €775 million settlement in 2018, ABN AMRO €480 million in 2021) for AML failures, which prompted a nationwide compliance cleanup. This set a tough precedent. Now even a smaller player like Bunq is not exempt from strict oversight. In April 2025, fellow Dutch lender Rabobank disclosed it will face a court case over alleged money-laundering failures after it couldn’t reach a settlement with prosecutors. The message is clear: regulators and even criminal prosecutors are willing to take action if banks, old or new, fall short in their gatekeeping duties.
Elsewhere in Europe, digital-only banks have similarly come under the microscope. In Germany, for example, the regulator BaFin has repeatedly intervened in N26, one of Europe’s largest neobanks, due to compliance weaknesses. Back in 2021, BaFin capped N26’s new customer onboarding (at 50,000 per month) after finding AML control deficiencies, and it fined N26 €4.25 million that year for delayed suspicious activity reports. Further audits led to another €9.2 million fine in 2024 for continued issues with late reporting. BaFin even appointed a special monitor to oversee N26’s remediation. At one point, regulators in Italy went so far as to temporarily bar N26 from accepting new customers in 2022 over similar AML concerns. This enforcement streak culminated in investor pressure that forced N26’s founders to step down from management in 2025. The N26 saga underscores that fast-growing fintech banks are being held to the same standards as traditional banks and will be penalized if they can’t keep up.
At a continental level, the European Banking Authority (EBA) has explicitly warned of rising financial crime risks in the fintech sector. In a fresh 2025 report, the EBA noted that 70% of national regulators in the EU see high or increasing money-laundering risk in fintech firms. Supervisors worry that many fintechs and neobanks have prioritized rapid customer growth and innovation “over compliance,” leaving gaps in controls. Key vulnerabilities cited include inadequate customer due diligence, weak oversight of outsourced activities, and untested algorithms. The EBA bluntly stated that “innovation comes at the cost of compliance” in some fintech outfits, observing that many fintech companies lack the expertise and governance structures needed to manage AML/CFT risks effectively. This concern is driving a tougher supervisory stance. Indeed, European regulators (and soon a new EU Anti-Money Laundering Authority by 2026) are increasingly inclined to make examples of non-compliant fintechs to incentivize better behavior across the industry.
In short, the era of light-touch oversight for neobanks is over. Central banks and watchdog agencies are making it plain that digital banks and payment platforms must invest in robust AML controls early on, or face enforcement consequences. Bunq’s fine is one more data point in this Europe-wide trend of regulators ramping up scrutiny on all players, not just the old giants.
Why Fintechs Often Struggle with AML Maturity
Why do so many fintechs, neobanks and payment startups find themselves in trouble with AML compliance? A number of structural challenges tend to put neobanks at risk of lagging behind on AML maturity:
- Growth Outpaces Compliance: Neobanks often experience explosive customer and transaction growth. Bunq, N26, and their peers rapidly onboard users with sleek apps and quick sign-ups. But if a bank’s compliance team, processes, and systems don’t scale up at the same pace, gaps emerge. It’s not uncommon for a fintech to be handling volumes or geographies far beyond what its initially small compliance program was designed for. Regulators have noted that some fintechs focus on customer acquisition and assume they can “catch up” on compliance later, a risky strategy.
- Automation without Adequate Oversight: Fintechs lean heavily on technology (algorithms, AI, machine learning) for transaction monitoring and customer screening. Advanced software can indeed detect patterns faster, but technology is only as effective as its configuration and oversight. A careless or “unthinking” application of AML software can create blind spots. For instance, Bunq pioneered an AI-driven, risk-based AML system and even won a 2022 court case against DNB to use it in lieu of traditional rules. Yet this same reliance on automation may have contributed to complacency in manually reviewing alerts. If alerts are ignored or the AI’s output isn’t continuously validated, suspicious activity slips through. Regulators expect firms to supervise their automated tools, not to assume that software alone will meet all obligations.
- Thin or Inexperienced Compliance Teams: Many fintech startups operate with lean staffing. Traditional banks have large compliance departments and layers of checks; neobanks often start with a skeleton crew. This can mean fewer eyes on alerts, less expertise in-house to interpret red flags, and overworked analysts. Inexperienced staff might dismiss anomalies that should be escalated. It takes seasoned compliance officers to challenge unusual customer behavior and to know when to file official reports. Fintechs that don’t invest in experienced compliance leadership early can find themselves firefighting when regulators come knocking.
- Low Case Escalation and SAR Filing Rates: One quantitative red flag is when a digital bank reports very few suspicious transactions relative to its volume of business. While low SAR filing could mean effective upfront screening, it often signals that the institution is under-investigating alerts or setting the bar too high for what it considers “reportable”. Bunq’s inability to explain why some similar cases were reported to the FIU and others weren’t is an example of inconsistent judgment in escalation. Regulators compare peers and expect a certain level of reporting; an abnormally low rate can prompt questions about whether the bank is truly ferreting out illicit activity.
- Weak Governance and Culture: Finally, a root cause can be the lack of a strong compliance culture at the top. If leadership prioritizes growth and product innovation to the exclusion of risk management, the compliance function may lack authority and resources. A mature AML program requires support from the board and executives, embedding compliance into the business strategy. Some fintech founders (often from tech or startup backgrounds) may initially underestimate regulatory expectations. Building that culture of compliance, where adherence is as valued as user growth, is a hurdle many fintechs have to consciously overcome.
In Bunq’s case, these factors seem to have converged. The bank’s “most advanced technology” and innovative ethos did not translate into an effective AML outcome when measured by regulatory standards. Advanced tools produced alerts, but human follow-through was lacking. Bunq’s rapid expansion across Europe might have strained its relatively young compliance framework. As a result, the bank is now a case study in why fintechs must deliberately invest in AML maturity as they scale.
How Neobanks Can Avoid Repeat Enforcement: Best Practices
For other neobanks and fintech payment companies, Bunq’s experience is a cautionary tale. Compliance leaders in these firms can draw several practical lessons to prevent similar enforcement and ensure their AML programs meet regulators’ expectations:
- Embed Compliance from Day One: Treat AML compliance as a core business function, not an afterthought. This means hiring qualified compliance officers early, conducting risk assessments before launching new products or expanding markets, and building a compliance budget into the business plan. A strong culture of compliance must start at the top: executive management and boards should set the tone that effective AML controls are as important as growth metrics.
- Continuous Improvement and Independent Reviews: After any regulatory warning (or even internal audit finding), take remediation seriously and verify its effectiveness. Implement changes, then have independent parties test whether those fixes actually work. Engaging external auditors or consulting experts for periodic reviews can provide an objective check. Do not assume that because a fix was implemented on paper, the issue is closed. Test it in practice, and if one solution fails, be prepared to do more. Demonstrating a proactive approach to fixing compliance gaps can appease regulators and prevent follow-up sanctions.
- Robust Transaction Monitoring & Case Management: Invest in a scalable transaction monitoring system that can handle increasing volumes and adapt to new typologies. Rules and machine learning models should be regularly tuned to balance false positives vs. missing true risks. Equally important is a case management process for alerts: every alert should be logged, reviewed by an analyst in a timely manner, and either cleared with a documented rationale or escalated for investigation. Establish clear playbooks for analysts on how to investigate an alert (e.g. gather additional customer info, transaction details) and when to escalate to compliance management. Ensure an audit trail exists for each suspicious alert showing who reviewed it, what was found, and why a decision to report (or not report) was made.
- Timely and Consistent Reporting: Make it a non-negotiable policy that all regulatory reports (SARs, STRs, CTRs, etc.) are filed within required deadlines. Monitor your reporting metrics: if your number of SAR filings seems low for your business size or high-risk customer count, re-examine whether alerts are being missed or wrongly dismissed. Consistency is key: similar situations should yield similar outcomes. If an alert on one customer led to a SAR, ensure that a comparable scenario would trigger the same action, unless a documented reason justifies otherwise. Regulators take the failure to report suspicious transactions very seriously; this is often what turns a compliance finding into a punitive fine.
- Strong Customer Due Diligence and Ongoing KYC: Revisit your KYC and customer risk rating processes. Ensure you truly know your customers, not just at onboarding, but through the life of the relationship. This may involve periodic reviews of high-risk customers, refreshing identification documents, checking for adverse media or sanctions hits, and understanding the source of funds and purpose of accounts. If a customer’s activity deviates from expected behavior, your team should catch it and inquire. Maintain documentation on each high-risk customer explaining why their profile and activity make sense (or not). This “risk narrative” can be invaluable if regulators review your files: it shows you are actively assessing and managing risk, not just ticking boxes at onboarding.
- Adequate Resourcing and Training: Align your compliance staffing and training to the complexity of your business. Analyst headcount should grow with transaction volume and alert volumes; if alerts are piling up unresolved, that’s a red flag needing immediate attention (either by adding staff or improving systems). Provide regular AML training to all relevant employees, not just the compliance team. Frontline customer support or onboarding teams, for instance, should be trained to spot and escalate suspicious signs. A well-trained staff creates multiple lines of defense. Furthermore, consider specialized training or certifications for your compliance officers to ensure they stay current on typologies and regulatory expectations.
- Management Information and Board Oversight: Implement dashboards and reporting so that senior management and the board have visibility into AML performance. Metrics like number of alerts, backlog of pending reviews, SARs filed, accounts closed for suspicion, etc., should be reviewed at a high level. Board oversight ensures accountability: if the board of directors regularly asks questions about AML metrics and progress on any remediation plans, it signals that the institution takes compliance seriously at the highest level.
By following these practices, neobanks and fintechs can move from a reactive stance to a proactive AML posture. The goal is not only to avoid fines but also to genuinely prevent financial crime and build trust with regulators, banking partners, and customers. As regulators often say, effective AML compliance is an ongoing journey, not a one-time project; it requires continuous adaptation and commitment.
The Role of RegTech: Scalable Solutions for Modern AML Compliance
One advantage fintech companies have is their agility to deploy modern technology, and this can be harnessed to strengthen, not weaken, AML efforts. RegTech solutions (regulatory technology) are now available to help automate and streamline compliance in ways that were not possible a decade ago. Platforms like Flagright, for example, provide fintechs with a centralized, scalable AML toolkit that can grow alongside the business. Flagright’s no-code platform offers features such as real-time transaction monitoring with risk-based rules and AI, which can detect suspicious patterns and trigger alerts to compliance teams instantly for review. This ensures that as transaction volumes surge, the bank isn’t flying blind: potential issues are flagged in milliseconds.
Beyond alert detection, modern AML platforms integrate case management and documentation capabilities. This means when an alert is triggered, the system can automatically create a case, pull in relevant customer data, and track the investigation workflow from start to finish. Compliance officers can add notes, attach evidence, and record their decisions in one place. Such end-to-end case management helps ensure nothing falls through the cracks: every alert is dispositioned and can be audited later. In the Bunq scenario, having a clear record of why certain transactions were reported and others were not might have helped demonstrate consistency; a good case management tool enforces that discipline.
RegTech solutions also often include customer risk scoring and KYC orchestration. For instance, Flagright’s platform can assess customer profiles in real-time, pulling in identity verification, sanctions screening, and even adverse media checks. This means a fintech can quickly spot if a new user or an existing client suddenly presents higher risk (say they appear on a sanctions list or start transacting in high-risk regions) and then automatically adjust monitoring rules for that client. Automation of routine KYC and screening tasks can free up human analysts to focus on the truly complex cases. The key is to combine automation with human judgment: let machines do the heavy data crunching and pattern detection, but have skilled compliance professionals oversee the outputs and handle the nuanced decisions.
Crucially, good regtech platforms facilitate regulatory reporting and audit trails. They can auto-generate suspicious activity reports with the required data fields populated, making it easier to file complete and timely reports to FIUs. And they maintain logs of all system actions and user interventions. If a regulator comes for an inspection, the fintech can easily produce documentation of its monitoring and reporting activities. This level of organization and transparency can significantly ease the supervisory process and demonstrate a firm’s commitment to compliance.
For fintechs, partnering with a regtech provider like Flagright can accelerate the build-out of a mature AML infrastructure without having to reinvent the wheel. These platforms are designed to be flexible and scalable, meaning a small startup can use one at launch and continue using it as a larger institution without hitting a wall. They also stay updated with evolving regulatory requirements: for example, when new EU AML regulations or typologies emerge, the platform updates its capabilities accordingly. That kind of support is invaluable in the fast-changing compliance landscape.
In summary, technology is a double-edged sword for fintech compliance: if used carelessly, it can create loopholes (as regulators fear), but if used smartly with proper oversight, it is the fintech’s best ally in meeting and exceeding modern AML expectations. The combination of cutting-edge tools with a strong compliance culture is what will set successful neobanks apart from those that stumble.
Conclusion: Compliance from the Ground Up – A New Normal for Fintechs and Neobanks
The Bunq enforcement saga sends a resounding message to fintechs across Europe: regulators expect AML program maturity from the outset, not as an afterthought. In a financial ecosystem increasingly defined by digital-first banks and instant payments, regulators are sharpening their tone to ensure that innovation does not come at the expense of integrity. We see a convergence of actions: national regulators issuing fines and growth restrictions, the European Banking Authority highlighting fintech risks, and the upcoming European AML Authority (AMLA), which will directly supervise certain high-risk institutions. All of these point toward a stricter regime for compliance in the fintech and payments space.
For heads of compliance, risk, and operations at neobanks and payment service providers, the take-away is clear. AML compliance must be built in from day one and continuously reinforced as a company grows. There is no grace period in which a fast-growing fintech can defer implementing robust controls. On the contrary, those that proactively establish strong AML frameworks will have a competitive advantage: they will avoid costly enforcement distractions, earn regulators’ trust (making licensing and expansion easier), and ultimately protect their customers and reputation from the damage associated with financial crime incidents.
The future likely holds even less tolerance for compliance failures, not more. Regulators today have better data, enhanced cooperation, and political backing to pursue money laundering issues aggressively, whether the target is a century-old bank or a five-year-old fintech unicorn. As such, fintechs need to evolve from a startup mindset to a “financial institution” mindset rapidly when it comes to risk and controls. This means fostering a culture where compliance teams are empowered and adequately resourced, where boards actively oversee risk, and where the organization strives to be “compliance-forward” and not merely reactive to problems.
Bunq’s CEO and team may well be reflecting on how being a technologically innovative bank also requires being an innovative compliance leader. The hope is that, after resolving this penalty and implementing the necessary fixes, Bunq emerges with one of the stronger AML systems in the market, turning a painful lesson into an opportunity to set a higher standard. For its peers, it’s far wiser to learn from that lesson now than to repeat the mistakes.
In the end, fintechs that weave robust AML compliance into their DNA will not only avoid fines, but also contribute to a more secure and trustworthy financial system. In an era of heightened regulatory expectations, the cost of compliance is far cheaper than the cost of compliance failure, a fact that every neobank boardroom should keep front and center as they build the bank of tomorrow.