Nationwide’s blind spot. The AML collapse every firm should learn from before the FCA arrives
When the FCA released its £44 million Final Notice against Nationwide Building Society in December 2025, most headlines focused on the size of the penalty.
But for law and accounting firms about to come under FCA supervision, this case is far more than a banking story. It’s a preview: a case study in what the FCA looks for, what it will challenge, and how operational cracks can turn into systemic AML failures when left unattended.
Nationwide didn’t fall over a single mistake. It fell because small gaps (slow monitoring, patchy CDD, disconnected data, tolerated risks) piled up until the AML framework simply couldn’t protect the organisation. For firms heading into FCA oversight, it’s an early warning: “good enough” isn’t going to cut it.
This article breaks down what went wrong, why the FCA came down hard and what firms should act on as they move into a new regulatory era.
The foundation cracked: Nationwide didn’t have a complete picture of its customers
Nationwide’s CDD and risk assessment framework looked solid on paper. In practice, the data behind it wasn’t strong enough to support real risk decisions.
The FCA found:
- most customers were pushed into “standard risk” by default
- over 44,000 accounts never entered the risk engine at all
- enhanced CDD barely touched the customer base and never fed monitoring
- hundreds of thousands still had incomplete ID&V by 2022
The result? Nationwide didn’t know who was high risk, who was properly verified or where its exposure really sat. With poor data, even the best AML policy becomes guesswork.
Monitoring lagged behind reality - literally by months
This is one of the most important, and often overlooked, parts of the case. Nationwide’s transaction monitoring didn’t fail in theory; it failed in very specific, very practical ways.
A monthly batch cycle created baked-in delay.
Rather than analysing activity in real time or even weekly, Nationwide ran transaction monitoring once per month:
- Rule logic looked at the previous month’s transactions
- Alerts were generated at the beginning of the next month
- Investigators then had up to 20 working days to review each alert
In other words, suspicious activity could go six to eight weeks before anyone looked at it. This wasn’t a one-off. It was how the system was designed to operate.
Rules didn’t reflect customer profiles
Nationwide’s monitoring rules applied uniformly across millions of customers. Risk ratings weren’t consistently fed in. Enhanced CDD wasn’t feeding in either.
So the system couldn’t answer basic questions like:
“Does this transaction size make sense for this person?”
“Is this behaviour typical for someone in this profile?”
As a result:
- High-value deposits didn’t trigger alerts
- Income-to-turnover mismatches went undetected
- Behaviours that would look obviously suspicious to a human were invisible to automation
The FCA also found thresholds were set so high that real risk simply didn’t register.
Customer A: a case study in how small weaknesses compound into real harm
If there’s one part of the Final Notice people will remember, it’s this: the JRS fraud that slipped through multiple layers of control.
Customer A received:
- £1.35m in fraudulent JRS funds over 13 months
- followed by £26.01m in just eight days
- all into a basic retail account
Here’s how the monitoring system responded:
- Only the final four deposits triggered alerts - each for more than £6m
- Those alerts weren’t generated until the following month
- Investigators then had 20 working days to review them
Meanwhile, more than £800,000 was transferred out and never recovered. Nationwide didn’t identify the fraud. HMRC did.
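As an added illustration, not code from the Final Notice or from Nationwide’s systems, the Python below models the two monitoring defects described above: a profile-blind fixed threshold against a rule scaled to the customer’s declared income, and the delay created by a monthly batch cycle followed by a 20-working-day review window. The deposit figures, the £2,500 declared income, the £6m fixed threshold and the 10x multiple are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Deposit:
    day: date
    amount_gbp: float

# Constructed sample (not Nationwide's data): a basic retail account whose
# holder declared a modest monthly income, then receives a run of large credits.
DECLARED_MONTHLY_INCOME = 2_500
SAMPLE_DEPOSITS = [
    Deposit(date(2021, 2, 25), 2_400),       # ordinary salary credit
    Deposit(date(2021, 3, 1), 40_000),
    Deposit(date(2021, 3, 5), 120_000),
    Deposit(date(2021, 3, 10), 6_500_000),
    Deposit(date(2021, 3, 12), 7_000_000),
]

UNIFORM_THRESHOLD = 6_000_000  # assumed fixed rule applied to every customer alike

def uniform_rule_alerts(deposits):
    """Profile-blind rule: the same single-deposit threshold for everyone."""
    return [d for d in deposits if d.amount_gbp > UNIFORM_THRESHOLD]

def profile_rule_alerts(deposits, expected_monthly_income, multiple=10):
    """Profile-aware rule: alert when one deposit, or the rolling 30-day total,
    exceeds `multiple` times the customer's declared monthly income."""
    limit = multiple * expected_monthly_income
    ordered = sorted(deposits, key=lambda d: d.day)
    alerts = []
    for i, d in enumerate(ordered):
        window_total = sum(x.amount_gbp for x in ordered[: i + 1]
                           if d.day - x.day <= timedelta(days=30))
        if d.amount_gbp > limit or window_total > limit:
            alerts.append(d)
    return alerts

def monthly_batch_review_deadline(event_day, review_working_days=20):
    """Latest review date under a monthly batch: the alert is only generated on
    the 1st of the following month, then the investigator has N working days.
    Weekends are skipped; bank holidays are ignored for simplicity."""
    first_of_next_month = (event_day.replace(day=1) + timedelta(days=32)).replace(day=1)
    deadline, worked = first_of_next_month, 0
    while worked < review_working_days:
        deadline += timedelta(days=1)
        if deadline.weekday() < 5:
            worked += 1
    return deadline
```

On this sample the fixed threshold only fires on the last two deposits, the income-scaled rule fires on all four large ones, and a credit on 1 March is not guaranteed a review until 29 April under the batch cycle.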
Business use of personal accounts made the problem worse
Nationwide knew as early as 2016 that thousands of personal accounts were being used for business activity and knew its controls weren’t built for that kind of behaviour.
Still, it tolerated the issue for almost four years while exploring a possible business banking product. Only when the business banking product launch was abandoned did the FCA find "that impactful steps were then taken to develop a model to identify business use and create a formal written framework for defining, investigating, managing and, if appropriate, exiting unauthorised business customers."
By 2021, about 133,000 customers showed signs of business use and 16,000 accounts were closed for sitting outside risk appetite. Letting business activity flow through personal accounts inflated every existing weakness: more volume, more complexity, more noise, but the same blunt monitoring rules.
Why the FCA’s penalty was so high
The FCA rarely penalises a firm for a single miss. It penalises for patterns, especially when those patterns are known internally and persist.
Nationwide’s failures were:
- Prolonged: four and a half years
- Systemic: affecting CDD, monitoring, governance and data
- Foreseeable: Nationwide received internal and external warnings
- Harmful: real criminals laundered real funds through its accounts
- Cultural: improvement came, but came too late
The FCA’s message is clear: if you know something is broken, you need to act fast. Tolerating risk is not a mitigation strategy.
What firms need to start doing now in preparation for FCA supervision
Nationwide’s failures aren’t just a banking story; they’re a preview of what the FCA will look for when it starts supervising law and accounting firms. If your AML programme was built for SRA or professional-body oversight, the shift to FCA expectations will be a step change. Here’s what to get moving on now.
Keep your client picture complete and current
Onboarding-only CDD won’t pass. You need up-to-date verification, real risk differentiation and event-driven refreshes.
Replace static checks with continuous, risk-sensitive monitoring
The FCA expects monitoring that adapts when risk changes. For professional services, that means tracking shifts in ownership, geography, instructions, source of funds and matter complexity, not banking-style transaction rules.
Connect your CDD, risk scoring and matter workflows
Nationwide’s biggest weakness was disconnected data. The FCA will expect one source of truth: CDD feeding risk scoring, risk scoring powering monitoring and monitoring triggering escalation.
Speed up AML decision-making
Timeliness matters. Nationwide’s slow alert reviews were a key criticism. Firms need prompt review of high-risk indicators, fast escalation paths and clear timelines.
Fix known gaps
The FCA treats long-standing, unaddressed weaknesses as a breach in itself. Map issues, assign owners, set deadlines and demonstrate progress.
Give your MLRO operational control
Under FCA supervision, the MLRO isn’t just a policy lead; they’re accountable. They need access to data, oversight of monitoring and the authority to block or exit clients.
Prepare for data-led supervision
The FCA supervises by interrogating evidence, not reading policy statements. Make sure audit trails are clean, decisions are documented and SARs show quality, not volume.
About First AML
First AML comes from the perspective of both a technology provider and a team of compliance professionals. Before releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face today as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs, providing streamlined collaboration and consistency across all AML practices.
Keen to find out more? Book a demo today!