FCA Data Exposes Gaps in Enforcement of AML: Hundreds of Breaches, No Visible Consequences
- Elizabeth Travis
- Oct 2

The UK’s financial regulator has been quietly collecting hundreds of warnings about repeat anti-money laundering (AML) breaches. What it hasn’t been able to show is whether it has acted on them.
A Warning Buried in the Numbers
When the UK’s financial regulator was asked under Freedom of Information (FOI) law to disclose how often it had been alerted to payment service providers (PSPs) repeatedly breaching the Wire Transfer Regulation (WTR), the response was quietly damning. Since 2020, the Financial Conduct Authority (FCA) has received 265 notifications from PSPs about their peers failing to include the most basic information required in cross-border payments.
These breaches were not obscure technicalities. They involved missing names, incomplete addresses, and absent account numbers: the very identifiers that enable law enforcement to trace illicit money flows. The FCA’s disclosure revealed failures stretching across more than 60 countries, including the UK and the United States. But when asked what action followed, the regulator admitted it could not confirm whether enforcement had taken place. Establishing this, it said, would require manually examining each case file, a task it considered beyond its FOI obligations.
The effect is a troubling picture: the UK’s AML regime is receiving hundreds of red flags but cannot demonstrate that it has acted upon them. For a country that prides itself on being a leader in financial integrity, the implications are serious.
The Legal & Regulatory Foundations
The Wire Transfer Regulation is no obscure piece of compliance machinery. It is the practical expression of a global standard: the Financial Action Task Force (FATF) Recommendation 16, which requires that every wire transfer carry accurate and complete information on the originator and beneficiary. The purpose is simple but vital: without this information, law enforcement cannot trace illicit money flows, and financial institutions cannot block them.
The European Union embedded this principle in Regulation (EU) 2015/847, applied from 2017. In the UK, the obligation was on-shored through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. The regime has since been amended multiple times: in 2019 to cover crypto exchanges and art market participants, in 2022 to expand trust registration requirements, and in 2023 to adjust how politically exposed persons are treated. Each amendment broadened the perimeter, but the core obligation remained unchanged: every payment must carry the necessary identifiers.
Industry guidance underscores the stakes. UK Finance has warned that incomplete or missing payer data creates friction across payment chains and undermines the integrity of AML frameworks. The Wolfsberg Group has stressed that transparency in cross-border payments is the bedrock of financial crime prevention.
Notifications on the Rise
The FOI data illustrate a worrying pattern. In 2020, the FCA received just 18 notifications. By 2021, this surged to 97 before falling back, only to creep upwards again in recent years.
FCA Notifications of Repeated WTR Failures

Figure 1. Notifications of repeated WTR failures reported to the FCA. Source: FOI response, August 2025.
The spike in 2021 may reflect early industry adjustment to the UK’s on-shored rules and the global tightening of AML expectations. But the persistence of reports into 2025 shows the problem has not been resolved. Repeated breaches have become structural, not exceptional.
What the Failures Look Like
The substance of the failures is equally revealing. The FCA’s breakdown shows that in 99 cases, both originator and beneficiary information was insufficient. In 81 cases, payer addresses were incomplete; in 25, they were missing entirely. Other lapses included absent account numbers, missing names, and incomplete payer details.
Most Common Data Failures Reported to FCA

Figure 2. The most frequently reported data failures. Source: FOI response, August 2025.
These are not esoteric technical issues buried in payment message standards. They are the foundational identifiers required to prevent financial crime. Without them, law enforcement cannot follow the money, and PSPs cannot meet their obligations to detect suspicious activity.
A Global Web of Weakness
The FOI also revealed the global nature of the problem. Among the 135 distinct PSPs reported, firms were based in more than 60 jurisdictions. The UK itself accounted for 22, holding the top spot jointly with the US, while Kenya, Saudi Arabia, Qatar, Mexico, Egypt and the United Arab Emirates also featured prominently.
Top 10 Countries by Number of PSPs with Incomplete WTR Data

Figure 3. Geographic concentration of PSPs submitting incomplete WTR data. Source: FOI response, August 2025.
The presence of the UK and US at the top of this table is significant. It undermines the assumption that poor compliance is confined to fragile jurisdictions or offshore outliers. Instead, some of the world’s largest and most sophisticated financial centres are implicated.
Enforcement in the Dark
The FCA’s inability to confirm whether enforcement has followed raises profound concerns. Enforcement is the backbone of deterrence. If firms believe breaches will be tolerated, the incentive to invest in compliance weakens.
This opacity also undermines the UK’s credibility internationally. The FATF, which last evaluated the UK in 2018, will be looking closely at how supervisors respond to repeated non-compliance. Transparency about enforcement outcomes is not a luxury; it is a requirement under global standards.
The FCA is not alone in facing these pressures. The US Treasury’s FinCEN has levied multi-million-dollar fines for failures to include required information in wire transfers, and European regulators have increasingly treated WTR breaches as serious offences. Against this backdrop, the UK risks appearing an outlier, collecting notifications but not acting visibly upon them.
Industry Strains & Operational Excuses
The industry acknowledges the challenges. UK Finance has issued interpretative guidance to help firms navigate payment message formats, derogations and exemptions, and straight-through processing. It concedes that inconsistencies between PSPs create friction, leading to delays, queries, and manual interventions.
No amount of guidance can compensate for the vacuum left by weak enforcement. Without visible sanctions, compliance quickly falls down corporate agendas. The FCA’s silence signals to firms that breaches don’t matter, and if they don’t matter, why invest in fixing them? The result is a market tilted toward risk-takers, eroding the principle of collective AML integrity. Rules without credible enforcement are not rules at all, but suggestions, and in boardrooms, commercial pressures will always win unless regulators show they mean business.
FATF Standards & the UK’s Credibility
This matters internationally. FATF Recommendation 16 is explicit: countries must ensure that PSPs include accurate originator and beneficiary information, and that regulators enforce this effectively. In its last evaluation of the UK, FATF praised the legal framework but flagged concerns about supervisory follow-up.
The FCA’s FOI response risks confirming those concerns. A regime that gathers data but cannot show action undermines not only the UK’s domestic AML efforts but its credibility abroad. As the UK prepares for its next FATF evaluation, the ability to demonstrate enforcement will be critical.
Sanctions, Shadow Fleets & Global Risk
The failures identified in the FOI are not benign. Incomplete payment data has been exploited in sanctions evasion schemes, particularly since Russia’s invasion of Ukraine. The so-called “shadow fleet” of oil tankers has relied on convoluted payment chains that obscure remitter and beneficiary details. Without robust enforcement of WTR rules, the UK risks becoming a conduit for sanctions breaches.
The same vulnerabilities apply to terrorist finance and kleptocracy. Small but repeated transfers can slip beneath detection thresholds if payer details are missing. For kleptocrats seeking to launder wealth, incomplete payment data is an invitation. Each absent field is a blind spot in the global fight against illicit finance.
Technology & Supervisory Capacity
The FCA’s limitations are not just legal but technological. Unlike banks, it does not have direct visibility into payment transactions. It relies on notifications from PSPs and even these, the FOI revealed, can be mishandled. Three emails reporting breaches were lost entirely due to technical issues.
Supervising global payment flows requires data science capabilities that go far beyond the FCA’s current resources. Effective oversight now depends on real-time analytics, pattern detection, and cross-border information sharing. Unless the UK invests in its supervisory technology, it will struggle to uphold the standards it demands of industry.
What Must Change
The FCA’s FOI disclosure points to urgent reforms. At minimum, the regulator should publish aggregate data on enforcement outcomes from WTR notifications. Firms and the public must be able to see whether reports lead to action. The pathway from notification to sanction must be visible and predictable.
Cross-border coordination also needs strengthening. When a UK PSP reports a US counterpart, regulators on both sides should be working together. And the FCA itself needs investment in digital infrastructure to track patterns across hundreds of notifications.
Above all, the UK must demonstrate that the Wire Transfer Regulation has real bite. Without credible enforcement, the regime risks becoming performative, eroding trust in the international payments system and in the UK’s global reputation for financial integrity.
Conclusion: The UK’s Moment of Truth
The FCA’s FOI response is more than a bureaucratic curiosity. It is a warning that the UK’s AML defences are fraying at the edges. The Wire Transfer Regulation was meant to seal the cracks through which illicit money slips. But without visible enforcement, the regime risks becoming a paper tiger.
The stakes are not limited to compliance departments. They touch the UK’s role as a global financial centre. If London cannot uphold its own AML rules, its ability to demand higher standards abroad collapses.
As FATF prepares for its next evaluation of the UK, the message is clear. The country must demonstrate not just that rules exist but that they are enforced. Otherwise, the integrity of its payments system, and its global reputation, may be fatally compromised.