MoneyGram’s AML/CFT Failures: Key Insights for Fintechs

MoneyGram Fined by French Authority: AML/CFT Lessons Learned Checklist for MSBs and Fintechs

In April 2026, the French Autorité de contrôle prudentiel et de résolution (ACPR) imposed a €1.3 million financial penalty and a formal reprimand on MoneyGram International SA following an extensive on‑site inspection of its French operations.

Large fines levied on financial institutions for systemic weaknesses in their anti-money laundering and counter financing of terrorism (AML/CFT) programs invariably highlight similar, if not the same, failings. The fine imposed on MoneyGram's French operations for systemic weaknesses in its AML/CFT program mirrors the outcome for TD Bank in 2025, among others.

This latest case is yet another reminder to Boards of Directors, executive leadership and compliance professionals that an institution's AML/CFT programs must be fit for purpose and reflect the intent of AML/CFT laws. Also worthy of mention is the importance of the third line of defense, internal audit, in the AML/CFT governance oversight of financial institutions.

The recent MoneyGram example reminds us of the importance of our compliance programs passing the test in these key areas:

1. Customer Classification & Relationship Definition

Ensure business‑relationship definitions reflect real customer behavior

  • Relationship thresholds (frequency, volume, duration) must be risk‑based and empirically aligned to actual usage patterns, not arbitrary metrics disconnected from the customer base. There is no one-size-fits-all approach. It is not sufficient to apply global thresholds across jurisdictions. Controls should be tailored to the specific market, in keeping with its AML/CFT risk.

Prevent structural over‑reliance on “occasional customer” status

  • Controls must ensure that active or repeat customers are not systematically exempted from enhanced customer due diligence (CDD) obligations by overly narrow classifications that do not reflect the reality of the business, as shown by aggregated value and volumes and by customer activity. Remain mindful of specific regulatory guidance where CDD and enhanced due diligence (EDD) requirements are codified.

Periodically validate classification logic

  • Re‑test customer segmentation rules using transaction data to confirm that risk exposure is accurately captured. Financial institutions cannot take a set-and-forget approach to their controls, which require periodic review and adjustment to align with changing AML/CFT risk and customer profiles.

 

2. Customer Due Diligence (CDD) Data Quality

Collect mandatory financial profile information for business relationships

  • Maintain documented information on customers’ professional activity, income, and overall financial situation where a business relationship exists. Policies and procedures must effectively lay out CDD and EDD requirements for customers (these may be applied progressively, based on customers’ aggregated threshold activity and/or risk classification).

Link CDD scope to customer risk and activity

  • Data collection depth must be scaled with transaction frequency, volume, and geographic exposure.

Enforce periodic refresh cycles

  • Customer information must be reviewed and updated to maintain relevance and reliability over time.

 

3. Ongoing Due Diligence & Monitoring

Ensure transaction monitoring is customer‑context aware

  • Alerts should be assessed against a well‑documented customer risk profile; monitoring systems without adequate contextual data are inherently ineffective.

Detect cumulative transaction risk

  • Systems must identify patterns of repeated low‑value transfers that cumulatively present ML/TF risk.

Escalate repeat activity appropriately

  • Multiple transactions over sustained periods should trigger reassessment of customer status and monitoring intensity. This is key in identifying and reporting suspicious activity.
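The re-test of classification rules from section 1 and the cumulative low-value detection described in this section can be run as one check over transaction data. The sketch below is an added example, not code from MoneyGram, the ACPR or the author; the 90-day window, the count and value thresholds, the customer IDs and the transfers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical relationship thresholds; a real programme calibrates these per market.
WINDOW = timedelta(days=90)
MAX_COUNT = 4        # transfers in any window before status is reassessed
MAX_TOTAL = 1000.0   # cumulative EUR in any window before status is reassessed

# Constructed sample data: (customer, date, amount in EUR).
TRANSFERS = [
    ("C1", date(2025, 1, 5), 180.0), ("C1", date(2025, 1, 19), 190.0),
    ("C1", date(2025, 2, 2), 175.0), ("C1", date(2025, 2, 16), 185.0),
    ("C1", date(2025, 3, 2), 195.0), ("C1", date(2025, 3, 16), 180.0),
    ("C2", date(2025, 1, 10), 300.0), ("C2", date(2025, 9, 1), 250.0),
    ("C3", date(2025, 4, 1), 600.0), ("C3", date(2025, 4, 20), 550.0),
]
DECLARED = {"C1": "occasional", "C2": "occasional", "C3": "occasional"}


def worst_window(rows):
    """Return the highest transfer count and highest total seen in any rolling window."""
    rows = sorted(rows)
    best_count, best_total, start, running = 0, 0.0, 0, 0.0
    for end, (day, amount) in enumerate(rows):
        running += amount
        while day - rows[start][0] > WINDOW:   # slide the window start forward
            running -= rows[start][1]
            start += 1
        best_count = max(best_count, end - start + 1)
        best_total = max(best_total, running)
    return best_count, round(best_total, 2)


def retest_classification(transfers, declared):
    """Flag 'occasional' customers whose real activity looks like a relationship."""
    by_customer = defaultdict(list)
    for customer, day, amount in transfers:
        by_customer[customer].append((day, amount))
    findings = {}
    for customer, rows in by_customer.items():
        count, total = worst_window(rows)
        breached = count > MAX_COUNT or total > MAX_TOTAL
        if declared.get(customer) == "occasional" and breached:
            findings[customer] = {"count": count, "total": total}
    return findings


if __name__ == "__main__":
    print(retest_classification(TRANSFERS, DECLARED))
```

C1 never sends more than 195 EUR at a time yet breaches both thresholds through repetition, while C2's two transfers months apart remain genuinely occasional.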

 

4. High‑Risk Business Model Controls

Recognize remittance activity as inherently high risk

  • Cash‑based, cross‑border, and corridor‑sensitive payment services require enhanced safeguards by default.

Apply heightened scrutiny to sensitive jurisdictions

  • Geographic risk indicators must translate into tangible monitoring and review controls, not static risk ratings.

Align control intensity with transaction velocity

  • High‑volume systems require proportionately strong real‑time or near‑real‑time oversight.

 

5. Governance & Compliance Framework Alignment

Ensure AML/CFT frameworks match the institution’s risk profile

  • Regulators will penalize mismatches between declared risks and implemented controls, even where policies exist on paper.

Treat systemic weaknesses as governance failures

  • Recurrent gaps across multiple control areas indicate failures in oversight, not isolated operational errors.

Empower compliance functions to challenge the business

  • Compliance must be able to influence customer segmentation rules, monitoring logic, and onboarding standards.

 

6. Internal Controls & Assurance

Test AML controls against real use cases

  • Internal audits and compliance testing should simulate realistic customer behavior, not only theoretical policy requirements.

Validate the effectiveness of control outcomes

  • The question regulators ask is not “do controls exist?” but “do they prevent risk exposure in practice?”

Document remediation actions and outcomes

  • Supervisors expect evidence that weaknesses are identified, corrected, and retested, not merely acknowledged.

 

7. Regulatory Expectation Awareness

Avoid formalistic compliance interpretations

  • Narrow or literal readings of AML/CFT rules that undermine their protective intent will not withstand supervisory scrutiny.

Anticipate supervisory focus on substance over form

  • Enforcement actions increasingly target whether compliance frameworks actually mitigate ML/TF risk, not whether minimum documentation exists.

 

Final Takeaway for MSBs and Fintechs

The MoneyGram case underscores a clear regulatory message:
Systems that structurally exclude large portions of active customers from enhanced due diligence are, by definition, non‑compliant. For MSBs and Fintechs, success in AML/CFT is no longer about policy presence—it is about demonstrable, data‑driven risk coverage aligned to the realities of the business model.

Author: Fabian E. Sanchez, JP

CIPM, Intl. Dip. AML, CAMS, CIRM, MBA, BBA   fsanchez@fabian-sanchez.com