When AML Backlogs Meet Inspections: DFSA, DNB, CSSF and CBI
- Feb 18
In this post we compare how AML inspections play out under the supervisors in Denmark (DFSA), the Netherlands (DNB), Luxembourg (CSSF) and Ireland (Central Bank of Ireland).
For a long time, fintechs were telling themselves:
“We will clear the backlog next quarter”
European regulators have now answered that assumption with public cases and eight‑figure fines. This post will look at:
How supervisors in Denmark, the Netherlands, Luxembourg, Ireland and Lithuania actually run AML inspections;
What they focus on when they sit with your AML team;
What happens in practice when they find backlogs or unmonitored flows; and
What “good” looks like if you want to stay out of the press releases.

1. How AML inspections are actually run now
Across these markets, the inspection mechanics are surprisingly similar.
Risk‑based planning and off‑site data
All supervisors work off risk‑based annual plans, focusing on sectors and firms with higher inherent risk (cross‑border EMIs/PSPs, crypto‑exposed business models, large or complex fund platforms).
Denmark’s DFSA explicitly scaled up its AML Division after the Danske Bank case, using a formal risk model to pick who gets on‑site, and for how long.
Luxembourg’s CSSF does the same for investment funds and managers, combining its own sub‑sector risk assessment with detailed AML surveys.
Regulators demand structured AML data, for example:
Luxembourg: annual AML reports from the RC (responsable du contrôle) for each fund/IFM, plus a granular CSSF AML survey covering investors, intermediaries, PEPs, and risk assessment outcomes.
Ireland: a redesigned AML Risk Evaluation Questionnaire (AML REQ) for payment and e‑money institutions, filed as machine‑validated XML only, with 13 sections of detailed metrics on customers, geographies, products, controls and governance.
Lithuania’s BoL and FNTT are on the same path: BoL uses risk‑based inspection plans, standard AML templates and growing reliance on structured returns; FNTT publishes annual inspection plans and sector instructions (nurodymai) that it then inspects against.
On‑site (or via remote fieldwork), inspectors everywhere want to see three things in practice:
Customer files – KYC/ODD completeness, BO identification and verification, risk scoring rationale, EDD and periodic review evidence.
Monitoring and STRs – how alerts are generated, triaged and investigated, how STR decisions are reached, and whether volumes make sense relative to risk.
Governance – who actually owns AML risk, how MLRO/RCs report, whether board minutes, risk reports and internal audit findings show real oversight.
The philosophy is consistent: not “do you have a policy,” but
“does this institution execute an effective risk‑based AML framework in real life?”
2. The three failure patterns regulators keep punishing
When AML teams struggle, it tends to show up in the same three places.
Onboarding due diligence, ODD (files opened but never fully KYC’d) backlogs;
Periodic reviews, sanctions/PEP alert clearance;
and transaction‑monitoring cases.
A CAML analysis of EU enforcement actions between 2022 and 2025 highlights a set of familiar names:
Revolut (Lithuania) – €3.5m, Lithuania’s largest AML fine, with monitoring and governance issues central to the story.
N26 (Germany) – €9.2m for systematically late suspicious activity reports; BaFin effectively said that SAR backlogs are structural failures, not just ops noise.
Bunq (Netherlands) – €2.6m for failing to investigate alerts properly and weaknesses in CDD/monitoring over several years.
ING Spain – €3.9m for delayed internal reporting.
TransferGo (Lithuania) – €310k for insufficient transaction monitoring.
Regulators are explicit: if alerts and reviews “sit” for weeks or months, your institution is not capable of executing its own policies in real time. That is a regulatory violation, not a KPI issue.
In the most severe cases the fine is the smaller part of the outcome. Transactive Systems in Lithuania received a €280k fine for monitoring models that “couldn’t handle transaction volumes,” leaving suspicious activity unreviewed, and the fine came with full licence revocation. The message: where backlogs are designed into the model, you may lose the business, not just pay a fine. The same applied to Railsbank Technology UAB.
Unmonitored transactions: 31% of flows in the dark
If backlogs are one red line, outright blind spots are another.
The best current illustration is Coinbase Europe in Ireland:
Coding defects in its monitoring systems meant 30,442,437 transactions—around 31% of flows—were not properly monitored, covering more than €176bn over 12 months.
When the firm re‑monitored those flows nearly three years later, it had to file 2,708 STRs on suspected money laundering, fraud, drug trafficking, cyber‑attacks and child sexual exploitation.
The Central Bank of Ireland concluded Coinbase had failed to fully and properly monitor transactions, lacked adequate AML policies/controls, and had not applied additional monitoring to nearly 185,000 high‑risk transactions.
Penalty: €21.46m, reduced from a higher starting figure under their settlement scheme.
The crucial point is that even after the retrospective monitoring and STRs, the Central Bank treated the original blind spot as irreparable: the opportunity to block, freeze or trace funds in real time had been lost, and that is what the fine priced in.
Governance and “paper programmes”
Almost every serious case also contains a governance sub‑plot:
Luxembourg: CSSF sanctions often highlight inactive or under‑empowered AML officers (RCs), weak reporting to boards, and poor oversight of delegates and distributors in fund structures.
Ireland: CBI enforcement against an Irish AIFM focused on failure to oversee a delegated investment manager that put €17.7m into illiquid, hard‑to‑value assets riddled with conflicts; AML and governance issues were intertwined.
Banks and EMIs: multiple 2025 penalty reviews stress the same themes—policies existed, but operations lagged; risk assessments did not match the actual customer base; management did not staff or fix the problems even after early warnings.
Supervisors are increasingly uninterested in well‑written frameworks that are not executed. Operational discipline—clearing alerts on time, refreshing high‑risk files, back‑testing systems—is where credibility is now won or lost.
3. How the “big four plus Lithuania” compare in practice
Putting Denmark, Netherlands, Luxembourg, Ireland and Lithuania side by side reveals some useful contrasts.
Denmark (DFSA)
After Danske Bank, DFSA built a dedicated AML Division and a formal risk‑assessment model, significantly increasing the number and depth of on‑sites.
It gained legal tools to impose fixed‑penalty notices, appoint monitors and ban new customers until AML weaknesses are resolved—painful measures beyond pure fines.
In inspections, DFSA expects to see working transaction‑monitoring systems on premises and a risk assessment that genuinely drives CDD and TM priorities.
Netherlands (DNB)
DNB follows a long‑view escalation model: repeated examinations, remediation demands and, when weaknesses persist, escalating fines.
The Bunq case (repeated CDD and monitoring failings, €2.6m fine) and Volksbank (€5m) show DNB will punish firms that fail to deliver sustained remediation.
DNB’s public communications emphasise investigation quality and STR discipline: not just that alerts exist, but that they are analysed and escalated consistently.
Luxembourg (CSSF)
For asset managers and funds, Luxembourg is governance‑heavy: every fund/IFM must appoint an RR (board‑level responsible) and an RC (AML officer) with defined responsibilities and annual reporting duties.
CSSF combines off‑site AML surveys plus RC reports with targeted on‑sites; 2024 activity included 15 AML on‑sites, 67 face‑to‑face meetings, 12 injunction letters and a €3m fine on BNP for AML breaches.
Delegation and distribution chains are a major focus: managers must show how they oversee initiators, delegated portfolio managers and intermediaries from an AML perspective.
Ireland (CBI + AMLCU)
CBI operates one of the most data‑driven AML supervision models in Europe: the AML REQ for PIs/EMIs is a highly structured, schema‑validated data return that will also feed into EU AMLA reporting.
The Coinbase case (unmonitored €176bn flows, 2,708 retrospective STRs, €21.46m fine) shows CBI’s willingness to sanction major firms where TM coverage fails.
For funds, CBI focuses heavily on delegate oversight, liquidity and valuation risks, and AML controls at both the management company and service‑provider level.
The Dept. of Justice’s AML Compliance Unit (AMLCU) in parallel carried out 749 inspections of DNFBPs in 2024, demonstrating how normalised frequent AML inspections have become in Ireland.
Lithuania (BoL and FNTT) in context
BoL’s AML fines for EMIs/banks (e.g., €165k–€370k, roughly 1–3% of revenue in several cases) are material. They are smaller in absolute terms than Irish and some Dutch cases, but come with similar remediation and inspection intensity.
FNTT has shown it is prepared to revoke licences (e.g., Transactive Systems) where monitoring models simply cannot handle volume.
Backlogs and monitoring weaknesses are increasingly treated the same way as in the larger markets – as direct PPPF/PPTFPĮ breaches.

4. What does this mean for AML teams in practice?
There are a few hard but helpful truths that emerge from all of this.
A backlog is a serious problem.
Monitoring blind spots are priced like systemic risk events.
Documentation without discipline is a liability.
5. A practical inspection‑proofing checklist
For asset managers, funds, EMIs and PSPs operating in or out of these jurisdictions:
Know your real backlog – size it, risk‑rate it, and have an honest burn‑down plan. If you have backlogs, treat them as standalone projects with steering, metrics and ring‑fenced capacity, not as “extra work after BAU.”
Prove monitoring coverage – be able to demonstrate, technically, that all relevant flows and customer types are in scope, including new products, crypto integration, and third‑party channels.
Link BWRA → risk scores → controls – your business‑wide ML/TF risk assessment should clearly drive customer risk‑rating, EDD triggers, TM scenarios and review cycles; inspectors will test that linkage across files and systems.
Elevate AML governance – ensure RC/MLRO roles have real authority, direct board access, and adequate resources; boards should receive regular, data‑driven AML MI and challenge it.
And prepare your narrative – be ready to explain, with data:
how fast you are growing vs how fast you scaled AML;
where you fell behind and how you are fixing it;
why your current risk level is controlled, not just “on the way” to being controlled.
Supervisors do not expect perfection. They do, however, now expect risk‑based systems that actually work at scale—and they have shown, repeatedly, that the cost of getting this wrong is a multi‑million‑euro fine, business restrictions, and in the worst cases, the end of the licence.



