Methodology

April 1, 2026 · Mohan Paranthaman & Karthik Iyengar

The Missing Methodology Layer

Why the brain of compliance is absent from most financial institutions, and what happens when regulators come looking for it.

Executive Summary

The examiner sitting across from you asks why EDD kicks in at a customer risk score of 75 rather than 70. You open your laptop. You pull up the methodology document. You scroll. Two minutes pass. You’re aware that “I’ll have to get back to you” is the wrong answer.

You have sophisticated AML technology. You have a thick policy binder. What you don’t have, when it counts, is the document that answers the question BaFin is actually asking. Not what, but why.

This is the brain of compliance. And in most institutions we’ve worked with, it’s missing.

When regulators arrive (BaFin under §44 KWG, the FCA under SYSC, FinCEN under the Bank Secrecy Act, MAS under Notice 626), they don’t just examine what a bank did. They examine why. They look for a documented, coherent, institution-specific methodology that connects regulatory requirements to operational decisions. In its absence, even the most sophisticated AML tooling can’t prevent findings, sanctions, or enforcement actions.

This paper maps the gap we keep seeing: what it is, why it shows up in every major jurisdiction, why the consulting-led model of closing it doesn’t work, and what’s now possible for the first time.

A note on the numbers in this paper: the deficiency-frequency percentages and §44 finding patterns are WBP’s own analysis, drawn from publicly reported BaFin enforcement measures and our direct engagement experience across BaFin-supervised institutions between 2022 and 2025. Where a claim is sourced from a specific regulatory publication or enforcement notice, we cite it inline and in the References section at the end of the paper.

What's inside

Section 1: What Is the Methodology Layer?
  The intellectual framework that explains why every compliance decision was made, and what it comprises.
Section 2: The Global Pattern: Audits Find This Every Time
  How BaFin, FCA, FinCEN, MAS, and FINMA examinations all surface the same structural gap.
Section 3: Why the Gap Persists
  The economics, consultant dependency, technology disconnect, and volume pressures that keep methodology last on the list.
Section 4: The Public Record: Enforcement and the Methodology Gap
  Six published enforcement actions and the shared root cause that ties them together.
Section 5: Closing the Gap: What Is Now Possible
  Why the structural barriers to living methodology documentation have been eliminated.
Section 6: The AMLR Forcing Function
  Why EU AMLR effective 1 July 2027 turns methodology from a long-term aspiration into a near-term requirement.

1. What Is the Methodology Layer?

The AML/CFT risk methodology is the foundational document of a financial institution’s compliance programme. It is not a policy statement, a procedure manual, or a technology specification. It is the intellectual framework that answers the regulator’s most fundamental question:

“How does this institution understand its own money laundering and terrorist financing risk, and how has it designed its controls accordingly?”

A complete methodology layer comprises several interconnected components:

Component | Description
Business Reality Assessment | Institution-specific mapping of products, services, customer segments, geographic footprint, and delivery channels, with risk ratings applied to each.
ML Risk Assessment | Structured analysis of money laundering exposure across all business dimensions, with threat identification, vulnerability assessment, and residual risk calculation.
TF Risk Assessment | A separate, dedicated terrorist financing risk analysis, required under BaFin AuA February 2025 and AMLR Article 8. Distinct from ML risk; requires its own methodology.
Scenario Library | Documentation of which typology scenarios are active, which are excluded, and, critically, why. BaFin expects explicit rationale for exclusions, not simply a list.
Control Framework | A mapping of every control to every identified risk, with evidence that controls are proportionate, effective, and regularly reviewed.
Customer Risk Model | The institution-specific CDD matrix: how customers are risk-scored, what data drives the score, how scores trigger review thresholds, and how the model was validated.
Review Cycle | Documented triggers and schedules for methodology review, tied to regulatory updates, material business changes, and examination findings.

These components form an interdependent system. A customer risk model not grounded in the ML risk assessment produces scores that cannot be defended. A scenario library disconnected from the business reality assessment leads to scenarios that are irrelevant or dangerously incomplete. The methodology is the connective tissue that holds the entire compliance programme together.

The Living Compliance Loop: a continuous seven-step system connecting regulatory change, risk assessment, methodology updates, operational systems, monitoring, review, and feedback.

When this connective tissue is absent, the compliance programme has operational components (technology, people, processes) but no intellectual foundation. It can process cases. It cannot explain, to a regulator’s satisfaction, why those cases exist or what risk framework shaped every decision.

1.1 What the Methodology Is Not

A common misconception conflates the methodology with the policy document. Policies describe what the institution will do. The methodology explains why: the risk rationale behind each policy choice. A policy stating ‘EDD will be applied to High Risk customers’ is not a methodology. A methodology explains how a customer becomes High Risk, why that threshold was set where it was, what data validated the model, and how the threshold relates to the institution’s specific risk exposure.

Another conflation is with the compliance manual, the procedure guide for operational execution. The methodology sits above both: it is the why of risk design, not the how of execution.


2. The Global Pattern: Audits Find This Every Time

The methodology gap is not a German problem. It is not a European problem. It is a structural deficiency appearing with remarkable consistency across every major financial regulatory jurisdiction in the world.

2.1 Germany: BaFin §44 KWG Examinations

Germany’s BaFin conducts ongoing prudential and AML/CFT examinations under §44 of the Kreditwesengesetz [1]. The February 2025 update to the AuA introduced heightened requirements for methodology documentation, including mandatory separation of ML and TF risk analysis [2], a requirement that the majority of mid-tier institutions had not yet implemented.

BaFin §44 Finding Pattern (2022–2025): The most consistently cited deficiencies are: (1) absent or inadequate AML/CFT risk methodology, (2) failure to separately document TF risk assessment, (3) insufficient rationale for excluded typology scenarios, and (4) UBO collection methodology not documented. These four issues appear across institutional types: banks, payment institutions, FinTechs, and asset managers alike.

For institutions under active §44 examination, the cost of inadequate methodology is not abstract. BaFin has issued enforcement actions with fines ranging from €50,000 to over €10 million for AML deficiencies, with the methodology gap as a contributing or primary factor in the majority of cases.

Deficiency Category | Estimated Frequency in §44 Findings
Absent or inadequate risk methodology | 60–70% of mid-tier examinations
No separate TF risk assessment | 55–65% post-February 2025 AuA update
Missing scenario exclusion rationale | 45–55% of examinations reviewed
UBO collection methodology undocumented | 40–50% of examinations reviewed
Customer risk model not validated | 35–45% of examinations reviewed
Review cycle not triggered by findings | 30–40% of examinations reviewed

2.2 United Kingdom: FCA SYSC and MLR 2017

The FCA’s enforcement record under the Money Laundering Regulations 2017 [11] and SYSC 3 reveals the same structural gap. The FCA’s expectation, set out in its Financial Crime Guide [10], is that a firm-wide risk assessment (FWRA) constitutes a documented, institution-specific analysis of ML/TF risk that connects directly to the firm’s control framework.

FCA Enforcement Pattern: The FCA’s 2023 AML thematic review cited ‘inadequate firm-wide risk assessment’ as a finding in the majority of firms reviewed. Enforcement actions against NatWest (£264.8M, 2021) [8], Santander UK (£107.7M, 2022) [9], and multiple wealth managers explicitly reference methodology deficiencies as contributing factors.

The FCA’s approach creates a dual consequence for institutions with methodology gaps: regulatory findings during supervision, and elevated enforcement risk during investigation. The FCA’s ability to prosecute criminal offences under the Proceeds of Crime Act 2002 means that a methodology gap is not merely a regulatory inconvenience; it is a potential criminal liability.

2.3 United States: FinCEN and OCC BSA/AML Expectations

The FFIEC BSA/AML Examination Manual [12] makes clear that a documented, risk-based BSA/AML risk assessment is expected. This assessment must be institution-specific, must document the methodology used to assess risk, and must be current.

FinCEN / OCC Consent Order Pattern: OCC enforcement actions from 2020–2025 repeatedly cite ‘failure to implement and maintain a risk-based BSA/AML compliance program’, with the risk assessment identified as the primary gap. Consent orders against regional and community banks routinely require remediation of the risk assessment as the first step before any other programme improvement.

2.4 Singapore: MAS Notice 626

Singapore’s 2023 and 2024 thematic inspections of the private banking and payments sectors both cited methodology gaps as the primary driver of control weaknesses [13]. The MAS’s approach explicitly connects methodology adequacy to technology control requirements: institutions that cannot articulate the risk rationale behind their transaction monitoring scenarios cannot demonstrate that those scenarios are appropriate.

2.5 Switzerland: FINMA AML Ordinance

FINMA’s supervisory practice, revealed through enforcement notices and the 2024 risk monitor [14], shows consistent findings around methodology adequacy, particularly for wealth management and asset management institutions.

2.6 The Universal Pattern

Across all five jurisdictions, the pattern is identical:

  • Regulators expect a documented, institution-specific methodology connecting risk assessment to controls
  • Most mid-market institutions lack a complete methodology or possess one that is generic, outdated, or disconnected from actual operations
  • Examination findings consistently cite the methodology gap as a primary or contributing deficiency
  • Enforcement actions reference the methodology gap in the majority of cases reviewed
  • Remediation of the methodology is typically required before any other programme improvement can be demonstrated

3. Why the Gap Persists

If the methodology gap is this consistently cited, this universally present, and this consequential, why does it persist? The answer lies in structural economics of compliance investment combined with the nature of methodology work itself.

3.1 The Economics of Compliance Investment

When a compliance programme is built or upgraded, investment follows a predictable sequence: technology first, people second, processes third, documentation last. Technology produces visible outputs (alerts, cases, reports) that can be demonstrated to regulators. Documentation produces nothing visible until a regulator asks for it. The result is that methodology documentation is consistently the last item funded and the first item deferred.

3.2 The Consultant Dependency

For mid-tier institutions that do invest in methodology, the dominant model is annual external consultancy at a cost of €100,000–€500,000 per engagement. This model has three structural problems.

1. Currency. The document is accurate on the day it is produced. Regulatory requirements change. Business models evolve. The methodology ages immediately.

2. Ownership. A document produced by an external consultant is not deeply understood by the institution's own compliance team. When an examiner asks why a threshold was set, the MLRO who didn't write the document cannot answer with authority.

3. Connectivity. The consultant produces a document. The institution operates a compliance programme. These two things frequently describe different realities.

3.3 The Technology Disconnect

The five-point-solution compliance technology stack (transaction monitoring, screening, KYC onboarding, case management, reporting) is designed to execute compliance operations. It is not designed to document methodology. Each system produces its own data, in its own format, with its own audit trail. None produce a coherent picture of why the institution’s risk framework is designed the way it is.

The result: a systematic disconnect between what the technology does and what the methodology says. The methodology specifies monthly transaction review for High Risk customers. The system implements quarterly review, because someone configured it differently three years ago. The examiner who compares methodology to system configuration finds a discrepancy. That discrepancy is a finding.

3.4 The Volume Problem

A complete, institution-specific methodology runs to 25–40 pages of substantive content for a mid-tier bank. Producing it manually takes a senior compliance professional 3–5 days minimum. Updating it when regulations change requires another 1–2 days. For an MLRO managing a live compliance operation, this time does not exist, so the methodology is deferred until the examination arrives.


4. The Public Record: Real Enforcement Actions and the Methodology Gap

The fine is the cheap part. The part that doesn’t show up in BaFin’s press release is what happens inside the institution afterwards: the remediation plan that eats the MLRO’s next eighteen months, the special representative who now sits in every compliance meeting, the bonus pool that quietly gets reallocated, the board that, from Q3 onwards, starts questioning whether it has the right CCO. By the time the fine lands, the damage is already structural.

The cost of missing methodology isn’t theoretical. It’s documented in published enforcement notices from BaFin, the FCA, FinCEN, and MAS. Public record, accessible to any institution that chooses to learn from them.

4.1 J.P. Morgan SE: BaFin €45 Million Fine (November 2025)

In October 2025, BaFin issued its largest ever AML enforcement action: a €45 million administrative fine against J.P. Morgan SE, the Frankfurt-based European subsidiary of JPMorgan Chase [4]. The finding: between October 2021 and September 2022, J.P. Morgan SE had ‘systemically failed’ to submit suspicious transaction reports (STRs) ‘without undue delay’ under Germany’s Money Laundering Act.

Methodology gap: The STR submission failure was not, at root, a technology failure. The transaction monitoring system generated alerts. Those alerts were not escalated to STRs within the statutory timeframe. A documented methodology should specify: what constitutes a sufficient alert threshold for STR escalation, what the internal escalation process is, who holds accountability at each stage, and what the maximum elapsed time is between alert and report. Without this documented framework, the timing gap becomes an ad-hoc judgment call made under operational pressure.

4.2 N26 Bank AG: BaFin €9.2 Million Fine (May 2024)

Germany’s largest digital bank received a €9.2 million fine from BaFin in May 2024 [5], following an earlier €4.25 million penalty in 2021, a customer onboarding cap, and the appointment of a BaFin special representative.

Methodology gap: The N26 enforcement record spans five years and three discrete BaFin interventions. The same class of deficiency recurs in each: the institution’s operational systems were not connected to a documented methodology that specified how each process should work, at what threshold, and with what governance. The methodology layer is the document that would have made this connection explicit and testable. Its absence made repeated intervention inevitable.

4.3 Commerzbank AG: BaFin €1.45 Million Fine (April 2024)

BaFin fined Commerzbank AG €1.45 million [6] for AML supervisory obligation breaches: employees had not updated customer data on time, internal security measures were inadequate, and enhanced due diligence requirements were inadequately applied.

Methodology gap: The root cause BaFin identified is the absence of ‘an effective system of supervisory measures.’ That phrase describes exactly what the methodology layer provides: a documented framework specifying when customer data must be updated, under what criteria EDD applies, and how compliance obligations are translated into operational instructions.

4.4 Solaris SE: BaFin €6.5 Million Fine (March 2024)

BaFin fined Germany’s largest banking-as-a-service provider €6.5 million [7] for systematically submitting suspicious money laundering reports late. The fine followed a 2020 special audit, capital requirement increases, onboarding restrictions, and a special representative whose mandate was subsequently extended.

Methodology gap: Solaris processed payments for hundreds of partner businesses. Each partner relationship required its own risk assessment, defined EDD criteria, and documented STR escalation framework. Without the methodology layer as the source of design decisions across all partner relationships, the system becomes unmanageable at scale.

4.5 NatWest: FCA £264.8 Million Criminal Fine (December 2021)

The most significant AML enforcement action in UK history. Southwark Crown Court fined NatWest £264.8M [8] following guilty pleas to three offences under the Money Laundering Regulations 2007. Against a projected annual turnover of £15 million, a customer deposited £365 million over five years, including £264 million in cash, some of it delivered in black bin bags.

Methodology gap: The customer risk model did not flag a customer whose deposits were running at 24× the projected amount. The transaction monitoring system classified cash as cheques due to a configuration error never validated against the risk assessment. Internal red flags had no documented escalation path. Each of these is a disconnection between the institution’s documented risk framework and its operational reality.

4.6 Santander UK: FCA £107.7 Million Fine (December 2022)

The FCA fined Santander UK £107.7M [9] for ‘serious and persistent gaps’ in its AML control framework affecting 560,000+ business customers over five years. A customer registered as a translation business was operating as an unlicensed money services business, channelling £298 million through Santander.

Methodology gap: The customer risk model classified MSBs as standard business banking customers because there was no documented methodology specifying how MSBs should be identified, risk-rated, and monitored differently. Teams operated in silos because there was no single methodology document that all teams worked from.

4.7 The Pattern Across All Six Cases

Institution | Fine | Finding / methodology gap
J.P. Morgan SE (BaFin, October 2025) | €45M | No documented STR escalation framework connecting risk assessment to operational timing requirements.
N26 Bank AG (BaFin, May 2024) | €9.2M | No methodology connecting risk framework to operational process at scale across a growing customer base.
Commerzbank AG (BaFin, April 2024) | €1.45M | Customer risk model review cycle not documented; EDD criteria not connected to a written risk methodology.
Solaris SE (BaFin, March 2024) | €6.5M | No methodology connecting partner risk exposure to STR obligations across a multi-partner BaaS model.
NatWest (FCA, December 2021) | £264.8M | Customer risk rating changed without documented justification; TM system configuration never validated against the risk assessment.
Santander UK (FCA, December 2022) | £107.7M | No methodology for identifying and risk-rating MSBs; monitoring intensity not connected to customer risk profile.

5. Closing the Gap: What Is Now Possible

Until recently, the methodology problem had no scalable solution. Producing a complete, institution-specific, regulatory-citation-accurate methodology was inherently manual. It required a compliance expert with deep regulatory knowledge, several days of senior time, and an annual engagement cycle that guaranteed the document would be outdated within months of delivery.

The structural barriers that made this work expensive, slow, and inaccessible to mid-market institutions have been eliminated. This is what we built the WBP Methodology Engine to do. It generates your methodology from your own operational inputs: your risk factors, your scenario library, your customer segmentation, your corridor exposure. Every threshold is traceable to the risk rationale that set it. Every regulatory update is mapped to the chapters it affects. The MLRO owns it and can defend every choice in thirty seconds, not thirty minutes.

The practical implications are significant. The €100,000–€300,000 annual consultancy engagement that produced a document outdated on delivery is replaced by a platform that generates and maintains the methodology continuously. The MLRO who couldn’t explain the methodology under examination because a consultant wrote it is replaced by a compliance team that built it themselves and can defend every threshold and every choice.

5.1 Three Moves That Separate Survivors From Outliers

Closing the gap requires a shift from periodic artefact to living infrastructure. Three concrete moves separate institutions that survive examinations from those that don’t.

First, own the document internally. Whatever tooling or external support is used to produce it, the MLRO and compliance team must have built it, understood every choice, and be able to defend every threshold under questioning. The practical test is simple: if an examiner asks why EDD kicks in at a customer risk score of 75 rather than 70, the answer should take thirty seconds, not thirty minutes searching for the consultant’s original working file. A methodology that can’t be explained by the person accountable for it isn’t a methodology. It’s a liability.

Second, connect methodology to configuration. When a TM threshold changes in the system, the methodology version should update, log the justification, and trigger a governance review. When the methodology changes, it should be immediately clear which scenarios, risk-scoring rules and CDD triggers are affected. In practice this means the methodology document and the system configuration register reference each other by version, so a BaFin examiner asking “why is this scenario tuned this way” gets a single, traceable answer rather than two documents describing different realities.

Third, separate TF from ML explicitly. Under BaFin’s updated AuA, and under AMLR from 1 July 2027, a combined ML/TF risk assessment won’t satisfy Article 8(3). In concrete terms, this means a dedicated TF threat assessment covering sanctioned jurisdictions, dual-use goods exposure, NPO customer segments and correspondent banking flows, with its own scenario set and its own review cycle. Institutions that haven’t yet separated the two are already behind the line BaFin is drawing in current examinations.
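The second move above, the methodology and the system configuration register citing each other by version, with the monthly-versus-quarterly drift from Section 3.3 as the test case, as an added example. This is a constructed illustration, not WBP's Methodology Engine or any vendor's schema; the control names, version strings and sample values are assumptions.

```python
"""Reconcile an AML methodology document against the system configuration register.

Constructed illustration of the cross-referenced-by-version model; not WBP's code or
any vendor's schema. Control names, versions and values below are sample assumptions.
"""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": methodology and system disagree; "medium": no rationale on file
    control: str
    detail: str


# Methodology layer (constructed sample): every control carries the rationale that set it.
METHODOLOGY = {
    "version": "2026.1",
    "controls": {
        "edd_trigger_score": {"value": 75, "rationale": "ML risk assessment s.4.2: score >= 75 is High Risk"},
        "high_risk_review_frequency": {"value": "monthly", "rationale": "Control framework C-07"},
        "scenario_structuring_cash": {"value": "active", "rationale": "Scenario library: cash-intensive retail"},
        "scenario_trade_finance": {"value": "excluded", "rationale": "No trade finance products offered"},
    },
}

# Configuration register exported from the operational systems (constructed sample).
CONFIG_REGISTER = {
    "version": "cfg-0418",
    "methodology_version": "2024.3",                # stale cross-reference to an old methodology
    "parameters": {
        "edd_trigger_score": 75,
        "high_risk_review_frequency": "quarterly",  # drift: changed in the system, never in the methodology
        "scenario_structuring_cash": "active",
        "scenario_trade_finance": "active",         # methodology excludes this scenario
        "scenario_crypto_offramp": "active",        # no methodology entry at all
    },
}


def reconcile(methodology, register):
    """Return the discrepancies an examiner would find when comparing the two documents."""
    findings = []
    if register["methodology_version"] != methodology["version"]:
        findings.append(Finding("high", "methodology_version",
                                f"register cites {register['methodology_version']}, "
                                f"current methodology is {methodology['version']}"))
    params = register["parameters"]
    for name, spec in methodology["controls"].items():
        if name not in params:
            findings.append(Finding("high", name, "specified in methodology but not configured"))
        elif params[name] != spec["value"]:
            findings.append(Finding("high", name,
                                    f"methodology={spec['value']!r} configured={params[name]!r}"))
    for name in params:
        if name not in methodology["controls"]:
            findings.append(Finding("medium", name, "configured with no documented rationale"))
    return findings


def apply_control_change(methodology, register, control, new_value, justification):
    """Change a control in both layers at once; returns (methodology, register, log_entry).

    The inputs are not mutated. A change with no justification is refused, so the register
    cannot move away from the methodology without a logged reason and a governance review.
    """
    if not justification.strip():
        raise ValueError(f"change to {control} requires a justification")
    if control not in methodology["controls"]:
        raise KeyError(f"{control} has no methodology entry; document the rationale first")
    m, r = copy.deepcopy(methodology), copy.deepcopy(register)
    year, minor = m["version"].split(".")
    m["version"] = f"{year}.{int(minor) + 1}"          # every change produces a new methodology version
    m["controls"][control]["value"] = new_value
    m["controls"][control]["rationale"] = justification
    r["parameters"][control] = new_value
    r["methodology_version"] = m["version"]           # register now cites the version that set it
    log_entry = {"control": control, "new_value": new_value, "justification": justification,
                 "methodology_version": m["version"], "governance_review": "required"}
    return m, r, log_entry
```

Running reconcile on the constructed inputs surfaces the stale version reference, the quarterly-versus-monthly drift, the scenario the methodology excludes but the system runs, and a scenario with no rationale on file; applying a justified change through apply_control_change closes the first two without touching the originals.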

Traditional vs Live-Methodology Model: a six-dimension comparison across generation, currency, ownership, connection, access, and review cadence — and the difference examiners can see.

6. The AMLR Forcing Function

The EU Anti-Money Laundering Regulation [3], effective 1 July 2027, represents the most significant overhaul of the European AML/CFT framework in two decades. For all EU-supervised entities, the AMLR creates a hard deadline that compresses the timeline for methodology compliance from a long-term aspiration to an immediate operational requirement.

6.1 What AMLR Changes for Methodology

Art. 8, Risk Assessment: Codifies in EU law the requirement for a documented, institution-specific ML/TF risk assessment. Generic methodology frameworks will not satisfy Article 8.

Art. 8(3), TF Separate Assessment: Explicitly requires a separate TF risk assessment covering sanctioned jurisdictions, dual-use goods exposure, NPO customer segments and correspondent banking flows. Already required under BaFin AuA February 2025 for German institutions; AMLR extends it EU-wide.

Art. 20, Customer Due Diligence: New documentation obligations for the customer risk model. Institutions must demonstrate the CDD approach is methodology-driven.

Art. 26, Ongoing Monitoring: Monitoring frequency and intensity must be demonstrably risk-based, which requires the methodology to specify how monitoring intensity is calibrated.

Art. 22, Transaction Monitoring: TM scenarios must be selected and calibrated based on the institution's ML/TF risk assessment.

6.2 The 18-Month Window

With AMLR effective July 2027, institutions have approximately 18 months from Q1 2026 to achieve compliance. This is shorter than it appears:

  • Internal governance: Methodology revisions require management body approval. The governance cycle alone can consume 3–6 months.
  • Technology implications: AMLR’s methodology-to-operations connectivity requirements may require system configuration changes.
  • Regulatory supervision: BaFin and other national competent authorities will begin thematic AMLR readiness reviews well before the effective date.
  • Consultant market capacity: If the majority of 4,800+ BaFin-supervised institutions seek external methodology consultancy simultaneously, market capacity will be severely constrained.

Conclusion

The methodology gap doesn’t close itself when you buy more technology. Every €45M fine is proof of that.

It has survived a decade of regulatory pressure, rising fines, and continuous investment in AML technology because the industry has kept treating it as a documentation problem. It isn’t. It’s an infrastructure problem. And infrastructure problems aren’t solved through periodic artefacts. They’re solved through systems that keep methodology, configuration and governance continuously aligned.

Two futures are forming.

In the first, institutions that move now will arrive at 1 July 2027 with a methodology they own, a compliance team that can defend it in examination, and a direct line from their risk assessment to every scenario, threshold and control their systems run. When BaFin arrives, they’re answering questions, not reconstructing the reasoning behind a document a former consultant produced two years earlier.

In the second, institutions will do what they’ve always done: defer, rely on the annual consultancy cycle, and hope the examination year happens to align with a fresh delivery. For those institutions, the next five years will look a lot like the last five. Findings, remediation, fines, repeat.

The institutions that do this right enter the next decade with a compliance function they can defend without flinching. The MLRO who answers every examiner question in thirty seconds. The board report that doesn’t include a remediation plan. The §44 review that closes without a finding. The team that spends its Q4 on forward work instead of reconstruction. That’s what’s on the other side of closing the gap.

The brain of compliance has been scattered for a long time. The window to put it back together is finite, and it’s closing.


References

[1] BaFin. §44 KWG Supervisory Practice and Examination Guidance. Bundesanstalt für Finanzdienstleistungsaufsicht.
[2] BaFin. Auslegungs- und Anwendungshinweise zum Geldwäschegesetz (AuA), February 2025 update.
[3] Regulation (EU) 2024/1624 on the prevention of the use of the financial system for money laundering or terrorist financing (AMLR). Articles 8, 8(3), 20, 22, 26. Official Journal of the European Union.
[4] BaFin. Administrative fine imposed on J.P. Morgan SE, 28 October 2025. Published supervisory measure.
[5] BaFin. Administrative fine imposed on N26 Bank AG, 21 May 2024.
[6] BaFin. Administrative fine imposed on Commerzbank AG, April 2024.
[7] BaFin. Administrative fine imposed on Solaris SE, March 2024.
[8] Southwark Crown Court; FCA final notice. R v National Westminster Bank Plc, 13 December 2021.
[9] FCA. Final notice: Santander UK Plc, 9 December 2022.
[10] FCA. Financial Crime Guide (FCG), FCA Handbook.
[11] Money Laundering Regulations 2017 (SI 2017/692), United Kingdom.
[12] FFIEC. BSA/AML Examination Manual. Federal Financial Institutions Examination Council.
[13] Monetary Authority of Singapore. Notice 626: Prevention of Money Laundering and Countering the Financing of Terrorism — Banks.
[14] FINMA. Risk Monitor 2024. Swiss Financial Market Supervisory Authority.