What happened

1Malaysia Development Berhad (1MDB) was a Malaysian state investment fund. Between 2009 and 2014, an estimated $4.5 billion was misappropriated through bond issuances arranged by Goldman Sachs and others, layered through shell companies, and integrated into luxury real estate, art, films, and yachts. Goldman Sachs reached a global resolution in 2020, paying ~$2.9B to the DOJ plus regional settlements, with subsidiary Goldman Sachs Malaysia pleading guilty to FCPA conspiracy.

Control failures

• Inadequate KYC on shell-company structures used to receive bond proceeds — multi-layer entities with thin substance, but accounts opened on relationship-driven exception
• Failure to escalate red flags raised internally about the unusually large fees and structurally suspicious bond proceeds destinations
• UBO trace did not connect bond-proceed beneficiaries to ultimate political-exposed parties despite available adverse-media context
• Senior compliance approval bypassed via deal-pressure escalation paths — classic governance failure

Regulatory response and lessons

Reinforced expectations under FATF R12 (PEP) and R10 (CDD), accelerated enhanced UBO-trace requirements in MLR 2017 amendments, and was a core driver of US Corporate Transparency Act BOI reporting. Reinforced personal accountability at named senior individuals under SMCR. Drove tier-1 banks to formalise “deal compliance” functions independent of revenue-side coverage teams.

Interview takeaway

“1MDB shows how complex shell-company structures defeat ownership-threshold-only UBO logic when control-path tracing isn’t enforced. The case drove tier-1 banks to mandate UBO trace to natural persons across all control paths regardless of percentage thresholds, and reinforced senior-compliance independence from deal teams. It’s also why most senior interviewers expect candidates to discuss UBO control-path tracing alongside ownership-percentage logic.”

What happened

Between 2006 and 2010, HSBC’s Mexican subsidiary (HBMX) processed billions of dollars in cash deposits from Mexican drug-trafficking organisations. US dollar cash deposits at HBMX bulk-shipped to HSBC US, where insufficient transaction-monitoring controls allowed the funds to enter the US financial system. The bank entered a Deferred Prosecution Agreement with the DOJ and agreed to a ~$1.9B settlement.

Control failures

• Inadequate customer risk rating on Mexican entities and money-service businesses despite known cartel-financing typology in the region
• Cross-border cash flows accepted at HSBC US without adequate KYC-on-KYC review of HBMX’s own AML programme — a textbook correspondent-banking failure
• Transaction-monitoring thresholds calibrated to operational throughput rather than to the actual risk profile of cartel-cash typology
• Internal compliance escalations on suspicious cash patterns documented but not actioned

Regulatory response and lessons

Drove FATF R13 enhancement on cross-border correspondent banking, was a foundational case for FinCEN CDD Rule (2018) which formalised UBO and risk-rating requirements, and entrenched the principle that TM thresholds must be calibrated to risk — not to alert volume. Cited extensively in MLR 2017 supervisory guidance and DFSA AML Module on correspondent banking.

Interview takeaway

“HSBC Mexico is the case that defines correspondent-banking AML. The lesson is that KYC-on-KYC is mandatory — you can’t outsource your AML risk to the respondent. It also drove the principle that transaction-monitoring thresholds calibrated to operational volume rather than risk are themselves a regulatory finding. When senior interviewers ask about correspondent banking risk, they’re testing whether you understand the HSBC Mexico failure mode.”

What happened

Between 2007 and 2015, Danske Bank’s Estonian branch processed an estimated €200 billion in suspicious flows, primarily from non-resident customers from Russia and former-CIS jurisdictions. The Estonian branch operated effectively outside the parent bank’s AML controls. Following whistleblower disclosure in 2017–2018, the bank’s CEO resigned, the Estonian branch was wound down, and the bank entered settlements totalling billions of dollars across jurisdictions.

Control failures

• Non-resident customer book onboarded with materially weakened CDD relative to parent-bank standards — a deliberate governance gap
• UBO and source-of-funds documentation absent or perfunctory across thousands of high-risk customers
• Adverse-media screening in Russian and former-CIS languages effectively non-existent
• Branch-level compliance independence compromised; escalations to parent suppressed for years despite internal warnings
• Transaction monitoring on cross-border flows from designated high-risk jurisdictions inadequate or absent

Regulatory response and lessons

A primary driver of EU 6AMLD harmonisation, the AMLA enforcement framework operating from 2026, and the European Banking Authority’s expanded AML supervisory powers. Also drove FATF and EU emphasis on group-wide AML programmes and parent-bank responsibility for branch-level compliance. Reinforced multi-language adverse-media screening as a non-optional control for non-resident customer books.

Interview takeaway

“Danske Estonia is the case that drove EU AMLA. It’s the textbook example of a branch-level compliance gap defeating a sophisticated parent-bank AML programme. The lessons are group-wide compliance, multi-language adverse media on non-resident books, and branch independence with documented escalation paths to parent compliance. When EU regulators talk about why AMLA was necessary, they always come back to Danske.”

What happened

Between 2004 and 2007, Wachovia (acquired by Wells Fargo in 2008) processed an estimated $390 billion in suspicious wire transfers from Mexican casas de cambio (currency-exchange houses), substantial portions of which were later established as drug-cartel proceeds. The DOJ deferred prosecution agreement in 2010 imposed a ~$160M penalty, with regulators noting Wachovia had inadequate CDD and TM on the casa-de-cambio correspondent relationships.

Control failures

• Casa-de-cambio relationships maintained without genuine KYC-on-KYC due diligence on the respondent MSBs’ own AML programmes
• Wire-transfer volume and pattern materially inconsistent with declared business of correspondent counterparties — not flagged
• Internal compliance staff who flagged the pattern reportedly not actioned at senior level
• TM on cross-border correspondent flows operated at thresholds that effectively masked cartel-volume patterns

Regulatory response and lessons

Together with HSBC Mexico, Wachovia is one of the foundational cases for modern correspondent-banking AML expectations. Drove FinCEN guidance on MSB-as-respondent risk. Reinforced the principle that whistleblower-protected internal escalations must be independently actionable. Cited in supervisory expectations under FCA, OCC, and DFSA on correspondent banking and MSB customers.

Interview takeaway

“Wachovia is the ‘before HSBC Mexico’ case. The same correspondent-banking pattern, the same MSB risk, the same TM-threshold failure, but earlier. Together they entrench the rule: KYC-on-KYC for correspondents, MSB-respondent risk gets enhanced scrutiny, and TM thresholds calibrated to risk not volume. If you can articulate that pair together, you’ve answered the senior interviewer’s correspondent-banking question.”

What happened

Standard Chartered settled US sanctions violations in 2012 (~$667M) primarily for stripping identifying information from Iran-related wire transfers passing through New York. Subsequent settlements followed in 2014 and 2019 for continued sanctions-control deficiencies and inadequate remediation, totalling over $1.1B in cumulative penalties.

Control failures

• Wire-stripping practice removing originator/beneficiary identifiers to defeat US sanctions screening — a deliberate control circumvention
• Inadequate sanctions-screening configuration on cross-border correspondent flows touching the US clearing system
• Remediation under the 2012 DPA proved insufficient, leading to subsequent settlements
• Senior governance failed to enforce sanctions policy across regional operations independently

Regulatory response and lessons

Drove OFAC’s expanded extraterritorial enforcement posture, the formalisation of the “wire-stripping” offence in OFAC enforcement guidance, and stricter NYDFS expectations on sanctions controls at any institution touching US dollar clearing. Reinforced the principle that DPA remediation must be genuine and verifiable — iterative settlements are themselves treated as governance failures.

Interview takeaway

“Standard Chartered is the wire-stripping case. The lesson is that any institution touching USD clearing has direct OFAC exposure, and sanctions-control failures get treated as deliberate offences if originator information is being stripped. It also shows that iterative settlements signal governance failure — regulators expect remediation to actually work, not to be theatrical.”

What happened

BNP Paribas pleaded guilty in 2014 to processing approximately $8.8 billion in transactions involving Sudan, Iran, and Cuba between 2002 and 2012, in violation of US sanctions. The bank agreed to a ~$8.9B settlement — at the time, the largest sanctions-related settlement in US history. The bank also lost USD clearing privileges for certain business lines for a period.

Control failures

• Systematic concealment of sanctions-touching transactions through complex routing and modified messaging
• Senior management awareness of the practice without independent compliance escalation
• Sanctions-screening controls on USD clearing flows inadequate by design rather than by accident
• Lack of independent compliance authority to halt commercial activity that touched sanctioned jurisdictions

Regulatory response and lessons

Cemented OFAC’s extraterritorial reach over any institution accessing US dollar clearing, regardless of headquarters jurisdiction. Drove EU and global expectation that compliance independence at named-officer level (MLRO, Head of Sanctions, Head of FCC) carries personal regulatory liability. Cited in subsequent supervisory expectations under FCA, NYDFS, DFSA, and HKMA on sanctions-control governance.

Interview takeaway

“BNP Paribas is the largest sanctions case in modern history and the clearest example of why USD clearing is treated as a regulatory privilege, not a right. The lessons are independent compliance authority, named-officer personal liability, and the principle that sanctions controls must be designed to halt commercial activity — not to manage around it.”

What happened

In September 2020, BuzzFeed News and the International Consortium of Investigative Journalists published an investigation based on approximately 2,100 leaked Suspicious Activity Reports filed with FinCEN between 1999 and 2017. The reports covered an estimated $2 trillion in suspicious flows, naming many tier-1 banks. The disclosure didn’t prove the banks had committed offences, but exposed the volume and recurring nature of suspicious activity flowing through tier-1 institutions despite active SAR filing.

Control failures (systemic, not single-bank)

• SARs filed but not actioned downstream — banks continuing to maintain customer relationships despite repeat SAR filings
• FIU pipeline limited by analytical capacity to process the volume of SARs filed, particularly defensive filings
• Cross-jurisdictional information-sharing constrained by national-FIU silos
• Repeat-customer SARs — filing on the same customer over years without relationship review or exit — treated as a compliance pattern in itself

Regulatory response and lessons

Accelerated the AML Act of 2020 (US), which expanded FinCEN information-sharing powers and mandated SAR programme-effectiveness reviews. Drove EU AMLA emphasis on cross-border information sharing. Reinforced the principle that filing a SAR isn’t a substitute for action — relationship review, EDD refresh, and exit consideration must follow material SAR activity. Catalyst for tier-1 banks formalising “post-SAR follow-through” as a distinct programme requirement.

Interview takeaway

“FinCEN Files is the case that broke the ‘file and forget’ pattern. The lesson is that SAR filing is the start of a process, not the end — relationship review, EDD refresh, and exit consideration must follow material SAR activity. Senior interviewers test this through scenarios about repeat SARs on the same customer; the right answer is always that the relationship should have been reviewed, not just re-SAR’d.”

What happened

Wells Fargo’s 2016–2020 settlements covered a combination of practices: opening of customer accounts without authorisation (account-fraud scandal, 2016), inadequate AML programme controls leading to FinCEN penalties, and broader governance failures at the senior level. Cumulative fines and remediation costs exceeded $3B. The Federal Reserve imposed an asset growth cap on the bank in 2018 — a near-unprecedented supervisory action.

Control failures

• Sales-incentive structures driving employees to open unauthorised customer accounts — a culture-and-control failure
• Customer identification programme weaknesses on the unauthorised-account population that fed downstream AML programme weaknesses
• Senior management awareness of the pattern without independent compliance escalation effective enough to halt it
• Inadequate response to early whistleblower and supervisory warnings

Regulatory response and lessons

Drove the Federal Reserve’s 2018 asset cap as a supervisory tool, expanded CFPB and OCC enforcement coordination, and reinforced that AML and consumer-protection failures often share root causes (governance, incentive structures, escalation gaps). Cited in supervisory expectations on culture-and-conduct programmes and on the linkage between sales-incentive design and AML risk.

Interview takeaway

“Wells Fargo is the case that connects culture-and-conduct to AML. Sales incentives that drive unauthorised account opening produce KYC and AML weaknesses downstream — the customer-onboarding programme depends on accurate customer identification, which depends on an honest sales process. The lessons are governance independence, escalation effectiveness, and the principle that AML risk is shaped by culture as much as by control design.”