Search
Choose a style
Dark
Light
Time to read: 6 min

Rakuten failure exposes need for banks to protect AML knowledge

TOKYO, JAPAN - September 24, 2020: Sign on a Rakuten Mobile store in Tokyo's Kasai area.
Editorial credit: Ned Snowman / Shutterstock.com

Rakuten Europe Bank accepts CSSF findings and is implementing a full remediation plan as experts warn firms must safeguard AML knowledge. 

Luxembourg’s financial regulator has ordered Rakuten Europe Bank to pay an administrative fine of €185,000 after identifying multiple breaches of its anti-money laundering (AML) and counter-terrorist financing (CFT) requirements.

The decision was taken by the Commission de Surveillance du Secteur Financier (CSSF) on May 19, 2025 but only published on January 6 this year. The fine represents approximately 1% of the bank’s annual turnover as of December 31, 2022.

The breaches were identified during an on-site inspection conducted between February and November 2023, which focused on the bank’s AML/CFT framework and the corrective measures implemented following findings by another European authority. 

While the CSSF noted the bank’s cooperation and remediation efforts, it concluded key controls were not operating effectively at the time of the inspection.

According to the CSSF, the breaches were primarily linked to weaknesses in transaction monitoring, alert handling and customer risk assessment. While the regulator acknowledged the bank cooperated with the investigation and began corrective measures, it concluded controls were not sufficiently effective at the time of the inspection.

Speaking to Payment Expert, Rakuten Europe Bank accepted the CSSF’s decision and had launched a remediation programme following the regulator’s initial findings.

“As a global group, we are fully aware that we have a great responsibility in combating money laundering and the financing of terrorism,” a spokesperson for the bank says.

“Following the initial notification from the authorities, we commenced an extensive remediation plan to address all of the points raised. While our ongoing efforts reflect a strong determination to achieve full compliance with legal requirements, it has become evident that our measures had not yet met these standards at the time of the CSSF’s investigation.”

The spokesperson went on to explain the bank is continuing to implement and verify corrective actions and emphasised Rakuten Europe Bank is legally independent from other financial and banking entities within the wider Rakuten Group.

Monitoring gaps and alert backlogs

One reason of the primary reasons for the fine was Rakuten’s transaction monitoring framework, which the CSSF found to be outdated and poorly maintained. Several monitoring scenarios had not been updated for years, did not cover all transactions and in some cases were incorrectly configured. 

The regulator’s statement also stated the bank was operating a version of its monitoring system which was no longer supported by its supplier.

The CSSF identified significant backlogs in alert handling, with around 9% of transaction alerts closed more than two months after being generated, while thousands of alerts linked to sanctions screening, politically exposed persons and adverse media remained unresolved at the time of the inspection. 

This included delays in reviewing alerts related to restrictive measures and potential terrorist financing, limiting the bank’s ability to apply due diligence or asset-freezing measures in a timely manner. 

The regulator also identified due diligence failures, with automated systems missing exceeded transaction thresholds and weaknesses in customer risk assessments that underestimated money laundering and terrorist financing risks.

Another issue raised by the CSSF was the loss of internal expertise following staff departures in IT and compliance. This left the bank unable to properly configure or maintain its transaction monitoring systems, allowing known issues to persist. 

Operational resilience under scrutiny

Speaking to Payment Expert, Chris Jones, Managing Director at PSE Consulting, said the case highlights a recurring challenge across the financial sector, where AML teams lose institutional knowledge as systems grow more complex.

Chris Jones, Managing Director at PSE Consulting
Chris Jones, Managing Director at PSE Consulting

“Loss of institutional knowledge in AML/CFT functions is more common than many firms would like to admit, particularly where transaction monitoring systems are complex, heavily customised, and understood by only a small number of specialists,” Jones said.

He noted regulators are increasingly focused on whether firms can sustain and adapt their controls over time, rather than simply whether systems are in place. This includes governance, documentation and succession planning, particularly when key staff leave.

The timing of this sanction is notable, with the EU preparing to implement an overhaul of its AML framework. 

The package introduces a single rulebook through the Anti-Money Laundering Regulation (AMLR) and establishes a new EU-level supervisor, the Anti-Money Laundering Authority (AMLA), which began taking on supervisory powers from July 2025, though full application of the regime is expected by 2027.

Under the reforms, cash payments will be capped at €10,000, crypto-asset service providers will face stricter due diligence and data-sharing obligations and the focus of regulated entities will broaden to include sectors such as accountants, tax advisers and professional football clubs involved in high-value transactions.

This comes at worrying time in Europe where compliance is involved. In May 2025, Regulatory intelligence solution Vixio shared that over $40.7m in fines were handed to European payment providers over the past year due to AML failures.

“Looking ahead, the new EU AML framework, including AMLR and AMLA, is likely to increase regulatory scrutiny of exactly these kinds of governance and operational weaknesses,” Jones said. 

“Supervisors will be less tolerant of firms that can’t demonstrate sustained control, ownership, and resilience over their AML systems, regardless of whether the underlying technology itself is sound.”

In a statement sent to Payment Expert, the CSSF said: “Looking ahead, we indeed foresee some evolutions with the new EU AML framework which will influence the legal regime surrounding sanctions. First, with regards to the publication, we refer to Article 58 of Directive 2024/1640 which indicates that, in principle, decisions on sanctions will have to be published by the supervisors immediately after the persons responsible for the breach are informed of those decisions, even in the case of an appeal (in which case, supervisors shall also publish information on the appeal, as well as any subsequent information on the outcome of the appeal).

“Finally, CSSF also anticipates more generally an enhanced harmonisation at EU level on the framework on AML/CFT sanctions. In that regard, AMLA will indeed play an important role to materialise such harmonisation, e.g. with the issuance of Guidelines on the base amounts for the imposing of pecuniary sanctions (in accordance with Article 53, 11. of Directive 2024/1640) or with the drafting of regulatory technical standards setting out criteria to be taken into account when setting the level of pecuniary sanctions (in accordance with Article 53, 10. of Directive 2024/1640).”

Subscribe to our newsletter