BankThink

When mergers increase, AML compliance headaches surface

Years of consolidation have damaged competition in the banking sector. Regulators should be more, not less, restrictive about approving mergers.
Time and again, seemingly successful bank mergers have been rocked by revelations of poor anti-money-laundering compliance. Assessing the AML risk of a potential merger partner is extremely tricky, writes Mikhail Karataev.
Adobe Stock

During the first term of President Donald Trump, U.S. financial institutions significantly strengthened their position in the global mergers and acquisitions market. Current forecasts suggest that M&A activity will continue to rise in the coming four years, placing new demands on American banks. For smaller banks, the primary goal is positioning themselves for a more lucrative sale, while larger institutions focus on refining risk assessment methodologies to strike the right balance between potential risks and advantages.

Anti-money-laundering risks in M&A remain one of the most controversial aspects of modern compliance. Despite the broad and complex regulatory framework governing anti-money laundering, no dedicated international guidelines or national compliance standards specifically address AML risks in M&A. This means that financial institutions cannot formally benchmark a risk against a standardized set of AML compliance requirements, leaving banks to navigate this critical issue largely on their own.

The regulatory vacuum surrounding AML in M&A creates a false sense of security. Technically, all banks involved in M&A deals are already licensed financial institutions subject to AML regulations. If an acquiring bank were to flag the target institution as high-risk, this would imply regulatory failure, as authorities should have intervened earlier. In theory, a financial institution subject to an M&A deal should have already met AML compliance requirements — yet practice tells a different story.

Regulatory inaction does not equal regulatory approval, and history has repeatedly shown that AML vulnerabilities often surface only after a merger is completed. Yet, because compliance teams at major banks typically lack specialized expertise in assessing AML risks within M&A, these risks are often underestimated until it's too late.

One of the most striking examples of AML risks materializing post merger is the 2008 acquisition of Wachovia Bank by Wells Fargo. At the time of the M&A deal, Wachovia appeared to be a legitimate and well-regulated institution, but beneath the surface, the bank had serious AML deficiencies that had gone unnoticed by regulators. After the merger, it became clear that Wachovia had failed to implement basic AML controls, allowing Mexican drug cartels to launder an estimated $378 billion through its accounts. By 2010, Wells Fargo found itself inheriting not just Wachovia's assets but its compliance failures, culminating in a $160 million settlement with the Department of Justice and the Financial Crimes Enforcement Network. The bank faced greater oversight from the Office of the Comptroller of the Currency and the Federal Reserve. This case underscores a critical lesson for M&A transactions: AML risks do not simply disappear when banks merge; they transfer often with devastating legal, financial and reputational consequences.

The small-business lender bought a Chicago community bank in what some experts say will be the first of many such deals.

March 20
Office of the Comptroller of the Currency

Without proper due diligence, M&A in 2025 could just as easily stand for Mayhem & Audit, the inevitable post-merger chaos when regulators start dissecting past AML lapses. Worse, acquiring banks could find themselves dealing with Missteps & Accusations, as undisclosed fines and historical violations resurface, leading to reputational damage and financial penalties that no one saw coming. AML professionals must recognize that M&A in 2025 inherently carries Massive & Alarming risks, necessitating a proactive approach to due diligence and integration. To avoid costly surprises, banks should adopt an M&A strategy focused on a Mitigation & Avoidance principle, not just checking boxes on a compliance checklist but embedding robust compliance frameworks into the deal process. By prioritizing AML safeguards from the outset, institutions can transform M&A from a high-stakes gamble into a well-managed growth strategy.

When evaluating AML risks in M&A transactions, a target bank's current compliance metrics and AML process effectiveness may serve as indicators of broader corporate governance maturity. However, relying solely on present-day AML performance is a critical mistake. To gain a realistic understanding of risk, banks must conduct a historical retrospective analysis of AML compliance. One of the most overlooked enforcement patterns for U.S. banks is how American regulators treat domestic vs. foreign institutions. U.S. banks tend to face swift regulatory action, typically receiving moderate fines within six months of identified AML violations. Meanwhile, foreign banks often operate under the illusion of compliance — until years' worth of accumulated infractions suddenly result in record-breaking penalties. The numbers are telling: Nine out of the 10 largest AML fines in recent years were levied on institutions headquartered in jurisdictions officially classified as low-risk for AML purposes.

Since walking away from an M&A deal solely because of AML risks is hardly feasible for a modern U.S. bank, and external regulatory guidance in this area is virtually nonexistent, compliance departments must develop their own optimal risk management parameters. Drawing on 21st-century market practices, we can distill three best practices.

The first is widely represented in modern consulting and includes a comprehensive plan for assessing current risks, including AML analytics, regulatory risks, sanctions, know-your-customer and enhanced due diligence rules, anti-corruption, insider trading, ethics, and more. The second element, as previously discussed, is a retrospective AML risk analysis covering one to five years, depending on the profile of the deal's participants. The third element is the development of a structured AML risk mitigation strategy. In practice, such strategies are typically built on three core pillars: The first is risk elimination (for existing clients), which involves excluding a designated pool of high-risk clients from the M&A deal by carving them out into a separate legal entity. The second is risk limitation (for ongoing processes and clients), which requires defining quantitative or monetary risk thresholds for each client category, product, IT system or process. The third is risk hedging (both internal and external), requiring pre-reserving resources intended to offset potential losses. The objective isn't to reduce the likelihood of a risk event per se but to cushion the financial blow or introduce deferred deal conditions.

A well-executed AML risk assessment is more than a compliance exercise — it is a strategic safeguard for the stability and profitability of an M&A deal. In 2025, smart banks will see AML not as a regulatory burden but as a cornerstone of sustainable M&A growth. These banks will not only protect their bottom line but also demonstrate that growth and compliance are not mutually exclusive. One ensures the sustainability of the other.

For reprint and licensing requests for this article, click here.
AML M&A Regulation and compliance
MORE FROM AMERICAN BANKER