When the alarm works but nobody answers it
Bunq, one of Europe’s largest neobanks, spent years arguing it had some of the most advanced financial crime technology in banking. In 2025 it was fined anyway, and the reason should give pause to every compliance leader who assumes good detection is enough.

Ask most compliance teams where the real risk in their operation sits, and they will point you toward detection. Are we screening against current sanctions data, are our models catching the right patterns, are we missing anything? It is a reasonable instinct, and the entire monitoring industry is built around feeding it. Yet a growing share of the enforcement actions landing on European fintechs tell a stranger story, one in which the detection worked exactly as intended and the firm was penalised regardless.
The Bunq case is the clearest recent example, and it is worth understanding in some detail, because the lesson in it applies to almost everyone.
Bunq is not the kind of bank you would expect to lose an argument about monitoring technology. Founded in Amsterdam in 2012, it was one of the first companies to be granted a European banking licence in decades, and it now serves several million customers across the continent as one of the region’s largest digital challenger banks. It has spent years positioning itself as one of the most technologically aggressive players in European finance, to the point where, back in 2022, it actually took the Dutch central bank to court for the right to use artificial intelligence in its anti-money laundering checks, and won.
So when the same regulator turned around three years later and issued a €2.6 million fine, the natural assumption was that something in the technology must have broken. A model that missed a match. A screen that failed to run. A blind spot somewhere in the data.
That assumption was wrong, and the way in which it was wrong is the most instructive thing about the entire case.
When De Nederlandsche Bank examined four high-risk customer files from the period between January 2021 and May 2022, the problem it found was not that Bunq had failed to notice anything. It was that the bank, in the regulator’s own words, had been deficient in following up on its transaction monitoring alerts, so that signals of possible financial crime were not investigated in sufficient depth, if at all.
The alarms had gone off. Several of them, in fact. What was missing was anyone reliably answering them.
The detection worked. The very technology Bunq had fought so hard to defend did its job. The fine landed in the space that came afterwards.
The failure that never shows up in a demo
This is worth sitting with for a moment, because it cuts against the grain of how most fintechs buy and think about compliance.
When a firm goes shopping for a monitoring solution, the demonstration is almost entirely about detection. How quickly does it screen, how current is the sanctions data, how clever is the model at catching the pattern a tired human would miss.
Detection is visible, it demonstrates well, and it is reassuring, which is partly why the European market for it has become so mature and so crowded.
What no demonstration ever shows you is the part that actually landed Bunq in trouble. That part is the unglamorous and largely invisible machinery of what happens to an alert once it has been raised.
Who picks it up, and how quickly? Whether it gets a proper investigation or merely a passing glance. Whether, when the analyst who opened it goes on leave, anybody else even knows it is sitting there waiting. And, perhaps most importantly, whether at the end of the whole process there is a clear record showing what was decided and why it was decided that way.
The regulator was direct about the consequence. Because Bunq had not carried out adequate ongoing monitoring in those four files, it did not have sufficient insight into the customers or their transactions, and given the severity and the extent of the deficiencies, DNB judged the fine to be both necessary and appropriate.
One detail from the findings lingers in particular. The regulator observed that Bunq could not always explain why it had treated similar transactions as suspicious in some instances but not in others.
That is not a detection failure at all. It is the signature of a missing process sitting behind otherwise capable detection.
Why onboarding gets the attention and refresh gets none
There is a structural reason this kind of failure has become so common, and it comes down to where firms instinctively spend their energy.
Onboarding feels like the moment that matters. It is the front door of the relationship, it is where the commercial pressure concentrates, and it is where the satisfying green tick appears the moment a new client clears their checks. Teams pour real resources into making that first verification feel effortless.
But onboarding is only a photograph, taken once, on the day the relationship begins.
Regulation has never asked for a photograph. It asks for something closer to continuous footage, because customers do not remain frozen in the state they were in on day one.
A director joins a government advisory board and quietly becomes a politically exposed person. A clean company is acquired by an entity carrying a very different risk profile. An account that has sat dormant for two years suddenly begins receiving large payments from unfamiliar third parties.
Every one of these is an event that a monitoring system can detect, and very often does.
The difficult question, and the one the Bunq case ultimately turns on, is what happens in the days that follow once a signal has fired.
Here is how the life of a single alert tends to play out inside a fast growing firm that has invested heavily in detection but barely at all in the workflow sitting behind it.

At no point in that sequence did the technology let anyone down. The smoke alarm worked perfectly. What was absent was the fire brigade, by which I mean a defined process to receive the signal, weigh it against everything else competing for attention, act on it within a sensible window, and leave behind a record proving that the action was taken.
The pressure is building from two directions at once
If this were merely the story of one bank enduring a difficult couple of years, it would be easier to set aside. It is not. Two forces are pressing down on European fintechs at the same time, and together they make this particular failure more likely rather than less.
The first is regulatory. The European Union's new Anti Money Laundering Authority, together with its Single Rulebook, is raising the baseline expectation for what ongoing monitoring actually means, pushing firms toward continuous assessment of risk rather than periodic checks taken at a single point in time. The definition of what counts as ongoing is being written down and enforced, and the Bunq penalty is plainly part of an escalating European pattern. Within the same window the United Kingdom's Financial Conduct Authority fined Starling Bank £29 million and Monzo around £21 million for financial crime control failures, and a theme running through these cases is that controls did not scale alongside growth.
The second force is scale itself, and it is the quieter of the two. The reason most often cited for the penalties handed to challenger banks across Europe is not malice or indifference. It is simply that their compliance frameworks failed to grow in step with their customer bases. In the Starling case the regulator noted that customer numbers had climbed from roughly 43,000 in 2017 to 3.6 million by 2023, while the financial crime controls did not keep pace. A process that copes comfortably when a diligent analyst handles a manageable trickle of alerts begins to fracture once the volume multiplies and the headcount stays flat. The cases that slip through are, almost by definition, the very ones a regulator will later choose to examine.
THE PATTERN REGULATORS KEEP NAMING
Across recent European and UK enforcement, the finding repeats with striking consistency. It is rarely that firms could not see the risk. It is that they could not show, when asked, what they did once they had seen it. The detection was present. The defensible, documented follow up was not.
The answer is not sharper detection, it is orchestration
If the failure keeps occurring in the space between the alert and the action, then that space is where the investment needs to go. Detection, for most regulated fintechs, is already good enough. Orchestration, the layer that governs what happens next, is the part that tends to be missing, and it is precisely what an orchestration layer is built to handle.
In practice that comes down to a handful of things working in concert. It means every alert being routed and prioritised automatically according to risk, rather than dropping into one undifferentiated pile where the genuinely urgent case looks identical to the fortieth false positive of the week. It means deadlines that escalate on their own and cases that get reassigned the moment someone steps away, so that nothing slides into invisibility simply because one person forgot. It means that when a refresh requires updated documents from a client, the outreach and the chasing happen on their own rather than depending on an analyst's memory. And above all it means that every alert, every investigation, and every conclusion, including the entirely legitimate conclusion that a flagged transaction turned out to be nothing at all, is captured with a rationale, a timestamp, and a named owner. When a regulator pulls the file fourteen months later, the answer to the question of what you did about this is a single click away rather than a frantic reconstruction.
None of this takes the human out of the loop, and that distinction matters more than anything else in the discussion. The analyst still investigates. The money laundering reporting officer still makes the call. The accountability remains exactly where regulation insists it must sit, with a responsible and named individual. What changes is that the person's judgment gets spent on the cases that genuinely deserve it, at the right moment, with the surrounding administrative work captured automatically rather than left to chance.
THE PRINCIPLE UNDERNEATH ALL OF IT
Automation should handle the work, which is to say the routing, the chasing, the document collection, and the record keeping. The human keeps the decision. And the system proves, in a way that nobody can dispute after the fact, that the decision was made, when it was made, and on what basis. Automate the work, keep the decision, prove everything.
What that €2.6 million actually paid for
It is worth returning, in the end, to where this started. The penalty Bunq received was not the price of a detection failure, because the detection had worked. It was the price of being a firm that could identify a problem yet could not adequately demonstrate that it had acted on it. And in compliance, an action you cannot evidence is, for every practical purpose that matters to a regulator, an action you did not take. It should be said that Bunq has formally objected to the decision and the matter remains under appeal, but the principle the regulator articulated holds regardless of how that particular dispute is eventually resolved.
This is the uncomfortable shift that perpetual KYC imposes on every regulated fintech operating in Europe today. It is no longer enough to know that something about a customer has changed. You have to be able to show, whenever you are asked, what your firm did in response, when it did so, and on what basis, and you have to be able to do that continuously, across the whole of your client base, through every refresh cycle, without a single case slipping quietly through the gaps because one analyst happened to be buried that particular week.
None of that is a detection problem. The market quietly solved detection years ago. It is an orchestration problem, and it is the one most firms have yet to solve.



