In the world of financial crime compliance, knowing who your customer is isn’t enough. You need to understand what they actually do.
At The Data City, we provide real-time company classification to help banks and FinTechs meet their KYB (Know Your Business) and AML (Anti-Money Laundering) obligations with greater speed, accuracy, and confidence.
Our technology replaces outdated SIC codes and vague self-declared activity data with AI-driven insights into real-world business operations.
This isn’t a theoretical problem. Misclassifying a company’s activities can lead to missed red flags, regulatory breaches, and in some cases massive fines under regulations such as the UK Money Laundering Regulations (MLR 2017) and Financial Conduct Authority (FCA) rules.
One of the clearest examples? Santander UK.
Santander’s £107.7 Million fine
In December 2022, the FCA fined Santander UK £107.7 million for serious failings in its AML controls.

The bank failed to properly oversee more than 560,000 business customers over several years, with some firms operating in ways that completely contradicted their declared business types.
Examples included:
- A translation company that moved over £250 million through its account
- A wholesaler that in reality was acting as an unlicensed payments firm
Despite red flags, these inconsistencies weren’t picked up or escalated, leading to prolonged regulatory breaches.
Why it happened
The FCA was clear: Santander didn’t understand what many of its business customers actually did.
Santander UK’s processes failed to ensure that staff onboarding business banking customers obtained sufficient information to understand the nature of a customer’s business.
The FCA cited breaches of its Principles for Businesses, particularly Principle 3, which requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
This wasn’t a one-off mistake; it was a broader failure in how the bank classified and monitored customers. The core issues:
- It relied too heavily on what customers said they did during onboarding
- It used vague, outdated SIC codes to assign risk
- It lacked systems to detect high-risk activity or changes over time
- It didn’t review or escalate suspicious cases when red flags appeared
Without accurate business classification, the bank couldn’t assess risk properly — and missed serious warning signs.
The problem with SIC codes
Looking at the final notice published by the FCA, there’s one customer (“Customer A”) that highlights these issues clearly.
On paper, they listed their SIC code as 64999 – “Financial intermediation not elsewhere classified.” However, documents obtained during the onboarding process described their business as a “Travel Agency”.

But their website URL included the term “FX” (a common reference to foreign exchange) and the site itself made it clear the business was involved in currency services. This is a high-risk activity under UK AML rules and should have triggered Enhanced Due Diligence (EDD).
Instead, the business was given a standard risk rating. No one verified the declared information or checked the website. Over time, £269 million flowed through the account before the issue was picked up.
Internal data misalignment
The FCA also found that Santander wasn’t even aligned with the publicly available data.
The SIC code used internally by Santander for Customer A didn’t always match what Companies House or commercial data providers held for the same company. In other words, not only were the SIC codes vague and outdated, Santander’s own internal versions were inconsistent with official records, compounding the problem.
This wasn’t an isolated case. In a review of 51,600 business customers, the FCA found 38% had SIC codes that didn’t match external sources like Companies House. That meant thousands of businesses were likely misclassified, and potential risks were left unmanaged.
If you get the classification wrong at onboarding, everything downstream, from risk scoring to transaction monitoring, starts on the wrong foot.
How The Data City could have helped
This is exactly the kind of challenge our platform is designed to solve.
At The Data City, we’ve built a classification infrastructure to help financial institutions accurately understand and monitor what businesses do in real time — not what they claim to do.
Real-Time SIC Codes (RSICs) fix the limitations of traditional SIC codes by using AI and web data to reclassify every UK company based on what it actually does, not what it declared at incorporation.

Real-Time Industry Classifications (RTICs) go further, offering a new layer of classification for the modern economy. Built by combining machine learning with expert validation, RTICs cover sectors that traditional systems miss — including FinTech, Crypto, AI, and Embedded Finance.
If Santander had used The Data City:
- Customer A would have been reclassified more accurately using RSICs. Instead of relying solely on the vague 64999 code, our system would have assigned a more complete and realistic profile based on the company’s website and activity patterns. Most likely, this would have included:
  - 64999 – Financial intermediation not elsewhere classified
  - 62012 – Business and domestic software development
  - 66120 – Security and commodity contracts dealing activities
  - 66190 – Activities auxiliary to financial intermediation n.e.c.
- The company would also have been placed into RTIC sectors such as:
  - FinTech: Crypto Asset Exchange
  - or the broader Cryptocurrency Economy
- Our keyword detection engine would have flagged risk signals in real time — including terms like “FX”, “foreign exchange”, and “remittance” from the company’s website — prompting Enhanced Due Diligence (EDD) at onboarding.
This intelligence would have allowed compliance teams to assess the customer’s risk profile far more accurately, triggering reviews and safeguards before £269 million flowed through the account.
A better way to know your business customers
As part of its role to protect consumers and maintain market integrity, the FCA has repeatedly penalised firms for poor management of their AML systems. It has fined Standard Chartered Bank £102.2 million, HSBC Bank plc £63.9 million, and its investigation led to NatWest being fined £264.8 million.
These cases underline the cost of non-compliance, not just financially, but reputationally. The common thread? A failure of AML risk management and a lack of understanding of what customers actually do.
Misclassifying business customers isn’t just inefficient, it’s dangerous. As the Santander case shows, poor classification can lead to missed red flags, enforcement action, and reputational damage.
With The Data City’s real-time classification tools, banks and FinTechs can onboard faster, assess risk more accurately, and avoid the regulatory blind spots that cost Santander £107 million.
Ready to improve your KYB data? Talk to us or sign up for a free trial today to see the data in action.