State-Level AML Enforcement Gets Wise

Today we have another example of U.S. state regulators stepping up their own enforcement regimes against corporations for compliance failures. That’s not quite a new trend, but it is one that seems to be accelerating as the Trump Administration retreats from vigorous corporate enforcement generally. Let’s take a look.

What happened? The states of New York, California, Texas, Massachusetts, Nebraska, and Minnesota banded together to bring a joint enforcement action against Wise U.S., the U.S. subsidiary of British money-transfer business Wise Inc. The six states faulted Wise for poor anti-money laundering compliance practices, and last week announced a settlement that imposed a $4.2 million fine and numerous AML compliance program improvements. 

We review the AML compliance failures momentarily. The larger news for financial firms is that the states brought their enforcement action under the coordination of the Conference of State Bank Supervisors. This is the second instance this year of a multi-state enforcement action under the auspices of the CSBS (the first happened in January, when all 50 states collectively fined three mortgage servicers $20 million for poor cybersecurity practices), when typically a CSBS enforcement action would make news sometime between never and when hell freezes over. 

Moreover, the Consumer Financial Protection Bureau previously sanctioned Wise in January, fining the company $2.02 million for misleading customers about account fees and charges. Except, that settlement was a holdover from the Biden Administration; once the Trump 2.0 crew arrived, new CFPB leadership cut the penalty down to $45,000. 

Clearly the states’ enforcement action was underway before the CFPB decided to gut its own settlement; it’s incorrect to say that this new multi-state settlement happened because of the CFPB retreat. Still, it’s a sign of the enforcement times that states are looking to fill that vacuum in enforcement authority by whatever means are at their disposal. The CSBS is one such means. 

Consider this statement from Khalil Mohseni, commissioner of the California Department of Financial Protection & Innovation: “This action highlights the ongoing collaboration between the DFPI and other state regulators to strengthen consumer protection and uphold trust in the financial services industry nationwide.”

I suspect we’ll hear more such pronouncements from state regulators in the future.

Wise’s AML Compliance Issues

So exactly what were the AML compliance issues at Wise that provoked the states’ ire? The consent order struck between Wise and the states tells the tale. 

State bank examiners showed up at Wise at the start of 2024 to perform a routine examination of the firm’s compliance efforts. That exam documented numerous shortcomings, including:

• Failure to commission an independent review of the AML compliance program “on a frequency commensurate with services provided;”
• Deficiencies in Wise’s processes for investigating and reporting suspicious activity, including failure to file suspicious activity reports in a timely manner;
• Various data integrity issues related to transaction monitoring;
• Failure to correct issues raised in prior examinations and internal audits in a timely manner. 

So, nothing we haven’t seen many times before in other AML enforcement actions; we just typically see those actions from federal regulators such as FinCEN or the Office of the Comptroller of the Currency, rather than from U.S. states.

For its part, Wise said it has made “significant remediation efforts” to prevent similiar failures in the future. Those steps include better procedures for data integrity, customer due diligence, and documentat; and a look-back exercise on previously closed accounts to see whether any suspicious activity had been happening there, too. 

Even better, Wise promised that it will “ensure adequate levels of personnel and resources are available to manage the amount and complexity of case alerts” to assure those timely SAR filings. How many people that might be isn’t clear, but in its most recent annual report, Wise’s global parent reported that it moved £145.2 billion across borders for 15.6 million people and businesses in fiscal 2025, a 23 percent increase compared to the prior year. The company is clearly on a healthy growth path, so it does need to invest in its compliance capabilities to keep pace.

Wise also promised to undertake independent testing of its AML compliance program, including quarterly testing of transaction data to confirm the effectiveness of Wise’s internal controls and data integrity; and quarterly written reports to verify that all corrective actions Wise has promised to make are actually happening. 

Lastly, Wise must submit its own quarterly progress reports to all six state regulators for the next two years. 

For the record, Wise neither confirms nor denies any of the allegations included in the six states’ consent order. Yet another example of how state-level enforcement follows the federal model, I suppose.