Olinda, a company owned by Qonto, has been sanctioned by the Bank of Italy with a €390,000 penalty for serious deficiencies in its anti-money laundering framework. The sanction underscores how weaknesses in compliance processes create fertile ground for money laundering, and how regulators are no longer tolerating gaps in fintech subsidiaries that present themselves as modern alternatives to traditional banks. This case stands as a reminder that money laundering risks are amplified when due diligence, suspicious transaction reporting, and record-keeping are treated as administrative obligations rather than core defenses.
Money laundering risks at Olinda SAS
The Bank of Italy’s inspection carried out between January and April 2024 focused on Olinda’s Italian operations and identified multiple systemic flaws. Inspectors concluded that the company failed to ensure adequate organization and internal controls. Among the key deficiencies were incomplete customer profiling, weak ongoing due diligence, and inconsistent approaches to verifying beneficial ownership.
Customer due diligence is not a mere formality. By failing to properly verify clients, Olinda left its operations exposed to high-risk customers who could exploit gaps to deposit illicit funds or layer transactions across borders. This weakness in profiling is one of the oldest and most well-documented entry points for laundering proceeds from fraud, tax evasion, and organized crime.
The inspection also uncovered failures in data retention. Under Legislative Decree 231/2007, financial institutions are required to retain client and transaction records for at least ten years. Olinda’s failure to consistently preserve this data meant that authorities would struggle to reconstruct financial trails in the event of an investigation. Missing or incomplete records weaken the integrity of the financial system and allow launderers to obscure the origin of their funds.
Even more concerning was the omission of suspicious transaction reports. Italian law makes filing of these reports a central obligation for financial intermediaries. When red flags are ignored, the Financial Intelligence Unit cannot perform its role of analyzing patterns and escalating cases to law enforcement. Olinda’s omissions created blind spots where suspicious activity could pass undetected, depriving investigators of critical intelligence.
The combination of inadequate internal controls, missing records, and omitted reports is precisely the scenario criminals exploit. A fintech platform that scales rapidly without embedding AML rigor effectively opens its infrastructure to those seeking to disguise illicit proceeds. The €390,000 fine, although modest compared to the potential harm, is meant to highlight that even partial compliance failures have systemic consequences.
The regulatory framework and obligations
The sanction against Olinda is rooted in a dense legal framework designed to protect the integrity of Italy’s financial system. At its core is Legislative Decree 231/2007, which transposed EU Directive 2005/60/EC into Italian law, later amended by Legislative Decree 90/2017 to incorporate Directive 2015/849. Together, these laws impose obligations around customer identification, beneficial ownership verification, transaction monitoring, record-keeping, and reporting of suspicious activity.
The Bank of Italy has issued further detailed provisions over the years to ensure consistent application. In 2019, it released rules on internal procedures and controls, emphasizing the independence of compliance functions and requiring institutions to align monitoring with risk profiles. The 2019 and 2020 provisions on customer due diligence and record preservation reinforced the requirement that financial intermediaries implement risk-based systems rather than generic, box-ticking exercises.
Olinda breached multiple articles of this framework. Articles 7 and 16–20 of the decree define the requirements for adequate verification of clients, while Articles 35 and 62 mandate that suspicious transactions be reported without delay. Article 62 also establishes administrative sanctions when obligations are ignored. The Bank of Italy concluded that Olinda’s omissions were serious enough to justify a fine, but not so severe as to require suspension of operations.
By acting under Article 145 of the Italian Banking Act and Article 65 of the AML decree, supervisors formally communicated the charges, offered Olinda the chance to respond, and then considered mitigating actions. While Olinda argued that it had taken remedial steps, the Bank of Italy decided that the gravity of the breaches outweighed the mitigating factors.
This demonstrates how the supervisory process works in practice: institutions are given the chance to defend their actions, but where evidence shows systemic failure, sanctions follow. In Olinda’s case, the process concluded with a pecuniary penalty of €390,000, finalized by a resolution of the Bank’s Directorate.
Lessons for fintech compliance programs
The Olinda case is a textbook example of how fintech subsidiaries can underestimate the complexity of AML compliance. While traditional banks have long-established compliance departments, fintechs often try to embed AML functions within lean operational models, emphasizing automation and user experience over manual checks.
Yet the very characteristics that make fintech attractive to customers—speed, ease of onboarding, cross-border availability—are the same that attract money launderers. Without rigorous profiling, criminals can exploit digital onboarding to open accounts under false identities or through shell companies. Without robust transaction monitoring, illicit flows can be broken down into micro-payments, layered across multiple jurisdictions, and reassembled elsewhere with little trace.
Olinda’s omission of suspicious activity reports is particularly telling. Reporting is not optional. It is the critical link between the private sector and national financial intelligence efforts. By failing to file reports, Olinda deprived authorities of crucial leads. Even if only a fraction of unreported transactions were linked to criminal proceeds, the missed opportunity for detection is significant.
For fintech compliance officers, three strategic lessons emerge from the Olinda sanction:
- Resourcing and independence of AML teams: Compliance officers must have enough staff, authority, and independence to challenge business decisions.
- Technology supported by human oversight: Automated onboarding and monitoring tools reduce costs, but without experienced professionals to interpret alerts, high-risk activity can slip through unnoticed.
- A proactive culture of reporting: Filing suspicious transaction reports should be framed as a positive action that protects the institution and the financial system, not as a bureaucratic burden.
Qonto, as the parent company, must now demonstrate that Olinda’s deficiencies are not reflective of broader group practices. Investors and regulators will watch closely whether corrective measures are fully implemented and whether governance structures prevent similar failures in the future.
Broader implications for the financial sector
The fine imposed on Olinda is not an isolated event. Across Europe, regulators are paying increased attention to fintech subsidiaries, electronic money institutions, and payment service providers. These players are now central to financial ecosystems, handling billions in transfers, and therefore represent both opportunities and vulnerabilities in the fight against money laundering.
The Olinda case highlights that regulators expect fintechs to meet the same standards as established banks. There is no grace period or exemption because of a digital-first model. Moreover, fines are only one dimension of enforcement. Repeated or severe breaches can lead to restrictions on business activities, reputational harm, or even revocation of licenses.
For the wider financial community, the sanction raises a deeper point: AML compliance is not just about satisfying legal requirements, but about ensuring the credibility of the financial sector itself. When institutions allow blind spots to persist, they risk becoming tools for criminal groups. This not only erodes public trust but also creates vulnerabilities that can be exploited for tax evasion, drug trafficking, corruption, or terrorist financing.
By sanctioning Olinda, the Bank of Italy has reinforced the principle that fintech innovation cannot come at the cost of financial integrity. For compliance professionals, the case illustrates the enduring importance of embedding AML considerations at the heart of strategic planning, rather than treating them as peripheral obligations.
Source: Banca d’Italia (PDF)