586 institutions fined 576 million yuan! In the first quarter, banking anti-money laundering and data security regulation tightened

In the first quarter of 2026, banks collectively received more than 500 million yuan in regulatory penalty notices.

According to iFinD data, as of the midday of March 31, a reporter from the International Finance News had searched and found a total of 625 penalty records issued by the People’s Bank of China, the National Financial Regulatory Administration, and their local branches, with total fine amounts reaching as much as 576 million yuan, including three penalties at the tens-of-millions level. By drilling down into the industry’s penalty reasons, it can be seen that since the first quarter, regulation in the areas of anti-money laundering and data security has been tightening.

Experts interviewed said that the regulatory logic is moving from compliance-based oversight in the past to a new stage characterized by systematization, penetration-style supervision, and a focus on substance. Regulatory tools will also be upgraded in terms of digitalization, which will further enhance regulatory penetration and deterrence. Banks should shift from passive rectification to proactive governance, and build a “systematic, intelligent, and normalized” compliance management system.

Credit violations remain a “major trouble spot”

According to iFinD data, this year’s first quarter saw at least 586 banking institutions (including head offices, branches, credit card centers, etc.) receive regulatory penalty notices.

Judging from the types of institutions punished, state-owned banks and local rural commercial banks and township banks together account for more than half. In the first quarter, penalty records involving six state-owned large banks totaled 191, accounting for 30.56%. Penalty records for rural commercial banks and township banks combined totaled 175, accounting for 28%.

In terms of penalty amounts, the total penalties imposed on the banking industry in the first quarter reached 576 million yuan. Middle and small banks have high violation frequency, but large banks impose larger penalties per case. Specifically, state-owned large banks’ head offices and their branches were jointly fined more than 175 million yuan.

In terms of the amount per single penalty notice, there were three penalties at the tens-of-millions level in the first quarter, with penalty amounts of 42.9551 million yuan, 42.2289 million yuan, and 11.10 million yuan, respectively. There were nine penalty notices of more than 5 million yuan, involving institutions such as Agricultural Bank of China’s Zhejiang branch, Zhejiang MinTai Commercial Bank, and Quanzhou Bank.

In addition, from January to March this year, the number of penalty notices showed a downward trend month by month, at 330, 155, and 140 respectively, and the overall amount of penalties for single notices in March declined as well.

After reviewing the types of violations by the punished institutions, the reporter found that credit violations remain a “major trouble spot.” This includes not only issues in traditional credit, but also violations in businesses such as credit cards, bills, and letters of credit. In addition, violations related to related-party transactions and issues such as inadequate employee conduct management, inflated loan and deposit balances, and failure to perform duties after not being approved for qualifications to hold posts also appear in large numbers.

In the view of Shi Shuo, an assistant researcher at Fudan Development Research Institute and an assistant director of the macroeconomic research center at Ping’an Fudan, the regulatory logic is moving from the compliance-based oversight stage of the past to a new stage characterized by systematization, penetration-style supervision, and a focus on substance.

“The regulator’s focus is no longer satisfied with whether a bank has a system; rather, it is whether the system is effectively operating. At the 2026 Financial Stability Work Conference, the PBOC emphasized that efforts should be advanced to make technology-driven empowerment more profound and practical, and to strengthen financial risk monitoring, assessment, early warning, and early correction—showing that regulatory tools will also improve their digitalization level, which will further enhance regulatory penetration and deterrence,” Shi Shuo analyzed.

Anti-money laundering and data security penalties are being stepped up

Since the beginning of this year, the intensity of penalties for anti-money laundering and data security has been continuously increasing.

In terms of anti-money laundering supervision, using the 141 penalty notices in March as the statistical object, penalty notices involving “failure to conduct customer due diligence in accordance with regulations” and “violating anti-money laundering management regulations” totaled 52, accounting for more than one-third. For example, penalty information released on March 2 by the PBOC Qingyuan branch shows that the Guangdong Fogang Rural Commercial Bank, for violating regulations related to financial statistics, payment and settlement, financial technology, money and precious metals, the treasury, credit reporting, and anti-money laundering business management, was warned and fined 17.262 million yuan. Another example: Pingxiang Rural Commercial Bank was warned and fined because of issues such as “failure to conduct customer due diligence in accordance with regulations,” with a penalty amount of 9.943 million yuan.

It is worth noting that on November 28, 2025, the PBOC, the National Financial Regulatory Administration, and the CSRC jointly released the Measures for the Administration of Financial Institutions’ Customer Due Diligence, Customer Identity Data, and Transaction Record Retention (hereinafter referred to as the “Measures”), which took effect on January 1, 2026.

Shi Shuo pointed out that the growth in anti-money laundering penalty notices centers on the core violation point of “failure to conduct customer due diligence in accordance with regulations.” The Measures upgrade the former “customer identity identification” to “customer due diligence.” This requires banks to shift from static “checking ID cards” to dynamic “know your customer,” to penetrate and identify the beneficial owners, and to continuously monitor transaction behavior. Many banks have not yet adapted to this shift, leading them to repeatedly cross the line in cases such as “failure to report suspicious transactions in accordance with regulations” and “transactions with customers whose identities are unclear.” Moreover, they have invested insufficiently in anti-money laundering technology systems (such as abnormal transaction monitoring models) and in talent reserves, making it difficult to effectively identify complex money-laundering patterns.

As for data security, during March there were also 23 penalty records involving “violating regulations on cybersecurity management” and “violating regulations on data security management.” For example, on March 27, the PBOC Hubei branch issued a penalty notice to Hubei Bank. The bank was fined 24.99 million yuan because it was involved in 10 unlawful acts including cybersecurity and data security.

Looking ahead, Shi Shuo believes that keeping the bottom line of avoiding systemic risk will remain the overall regulatory approach. To this end, issues such as the normalized regulation of real estate financing, local government debt, and illegal financial activities, and the continued prohibition of funds being idle for churn, regulatory arbitrage, making risk easier to contain at small and medium institutions, and corporate governance and shareholder supervision are still expected to be regulatory priorities.

“Banks should shift from passive rectification to proactive governance, and build a ‘systematic, intelligent, and normalized’ compliance management system. In particular, they should establish a full lifecycle data security management mechanism, break data silos, and strengthen the investigation and cleanup of ‘dark data’ (historical data scattered in personal computers and test databases). In addition, they should establish dynamic customer risk profiles and implement due diligence throughout the full lifecycle,” Shi Shuo advised. “Small and medium banks, in particular, should address governance shortcomings and talent gaps. They can rely on provincial credit unions or the lead arranger bank to establish shared anti-money laundering service centers and data security monitoring centers, using intensive operations to reduce compliance costs for individual institutions.”

大量资讯、精准解读，尽在新浪财经APP