The Swedish Financial Supervisory Authority Finansinspektionen has imposed a historically large administrative fine on Swedbank for serious violations of money laundering legislation and of provision of information.

The case assessed Swedbank’s compliance with national anti-money laundering regulations in its Swedish banking operations and in its subsidiaries in Latvia, Lithuania and Estonia. It was also assessed how Swedbank had complied with its disclosure requirements to Finansinspektionen. According to the assessment, Swedbank had failed to fulfil its obligation to identify, measure, steer, internally report and control the money laundering risks associated with their business.

Customer risk assessment and monitoring of ongoing business relationships

The risk classification model was, according the decision, not in line with the bank’s general risk assessment and did not take into account all of the high-risk products and industries the bank had identified in its general risk assessment. Therefore, the risk classification model had rated several high-risk customers as customers of moderate risk.

A large part of the transaction volumes of the Baltic subsidiaries consisted of transactions with foreign customers or were directed at high-risk countries. In addition, a large part of the transaction volumes belonged to domestic customers with foreign beneficial owners. A significant proportion of these were customers who had been classified by banks as high-risk customers. According to Finansinspektionen, due to foreign connections and the high-risk rating of customers, it would have been particularly important to establish effective and appropriate practices for preventing money laundering. Due to the deficiencies a significant part of the subsidiaries’ operations were exposed to an increased risk of money laundering.

Deciding the sanction

Finansinspektionen considered several of Swedbank’s violations to be particularly serious and therefore considered withdrawal of the bank’s authorization. According to the preparatory works of the Swedish Anti-Money Laundering Act, a warning is considered an appropriate measure when the conditions to withdraw an authorization are present, but a warning appears to be sufficient in the matter in question. Mitigating circumstances include, for example, the active facilitation of Finansinspektionen’s investigations and the bank’s actions to rectify infringements if these measures indicate that the bank is unlikely to repeat the violations.

According to Finansinspektionen, Swedbank had not facilitated the investigation, but had taken and intended to take extensive measures to rectify the identified deficiencies and the forecast for the bank could thus be considered positive. Therefore, a warning was considered a sufficient sanction.

The maximum amount of the administrative fine must correlate with the severity of the violations. The starting point for assessing the maximum amount of the administrative fine was Swedbank’s turnover; according to current Swedish law, the maximum administrative fine shall be determined to ten per cent of the group turnover. Before the amendment of the Act, the maximum administrative fine was ten per cent of the credit institution’s turnover. Since the violations took place both before and after the amendment, Finansinspektionen used the average of the maximum amounts in the previous and new provisions to assess the amount of the administrative fine. Swedbank’s turnover amounted to SEK 52.08 billion, and the corresponding turnover at the group level amounted to SEK 60.36 billion. Therefore, the cap for the administrative fine according to the older provisions amounted to SEK 5.21 billion and according to the new provisions to SEK 6.04 billion. The average of these amounts was SEK 5.62 billion, which Finansinspektionen found to be the cap for the administrative fine.

What was considered in the assessment?

Finansinspektionen paid particular attention to the following points:

• The risk assessment and the risk classification of customers must be connected.
• The risk classification model that Swedbank used in the Swedish banking operations for customer risk assessment did not, according to Finansinspektionen, consider all the risks the bank had identified in its general risk assessment since some high-risk industries and products were not included as high-risk factors in the risk classification model.
• As a result, the bank had customers that had been rated as moderate-risk clients leading to no enhanced customer due diligence measures being taken.
• Resources and competence in the subsidiary banks to combat money laundering.
• Roles and responsibilities of the personnel shall be clear.
• The board must be informed of the risks and shortcomings associated with customer projects.
• The compliance function must be sufficiently independent.
• Subsidiary banks must have a risk management system and clear instructions for high-risk customers on how to manage foreign customers and beneficial owners.
• The monitoring systems must compare the extent and nature of the customer transactions to their historical transactions or to information provided by the customer and take into account the personal risk classification of the customers.
• Customer due diligence data and information about the purpose of the customer relationship and the scope of the business are collected for further use in the ongoing monitoring of the customer relationship.
• The system had only taken into account a small part of high-risk customer transactions since the monitoring of high-risk customers did not differ from monitoring of other customers.
• Monitoring should use the customer’s individual information and business history, not only compare the customer transactions to other transactions at a general level.

• A corporation as large as Swedbank cannot rely on manual updates of customer risk classifications to fulfil the requirements of the Anti-Money Laundering Act.

• An entity under Finansinspektionen’s investigation must provide all requested information.
  • According to the decision, Swedbank had neglected to disclose internal material to Finansinspektionen for evaluation of the bank’s operations.
  • According to the decision, an authority information request does not have formal requirements and it does not need to reference to something that the authority is not aware of at the time of the request. Therefore, the authority does not have to be aware of all the circumstances in order to require information on them.

What conclusions can be drawn from the solution?

Entities subject to the reporting obligation under the Anti-Money Laundering Act may accept high-risk customers. However, high risk customers set high requirements on internal processes and guidelines for prevention of money laundering and require plenty of resources and competence.  The decision emphasized the parent company’s responsibility to provide subsidiaries with necessary guidance to prevent money laundering as well as to systematically monitor the subsidiaries’ compliance with money laundering regulations and to respond to deficiencies at a low threshold.

The decision emphasized that, instead of a reactive approach, the prevention of money laundering should be proactive. The procedures, guidelines and processes concerning the prevention of money laundering should be proportional to the size and nature of the business. Particular attention should be paid to the characteristics of transactions and customers and possible links to high-risk countries as well as the customer’s personal risk classification that is based on the above mentioned factors.

Both The Fourth Anti-Money Laundering Directive and European Supervisory Authorities’ Joint Guidelines on Risk Factors provide examples of risk-enhancing factors that banks and other entities under anti-money laundering regime must consider in their risk assessments. These are, for instance, customers’ links or transactions to high-risk countries as well as transactions made without personal contact with the customer. Non-resident beneficial owners may also constitute an elevated risk; according to FATF, multinational corporate structures are often used for money laundering purposes due to the weak possibilities to control such arrangements. Private banking customers are also generally considered to constitute a higher risk of money laundering since such customers often carry out large and complex transactions.

The decision has been published on the website of Finansinspektionen.

Katja Flittner, Senior Associate, tel. +358 50 410 0512, [email protected]