AML Sweden: Increased SFSA Sanctioning, Model Risk Management, and New EBA Guidelines on Remote Customer Onboarding

Written by Carl-Fredrik Hedengren,
Advisor and CEO
AML Audit & Advisory AB

Amidst the rapid evolution of regulatory demands, businesses are grappling with increasing pressure to meet rigorous anti-money laundering (AML) standards. Authorities are intensifying their reviews and sanctions, leaving no room for complacency. At the same time, the European Banking Authority (“EBA”) is presenting new AML rules.

For a couple of years, a particular focus has been on, among other things, the accounting industry, where compliance has been and still is acknowledged to be uneven. Companies in the industry are sanctioned on an ongoing basis. For other types of companies, it is necessary to adapt to the EBA’s new rules on onboarding of remote customers, which must be complied with from 2 October 2023.

This blog post sheds light on the key developments shaping the Swedish AML landscape, highlighting three crucial areas of focus:

  • Learnings from the recent SFSA sanctions and advice on mitigating risk;
  • General risk assessment deficiencies in the audit and accounting firms;
  • How to get ready for EBA’s new rules on remote customer onboarding by October 2nd.

Insights from SFSA’s Investigation on Goobit Group: Findings on Model Risk Management

In June 2023, the Swedish Financial Supervisory Authority (“SFSA”) concluded its investigation of Goobit AB, one of the first cryptocurrency exchanges in Sweden. According to the SFSA, Goobit has had shortcomings in its work against money laundering and terrorist financing.

The decision does not include any actual new regulatory interpretations from the authority, but addresses shortcomings that are common in several industries. In particular, the section on “model risk management” is of interest in many industries.

Model Risk Management in practice

Companies that use models (e.g. weighted scoring systems to risk classify customers) must establish procedures to manage the risks associated with the models. The SFSA reminds companies that the model must be robustly designed and validated at least annually (or more often, e.g. if a new customer category is brought in).

Sanctions in accounting and auditing firms: How to strengthen your general risk assessment practice?

The county administrative boards, in particular, maintain a high pace of supervision of accounting firms. The Swedish Inspectorate of Auditors supervises auditors. A number of sanctions have been announced in the past quarter. A recurring deficiency among the companies, which is reflected in the sanctions, concerns the general risk assessment. Some risks are omitted entirely, or are insufficiently described. With inadequate general risk assessments, practical measures are also generally insufficient, as they are supposed to be ‘risk-based’.

Authorities’ expectations of general risk assessments have increased significantly in recent years, without the rules themselves changing significantly at the same time.

Our advice is to review your general risk assessment. Doing so both simplifies the practical AML work and reduces the risk of sanctions from the authorities.

Supervisory cases in currency exchanges unveil compliance deficiencies

The Swedish Financial Supervisory Authority has initiated supervisory cases against, among others, five currency exchanges. Four of these have now chosen to revoke their registrations themselves during ongoing cases. The reason is most likely (recitals have not been published) that significant compliance deficiencies have been identified. The industry has a high exposure to money laundering, while the companies, which often have very limited human resources, find it difficult to comply with all AML rules in a satisfactory manner.

New EBA rules on remote customer onboarding: How to get ready by October 2nd, 2023?

The European Banking Authority has presented new rules on how operators should act when onboarding remote customers.

The rules apply to the following categories: credit institutions, insurance undertakings, fund managers, marketing units, insurance intermediaries, as well as a number of types of financial institutions, and branches thereof. For a full list, see art. 3.1-3.2 of Directive (EU) 2015/849: https://eur-lex.europa.eu/legal-content/SV/TXT/PDF/?uri=CELEX:32015L0849

The rules have an impact on a number of areas, and require updating of the following documents by the companies:

  • Onboarding and KYC procedures
  • Education plan
  • General risk assessment
  • Outsourcing routines
  • Operational and technical risks
  • Compliance control plan
  • Routine description for CFA
  • Test and evaluation plans

The requirements are very detailed and far-reaching. The rules have several purposes. On the one hand, the authorities want the companies themselves to be sure that the right person is onboarded and that fraud is avoided, and on the other hand, customers should be better protected through increased IT security. These central rules are supplemented by requirements in the areas of internal controls, training, etc. For companies that already use BankID or other electronic identification schemes notified under article 9 of Regulation (EU) No 910/2014, the rule implementation is simplified.

Because the rules may require new systems to be introduced at the companies, the implementation process should begin as soon as possible. As mentioned above, the rules will enter into force in Sweden on 2 October 2023.

Meeting Swedish AML requirements with Penneo KYC

I collaborated with Penneo to develop the legal framework for their KYC software, adapted to the requirements of the Swedish AML laws.

Penneo KYC is now available in Sweden. Book a personalized session with our KYC experts.

Disclaimer: This article applies to the AML updates in Sweden. Be aware that country-specific differences exist if you are dealing with AML compliance in a country other than Sweden.
