Money Laundering

On 1 August 2017, new regulations came into force regarding measures against money laundering and terrorist financing. In these pages we provide information about what firms in the financial industry need to do to comply with the new regulations.

Rules on money laundering and terrorist financing

In Sweden, two main laws govern efforts to combat money laundering.

The Money Laundering and Terrorist Financing (Prevention) Act (the Anti-Money Laundering Act) is the administrative framework applying to firms in certain sectors. The purpose of the regulations is to prevent firms from being used for money laundering and terrorist financing.

Firms that are subject to the Anti-Money Laundering Act are responsible for reporting, without delay, suspected money laundering or terrorist financing in their operations to the Financial Intelligence Unit within the Swedish Police. Reporting shall be done as instructed by the Financial Intelligence Unit. Firms can contact the Financial Intelligence Unit by e-mailing fipo@polisen.se or calling 010-56 368 00.

The Act on Penalties for Money Laundering Offences is the criminal law framework covering money laundering and terrorist financing. Under the Act, laundering money is a criminal offence.

Finansinspektionen's task is to supervise the financial firms that are subject to the Anti-Money Laundering Act to ensure their compliance with the rules set out therein to prevent them from being used for money laundering.

Terrorist financing

Activities that constitute “terrorist financing” are described in the Money Laundering and Terrorist Financing (Prevention) Act (the Anti-Money Laundering Act).

The law mentions collecting, providing or receiving assets in order for them to be used, or with the knowledge that they are intended to be used, to commit such criminal offences as set out in the Act on Criminal Responsibility for the Financing of Particularly Serious Crime in Some Cases, or for such travel as set out in the Act on Criminal Responsibility for Public Provocation, Recruitment and Training concerning Terrorist Offences and other Particularly Serious Crime.

Finansinspektionen's responsibility is to ensure that the financial firms take measures in accordance with the Anti-Money Laundering Act, which is the administrative framework applying to firms in certain sectors to prevent them from being used for terrorist financing.

Firms subject to the Act

Both financial firms and non-financial business operators are subject to the Money Laundering and Terrorist Financing (Prevention) Act.

Finansinspektionen is responsible for supervising the financial firms. Other authorities and self-regulating bodies are responsible for supervising the non-financial entities. This page sets out the authority or self-regulating body which is responsible for supervising the respective business operators.

Finansinspektionen supervises natural and legal persons conducting

  • banking or financing business
  • mortgage lending business
  • life insurance business
  • securities business
  • financial operations subject to a notification obligation
  • currency exchange subject to an application obligation
  • deposit business
  • insurance mediation of life insurance
  • issuance of electronic money
  • fund operations
  • payment institutions
  • operations to provide payment services without being a payment institution
  • alternative investment fund management
  • certain consumer credit-related operations.

Process – work method for measures to counteract risks of money laundering

These steps should be included in a comprehensive process to avoid the risk of being used for money laundering and the financing of terrorism.

Risk assessment

Banks, insurance companies and other financial firms must perform an assessment of the risk of the products and services they offer being used for money laundering or terrorist financing. The firm must also assess the scope of this risk.

When the firm performs a general risk assessment, it must take account, among other things, of the following factors:

  • type of products and services offered
  • customers and distribution channels
  • geographic risk factors.

It might also be worth looking at analyses and measures for monitoring and reporting conducted at the firm. Further guidance is provided in the annexes of the fourth Money Laundering Directive, which addresses factors and indicators for high and low risk, respectively. FATF's website contains a number of reports on the risk of money laundering and terrorist financing in areas such as private banking, crowdfunding and correspondent bank relations. The European Banking Authority (EBA) has prepared guidelines on risk factors in financial services.

Due consideration must also be given to information brought to light in the firm's reporting to the Financial Intelligence Unit on suspicious activities and transactions. Information received by the firm from authorities, for instance on commonplace methods for laundering money and financing terrorism, shall also be taken into account.

Scope of the risk assessment is determined by size and business

The scope of the general risk assessment is determined by the size and nature of the business. 'Size' refers, for example, to sales, number of employees, number of operational units, etc. 'Nature' refers, for example, to the type of business conducted, the goods or services provided, and the extent of their complexity. The scope of the general risk assessment can thus vary from firm to firm.

The risk assessment must be up-to-date

The general risk assessment must be documented. It must also be evaluated regularly and updated as needed. It must be evaluated at least once a year. Before the firm offers new or materially modified products and services, the risk assessment must also be updated.

The firm's risk assessment forms the basis of the firm's procedures, guidelines and other measures against money laundering and terrorist financing. It is therefore crucial that it is up to date.

Procedures

A firm shall have in place procedures and guidelines in terms of measures for customer due diligence, monitoring, reporting and processing of personal data.

Procedures and guidelines to counteract money laundering and terrorist financing shall be risk-based and proceed on the basis of the firm's general risk assessment. That means that they shall be devised so as to manage and counteract the risks identified by the firm.

The procedures and guidelines shall be documented. In a group, the parent company shall establish common procedures and guidelines to apply throughout the entire group.

The bill for the new Anti-Money Laundering Act lists three categories of procedures and guidelines.

The first category has the purpose of providing guidance on which measures should be taken in different situations. Examples include verifying ID, breaking down customers into risk classes, enhanced customer due diligence measures and monitoring activities and transactions. These procedures shall be risk-based.

The second category is linked to the firm's staff, such as background screening and staff training. This also includes procedures for protecting staff from threats, etc. ensuing from them performing controls and other measures to fulfil the firm's obligations under the Anti-Money Laundering Act.

The third category pertains to compliance and internal control functions. It is a matter of which duties are to be performed by the various functions – specially appointed executive, appointed officer for controlling and reporting obligations and independent audit function. This also includes model risk management procedures.

Model risk

If a firm has risk management models, for instance for risk management and risk classification of customers, there must be procedures in place to quality-assure and enhance the models used. A firm's model risk management procedures shall contain a description of the underlying theory and the assumptions that led to how the models were devised. Furthermore, firms shall have model validation procedures that ensure that they function as intended and serve their purpose (risk classification of customers, etc.).

Functions at the firm

There must be specific internal control functions. The firm must always appoint an appointed officer for controlling and reporting obligations. Also, a particular designated officer and an independent audit function must be appointed – if motivated in light of the size and nature of the business.

Specially appointed executive

The particular designated officer is responsible for the implementation of the measures needed to comply with the Anti-Money Laundering Act and the regulations.

The function is responsible for

  • performing and updating the general risk assessment
  • there being in place internal and common procedures and guidelines, and updating them
  • verifying and performing follow-up to ensure that measures and procedures are carried out
  • reporting to the board of directors or managing director.

The particular designated officer is able to delegate certain tasks, or appoint one or several deputies. However, actual verification that the measures are indeed implemented in the operations, and reporting to the board and CEO of the firm, cannot be delegated.

Appointed officer for controlling and reporting obligations

There must always be an appointed officer for controlling and reporting obligations. It shall be placed within the firm and be independent in relation to the functions and areas it is to monitor and verify.

Basic duties consist of ongoing responsibility for controls, and ensuring that reporting to the Financial Intelligence Unit is carried out.

The function shall also

  • perform monitoring and controls to ensure that the firm is compliant with laws, regulations and internal procedures and guidelines
  • provide advice and support, and information and training
  • provide information to authorities upon request
  • verify that procedures and guidelines are appropriate and effective
  • be responsible for reporting suspicious transactions and activities to the Financial Intelligence Unit
  • report to the board of directors or CEO.

Independent audit function

The responsibilities of the independent audit function include reviewing and evaluating the efficiency and appropriateness of

  • organisation, IT systems, procedures and guidelines
  • internal control
  • risk management based on the general risk assessment
  • reliability and quality of the work conducted by the firm's other control functions

In this context, the function shall only perform its review based on the rules in the anti-money laundering regulations. What constitutes an "appropriate review" can be judged based on the needs of the firm in its business. The independent audit function shall report directly to the board of directors of the firm.

The independent audit function shall, in organisational terms, be separate from the functions and areas it is to monitor and control. Employees of the function may not participate in the work of other functions or in the operating activities.

The firm may outsource the tasks of the independent audit function. In such cases, it is important to remember that the firm is always responsible for the outsourced activities.

Training

A firm’s employees shall receive training to provide them with sufficient knowledge to follow the firm’s anti-money laundering procedures and guidelines.

A firm shall ensure that persons performing duties of significance to preventing the business from being used for money laundering and terrorist financing continually receive relevant training and information. This applies to employees, contractors and other people in the business.

The training shall ensure that employees have sufficient knowledge to ensure that the firm's procedures and guidelines are followed.

The content of the training shall be adapted to the employee's duties and responsibility, and the firm's general risk assessment. The timing of training and supplementary training shall be adapted to what the firm decided in its risk assessment and to any changes to the business or work duties.

The training shall inform of rules and guidelines, but also convey facts about trends, patterns, methods and other aspects with which those concerned might need to be familiar in order to prevent and detect attempts at money laundering and terrorist financing.

A firm shall document the training carried out. The content of the training session, the list of participants and the date on which it was held shall be included in such documentation.

Customer due diligence

The firm must possess solid knowledge about its customers and their affairs so as to make it more difficult for the business to be used for, and to prevent, money laundering or terrorist financing.

Measures to attain customer due diligence shall proceed on the basis of the firm's general risk assessment in combination with an assessment of the risk presented by the individual customer.

Without sufficient knowledge about the customer, a firm may not establish or maintain a business relationship, or carry out occasional transactions.

Neither may a firm establish a business relationship if it is suspected that its products and services might be used for money laundering or terrorist financing. Similarly, a firm may not carry out a transaction if, on reasonable grounds, it could suspect money laundering or terrorist financing.

Firms shall always take measures to attain customer due diligence about a customer with whom they establish business relationships. This also applies to an occasional transaction if it equates to EUR 15,000 or more, or to several transactions which, combined, equate to the same amount.

Customer due diligence measures

Identifying and verifying customer identity

With the requirement to identify the customer, the firm must ask about the customer's name and other relevant information. Such information is important for determining whether the customer is a politically exposed person. The firm must then verify that the identity matches the information. The degree of thoroughness of such controls varies depending on the risk associated with the customer.

Beneficial owner

The firm shall investigate whether the customer has a beneficial owner; that is, a person who directly or indirectly exercises controlling influence over the customer. The firm shall investigate the customer's ownership and control structures, in order to understand any potential risk posed by the customer. In that case, it might be necessary to ask the customer additional questions. It is also important to verify whether the beneficial owner is to be considered a politically exposed person.

If the customer has a beneficial owner, it is important to verify the identity of that person.

If the beneficial owner cannot be determined, the firm shall verify the identity of a person who is the chairman of the board, managing director or equivalent executive.

Politically exposed person (PEP)

If a customer is to be considered a politically exposed person, the firm must take enhanced measures – i.e. it must always find out the origin of the assets processed in a business relationship or individual transaction. It also means that approval shall be obtained from an authorised decision-maker prior to entering a business relationship. The firm must also carry out enhanced continual follow-up of the business relationship.

When a politically exposed person has ceased to perform their functions, the enhanced measures shall be applied for a minimum of 18 months and until it is considered that the person no longer poses a risk of money laundering or terrorist financing.

The provisions regarding enhanced measures shall also be applied to family members and known colleagues of a politically exposed person.

High-risk third country

A firm shall verify whether the customer is established in a non-EEA country which has been identified as a high-risk third country by the European Commission.

Purpose and nature of the business relationship

A firm shall obtain information about the purpose and nature of the business relationship. The information shall form the basis of

  • an assessment of the activities and transactions that can be expected of the customer in the context of the business relationship
  • a risk classification of the customer

If factors emerge that indicate a high risk, the firm shall take enhanced customer due diligence measures.

Adapting measures to the situation

The extent of the measures to be taken depends on the complexity of the service or product concerned, and the risk associated with it. Sometimes, the risk in a business relationship or transaction can require the firm to obtain more information about the customer's financial situation and/or information about the origin of the customer's financial funds.

Managing EU sanctions

In terms of terrorist financing, an important customer due diligence measure is screening the customer against the EU's consolidated list of persons, entities and groups that are subject to EU sanctions.

Risk classification

Customer due diligence measures shall be adapted based on an assessment of the extent of the risk of being used for money laundering and terrorist financing.

The assessment of the risk of being used for money laundering and terrorist financing shall be performed based on the firm's general risk assessment and its knowledge of the customer. Due consideration shall also be given to the descriptions set out in law of circumstances that could indicate low or high risk. The European supervisory authorities for the financial market have also published Risk Factor Guidelines that further exemplify various risks.

Risk in the firm's operations

A firm shall perform a general risk assessment of its operations, i.e. it shall risk-classify

  • its products and services
  • the geographic area in which it is located and operates
  • the type of customers the firm has
  • the transactions and distribution channels used by customers

An example of an area where a higher risk classification might be needed is products and services with a complex structure. Another example is if a firm approaches an international market.

Risks associated with the individual customer

Besides the firm's general risk assessment, the firm shall also assess the risk associated with the individual customer and business relationship. Depending on the risk associated with the customer, different customer due diligence measures shall be taken. If the risk in a business relationship is considered low, the firm may take simplified due diligence measures. If the risk is considered high, enhanced due diligence measures shall be taken.

Monitoring

A firm shall review transactions in order to detect transactions and other activities that could be suspected to form an element of money laundering or terrorist financing.

A firm shall also regularly monitor ongoing business relationships. That means verifying and documenting to ensure that executed transactions are consistent with the information possessed by the firm about the customer, the customer's business and risk profile and – if necessary – the origin of the customer's funds.

Documents, information and disclosures related to the controls shall be kept up-to-date. The ongoing follow-up is part of the customer due diligence process and cannot be performed properly without sufficient and up-to-date documentation regarding the business relationship.

The ongoing follow-up shall be adapted to the customer's risk. A customer considered to pose a high risk requires more thorough follow-up than one considered to pose a low risk.

Two-part follow-up

This ongoing follow-up consists of two parts. One part consists of continually analysing the customer due diligence data retrieved, assessing whether it is sufficient and up to date, and whether the customer's assessed risk has changed.

The other part consists of verifying the customer's transactions to see whether the customer's behaviour is in line with, or deviates from, expectations. In practice, the second part is often linked to the firm's transaction monitoring.

Record keeping

Documents and information about customer due diligence measures taken shall be kept by the firm for five years. The period shall be calculated from the date the measures were taken or, in the case of a business relationship having been established, from the date the business relationship ended.

If the documents or information present any indication of money laundering or terrorist financing, if a report of suspicions has been submitted to the Financial Intelligence Unit, and if an authority has informed the firm that they must be saved, documents or information shall be kept for ten years.

These documents and information shall be stored securely, electronically or on paper. The firm shall ensure that they are easy to access and identify.

Reporting to the Financial Intelligence Unit

You are obliged to review and report suspicious transactions. Proof does not have to exist of money laundering or terrorist financing actually having occurred.

A report must be submitted without delay to the Financial Intelligence Unit. Firms can contact the Financial Intelligence Unit by e-mailing fipo@polisen.se or calling 010-56 368 00.
