When the bank asks for your enterprise-wide risk assessment – what does the anti-money laundering act require?

When your bank requests your enterprise-wide risk assessment or other documentation regarding your compliance with the anti-money laundering act, it is to confirm that you have assessed the risks of money laundering and terrorist financing in your business in accordance with the legislation. Banks are legally obliged to know their customers and may request this documentation and use it in their risk assessment of you as a customer. Without a complete risk assessment, you risk the bank restricting your services or declining to establish a business relationship, as customers who do not follow the rules are naturally viewed as a high money laundering risk.

The anti-money laundering act requires all in-scope businesses to prepare an “enterprise-wide risk assessment”, regardless of size or sector. Whether you employ one person or several, the assessment must be performed. Smaller businesses are often less complex, which means the scope will be proportionate. The assessment must be documented and reflect risks linked to customer types, products and services, distribution channels and geography. It is not enough to “know your customer” – you must demonstrate a systematic aml risk assessment methodology to identify, analyse and manage risks at business level, supported by clear risk assessment documentation.

Which businesses must apply the anti-money laundering act?

The legislation covers not only financial institutions but also a range of professional services that could be exploited for money laundering or terrorist financing. If you operate in accounting, bookkeeping or certain types of advisory work, the rules may apply to you. Where a business is in scope of the aml regulations, it is also subject to supervision. Depending on the type of activity, different authorities or organisations exercise supervision. The categories below are grouped by supervisory body.

Businesses supervised by the County Administrative Board (Länsstyrelsen)

• Professional trade in goods, where the business receives or pays cash of EUR 5,000 or more, in one or several transactions.
• Pawnbroking activities.
• Bookkeeping services provided by, for example, accounting consultants or accounting firms.
• Professional tax advisory services.
• Independent lawyers when, in their practice, they perform tasks equivalent to those that apply to advocates and law firms as set out below.
• Intermediation, storage or trade in works of art where the amount paid or received totals EUR 10,000 or more, in one or several transactions.
• Professional services involving: (i) forming legal persons, selling limited companies and brokering legal persons; (ii) acting as a director or company officer; (iii) providing a registered office or postal address to a legal person; and (iv) acting as a nominee shareholder for another, except where acting for a legal person listed on a regulated market.

Businesses supervised by the Swedish Financial Supervisory Authority (Finansinspektionen)

• Banking or financing business under the Swedish Banking and Financing Business Act (2004:297).
• Life insurance business.
• Occupational pensions under the Occupational Pension Companies Act (2019:742).
• Investment services under Chapter 2, Section 1 of the Securities Market Act (2007:528).
• Currency exchange or other financial operations under the Currency Exchange and Certain Financial Operations Act (1996:1006).
• Insurance distribution relating to life insurance under the Insurance Distribution Act (2018:1219).
• Issuance of electronic money under the Electronic Money Act (2011:755).
• Fund operations under the Investment Funds Act (2004:46).
• Payment services as a payment institution or registered payment service provider.
• Managers of alternative investment funds under the Alternative Investment Fund Managers Act (2013:561).
• Consumer credit under the Act on Certain Consumer Credit Operations (2014:275) (repealed; relevant during a transition period).
• Housing credit under the Act on Certain Housing Credit Operations (2016:1024).
• Crowdfunding services under Regulation (EU) 2020/1503 on European crowdfunding service providers for business.

Businesses supervised by the Swedish Bar Association (Advokatsamfundet)

• Advocates and law firms when providing services involving: acting in a client’s name and on their behalf in financial transactions or real estate transactions.
• Assisting in planning or executing, on a client’s behalf: purchases and sales of real estate or businesses; management of client money, securities or other assets; opening or managing bank, savings or securities accounts; obtaining capital needed to form, operate or manage businesses; and forming, operating or managing companies, associations, foundations or trusts and similar legal structures.

Other supervised businesses

Estate agents or estate agency firms with special registration for tenancy brokerage or full registration under the Estate Agents Act are supervised by the Swedish Estate Agents Inspectorate (Fastighetsmäklarinspektionen).

Licensed or registered gambling activities under the Gambling Act are supervised by the Swedish Gambling Authority (Spelinspektionen).

Authorised or approved auditors and registered audit firms are supervised by the Swedish Inspectorate of Auditors (Revisorsinspektionen).

It is the actual activities that determine whether the anti-money laundering act applies – not job titles, company names, corporate form or external descriptions. If you act as a consultant or adviser, you are in scope if you carry out measures covered by the law, for example bookkeeping services, even as an add-on for one or a few clients. If so, you must implement an aml framework with aml policies and procedures, perform the risk assessment and comply with supervision.

Know Your Customer (KYC): what the bank must establish

The bank needs to understand you as a customer, including which customers you serve, to understand the purpose of the relationship and expected transactions – all to support a correct customer risk assessment. The bank gathers information on your business, for example ownership structure, beneficial ownership verification and how you implement the swedish anti money laundering act. This information forms the basis for assessing risk in the relationship. If, for example, you serve higher-risk customers, you may be classified as higher risk yourself.

• Identification and verification of you as customer and your beneficial owner.
• Understanding your business, purpose and operating model.
• Ongoing monitoring of transactions and risk profile.
• Reporting to the Swedish Financial Intelligence Unit (Finanspolisen) in case of unusual behaviours or transactions.

Properly conducted KYC allows the bank to assess whether your business presents a low, medium, high or unacceptable risk. This may affect the scope of services and the measures the bank must take. A robust risk based approach, supported by an aml risk assessment template, increases consistency and auditability.

What happens if you do not submit your risk assessment?

If you fail to provide your enterprise-wide risk assessment when requested, the banking relationship may become difficult or be terminated. The bank may restrict or even refuse access to payment, clearing or other financial services. The bank must act where customer due diligence is insufficient and, in serious cases, may report you to the Swedish Financial Intelligence Unit. Beyond regulatory impact, delays can harm your reputation in the market. By acting proactively and engaging the right expertise, you minimise operational disruption and supervisory consequences. If you do not have internal expertise to produce or quality assure the assessment, engage an experienced AML lawyer – especially when interacting with the bank or a supervisory authority. We advise clients across Europe.

How to produce a compliant enterprise-wide risk assessment under the anti-money laundering act

To meet the requirements, first identify risks linked to customer types, services offered, distribution channels and geographic exposure. Then analyse those risks considering internal and external factors. Finally, document the assessment in a structured format that can be shared with the bank or a supervisory authority on request. Using a clear aml risk assessment methodology and keeping risk assessment documentation current are essential.

• Description of method and analysis process.
• Mapping of the business, including customer base structure, services offered, distribution channels and geographic exposure.
• Risk rating per risk factor (customer risk assessment, product risk assessment, distribution channels and geographic risk assessment).
• Where relevant, an action plan to manage identified risks.

Once prepared, review and update the assessment regularly – particularly when customers, operations or law change. Even if nothing changes, review it annually to ensure it remains current and compliant over time. This keeps you ready to evidence compliance to your bank or a supervisory authority and aligns with good practice under the anti-money laundering act and wider aml regulations.

Common questions on banks’ AML requirements

Is it enough to collect customer data at onboarding? No. The rules require ongoing updates to KYC throughout the relationship, especially when circumstances change.

Is it sufficient to perform the assessment internally? If you have relevant expertise, yes. Otherwise, external AML counsel is strongly recommended to avoid errors and misunderstandings when dealing with a bank or supervisory authority.

How often must we update the assessment? Review on material change – for example new services, major changes in customer base or new legislation – and at least annually. Embedding a disciplined aml framework and a risk based approach will help you maintain compliance with the swedish anti money laundering act.

We provide legal support on AML and the anti-money laundering act. Our AML lawyers can help you prepare or review your enterprise-wide risk assessment and other documentation to evidence compliance, and advise in discussions with both banks and supervisory authorities across Europe.