AML checklist: five key areas after the Financial Supervisory Authority’s sanction on Svea Bank

8 mins read • Simon • ANTI–MONEY LAUNDERING • 23 December 2025

In December 2025, the Swedish Financial Supervisory Authority (Finansinspektionen) issued Svea Bank AB with a remark and an administrative fine of SEK 170 million for extensive shortcomings in its efforts to combat money laundering and terrorist financing. The infringements concerned, among other things, the enterprise-wide risk assessment, customer risk classification, customer due diligence (KYC), enhanced due diligence for high-risk customers, and documentation; they are analysed in this post by an AML lawyer.

Although the decision targets a specific bank, the conclusions are directly relevant for banks, payment institutions, finance companies and other obliged entities subject to the anti-money laundering framework. The Financial Supervisory Authority particularly emphasises that small and medium-sized banks can no longer expect to “fly under the radar” – risk is now considered significant there as well, since larger banks have tightened their controls and threat actors instead turn to smaller institutions.

Legal framework in brief

The Swedish AML framework is based on a risk-based approach to AML. In simplified terms, the core can be described as follows:

  • The firm must understand the risks of money laundering and terrorist financing in its business (enterprise-wide risk assessment).
  • The firm must assess the level of risk inherent in each customer relationship (the customer’s risk profile).
  • The firm must hold sufficient customer due diligence to manage the identified risk – otherwise the business relationship must not be established or may not continue.
  • The firm must take enhanced due diligence measures for high-risk customers, including understanding the customer’s economic background and the source of funds.
  • The firm must document and retain information so that it can evidence, after the fact, which assessments and checks were actually conducted.

The decision against Svea illustrates what happens when the AML programme fails and how weaknesses “infect” other elements – for example, from a weak enterprise-wide risk assessment to inadequate customer risk profiles and deficient KYC.

Svea’s shortcomings – typical pitfalls

In its decision, the Financial Supervisory Authority identified, among other things, the following deficiencies at Svea:

  • The enterprise-wide risk assessment did not cover all products and lacked assessments of both money-laundering and terrorist-financing risks for several services.
  • When two companies were merged, it took almost a year before an updated, consolidated risk assessment applied to the merged business.
  • The customer risk model (customer risk profile) did not factor in all high-risk indicators the bank itself had identified.
  • Identification of the beneficial owner was deficient; in many cases no search was made in the Companies Registration Office’s register of beneficial owners.
  • Information on the purpose and intended nature of the business relationship was often too generic to support anomaly detection.
  • Enhanced due diligence for high-risk customers was entirely absent in several cases, or conducted without understanding the customer’s financial situation and the source of funds – in some instances long after the customer had been rated high risk.
  • Documentation lacked dates, and CDD information was scattered across systems in a way that hampered oversight and control.

Against that background, here is a practical AML checklist in five parts that can be used internally by the board, senior management, the AML function and the first line.

AML checklist – five priority areas to secure

The checklist supports internal control, self-assessment, routine updates or preparation for supervision by the Financial Supervisory Authority.

1. Enterprise-wide risk assessment

Svea was criticised for failing to identify and document risks tied to specific products, and for shortcomings in connection with mergers:

  • Have we assessed the risk of every individual product and service we offer – including what may be perceived as “standard” or low risk, for example Swish-type solutions, overdrafts or invoice-based payments? (product risk assessment and service risk assessment)
  • Have we assessed both money-laundering and terrorist-financing risks for all products? (In Svea’s case, terrorist-financing assessments were missing for several products.)
  • If we merge companies, acquire a business or onboard products from another group entity – do we perform a new enterprise-wide risk assessment immediately in the receiving entity? We cannot rely solely on a previous assessment in another company.
  • Are all analyses, including conclusions from workshops and risk meetings, formally documented in or as appendices to the enterprise-wide risk assessment? References to undocumented discussions or loose notes are not sufficient.

2. Customer risk classification (customer risk profile)

The Financial Supervisory Authority found that Svea’s model did not capture all high-risk factors identified in the enterprise-wide risk assessment:

  • Does our model for customer risk classification take account of all high-risk factors we have identified in the enterprise-wide risk assessment? For example:
    • cash-intensive sectors (construction, restaurants, cleaning, hairdressing, gaming, etc.),
    • companies with nominee directors or complex ownership structures.
  • Is it clear in the model which factors are high risk and how they affect the customer’s risk class?
  • Have we validated the model (tested that it works as intended) before go-live and when we made major changes? This follows from the Financial Supervisory Authority’s AML regulations.
  • Do we document the model’s assumptions, limitations and data inputs – so we can explain to the Financial Supervisory Authority why a customer receives a particular risk class?
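The control questions above describe what a customer risk model has to be able to show: that every high-risk factor from the enterprise-wide risk assessment is actually scored, that it is clear how each factor moves the risk class, and that the model was tested before go-live. The following is an added example, not Svea's model and not anything prescribed by the Financial Supervisory Authority; the factor names, weights, thresholds and the sample customers are constructed assumptions. It shows a small rule-based classifier that returns its reasons with every decision, a gap check that lists EWRA factors the model silently ignores (the Svea finding), and a pre-go-live validation routine.

```python
"""Explainable rule-based customer risk classification with a gap check.

Added example. Every factor name, weight, threshold and customer below is a
constructed assumption; none of it is taken from Svea's model or any
regulatory guidance.
"""
from dataclasses import dataclass, field

# Constructed: high-risk factors a hypothetical enterprise-wide risk
# assessment (EWRA) has identified. The customer risk model must score all.
EWRA_HIGH_RISK_FACTORS = {
    "cash_intensive_sector",
    "nominee_director",
    "complex_ownership",
    "high_risk_geography",
    "pep_or_rca",
}

# Constructed: sectors this example treats as cash-intensive.
CASH_INTENSIVE_SECTORS = {"construction", "restaurant", "cleaning",
                          "hairdressing", "gaming"}

# Constructed weights: points each factor adds to the customer's score.
MODEL_FACTORS = {
    "cash_intensive_sector": 3,
    "nominee_director": 4,
    "complex_ownership": 3,
    "high_risk_geography": 4,
    "pep_or_rca": 5,
}

# Constructed class thresholds, checked from highest to lowest.
THRESHOLDS = [(7, "high"), (3, "medium"), (0, "low")]


@dataclass
class Customer:
    customer_id: str
    sector: str
    has_nominee_director: bool = False
    ownership_chain_depth: int = 1   # corporate layers above the customer
    foreign_owner: bool = False
    high_risk_country: bool = False
    pep_or_rca: bool = False


@dataclass
class RiskDecision:
    risk_class: str
    score: int
    triggered: list[str] = field(default_factory=list)


def evaluate_factors(c: Customer) -> list[str]:
    """Return the names of the model factors this customer triggers."""
    triggered = []
    if c.sector.lower() in CASH_INTENSIVE_SECTORS:
        triggered.append("cash_intensive_sector")
    if c.has_nominee_director:
        triggered.append("nominee_director")
    if c.ownership_chain_depth > 2 or c.foreign_owner:
        triggered.append("complex_ownership")
    if c.high_risk_country:
        triggered.append("high_risk_geography")
    if c.pep_or_rca:
        triggered.append("pep_or_rca")
    return triggered


def classify(c: Customer) -> RiskDecision:
    """Score the customer and return the class together with its reasons."""
    triggered = evaluate_factors(c)
    score = sum(MODEL_FACTORS[f] for f in triggered)
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return RiskDecision(label, score, triggered)
    return RiskDecision("low", score, triggered)  # unreachable, score >= 0


def explain(decision: RiskDecision) -> str:
    """Human-readable reason string, the kind a supervisor can be shown."""
    parts = [f"{f} (+{MODEL_FACTORS[f]})" for f in decision.triggered]
    reasons = ", ".join(parts) if parts else "no high-risk factors triggered"
    return f"class={decision.risk_class} score={decision.score}: {reasons}"


def model_gap_analysis(ewra_factors: set[str], model_factors: dict) -> set[str]:
    """EWRA high-risk factors the model never scores (the Svea-type gap)."""
    return set(ewra_factors) - set(model_factors)


def validate_model() -> list[str]:
    """Pre-go-live checks: coverage, sane weights, and a known-answer case."""
    problems = []
    missing = model_gap_analysis(EWRA_HIGH_RISK_FACTORS, MODEL_FACTORS)
    if missing:
        problems.append(f"model ignores EWRA factors: {sorted(missing)}")
    if any(w <= 0 for w in MODEL_FACTORS.values()):
        problems.append("a high-risk factor has a non-positive weight")
    # Constructed known-answer case: nominee director in a cash sector.
    probe = Customer("probe", "construction", has_nominee_director=True)
    if classify(probe).risk_class != "high":
        problems.append("known high-risk case not classified as high")
    return problems


if __name__ == "__main__":
    for cust in (Customer("c1", "restaurant"),
                 Customer("c2", "software"),
                 Customer("c3", "construction", has_nominee_director=True)):
        print(cust.customer_id, explain(classify(cust)))
    print("validation problems:", validate_model() or "none")
    print("gap if model only scored PEP/RCA:",
          sorted(model_gap_analysis(EWRA_HIGH_RISK_FACTORS, {"pep_or_rca": 5})))
```

The point of `model_gap_analysis` is that it is run against the documented EWRA factor list, so a factor added to the enterprise-wide risk assessment (or a product brought in through a merger) shows up as a model gap before go-live rather than in a supervisory file review; `explain` gives the dated, reviewable reason the documentation question above asks for.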

3. KYC – beneficial owner, and purpose and intended nature

The Financial Supervisory Authority identified deficiencies in how Svea analysed ownership structures and the purpose and intended nature of business relationships. Here are key control questions:

Verification of the beneficial owner

  • Do we always search the Companies Registration Office’s register of beneficial owners and retain evidence (for example, an extract or screenshot) to demonstrate the search was performed?
  • Do we go beyond identifying a single person and map the full ownership structure to determine whether others exercise significant control if, for example, one person owns 25%?
  • Do we have procedures to escalate unusual or complex ownership structures, for example chains of companies, foreign owners or nominee directors?

Purpose and intended nature of the business relationship

  • Do we ask sufficiently detailed questions to understand how the customer intends to use the account, credit products or payment services – not merely “general business operations”?
  • Do we assess the plausibility of the customer’s information against other sources, for example annual reports and registered data? Examples:
    • high stated turnover but historically no turnover,
    • declared salary payments but no staff costs in the annual report,
    • care-of address to a private individual combined with supposedly extensive operations.
  • Do we document both the customer’s information and our own plausibility assessment (not just a tick in a system)?

4. Enhanced due diligence for high-risk customers

For high-risk customers, Svea at times performed only light-touch checks, such as media monitoring, which did not address the financial risks in the relationship.

  • Once a customer is rated high risk, do we obtain information on the customer’s economic background and the source of funds, in addition to baseline checks?
  • Do we tailor our enhanced measures to the specific risk in the relationship (product, sector, geography, ownership structure, etc.)?
  • Do we take enhanced measures immediately after the risk is identified? The Financial Supervisory Authority noted cases where measures were taken up to a year later.
  • Do we ensure the outcome of enhanced measures actually feeds back into our ongoing risk assessment, transaction monitoring and any decision to restrict or exit the relationship?

5. Documentation and orderliness

Svea was criticised for undated documents and information dispersed across systems, making it difficult to evidence when checks were performed and what CDD existed at a given time.

  • Are all core AML records and notes dated – including checks of beneficial ownership, PEP/RCA screening, collected information on purpose and intended nature, and risk-class decisions?
  • Is CDD information consolidated so it is easy to retrieve and identify during internal control, Financial Supervisory Authority supervision or a criminal investigation?
  • Have we avoided spreading KYC data across systems that do not “talk” to each other – or at least designated a clear “golden source” for customer due diligence?
  • Do we have procedures for retention and deletion in line with statutory AML record-keeping requirements?

How financial institutions can proceed

The decision against Svea shows that the Financial Supervisory Authority requires tight alignment across all parts of the AML effort – from the enterprise-wide risk assessment through to concrete actions in individual customer relationships and disciplined documentation.

Practical next steps for banks, finance companies and fintechs may include:

  • Conducting a targeted review of the enterprise-wide risk assessment to ensure it covers all products, including those perceived as standardised.
  • Performing a gap analysis between the assessment and the customer risk model – are all relevant high-risk factors captured with the right weighting?
  • Running file sampling focused on beneficial ownership, purpose/intended nature and enhanced measures for high-risk customers.
  • Reviewing structure, system support and responsibilities for documentation – who ensures CDD records are complete, dated and retrievable?
  • Ensuring the board and senior management receive adequate reporting on AML status and deficiencies so that remediation can be prioritised at the right level.

At Morling Consulting, our AML lawyers help companies, banks and fintechs analyse money-laundering risks, strengthen models and processes, and design documentation that withstands supervisory scrutiny – before deficiencies lead to interventions and administrative fines.