AML shortcomings in Zimpler – implications for payment providers

When a company engages an AML lawyer to secure compliance with anti-money laundering rules, the underlying work must withstand regulatory scrutiny. This is made clear in the recent decision by the Swedish Financial Supervisory Authority (FI), where the payment service provider Zimpler AB received a remark and an administrative fine of SEK 3 million for shortcomings in its efforts to prevent money laundering and terrorist financing. The Swedish Financial Supervisory Authority found that Zimpler lacked a sufficient overall risk assessment, customer risk assessment and customer due diligence in an environment with high exposure to gambling. These types of deficiencies drive not only money laundering risk but also the risk of fraud within payment flows.

What the Zimpler sanctions decision covers

The sanctions decision concerns Zimpler’s handling of the AML regulatory framework during the period from July 2023 to April 2024. The Swedish Financial Supervisory Authority concludes that the company failed in its central risk management, its assessment of customer risk and its procedures for customer due diligence. At the same time, the authority assesses that the breaches are not so serious that Zimpler’s authorisation should be withdrawn or that a formal warning should be issued. Instead, a remark combined with an administrative fine is considered a proportionate response.

Three central shortcomings highlighted by the Swedish Financial Supervisory Authority

In its decision, the Financial Supervisory Authority identifies three core shortcomings in Zimpler’s AML framework:

• Insufficient overall risk assessment: Zimpler lacked an adequate analysis of how the company’s currency exchange service could be misused for money laundering or terrorist financing.
• Deficient customer risk assessment: Despite a high-risk profile – including significant connections to the gambling sector – customer risk levels were not assessed in a sufficiently robust or structured way.
• Inadequate customer due diligence routines: The authority concludes that Zimpler’s KYC (know your customer) and ongoing monitoring routines were not robust enough to match the risk in the business model.

Why Zimpler’s exposure to gambling raises the bar

Zimpler’s activities have close links to the gambling sector. Of the company’s 258 merchants, around 30 per cent operated in gambling, and approximately 70 per cent of end users had a connection to the same sector. The Swedish Financial Supervisory Authority assesses that this level of exposure creates a high risk that the payment chain could be exploited by criminals for money laundering or terrorist financing.

For payment service providers, this illustrates a broader point: where the business model involves or is closely connected to high-risk sectors – such as gambling, currency exchange or certain crypto-related services – risk management and internal routines must be designed specifically for that profile. Standardised controls that do not reflect the actual risk in the payment flows will rarely be sufficient.

Key AML lessons from Zimpler for other payment providers

Based on the supervisory assessment of Zimpler, several concrete lessons can be drawn for other payment providers and financial firms operating in complex payment chains:

• Begin with a comprehensive, business-wide risk assessment that covers all services – including currency exchange, gambling-related and other high-risk services – and how each can be exploited for money laundering or terrorist financing.
• Ensure that customer risk assessment is continuous and forward-looking. When the business has strong links to high-risk sectors, enhanced measures, granular segmentation and clear documentation of risk levels will typically be expected.
• Design customer due diligence, transaction monitoring and follow-up measures so that they are robust, documented and verifiable, particularly where payment flows are complex or involve multiple intermediaries.

Engaging specialist AML counsel can be a sound investment to secure compliance with the regulatory framework, reduce exposure to supervisory action and mitigate the risk of sanctions similar to those imposed on Zimpler.

Putting the Zimpler lessons into practice

Morling Consulting supports payment service providers and other financial actors across Europe with AML frameworks, licensing projects, risk analysis and customer due diligence routines. If your organisation needs support to ensure that its operations meet the requirements of the AML regime, we can assist with both strategic advice and practical implementation.

You are welcome to contact us for a discussion of your needs and how our AML specialists can help strengthen governance, improve risk management and prepare your organisation for scrutiny from the Financial Supervisory Authority and other supervisory bodies.