Remark and administrative fine

Transcription

1 DECISION Nordea Bank AB FI Ref Attn: Chairman of the Board of Directors STOCKHOLM Remark and administrative fine Finansinspektionen s decision (to be announced on 16 April 2013 at 8:00 a.m.) 1. Finansinspektionen is issuing Nordea Bank AB ( ) a remark. (Chapter 15, section 1 of the Banking and Financing Business Act [2004:297]) 2. Nordea Bank AB shall pay an administrative fine of SEK 30,000,000. (Chapter 15, section 7 of the Banking and Financing Business Act [2004:297]) To appeal the decision, see Appendix 1. Summary Nordea Bank AB (Nordea or the Bank) is a joint stock bank that has authorisation to conduct banking business in accordance with the Banking and Financing Business Act (2004:297). Finansinspektionen s investigation shows that Nordea has not had sufficient internal governance and control of the risk that funds or economic resources are being made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. Nordea also failed to fulfil its obligation to immediately notify Finansinspektionen about 58 transactions in accounts frozen in accordance with the EU sanctions regulations. 1(20)

2 As a whole, the deficiencies demonstrate that the Bank does not have sufficient internal governance and control to be able to follow the EU sanctions regulations. In the spring of 2012 Finansinspektionen started an investigation into Nordea s management of its obligations and bans in accordance with the EU sanctions regulations. The investigation encompassed the obligation to notify Finansinspektionen about transactions in frozen accounts and to ensure that funds or economic resources are not made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. The background to the investigation was that Finansinspektionen found deficiencies at Nordea during an investigation that was started in 2009 in the same area. Finansinspektionen also investigated Nordea s measures to prevent the bank from being used for money laundering and the financing of terrorism in a specific case and found that the Bank also failed its obligation to perform risk-based customer due diligence for a specific customer. Several of the deficiencies identified by Finansinspektionen are serious in nature and have existed for a long period of time. Despite being aware of the deficiencies, Nordea has neither taken action to rectify them nor clearly explained why they have not been rectified. It is therefore necessary for Finansinspektionen to intervene by issuing the Bank a remark and an administrative fine. 2

3 Table of Contents FINANSINSPEKTIONEN S DECISION... 1 SUMMARY INTRODUCTION BANS AND OBLIGATIONS PURSUANT TO THE SANCTIONS REGULATIONS BACKGROUND SCREENING BENEFICIAL OWNERS Applicable provisions Finansinspektionen s assessment REPORTING OF TRANSACTIONS Applicable provisions Finansinspektionen s assessment MEASURES AGAINST MONEY LAUNDERING AND THE FINANCING OF TERRORISM BACKGROUND APPLICABLE PROVISIONS FINANSINSPEKTIONEN S ASSESSMENT INTERNAL GOVERNANCE AND CONTROL APPLICABLE PROVISIONS FINANSINSPEKTIONEN S ASSESSMENT CONSIDERATION OF INTERVENTION APPLICABLE PROVISIONS THE BANK S MEASURES Screening beneficial owners Reporting of transactions Customer due diligence measures Internal governance and control FINANSINSPEKTIONEN S ASSESSMENT Screening beneficial owners Reporting of transactions Customer due diligence measures Internal governance and control CHOICE OF INTERVENTION APPENDIX 1 HOW TO APPEAL APPENDIX 2 APPLICABLE PROVISIONS

4 1. Introduction Nordea Bank AB (hereafter referred to as Nordea or the Bank ) has authorisation to conduct banking business in accordance with the Banking and Financing Business Act (2004:297) and securities business in accordance with the Securities Market Act (2007:528). Nordea is the Parent Company of the Nordea Group and according to the Bank s annual report from 2012 the Group has more than 11 million customers and a balance sheet total of EUR 677 billion. With a market value at year-end 2012 of just over EUR 29 million and more than 31,000 employees, the Group is one of northern Europe s largest financial Groups. Nordea s banking operations must comply with a number of different rules in the form of laws, regulations and ordinances, but there are also a growing number of rules from the European Union that must be followed, for example guidelines and recommendations from European authorities and EU Regulations. It is Finansinspektionen s task to supervise Nordea and verify that the business is conducted in accordance with the laws and regulations that regulate Nordea s operations as well as the internal instructions the Bank must have in accordance with various regulations. If Nordea fails to fulfil its obligations, Finansinspektionen should intervene. Finansinspektionen carried out an investigation at Nordea of the Bank s ability to live up to the requirements placed on it by international sanctions regulations that the Council of the European Union has decided on. As part of this investigation, Finansinspektionen also opted to investigate the measures the Bank is obligated to take for an individual customer in order to prevent money laundering and the financing of terrorism. Following the investigation, Nordea was given the opportunity to respond to Finansinspektionen s preliminary assessments that the Bank failed to fulfil its obligations and to the observations that served as a basis for the assessments. During the course of the investigation, additional written communications were exchanged between the Bank and Finansinspektionen. 2. Bans and obligations pursuant to the sanctions regulations 2.1 Background The Council of the European Union has decided to implement international sanctions against a number of countries and regimes. These measures were implemented in EU Regulations that are directly applicable in Swedish national law (hereafter referred to as the sanctions regulations). Economic and financial sanctions must be applied by all persons and entities conducting business within the EU. The sanctions regulations contain provisions relating to, for example, the obligation to freeze funds and economic resources for natural or legal persons, 4

5 entities and bodies listed in the EU sanctions regulations, but also a ban on making funds or economic resources available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. At the end of 2009, Finansinspektionen started an investigation at Nordea to determine how the Bank handled the bans and obligations set out in the sanctions regulations. Finansinspektionen found during the course of its investigation that the Bank s procedures were inadequate and that the Bank thereby risked being in violation of the regulations. During its investigation, Finansinspektionen was able to identify deficiencies in Nordea s procedures for reporting transactions in frozen accounts. Finansinspektionen was also able to identify deficiencies with regard to the obligation to ensure that natural or legal persons, entities and bodies listed in the EU sanctions regulations neither directly nor indirectly via Nordea could gain access to funds or economic resources through the failure of Nordea to screen the person with whom the Bank had a relationship with through their customer, for example beneficial owners. Finansinspektionen made the assessment, however, that there were grounds to forgo an intervention against Nordea since the Bank, during the course of the investigation, took appropriate measures or was implementing or planning to implement measures that could be expected to rectify the deficiencies. Finansinspektionen notified Nordea about the results of the investigation on 9 June 2010 and informed the Bank via a final report on 28 January 2011 about the areas that the investigation showed were in need of follow-up from the Bank. In order to follow up and ensure that Nordea had satisfactorily implemented the measures the Bank had announced, Finansinspektionen started a new investigation in June Screening beneficial owners One of the main objectives of the sanctions regulations is to prevent financial assets or economic resources from being made available to natural or legal persons, entities and bodies listed in the EU sanctions regulations and to prevent financial services or other related services to be provided to them, whether directly or indirectly. To ensure that the Bank does not directly make funds or economic resources available to such persons, entities or bodies, Nordea monitors the lists in the sanctions regulations and reconciles them against its list of customers. Finansinspektionen investigated Nordea s measures for also ensuring that beneficial owners to the Bank s customers are not listed in the sanctions regulations and indirectly gain access to funds or economic resources and the financial system through the Bank. For example, a beneficial owner can be an owner with a controlling influence over one of the Bank s corporate clients. 5

6 2.2.1 Applicable provisions Pursuant to Article 2.1b of Council Regulation (EC) No. 2580/2001 of 27 December 2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism, no funds, other financial assets or economic resources may be made available, directly or indirectly, to, or for the benefit of, a natural or legal person, group or entity included in the Council s list. The EU sanctions regulations also contain provisions stating that funds or economic resources may not be made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. Appendix 2 contains excerpts from the articles that are relevant for Finansinspektionen s assessment under section Chapter 1, section 5, point 8 of the Money Laundering and Terrorist Financing (Prevention) Act (2009:62) (Money Laundering Act) defines a principal (a beneficial owner) as a natural person on whose behalf any other person acts, or where the customer is a legal person, the person who exercises a controlling influence over the customer. Chapter 6, section 2 of the Banking and Financing Business Act (2004:297) states that a bank shall identify, measure, steer, internally report and have control over the risks associated with its business. A bank shall in this regard ensure that it has satisfactory internal control Finansinspektionen s assessment Finansinspektionen asked Nordea during its investigation if the Bank screens beneficial owners of customers against the EU sanctions regulations. The investigation was a follow-up of a previous investigation that was started in In its response to Finansinspektionen dated 17 August 2012 Nordea stated that beneficial owners are not screened against the EU sanctions regulations. By not screening beneficial owners against the sanctions regulations, Nordea has risked being in violation of the ban on making funds and economic resources indirectly available to or for the benefit of natural and legal persons, entities and bodies listed in the sanctions regulations. It is worth noting that the ban in the sanctions regulations is categorical and does not apply a risk-based approach. Finansinspektionen therefore finds that the risk Nordea exposed itself to by not screening beneficial owners against the sanctions regulations represents a failure by the Bank to fulfil its obligation to steer and control the risk that funds or economic resources are made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. Nordea stated that the Bank implemented measures following the conclusion of the investigation and that since 17 October 2012 the Bank has screened benefi- 6

7 cial owners on a daily basis via an established system. Finansinspektionen notes, however, that the screening is only carried out for the beneficial owners that have been transferred to the new customer system. Of the more than 250,000 customers for whom the identification and control of beneficial owners is relevant, the Bank, according to its most recent response dated 22 February 2013, stated that the Bank has not yet determined if a beneficial owner exists for around 160,000 of these customers. The Bank adds that around 100,000 of the customers where the beneficial owner assessment is relevant are associations, which often do not have beneficial owners. Finansinspektionen asked when Nordea believes that all of the Bank s beneficial owners will be screened against the sanctions regulations. In its response the Bank stated that it is not possible to provide such a date since the Bank supplements the remaining customers beneficial owners in stages following a risk assessment or when the relationship with the customer changes. The obligation to identify customers beneficial owners went into effect on 15 March 2009 through the implementation of Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing via the Money Laundering Act. According to the transition provisions for the Money Laundering Act, the Bank shall take measures to identify beneficial owners of customers with whom the Bank has signed agreements before the law entered into force when, based on the assessment of the risk for money laundering and the financing of terrorism, this is considered appropriate. Because of this transition provision Nordea is still not obligated under the Money Laundering Act to have complete information about all beneficial owners of the Bank s customers since the risk assessment determines when this information should be obtained. However, this does not mean that the Bank can apply the same risk-based approach to the ban on making funds or economic resources available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. The fact that Nordea is aware of a risk and that the Bank is opting to only manage and control this risk ex post is a serious matter and indicates that the Bank has deficient control of its compliance with the sanctions regulations. In summary, Finansinspektionen can state that Nordea, for a long period of time, at least until 17 October 2012, has not carried out any controls to ensure that the Bank does not indirectly make funds or economic resources available to, or allow such funds or economic resources to be made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations. This is not in line with the Bank s obligation according to Chapter 6, section 2 of the Banking and Financing Business Act to govern and control the risks associated with the banking business. The fact that the Bank also has not taken measures to mitigate this risk in a satisfactory manner is a serious breach of the risk management principles which, ac- 7

8 cording to Chapter 6, section 2 of the Banking and Financing Business Act, shall be present in a healthy, sound banking business. 2.3 Reporting of transactions One requirement in the sanctions regulations is that funds and economic resources belonging to natural or legal persons, entities or bodies designated in the regulations must be frozen. This is to prevent the transfer and use of, and changes to, the funds. When an account has been frozen, the Bank is obligated to immediately submit information about the account and the amounts that were frozen to the authority that has been designated as authorised to receive such information. Furthermore, the Bank must immediately report to the competent authority if transactions are made in the frozen account. In Sweden, the Government issued a decision in which it assigned Finansinspektionen to receive information about frozen accounts and information that can facilitate compliance with the sanctions regulations when an account has been frozen Applicable provisions The provisions which regulate obligations to freeze accounts and submit information are set out in the currently applicable sanctions regulation against the regime in question. A number of different articles are therefore applicable in the investigation. The provisions that are relevant for Finansinspektionen s assessment in section are listed in Appendix 2. In brief, the relevant articles in the currently applicable regulations entail that transactions in accounts belonging to natural and legal persons, entities or bodies designated in the sanctions regulations may under certain circumstance be carried out by a bank. In order to conduct transactions on such frozen accounts, the bank in many cases must apply for authorisation from different authorities. When transactions are carried out in frozen accounts, the provisions that the bank must immediately notify Finansinspektionen about changes that were made to the frozen accounts go into effect Finansinspektionen s assessment Finansinspektionen s investigation monitored if Nordea fulfilled its obligation to immediately notify Finansinspektionen about transactions in frozen accounts. The investigation included transactions occurring between 1 January 2010 and 28 June 2012 and referred to accounts that belong to natural or legal persons, entities or bodies designated in the regulations with regard to Libya, Syria and Iran. It should be noted that Finansinspektionen limited the scope of its investigation to determine if reporting in accordance with the sanctions regulations was carried out properly. Finansinspektionen has thus not reviewed if the authorisations that were required for the transactions had been acquired or if the transactions otherwise were carried out properly. 8

9 To begin with, Finansinspektionen can state that Nordea fulfilled its obligation to immediately notify Finansinspektionen about all ten changes to frozen accounts belonging to an entity designated in the sanctions regulation concerning restrictive measures in view of the situation in Libya. For accounts belonging to natural or legal persons, entities or bodies designated in the sanctions regulations concerning restrictive measures in view of the situation in Syria, Finansinspektionen s investigation shows that 48 transactions were made in frozen accounts at the Bank. Initially, in August 2012, Nordea said that the Bank had notified Finansinspektionen about 31 of the transactions and that the notifications were often sent to Finansinspektionen before the transactions were made. However, not one of the notifications for the 48 transactions in frozen accounts was received by Finansinspektionen, and Nordea confirmed in a later statement that it had not reported the transactions. It is not acceptable that the Bank cannot keep track of whether or not it reported transactions to Finansinspektionen and as a result provide incorrect information when Finansinspektionen requests information in conjunction with an investigation. Finansinspektionen furthermore finds it remarkable that the Bank seems to believe that notifications of completed transactions can occur already before the transactions in question were actually completed. For accounts belonging to natural or legal persons, entities or bodies designated in the sanctions regulations concerning restrictive measures in view of the situation in Iran, Finansinspektionen s investigation shows that 16 transactions were made in frozen accounts at the Bank. Finansinspektionen can state that Nordea only properly notified Finansinspektionen about six of the 16 transactions. In summary, a total of 74 transactions were made by the Bank in frozen accounts belonging to natural or legal persons, entities or bodies designated in the sanctions regulation concerning restrictive measures against Libya, Syria and Iran. Of these, the Bank properly notified Finansinspektionen about 16 transactions. Nordea failed to fulfil its obligation in accordance with the rules in the various sanctions regulations to immediately notify Finansinspektionen about changes in frozen accounts with regard to 58 transactions. 3. Measures against money laundering and the financing of terrorism 3.1 Background Finansinspektionen also investigated Nordea s handling of one of the Bank s customers and the measures the Bank took while performing customer due diligence. The reason that Finansinspektionen was investigating the circumstances around a specific customer is that this is one of the few cases, both in Sweden and internationally, where the risks of a bank being used for extensive money laundering were brought to the forefront. As a result, Finansinspektionen was in- 9

10 vestigating if Nordea, in this specific case, had taken the measures required by the Bank to fulfil the rules for money laundering and the financing of terrorism. 3.2 Applicable provisions The objective of Chapter 1, section 1 of the Money Laundering Act is to prevent financial operations, among others, from being used for money laundering or the financing of terrorism. Firms subject to this act shall therefore take a number of measures to decrease the risk that this will occur. Pursuant to Chapter 2, section 1 of the Money Laundering Act, the Bank shall take measures to perform customer due diligence. The scope of these measures shall be adjusted given the risk for money laundering or the financing of terrorism. Furthermore, Chapter 5, section 1 of the Money Laundering Act states that an entity conducting business shall have risk-based procedures for preventing its operations from being used for money laundering or the financing of terrorism. Pursuant to Chapter 2, section 2 of the Money Laundering Act, the Bank shall take measures to perform customer due diligence when establishing a business relationship. The basic measures for customer due diligence pursuant to Chapter 2, section 3 of the Money Laundering Act are verification of the customer s and the beneficial owner s identities and the obtaining of information about the purpose and nature of the business relationship. Furthermore, the Bank shall investigate the customer s ownership structure and control structure to verify the beneficial owner s identify. Pursuant to Chapter 2, section 10 of the Money Laundering Act, the Bank shall also regularly follow up on existing business relationships by verifying and documenting that the transactions that are carried out are in agreement with the knowledge the entity conducting business has obtained about the customer, its business and risk profile and, if necessary, the origin of the customer s economic funds. Pursuant to Chapter 2, section 6 of the Money Laundering Act, Nordea is also obligated to always take enhanced measures to perform customer due diligence if there is a high risk for money laundering and the financing of terrorism. These measures shall extend beyond the basic measures set out in Chapter 2, section 3 of the Money Laundering Act. 3.3 Finansinspektionen s assessment Since the matter in this respect refers to Nordea s implementation of measures or failure to implement measures related to money laundering for a specific customer, Finansinspektionen would like to first emphasise that it does not know whether or not the Bank has been used for money laundering or the financing of terrorism. Finansinspektionen has not investigated this matter. The purpose of the investigation, rather, is to investigate if Nordea in this specific case fulfilled its obligation to perform adequate customer due diligence. 10

11 Based on the documentation Nordea submitted to Finansinspektionen, the customer in question answered the standard questions the Bank uses to obtain information about the purpose and nature of the business relationship when the business relationship was established. The Bank also verified the identification documents for the customer s representatives and owners and screened the customer against the EU sanctions regulations. The documentation also states that the customer is a company registered in Gibraltar and that the representative and the beneficial owner are citizens of Uzbekistan. Finansinspektionen was also able to determine that a sum corresponding to around SEK 200 million was transferred to the account after the business relationship was established via six different transactions. The Bank has not submitted information or documentation showing that the Bank performed additional customer due diligence after the business relationship with the customer was established. Nordea told Finansinspektionen that the Bank performed customer due diligence in accordance with the Bank s instructions for customers with normal risk. However, the Bank notes that the basic analysis of the performed customer due diligence, primarily due to the beneficial owner s ties to a country with a higher risk, should have resulted in a higher risk classification, which would have led to a more in-depth analysis. Nordea has stated that if the customer had received a higher risk classification, the Bank would have taken measures to more frequently follow up on the customer relationship, including following up on the transaction amounts. The Bank also has not conducted a manual review of the transactions in the customer s account since the customer was not classified as having a higher risk. Nordea also states in its statement to Finansinspektionen that, even if the Bank had given the customer a higher risk classification, and then taken the measures resulting from this classification, it cannot be determined if the Bank, after performing additional due diligence than that performed to establish the customer relationship, would have rejected a business relationship with the customer. Nordea has thus in this case taken measures to prevent money laundering and the financing of terrorism to an extent that corresponds to customers associated with a normal level of risk for using the Bank for money laundering and the financing of terrorism. The objective of Finansinspektionen s investigation is to determine whether Nordea fulfilled its obligation to take risk-based measures to avoid being used for money laundering or the financing of terrorism by the customer in question. It is therefore not important whether any eventual knowledge about the customer that the Bank could have received would have affected its decision about whether or not to establish a business relationship. It is also not of importance for the 11

12 assessment whether or not the Bank was actually used for money laundering or the financing of terrorism. Instead, Finansinspektionen is assessing whether or not Nordea failed to take adequate measures to minimise the risk of the Bank being used for money laundering or the financing of terrorism. In order to be able to take adequate measures for a specific customer, it is of utmost importance that a bank conduct a risk assessment of the customer. Based on this assessment, the bank can then classify the customer s risk and take appropriate measures to ensure that the bank will not be used for money laundering or the financing of terrorism. If the bank s risk assessment of the customer is faulty, the bank risks not taking sufficient measures. Finansinspektionen believes that the fact that a customer s representative and beneficial owner come from a country characterised by extensive corruption constitutes a circumstance that entails a higher inherent risk for being used for money laundering and the financing of terrorism. Uzbekistan is considered to be one of the world s most corrupt countries in accordance with Transparency International s index; only five countries are considered to have worse corruption. Finansinspektionen therefore believes, like Nordea, that the risk assessment of the customer should have resulted in a higher risk classification than normal risk, given that the beneficial owner has ties to a country with a higher risk. Since Nordea took measures that correspond to a normal risk level for being used for money laundering or the financing of terrorism by a customer who is considered to have an inherent higher risk, it is Finansinspektionen s assessment that the Bank failed in its obligation pursuant to Chapter 2, section 6 of the Money Laundering Act to perform enhanced customer due diligence when there is a high risk of money laundering or the financing of terrorism. It is not possible to draw general conclusions from a single case about the extent to which Nordea normally performs sufficient customer due diligence. However, Finansinspektionen can state that in this particular case Nordea has taken inadequate measures for preventing money laundering and the financing of terrorism by not having performed sufficient customer due diligence. 4. Internal governance and control 4.1 Applicable provisions Chapter 6, section 2 of the Banking and Financing Business Act states that a bank shall identify, measure, steer, internally report and maintain control over the risks associated with its business. The bank shall in this regard ensure that it has satisfactory internal control. As a guideline for how the provisions in Chapter 6 of the Banking and Financing Business Act should be applied, Finansinspektionen issued Finansinspektionen s 12

13 general guidelines (FFFS 2005:1) regarding governance and control of financial undertakings. The general guidelines set out in FFFS 2005:1 on the application of the provisions in Chapter 6 of the Banking and Financing Business Act provide guidance on how financial firms can fulfil the requirements. However, the guidelines do not need to be followed and are not binding if the firm has found another way to fulfil the requirement. Section 5 of FFFS 2005:1 defines internal governance and control as a process through which the firm s board of directors, managing director, senior management or other personnel obtain reasonable certainty that the firm s goals are achieved, for example, for compliance with appropriate laws, ordinances and other regulations. Chapter 3 of FFFS 2005:1 regarding internal governance and control states that good internal control ensures a good ability to comply with laws and ordinances and internal regulations, as well as generally accepted practice or generally accepted standards. The Board of Directors and the Managing Director should endeavour to ensure that the firm has good internal control that has been adapted to the changes in the risks to which the firm is exposed. 4.2 Finansinspektionen s assessment Nordea has conveyed to Finansinspektionen that the Bank does not believe that the mistakes that were made in these specific instances and that were identified by Finansinspektionen can be interpreted to mean that the Bank failed to fulfil the requirements for internal governance control at a bank such that it has satisfactory control over the risks associated with its business in accordance with Chapter 6, section 2 of the Banking and Financing Business Act. The objective of Finansinspektionen s assessment in this respect is to determine if Nordea has satisfactory internal control of the risks associated with its banking business. It is very important for the Bank to have the ability to identify its risks in order for it to be possible to control them, and thereafter measure, steer and manage them. Internal reporting of the risk shall occur continuously to decisionmakers within the Bank. The provisions regarding risk management are some of the most central and significant regulations in place for a bank, and the management of risks must therefore occur naturally within all areas of the bank. As mentioned above, Finansinspektionen conducted an investigation of Nordea at the end of 2009 that demonstrated major deficiencies in the Bank s ability to comply with several of the provisions of the EU sanctions regulations. Finansinspektionen, which notified Nordea on 9 June 2010 about the results of the investigation, directed sharp criticism to Nordea in its final report on 28 January 2011, 13

14 but refrained from any intervention since it was judged that the measures the Bank intended to take to rectify the deficiencies were sufficient. Thus, Nordea was made aware through the previous investigation that the Bank was at risk of non-compliance with laws, ordinance and other regulations that regulate the Bank. The measures required by the Bank for having adequate risk management were to steer and control the risk. Despite the fact that Nordea was aware of the deficiencies, it has not made any improvements in the area since the final report. The investigation that has now been completed shows that the Bank as recently as at the end of June 2012 still has not reported all of the transactions in the frozen accounts to Finansinspektionen. The fact that Nordea also has not managed to provide Finansinspektionen with the correct information during Finansinspektionen s follow-up investigation indicates that there are additional fundamental deficiencies in the control. To date, Nordea has also yet to ensure that the ban on funds or economic resources being made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations is satisfactorily fulfilled. The requirement of having control over the risk of non-compliance with laws, ordinances and other regulations that the Bank should follow is thus not fulfilled. For almost three years (or just over two years using Finansinspektionen s final report as the starting point), Nordea has failed to rectify this deficiency despite the fact that the Bank has been aware of the risk of non-compliance with the provisions. Given this background, it is Finansinspektionen s assessment that Nordea has been deficient in its internal governance and control which, in accordance with Chapter 6, section 2 of the Banking and Financing Business Act, is required of a bank to have satisfactory control over the risks in the area of the EU sanctions regulations with which its business is associated. 5. Consideration of intervention 5.1 Applicable provisions Finansinspektionen, in accordance with Chapter 15, section 1 of the Banking and Financing Business Act, shall intervene if a bank fails to fulfil its obligations pursuant to the same Act, other regulations that regulate the institution s operations, the institution s articles of association or internal instructions based on regulations that regulate its operations. Pursuant to Chapter 15, section 1, second paragraph of the Banking and Financing Business Act, Finansinspektionen s intervention is in the form of the issuance of an order that for a stipulated time period limits the business in some respect, lowers its risks or takes other measures to rectify the situation, a ban on decision-making or a remark. If the breach is serious in nature, the Bank s au- 14

15 thorisation shall be withdrawn or, if deemed sufficient, the Bank shall be issued a warning. Chapter 15, section 1, third paragraph of the Banking and Financing Business Act states that Finansinspektionen may refrain from intervening if the breach is negligible or excusable, if the Bank rectifies the matter or if any other authority has taken action against the bank and this action is deemed sufficient. Chapter 15, section 7 of the Banking and Financing Business Act also states that if Finansinspektionen issues a warning or remark, Finansinspektionen may decide if the bank shall pay an administrative fine. In accordance with Chapter 15, section 8 of the Banking and Financing Business Act the administrative fine may fall between SEK 5,000 and SEK 50 million. However, the fine may not exceed ten per cent of the bank s turnover during the previous financial year. Chapter 15, section 9 of the Banking and Financing Business Act states that when determining the size of the administrative fine, special consideration shall be given to how serious the breach is and how long it has existed. 5.2 The Bank s measures In the Bank s statement to Finansinspektionen, Nordea presented the measures the Bank has taken, or plans to take, to rectify the deficiencies identified by Finansinspektionen. The measures the Bank presented to Finansinspektionen are included here in summary form Screening beneficial owners Nordea implemented changes in its customer system since 17 October 2012 so that the beneficial owners registered in the system are screened daily against the EU sanctions regulations. After the implementation of these changes the Bank also gradually transferred the newly identified beneficial owners. Nordea also started a project in which the forms and instructions are being adapted in order to make it possible to screen beneficial owners in other relevant areas Reporting of transactions Nordea updated the Bank s instructions for handling the sanctions regulations. A monitoring group and a compliance unit for the sanctions regulations have been formed and on 10 December 2012 Nordea implemented control and report procedures in which the Bank daily checks its frozen accounts for any changes. The Bank also removed automated transactions for frozen accounts. In addition, Nordea developed a new work process and expanded the ongoing training of affected employees. 15

16 5.2.3 Customer due diligence measures Nordea implemented a new risk classification method at the beginning of 2012 that focuses on money laundering risks. In November 2012 the Bank reviewed all of its customer groups and individual companies in its current customer base to confirm the assessment of which customers can be considered to be high risk customers. An in-depth risk review has been started and will encompass all customer groups. The Bank planned to implement during the first quarter of 2013 an upgraded methodology for its ongoing customer due diligence and the customer s risk profile Internal governance and control Nordea stated that the Bank, due to Finansinspektionen s remarks, the Bank s own observations and the enhanced and increased requirements of the regulatory framework, intensified its work within control, process improvement and distribution of resources for the areas in question. This work has been and will continue to be carefully followed by the Board of Directors and management. The measures presented by Nordea that were taken with regard to internal governance and control are as follows. Group management appointed in 2011 a temporary work group to investigate and propose measures to strengthen governance and follow-up of procedures to prevent money laundering. As a result of this investigation, Nordea has introduced training programmes, specialist units, new policy documents and investments in IT support. Nordea also instructed the internal audit to focus on this area in particular. In June 2012 the Bank also decided on new policy documents and reviewed the Bank s procedures for measures preventing money laundering and the financing of terrorism. 5.3 Finansinspektionen s assessment Finansinspektionen s investigation shows that Nordea failed to fulfil its obligations in accordance with the Banking and Financing Business Act, the Money Laundering Act and the EU sanctions regulations. Below is Finansinspektionen s assessment of the breaches in relation to the provisions on intervention Screening beneficial owners Provisions stating that funds or economic resources may not be made available, directly or indirectly, to or for the benefit of the natural or legal persons, entities or bodies have been in the sanctions regulations for more than a decade. Council Regulation (EC) No. 2580/2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism, is based on a UN resolution. It was adopted a short time after the terrorist attacks in the USA on 11 September 2001 and has been in effect since the end of Nordea has been subject to the bans in the EU sanctions regulations since they entered into force, even if the Bank only has been obligated for just over four years, in accordance 16

17 with the Money Laundering Act and when appropriate from a risk-based approach, to perform customer due diligence by identifying the beneficial owners of the Bank s customers. The fact that beneficial owners of Nordea s customers have not been screened against the EU sanctions regulations is a serious deficiency. The entire function that is the regulation and ban of listed persons and entities access to the financial system risks being undercut if it is possible to circumvent the provisions by a person, entity or body designated in the sanctions regulations acting through another natural or legal person. Because Nordea is still not fully aware of who the beneficial owners of the Bank s customers are, it has not been possible to determine if the failure to screen beneficial owners in practice has resulted in funds or economic resources being made indirectly available to or for the benefit of the natural or legal persons, entities or bodies listed in the EU sanctions regulations, but if this has happened the breach is very serious. The fact that Nordea is allowing itself to run the risk of being in violation of one of the most basic provisions of the sanctions regulations represents, according to Finansinspektionen, a serious deficiency in the Bank s handling and control of the risks associated with the banking business. It is therefore necessary that Finansinspektionen intervene Reporting of transactions The EU regulations constitute one of the most forceful types of regulations from the European Union and are used to directly implement appropriate provisions in a uniform manner throughout the union. Sweden is obligated to ensure that the firms that fall under Swedish jurisdiction comply with the sanctions regulations issued by the EU. Finansinspektionen has been appointed by Government decision to be the competent authority for carrying out certain tasks resulting from the EU sanctions regulations. One of these tasks is to report information about transactions in frozen accounts to the European Commission. In order for Finansinspektionen to be able to properly carry out its assignment, and consequently that the Commission has access to correct information in its work with international sanctions, it is crucial that the information about frozen amounts be immediately reported to Finansinspektionen. One consequence of Nordea s deficient reporting on transactions that occurred in the Bank s frozen accounts is that Sweden reported incorrect amounts to the Commission. Finansinspektionen already directed sharp criticism in 2011 toward Nordea s handling of its notifications to Finansinspektionen. The fact that Nordea did not rectify the problems with its reporting despite this criticism is remarkable. And despite the fact that Nordea previously stated that the Bank would make organisational changes and implement new methods and procedures, there has not been 17

18 a noticeable improvement. Finansinspektionen notes that the same deficiencies that existed at the end of June 2012 were those that existed when the previous investigation was started in This also presents grounds on which it is necessary for Finansinspektionen to intervene against the Bank. It shall be noted in particular that Nordea, as far as Finansinspektionen is aware, has had the authorisations that are required to carry out the transactions in question. Nordea also emphasised to Finansinspektionen that the Bank, when such is required, has had authorisation from competent authorities in all cases. The Bank must apply for authorisation to carry out transactions from different authorities based on the nature of the transaction. This means that the Bank has had the ability to fulfil its obligations in accordance with the sanctions regulations in this respect. That Nordea despite this was not able to carry out such a simple act as sending an to Finansinspektionen to notify the authority of the transactions is remarkable and difficult to understand Customer due diligence measures The rules regarding the measures for preventing money laundering and the financing of terrorism are based on the entity conducting business that is subject to the rules applying a risk-based approach. Therefore, the exact measures that shall be taken for specific cases are not stipulated in the rules. The responsibility lies with the entity conducting business to determine, based on its own risk assessments, which measures are appropriate in each case based on the risk. However, the rules contain requirements on basic measures in order to establish a minimum level for what measures shall be taken. The rules also state that if there is a high risk, the entity conducting business is obligated to take more extensive measures. Finansinspektionen s investigation shows that Nordea has not taken sufficient measures for performing due diligence for a customer who, in Finansinspektionen s opinion, is associated with high risk. Finansinspektionen also notes that even Nordea comments in its statement that a higher risk classification should have been used. After the investigation Nordea implemented a number of measures to ensure that the Bank takes measures that are appropriate given the risk that the Bank might be used for money laundering and the financing of terrorism. However, this does not mean that the breach is excusable or negligible. Neither does it mean that the measures have rectified the deficiency in the case in question. Finansinspektionen shall therefore intervene Internal governance and control Finansinspektionen s investigation shows that Nordea s problems with handling the EU sanctions regulations have existed for a long time. In addition, the deficiencies that were reported in this decision with regard to the EU sanctions regu- 18

19 lations had been presented to Nordea previously in the final report at the conclusion of the previous investigation. The fact that Nordea, despite being clearly informed about these deficiencies a few years ago, was not able to change its procedures such that it complied with the rules indicates that the organisation has not had effective governance and control in this area. Furthermore, the fact that Nordea, at the conclusion of this investigation, still is not fully aware of the beneficial owners of the Bank s customers is also grounds for the assessment that the Bank in this respect is not able to steer and control its risks. The measures the Bank presented for the reporting of transactions in frozen accounts as a result of the previous investigation also have not meant that the Bank has been compliant in the area. This is also not in line with requirements on internal governance and control. This also presents grounds on which it is necessary for Finansinspektionen to intervene. 5.4 Choice of intervention Nordea has been in violation in several respects of provisions that are of central importance for the Bank s management of the risk of non-compliance with the EU sanctions regulations and of being used for money laundering and the financing of terrorism. Several of the breaches have existed for a long time despite the fact that Nordea was informed about the breaches much earlier. Nordea has not clearly explained why the Bank did not rectify the deficiencies about which the Bank had been informed following Finansinspektionen s previous investigation. This opens the possibility for the assumption that Nordea did not care that the Bank was in violation of the rules or that the Bank thinks it is too costly to comply with them. Regardless of the reason, Finansinspektionen finds it remarkable that one of the most important actors in the financial markets, not just in Sweden but also in northern Europe, treats its obligation to follow the rules so lightly. Deficiencies in its ability, or even worse its willingness, to follow the rules in general could have serious consequences. Given the fact that the deficiencies have only been identified in the limited area that was investigated, however, there are no grounds for a consideration of the withdrawal of Nordea s authorisation. This also means that there are no grounds for issuing the Bank a warning. However, there is no question that the deficiencies are of such a serious nature that Nordea will be issued a remark and an administrative fine. The administrative fine may fall between SEK 5,000 and SEK 50 million, but it may not exceed ten per cent of the Bank s turnover during the previous financial year. Nordea s turnover in the most recently adopted annual report was just over SEK 67 billion. The administrative fine therefore may be a maximum of SEK 50 million. The administrative fine shall be viewed as a gradation of the Bank s breach of the regulations. When determining the size of the fine in this case, there is cause for taking into account, as recently stated, that the breaches are of such a serious nature and that they existed for such a long despite the Bank being informed about them. Finansinspektionen also places importance on the fact that Nordea s deficient reporting of transactions meant that the EU Commission re- 19