Sweden’s financial regulator, the Financial Supervisory Authority (commonly referred to as Finansinspektionen, FI), has opened a new investigation into Swedbank to assess whether the bank met Sweden’s anti-money laundering customer due diligence (CDD) and customer knowledge requirements.
The review covers 1 December 2023 to 30 November 2025 and will examine the bank’s CDD measures under Sweden’s AML framework.
What the regulator is looking at
FI has said the investigation is about whether Swedbank complied with “customer knowledge” requirements, which in practice usually means scrutiny of how the bank:
- identifies and verifies customers (including beneficial owners)
- understands the purpose and intended nature of relationships
- risk-rates customers and applies enhanced due diligence where needed
- keeps information up to date (trigger events, periodic reviews)
- monitors activity and escalates unusual or suspicious behaviour appropriately
FI has also framed AML and counter-terrorist financing controls as a key supervisory priority in 2026, reflecting the broader regulatory push across Europe for demonstrable, effective controls rather than paper compliance.
Why this matters (even if you are not a bank)
CDD is the control that everything else depends on. If your customer records are incomplete, out of date, or inconsistent, it undermines:
- transaction monitoring (alerts become noisy or miss real risk)
- sanctions and PEP screening (false positives, missed matches)
- suspicious activity reporting (weak narratives, delayed escalation)
- audit and regulator confidence (hard to evidence decisions)
For non-banks, the lesson is the same. Regulators increasingly expect organisations to prove they can explain their customer risk decisions and show a clear trail of evidence.
The US case closed, but scrutiny continues
FI’s announcement follows the closure of a long-running US Department of Justice investigation into Swedbank without enforcement action.
That is an important point for compliance teams: even where one investigation ends, supervisory scrutiny can continue elsewhere, and regulators will still test whether controls are operating effectively in the relevant period.
Practical takeaways for compliance teams
If a regulator assessed your CDD programme over the past 24 months, could you evidence it clearly and consistently? Use the Swedbank probe as a prompt to stress-test your own position.
1) Pressure-test your “customer knowledge” standard
- Do you have a clear definition of what “knowing the customer” means for each risk tier?
- Can front-line teams explain it without referencing policy documents?
- Are your risk factors specific to your products, channels, geographies, and delivery model?
2) Review your trigger events and refresh cycles
Common weaknesses sit in the gaps between onboarding and ongoing monitoring:
- customer changes (ownership, controllers, addresses, activity)
- periodic reviews not happening on time
- refresh decisions not evidenced (why you did not apply EDD, why you accepted a source of funds explanation)
3) Validate beneficial ownership and control
Ask:
- do you verify beneficial ownership to an appropriate standard, or rely on self-declaration too often?
- can you evidence how you handled complex structures, nominees, trusts, and layered entities?
- is EDD actually “enhanced”, or just more documents with the same level of analysis?
4) Align CDD with monitoring and escalation
Transaction monitoring and CDD should reinforce each other:
- do alerts lead to CDD updates where appropriate?
- are cases closed with rationale a third party could understand?
- do you have consistent escalation thresholds, or do they vary by team?
5) Make your evidence audit-ready
Regulators and internal audit typically look for:
- decision logs and approvals (especially for higher-risk relationships)
- complete audit trails (who did what, when, and why)
- management information showing that the programme is controlled and improving
What to watch next
FI has not publicly clarified whether the review is routine or triggered by specific concerns, and investigations can take time to conclude.
For compliance teams, the most useful approach is to treat this as a reminder of where regulators are focusing: CDD quality, ongoing review discipline, and evidence of effective implementation.
