Swedbank to rebuild anti-money laundering systems after damning report

Swedbank is overhauling its anti-money laundering (AML) IT infrastructure in the wake of a highly critical report that identified deficient AML detection, control and customer validation systems as the key factors that contributed to the Swedish bank’s systematic failure to prevent money laundering-related transactions in its Baltic subsidiaries.

The report, conducted for Swedbank by London-based law firm Clifford Chance, found that €36.7bn in transactions, all carrying a high risk for money laundering, were processed through the bank’s branch network in Estonia, Latvia and Lithuania between 2014 and 2019.

The report calculated that an estimated €4.4bn in transactions may have violated financial sanctions imposed by the US against named Russian oligarchs suspected of laundering money through banks operating in the Baltic states.     

The report also said Swedbank actively targeted high-risk customers from Russia and former Soviet states. Swedish, Danish and US authorities continue to investigate the scale of money-laundering activities conducted through largely unvetted accounts in Nordic-owned banks in the Baltic states.

The report highlighted inaction by Swedbank’s senior management and board in failing to adequately police its Baltic bank subsidiaries, while neglecting to invest in high-performance AML systems that could be monitored in real time from the bank’s headquarters in Stockholm.  

Swedbank is rebuilding its AML infrastructure against the backdrop of continuing investigations by economic crime agencies in Sweden, Estonia and the US. In March, financial market regulators in Sweden and Estonia imposed fines totalling €347m on Swedbank in respect of breaches of money-laundering laws. The US’s financial watchdog is expected to impose substantial fines on Swedbank by the end of 2020.

“Mistakes were made by management that were serious,” said Jens Henriksson, Swedbank’s CEO. “There was also a certain culture in the bank that contributed to errors and inaction. A review has begun to examine this culture and help us decide what needs to be done to correct existing deficiencies.”

The Clifford Chance-led probe used specialist forensic support from risk management firm FTI Consulting to uncover irregularities in Swedbank’s AML systems.

The FTI-headed investigation deployed 21 algorithmic detection scenarios to collect and analyse potentially suspicious transaction data over a five-year period to March 2019. A total of 30 billion transactions were scrutinised as part of the overall probe. Swedbank’s branches in the Baltics accounted for 50% of all the transactions inspected.

The forensic examination of data by FTI concluded that of the €36.7bn in transactions that presented as high risk for money laundering from 2014 to 2019, €17.8bn emanated from payments to customer accounts and a further €18.9bn from customer accounts that were held with Swedbank’s branches in the Baltic states. 

The Clifford Chance-FTI investigation revealed that Swedbank did not introduce compliance protocols with systematic automated customer and transaction screening in its Baltic subsidiaries until 2017. The vast majority of high-risk money transactions conducted by Swedbank through its Baltic branches, by volume and value, were determined to have taken place before 2017.

Swedbank updated its IT-based customer screening systems in May 2018 in response to a know your customer (KYC) directive issued by Sweden’s ministry of finance. This mandated all banks in Sweden to adhere to stricter controls and procedures concerning the identification of bank customers. Under the directive, banks are required to verify a customer’s identity data using a specific range of “information technology means and methods” in circumstances where face-to-face meetings are either inconvenient or unfeasible.

The Clifford Chance-FTI investigation collaborated with Swedbank’s IT personnel to access SharePoint site listings containing data fields that included site address, name, description, owner, commission date and monthly views for live and archive sites dating back to 2016 – the point at which site listings were automated.

Swedbank’s SharePoint intranet and content management system was used to identify and collect documents from 148 current and former bank employees, including senior managers. FTI extracted 20 million individual records from email mailboxes and archives, user share data, laptops and mobile devices. A further 220,000 individual employee-generated records were harvested from SharePoint.

The Clifford Chance-FTI probe uncovered a number of critical shortcomings in Swedbank’s technology-led AML capability. The bank’s system for screening payments was deemed inadequate and unfit for purpose. This system was later upgraded, at the request of Swedbank’s Group Compliance, to use ProScan to screen payment transactions more effectively.

Deficiencies were also identified in the manual transaction monitoring systems used at Swedbank’s Baltic subsidiaries. This system was replaced by a Nice Actimize automated monitoring system customised for potentially high-risk transactions.

“The investigation report gives us the facts that we can use to resolve outstanding problems in our AML structures and systems,” said Göran Persson, Swedbank’s chairman. “We will implement any changes needed to correct weaknesses that exist in our AML systems and compliance. The bank has clearly not measured up to our responsibilities or to the requirements of our customers and society generally.”