The County Administrative Board has supervisory responsibilities over certain businesses and organizations under the Money Laundering and Terrorist Financing Prevention Act. We check that businesses and organizations take adequate measures to prevent their operations from being used for money laundering or terrorist financing.
Money laundering is to take actions with the purpose of hiding the link between a crime and money, or other assets. The problem, when profits from criminal activities – such as drug crimes, human trafficking and tax evasions – are integrated with the legal economy, is both a national and international problem. Money laundering may have extensive negative consequences for Sweden’s security and economy.
Terrorist financing is to financially support terrorism by direct contributions or by gathering, receiving, or transfer money and other assets that serves the purpose of financing terrorism. Even very small amounts of money can cause great damage.
The Money Laundering and Terrorist Financing Prevention Act, the Money Laundering Act, (2017:630) applies to businesses and legal persons (entrepreneurs) in certain sectors. Those who are under the county’s supervision shall also follow the County Administrative Board’s provisions and guidelines.
The purpose of the money laundering regulations is to prevent businesses from being used for money laundering and terrorist financing. The firms must adapt their measures to counteract money laundering and terrorist financing to the risks. This is called the risk-based approach.
In the work to counteract money laundering and terrorist financing, you, as a business owner, have an obligation to assess the risks of your business being used for money laundering or terrorist financing. On the basis of your risk assessment you are then obliged to develop procedures and guidelines. Getting to know your customer or client before a transaction is made, or before any business relations are established, is an important measure to take in the work to counteract money laundering and terrorist financing. The scope of the measures is determined by the results of your risk assessment, that is, dependent on the customer’s or client’s risk profile
As a business owner you have an obligation to assess the risks of your business being used for money laundering or terrorist financing. This is called a risk assessment and it must be documented as well as up-to-date. The scope of the risk assessment is determined by the size and nature of the business as well as the assessed risks in the business.
When you perform a general risk assessment you must take into account the properties of the businesses’ products or services that may be vulnerable to money laundering or terrorist financing attempts. Is it possible to use the products or services to hide that certain assets are linked to crime? Or, is it possible to use the products or services to gather or transfer money, or other assets, to a terrorist organization?
Identify factors that affect the risk of the products being used for money laundering or terrorist financing. The risk factors may be identified in customer or client relations, distribution channels, geographic risk factors, or business-specific circumstances.
When you have identified the risks and risk factors in your business, you must decide how big the risk is of your business being used for money laundering or terrorist financing. Ask yourself the following questions:
To be able to assess the scope of the risk you must have an understanding of how the products, services and the different risk factors are linked. For example, one factor may seem to pose a low risk if seen for itself, but a higher risk when linked to other factors.
The risk of your business being used for money laundering or terrorist financing may increase or decrease due to changes in the business or world. Therefore, the general risk assessment must be re-assessed and updated regularly, at least once per year. You must always re-assess the general risk assessment before your business offers new or substantially altered products or services, directs itself towards new markets, or makes other changes that are relevant for the business. Note the date for each re-assessment. If your re-assessment shows that the risks of your business have changed, you must update the documentation accordingly.
As a business operator, you must assess the risks of money laundering and financing of terrorists in every customer relation. The scope of the customer due diligence depends on your assessment of the customer – is the customer a low or high risk customer?
The starting point in customer risk assessment is what you know about the customer before you make a transaction, or establish a business relationship. To have knowledge about the purpose and nature of the business relation is necessary to assess the risks that may be associated with establishing a relationship with a specific customer. To determine the risk profile, you need to relate your knowledge about the customer to the risk factors – customer category, distribution channels and geographical factors – you identified in the general risk assessment.
You, as the business owner, must make sure that documented procedures and guidelines for working to prevent money laundering and terrorist financing are in place in your business. The procedures and guidelines shall be risk-based and proceed on the basis of the general risk assessment.
Keep in mind that the procedures and guidelines must be re-assessed in a regularly, at least once per year. Note the date for each re-assessment. If you believe that the risks of your business being used for money laundering or terrorist financing have changed, you must update the documents accordingly.
The procedures and guidelines must include:
If you have employees or contractors that perform tasks, which are relevant to the work of counteracting money laundering or terrorist financing, you must also have procedures that include:
You must also make sure that your employees and contractors continuously receive relevant information and education in order to be able to fulfill their obligations under the Money Laundering Act and the County Board’s Provisions.
As a business owner you are obliged to establish procedures and guidelines for the business’ customer due diligence. The procedures and guidelines must contain information about when, how and which customer due diligence measures that are to be taken. Read more about which customer due diligence measures you need to take when working with different customer categories under the tab: ”Customer due diligence”.
The business procedures and guidelines must clarify your obligation to supervise your current business relations and assess single transactions. It must also clarify that a business relation must not be established, and a transaction must not be made, if you suspect that the products or services will be used for money laundering or terrorist financing.
In addition, the procedures must clearly state that you are obligated to immediately report suspicious transactions and activities to the Financial Intelligence Unit. Read more under the tab: “Supervising and reporting to the Financial Intelligence Unit”.
As a business owner you must have procedures and guidelines for retention of documents and data. The same applies for processing personal data.
Documents and data that must be saved are:
How should documents and data be saved?
The documents and data may be saved electronically or in paper form. The important thing is to make sure that the storage is safe, and that the retention procedure of documents and data is described in the business guidelines. Documents and data needs to be stored in an accessible way and it should be easy to search in the storage. On request, you should be able to provide the Financial Intelligence Unit, the County Administrative Board, or any other authority with the data.
As a starting point, save the documents and data for five years after the transaction date or after ending your business relationship.
As a business owner, under the Money Laundering Act and county provisions, you have the right to process personal data to be able to fulfill your obligations. The Money Laundering Act takes precedence over the provisions on personal data processing under the General Data Protection Regulation (GDPR) and the Data Protection Act.
To make sure that your business fulfills its obligations under the Money Laundering Act and county provisions, it is important to have an internal distribution of responsibilities. Therefore, you must have procedures and guidelines for internal control. The procedures and guidelines must clarify the existing control functions and also contain information on who is responsible for each function. In addition, there must be information on how internal controls are carried out in compliance with money laundering regulations.
Depending of the business size and nature, the following functions may be required:
No matter what business you own, and how small your business is, you must appoint a person responsible for the business compliance with the regulations and for internal control as well as reporting to the Financial Intelligence Unit.
The business procedures and guidelines must ensure that employees and contractors are suitable for the tasks they are performing. The scope of the aptitude testing should be proportionate in relation to the person’s function and tasks in the business as well as the assessed risks. Normally, the aptitude testing is based on certificates, report cards, references and interviews, which the employer uses in regular recruitment processes. But, there may be situations where an extended aptitude testing is motivated.
It is important to have a work environment where employers and contractors feel safe and secure when working to fulfill their obligations under money laundering regulations. As a business owner you are obliged to establish procedures and guidelines as well as taking necessary measure to protect employees and contractors from threatening and unpleasant situations. The scope of the procedures and guidelines is dependent on, among other things, the general risk assessment, any threats and the nature of the business.
Information to, and education of, your employees should be based on the risks identified in the general risk assessment. The content and frequency of educational efforts should also be based on the employees’ and contractors’ different tasks and functions. Completed educational efforts must be documented. The documentation must include information on the content, the names of the participants and the date of completion.
To get to know your customers is an important part of the money laundering regulations. An adequate customer due diligence is necessary in order to handle the risks of your business being used for money laundering or terrorist financing.
Customer due diligence measures need to be taken before you establish a business relation with a customer. Thereafter, evaluate the business relation continuously.
Customer due diligence is also required before you carry out single transactions where the amount amounts to a value of 15 000 Euro or more. The requirement also applies if you suspect that there is a link between several transactions of minor amounts, but when put together the transactions amounts to 15 000 Euro or more.
The customer due diligence requirement does not apply to, among others, tax advisors and independent legal staff, if the purpose of the business relation is:
For retailers and stores, who are subjected to money laundering regulations, the requirement on customer due diligence applies for business relations, or single transactions, with cash amounts of 5000 Euro or more. The requirement also applies if you suspect that there is a link between several transactions of minor amounts, but when put together the transactions amounts to 5 000 euro or more.
If you, in your dealings with transactions and customers, discover deviances you must take extended due diligence measures. If you suspect money laundering or terrorist financing, always report your suspicion to the Financial Intelligence Unit. Read more under the tab: “Supervision and reporting to the Financial Intelligence Unit”.
An initial measure for customer due diligence is to identify your customer and perform an identity verification. This measure must be taken in relation to existing customers and well-known previous customers as well. You may need several verification methods to verify a customer’s identity. The harder it is to verify the identity, the higher the risk of the customer being involved in money laundering or terrorist financing.
If the customer is a natural (physical) person, ask for the person’s name, social security number and address. The data is thereafter verified by passport, driver’s license or another valid identity document. The data may also be verified by electronic identification or by checking other documents and data from reliable sources.
Identity documents must display a photo of the natural person. It must also be issued by an authority or another certified and reliable issuer. If there are any circumstances, for example geographical factors, which indicate a high risk situation, the identity document should also display information about the person’s citizenship.
If the customer is not present in person, the identity verification is subjected to higher requirements. The data, which is collected at identification, must be validated against external records, certificates or other independent and reliable sources. Thereafter, you must either:
In high risk situations there may be a reason to apply both measures.
No matter if the customer is present or absent at the verification, the identity can be controlled by a reliable electronic identity verification. More guidance on electronic identity verification can be found on the Agency for Digital Government's website.
If the customer lacks identity documents or electronic identity verification, there is a possibility to verify the identity by reviewing other documents and data. For example, excerpts from a certified authority, or a certificate from an employer. The prerequisite is that the reviewed sources are independent and reliable. A source is regarded independent if it has been verified by someone other than the person whose identity you are investigating. If you run into trouble assessing if a source is reliable, use various other sources.
If the customer lacks a social security number, ask for their coordination number. A coordination number is an identity designation assigned by the Swedish Tax Agency to a person who is not, or who used to be, registered in Sweden. More information about coordination numbers can be found on the Swedish Tax Agency’s website.
If the customer is a legal person, identification is made by obtaining data on the customer’s business name and business license, registered address and representatives. Thereafter, data on the legal person, as well as on their representative, are verified by checking registration certificate, register excerpts or data from other independent and reliable sources.
The registration certificate, or corresponding register excerpt, should not be older than a week at the verification occasion. If an excerpt is obtained from a website, which provides data on legal persons, it should be clarified that the data on the website is obtained from the Swedish Companies Registration Office, or from a corresponding register from another nation’s authority.
The legal person’s representative must be identified and verified through the same procedures as for other physically present customers. The representative’s authorization to represent the legal person must be checked against power of attorney documentation, appointment certificate, or corresponding authorization documentation.
If a person declares himself to represent a customer who is a natural person, the representative’s power of attorney documentation, appointment certificate, or corresponding authorization documentation must be checked.
Appointment certificate means, inter alia, a document from the Swedish board of guardians (Överförmyndarnämnden) proofing that the representative is an appointed guardian or trustee of the customer. If the customer is a minor, a corresponding document could be, for example, a civic registration certificate, which proofs that the representative is the customer’s parent.
You should investigate if the customer has one or multiple beneficial owners. A beneficial owner means a person (or persons) that on their own (or together) owns or controls the customer. The Act on Registration of Real Principals states under what circumstances a legal person can be assumed to have a beneficial owner.
If your investigation reveals that the customer has one, or multiple, beneficial owners, you must verify their identity in the same way as for customers who are natural persons. If the customer is a legal person, a trust, or a similar legal construction, your investigation should include measures to understand the customer’s ownership and control structures.
The Swedish Companies Registration Office provides a register over beneficial owners. Therefore, a starting point of your investigation may be to check their register. The customer’s risk profile, as well as your extended knowledge of the customer, may, in some cases, motivate further investigations to find out if there is one, or multiple, beneficial owners.
More information on beneficial owners can be found on the Swedish Companies Registration Office’s web site.
Exceptions from the investigation obligation apply to customers that are limited companies (Ltd), and whose shares are traded on a regulated market in Sweden, within EES, or in a corresponding market outside the EES.
If the result of the investigation clarifies that your customer do not have a real principal, you must appoint a so called alternative real principal. The same applies if you have reasons to believe that the one who has been identified as a real principal does not ultimately own, or control, the customer.
You should appoint the person who is the chairman, the managing director, or corresponding, to alternative real principal. Only one person should be appointed, and you should appoint the person that you consider to be the one with most power in the business. The alternative real principal’s identity must also be verified.
Another customer due diligence measure is to find out if the customer, or the customer’s real principal, is a politically exposed person (PEP), or, alternatively, a family member or a known co-worker to a PEP. A PEP is someone who has, or had, a prominent position in a nation, or an important leadership function in an international organization.
If the customer is a PEP, or a relative to a PEP, you must take adequate actions to find out where the origin of the assets. You must also apply a continuous and enhanced evaluation of the business relation.
Before you establish a business relation you need to gather information about the purpose and nature of the relation. You need to know what the customer’s business is about, and you need to know how the customer will use your products or services.
The information about the purpose and nature of the business relation should serve as a basis for your assessment of which activities and transactions the customer is expected to carry out within the framework of your relationship. The information can also serve as a basis for your assessment of the customers risk profile.
In some cases, the purpose and nature of the business relation is clear already at the establishment of the relation, while other cases require extended investigations.
The scope of the investigation
The scope of the investigation depends on the assessed risk attributed to the business relation. A higher risk means you have to pose additional, and more in-depth, questions, while a lower risk means it may be enough for you to make some assumptions. For products and services with a well-defined and limited area of use, your assumptions may, in most cases, be based on how customers normally use these products and services.
The customer due diligence measures need to be adjusted to your risk assessment of a single customer – to the customer’s risk profile. The due diligence measures mentioned here, must always be applied when dealing with a normal risk customer. If the assessed risk is low, simplified measures can be taken. A simplified measure is, for example, to verify the customer’s identity after a business relation has been established. If the assessed risk is high, extended customer due diligence measures must be taken. An extended measure is, for example, to ask questions about the customer’s financial situation and the origin of the money as well as to verify the customer’s information.
Other examples of simplified or extended measures can be found in the County Administrative Board’s provisions and guidelines on measures to counteract money laundering and terrorist financing.
Current business relations shall be evaluated continuously to ensure that the customer due diligence is current and adequate to handle the assessed risks for money laundering and terrorist financing. The evaluation should, for example, aim at renewed verification of representatives and beneficial owners as well as renewed focus on the purpose and nature of the business relation.
You, as a business operator, may not enter into or maintain a business relation with a customer, or carry out single transactions, if you have not achieved customer due diligence.
The County Administrative Board supervises pawnshops, accountants, tax advisers, independent legal staff that offer specific services, PO Box businesses and trustees. Merchants and retailers, which accept and pay out cash amounting to 5000 Euro or more, are also supervised.
Businesses that are run under pawnshop regulations must have a permit. Other businesses, which are under the Board’s supervision, are obliged to register their business in the Swedish Companies Registration Office’s register for preventing money laundering.
The County Administrative Board’s supervision apply to the following businesses:
The amount limit equivalent to 5000 Euro applies to both received and paid out cash. It may be one transaction equivalent to 5000 Euro, or multiple transactions adding up to 5000 Euro that are believed to be linked together.
You do not have to actually have received, or paid out, cash equivalent to 5000 Euro in your business to be obliged to compliance with the money laundering regulations. It is sufficient if it can be assumed that the business will receive, or pay out, cash amounting to 5000 Euro. The assessment will be dependent on the type of products and business’ procedures to handle cash transactions.
If you are pursuing professional activities covered by the money laundering regulations, you must notify your business to the Swedish Companies Registration Office’s Register to Counteract Money Laundering. You can find a detailed list of all activities and services that are covered by the County Administrative Board’s supervision under the tab: ”Included businesses”.
If your business ceases, or if the business changes so that you no longer pursue business activities covered by the notification obligation, you must unregister the business from the Swedish Companies Registration Office’s Register to Counteract Money Laundering. If your business changes in any other way, the change must be notified to the Swedish Companies Registration Office.
More information can be found on the Swedish Companies Registration Office’s website:
What happens if I don’t register?
If your business is covered by the notification obligation, you may not perform services if the business is not registered with the Swedish Companies Registration Office’s register. If you are pursuing such business activities without being registered in the register, the County Administrative Board order you to close down the business. The order may be combined with a fine.
Exemption from the notification obligation
Businesses that are run under pawnshop regulations, pantbankslagen, are covered by the permit obligation. Therefore, such businesses do not have to be notified to the Swedish Companies Registration Office’s Register to Counteract Money Laundering.
If you suspect that your business is being used for money laundering or terrorist financing you are obliged to immediately report to the police authority’s Financial Intelligence Unit.
If you suspect that one or multiple transaction are linked to money laundering or terrorist financing you are obliged to decline the transactions.
Proof of money laundering or terrorist financing does not need to exist. Even the slightest suspicion is enough for you to be obliged to report. Your report is important and may help forensic authorities to discover and solve crimes.
Business operators who report suspicious money laundering or terrorist financing activities to the Financial Intelligence Unit are covered by confidentiality. Therefore, information about who reported, or what was reported, will not be released to the suspect, or anyone else. You are also covered by a so called ban to communicate information, which means that you are not allowed to tell the suspect, or anyone else, that a report to the police has been made.
For information about how to report suspicious transactions contact the Financial Intelligence Unit: Phone 010-563 68 00 or E-mail email@example.com.
If you knowingly carry out a transaction that is linked to money laundering or terrorist financing, you may be guilty of a crime.
The money laundering regulations guiding the County Administrative Board’s work are:
The Swedish money laundering regulations are based on EU’s Fourth Anti-Money Laundering Directive (in english). The provisions in the directive are based on international standards, which have been issued by the intergovernmental organization Financial Action Task Force - FATF.
The provisions that apply to you as a business operator are stated in the Money Laundering Act and the regulations. In the County provisions you can also find guidelines in the form of general advice.
The penalty laws that regulate crimes related to money laundering and terrorist financing are:
The County Administrative Board’s work to counteract money laundering and terrorist financing includes supervision, taking measures against unregistered businesses, information effort and announcing regulations. The County Administrative Board supervises specific businesses under the Money Laundering Act, by ensuring that the businesses comply with money laundering regulations through controls and inspections.
The County Administrative Board carry out an aptitude test, a so called vandelsprövning, of all representatives for companies under the Board’s supervision. Single traders, retailers, and persons that are qualified shareholders in a legal person or are a part of its management board, are included in vandelsprövningen. Vandelsprövning means that the County Administrative Board checks all representatives against criminal records as well as against the Swedish Tax Agency’s debt register and the Swedish Enforcement Authority’s debt register.
If it is discovered that a representative, to a significant degree, has failed to fulfill his/hers obligations in the business operations, or if the representative has been guilty of a serious crime, the County Administrative Board may order the person to sell its shares, resign from the board or close down the business. The order may be combined with a fine.
The County Administrative Board reviews the businesses risk assessments, procedures and guidelines to counteract money laundering and terrorist financing. Usually, the Board performs a so called desk review, which means that the business owner is ordered to submit the documents and data the Board needs to be able to carry out the review. The Board may also do visits on site to, among other things, follow-up on how the procedures and guidelines are put into practice.
If the business owner fails to fulfill its obligations under the Money Laundering Act and the County Administrative Board’s provisions, the County Administrative Board may order the business owner to make corrections, or, under certain conditions, close down the business. The order may be combined with a fine, and, in case of non-petty breaches, the Board may announce a sanction fee.
All businesses who are included under the County Administrative Board’s money laundering supervision, in addition to pawn shops, must report their business to the Swedish Companies Registration Office. The County Administrative Board engages in outreach activities and will follow-up on businesses that decided not to register. The Board may order businesses to register with the Swedish Companies Registration Office, and if registration does not occur, the Board may order the business owner to close down the business. These orders may be combined with a fine.
The County Administrative Board announces provisions on prevention of money laundering and terrorist financing. The provisions are co-authored with the County Administrative Boards of Stockholm County, Skåne County, and Västra Götaland County, but are decided by each county administrative board. The provisions are binding to the businesses. In 2017 the county provisions were supplemented with guidelines, in the form of common advice.
The provisions and the common advice complement each other and clarify the businesses’ obligations under the Money Laundering Act.
To increase knowledge about the Money Laundering Act and the County Administrative Board’s supervisory work, various information efforts are implemented. The county administrative boards regularly invite businesses to information meetings about the Money Laundering Act and the supervisory work as well as send out newsletters.
County Administrative Board of Skåne
Phone 010-224 10 00