Norwegian Regulator Exposes Serious AML Failures at Handelsbanken Norway Following Extensive Supervisory Review

The Financial Supervisory Authority of Norway has identified serious breaches in anti-money laundering controls at Svenska Handelsbanken AB NUF, operating as Handelsbanken Norway, following a comprehensive regulatory inspection that began with supervisory meetings in early 2024 and concluded with a final report outlining systemic weaknesses across multiple compliance areas. The findings indicate that the Norwegian branch failed to satisfy core legal obligations related to risk assessments, customer due diligence, and internal control mechanisms. Although the bank has since initiated structural reforms designed to centralize and strengthen its compliance framework, the historical deficiencies remain a major regulatory concern. The case highlights the high standards imposed on foreign bank branches operating in Norway and the expectation that they maintain effective defenses against illicit financial activity.

According to the supervisory assessment, one of the most significant shortcomings involved the institution’s inability to align its day-to-day operations with the specific requirements of the Anti-Money Laundering Act. Central to the regulator’s criticism was the bank’s overarching risk assessment methodology, which serves as the foundation of any effective compliance framework. Authorities found that while the institution relied on an external tool to document risks, it failed to tailor the analysis to reflect the realities of its Norwegian operations. Several risks categorized as low or medium inherent risk were effectively disregarded in the final assessment, despite the branch maintaining significant exposure to those sectors and customer categories. As a result, the institution lacked an accurate understanding of its actual vulnerability to financial crime.

The regulator also found that the bank failed to properly distinguish between inherent risk and residual risk. In sectors such as real estate and construction, widely recognized as particularly vulnerable to illicit activity, the institution concluded that residual risk levels were moderate or low without adequately demonstrating how existing controls mitigated the substantial inherent risks. The reasoning supporting those conclusions was frequently described as opaque and lacking substantiation. Regulators viewed this pattern as evidence of a compliance culture focused more on completing procedures than conducting meaningful analysis of financial crime threats. Because risk assessments were not effectively linked to the bank’s operational realities, subsequent controls were misaligned with the actual risks present in the customer portfolio.

Internal oversight mechanisms were also found to fall short of statutory expectations. The report concluded that internal control routines were static and failed to address the full scope of regulatory requirements over time. Of particular concern was the limited focus on customers classified as standard risk, with almost no testing conducted to assess whether ongoing monitoring for this substantial segment of the customer base was adequate. Regulators warned that this created significant blind spots in which suspicious activity could remain undetected simply because customers did not fall into a higher-risk category. The inspection further revealed that numerous internal audit findings had remained unresolved for years, with some dating back to 2017, raising concerns about the bank’s responsiveness in addressing known compliance vulnerabilities.

Training arrangements for employees and contractors were similarly deemed inadequate. Norwegian law requires all personnel involved in financial transactions to receive regular, role-specific training that equips them to recognize indicators of money laundering and terrorist financing. However, the bank’s training materials were found to be overly generic and insufficiently tailored to critical internal processes, including handling transaction alerts and managing outsourced activities. Regulators also noted that the institution could not demonstrate that its training framework was based on a meaningful assessment of employee skill gaps. Without a properly trained workforce, even sophisticated technological controls become less effective, particularly when human judgment remains a critical line of defense against the movement of criminal proceeds through legitimate channels.

The inspection also raised significant concerns about the effectiveness of the bank’s electronic transaction monitoring systems. Regulators found that monitoring rules were primarily designed to identify obvious risks, such as cash transactions and transfers involving high-risk jurisdictions, while largely overlooking domestic transfers, intra-group movements, and industry-specific risks. The system was found to generate a substantial number of false positive alerts, while numerous other monitoring rules had not generated a single alert over a three-year period. This imbalance suggested the system was poorly calibrated to the bank’s actual risk profile, potentially overwhelming compliance staff with irrelevant alerts while allowing genuine threats to go undetected.

The institution’s suspicious activity reporting practices to the national financial intelligence unit, Okokrim, were also criticized for procedural weaknesses. The bank maintained a high threshold for escalating alerts into full investigations, resulting in the majority of cases being closed during preliminary review. In many instances, staff accepted customer explanations for suspicious transactions without conducting independent verification or evaluating the plausibility of the information provided. The report also identified a serious breach of the tipping-off prohibition, noting that the bank inadvertently informed a customer they were under investigation during communications concerning sanctions risk. Regulators treated this breach of confidentiality as particularly serious, given the possibility that it could allow suspected criminals to move assets before authorities can intervene.

The findings extended to the bank’s handling of specific customer segments, where regulators found failures to apply enhanced due diligence in situations that clearly warranted greater scrutiny. In cases involving complex corporate structures and politically exposed persons, the institution did not apply the level of investigation required, increasing the risk that the branch could be used for money laundering purposes. The supervisory authority stressed that responsibility for these shortcomings rests with branch management, which must ensure the compliance function has adequate resources, authority, and operational independence to perform effectively. As financial crime risks become increasingly complex, regulators emphasized the critical importance of strong local branch compliance functions in protecting the integrity of the national financial system.

In response to the findings, the bank has begun a significant overhaul of its Norwegian compliance operations, including structural reforms aimed at centralizing processes to improve quality and consistency across anti-money laundering functions. The institution has informed regulators that many of the deficiencies identified during the 2024 inspection have either been addressed or incorporated into detailed remediation plans. These measures are intended to reduce deviations identified by internal controls and ensure that risk assessments and compliance routines are fully operational and regularly updated. While the regulator acknowledged these remediation efforts, it made clear that their effectiveness will depend entirely on successful implementation and long-term sustainability.

The supervisory authority has requested regular progress reports to monitor the status of the bank’s remediation efforts, with the first report due in mid-2026. All completed corrective measures must be validated by the branch’s internal auditor to confirm they satisfy required standards. This ongoing oversight reinforces the principle that regulatory compliance is not a one-time exercise but an ongoing process requiring continuous adaptation to evolving financial crime risks. The case serves as a broader warning to financial institutions that supervisors increasingly expect firms to move beyond checklist-driven compliance and develop evidence-based, operationally grounded understandings of the risks they face.

The regulator’s findings also place pressure on Handelsbanken Norway to demonstrate a deeper transformation in compliance culture. Authorities made clear that moving from a historically reactive approach to one focused on proactively managing financial crime risks will require more than structural centralization. While the decision to centralize the anti-money laundering function was recognized as a positive step, regulators emphasized that it must be accompanied by a broader change in organizational mindset at every level. Only by embedding regulatory requirements into the institution’s core business strategy can the branch hope to avoid future supervisory intervention and preserve the trust of both regulators and the public. The upcoming remediation reports will serve as a critical test of whether the institution has genuinely addressed the failures identified in the 2026 assessment.

By fLEXI tEAM