AML/CTF Blog

Your Gateway to Understanding AML Made Simple.

Swedbank’s Fresh AML Probe: What Happens When Remediation Doesn’t Stick

Posted by:

Viktor H

|

On:

|

, , ,

By Viktor Ha | February 2026 | AML-CAMS Blog

A record SEK 4 billion fine. An internal investigation spanning 12 years. Remediation programs across four countries. A former CEO prosecuted.

And on 20 February 2026 — just last week — Sweden’s Financial Supervisory Authority (Finansinspektionen, or FI) announced it will investigate whether Swedbank’s customer due diligence controls complied with Swedish AML rules, covering the period from December 2023 to November 2025.

That is not a historical review. That is a probe into what Swedbank has been doing in the past two years — well after the fines were paid, the reports were written, and the remediation was supposed to be complete.

If you work in financial crime, this case should make you uncomfortable. Not because of what Swedbank did in the Baltics a decade ago — but because of what it suggests about the gap between remediation on paper and remediation in practice.

The Background: A Quick Recap of the Baltic Scandal

Swedbank’s AML problems have deep roots.

In February 2019, the bank engaged external lawyers to conduct an internal investigation into suspected money laundering risks across its Swedish and Baltic operations (Estonia, Latvia, Lithuania). The review examined a 12-year period from January 2007 to March 2019 — and what it found was damning.

The internal report, published in March 2020, revealed that Swedbank’s Baltic branches had processed approximately €17.8 billion into customer accounts and €18.9 billion out of customer accounts between 2014 and 2019 alone, with a significant portion flagged as potentially suspicious through algorithmic detection. The deficiencies were not isolated to one branch or one product. They were systemic — spanning risk assessment, governance, internal controls, and management oversight.

Critically, investigators found that Swedbank’s management had been aware of the risks and had received multiple internal and external warnings but failed to act adequately. This was not a case of unknown unknowns. The bank knew, and the controls still failed.

The 2020 Enforcement: Record Fines and Parallel Actions

On 19 March 2020, two regulators acted simultaneously.

Sweden’s FI concluded that Swedbank had “serious deficiencies in its management of the risk of money laundering in its Baltic operations.” FI issued a formal warning and imposed an administrative fine of SEK 4 billion (approximately USD 386 million at the time) — a record AML penalty for the Swedish regulator.

On the same day, the Estonian Financial Supervisory Authority (Finantsinspektsioon) issued a precept requiring Swedbank’s Estonian subsidiary to implement measures to improve its AML risk-control systems, which were found to be “not in line with anti-money laundering requirements.” Estonia also noted that a separate criminal investigation would determine whether actual money laundering had occurred.

Former Swedbank CEO Birgitte Bonnesen was subsequently prosecuted for allegedly misleading disclosures related to the bank’s AML issues. She was acquitted in January 2023.

January 2026: The DOJ Closes Its Case

Swedbank’s AML history also attracted the attention of the U.S. Department of Justice, which conducted a long-running investigation into the bank’s historical AML issues.

In January 2026, the DOJ closed its investigation without enforcement action. For Swedbank, this looked like the final chapter — the last major regulatory overhang from the Baltic scandal, resolved without further penalty.

That sense of closure lasted approximately one month.

February 2026: A Fresh Probe Into Current Controls

On 20 February 2026, Sweden’s FI announced it would investigate Swedbank’s customer checks and CDD measures for the period from December 2023 to November 2025.

FI did not disclose whether the investigation was routine or triggered by specific suspicions. It stated only that how banks counter risks of money laundering and terrorist financing is a priority issue in FI’s supervision in 2026.

The timing is notable. The review period — December 2023 to November 2025 — covers a window that is entirely post-remediation. This is not FI revisiting the Baltic scandal. This is FI asking: after everything that happened, are your CDD controls actually working now?

Why This Matters Beyond Sweden

It is tempting to dismiss the Swedbank probe as a European story with limited relevance to Australian financial crime teams. But the underlying dynamic is universal, and it mirrors what we are seeing closer to home.

The pattern is the same everywhere

Consider the parallels. Swedbank paid a record fine in 2020, conducted extensive remediation, and faced sustained regulatory scrutiny for years. And yet, in 2026, the regulator is back — looking at current controls, not historical failures.

In Australia, ANZ received an operational risk capital add-on of AUD 500 million from APRA in 2019 for non-financial risk management weaknesses. By 2023, APRA had increased it to AUD 750 million. In 2025, it rose again to AUD 1 billion. Each increase reflects APRA’s assessment that remediation progress was insufficient.

Bendigo Bank’s Deloitte review found AML/CTF deficiencies spanning six years from 2019 to 2025 — a period during which the bank’s own annual report claimed 98 per cent of staff had completed mandatory AML/CTF training. The controls looked adequate on paper. They were not adequate in practice.

The lesson is consistent across jurisdictions: remediation programs that fix systems without fixing culture tend to produce compliance theatre, not lasting change.

What “not sticking” actually looks like

When regulators come back and find that post-remediation controls are still deficient, the root causes are usually the same:

Governance gaps. The remediation program was treated as a project with an end date rather than a permanent uplift in risk management capability. Once the project was “completed,” oversight intensity dropped.

First-line disconnect. New policies and procedures were written by second-line risk and compliance teams but never fully embedded in first-line operations. The people conducting CDD on the front line continued doing what they had always done.

Static controls in a dynamic risk environment. Controls were designed to address the specific failures identified by regulators — but the risk environment moved on. New products, new customer segments, new typologies were not captured by the remediation scope.

Insufficient ongoing assurance. There was no mechanism to continuously test whether remediated controls were actually operating effectively over time. The independent review happened once, the box was ticked, and no one checked again until the regulator did.

What This Means for You

If your institution has been through — or is currently going through — a remediation program, Swedbank is a cautionary example.

The regulator’s clock does not stop when your remediation project closes. FI’s new probe covers a period that is entirely post-remediation. APRA’s escalating capital add-ons at ANZ demonstrate the same principle. Completing a remediation program is not the finish line — it is the starting point for demonstrating sustained compliance.

Ongoing assurance is not optional. If you do not have a mechanism to continuously test the effectiveness of your AML/CTF controls after remediation, you are assuming they work without evidence. That assumption failed at Swedbank. It failed at Bendigo Bank. It is failing somewhere right now.

Culture eats remediation for breakfast. You can rewrite every policy, recalibrate every TM rule, and retrain every analyst. But if the underlying risk culture — the way people think about and respond to ML/TF risk in their daily work — has not genuinely shifted, you are building on sand. APRA recognised this at Bendigo Bank when it explicitly called out risk culture alongside risk management practices. FI recognised it at Swedbank when it found that management had been aware of deficiencies but failed to act.

Australia is watching. With the AML/CTF reforms commencing from 31 March 2026, AUSTRAC’s stated enforcement priorities for 2025-26, and a FATF mutual evaluation on the horizon, Australian regulators have every incentive to follow FI’s approach — coming back to check whether institutions that promised to improve actually did.

Key Takeaways

  • Swedbank’s SEK 4 billion fine in 2020 and years of remediation did not prevent a fresh FI probe in February 2026 into CDD controls covering December 2023 to November 2025 — a period entirely post-remediation.
  • The pattern of regulators returning to assess current controls after historical enforcement actions is consistent across jurisdictions — Swedbank in Sweden, ANZ and Bendigo Bank in Australia.
  • Remediation programs that address systems and processes without fundamentally shifting risk culture and governance tend to produce short-term compliance gains that erode over time.
  • Ongoing assurance — continuous, independent testing of whether remediated controls remain effective — is the missing piece in many institutions’ post-enforcement strategies.
  • For Australian FC teams, the message is clear: completing a remediation program is the beginning, not the end, of demonstrating to regulators that your AML/CTF controls work.

Viktor Ha is a Senior Financial Crime Analyst based in Melbourne and the author of the AML-CAMS Blog. Follow him on LinkedIn for weekly insights on financial crime, AML enforcement, and FC career development.

#AML #FinancialCrime #Swedbank #Remediation #AUSTRAC

Posted by

Viktor H

in

Leave a Reply

Your email address will not be published. Required fields are marked *