Combined penalty payment of EUR 7,670,000 and public warning for S-Bank Plc

Press release 23 May 2025

The Financial Supervisory Authority (FIN-FSA) has imposed a combined penalty payment of EUR 7,670,000 on S-Bank Plc for omissions in the bank’s operational risk management. The FIN-FSA also issued a public warning to S-Bank Plc for omissions regarding strong customer authentication and the payer consent required for executing payment transactions. The omissions relate to a programming error that was in S-Bank Plc’s IT system between 20 April 2022 and 5 August 2022.

The omissions in operational risk management were omissions in information system security and in effective incident management procedures. The bank also did not have adequate policies and processes for identifying, assessing and managing operational risks in the above-mentioned areas. Furthermore, in regard to these areas, the bank was not adequately prepared for the realisation of risks pertaining to outsourcing. 

The omissions were revealed in an inspection performed by the FIN-FSA in 2022–2023 and in a programming error investigation by the FIN-FSA. The inspection aimed to ascertain whether the management of the bank’s ICT and information security risks was appropriately organised.

“The importance of digital security in banking services is pronounced in Finland, as customer service has moved almost entirely to mobile and online banking. The geopolitical situation highlights the importance of digital services management in supervised entities. The supervision of ICT, cyber and outsourcing risks remains an operational priority for the FIN-FSA in 2025,” says FIN-FSA Director General Tero Kurenmaa.

A combined penalty payment, payable to the State, was imposed on S-Bank Plc for the omissions. The amount of the combined penalty payment was based on a comprehensive assessment, which took account of factors such as the nature, extent and duration of the omissions and the bank’s previous omissions concerning financial market provisions and regulations. The bank’s measures to prevent a recurrence of the omissions and the bank’s cooperation with the FIN-FSA in resolving the matter were taken into consideration as factors mitigating the amount of the combined penalty payment. 

The FIN-FSA’s decision is not yet legally binding. S-Bank Plc has the right to appeal the decision to the Helsinki Administrative Court within 30 days of receipt of notice of the decision. Information on the legal validity of the decision is available on the FIN-FSA website.

For further information, please contact

Janne Häyrynen, Head of Unit, Legal, and Jussi Terho, Head of Division, Payment Services and IT Supervision
Requests for interviews are coordinated by FIN-FSA Communications, tel. +358 9 183 5030, Mon–Fri 9:00–16:00.
