Supervision release 11 October 2021 – 46/2021

FIN-FSA recommendation on compliance with EBA ML/TF Risk Factors Guideline

On 1 March 2021, the European Banking Authority (EBA) issued updated English-language Guidelines on money laundering and terrorist financing risk factors (ML/TF Risk Factors Guidelines). The Finnish and Swedish-language versions of the Guidelines were published on 7 July 2021 (EBA/GL/2021/02).

On 11 October 2021, the Financial Supervisory Authority (FIN-FSA) issued regulations and guidelines 7/2021 implementing the updated EBA Guidelines nationally. The FIN-FSA guidelines will enter into force on 26 October 2021.

The EBA Guidelines contain guidelines on the customer due diligence obligation and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions. The purpose of the EBA Guidelines is provide supervised entities with tools to assess the ML/TF risks related to their operations and customer relationships as well as monitoring methods and other controls needed in risk management. Additionally, they support supervisory measures taken by competent authorities in assessing risk assessments made by supervised entities and the adequacy of risk management measures.

In its guidelines, the FIN-FSA recommends that supervised entities falling within the scope of the EBA Guidelines comply with them.

Paragraph 2.5 of EBA Guidelines describes risk factors that may be relevant when identifying the risk associated with a customer’s or a customer’s beneficial owner’s reputation. One of the risk factors provided in the paragraph is information that the customer or customer’s beneficial owner has been subject to criminal proceedings. Pursuant to Article 10 and Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the processing of personal data relating to criminal convictions and offences or related security measures is possible only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

The FIN-FSA urges its supervised entities to take into account that valid national legislation does not include a provision that enables obliged entities to use information concerning a criminal sentence pertaining to their customer in fulfilling their customer due diligence obligations.

For further information, please contact

Jonna Ekström, Senior Legal Advisor, telephone +358 9 183 5531 or jonna.ekstrom(at)