Statement 9 December 2016 – 3/2016

Customer due diligence and banks’ procedures

Since the beginning of 2016, the Financial Supervisory Authority (FIN-FSA) has received numerous customer contacts enquiring about the appropriateness of banks’ procedures relating to obtaining customer due diligence information. In a press release on 19 February 2016, the Financial Supervisory Authority presented its view on banks’ procedures, and the Office of the Data Protection Ombudsman gave its own view on the issue on 22 June 2016.

In this statement, FIN-FSA outlines the information that, in its view, is necessary and essential for banks in establishing and maintaining a customer relationship involving basic banking services.

In the context of basic banking services, a customer relationship refers to one in which the customer only has a payment account, a payment card and access to online banking.

Both the Credit Institutions Act and the Money Laundering Act require that the bank obtains customer due diligence information. This information must be processed in accordance with the Personal Data Act. Under basic banking services regulations, a bank may refuse to open an account for, among other things, a reason arising from the Money Laundering Act. In addition to the customer due diligence information required in the Money Laundering Act, banks must ascertain from customers necessary information concerning the implementation of taxation. In this release, FIN-FSA does not take a position on this information.

It is the responsibility of banks to manage risks. Banks have the right to prepare questions to be presented to customers in order to obtain due diligence information from customers. The due diligence information obtained must, however, be necessary and essential in establishing and maintaining a customer relationship, taking into account the risk-based assessment referred to in the Money Laundering Act.

Questions relating to due diligence information [1]

Section 10 of the Money Laundering Act contains provisions on the information that the bank is obliged to obtain for customer due diligence purposes. Some of the information is explicitly specified in section 10, while for other information the level of detail required is left to the bank’s risk-based assessment. [1]

In FIN-FSA’s view, the following information is necessary and essential in establishing and maintaining a customer relationship involving basic banking services, provided that no special situation referred to in the Money Laundering Act is associated with establishing and maintaining the customer relationship:

  • customer’s name, address, personal identity number and nationality
  • information on whether the customer holds an important public position abroad (politically exposed person, PEP) or whether he/she is a family member or a close associate of such a person [2]
  • information on the customer’s life situation, describing his/her financial status (e.g. employer, pensioner, student)
  • information on whether the customer relationship to be established is the customer’s main banking customer relationship
  • information on the origins or source of funds and regular payment transfers/cash flows
  • assessment of the customer’s regular payment transaction volumes
  • assessment of the customer’s foreign payment transaction volumes and the grounds for such transactions

In addition, the bank must take into account that which is stated in section 7 and section 10 of the Money Laundering Act about the identification of a customer representative and the verification of identity.
The bank may also, if necessary, request from the customer documentation to clarify information he/she has provided.

In customer relationships other than those involving basic banking services, the bank may be justified in requesting, in addition to the information referred to above, other information affecting customer due diligence. The necessity for such information depends on the nature and extent of the customer relationship.

Maintaining and updating due diligence information

The bank must maintain and, when necessary, update the due diligence information relating to existing customer relationships. If the bank has not, in connection with the establishment of the customer relationship, ascertained from the customer all the information necessary for identification, it may, in customer relationships it assesses to be low risk, update the due diligence information to the level required by law using information already collected from the customer’s use of banking services.

Informing the customer on the processing of due diligence information

FIN-FSA emphasises that, in accordance with the Personal Data Act, processing of customer information must be planned in advance. Moreover, the tasks for which customer information is being processed at any given time must be specified. According to the Personal Data Act, only such information as is necessary for its purpose may be collected on customers.

Under the Personal Data Act, banks must inform customers clearly about why information is requested and for what purpose it will be used.

The new Money Laundering Act, which enters into force in 2017, obliges banks to inform their customers that customer information is used for the prevention of money laundering and terrorist financing. The new Act states that personal information obtained solely for purposes referred to in the Money Laundering Act may not be used for marketing. On the other hand, the same personal information collected on other grounds, such as for granting credit or providing investment services, may be used for marketing if the customer has been informed accordingly. The customer always has the right to forbid the use of personal information for marketing purposes.

For further information, please contact:

  • Maarit Pihkala, Senior Legal Adviser, tel. +358 9 183 5240, maarit.pihkala(at)
  • Sanna Atrila, Legal Adviser, tel. +358 9 183 5552, sanna.atrila(at)


FIN-FSA's press release 19 February 2016: Banks' procedures in obtaining customer due diligence data

For information

Federation of Finnish Financial Services
Office of the Data Protection Ombudsman
National Bureau of Investigation/Financial Intelligence Unit

[1] Section 10(2)(9) of the Money Laundering Act obliges banks to keep the information referred to in section 9(1) that is obtained to conduct customer due diligence, such as information on the customer’s transactions, the nature and extent of the customer’s business, his or her financial status, the grounds for the use of transactions or services and information on the source of funds.
[2] In the new Money Laundering Act, the definition of politically exposed person is extended to also cover persons holding certain domestic public positions and their close associates.

The English-language version of this statement was published on 27 July 2017.