Society’s rapid digitisation is accelerating the transition from bank branches to digital banking, and this is raising demand for stable IT environments and protection against external threats. It is critical that Swedbank provides secure IT systems, including stable and reliable digital channels and internal IT environments. Combating financial crime is also a continuous effort within Swedbank with steadily improving routines, system support and processes.
Anti-money laundering and counter-terrorist financing
Everything Swedbank does should be characterised by high ethical standards, with Swedbank and its employees actively assessing every transaction, relationship and activity from the standpoint of the bank’s ethical norms and positions. According to the Swedish Act (2017:630) on Measures against Money Laundering and Terrorist Financing, Swedbank is obligated, without delay, to report suspicions of money laundering or terrorist financing (suspicious activity reports, SAR) to the Financial Intelligence Unit within the Swedish Police.
The preventive work to detect and report suspected money laundering and terrorism financing remains the highest priority at Swedbank. The bank has established an Anti-Financial Crime (AFC) unit to strengthen the fight against money laundering and financial crime.
Intelligence and collaborations
For security work to be effective, access to intelligence is essential. Swedbank works with a number of public and private actors to track and understand threats to the financial sector. Swedbank’s security response team collaborates with others in the sector, in addition to police authorities. As a bank, Swedbank is obligated to report suspicions of market abuse such as insider trading, market manipulation and unlawful disclosure of inside information (pursuant to the EU's Market Abuse Regulation, MAR).
To prevent its payment systems from being exploited for criminal activity, Swedbank has built up a set of internal rules, processes and support functions to ensure that it complies with applicable laws and regulations in the area. Swedbank has an obligation to have knowledge about its customers, understand where their money comes from and why they want a relationship with the bank, in order to better detect unusual behaviour. Swedbank minimises these risks through the “Know Your Customer” process, in which systems monitor transactions and customer databases are reconciled against sanction lists.
Internal alerts process ("whistle blowing")
For Swedbank it is important that irregularities within the Group are detected and addressed in time. For this reason an internal alert process ("whistle blowing") has been established within the Group, enabling employees to anonymously report suspected violations of internal or external rules. In 2019 a total of 30 reports were filed using the internal alerts process.
Information security work
Swedbank has organised a central function responsible for coordinating and leading information security work. It is led by the bank’s Chief Information Security Officer (CISO) and maintains a management system for information security as well as functions for incident response and proactive security testing of the bank’s IT environment. Swedbank’s CISO reports directly to the Head of Anti-Financial Crime, who is represented in the Group Executive Committee, though the CISO can, if relevant, also report on and escalate certain information security matters directly to the CEO. Every business area also has Information Security Managers, who coordinate security work locally.
The Board of Directors’ Risk and Capital Committee (the RCC) oversees the information security work and the implementation of the information security strategy. In this regard, the RCC supports the Board in its work to ensure that routines are in place to identify information security risks and that the risks are adequately monitored and managed. Swedbank’s security and incident response team has been a certified TF-CSIRT Trusted Introducer since 2010. Regular external security audits and vulnerability assessments are carried out.
Training for employees
Swedbank takes an active role in preventing financial crime; the preventive work mainly consists of various training, guidelines and materials connected to the work. All Swedbank employees are required to participate in annual training sessions on countering money laundering and terrorist financing, and further in-depth training may be undertaken, depending on the employee’s role and tasks. In addition, all Swedbank employees undergo mandatory training on Swedbank's code of conduct, data privacy (GDPR) and information security (this also applies to contractors) and general safety training.