Ikano Bank's AML Fine: The EDD Failures KYC Teams Must Fix

Sweden's Finansinspektionen fined Ikano Bank SEK 140M in June 2026. The four failures behind the decision, three of them in risk assessment and one in Enhanced Due Diligence, are what regulators are now targeting across the EU.

By Emily Carter, AI Strategy Consultant at Joinble

On 17 June 2026, Sweden's financial supervisory authority Finansinspektionen issued a formal remark and an administrative fine of SEK 140 million — approximately €13 million — against Ikano Bank AB. The decision identified four specific areas where the bank's anti-money laundering programme had failed. Each finding is precise, documented in a public enforcement notice, and already being used by peer supervisors as a reference for what adequate AML controls must produce.

Ikano Bank is not a fringe institution. Founded in 1995 by Ingvar Kamprad, the creator of IKEA, it is a licensed bank operating across Europe with consumer credit, savings, and payment products. It was not caught operating outside the rules. It was caught operating with an AML programme that had quietly become obsolete while the rulebook around it changed.

That distinction is what makes this case worth reading carefully.

The Four Violations

Finansinspektionen structured its enforcement decision around four specific deficiencies. They are not procedural technicalities — they describe a compliance programme that existed on paper and did not function in practice:

#   Violation                            Core failure
1   Incomplete product risk assessment   No separate TF exposure analysis for corporate clients
2   Outdated ML/TF typologies            Updated regulatory guidance not integrated into controls
3   Inadequate Enhanced Due Diligence    Purpose, source of funds, source of wealth and UBO not gathered
4   Regulatory intelligence gap          FIU and authority guidance excluded from the general risk assessment

Read together, these four violations describe the same structural problem: a compliance programme that was built correctly at some point and then left to drift. The documentation existed. The processes existed. What did not exist was the operational discipline — or the tooling — to keep them current.

Failure 1: A Risk Assessment That Did Not Cover Corporate Clients

Finansinspektionen found that Ikano Bank's general risk assessment did not include a separate, realistic analysis of how its products could be misused by corporate customers for terrorist financing purposes. The corporate book had not been assessed as a distinct population with distinct exposure patterns.

This matters because EU AML law — both under current directives and the incoming AMLR — requires obliged entities to assess risk across the actual distribution of their customer base, not an assumed average. Corporate clients carry different structural risks from retail consumers: shell company layering, misuse of commercial credit flows, complex beneficial ownership chains. An AML framework that treats a €50,000 SME trade credit line and a €50,000 personal savings account as equivalent risk exposure fails the segmentation standard.

Finansinspektionen's finding confirms what multiple supervisors have been signalling: a single consolidated risk score that averages across customer segments does not satisfy the requirement. Firms that cannot demonstrate segment-specific risk analysis for material customer populations — corporate, retail, high-value, non-resident — are exposed to this finding.

Failure 2: Outdated Money Laundering Typologies

The regulator found that Ikano Bank had not integrated updated money laundering and terrorist financing methods published by Swedish authorities. The bank's internal control frameworks had not been revised to reflect new typologies identified by the national FIU and other supervisory bodies.

The information was available. It was not incorporated.

This is a structural compliance failure, not an oversight. Swedish authorities — like AMLA at the EU level — regularly publish typology reports, risk bulletins, and national threat assessments. The obligation to receive this information, review it, and translate it into operational control adjustments is explicitly established in the AML framework.

AMLA, which became operational on 1 July 2025, has committed to publishing 23 Level 2 and Level 3 technical standards before the AMLR becomes fully applicable in July 2027. Several of those standards contain updated guidance on risk categorisation and monitoring requirements. An obliged entity that reads the publications without operationalising them will fail the same test Ikano Bank failed.

The practical question for compliance teams is not "do we receive regulatory intelligence?" but "do we have a documented process for reviewing, approving, and implementing regulatory updates within a defined window?" If the answer is informal — updates are read when someone has time — the Ikano Bank outcome is a precedent.

See AMLA's draft ongoing monitoring guidelines, published two weeks before this enforcement action, for the specific framework AMLA has proposed for keeping risk classifications and customer information current. The Ikano Bank failure sits exactly within the operational gap Guideline 2 addresses.

Failure 3: Enhanced Due Diligence Without the Enhanced Part

This is the violation with the most direct implications for KYC teams across Europe.

Finansinspektionen found that Ikano Bank had not gathered the information required to implement Enhanced Due Diligence: the purpose of the business relationship, source of funds, source of wealth, and beneficial ownership details. EDD existed as a named process. The substantive inputs that give EDD its meaning were absent.

EDD is not a document collection task. It is an investigation — a structured attempt to understand not just who a customer is, but why they are using this product, where their money comes from, and who ultimately controls and benefits from the relationship. The FATF Recommendations and every EU directive built on them are explicit about what EDD requires for higher-risk customers:

  • Purpose of business relationship: What is the customer trying to accomplish? Does the transaction pattern match the stated purpose?
  • Source of funds: What is the origin of the assets used in this relationship — salary, business revenue, sale of property, inheritance? Each carries a different verification burden.
  • Source of wealth: What is the origin of the customer's overall wealth? This is distinct from source of funds and requires separate analysis for high-net-worth and business clients.
  • Beneficial ownership: For legal entities, who ultimately owns or controls the customer? Who benefits economically from the relationship?

Ikano Bank could not demonstrate consistent collection of these fields. That is not an EDD programme with gaps — it is an EDD programme that did not function.

For context on what data regulators now expect these fields to contain, and how the AMLR will standardise their collection across all 27 EU member states, see AMLA's CDD technical standards. The standards define the minimum content requirements for each field and the verification approach expected for different customer risk categories.

Failure 4: Regulatory Intelligence Excluded from the Risk Model

The fourth violation is related to the second but distinct in scope. Finansinspektionen found that information from authorities about ML/TF risks and methods had not been incorporated into the bank's general risk assessment. The model was self-referential: calibrated against the bank's own historical data and internal assumptions, without external input.

This creates a systematic blindspot. Financial crime evolves faster than individual institutions accumulate experience with new methods. The typologies that supervisors publish in threat assessments often reflect patterns that are months ahead of what any single institution can detect in its own transaction data. A risk model that is not continuously calibrated against external intelligence will consistently underweight novel attack vectors until they have already caused material exposure.

What This Fine Signals About 2026 EU Enforcement

The Ikano Bank decision is part of a visible pattern. The UK's Money Laundering and Terrorist Financing (Amendment) Regulations 2026, signed on 9 June, signal the same direction. Multiple EU regulators have issued enforcement actions in the first half of 2026 based on the effectiveness gap — not whether controls exist, but whether they work.

AMLA's direct supervision model, which will apply to 40 selected firms from 2028, is built on exactly this evaluative framework. The data collection exercise AMLA launched in early 2026 is designed to identify which entities are operating with structural gaps — risk assessments that look complete but miss key populations, EDD processes that collect some fields and omit the ones regulators actually check.

Finansinspektionen combined the fine with a formal remark (anmärkning). Under Swedish supervisory law the remark is the milder of the two formal sanctions available short of licence withdrawal, the other being a warning, so the choice of instrument does not by itself signal severity; the findings do. Ikano Bank did not make a single mistake. It operated with a programme that had become systemically inadequate over time.

The Automation Gap in EDD

Each of the four violations traces to the same operational problem: the gap between what a compliance programme documents and what it actually delivers.

Manual EDD processes degrade predictably. Customer records go stale between review cycles. Risk assessments are drafted once and revisited only when someone schedules the update. Regulatory typology guidance lands in inboxes and gets read but not operationalised. This is not negligence — it is the predictable consequence of a compliance programme that depends on human bandwidth to remain current.

Automated EDD approaches this differently. Continuous monitoring against adverse media, sanctions, and PEP databases keeps customer risk classifications current without waiting for a periodic review. Trigger-based workflows initiate EDD refresh when a new fact — a change in beneficial ownership, an anomalous transaction, a regulatory alert — is detected in real time. Source of funds and wealth fields are captured at onboarding and verified through integrated data sources rather than collected manually at remediation time.

Joinble's autonomous identity agents are built around this operational model: EDD fields are gathered at onboarding and updated on a cadence tied to customer risk classification, not to a shared calendar. Regulatory intelligence feeds into the risk scoring engine continuously. The audit trail is built in real time — not reconstructed under enforcement pressure.

None of this is a guarantee against regulatory scrutiny. But it closes the specific operational gaps that Finansinspektionen has now documented, publicly, as costing one European bank €13 million.

For a complete picture of what a modern KYC programme should deliver from the ground up, see our KYC guide for 2026.


FAQ

What exactly did Ikano Bank do wrong in its AML programme?

Finansinspektionen found four specific failures: (1) an incomplete product risk assessment that omitted a separate TF exposure analysis for corporate clients; (2) failure to integrate updated ML/TF typologies from Swedish supervisory authorities; (3) inadequate Enhanced Due Diligence — missing purpose of relationship, source of funds, source of wealth, and beneficial ownership data; and (4) failure to incorporate regulatory intelligence into the general risk assessment. The violations were assessed as structural, not isolated.

Why was Ikano Bank fined SEK 140 million specifically?

Swedish law allows Finansinspektionen to impose administrative fines of up to 10% of a credit institution's annual turnover. The SEK 140 million figure reflects Ikano Bank's revenue base and the severity of the violations. The fine was combined with a formal remark; under Swedish supervisory law a remark is the milder formal sanction (a warning being the more severe), and it is the structural nature of the findings, rather than the instrument chosen, that marks the case as systemic.

How does this enforcement action relate to AMLA's 2026 guidelines?

AMLA published draft ongoing monitoring guidelines on 3 June 2026, two weeks before the Ikano Bank decision. Those guidelines address exactly the failures Finansinspektionen identified: how often customer information must be updated, what constitutes a mandatory refresh trigger, and how risk classifications must remain current. The Ikano Bank case is an early enforcement example of what non-compliance with this framework looks like.

What is Enhanced Due Diligence and when must it be applied?

EDD applies to higher-risk customers — typically politically exposed persons, customers from high-risk jurisdictions, non-face-to-face relationships, and business models with elevated ML/TF exposure. EDD requires collecting and verifying the purpose of the business relationship, source of funds, source of wealth, and beneficial ownership. It is not satisfied by collecting some fields and leaving others blank.

Can automated systems satisfy EDD requirements under EU AML law?

Yes. AMLA has adopted a technologically neutral position: what matters is whether the system produces effective identification and escalation of ML/TF risks. Automated EDD systems that collect verified source-of-funds and beneficial ownership data at onboarding, monitor adverse media and PEP databases continuously, and refresh customer records on a risk-based cadence can satisfy the obligation more reliably and more consistently than manual review cycles.

What should compliance teams do immediately in response to this case?

Three practical steps: audit whether your general risk assessment contains separate, documented exposure analyses for each material customer segment (including corporate); confirm that your programme has a defined, time-bound process for receiving and implementing regulatory typology guidance; and verify that your EDD records contain all four required fields — purpose, source of funds, source of wealth, and beneficial ownership — for every higher-risk customer in your portfolio.
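The three audit steps above, together with the trigger-based refresh and risk-tiered cadence described in the automation section, as an added Python example. This is not Joinble's code and not part of the original article; the refresh cadences, the trigger event names and the customer records are constructed assumptions chosen to exercise each check, not values taken from the decision or from AMLA's guidelines.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The four EDD inputs Finansinspektionen found missing (named in the decision).
EDD_FIELDS = ("purpose_of_relationship", "source_of_funds",
              "source_of_wealth", "beneficial_owners")

# Assumed refresh cadence per risk tier, in days. Illustrative values only,
# not taken from the decision or from AMLA's draft guidelines.
REFRESH_CADENCE_DAYS = {"high": 365, "medium": 3 * 365, "low": 5 * 365}

# Assumed set of events that force an out-of-cycle EDD refresh.
TRIGGER_EVENTS = {"ubo_change", "sanctions_hit", "adverse_media", "pep_status_change"}

# Fixed audit date so the run is reproducible (the date of the decision).
AUDIT_DATE = date(2026, 6, 17)


@dataclass
class Customer:
    customer_id: str
    segment: str            # "retail" (natural person) or "corporate" (legal entity)
    risk_tier: str          # "low", "medium" or "high"
    last_review: date
    edd: dict = field(default_factory=dict)     # EDD_FIELDS -> collected value
    events: list = field(default_factory=list)  # events observed since last_review


def required_edd_fields(c: Customer):
    """EDD inputs a higher-risk customer must have on file.

    Beneficial ownership is collected for legal entities; a natural person
    acting on their own behalf has no separate UBO record to gather.
    """
    if c.risk_tier != "high":
        return ()
    if c.segment == "corporate":
        return EDD_FIELDS
    return tuple(f for f in EDD_FIELDS if f != "beneficial_owners")


def missing_edd_fields(c: Customer):
    """Required EDD fields that are absent or blank (None, '' and [] all count as blank)."""
    return [f for f in required_edd_fields(c) if not c.edd.get(f)]


def refresh_reason(c: Customer, today: date):
    """Why a refresh is due now: the tier cadence was exceeded, a trigger fired, or None."""
    if today - c.last_review > timedelta(days=REFRESH_CADENCE_DAYS[c.risk_tier]):
        return "cadence_exceeded"
    for ev in c.events:
        if ev in TRIGGER_EVENTS:
            return f"trigger:{ev}"
    return None


def segments_without_assessment(customers, assessed_segments):
    """Customer segments present in the book but absent from the general risk assessment."""
    present = {c.segment for c in customers}
    return sorted(present - set(assessed_segments))


def audit(customers, assessed_segments, today: date):
    """Return (customer_id, finding, detail) tuples; an empty list means no findings."""
    findings = []
    for seg in segments_without_assessment(customers, assessed_segments):
        findings.append(("*", "segment_not_assessed", seg))
    for c in customers:
        missing = missing_edd_fields(c)
        if missing:
            findings.append((c.customer_id, "incomplete_edd", ",".join(missing)))
        reason = refresh_reason(c, today)
        if reason:
            findings.append((c.customer_id, "refresh_due", reason))
    return findings


# Constructed sample book; none of these are real customers.
SAMPLE_CUSTOMERS = [
    Customer("C001", "retail", "high", date(2025, 9, 1),
             edd={"purpose_of_relationship": "savings", "source_of_funds": "salary",
                  "source_of_wealth": "employment income"}),
    Customer("C002", "corporate", "high", date(2024, 3, 15),
             edd={"purpose_of_relationship": "trade credit line",
                  "source_of_funds": "business revenue",
                  "source_of_wealth": "", "beneficial_owners": []}),
    Customer("C003", "corporate", "medium", date(2025, 1, 10),
             edd={"purpose_of_relationship": "payments"},
             events=["ubo_change"]),
    Customer("C004", "retail", "low", date(2023, 5, 1)),
]

if __name__ == "__main__":
    # The risk assessment on file covers retail only, so the corporate book is flagged.
    for row in audit(SAMPLE_CUSTOMERS, assessed_segments={"retail"}, today=AUDIT_DATE):
        print("%-5s %-22s %s" % row)
```

Run against the constructed book, the audit reports the corporate segment as not assessed (Failure 1), C002 as a high-risk legal entity with source of wealth and beneficial ownership blank and a review older than the high-tier cadence (Failure 3), and C003 as due for an out-of-cycle refresh because its beneficial ownership changed since the last review, while C001 and C004 produce nothing. A blank-but-present field counts as missing; that distinction is the difference between an EDD process that exists on paper and one that holds the inputs regulators check.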
