The Most Common KYC/AML Violations: What Swedish Firms Get Wrong and How to Avoid It
In recent years, Swedish regulators have sounded the alarm about widespread shortcomings in companies’ anti-money laundering (AML) efforts. Since 2020, County Administrative Boards (Länsstyrelserna) have handed out over 70 million SEK in combined fines to roughly 100 businesses for AML compliance failures – and more than half of those penalized are accounting and audit firms. The most frequent violations involve basic requirements that fell through the cracks, from missing risk assessments to insufficient customer due diligence documentation.
For an accounting firm or consultant covered by Sweden’s AML regulations, these mistakes can be costly both financially and reputation-wise. The good news is that most common violations are preventable with the right awareness, routines, and tools. Below, we break down the top KYC/AML pitfalls seen among Swedish companies, why they happen, real examples of consequences – and practical advice on how to ensure your organization doesn’t fall into the same traps.
Inadequate General Risk Assessment
A thorough business-wide risk assessment is the foundation of any AML program – an overarching analysis of how and to what degree your firm could be exploited for money laundering or terrorist financing. Yet many firms lack a documented risk assessment entirely or have a version that is incomplete and outdated. If your firm doesn’t identify and analyze all relevant risk factors (such as your services, types of clients, delivery channels, and geographical exposure), you have no compass for guiding the rest of your anti-money laundering measures.
Why does this happen? Small and mid-sized companies often underestimate their own risk – “we just deal with regular clients” – and postpone doing the risk assessment. Sometimes there’s a lack of know-how or time, and people aren’t sure how to proceed, so the task never gets properly done or ends up too generic to be useful.
Consequences: Regulators take this very seriously. For example, in 2024 a major accounting firm, Aspia, was fined 4 million SEK for shortcomings in its general risk assessment. Without a solid risk assessment, your entire AML program may be deemed insufficient, leading to hefty fines or even orders to cease operations in severe cases.
Make it a priority: Dedicate time and resources to perform a thorough general risk assessment at least annually. Involve key people at your firm and use guidance from authorities or industry templates to structure it.
Cover all risk factors: Systematically review the services you offer, the types of clients you serve, how you engage clients (e.g. online or in person), and the markets or countries you operate in. Document how each factor could be misused for money laundering and how likely that is.
Keep it up to date: Treat the risk assessment as a living document. Update it whenever your business or the risk environment changes, and revisit it at least yearly to keep it current.
Lack of Clear Internal Policies and Procedures
Another common violation is not having written internal routines and guidelines for AML work, or having documentation that is superficial and insufficient. The law requires that you establish tailored procedures for customer due diligence, risk classification of clients, detecting and reporting suspicions, and more. Without clear instructions, staff may act inconsistently or miss critical steps.
Why does this happen? Smaller firms might assume “common sense” is enough or that informal understandings within the team will do. In some cases, a template policy is copied verbatim but never customized to the firm’s actual operations. The result is a document that gathers dust and isn’t followed in practice.
Consequences: Regulatory audits often find that a firm’s written procedures are inadequate or not being followed. That can trigger warnings or fines even if no actual money laundering incident is detected. It also increases the chance that real red flags will slip through day-to-day operations due to lack of guidance.
Document your processes: Based on your general risk assessment, write down step-by-step how your firm performs KYC – from ID verification to when a suspicious matter should be escalated. Use plain language that everyone can understand.
Tailor it to your business: Ensure the guidelines reflect your specific services and risk areas. If you mostly handle Swedish small businesses, focus on the scenarios relevant to them, for example.
Train and enforce: Go over the procedures with your staff so everyone knows the playbook. Also, perform occasional spot-checks or internal audits to confirm the routines are being followed, and update them as needed.
Incomplete Customer Due Diligence (KYC)
Customer due diligence (CDD) – known as kundkännedom in Swedish – means knowing your client well enough to detect anomalies and assess risk. Many companies fall short here. Common lapses include not properly verifying the customer’s identity, failing to determine the beneficial owner (the real person(s) ultimately behind a company), or neglecting to check the client against sanctions lists and PEP lists (Politically Exposed Persons). Some firms even continue business relationships without having obtained complete KYC information – which is against the law.
Why does this happen? Often it comes down to time pressure or a desire not to inconvenience the client. You might “know” the client from before and skip formal checks, or assume that a small local client can’t possibly pose a risk. In some cases there’s a lack of good tools to streamline these checks, so staff hesitate to perform steps like PEP screening because it feels cumbersome.
Consequences: Poor CDD is dangerous because it means criminals could exploit your firm under the radar. If you fail to notice that a client is high-risk, a PEP, or even on a sanctions list, the fallout can be severe. The authorities can impose harsh penalties; in one case, a company was found to have met “almost none” of the AML requirements – resulting in a markedly increased risk of being used for money laundering. That firm was fined accordingly.
Follow the full KYC process: Collect and verify identification documents for every new client (using BankID or similar electronic ID can make this easier). Always identify and record the client’s beneficial owners as well.
Screen for PEPs and sanctions: Incorporate checks against up-to-date PEP and sanctions databases during onboarding. This can be automated with digital tools so that no potential match is overlooked.
Don’t proceed without complete info: If a client doesn’t provide all required information or something doesn’t add up, do not start or continue the business relationship. It’s better to walk away than to risk breaking the law.
No Ongoing Monitoring of Clients
Performing KYC isn’t a one-and-done task. Ongoing monitoring means continuously overseeing the business relationship and updating client information as needed. Many firms fail in this area by never revisiting a client once they’re onboarded. A client’s activities or risk profile may change over time – but the firm won’t catch it if no one is responsible for periodic reviews.
Why does this happen? It’s easy to adopt an “if it isn’t broke, don’t fix it” mindset and focus on other work as long as the client seems routine. Without automated systems, manually monitoring every client is time-consuming. There may also be a knowledge gap – some might not realize that the law mandates keeping customer due diligence data up to date on an ongoing basis.
Consequences: Without monitoring, important warning signs can be missed. For example, a client might suddenly start making large atypical transactions or quietly change owners. If the firm doesn’t notice, there’s no re-assessment of risk and no suspicious activity report filed with the police. During an inspection, lack of ongoing oversight will be viewed as a serious deficiency and can contribute to enforcement action.
Schedule periodic reviews: Set review intervals for clients based on their risk level (e.g. high-risk clients annually, low-risk every 2–3 years). Use calendar or system reminders so these reviews aren’t forgotten.
Watch transaction activity: If you handle client funds or see their financial transactions, stay alert for unusual patterns. Define what would trigger a closer look – such as sudden large international transfers – and investigate when those occur.
Keep information current: Ask clients to inform you of any significant changes (new owners, new lines of business, etc.). Update your documentation and risk assessment when changes happen or at the regular review cycle.
Failing to Report Suspicious Activities
All businesses subject to AML laws are required to report suspicious activities and transactions to the police (Financial Intelligence Unit). Despite this, many accounting consultants have never filed a single suspicious transaction report – sometimes because they truly never encounter anything suspicious, but other times because warning signs go unnoticed or people hesitate to act. Fear of being wrong, loyalty to the client, or uncertainty about how to file can lead to this obligation being overlooked.
Why does this happen? In addition to the above reasons, lack of training can mean staff simply don’t recognize red flags for money laundering. Some may think they need solid proof of a crime to report, when in fact a reasonable suspicion is enough. Technical barriers like unfamiliarity with the online reporting portal (goAML) can also discourage timely reporting.
Consequences: Failing to report is serious. If it comes to light that your firm ignored clear signs and didn’t raise the alarm, you could face regulatory action, fines, or even personal liability. Beyond that, you miss the opportunity to help prevent crime – after all, the whole point of the law is to ensure information reaches authorities in time.
Set clear internal procedures: Define how to handle potential suspicions: who on your team should be informed, how to evaluate the situation, and who is responsible for submitting the actual report via goAML.
Train on red flags: Ensure everyone on the team has basic training on common warning signs of money laundering in your industry. The earlier you spot something fishy, the better.
When in doubt, report: Do not hesitate to file a report “just in case.” You have nothing to lose by reporting in good faith – but a lot to lose if a suspicious activity goes unreported and later implicates your firm.
In summary, these common missteps show that AML/KYC compliance needs to be a proactive, ongoing effort at your firm. By building strong routines, keeping knowledge up to date, and leveraging smart tools, you can save time and avoid costly setbacks. No firm is “too small” to be used for money laundering, and regulators expect even smaller practitioners to know their risks and manage them.
Next Steps: Make sure your firm doesn’t make these mistakes. Consider modernizing your KYC processes with automated solutions – for example, by letting Qapla handle routine checks and monitoring for you. If you want to see how this works in practice, book a free demo with Qapla today. That way, you can stay confident that you’re meeting compliance requirements while freeing up time to focus on your core business.