Finansinspektionen Increases Scrutiny on AML/CFT — Are Your Models Properly Validated?

Introduction

As a result of the increasing digitalisation of banking and payments, both the opportunities for and the requirements on operators to prevent money laundering and terrorist financing (AML/CFT) are becoming more sophisticated. According to the Act (2017:630) on anti-money laundering and countering the financing of terrorism, operators are required to continuously monitor ongoing business relationships and to scrutinise and assess individual transactions in order to identify activities that may be suspected of constituting money laundering or terrorist financing. Thus, as the number of transactions increases, it becomes increasingly important for operators to use appropriate and risk-based monitoring models to fulfil these requirements. The large amount of data that such models need to handle, combined with a more comprehensive and detailed regulatory framework in recent years, has contributed to the increasing relevance of quantitative methods for model development and validation.

Regulatory Framework

At EU level, measures against money laundering and terrorist financing are regulated by the Fourth Money Laundering Directive, (EU) 2015/849, which in Sweden has been implemented through the Act (2017:630) on measures to combat money laundering and terrorist financing and Finansinspektionen's regulations on measures to combat money laundering and terrorist financing (FFFS 2017:11).

The regulatory framework requires operators to conduct a business-wide risk assessment of how the products and services provided in the business may be used for money laundering or terrorist financing. This assessment must be regularly evaluated and, where necessary, updated to ensure that it continues to reflect the actual risk exposure of the business. Based on the risk assessment, operators must conduct continuous monitoring of business relationships and assess individual transactions in order to identify unusual or suspicious activity. In practice, due to the large number of customers and transactions that often occur in the business, it is necessary to use automated models for this monitoring.

Requirements for Models

To be fit for purpose, a model used for monitoring business relationships and transactions should:

  • Be subject to established validation and quality assurance procedures prior to the implementation of the model and in case of significant changes.
  • Be risk-based and based on the operator's business-wide risk assessment, taking into account all identified relevant risks.
  • Consider customer due diligence (CDD), including the customer’s risk profile.
  • Be designed to identify anomalous or suspicious activities and transactions.
  • Take into account the customer's historical transaction patterns as well as the customer's behaviour in relation to other customers within the same customer segment.
  • Be subject to documented procedures and guidelines for monitoring and the handling of alerts.
  • Be subject to model risk management procedures, including clear allocation of responsibilities and internal controls.
  • Be documented with regard to underlying assumptions, methodology and possible limitations.

Validation of Models

Models or other procedures for risk assessment, risk classification, transaction monitoring or similar purposes shall be validated prior to their implementation and in case of significant changes. The purpose of the validation is to quality-assure the model and to ensure that it is fit for purpose and designed to adequately address the risks identified in the business-wide risk assessment.

As monitoring models should be based on and take into account all relevant risks identified in the business-wide risk assessment, they also need to be validated on an ongoing basis and, where necessary, updated as the risk assessment evolves and changes over time. At the same time, the monitoring requirements and associated methodologies should be applied in accordance with the principle of proportionality, meaning that their design, complexity and scope should be proportionate to the size, nature and risk exposure of the operator. For operators with lower identified risk, simpler solutions may be sufficient, while organisations with high transaction volumes or higher risk exposure will normally need more advanced and resource-intensive solutions.

Shortcomings in model validation and related governance have also been recognised by the Swedish Financial Supervisory Authority (FI) in its supervision. In February 2026, FI published its supervisory priorities for the year, with financial crime, including AML/CFT, being a key focus area. At the same time, in recent years several operators have been subject to sanctions in the AML/CFT area as a result of inadequate risk management procedures, deficiencies in ongoing monitoring and lack of model validation. This emphasises the importance of ensuring that monitoring models are not only appropriately designed, but also regularly reviewed, documented and monitored in practice.

Support with AML Models

The AML regulatory framework does not explicitly specify who, or which function within the operator, is responsible for model validation. The Swedish Anti-Money Laundering Institute (SIMPT) states in its guidance on modelling risk management (p. 18) that, as highlighted in other industry guidance, it is good practice to separate validation responsibilities organisationally from the functions that develop, implement or use the model.

Developments in the field of money laundering are moving towards increasingly data-driven and quantitative methods for risk assessment and transaction monitoring. At the same time, there is an increasing demand for these models to be well documented and subject to structured and independent validation. For operators, this implies a need for both technical expertise and deep regulatory understanding. In this respect, monitoring models are fundamentally similar to other quantitative risk models, an area where NFC has extensive experience in both development and validation.

NFC offers end-to-end solutions in risk modelling and model validation, with particular expertise in quantitative models dealing with large amounts of data. We can support organisations throughout the model lifecycle, from development and implementation to validation, backtesting and adaptation to new regulatory requirements. Read more about our risk modelling and model validation services or contact us if you want to strengthen your work on anti-money laundering models or ensure that your solutions are fit for purpose and robust from a regulatory perspective.
