Finansinspektionen 2026 AML, CFT and Sanctions Priorities: What Nordic Reporting Teams Must Address

Last updated: June 2026

When a supervisor publishes its prioritised risks for the year, it is telling you where its inspectors will look first. The FI 2026 AML priorities are exactly that. Finansinspektionen (FI), the Swedish financial supervisory authority, set them out on 18 June 2026 in its report on prioritised risks related to money laundering, terrorism financing and international sanctions. The document is short. The operational consequence is not. If your firm is subject to FI’s AML/CFT supervision and sits in one of the named sectors, your business-wide risk assessment should explain how the FI priorities and the national risk assessment have been considered, or why your firm has reached a different risk view.

The headline FI sets out is blunt. The latest national risk assessment, published in June 2026, assesses the overall risk level in the financial sector to be higher than it was in the 2020/2021 assessment, driven mainly by a rising threat from organised crime and the deepening integration of crime into legal economic structures. Several sectors that FI supervises are placed at the highest risk level. For the roughly 2,200 entities under FI’s AML/CFT mandate, from global banks to one-person operations, the 2026 FI AML priorities are not abstract. They translate directly into what your business-wide risk assessment, your customer due diligence, your transaction monitoring and your suspicious transaction reporting need to demonstrate this year.

This article walks through what the FI report actually says, where the legal obligations sit in Swedish and EU law, and what reporting teams in banks, payment institutions, electronic money institutions and crypto-asset service providers should check against their own controls. It is written for the person who files, not for the marketing deck.

Related reading: AUSTRAC’s 2026 financial crime risk snapshot and what EU AML teams can take from it

What the FI 2026 AML priorities cover and why the report carries weight

The report is titled Prioritised risks related to money laundering, terrorism financing and international sanctions, dated 18 June 2026, carrying FI reference 26-14962 (id=87ab1d8ed5fe7372, prioritised-risks-related-to-money-laundering-terrorism-financing-and-international-sanctions.pdf). FI publishes this kind of risk identification every year so that it can allocate supervisory resources to where it assesses the risks to be highest. The legal hook is that FI is tasked with controlling whether financial entities comply with the rules designed to stop their misuse for money laundering and terrorism financing, and with checking compliance with UN and EU sanctions.

FI is explicit that several of the 2026 risks repeat risks it identified in previous years. Reporting teams should treat that repetition as continued supervisory focus, not as evidence that the topic is closed.

One detail that teams routinely get wrong is treating a supervisor’s risk-priority report as background reading rather than as an input to their own documentation. FI says directly that it uses information received through firms’ annual periodic AML reporting and the national risk assessment to identify priorities. The flow runs both ways. The data you submit feeds FI’s risk model, and FI’s published priorities should feed back into your business-wide risk assessment under the risk-based approach. If your next risk-assessment refresh does not reference the sectors and typologies FI named, an inspector can reasonably ask why your firm reached a different view of the threat environment than its own regulator did.

The legal basis: Swedish law sitting on an EU framework

The obligations FI supervises are not in the priority report itself. They live in the Swedish Anti-Money Laundering Act, lagen (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism, known in practice as penningtvättslagen. That Act transposes the EU anti-money laundering directives and sets out the core duties: a risk assessment, customer due diligence, ongoing monitoring, record-keeping and the obligation to report suspicions to the Swedish Financial Intelligence Unit. FI supplements the Act with its own regulations, FFFS 2017:11, on measures against money laundering and terrorist financing (source: FI, Rules to prevent money laundering and the financing of terrorism). The criminal-law side of money laundering sits separately in the Money Laundering Offences Act, lagen (2014:307) om straff för penningtvättsbrott.

The framework is mid-transition. The EU’s new directly applicable rulebook, Regulation (EU) 2024/1624 (the AML Regulation, or AMLR), applies from 10 July 2027, and the accompanying Sixth Anti-Money Laundering Directive, Directive (EU) 2024/1640 (AMLD6), must be transposed by Member States by the same date, subject to certain exceptions (sources: EUR-Lex, Regulation (EU) 2024/1624; EUR-Lex, Directive (EU) 2024/1640). That timing matters for how you read the 2026 priorities. FI is supervising against the current Swedish Act now, but the controls it is pushing firms to strengthen this year are the same controls the directly applicable AMLR will harden into a single EU rulebook from July 2027. Building to FI’s 2026 expectations is, in practice, building toward AMLR readiness.

The sanctions side has a recently rewritten Swedish criminal and implementation framework. Directly applicable EU restrictive-measures regulations remain binding in Sweden in their own right, while lagen (2025:327) om internationella sanktioner, the new International Sanctions Act, provides the Swedish framework for sanctions offences and for implementing international sanctions that are not directly applicable in Sweden. The Act entered into force on 10 June 2025 and replaced the older 1996 sanctions act. The sanctions that bind Sweden are decided by the UN or the EU, and FI describes Sweden as bound by around forty sanction regimes spanning both targeted measures against named persons and entities and designated sanctions targeting specific geographical areas. A common error here is to file the old citation. If your sanctions policy still references the 1996 act as the operative Swedish instrument, that is now out of date, and updating the legal references is the kind of housekeeping that should accompany this year’s policy review.

Payment institutions and international transactions: the perennial priority

FI puts payment institutions and other operators offering international transactions at the front of its 2026 priorities. The reasoning is the speed and reach of digital financial services. Fast, digital cross-border payments, sometimes offered without any physical presence, create exactly the conditions criminals exploit. FI points to the national risk assessment for 2023/2024, which addressed neobanks and fast digital services specifically, and to the 2024/2025 assessment, which again flags high risks for both payment institutions and electronic money issuers (id=a239ee25c0058327).

For a reporting team, the practical question is whether your transaction monitoring keeps pace with your own product velocity. The trap FI implicitly describes is a monitoring model calibrated for a slower, account-based world running against a product book of instant, low-friction transfers. Monitoring rules that were adequate when settlement took a day can miss layering that completes in minutes. The regulation requires risk-mitigating measures proportionate to the risk, which means that when you launch a faster or more anonymous product, the monitoring and due-diligence controls around it have to move at the same time, not in a later remediation phase.

Electronic money issuers sit in the same bracket and should not assume that a stored-value or prepaid model carries less scrutiny. FI names entities licensed to issue electronic money explicitly among the highest-risk sectors. If your firm holds an e-money authorisation, the 2026 priorities apply to you with the same force as to a payment institution.

Banks: small and medium-sized institutions, and correspondent relationships

FI’s banking-sector priority has two distinct edges. The first is its continued attention to criminals seeking out small and medium-sized banks. The implicit point is that smaller institutions can present softer controls or less mature monitoring, which makes them attractive entry points. A smaller bank should not read the sector’s largest institutions as the only targets of supervisory concern. FI says the opposite.

The second edge is correspondent relationships, which FI again highlights as a banking-specific risk. In a correspondent relationship, one bank provides services to actors with whom it has no direct business relationship, which means it must rely on the counterparty having effective controls in place. This is where the due-diligence burden is easy to underestimate. The regulation requires enhanced due diligence on correspondent relationships precisely because the respondent’s customers are not your customers and you cannot see them directly. FI’s 2024/2025 national risk assessment lists several routes through which the banking sector is exploited, including corporate accounts, cash withdrawals and digital banking services. A correspondent-banking review that checks the respondent institution but never tests the typologies flowing through the relationship is doing half the job.

What this does not mean is that correspondent banking should be exited wholesale to remove the risk. FI is careful, in the same report, to warn against over-strong measures that off-board customers from the regulated system. The expectation is calibrated control, not retreat.

Crypto-asset service providers: MiCA authorisation does not close the gap

FI assesses trading in crypto-assets as carrying a high risk of money laundering, terrorism financing and sanctions evasion, citing the possibility of anonymity and fast cross-border transactions, and noting that the volume of crypto-asset trading continues to increase. The Swedish Police Authority describes crypto-assets as a prerequisite for darknet drug trafficking and an attractive way for criminals to hide or trade criminal profits (id=a239ee25c0058327).

FI acknowledges that the EU’s Markets in Crypto-Assets Regulation reduces the risk somewhat by requiring authorisation from FI to provide crypto-asset services, which lets FI run an initial assessment of whether an applicant can manage money laundering and terrorism-financing risks. But FI is direct that authorisation does not make the risks disappear. The number of entities FI has licensed is currently low compared with the number of operators serving Swedish consumers from other countries, which limits what FI can do. The point teams misread is that holding a MiCA authorisation discharges the AML obligation. It does not. Authorisation is the entry gate; the ongoing AML/CFT controls, the screening, the monitoring and the reporting, are the standing obligation, and they apply to an authorised crypto-asset service provider on the same terms as to any other obliged entity.

FI adds a Swedish-specific enforcement development that should be on every compliance officer’s radar. As of 1 March 2026, it is a criminal offence in Sweden to conduct financial activities without the necessary authorisation from, or registration with, FI. Offering such services intentionally or through gross negligence can now lead to criminal punishment. FI observes that some crypto-asset traders whose operations would require a licence continue to trade without applying, and that for these operators both risk awareness and the ability to prevent criminal exploitation appear low. This is interpretation worth flagging clearly: the new criminal liability changes the calculus for unlicensed activity, but it does not directly add a reporting line for already-authorised firms. For licensed CASPs, the operational takeaway is to ensure your perimeter assessment is current, so that every service you offer is covered by your authorisation.

Companies as tools of crime and the insider threat

FI treats two risks as cross-sectoral rather than sector-specific. The first is the use of companies and other legal persons as tools of crime. FI describes how businesses across different industries can be combined to meet different money-laundering needs, for example managing large cash flows or routing frequent transactions between business accounts, and how complex transaction chains through business accounts are harder to see through than transactions in personal accounts. Low thresholds for starting, winding down and changing the management of a company impair traceability (id=a239ee25c0058327).

For monitoring teams, the lesson is that corporate-account behaviour deserves scenario coverage that matches its complexity. A monitoring model tuned mainly to retail patterns will struggle with structured corporate layering. Beneficial-ownership verification and ongoing monitoring of changes in control are not a one-time onboarding step here; they are the controls that preserve traceability as a shell or front company changes hands.

The second cross-sectoral risk is insiders, or enablers, meaning people who use their employment or position to assist criminal networks. FI says information from the Financial Intelligence Unit indicates there are employees in the financial sector assisting criminal networks in fraud and money laundering, and references a Swedish National Audit Office report showing that government agencies are also at risk of infiltration. The insider threat is the one that most AML control frameworks address least well, because it sits at the seam between financial-crime controls and internal security, HR screening and access management. FI naming it as a priority is a prompt to check whether your firm’s financial-crime risk assessment actually covers the internal-enabler scenario, or whether it quietly assumes the threat is always external.

Terrorism financing: small sums, fast transfers, high demands

FI keeps terrorism financing on its priority list and frames it as distinct from money laundering. Unlike laundered proceeds, terrorism financing can originate from funds earned legally as well as illegally, and small sums may be enough to enable an attack. Assets can be collected and transferred quickly, simply and cheaply, and the financier needs no special capability, though international contacts matter for moving the money to its destination. FI states that the sectors where terrorism-financing risk is highest are banks and several types of payment institutions, and that crypto-asset trading is also an area of particularly high terrorism-financing risk (id=784efb215bec9013).

FI also gives the current threat-level context. The Swedish Security Service continues to assess Sweden as a legitimate target for terrorist attacks. The terror threat level was lowered in May 2025 from level four to level three on a five-point scale, moving from high to elevated, but FI stresses the threat is still assessed as serious, with an increased risk of attacks by individual perpetrators with Islamist or right-wing extremist motives. Getting that detail right matters: the level came down, the concern did not. Describing the threat as resolved because the number changed would misstate FI’s own position.

The operational difficulty with terrorism financing is that small-value, legitimate-source transactions are exactly what most monitoring models are designed not to alert on. That is the point FI is making when it says the work places high demands on firms. Detecting terrorism financing is less about transaction size and more about network, destination and context, which is why screening against designated-persons lists and attention to high-risk geographies carry disproportionate weight in this risk area.

International sanctions: screening effectiveness under scrutiny

The sanctions priority is shaped by Russia’s full-scale invasion of Ukraine, ongoing since 2022, which has driven the EU to expand both the number and scope of targeted financial sanctions. FI cites the Sanctions Cooperation Council’s status report indicating that while direct exports from Sweden to Russia have fallen sharply, significant indirect exports likely continue in ways that may be criminal. The Swedish Economic Crime Authority assesses that sanctions violations and money laundering are, to some extent, carried out by the same actors using complex international corporate structures to hide their real business partners (id=784efb215bec9013).

The finding that should concentrate minds is from FI’s own 2024 thematic review of the sanctions area: FI’s 2024 thematic review found that banks in general could increase the effectiveness of automated sanctions-screening systems and that some banks have room to improve; screening tuning and alert handling should therefore be treated as likely supervisory focus areas in 2026. When a supervisor names a control as underperforming sector-wide and then keeps the area on its priority list, the screening tuning, the list-management process and the alert-handling workflow are all fair game for the next inspection. The common error FI is pointing at is treating sanctions screening as a procurement decision that ends when the system is installed. Screening effectiveness is an ongoing calibration exercise, measured by whether the system actually catches what it should against current lists, not by whether a tool is in place.

For Swedish firms, the sanctions obligation has two layers worth keeping distinct. The directly applicable EU restrictive-measures regulations bind you regardless of national law, and the Swedish International Sanctions Act, lagen (2025:327), provides the domestic framework and the criminal-law backstop. FI is one of several Swedish authorities responsible for implementation and supervises financial entities’ compliance with UN and EU sanctions. Practitioners outside Sweden tracking parallel measures may find our explainer on a recent EU sanctions instrument a useful comparison point: see our coverage of Council Regulation (EU) 2026/1164 and its sanctions reporting touchpoints.

The de-risking trap FI explicitly warns against

One of the most useful parts of the FI report is the warning it puts up front, because it cuts against the instinct a risk-priority list might otherwise trigger. FI states that anti-money laundering rules are risk-based, so higher risks call for stronger measures, but it then cautions that overly strong measures can have undesirable and serious consequences. The example FI gives is the customer’s right to a payment account. An increased money-laundering risk does not automatically mean an account or service should be denied or terminated. Instead, firms need to make an individual assessment based on the customer’s circumstances and take sufficient risk-reducing measures. Otherwise customers are off-boarded from the regulated system, which runs against the purpose of the rules (id=87ab1d8ed5fe7372).

This is the de-risking problem, and FI is signalling that blanket exits are not the compliant response to elevated risk. The supervisory expectation is calibration, not avoidance. A firm that responds to the 2026 priorities by terminating whole customer segments may find it has traded an AML finding for a different supervisory problem around access to basic payment services. The same tension is live across the EU. Practitioners managing this balance will recognise the issue from our analysis of the CSSF’s communication on de-risking and ML/FT risk management, where the supervisor likewise pushed back on wholesale off-boarding.

How AMLA and the cooperation network change the supervisory picture

FI does not supervise in isolation, and the 2026 report makes the network visible. Domestically, FI works with the Financial Intelligence Unit, the Swedish Economic Crime Authority, the Swedish Gambling Authority and the Swedish Tax Agency, and within the Coordinating Function to Combat Money Laundering and Terrorism Financing and the Sanctions Cooperation Council. The national risk assessment FI relies on is itself issued by the Coordination Function, a collaboration described as involving sixteen authorities and the Swedish Bar Association (id=87ab1d8ed5fe7372).

Internationally, FI singles out its work with AMLA, the EU’s Authority for Anti-Money Laundering and Countering the Financing of Terrorism, established under Regulation (EU) 2024/1620 and operationalised in 2025. FI also references the Nordic-Baltic Working Group against Money Laundering, the International Monetary Fund, participation in around eighty AML colleges for institutions operating across several EU/EEA jurisdictions, and the FATF. AMLA is the structural change to watch. It launched a data-collection and testing exercise in March 2026 to calibrate the risk-assessment models that will inform the 2027 selection of up to forty entities for AMLA’s direct supervision, which starts in 2028 (id=205e000e5435555e, amla.europa.eu data collection exercise). For the largest cross-border Swedish and Nordic groups, the supervisory relationship may shift from FI alone to a joint footing with AMLA before the decade is out. Teams that want the mechanics of how entities are identified for that direct-supervision tier can read our explainer on which obliged entities face direct AMLA supervision, which sets out the selection logic that applies across Member States, not only in Luxembourg.

What reporting teams should actually check this year

Translated into a worklist, the FI 2026 priorities point at a handful of concrete checks. First, refresh the business-wide risk assessment so it explicitly addresses the sectors and typologies FI named, and document why your firm’s view aligns with, or justifiably differs from, the national risk assessment. Second, test whether transaction monitoring keeps pace with the speed and anonymity of your actual product set, especially for instant and cross-border payments. Third, for correspondent relationships, confirm that enhanced due diligence reaches the typologies flowing through the relationship and not just the respondent institution’s paperwork. Fourth, for crypto-asset service providers, confirm that the perimeter of your authorisation covers every service you actually offer. Fifth, run a genuine effectiveness check on sanctions screening, measured against current lists and live alerts, not against the existence of a system. Sixth, make sure the insider and corporate-vehicle scenarios are present in the risk assessment, because they are the ones most often missing.

Most of these checks map to existing AML/CFT obligations under penningtvättslagen and FFFS 2017:11, including business-wide risk assessment, CDD, monitoring and suspicion reporting. Sanctions screening must also be mapped to directly applicable EU restrictive-measures regulations and Sweden’s International Sanctions Act, while CASP authorisation perimeter checks should be mapped to MiCA and the relevant Swedish authorisation rules. The FI report indicates which risk areas FI will prioritise in 2026 supervision.

Frequently Asked Questions

Is FI’s prioritised-risks report legally binding on Swedish firms?

The report itself is not a binding rule. It is FI’s annual statement of where it will focus supervision. The binding obligations sit in the Swedish Anti-Money Laundering Act, lagen (2017:630), FI’s regulations FFFS 2017:11, and the directly applicable EU sanctions regulations. The report tells you how FI intends to apply and enforce those existing obligations during 2026.

Which sectors does FI place at the highest AML/CFT risk for 2026?

FI names payment institutions and other operators offering international transactions, banks (with particular attention to small and medium-sized banks and to correspondent relationships), electronic money issuers, and crypto-asset service providers. It also identifies two cross-sectoral risks: companies used as tools of crime, and insiders or enablers within financial entities.

Does holding a MiCA authorisation from FI satisfy a crypto firm’s AML obligations?

No. FI is explicit that the authorisation requirement reduces risk by enabling an initial assessment but does not make the money-laundering, terrorism-financing and sanctions-evasion risks disappear. An authorised crypto-asset service provider remains subject to the full set of ongoing AML/CFT controls, including customer due diligence, monitoring, screening and reporting suspicions to the Financial Intelligence Unit.

Where do Swedish firms report suspicious transactions?

Suspicions are reported to the Swedish Financial Intelligence Unit, which sits within the Swedish Police Authority. The duty to report suspicions is set out in the Anti-Money Laundering Act. FI is the supervisor that checks compliance with that duty; it is not the recipient of suspicious transaction reports.

What is the current Swedish legal basis for international financial sanctions?

The current basis is lagen (2025:327) om internationella sanktioner, the International Sanctions Act, which entered into force on 10 June 2025 and replaced the older 1996 sanctions act. It operates alongside the directly applicable EU restrictive-measures regulations, which bind Swedish firms regardless of national law.

How does the new EU AML Regulation affect what FI expects in 2026?

Regulation (EU) 2024/1624, the AML Regulation, applies from 10 July 2027, and the Sixth Anti-Money Laundering Directive must be transposed by the same date. FI supervises against the current Swedish Act now, but the controls it is pushing firms to strengthen in 2026 are broadly the controls the AMLR will harden into a single EU rulebook. Building to FI’s 2026 expectations supports AMLR readiness.

Does an elevated money-laundering risk mean a firm should close the customer’s account?

Not automatically. FI warns against overly strong measures and stresses that an increased risk does not by itself justify denying or terminating an account. The expectation is an individual assessment of the customer’s circumstances and sufficient risk-reducing measures, so that customers are not off-boarded from the regulated financial system.

Related Articles

• AUSTRAC 2026 Financial Crime Risk Snapshot – How Australia’s financial intelligence regulator frames its annual risk priorities and what EU AML teams can learn from the comparison.
• FCA Financial Crime Speech June 2026 – The UK regulator’s latest financial-crime supervisory priorities and their reporting implications for regulated firms.
• CSSF De-Risking and ML/FT Risk Management – How Luxembourg’s supervisor addresses the de-risking and off-boarding tension that FI also flags.
• AMLA Direct Supervision and Eligible Entities – The selection logic for the EU entities that will move to AMLA’s direct supervision from 2028.
• Council Regulation (EU) 2026/1164 Iran Sanctions – A worked example of an EU restrictive-measures instrument and its screening and reporting touchpoints.
• Riksbank Cross-Currency Instant Payments – The Swedish payments-infrastructure backdrop against which instant cross-border transaction risks are evolving.

Key Takeaways

• FI published its 2026 prioritised-risks report on 18 June 2026 (FI Ref. 26-14962), assessing the financial sector’s overall AML/CFT risk as higher than in 2020/2021, driven by organised crime.
• The named priority sectors are payment institutions and international-transaction operators, banks (small and medium-sized institutions plus correspondent relationships), electronic money issuers, and crypto-asset service providers.
• Two cross-sectoral risks stand out: companies used as tools of crime, and insiders or enablers inside financial firms, the scenario most risk assessments cover least well.
• A MiCA authorisation from FI does not discharge a crypto firm’s AML obligations; ongoing due diligence, monitoring, screening and reporting still apply in full.
• FI’s 2024 thematic review found that banks in general could increase the effectiveness of automated sanctions-screening systems and that some banks have room to improve; screening tuning and alert handling should be treated as likely supervisory focus areas in 2026.
• FI explicitly warns against de-risking: elevated risk does not justify automatic account closure, and wholesale off-boarding runs against the purpose of the rules.
• The obligations sit in penningtvättslagen (2017:630), FFFS 2017:11, and the International Sanctions Act (2025:327); the directly applicable EU AML Regulation (EU) 2024/1624 applies from 10 July 2027.
• AMLA’s March 2026 data-collection exercise feeds a 2027 selection of up to forty entities for direct supervision from 2028, reshaping the supervisory picture for the largest Nordic groups.

Sources and References

• Finansinspektionen, Report: Prioritised risks related to money laundering, terrorism financing and international sanctions, 18 June 2026, FI Ref. 26-14962: fi.se (PDF) and the publication page: fi.se report page
• Finansinspektionen, Rules to prevent money laundering and the financing of terrorism (citing lagen 2017:630, lagen 2014:307, FFFS 2017:11, and the EU AML framework): fi.se
• Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism (the Swedish Anti-Money Laundering Act), consolidated text, Sveriges riksdag: riksdagen.se
• Lag (2025:327) om internationella sanktioner (the Swedish International Sanctions Act, in force 10 June 2025), Sveriges riksdag: riksdagen.se
• Regulation (EU) 2024/1624 of the European Parliament and of the Council (the AML Regulation, applicable from 10 July 2027), EUR-Lex: eur-lex.europa.eu
• Directive (EU) 2024/1640 (the Sixth Anti-Money Laundering Directive, transposition by 10 July 2027), EUR-Lex: eur-lex.europa.eu
• AMLA, “AMLA launches data collection exercise to test risk assessment models” (16 March 2026; selection of up to 40 entities in 2027, direct supervision from 2028): amla.europa.eu
• Finansinspektionen, Internationella sanktioner (FI’s role in implementing UN and EU financial sanctions): fi.se

Reading FI’s priorities before the inspector does

The value of an annual risk-priority report is entirely in the timing. FI has told the Swedish financial sector, in advance, where its supervisory attention will sit in 2026 and why. The firms that benefit are the ones that treat the document as an input to their next risk-assessment refresh and their next control review, rather than as a press release to be filed. Read against your own monitoring rules, your correspondent-banking files, your screening calibration and your authorisation perimeter, the report is a fairly precise map of the questions you will be asked. The practical benefit is timing: firms can address the FI priorities before they are tested in supervision.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.