Sanctions Controls Under Strain as Finland’s Regulator Targets Payment Providers

Key Takeaways

• Risk Exposure Steady: The FIN-FSA found no notable change in overall sanctions risk exposure across supervised sectors.
• High Exposure in Cross-Border Payments: Payment institutions, registered payment service providers and crypto-asset service providers remain in higher-risk categories due to the nature of their activities.
• Controls Strengthened in Some Sectors: Insurance companies and authorised fund management firms have shown positive development in aligning controls with Regulations and Guidelines 4/2023.
• Screening Deficiencies Identified: In the payment services sector, weaknesses are concentrated in customer and transaction screening processes.

Deep Dive

In a recent supervision release, Finland's Financial Supervisory Authority (FIN-FSA) published a summary of its updated sanctions risk assessment covering sectors supervised under the Anti-Money Laundering Act. The previous summary was issued in autumn 2024.

The assessment does not attempt to measure which sectors are most likely to breach sanctions. Instead, it evaluates whether the policies, procedures and internal controls in place are adequate in light of each sector’s sanctions risk exposure, particularly compliance with sanctions regulations and national freezing orders.

The regulator’s core conclusion is that overall sanctions risk exposure has not materially changed since the previous assessment.

But the areas of highest exposure remain clear. Sectors that facilitate quick and seamless cross-border transfers continue to sit in the higher-risk category. This includes credit and payment institutions offering international payment services, registered payment service providers and crypto-asset service providers.

The logic is straightforward. Where funds can move rapidly across borders, the risk environment is inherently more complex. That does not mean these firms are violating sanctions (the FIN-FSA explicitly notes that the assessment does not evaluate the likelihood of breaches) but it does mean their controls must be proportionately strong.

A Test of Post-Guideline Progress

The update focuses heavily on whether supervised entities have strengthened their controls since the FIN-FSA’s Regulations and Guidelines 4/2023 on customer due diligence related to compliance with sanctions regulations and national freezing orders came into force on 1 March 2024.

The original risk assessment relied on data from 2023. The updated version draws on information reported for 2024, along with supervisory findings from 2024 and 2025. In other words, this is the regulator’s first meaningful check-in on how firms responded after the new guidance became binding.

There are signs of progress. The most positive developments have occurred in the insurance sector and among authorised fund management companies, including UCITS and AIF managers. Entities in these sectors have reported that they have largely arranged their controls to meet the minimum requirements set out in law and in the FIN-FSA’s regulations.

That alignment, at least at the level of minimum compliance, marks a shift from the baseline observed in the earlier assessment.

Payment Sector Still Falling Short

The tone changes when it comes to payment services.

According to the updated assessment, development of controls in the payment services sector has not been sufficient when viewed against the sector’s sanctions risk exposure. Given the speed and cross-border nature of payment services, this gap carries particular supervisory weight.

The FIN-FSA points specifically to deficiencies in customer and transaction screening, controls that are central to preventing sanctioned individuals or entities from accessing the financial system. In sectors built on high transaction volumes and near-instant transfers, weaknesses in screening frameworks are not peripheral issues; they sit at the core of sanctions compliance.

Targeted Supervision Ahead

The purpose of the sanctions risk assessment is to support the FIN-FSA’s risk-based supervision of compliance with obligations set out in Chapter 3, Section 16 of the Anti-Money Laundering Act.

Based on the updated findings, supervisory measures will now be targeted toward sectors where the level of controls is considered insufficient relative to sanctions risk exposure.

While overall exposure has not shifted, the regulator notes that sanctions regulations continue to evolve and that new observations related to sanctions evasion have been taken into account in the update. The message is less about new categories of risk emerging and more about ensuring that control environments keep pace with a sanctions landscape that remains politically and operationally sensitive.

For payment institutions and crypto-asset service providers in particular, the assessment reads as a signal that scrutiny will intensify—not because risk exposure has increased, but because control development has not kept up with it.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.