Account of the case

In April 2024, the customer approached the bank and wanted to deposit cash worth approximately 8,000 euros. The customer stated that it was his personal savings that had accumulated over the years and that he had transferred funds to his friend in rubles, and the friend had withdrawn them in euros. In addition, the customer provided his bank statement from a Russian bank as clarification. The bank refused to accept the funds because the source of the funds could not be verified based on the bank statement alone, as the funds had passed through a third party.

Between April 1 and July 4, 2024, the customer made cash deposits at an ATM. In August 2024, the bank contacted the customer and found out that they were the same funds that had been refused in April. The bank refused to accept the deposit of these funds into his account.

The customer’s complaint

In April the customer was able to finally withdraw his savings from his Russian account, which had to be in cash due to current limitations. He contacted the bank right away, saying that he wanted to deposit the money with them, and he was ready to provide whatever documentation he could. He was requested to provide account statements, and he did. They were in Russian, though, and obviously they can't show direct link to the cash. He was denied possibility to deposit everything at once, but he was not prohibited from depositing monthly within the standard 1,000 euros limit, which he started doing.

In August he was contacted by the bank asking about those deposits and asking for clarification of the source (now asking for it in English, which is not even a requirement as per contract). He was denied from depositing anything else ever, unless he provides documents proving the source of funds (which is not possible for cash in his situation).

Banks are obliged to hold a transaction or otherwise block the funds and report suspicious activity, not deny service right away. The bank didn’t ask for any extra information that might have cleared the issue, but they just said a hard no. He may not have been able to give them anything extra, but they did not even ask for anything else.

The customer wants his deposit services to be re-enabled – even though he has already sent the remainder of the money to his girlfriend in Ukraine through Western Union.

The customer has made the following demands:

1. The bank unblocks cash deposit service for him, unless he needs to deposit another large sum of money without any evidence of where the money came from.
2. The bank makes it clear in the app and on the website what services are limited for the client (not just for him, but for all clients).
3. The bank updates the general terms of the service to require clear, logical, and specific reasoning to be provided to the client, in case a service is denied, transaction is blocked, a sum of money is withheld and other similar issues.
4. The bank will clearly state in terms of service that evidence related to transactions' history from 3rd parties doesn’t need to be translated to Finnish/Swedish/English, unless the evidence is a legal contract with complex terms and liabilities described in it. Even if such document is not translated, lack of translation doesn’t mean that the document is disregarded (since translation tools exist), but rather its weight in overall assessment may be lowered proportionally due to potential discrepancies in translation by automated tools.
5. The bank will update the terms of service and their system(s) to allow voluntarily restrictions on sums that they may deem "risky" even after all information is provided. Based on evidence provided, the sum, transactional history and the like, it will be possible to suggest client to process transaction but put the "problematic" sum on a separate account (can be an investment account with profits split between the bank and the customer), that would not allow withdrawal of the money until the agreed date. Once the date passes, the money is automatically returned to the main account of the customer.
6. After points 3, 4, and 5 (and ideally 2) are implemented, retrospectively review all currently blocked services (not individual transactions) for all active clients. Depending on the volume of such blocked services, review may be limited to some reasonable time, for example last five years. Those blocks that contradict new terms of services should be lifted.

The bank’s reply

In August 2024, when the bank inquired from the customer about the deposits that he had made, the customer stated that he had no other clarification of the source of the funds besides the bank statement he had provided earlier. The bank informed the customer that he could not deposit the funds into his account and that if he wanted to make cash deposits in the future, he would need to provide comprehensive clarification of the source of the funds.

However, the customer’s services were never restricted nor were cash deposits categorically refused. The customer was clearly informed that the deposit of these funds was prohibited, as evidenced by the correspondence with the customer via online messaging. The customer was also informed that if he continued to make cash deposits at the ATM, his banking services could be restricted or ultimately terminated if sufficient clarification was not provided in advance or upon request.

According to Section 3:3.2 (8) of the Act on Preventing Money Laundering and Terrorist Financing (hereinafter referred to as the AML act), information of the source of funds is one of the customer due diligence data. In addition, according to Section 3:4 of the AML act, the obliged entity must pay particular attention to unusual transactions and, if necessary, investigate the source of the funds related to the transaction. According to Section 3:1 of the AML act, if the obligated entity is unable to carry out the due diligence measures, it may not conclude a trans-action or maintain a business relationship.

According to Section 14 of the Financial Supervisory Authority's Regulation and Guidelines Collection (MOK 2/2023, p. 70 of the version in English), in circumstances where a customer fails to provide adequate customer due diligence data, the supervised entity shall primarily restrict services (for example by blocking a payment instrument or restricting the incoming and/or outgoing payments of the customer).

The bank did not receive sufficient clarification from the customer to verify the source of the funds, and the customer informed the bank that he could not provide any further documentation. Based on this, the bank refused to accept the funds and instructed the customer to provide documentation of the source of the funds if he intended to deposit other cash funds in the future. The bank did not restrict the customer's services but refused a single transaction due to regulatory obligations. The bank has complied with the regulatory obligations and could not have fulfilled them differently.

Reports

In addition to the communications between the parties, the Banking Complaints Board was provided with the following documents:

The customer has given a clarification of the source or intended use of private customer funds about the deposit of 8,150 euros. It states:

“From personal saving account in Rosbank. Conversion done through a friend: I sent rubles to him, he withdrew euros from his account. Money were accumulated over the years, with a percentage transferred recently from account of my late grandmother. Purpose is to partially use as cash buffer and partially invest (most likely mutual funds).”

Messages between the customer and the bank between 20 August and 13 September 2024 about clarification of the cash deposits. The bank had noticed unusual transactions in the customer’s account and asked for clarification. The bank also requested copies of the documents stating the origin of funds, in English, Swedish, or Finnish. Documents must be translated by an official translator. The customer replied that the deposits were from his savings from Russia and that he could not provide any other documents than the statement that he had shared earlier.

Additionally, the general terms of the account agreement have been provided in the matter.

Resolution recommendation

Formulation of the question

In order to resolve the dispute between the parties, the Banking Complaints Board must assess whether or not the bank had the right to decline the customer’s cash deposit on the basis of the information it had received from the customer. Furthermore, the Board must assess whether or not the bank has unnecessarily restricted the customer’s cash deposits.

The applicable norms of law

According to Laki rahanpesun ja terrorismin rahoittamisen estämisestä (444/2017, Act on Preventing Money Laundering and Terrorist Financing), chapter 3, section 1:

“Asiakkaan tunteminen ja riskiperusteinen arviointi.
Jos ilmoitusvelvollinen ei pysty toteuttamaan asiakkaan tuntemiseksi tässä luvussa säädettyjä toimia, ilmoitusvelvollinen ei saa perustaa asiakassuhdetta, suorittaa liiketointa tai ylläpitää liikesuhdetta. Jos ilmoitusvelvollinen on luottolaitos, se ei myöskään saa toteuttaa maksutapahtumaa maksutilin kautta, jos se ei pysty toteuttamaan asiakkaan tuntemiseksi säädettyjä toimia. Ilmoitusvelvollisen on myös arvioitava, onko sen tarpeellista tehdä tapauksesta epäilyttävää liiketoimea koskeva ilmoitus. Ilmoitusvelvollisen on keskeytettävä asiakkaan tuntemista koskevat toimet, jos ilmoitusvelvollinen perustellusti arvioi tuntemista koskevien toimien vaarantavan epäilyttävää liiketoimea koskevan ilmoituksen tekemisen.

Ilmoitusvelvollisen on asiakassuhteeseen liittyviä rahanpesun ja terrorismin rahoittamisen riskejä arvioidessaan otettava huomioon uusiin ja jo olemassa oleviin asiakkaisiin, maihin tai maantieteellisin alueisiin sekä uusiin, kehitettäviin ja jo olemassa oleviin tuotteisiin, palveluihin ja liiketoimiin sekä jakelukanaviin ja teknologioihin liittyvät rahanpesun ja terrorismin rahoittamisen riskit (riskiperusteinen arviointi).

Tässä luvussa säädettyjä asiakkaan tuntemista koskevia toimia on noudatettava riskiperusteiseen arviointiin pohjautuen koko asiakassuhteen ajan. Lisäksi ilmoitusvelvollisen on noudatettava asiakkaan tuntemista koskevia säännöksiä, kun ilmoitusvelvollisella on tai on ollut lakisääteinen velvollisuus hallinnollisesta yhteistyöstä verotuksen alalla ja direktiivin 77/799/ETY kumoamisesta annetun neuvoston direktiivin lainsäädännön alaan kuuluvien säännösten kansallisesta täytäntöönpanosta ja direktiivin soveltamisesta annetun lain (185/2013) tai muun vastaavaa velvoitetta koskevan sääntelyn nojalla ottaa kalenterivuoden aikana yhteyttä asiakkaaseen tosiasiallista edunsaajaa koskevien merkityksellisten tietojen tarkistamista varten.

Ilmoitusvelvollisen on voitava osoittaa valvontaviranomaiselle tai valvomaan asetetulle, että ilmoitusvelvollisen tässä laissa säädetyt asiakkaan tuntemista ja jatkuvaa seurantaa koskevat menetelmät ovat riittävät rahanpesun ja terrorismin rahoittamisen riskin kannalta.”

Translation:

“Customer due diligence and risk-based assessment.
If an obliged entity is unable to carry out the customer due diligence measures laid down in this chapter, the entity may not establish a customer relationship, conclude a transaction or maintain a business relationship. Where the obliged entity is a credit institution, it also may not execute a payment transaction through a payment account if it is unable to carry out the measures laid down for customer due diligence. The obliged entity shall also assess whether it is necessary in this case to submit a suspicious transaction report. The obliged entity shall suspend the customer due diligence measures if, on reasonable grounds, it determines that the customer due diligence measures would endanger the submission of a suspicious transaction report.

In assessing the money laundering and terrorist financing risks in a customer relationship, an obliged entity shall take into account the money laundering and terrorist financing risks relating to new and pre-existing customers and to countries or geographic areas, and to products, services, transactions, delivery channels and technologies that are new, under development or already exist (risk-based assessment).

The customer due diligence measures laid down in this chapter shall be observed throughout the course of the customer relationship on the basis of risk-based assessment. In addition, an obliged entity shall comply with the provisions on customer due diligence when the obliged entity has or has had, under the Act on Administrative Cooperation in Taxation and on National Implementation of the Provisions of Council Directive Repealing Directive 77/799/EEC and on Application of the Directive (185/2013) or any other regulation concerning a corresponding obligation, a legal duty to contact the customer in the course of the calendar year for the purpose of reviewing any relevant information relating to the beneficial owner.

An obliged entity shall be able to demonstrate to the supervisory authority or a body appointed to supervise that their methods concerning customer due diligence and ongoing monitoring laid down in this Act are adequate in view of the risks of money laundering and terrorist financing.”

According to chapter 3, section 3, subsection 1–2:

”Asiakkaan tuntemistiedot ja niiden säilyttäminen
Ilmoitusvelvollisen on pidettävä kaikki asiakkaan tuntemista ja liiketoimia koskevat asiakirjat ja tiedot ajantasaisina ja olennaisina. Tiedot on säilytettävä luotettavalla tavalla viiden vuoden ajan vakituisen asiakassuhteen päättymisestä. Jos kysymyksessä on 2 §:n 1 momentin 1 tai 2 kohdassa taikka mainitun pykälän 2 momentissa tarkoitettu satunnainen liiketoimi, asiakkaan tuntemista koskevat tiedot on säilytettävä viiden vuoden ajan liiketoimen suorittamisesta.

Asiakkaan tuntemista koskevista tiedoista on säilytettävä:
[…]
8) tiedot asiakkaan toiminnasta, liiketoiminnan laadusta ja laajuudesta, taloudellisesta asemasta, perusteet liiketoimen tai palvelun käytölle ja tiedot varojen alkuperästä sekä muut 4 §:n 1 momentissa tarkoitetut asiakkaan tuntemiseksi hankitut tarpeelliset tiedot; […]”

Translation:

”Customer due diligence data and their retention
Obliged entities shall ensure that all documents and data concerning customer due diligence and customer transactions are up to date and relevant. The data shall be retained in a reliable manner for a period of five years after the end of the permanent customer relationship. In the case of occasional transactions referred to in section 2, subsection 1, paragraphs 1 and 2 or in subsection 2 of the said section, customer due diligence data shall be retained for a period of five years from the conclusion of the transaction.

The following customer due diligence data shall be retained:
[…]
8) information on the customer’s activities, nature and extent of business, financial standing, grounds for use of transaction or service and information on source of funds as well as the other necessary information referred to in section 4, subsection 1 acquired for the purpose of customer due diligence;[…]”

According to the chapter 3, section 4:

“Asiakasta koskevien tietojen hankkiminen, jatkuva seuranta ja selonottovelvollisuus
Ilmoitusvelvollisen on hankittava tietoja asiakkaansa ja tämän tosiasiallisen edunsaajan toiminnasta, liiketoiminnan laadusta ja laajuudesta sekä perusteista palvelun tai tuotteen käyttämiselle. Ilmoitusvelvollinen saa hyödyntää asiakkaasta tai tämän tosiasiallisesta edunsaajasta eri tietolähteistä saatavilla olevia tietoja asiakasta koskevan riskiarvion laatimiseksi ja ylläpitämiseksi, rahanpesun ja terrorismin rahoittamisen estämiseksi sekä tässä laissa tarkoitetun ilmoitusvelvollisuuden ja selonottovelvollisuuden täyttämiseksi. Ilmoitusvelvollisen on kiinnitettävä erityistä huomiota tietolähteen uskottavuuteen ja luotettavuuteen. Luonnollisten henkilöiden suojelusta henkilötietojen käsittelyssä sekä näiden tietojen vapaasta liikkuvuudesta ja direktiivin 95/46/EY kumoamisesta (yleinen tietosuoja-asetus) annetussa Euroopan parlamentin ja neuvoston asetuksessa (EU) 2016/679, jäljempänä tietosuoja-asetus, ja tietosuojalaissa (1050/2018) säädetään henkilötietojen käsittelystä.

Ilmoitusvelvollisen on järjestettävä asiakkaan toiminnan laatuun ja laajuuteen, asiakassuhteen pysyvyyteen ja kestoon sekä riskeihin nähden riittävä seuranta sen varmistamiseksi, että asiakkaan toiminta vastaa sitä kokemusta ja tietoa, joka ilmoitusvelvollisella on asiakkaasta ja tämän toiminnasta.

Ilmoitusvelvollisen on erityisesti kiinnitettävä huomiota liiketoimiin, jotka rakenteeltaan tai suuruudeltaan taikka ilmoitusvelvollisen koon tai toimipaikan osalta poikkeavat tavanomaisesta. Samoin on meneteltävä, jos liiketoimilla ei ole ilmeistä taloudellista tarkoitusta tai ne eivät sovi yhteen sen kokemuksen tai tietojen kanssa, jotka ilmoitusvelvollisella on asiakkaasta. Tarvittaessa liiketoimeen liittyvien varojen alkuperä on selvitettävä.”

Translation:

“Obtaining customer due diligence data, ongoing monitoring, and obligation to obtain information
Obliged entities shall obtain information on their customers’ and their beneficial owners’ activities, the nature and extent of their business, and the grounds for the use of the service or product. Obliged entities may use available data from different information sources on the customer or its beneficial owner for the purpose of preparing and maintaining a risk assessment of the customer, preventing money laundering and terrorist financing and meeting the reporting obligation and the obligation to obtain information referred to in this Act. Obliged entities shall pay special attention to the credibility and reliability of the information source. Provisions on the processing of personal data are laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter the Data Protection Regulation, and in the Data Protection Act (1050/2018).

Obliged entities shall arrange monitoring that is adequate in view of the nature and extent of the customers’ activities, the permanence and duration of the customer relationship and the risks involved in order to ensure that the customers’ activities are consistent with the obliged entities’ experience or knowledge of the customers and their activities.

Obliged entities shall pay particular attention to transactions that differ from the usual in respect of their structure or size or with regard to the size or office of the obliged entity. The same also applies in the event of transactions which lack an obvious economic purpose or are inconsistent with obliged entities’ experience or knowledge of the customer. When necessary, steps shall be taken to establish the source of the funds involved in the transaction.”

Evaluation of the case

Under the Act on Preventing Money Laundering and Terrorist Financing (hereafter referred to as the Anti-Money Laundering Act), banks must know their customers. The obligation of customer due diligence applies throughout the duration of the customer relationship. Using a risk-based approach, banks must obtain sufficient information in order to evaluate the risks related to the customer relationship and to determine the customer’s individual risk level. If necessary, banks must obtain information on the origin of funds, for example. If the bank is unable to carry out the measures laid down for customer due diligence, it may be obliged to refuse to conduct the business transaction or to maintain the business relationship at all. The evaluation should be conducted on the basis of a comprehensive risk-based assessment.

Concerning customer due diligence, the preparatory materials for the Anti-Money Laundering Act (HE 228/2016 vp., pp. 102–103) indicate that in situations where the customer does not provide sufficient customer due diligence information, the obliged entity should primarily limit the services offered (e.g. by closing a payment instrument) and only resort to termination of the contract as a last resort. However, limitations of services or the closing of a payment instrument should not be resorted to unless the deficiency in the customer due diligence information is material and indispensable in evaluating the customer due diligence measures as provided by law and the risk-based assessment of the customer. If a credit institution, for example, does not receive the necessary customer due diligence information, it should not execute a payment transaction through a payment account. In addition, the preparatory materials indicate that mentions of customer-related risk factors that predict an enhanced customer due diligence obligation include, for instance, the fact that a business transaction was concluded in unusual circumstances or that business activities are conducted in a cash-intensive manner. Furthermore, the preparatory materials mention that geographical risk factors should also be taken into account as part of the customer due diligence obligation. An example of a heightened geographical risk factor would be the fact that the customer received his or her license or was registered in a state which is, according to reliable estimates, host to widespread corruption or other criminal activities or which the EU or the UN have placed under sanctions.

In the case at hand, the customer attempted to deposit approximately 8,000 euros in cash to his account with the bank. The customer says that the cash was from his bank account in Russia. He had sent the rubles to his friend who had withdrawn them in euros from his account. The customer says that the money was accumulated over the years, with a part of it transferred recently from the account of his late grandmother. As an account of the source of the funds the customer has provided the bank with a statement from his account in a Russian bank.

The bank has stated that they did not receive sufficient clarification from the customer to verify the source of the funds, and the customer informed the bank that he could not provide any further documentation. Based on this, the bank refused to accept the funds and instructed the customer to provide documentation of the source of the funds if he intended to deposit other cash funds in the future. The bank stated that they did not restrict the customer's services but refused a single transaction due to regulatory obligations.

The Banking Complaints Board notes that the bank has discretionary power over which information and documents it considers necessary for customer due diligence, including verifying the origin of funds. According to Chapter 3, Sections 1 and 4 of the Anti-Money Laundering Act, different risk factors must be taken into account in assessing the matter. In the case at hand, the Banking Complaints Board notes at least the following risk factors mentioned in the Act and in its preparatory materials: the geographical risk relating to the source of funds and potential sanctions and the use of cash for the payment transaction.

On the basis of the information provided, the Banking Complaints Board finds that the bank did not exceed its discretionary power under the Anti-Money Laundering Act in applying the requirements on customer due diligence information. The Banking Complaints Board also finds that under the Anti-Money Laundering Act, the bank has a confidentiality obligation concerning any assessments of the suspicious nature of a business transaction and related obligations.

Based on the applicable legislation, the Banking Complaints Board considers that the bank had the right, and potentially even an obligation, to decline the cash deposit.

There have been no claims that the customer hasn’t been able to deposit cash from other sources than the abovementioned cash. Therefore, the Board considers that the bank has not limited the customer’s services more than was necessary to limit.

Referring to the customer’s demands, the Board has previously addressed the customer's first demand regarding unblocking cash deposit service.

As regards the customer’s second demand concerning the provision of information about service restrictions, the Board finds that the bank has refused to accept the aforementioned deposit and required the customer to disclose the source of funds for future deposits, and that the customer has been aware of these conditions.

According to FINE’s rules section 6, the Banking Complaints Board provides recommendations on disputes related to the banking relationship raised by the customer or the bank before the Board. The Board notes that it does not have the authority to address the customer's demands concerning the bank's general operations or its relationship with all customers. Therefore, the Banking Complaints Board does not provide further opinion regarding the customer’s demands beyond what has been stated above.

Final outcome

The Banking Complaints Board finds that the bank has not restricted the customer’s banking services more than was necessary.

The Banking Complaints Board’s decision was unanimous.

THE BANKING COMPLAINTS BOARD

Chairman Sillanpää
Secretary Heino

Members:
Atrila
Ketola
Makkonen
Punakivi