Anti-Money Laundering – Regulatory Guide 2025

Published 09.02.2025 by Harald Sætermo

The anti-money laundering regulatory framework aims to prevent and detect money laundering and terrorist financing. The financial sector is well-acquainted with these regulations and generally maintains robust procedures for managing money laundering risks. However, the regulatory landscape is constantly evolving, and practical compliance remains challenging. This article provides an introduction to the regulatory framework and a brief update on its status in 2025.

1. Background and Regulatory Framework

Money laundering refers to participating in, or contributing to securing, converting, or concealing the proceeds of a criminal act. Terrorist financing includes the financing of terrorist acts, terrorist organisations, and individual terrorists. The anti-money laundering (AML) framework serves as a shield against such criminal activities. It has been developed based on many years of national and international experience in blocking criminals’ access to the legal economy and preventing terrorist financing.

The current Norwegian Anti-Money Laundering Act and its associated regulations entered into force on 15 October 2018. This is the third AML Act in Norway since 2004, built on the work of the international cooperation group Financial Action Task Force (FATF) and the EU’s AML framework. The Act implements the EU’s Fourth AML Directive (EU) 2015/849, while amendments under the Fifth AML Directive (EU) 2018/843 were incorporated through regulatory changes adopted on 31 May 2021.

At the EU level, the AML package was adopted in June 2024. This package consists of the Sixth Anti-Money Laundering Directive, the single-rulebook regulation, and the regulation establishing the European Anti-Money Laundering Authority (AMLA), which will be headquartered in Frankfurt. Amendments to the EU’s Transfer of Funds Regulation (TFR) also form part of the broader framework. These developments will have relevant implications for Norway, necessitating corresponding updates to Norwegian law in the foreseeable future. A working group appointed by the Ministry of Finance is currently assessing the implementation of the AML package in Norway, with a report expected by the end of 2025.

A wide range of stakeholders are responsible for ensuring compliance with AML regulations, including banks and other financial institutions. To support compliance efforts, regulatory authorities oversee adherence to the AML framework. The Financial Supervisory Authority of Norway (Finanstilsynet) is primarily responsible for monitoring compliance among reporting entities. Additionally, the Supervisory Council for Legal Practice and the Norwegian Gaming Authority oversee sector-specific compliance.

Entities that fail to comply with the AML framework may face enforcement measures, including compliance orders, coercive fines, prohibition from holding managerial positions, administrative fines, and, in severe cases, criminal liability leading to imprisonment.

2. Who is Subject to the Obligations?

The regulatory framework applies to a defined group of entities, referred to as reporting entities. Legal persons covered by the legislation include financial institutions, investment firms, central securities depositories in designated situations, management companies for mutual funds, insurance companies, insurance intermediaries, depositaries, alternative investment fund managers (AIFMs), and lending intermediaries.

Branches of foreign entities operating in Norway are also subject to Norwegian AML regulations. This means that a branch must comply with Norwegian law regardless of the regulatory framework applicable to its head office in its home country. Accordingly, it must ensure full compliance with Norwegian AML requirements.

Individuals covered by the AML framework in a professional capacity include, among others, auditors, accountants, lawyers involved in financial transactions or real estate transactions under specified conditions, real estate agents and firms, providers of corporate services, persons with limited authorisation to offer payment services, and gambling service providers.

3. Key Obligations – What Must Entities Ensure Compliance With?

The AML framework is extensive and imposes detailed requirements. No part of the regulations can be disregarded as insignificant. However, certain fundamental pillars of the framework demand particular attention:

3.1. Enterprise-Specific Risk Assessment

The regulatory framework requires that reporting entities conduct an enterprise-specific risk assessment. This serves as the foundation for implementing AML measures within the organisation. The assessment must identify and describe the risks of money laundering and terrorist financing specific to the entity. While the Norwegian AML Act provides little guidance on how to structure the risk assessment, regulatory practices and supervisory guidance offer direction.

The risk assessment should cover inherent risk (exposure to money laundering and terrorist financing), the effectiveness of the entity’s mitigation measures, any vulnerabilities within these measures, and residual risk. Both potential and actual risks must be assessed. Industry-standard templates may be used but must be adapted to reflect the reporting entity’s unique risk profile. Supervisory practices in banking and financial services indicate that reliance on standardised procedures—whether industry-specific or group-wide—without proper tailoring to the institution’s specific risks has been consistently criticised.

Terrorist financing risk must always be evaluated, even in cases where the entity considers the risk to be low. This aspect has also been a focal point in supervisory inspections.

The risk assessment should be based on both internal sources (knowledge and experience from the entity’s own operations) and external sources. As a minimum, reporting entities must consider evaluations and recommendations from regulatory authorities, the National Police Directorate, and the Norwegian Police Security Service (PST). Entities should also be aware of risk assessments from their industry organisations and relevant reports from Økokrim, Kripos, PST, and the National Authority for Investigation and Prosecution of Economic and Environmental Crime (NTAES).

For financial institutions, it is expected that they also consult sources such as the European Commission, FATF, and the European Banking Authority’s Risk Factor Guidelines.

The risk assessment should be updated at least annually and otherwise as needed. Updates should reflect new developments in money laundering and terrorist financing methods, lessons learned from the reporting entity’s own experience and external sources, and newly published risk assessments from authorities and industry bodies.

Regulatory inspections of investment firms and AIFMs have identified deficiencies in risk assessments, including, in some cases, a complete lack thereof. Additionally, supervisory findings highlight common issues such as:

  • Failure to adapt risk assessments and risk classifications to Norwegian conditions.
  • Insufficient consideration of combined risks linked to different customers, customer groups, products, and services, as well as product risks in light of criminal trends.
  • Failure to account for key person risks within the entity, particularly in branches of foreign institutions where key personnel are linked to the head office and not necessarily present in the Norwegian branch.

3.2. Procedures

Obliged entities must also establish operational procedures describing how they will implement compliance with anti-money laundering (AML) regulations in practice. There must be a clear link between the risk assessment and the procedures.

The requirement to prepare procedural descriptions follows from Section 8 of the Norwegian Anti-Money Laundering Act. Both the risk assessment and the procedures must be documented in writing and be available for supervisory authorities upon request.

The procedures must be reviewed. At a minimum, an annual assessment should be conducted to determine whether updates or adjustments are necessary. The guidance states that revisions will generally be required when the risk assessment is updated, new regulatory requirements emerge, new products are developed, or other changes occur—whether in the risk landscape or within the business itself.

The Financial Supervisory Authority (Finanstilsynet) has highlighted deficiencies in procedures in several inspections. These deficiencies often relate to an over-reliance on checklists and tables for data entry, rather than detailed descriptions of how risk assessments are conducted and measures implemented.

3.3. Risk Classification, Customer Due Diligence and Ongoing Monitoring

The procedures must set out and describe the obliged entity's risk classification of customers, as well as the implementation of customer due diligence (CDD) measures and ongoing monitoring. The customer risk classification must reflect the findings of the entity’s risk assessment. Based on this classification, the obliged entity must implement tailored CDD measures and ongoing monitoring.

All customers must be risk-classified to ensure appropriate CDD measures, cf. Section 9 of the Norwegian Anti-Money Laundering Act. The classification should be based on elements derived from the entity’s overall risk assessment. While standardised risk profiles may be applied, they must be tailored to reflect the entity’s specific risks.

The Norwegian Anti-Money Laundering Act distinguishes between standard, simplified, and enhanced CDD, which must be applied in accordance with the customer’s specific risk classification.

Deficiencies in risk classification have also been highlighted in supervisory reports, particularly the need for a genuine differentiation of customer risk. The classification must ensure that customers are appropriately distinguished based on their money laundering risk and the corresponding CDD measures applied.

The Act permits obliged entities to rely on CDD measures carried out by certain specified third parties, subject to agreement and specific conditions. However, this does not exempt the obliged entity from its duty to record and retain information and documents, nor from its ultimate responsibility for ensuring that statutory CDD measures are implemented. Supervisory practice has identified instances of non-compliance, particularly where investment firms have relied on measures taken by other entities, including custodian banks, account operators, and affiliated investment firms.

Banks, credit institutions, and financing institutions are required to maintain electronic monitoring systems as a support function for transaction monitoring within the framework of ongoing customer due diligence. These systems must be adapted to the nature and scale of the entity’s business, and generic tools without customisation options are unlikely to meet statutory requirements. However, automated monitoring must not replace necessary manual controls. The obliged entity must understand the system’s limitations to ensure sufficient oversight and implement additional controls where necessary. A recurring theme in supervisory reports is the lack of multiple, specific, and diversified rules, scenarios, and threshold levels for identifying suspicious transactions. Additionally, clear flagging and classification of transactions have been called for. The obliged entity should maintain documented assessments of the rules, scenarios, and thresholds applied in transaction monitoring.

3.4. Investigation and Reporting Obligation

Where circumstances indicate that funds may be connected to money laundering or terrorist financing, the obliged entity has an obligation to investigate. If, following such investigations, there are grounds for suspicion, the obliged entity must report the matter to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim).

3.5. Internal Control and Training

The Act sets out requirements concerning internal control, role allocation, and training in connection with AML compliance.

Several weaknesses have been highlighted in supervisory reports. One area of concern is the lack of a clear and structured division of responsibilities within firms, including the appointment of an anti-money laundering officer pursuant to Section 8(5) of the Act and a compliance officer pursuant to Section 35(2) of the Act.

The anti-money laundering officer should, as a rule, be a senior manager with a first-line control function and a specific responsibility for implementing procedures. The compliance officer, by contrast, serves as a second-line control function, responsible for ensuring adherence to AML regulations through internal control measures. While the appointment of an anti-money laundering officer is mandatory, a compliance officer is only required where a risk assessment of the firm’s size and nature indicates such a need.

Supervisory practice has accepted that investment firms may appoint an operational leader involved in customer onboarding as the anti-money laundering officer. In exceptional cases, small firms with limited resources may concentrate expertise within the second line of defence. However, this requires a documented risk-based justification and must ensure that the second line does not oversee its own work. The anti-money laundering officer and the compliance officer cannot be the same person, to prevent self-monitoring.

The anti-money laundering officer’s tasks may be delegated to others within the firm where appropriate, provided that the obliged entity has sufficient instructions and procedures in place to govern such delegation. For branches of foreign firms within the EEA, it is not mandatory to appoint a separate anti-money laundering officer in Norway, provided that an officer is appointed in the home country. However, the Norwegian branch remains independently responsible for compliance with Norwegian AML regulations. It is therefore recommended that one or more individuals be designated with delegated responsibilities within the Norwegian branch.

Another area of supervisory focus has been internal training. Section 36 of the Act requires obliged entities to ensure that employees and relevant external personnel receive adequate training on money laundering and terrorist financing. Training requirements have been scrutinised across all levels, from boards and senior management to temporary employees, indicating that obliged entities should adopt a broad approach. Supervisory practice suggests that firms should have a documented training plan and maintain records of training activities, even where the firm has only one employee. The training plan should also be reflected in the obliged entity’s procedures.

4. Recent Developments in the Field of Anti-Money Laundering

  • As of 1 January 2025, the Norwegian Anti-Money Laundering Act has been extended to apply to art dealers and storage service providers for transactions exceeding NOK 80,000.
  • On 15 November 2024, the Ministry of Finance appointed a working group to assess the implementation of the EU’s sixth anti-money laundering package in Norway. The group will report by the end of 2025 and is working in collaboration with the private sector. The regulatory framework is expected to be EEA-relevant, although certain provisions may be exempt.
  • The register of beneficial owners was opened for registrations on 1 October 2024. The correct interpretation of the registration obligation appears to be that it applied from that date, but the rule on enforcement fines will not take effect until 31 July 2025.
  • The regulation to the Act on the Register of Beneficial Owners was amended on 30 September 2024, introducing changes relating to access to the register, its operationalisation, reporting requirements, and other matters.
  • The EU AML package—comprising the Sixth Anti-Money Laundering Directive, the "single rulebook" regulation, and the directive establishing the AMLA supervisory authority—was adopted in June 2024.
  • In case HR-2024-1184-A, the Norwegian Supreme Court considered the obligation to terminate customer relationships where ongoing customer due diligence cannot be carried out, pursuant to Section 24(4) of the Norwegian Anti-Money Laundering Act. The ruling, which concerned an insurance company, has broader implications for other reporting entities. The Court held that the obligation to terminate depends on the type of customer information required and the extent of due diligence necessary. Identifying beneficial owners is a key factor, and a risk-based approach must be applied. The threshold for termination is high, and a general refusal of high-risk customers is not permitted—enhanced due diligence measures should instead be implemented.
  • Beneficial ownership: The FATF has updated its guidance on beneficial ownership and transparency of legal arrangements, in line with Recommendation 25 and the February 2023 revision.
  • AMLA to be based in Frankfurt: It has been decided that the new EU supervisory authority for anti-money laundering and counter-terrorist financing (AMLA) will be headquartered in Frankfurt. The location of AMLA was a key element in finalising the EU’s new AML package, which we have been monitoring throughout its adoption and implementation.
  • The FATF and EU lists of high-risk countries have been updated.
