IMY received a high volume of applications, and as a result it has put forward a proposal to allow all Swedish companies under the supervision of the Financial Supervisory Authority ("Finansinspektionen") to screen against publicly available sanction lists from foreign countries (including OFAC).
It was supposed to enter into force on March 1st 2024, but IMY is a bit behind. When they do make the change, Swedish customers regulated by Finansinspektionen will be able to screen against OFAC.
For those navigating the complexities of GDPR and AMLD, this new proposal to allow Swedish companies to screen against OFAC will make it a lot easier for Swedish companies to conduct their crucial KYC (Know-Your-Customer) processes.
The new regulations for regulated companies are as follows:
(Swedish)
Företag under Finansinspektionens tillsyn
6 § Företag under Finansinspektionens tillsyn som erbjuder finansiella tjänster och som är skyldiga att efterleva kraven i lagen (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism får behandla personuppgifter som avses i artikel 10 i EU:s dataskyddsförordning för kontroller mot sanktionslistor om
- Sanktionslistorna är fastställda i demokratisk ordning och allmänt tillgängliga på utfärdande myndigheters eller mellanstatliga organisationers webbplatser, och
- Företagen har vidtagit relevanta skyddsåtgärder för att kunna skilja på äkta och falska träffar.
Personuppgiftsbehandling enligt första stycket får endast avse företagens befintliga och presumtiva kunder, befintliga och presumtiva leverantörer, samarbetspartners, förmedlare, arbetstagare, arbetssökande, uppdragstagare, styrelsemedlemmar, fullmaktshavare, ställföreträdare, firmatecknare, ägare, verkliga huvudmän, tredjemanspantsättare och borgensmän, motparter i en transaktion och därmed jämförliga kategorier av personer.
(English)
Companies under the supervision of the Swedish Financial Supervisory Authority
Section 6 - Companies under the supervision of the Swedish Financial Supervisory Authority that offer financial services and are obligated to comply with the requirements of the Act (2017:630) on measures against money laundering and terrorist financing may process personal data referred to in Article 10 of the EU General Data Protection Regulation for checks against sanction lists if
1. The sanction lists are established in a democratic manner and are publicly available on the websites of issuing authorities or intergovernmental organizations, and
2. The companies have implemented relevant protective measures to distinguish between genuine and false matches.
Processing of personal data under the first paragraph may only concern the companies' existing and prospective customers, existing and prospective suppliers, partners, intermediaries, employees, job applicants, contractors, board members, attorneys-in-fact, representatives, signatories, owners, beneficial owners, third-party pledgors and guarantors, counterparties to a transaction, and comparable categories of persons.
Note: this is not legal advice and you should check if new regulations apply to your specific business.