S-Bank Plc (S-Pankki) has been issued a combined penalty payment of €7,670,000 ($8,682,136) by the Financial Supervisory Authority (FIN-FSA) for omissions in its operational risk management. The bank was also issued a warning for omissions connected to strong customer authentication and the payer consent required for making payment transactions.
The failures related to an error in S-Bank Plc’s IT system between April 20, 2022, and August 5, 2022, and were revealed after an inspection by FIN-FSA in 2022-2023.
The authority also found that S-Bank Plc lacked proper policies and processes to identify and handle such risks, as well as the risks connected to outsourcing.
Customers lost funds
According to the bank, the concerns related to an “exceptional and very difficult-to-detect malfunction” that occurred in a software update at one of its system providers in 2022. Due to the malfunction, suspected criminals were able to exploit the faulty system, which resulted in financial losses to a small number of bank customers.
Yet the bank says the system malfunction was fixed as soon as it was discovered, and the affected customers were compensated.
“S-Bank has cooperated closely with the authorities to investigate the case and has implemented comprehensive measures to prevent a similar occurrence,” the bank said.
S-Bank also added that it is “improving its operating practices and risk management continuously to ensure the security of its services in the changing operating environment.”
“The importance of digital security in banking services is pronounced in Finland, as customer service has moved almost entirely to mobile and online banking. The geopolitical situation highlights the importance of digital services management in supervised entities,” said FIN-FSA Director General Tero Kurenmaa.
The authority earlier announced its supervisory priorities for 2025. IT and cyber risks, and risks related to outsourcing are some of its focus areas. Kurenmaa said that “the supervision of ICT, cyber and outsourcing risks remains an operational priority for the FIN-FSA in 2025.”
Cooperated with FIN-FSA
FIN-FSA said that the combined penalty of €7,670,000 ($8,682,136) was based on a “comprehensive assessment”, which accounted for factors including:
- the nature, extent and period of the omissions;
- earlier omissions concerning financial market provisions and regulations; and
- the bank's cooperation with the FIN-FSA to resolve the issue, as well as the measures it took to prevent similar issues in the future.
S-Bank Plc has the right to appeal the decision within 30 days to the Helsinki Administrative Court, and has said that it will examine the decision.
“S-Bank takes the Financial Supervisory Authority’s decision seriously but considers the penalty payment to be severe,” the bank stated.