The Financial Supervisory Authority of Norway published an inspection report on Eiendomsmegler A AS following a June 2024 review of its real estate brokerage operations, identifying deficiencies in compliance with the ICT Regulation, risk management and internal control, client money security and settlement statements. The review also found multiple shortcomings in the firm’s anti-money laundering (AML) framework, affecting its risk assessment, written procedures and application of controls in individual brokerage assignments. On ICT governance, the firm lacked documented procedures for approving test results before ICT systems are put into ordinary operation and for annual testing and exercises of the crisis solution, including documentation of results, even where systems are outsourced. In governance and control, written work routines had not been approved by the board and there was no documented assessment that routines embedded in the brokerage system were sufficient to address risks identified in the firm’s risk assessment, while the risk assessment did not cover specific fraud risks for loss of client funds such as falsified payment instructions. Weaknesses in client money security included single-factor authentication for access to the settlement module, no dual authorisation for client money payments, and no automated transaction blocks based on size or frequency. The authority also found that settlement statements were sent to buyers before all transactions were completed, and stated they should be sent after the document duty has been paid. In AML, the authority found gaps in the firm’s enterprise-wide risk assessment, including insufficient documentation of external sources used and a lack of concrete assessment of how the firm could be exploited for terrorist financing. It also highlighted that the structure of the firm’s routines and its use of the NTAES indicator list could blur the distinction between high-risk indicators requiring enhanced customer due diligence and suspicious circumstances requiring further investigation and potential reporting to Økokrim. A sample review of nine assignments identified case-level deficiencies including missing politically exposed person (PEP) checks, inadequate identity verification in mandates involving a proxy, missing or weak information on the purpose and intended nature of the relationship, and risk classifications that did not align with the firm’s own risk assessment and routines, leading to enhanced measures not being applied.
Norwegian Finanstilsynet 2025-03-20
Financial Supervisory Authority of Norway finds ICT controls, client money safeguards and AML weaknesses at Eiendomsmegler A AS
Norway's Financial Supervisory Authority inspection of Eiendomsmegler A AS revealed significant deficiencies in ICT governance, risk management, client money security, and AML frameworks. Issues included inadequate ICT procedures, insufficient fraud risk assessments, weak client money security measures, and gaps in AML risk assessments and procedures. The report highlighted the need for improved governance, documentation, and adherence to regulatory standards.