Finland's Financial Supervisory Authority imposes EUR 7,670,000 combined penalty and public warning on S-Bank for operational risk and payment authentication failings

The Financial Supervisory Authority (FIN-FSA) has imposed a combined penalty payment of EUR 7,670,000 on S-Bank Plc for omissions in operational risk management and issued a public warning for omissions relating to strong customer authentication and payer consent for payment transactions. The failings were linked to a programming error in the bank’s IT system between 20 April 2022 and 5 August 2022. The operational risk management deficiencies covered information system security and effective incident management procedures, as well as inadequate policies and processes to identify, assess and manage operational risks in these areas. FIN-FSA also found S-Bank was not adequately prepared for the realisation of risks related to outsourcing. The issues were identified through a FIN-FSA inspection conducted in 2022–2023 and a separate investigation into the programming error; the penalty amount reflected factors including the nature, extent and duration of the omissions and the bank’s prior non-compliance history, with mitigating weight given to remediation steps and cooperation with FIN-FSA. The decision is not yet legally binding, and S-Bank may appeal to the Helsinki Administrative Court within 30 days of receiving notice of the decision.