Financial Supervisory Authority of Norway finds AML, settlement journal and ICT control deficiencies at Noroppgjør AS

The Financial Supervisory Authority of Norway published an inspection report on Noroppgjør AS covering compliance with anti-money laundering (AML) and real estate brokerage requirements, internal control and client funds handling, alongside an information and communication technology (ICT) inspection. The review identified multiple breaches and control gaps, including inadequate documentation that internal control is externally monitored, non-compliant settlement journalkeeping, weaknesses in AML risk assessment and oversight of outsourced customer due diligence, and shortcomings in ICT risk management and governance. The report requires the firm to establish external monitoring of internal control and to keep a settlement journal in line with the Real Estate Brokerage Regulation, noting that the firm’s current approach using case management exports to spreadsheets does not meet traceability and change-log expectations. It also flags weaknesses in routines for safeguarding client funds, a lack of documented checks that client account interest rates are market-based, and instances where statutory guarantees were provided late without documented buyer information. On AML, the authority points to an enterprise-wide risk assessment that does not reference key external sources and a risk matrix that is too generic to guide case-level risk classification, alongside insufficient written routines for periodic, systematic quality control of outsourced customer measures. Sample testing identified gaps including late or incomplete customer identification and verification, weak documentation of ownership and control, questionable risk “downgrading”, inadequate follow-up of suspicious indicators, and recordkeeping practices that the authority considers inconsistent with the AML Act, as well as shortcomings in sanctions screening coverage. In ICT, the authority concludes that the firm relies heavily on supplier reporting without sufficient own controls, lacks key elements such as a business impact analysis and robust crisis testing, and needs to review outsourcing contracts and security requirements, establish adequate asset inventories, and document change management processes. Noroppgjør AS is required to confirm that its settlement journalkeeping has been brought into compliance no later than 1 May 2026, and the authority asks the firm to send a copy of the report to its auditor.