date 2023-06-30

In S-bank’s opinion, its board as a whole and its members individually are reliable, suitable and professional. The bank’s board admits that the “corrective measures” for the negligence have been completed too slowly.

The Financial Supervisory Authority (Fiva) is investigating the suitability, reliability and operation of the board of S-bank, which has been mired in many messes. According to information from Helsingin Sanomat, Fiva is also investigating the qualifications of the management team at the same time.

The reason for the supervisor’s very extensive and exceptional investigation is that S-bank has received several administrative penalties imposed by the Financial Supervisory Authority between 2019 and 2022, and in 2020 a notice from the data protection officer about S-mobile bank’s extensive data security problem.

In addition to the sanctions, S-bank had to report a new and exceptionally serious data security breach just under a year ago in 2022. As a result, the account information of the bank’s customers had been hacked and identities had been used without permission in the Kela and Suomi.fi services, which require strong identification.

The hackers were able to use both public and private online services with the identities of S-bank’s customers. Through a hole in the online bank, the hackers were also able to transfer 1.2 million euros to the accounts of a few hundred people.

These data security flaws are also the reason for the extensive investigation launched by Fiva on the competence and activities of S-bank’s board and executive management.

According to its own announcement, S-bank has 3.2 million customers, whose deposits worth 7.9 billion euros and assets of 6.0 billion euros are managed by the bank.

The Financial Supervisory Authority started its investigation of S-bank’s board in late August 2022. Fiva wanted a new report on reliability, suitability and professionalism from each member of the board, and the supervisor was also interested in the competence of S-bank’s board as a whole.

Fiva requested the clarifications only a few weeks after it had received the first notification of data security problems from S-bank on August 5, 2022. S-bank told the public of serious IT problems only more than a month later on September 13.

S-bank gave a statement to its supervisor at the end of September 2022, but Fiva was not satisfied. Right at the end of October, the banking supervisor made a request for additional clarification.

The Financial Supervisory Authority urged S-bank to supplement the previous report with an assessment of the reliability, suitability and professionalism of the board members.

The supervisor wanted S-bank to pay particular attention to the requirements regarding board members’ use of time and management of conflicts of interest.

The Financial Supervisory Authority told S-bank that it found that the board members were very busy with their work. The supervisor wanted to know if they have enough time left to perform their board duties at S-bank.

Likewise, Fiva was concerned that S-bank’s board members had positions in SOK-backed companies, which could create conflicts of interest in S-bank’s board work. S-bank is owned by SOK and regional cooperatives belonging to the S group.

Along with the board, the Financial Supervisory Authority also focused its attention on part of the management team. Fiva wanted a report on the reliability, suitability and professionalism of the persons responsible for information technology and security risks, among other things.

The report no longer applies to the CEO, because S-bank changed the CEO after the messes that were revealed.

S-bank responded to a request for further clarification in December. According to the bank, its board as a whole and its members individually are reliable, suitable and professional.

S-bank sent updated reports on the reliability, suitability and professionalism of some of the board members: the chairman Jari Annala and members Jorma Vehviläinen, Heli Arantola, Veli-Matti Liimatainen, Hillevi Mannonen and Olli Vormisto.

Jari Annala is the CEO of SOK Liiketoiminta oy, Jorma Vehviläinen is the financial director of Suomen Osuuskauppojen Keskuskunta, Veli-Matti Liimatainen is the CEO of Helsinki Osuuskauppa Elanto, Hillevi Mannonen is an actuary and entrepreneur approved by the Ministry of Social Affairs and Health (SHV) and Olli Vormisto is the CEO of Cooperative Hämeenmaa.

Those who work in cooperative companies also sit on several other group boards. The current CEO of A-lehti, Heli Arantola, left S-bank’s board of directors last spring.

S-bank says that it has strengthened its risk management skills by appointing to its board of directors the actuary Hillevi Mannonen, who has worked, among other things, at the occupational pension company Ilmarinen.

S-bank also responded to the concerns related to the time use of its board members. In S-bank’s opinion, Fiva’s way of solving the matter automatically leads to a result where the total time spent by the person may seem high.

S-bank also appealed to the fact that the requirements of the Working Time Act do not apply to the board member and CEO.

S-bank did not see any conflicts of interest in the board work either.

According to the bank, in situations of conflict of interest, the board’s general “policy” or guidelines are followed. According to these guidelines, “individuals responsible for managing the bank and working in key positions are obliged to actively assess potential conflicts of interest in their daily activities”.

The Financial Supervisory Authority was not completely satisfied with the explanation provided by S-bank even after the request for additional clarification. Some of the board members received an invitation to a conversation with the supervisor in February.

The Financial Supervisory Authority decided that S-bank’s board chairman Jari Annala and independent members Heli Arantola and Hillevi Mannonen will be invited to the interview.

S-bank’s board chairman Jari Annala in Helsinki on May 31, when the bank announced that it would buy Svenska Handelsbanken’s operations in Finland.

“With the interviews, we tried to find out e.g. board members’ financial sector [risk] expertise, the board’s collective expertise and competence, the board’s functionality and decision-making in general, familiarity with the regulation of related party lending, and the independence of decision-making from the S-group,” says the meeting minutes of the Financial Supervisory Authority’s management team.

At least the interviews did not fully convince the Financial Supervisory Authority. At the end of April, the supervisor sent another additional clarification request to S-bank, asking them to complete the previous additional clarification.

This time, the Financial Supervisory Authority wanted to know how much the board knew about the messes of the past years and the measures to correct them. So it was about the board’s decisions and other activities and not just the qualifications and suitability of the persons for the board position.

The Financial Supervisory Authority is therefore investigating whether S-bank’s board knew how to react correctly to the messes reported to it.

The messes reported to the board concerned the sanctions imposed by Fiva: a 60,000 euro fine for failure to report on derivative contracts in 2022, a penalty payment of 1,650,000 euros in 2021 for omissions related to the detection of suspicious transactions, and a penalty payment of 980,000 euros in 2019 for negligence in the fight against money laundering.

Fiva also wanted to get clarity on how S-bank’s board had reacted to the notice received from the data protection commissioner’s office in 2020, which concerned information covered by banking secrecy being displayed incorrectly to other users in the mobile bank.

In its response, S-bank assured that the sanctions and remarks have been brought to the attention of the board without undue delay and that the board has taken them seriously. According to S-bank, the events have also been handled to an appropriate extent and sufficient corrective measures have been taken.

However, S-bank’s board admits in its response to Fiva that the “corrective measures” have been completed too slowly.

S-bank told its supervisor that it has increased the number of board members independent of the owners since 2021, so that there are currently three independent members on the board, i.e. two more than before. According to S-bank, they are risk management expert Hillevi Mannonen, IT expert Kati Hagros and an expert in banking business Tom Dahlström.

Hagros is the director of digitization and information technology at Aalto University and Dahlström works at the consulting company Good Ventures oy.

The Financial Supervisory Authority considered in its supervisory assessment at the beginning of May that many things in S-bank have improved: customer knowledge information is at a better level compared to previous years, but not yet completely comprehensive or up-to-date.

The two new independent members of the board also complement the expertise, Fiva praises.

However, according to the Financial Supervisory Authority, the repeated administrative sanctions show deficiencies in the bank’s control and management systems. Fiva also considered as risks that the guidelines for related party lending and the documentation of related party information in the bank’s systems are incomplete.

At the bank there have also been deficiencies in the assessment of reliability, suitability and professionalism and in the notifications to the Financial Supervisory Authority.

The inspection of information technology and information security risk management carried out by the Financial Supervisory Authority in the fall of 2022 produced 12 findings, two of which were of serious importance.

Fiva considered, for example, that S-bank’s preparation for exceptional circumstances is insufficient. The reason is that the bank has outsourced the majority of its IT services to several parties, who in turn have outsourced them to their subcontractors.

According to the Financial Supervisory Authority, the problem is especially that “some of the critical services” are produced outside Finland’s borders, says the inspection report completed last February.

According to the report, the problem was also that S-bank hadn’t told the Financial Supervisory Authority about all its outsourcing.

The Financial Supervisory Authority’s audit also revealed that S-bank initially did not react correctly to the information security notifications received from its customers in the summer of 2022, which is why it was late to patch the big information security gap.

Observation from the Financial Supervisory Authority’s inspection report on February 15, 2023.

According to Fiva, “the IT expert who investigated the customer’s report could not immediately find out, based on the information received from the customer, what the issue was and left the investigation unfinished”. According to Fiva, this was a clear mistake, as the information received from the customer showed that it was a “potentially very serious problem” and S-bank should have continued with the information security investigations.

After this, the feedback from another customer on August 3 was not reacted to properly, when S-bank’s customer service failed to inform the information security expert about it, Fiva says in its inspection report. There was a serious software error in S-bank between April 20 and August 5, 2022, as a result of which the funds and personal data of all S-mobile customers were “exposed to misuse”.

The Financial Supervisory Authority has not yet reached its conclusions about the consequences of the S-bank inspection. The case is pending, after which Fiva will give S-bank a decision or letter about the results of the inspection.

The Financial Supervisory Authority can give S-bank notices or prohibit certain persons from participating in the bank’s management. It is also possible that Fiva considers S-bank to have corrected its operations sufficiently and the financial institution gets a clean bill of health from an exceptionally thorough inspection.

S-bank must implement the calls and recommendations given by Fiva by the end of 2023.