From Routine CDD Field to Police Referral: What the Nordea Case Says About 'Purpose and Intended Nature'

On May 4, the Danish Financial Supervisory Authority did not fine Nordea Finans Danmark. It asked the police to investigate.

The complaint is not about a missed sanctions hit, a missed beneficial owner, or a delayed suspicious activity report. It is about a question. A question that sits in every customer due diligence file in Europe, and that most firms answer with three or four formulaic words. The question is why the customer wanted the product and what they intended to use it for.

What the FSA Actually Said

The Danish FSA's referral, based on a June 2023 inspection, is unusually specific about what went wrong. The watchdog assessed that Nordea Finans Danmark "did not have sufficient knowledge of individuals within a larger group of customers who were issued with credit cards." The customer files, the FSA said, were insufficient to assess the purpose and intended nature of the business relationship, and no risk classification was performed for the affected group. Press reports put the affected population at approximately 21,000 customers.

Nordea is contesting the proportionality. It points out, correctly, that neither the FSA nor the bank itself has identified actual money laundering within the affected portfolio. In Nordea's framing, what the regulator found is a documentation gap, not a crime.

The supervisor disagrees. It disagrees forcefully enough to ask the National Unit for Serious Crime to open a criminal investigation, three years after the underlying inspection.

Purpose and Intended Nature Is a Substantive Test, Not a Field

The requirement to assess the purpose and intended nature of the business relationship appears in AMLR Article 20 and in every transposed national equivalent across the EU. It has always been a substantive CDD obligation. In practice, it has often been treated as a free-text field with four or five common answers: "personal banking," "corporate banking," "fund administration services," "wealth structuring." Many firms autofill it from the product code.

The Nordea referral is a supervisor saying, explicitly, that this practice is no longer tolerable. The complaint is not that Nordea failed to write something in the field. The complaint is that what was written did not constitute an assessment. Whatever the customer file contained, it did not let the bank explain, six months or two years later, why this customer wanted this product and what they were doing with it.

That is a much higher bar. It is the bar that AMLA's draft Article 28 RTS on CDD has been raising for months, and that the BWRA guidelines reinforce by requiring entities to ground their risk-based decisions in real customer-level reasoning. The Nordea case is the first significant enforcement action in the European cycle that operationalises the bar at the customer-file level. It will not be the last.

The Volume Is the Point

The FSA's complaint emphasises that the deficiency was systematic. Not three files. Not three hundred. The affected portfolio is reportedly around 21,000 customers, large enough that the supervisor labelled the failure systematic rather than isolated.

This matters because supervisors have historically pursued documentation failures one of two ways. As a thematic inspection finding requiring remediation, or as an aggravating factor in an enforcement action where the substantive AML failure was independently clear. The Nordea referral is neither. The substantive AML failure is the documentation failure. The volume is what makes it actionable as a criminal matter rather than an administrative one.

For management companies and TCSPs, the operational read is direct. If a customer file population contains a "purpose and intended nature" assessment that consists of "fund administration services" repeated 800 times across 800 entities, the file population itself is the exposure. A supervisor looking at it does not need to find money laundering. They need to find that the firm cannot explain, on a per-customer basis, why the relationship exists.

The Three-Year Gap and What It Implies

The inspection that produced the referral happened in June 2023. The referral was filed in May 2026. That is roughly three years between supervisory finding and criminal referral.

Three years is not a delay. It is a process. Danish authorities issued two formal orders to Nordea after the 2023 inspection, Nordea has stated it complied with both, and the referral happened anyway.

The implication for any firm receiving a CDD-related supervisory finding in the next 24 months is that remediation may not close the file. If the supervisor concludes that the underlying deficiency was systemic, the response timeline does not reset when the firm fixes the gap. It starts from the inspection. The Nordea timeline suggests that supervisors are willing to spend years building a record before referring upward.

That is a meaningful change in posture. It rewards firms that can demonstrate, with timestamped evidence, that their CDD reasoning has been substantive at every point in the customer lifecycle, not just at the point of remediation.

Funds, TCSPs, and the Same Question in a Different Shape

The purpose and intended nature requirement applies identically to Luxembourg management companies servicing AIFs, TCSPs providing directorship and domiciliation, and fund administrators handling capital activity for institutional investors. The product is different. The requirement is the same.

The questions a management company should be able to answer for every client are concrete. Why is this fund using this management company rather than another? What is the intended nature of the capital activity, given the fund's stated strategy? What would constitute a deviation from that intended pattern? The answers should be on file, dated, and refreshed at periodic review.

For TCSPs, the question is sharper. Why does this client need this corporate structure? What is the intended use of the directorship or domiciliation service? What is the relationship between the stated commercial rationale and the actual transaction pattern? The CSSF's 2026 update to the TCSP Sub-Sector Risk Assessment, which kept inherent ML risk at high while residual risk sits at medium, signals that this is exactly where supervisory attention is concentrating.

The Nordea case is not a Danish case. It is a preview of how European supervisors, eventually including AMLA in its 2028 supervisory cycle, will read the purpose and intended nature field.

The Field Was Always a Question

The discipline this requires is not a software upgrade or a new template. It is the willingness to treat purpose and intended nature as a question the firm has to answer about every customer, in writing, with reasoning the firm would stand behind in a criminal investigation three years later.

That is harder than it sounds. It cannot be done at scale by humans alone. It cannot be done by software alone either, because the question demands judgment about commercial rationale and intended use that a checklist cannot encode. The firms that will survive this supervisory cycle are the ones that have built a CDD architecture where the assessment of purpose is captured as a structured artefact, attached to specific evidence, and refreshed on a defined cadence.

The Nordea case did not change what the law required. The law has required this since AMLD4. The Nordea case changed what a supervisor is willing to do about it.

If you are reviewing how your CDD framework captures and refreshes the purpose and intended nature assessment, particularly for management company or TCSP portfolios under CSSF or FSC supervision, we can help you think through the architecture.