Key Laws and Regulations Governing the Swedish Banking Sector
A substantial portion of Swedish banking regulations is derived from EU directives and regulations, reflecting Sweden’s membership in the European Union. However, the primary domestic legislation governing the banking sector in Sweden is the Banking and Financing Business Act (SFS 2004:297). This act covers various aspects, including rules related to authorisation, governance, operations, corporate provisions, credit assessment, ownership, and supervision.
In terms of financial soundness, the Capital Requirements Regulation ((EU) 575/2013) (as amended by Regulation (EU) 2019/876 (CRR II)) (CRR) is directly applicable. Supplementing this regulation are two additional pieces of legislation: the Credit Institutions and Securities Companies (Special Supervision) Act (SFS 2014:968) and the Capital Buffers Act (SFS 2014:966), implementing the Fourth Capital Requirements Directive (2013/36/EU) (as amended by Directive (EU) 2019/878 (CRD V)) (CRD).
For recovery and resolution matters, the Resolution Act (SFS 2015:1016) is the pertinent national legislation implementing the Bank Recovery and Resolution Directive (2014/59/EU) (as amended by Directive (EU) 2019/879 (BRRD II)) (BRRD).
Other laws and regulations applicable to the banking sector, depending on specific services offered, include:
The Swedish Financial Supervisory Authority (SFSA) also issues regulations and general guidelines that complement fundamental rules. Regulations are binding, requiring compliance, while general guidelines offer recommendations on adherence to binding provisions.
Regulators
Supervision of Swedish banks involves multiple authorities: the SFSA, the Swedish Central Bank (Riksbanken), the Swedish National Debt Office (Riksgälden), and the Ministry of Finance (Finansdepartementet). These entities collectively form the Financial Stability Council, a forum for discussing financial stability and crisis measures. Decisions, however, are made independently by the government and relevant authorities.
SFSA
The SFSA is responsible for micro- and macro-level supervision of banks and conducts on-site inspections and requests information to analyse and control operations. It also monitors systemic risks, such as financial imbalances in the credit market.
Swedish Central Bank
With a mandate to promote a stable financial system, the Central Bank focuses on maintaining a secure payment system and addressing potential financial crises. Regular monitoring includes analysis of risks to the financial system’s stability, encompassing payment systems, major banking groups, borrower profiles, and macroeconomic developments.
Swedish National Debt Office
Tasked with managing banks in crisis and overseeing the deposit insurance scheme, the Swedish National Debt Office plays a critical role in financial stability.
Ministry of Finance
Responsible for formulating laws and regulations applicable to the financial system, the Ministry of Finance plays a key role in shaping the legal framework for the banking sector.
Types of Licences
Banking or financing operations, with some exceptions, may only be conducted following the granting of authorisation by the SFSA. The prerequisites for conducting banking or financing business are set out by the Banking and Financing Business Act (2004:297) and the Banking and Financing Business Ordinance (2004:329). Special rules for savings banks are set out in the Savings Banks Act (1987:619) and for members’ banks in the Members’ Banks Act (1995:1570).
Definitions
Banking business encompasses:
Financing business encompasses:
Foreign Banks
Credit institutions (which include both banks and credit market undertakings) domiciled in an EEA country may conduct business in Sweden either through a branch or by providing services in Sweden from their home country. Credit institutions domiciled in a non-EEA country may conduct business in Sweden through a branch or a representation office.
Activities and Services Covered
A bank may engage in a broad range of activities, which include, inter alia:
This list is merely illustrative, and consequently a bank may conduct other financing operations, as well as other operations, provided that these have a natural connection with the financing operations.
Conditions for Authorisation
A licence to conduct financing business may be granted to Swedish limited companies and co-operative associations. Such entities are referred to as credit market undertakings. A licence to conduct banking business may be granted to Swedish limited liability companies, co-operative associations, and savings banks.
Other general conditions that need to be fulfilled in order to have a licence granted include:
In conjunction with an assessment of whether a holder is suitable, such person’s reputation and financial strength shall be taken into consideration. It shall also be taken into consideration as to whether there is reason to believe that:
Filing Documents
The Banking and Financing Business Ordinance (2004:329) lays down the formalities that apply to the application and the information that should be included in the application. This is further outlined in the SFSA’s general guidelines (FFFS 2011:50) regarding an application for authorisation to conduct banking or financing business, which stipulate that the application shall include the following:
The business plan should contain, and have appended to it, the information set out below:
Application Process
The original application and one copy should be submitted to the SFSA. An additional copy should be furnished to the company’s auditor. Applicants must pay a fee of SEK1,400,000 in conjunction with the application.
Once the application has reached the SFSA, it becomes a matter and is assigned a reference number. An administrator is then appointed as responsible for the matter, and confirmation that the application has been received by the SFSA is sent out.
After the application fee has been paid, the administrator conducts a formal review of the application to verify if it is complete. If there are any formal deficiencies, the SFSA will request supplementary information. Once the application is deemed formally complete, the SFSA initiates its material review of the documentation to assess whether the conditions for the authorisation are met. The SFSA may, during the handling process, also request supplementary information before a decision is reached.
Provided that the application is formally complete and the fee has been paid, the SFSA will make a decision within six months.
Requirements Governing Change in Control
Prior to the acquisition of a qualifying holding of shares, an application for authorisation to acquire shares must be submitted to the SFSA.
A “qualifying holding” is defined as a direct or indirect holding that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise a significant influence over the management (eg, through a shareholder agreement). Authorisation is also required when a direct or indirect holding increases above a prescribed percentage of 20%, 30% or 50%, or which causes the undertaking to become a subsidiary. A notification shall be made to the SFSA if the holding decreases so that it falls below one of the mentioned thresholds (10%, 20%, 30% or 50%).
Authorisation must be obtained prior to the acquisition. Where the acquisition has occurred as a result of a division of joint marital property, testamentary disposition, corporate distribution, or any other similar measure, consent shall instead be required for the acquirer to retain the shares or participating interests. The acquirer shall thereupon apply for consent within six months of the acquisition.
Restrictions
There are currently no specific restrictions on private ownership or geographical restrictions on foreign ownership of Swedish banks. However, Sweden is introducing new legislation (the “FDI Act”) to give effect to the EU Screening Regulation (Regulation (EC) 2019/452) which will introduce a screening regime for certain foreign direct investment transactions. The purpose of such screening is to examine whether the relevant foreign investment may harm national security or public order. The FDI Act will enter into force on 1 December 2023 and will have a significant impact on investments. Any investment that falls within the scope of the FDI Act must, prior to closing, be approved, or subject to a decision of not taking any further actions, by the screening authority. Currently, there is uncertainty as to which financial institutions are considered to provide “protected activities” and subsequently to fall within the scope of the regime.
Factors to be Considered
Authorisation shall be granted for an acquisition where the acquirer is deemed suitable to exercise a significant influence over the management of a bank and it can be assumed that the anticipated acquisition is financially sound. Consideration shall be taken of the acquirer’s likely impact on the business of the bank.
In conjunction with the assessment, the acquirer’s reputation and financial strength shall be taken into consideration. It shall also be taken into consideration whether:
Information to Include in the Application
The SFSA’s regulations regarding ownership, ownership management and management assessment in credit institutions (FFFS 2023:13) set out the information that a company must submit to the SFSA in conjunction with ownership assessments. These regulations apply during ongoing ownership assessments, but are not applicable at the time of applying for authorisation. During the authorisation phase, the following applies: the Commission Delegated Regulation (EU) 2022/2580 of 17 June 2022 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards that specify the information to be submitted in a credit institute’s authorisation application and the factors that can prevent competent authorities from conducting efficient supervision.
The information to be submitted includes:
As a part of the ownership assessment, the SFSA collects information from, for example, the Swedish Police, the Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Enforcement Authority and firms that provide credit assessments.
Application Process
A decision of the SFSA regarding authorisation of an acquisition shall be issued within 60 working days after the confirmation has been sent (the evaluation period). Where the SFSA requests supplementary information, the evaluation period may be extended. The SFSA shall be deemed to have given consent to the acquisition where the authority has not issued a decision in respect of the application during the evaluation period. The fee is currently SEK30,800.
Governance Rules
The main corporate governance rules applicable to banks are set out in the SFSA’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control. The guidelines on internal governance issued by the European Banking Authority (EBA) (EBA/GL/2021/05) are also applicable in relation to banks’ governance arrangements, including their organisational structure and the corresponding lines of responsibility, processes to identify, manage, monitor and report all risks they are or might be exposed to, and the internal control framework. Due to domestic legislation being incompatible with the guidelines in a few areas, some of the provisions (nomination committee and independent board members) are not applicable.
The main governance rules are summarised below.
General organisational requirements
The company shall ensure that it has an appropriate, transparent organisational structure with a clear allocation of functions and areas of responsibility that ensure sound and efficient governance of the undertaking and enable the SFSA to conduct efficient supervision.
The responsibility of the board of directors and the managing director
When the board of directors establishes the company’s strategies, it shall observe long-term financial interests, the risks to which the company is or could perceivably become exposed, and the capital required to cover its risks. Board members shall have sound knowledge and understanding of the company’s organisational structure and processes in order to ensure that they are consistent with the decided strategies. Board members shall be thoroughly familiar with and knowledgeable about the operations and the nature and scope of the risks.
The board of directors or managing director shall regularly review and assess the efficiency of the organisational structure, procedures, measures, methods, etc, as established by the company to comply with laws and other statutes regulating the operations that are subject to authorisation. The board of directors or managing director shall also take appropriate measures for addressing any deficiencies therein.
Ethical rules
The company shall conduct its operations in an ethically responsible and professional manner, and maintain a sound risk culture.
Conflicts of interest in the operations
The company shall identify and address any conflicts of interest that exist or which could perceivably arise in the operations. The company shall have internal rules specifying how it addresses conflicts of interest. The internal rules shall be appropriate, taking into account the size and organisation of the company and the nature, scope and complexity of the operations.
Risk management
The company shall have a risk management framework containing the strategies, processes, procedures, internal rules, limits, controls and reporting procedures required to ensure that the company may, on an ongoing basis, identify, measure, govern, internally report and exercise control of the risks to which it is or could perceivably become exposed.
Control functions
The company shall have a risk control function, a compliance function and an internal audit function. The control functions shall, in organisational terms, be separate from each other. In smaller companies with less complex operations, the risk control function and the compliance function may be combined.
Outsourcing arrangements
The company shall have internal rules for managing its outsourcing agreements. The company shall exercise due skill, care and diligence when entering into, managing and terminating outsourcing agreements relating to work or functions of material significance to the operations.
Regulatory Approval of Appointment
The main requirements applicable to senior management are set out in the Banking and Financing Business Act (SFS 2004:297), which stipulates that any person who is to serve on the board of directors or serve as managing director, or be an alternate for any of the aforesaid, must possess sufficient insight and experience to participate in the management of a bank and be otherwise suitable for such duties, and that the board of directors as a whole must have sufficient expertise and experience to run the company.
Swedish banks are also, except for certain provisions, subject to the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders (ESMA35-36-2319 and EBA/GL/2021/06), which further outline the requirements regarding the suitability of members of the management body.
An application regarding suitability assessment must be filed with the SFSA in connection with appointing a new person or making changes to the following positions in the bank:
As a part of the suitability assessment, the SFSA collects information from the Swedish Police, the Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Enforcement Authority and firms that provide credit assessments. Other information and documents that need to be included in the application are:
A decision of the SFSA shall be issued within 60 working days provided that the application is complete, and the fee of SEK16,800 has been paid.
For every change to the board of directors, the company must assess whether the board as a whole has the requisite knowledge and experience to manage the company.
Accountability
In terms of accountability, the board of directors of a bank has the overall responsibility to ensure the fulfilment of the provisions regulating the business of a bank.
The SFSA may intervene against a person who is a member of a bank’s board of directors or is its managing director, or an alternate for any such person, where the bank has violated certain obligations pursuant to the business. Intervention may only take place where infringement is serious and the person in question caused the infringement intentionally or through gross negligence.
In addition, senior management may also have to compensate damages caused to the company, the shareholders or other persons due to infringements of the Banking and Financing Business Act (SFS 2004:297) and the Companies Act (SFS 2005:551) – provided, however, that the damages are caused intentionally or negligently.
General
Requirements for the remuneration policies and practices of banks licensed in Sweden are governed by the SFSA’s regulations (FFFS 2011:1) regarding remuneration structures in credit institutions, investment firms and fund management companies licensed to conduct discretionary portfolio management.
The regulation stipulates that the board of the bank shall establish a documented remuneration policy that is in line with and promotes sound and effective risk management and counteracts excessive risk-taking behaviour. The remuneration policy shall encompass all employees.
The board of directors shall decide on:
The decision of the board of directors shall, where applicable, comply with decisions made by the Annual General Meeting with regard to the company’s remuneration.
The total variable remuneration shall not limit the ability of the company to maintain, or strengthen as needed, a sufficient capital base. The control function shall annually review the company’s remuneration structure for compliance with the remuneration policy.
Remuneration Structure
Where a company’s remuneration contains variable components, it shall ensure that the fixed and variable components are appropriately balanced. The fixed components shall represent a sufficiently large portion of the employee’s total remuneration that the variable components can be set at zero.
The performance assessment used to calculate variable remuneration components shall primarily be based on risk-adjusted profit measures. Both current and future risks shall be considered. Actual costs of the capital and the liquidity required for the business activities shall also be taken into account.
Specially Regulated Staff
Senior management and employees in the following categories of staff are identified as specially regulated staff:
A risk taker is an employee belonging to a category of staff whose professional activities can have a material impact on the firm’s risk level. This normally refers to employees who can enter into agreements or take positions on behalf of the firm or in any other way impact the firm’s risks.
Variable remuneration to specially regulated staff shall be based on both the employee’s performance and the overall performance of both the business unit and the company. Both financial and non-financial criteria shall be considered in the assessment of the employee’s performance. The variable compensation for this category may not exceed the fixed compensation.
The company shall ensure that at least 40% of the variable remuneration to specially regulated staff, whose variable remuneration over a period of one year totals at least SEK100,000, is deferred over a period of not less than three to five years before it is paid or the right of ownership passes to the employee. The company shall also defer at least 60% of the variable remuneration for members of senior management and other employees belonging to the firm’s specially regulated staff with particularly high amounts of variable remuneration.
A significant bank shall ensure that at least 50% of the variable remuneration to a member of senior management consists of the firm’s shares, participations or instruments linked to the firm’s shares or participations, or other instruments that fulfil the conditions for Tier 1 capital contributions. Where appropriate and possible, the company shall allow the variable remuneration components within the meaning of the foregoing.
A significant bank shall ensure that the shares, participations and other instruments are subject to restrictions such that the employee may not exercise control over the instruments for at least one year, or longer depending on the bank’s long-term interests, after the ownership rights to the instrument have passed to the employee. This applies regardless of whether the variable remuneration has been deferred or not.
The company shall ensure that deferred variable remuneration components are only paid or passed to the employee to an extent justifiable by the financial situation and the performance of the company, the business unit in question and the employee. The deferred portion of the remuneration shall also be able to be cancelled in full for the same reasons.
Breaching the Requirements
Where a bank violates the requirements in the foregoing, the SFSA has the authority to, and shall, intervene. Depending on the specific circumstances at hand, the board of directors may also be liable for damages.
The main AML and CTF legislation in Sweden is the Money Laundering and Terrorist Financing (Prevention) Act (SFS 2017:630), transposing the fourth EU Anti-Money Laundering Directive ((EU) 2015/849) (as amended by the fifth EU Anti-Money Laundering Directive (2018/843/EU)). This is further accompanied by the SFSA’s regulations (FFFS 2017:11) regarding measures against money laundering and terrorist financing.
The regulations impose a range of obligations on banks including:
In addition, banks in Sweden should adhere to the EBA’s guidelines on the use of remote customer onboarding solutions (EBA/GL/2022/15), the EBA’s guidelines on the role of AML/CFT compliance officers (EBA/GL/2022/05) as well as the EBA’s guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risks associated with individual business relationships and occasional transactions (EBA/GL/2021/02).
Banks are further required to comply with the various international financial sanctions that stem from the EU and the United Nations.
The Swedish deposit insurance scheme was introduced in 1996 and the responsible competent authority is the Swedish National Debt Office. The deposit insurance scheme has been extended on several occasions and today all deposits in banks and credit market institutions are covered.
Deposit insurance applies to all private persons (including minors), as well as companies and other legal persons, such as the estate of a deceased person. However, financial institutions, and public and local authorities are not eligible for compensation.
All types of accounts are covered by the deposit insurance regardless of whether they are restricted or free to withdraw. However, individual pension accounts are not covered. Deposit insurance also does not apply to bank money orders (cashier’s cheques) because these fall outside the definition of deposits under the Deposit Insurance Act (SFS 1995:1571).
For client accounts, the main rule is that every underlying individual owner of the money receives compensation up to the maximum amount covered. A client account is an account whereby a company has deposited money for several customers in a single account.
If the account is covered by the deposit insurance, a depositor is entitled to compensation equal to the amount deposited, including interest, up to the date on which the institution was declared in default or the decision to activate the deposit guarantee scheme was made. The insurance provides compensation of up to SEK1,050,000 per depositor. If an account is opened in two or more persons’ names, each person is counted separately.
The deposit insurance scheme is financed by contributions from the member banks and institutions, which are invested in a fund. The fees are calculated based on a number of risk indicators and the institution’s guaranteed deposits as of 31 December of the previous year. The institution’s fee is also affected by the fact that the total fee must amount to 0.1% of total guaranteed deposits. Based on the risk indicators, a risk score is calculated for each institution. Based on the risk score, the institutions are then divided into different risk classes. The institution’s risk class and size of guaranteed deposits then determine which fee the institution must pay.
Duty of Confidentiality
An individual’s relationship with a bank may not be disclosed without authorisation (this includes both physical and legal persons). Bank confidentiality includes all information between the individual and the bank, both written and oral. This also includes whether or not a certain individual is an actual customer at the bank.
However, the duty of confidentiality is not strict, and exceptions can be made when:
For example, the Swedish Parental Code (SFS 2008:913) contains provisions regarding the obligation of banks to provide information to the chief guardian. A bank is also obliged to disclose information regarding an individual’s relations with the bank where such information is requested by the investigating officer in the course of an investigation pursuant to the provisions regarding preliminary investigations in criminal actions, by the public prosecutor in a matter pertaining to legal assistance in criminal actions, on application by another country or an international court, or in a matter pertaining to recognition and execution of a European Information Order.
Additional statutory obligations to provide information on individuals’ relationships with banks include, inter alia:
Violation of bank secrecy is, depending on the relevant circumstances, punished by:
Capital Requirements
The capital requirements in Sweden are based on principles designed by the Basel Committee, which have been implemented through the EU capital adequacy regulations, Swedish laws, and SFSA’s regulations. The principles contain minimum own funds requirements (Pillar 1), additional own funds requirements (Pillar 2), and combined buffer requirements.
Pillar 1
Banks measure their risks and calculate minimum own funds requirements following the rules and calculation models set out in the EU Capital Requirements Regulation (575/2013/EU).
The minimum own funds requirement is 8% of the value of the bank’s assets and other assumptions adjusted for their risk, which is called the risk-weighted exposure amount (REA). The requirement is calculated for credit risks, market risks, and operational risks.
Pillar 2
Banks must hold capital that adequately covers all risks to which they are or may be exposed. To ensure that a bank knows which risks it can be exposed to, there are rules set out in the Banking and Financing Business Act (2004:297) that require a bank to identify, measure, govern, internally report, and exercise control over the risks associated with the bank’s business.
The banks must evaluate their capital need for non-Pillar 1 risks in what is called the Internal Capital Adequacy Assessment Process (ICAAP) and determine their total capital need. The SFSA conducts a supervisory review and evaluation process (SREP) for the bank’s governance structures, processes and procedures related to its ICAAP and assesses the bank’s risks and capital needs. After an SREP, the SFSA decides on an additional own funds requirement and provides guidance on additional own funds. The bank’s and the SFSA’s risk and capital assessments are both parts of the Pillar 2 framework.
Combined buffer requirement
Requirements for maintaining different types of capital buffers are set out in the Capital Buffers Act (2014:966). A bank may use the buffers, although only in specific circumstances and subject to restrictions.
Capital conservation buffer
Banks must hold a 2.5% capital conservation buffer in addition to the minimum own funds requirements and the additional own funds requirements. The buffer is an additional layer of capital that the bank should be able to use to cover losses without breaching the minimum capital requirements and additional capital requirements.
Capital buffer for systemically important banks
The SFSA evaluates annually which of the Swedish banks are systemically important and which must hold a buffer designed to provide extra protection to mitigate negative effects that problems in the bank could cause in the financial system. Systemically important banks must hold an institution-specific capital buffer of 1%.
Systemic risk buffer
This buffer must protect against systemic risks that are not covered by other capital requirements. Every other year the SFSA reviews the systemic risk buffer and which banks are subject to it. Banks subject to the requirement must hold a systemic risk buffer of 3%.
Countercyclical capital buffer
During periods of strong economic growth and high credit growth, banks should build up capital buffers that they can then draw upon during periods of financial uncertainty. The objective of the countercyclical capital buffer is to enhance the banks’ resilience and prevent future financial crises. The SFSA sets the countercyclical capital buffer quarterly based on the current economic conditions.
Liquidity Requirements
Since 1 January 2018, binding EU regulations apply in full (CRR and the liquidity coverage requirement regulation (EU) 61/2015 (LCR)). These set out the following requirements:
Quantitative requirement for liquidity coverage (Pillar 1)
The EU regulation imposes a 100% Liquidity Coverage Ratio (LCR) requirement, meaning that an institution must have a sufficient amount of liquid assets to withstand actual and simulated cash outflows during a stressed period of 30 days.
The Pillar 1 requirement in EU regulation is not expressed in individual currency levels, but the regulation imposes a general requirement that the currency composition of the liquidity buffer should align with the net outflows per currency. If there is an imbalance between the currency composition of the liquidity buffer and the net outflows in individual currencies, the supervisory authority may require a bank to limit the imbalance by setting limits on the proportion of liquid assets in one currency that a bank can count towards covering liquidity outflows in another currency.
Quantitative requirement for the stable net financing ratio (Pillar 1)
In addition to the binding minimum requirement for the LCR, there has been a binding requirement for the stable net financing ratio (NSFR) in EU regulations since 2021. The NSFR requirement means that a company must have sufficient stable funding to cover its financing needs over a one-year horizon under both normal and stressed conditions. The NSFR requirement in EU regulations is set at 100%.
Risk Management
The SFSA’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions apply to Swedish banks and impose an obligation on banks to ensure they have an appropriate, transparent organisational structure with a clear allocation of functions and areas of responsibility that ensure sound and efficient governance of the undertaking and enable the SFSA to conduct efficient supervision.
Banks need to have a risk management framework containing the strategies, processes, procedures, internal rules, limits, controls and reporting procedures required to ensure that the company may, on an ongoing basis, identify, measure, govern, internally report and exercise control of the risks to which it is or could perceivably become exposed.
Banks must further have a procedure for regularly reporting the risks that exist or which could perceivably arise in the operations to the board of directors and the risk committee, if such has been appointed, the managing director and other functions that require such information, so that they receive reliable, current and complete reports in a timely manner.
A bank must set clear boundaries (limits and mandates) for the person who is to make decisions within the framework of the company’s risk appetite.
Swedish Developments
In November 2022, the Swedish Central Bank (SCB) published a report on banks’ transparency requirements and Pillar 3. The report highlights a growing but still insufficient understanding of the impact of climate change on living conditions and the economic system. It emphasises the critical gap in knowledge about climate change and the financial system’s role. This gap is particularly concerning given the potential for significant negative impacts on the financial system and the crucial role the financial sector can play in mitigating and managing the effects of climate change.
For several consecutive years, the SFSA has had sustainable finance as a prioritised area of supervision, covering issues such as the risk of greenwashing or not fully taking climate-related risks into account when assessing risks in financial activities. Even though sustainability was not specifically mentioned as a prioritised area for supervision in 2024, it is evident that the SFSA has continued to focus on this.
For example, as part of a common supervisory activity initiated by ESMA, the SFSA started an in-depth analysis in September 2024, focusing on how Swedish banks and investment firms take consumers’ preferences on sustainability into account when providing investment advice and portfolio management.
A key development in Sweden with regard to the ESG regulatory framework is that the implementation of the Corporate Sustainability Reporting Directive (CSRD) was delayed, and the national rules started applying from 1 July 2024 instead of 1 January 2024. As a consequence, most large companies (depending on the financial year) that are first to report will not have to do so until 2026, for the financial year of 2025.
EU Developments
The regulatory framework for ESG-related issues is growing in the financial sector. Although the main focus so far has been on channelling investments into sustainable finance projects, there are several initiatives also affecting the banking sector.
The sector-agnostic European Sustainability Reporting Standards (ESRS) developed by the European Commission’s expert group, the European Financial Reporting Advisory Group (EFRAG), came into force and started applying from 1 January 2024. During 2024, EFRAG also published its XBRL Taxonomy for the first set of ESRS, which enables digital tagging.
In December 2023, the EBA responded to the European Commission’s request for advice on green loans and mortgages by proposing a voluntary EU green loan label, addressing the currently limited share of green lending in the banking sector. The proposal recommended a flexible framework based on the EU Taxonomy while maintaining alignment with environmental objectives, suggesting that the label should provide clear information about long-term benefits of energy-efficient investments and available financial support schemes. Additionally, the EBA recommended incorporating green mortgage concepts into the Mortgage Credit Directive, including energy performance certificates in pre-contractual information and enhancing related competencies. These recommendations, developed from a survey of 83 credit institutions across 27 EEA countries, aim to boost green lending, particularly in building renovation and SME sectors, to help achieve the EU’s sustainability objectives.
In June 2024, the European Supervisory Authorities (ESAs) outlined their unified approach to addressing greenwashing. The EBA’s final report specifically highlighted a concerning increase in greenwashing cases in 2023 (+21.1% globally, +26.1% in EU), emphasising its growing impact on banks, investment firms, and payment service providers. While the EBA believes the current regulatory framework provides adequate foundations to address greenwashing, they recommended that institutions implement specific measures at both entity and product levels to ensure accuracy and clarity in sustainability claims, and that competent authorities continue their supervisory efforts. The ESAs acknowledged that effectively combating greenwashing requires global co-operation and interoperable sustainability disclosure standards, with a focus on maintaining market confidence and investor trust as the financial sector transitions toward sustainability.
National legislative measures related to DORA
As of 17 January 2025, the rules set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) will apply within the Union, meaning that the vast majority of financial undertakings, in particular including undertakings operating under the Swedish Banking and Financing Business Act (SFS 2004:297), will be subject to DORA. Together with the DORA Regulation, amendments were made to several EU directives in the field of financial markets by Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector (the Amending Directive). For Sweden, DORA and the Amending Directive mean that certain national legislative measures need to be taken to ensure necessary implementation and enforcement. Against this background, the Swedish government has proposed several legislative measures, which, since 15 August 2024, have been undergoing a consultation procedure with the Council on Legislation (Lagrådet).
The said proposals for legislative measures consist of proposals for legislative amendments to adapt Swedish law to the regulatory framework of DORA, such as amendments to avoid overlapping regulation, and proposals to introduce a new law with supplementary provisions to DORA. The proposed new law contains, among other things, provisions on responsible authorities for threat-based penetration tests, the SFSA’s supervisory powers, interventions and sanctions in the event of breaches of DORA, and fees to finance the SFSA’s and the Swedish Central Bank’s (Riksbanken) activities under DORA. The proposed legislative amendments include the Banking and Financing Business Act (SFS 2004:297) and mainly concern clarifications on compliance with the applicable rules in DORA and certain intervention powers for the SFSA. The proposed powers of intervention stipulate that the SFSA shall intervene against any member of the board of directors of a credit institution or its managing director, or the deputy of any of them, if the credit institution has failed to comply with its obligations under any of Articles 5-10, 11(1)-11(10), 12-14, 16(1), 16(2), 17, 18(1), 18(2), 19(1), 19(3), 19(4), 23-25, 26(1)-26(8), 27, 28(1)-28(8), 29, 30(1)-30(4), 31(12) or 45 of DORA.
Furthermore, on 4 September 2024, the SFSA published a consultation draft containing a proposal for new regulations setting out rules on the technical format in which undertakings must report major ICT-related incidents under Article 19(1) DORA, notify significant cyber threats under Article 19(2) DORA, and report information on third-party ICT service providers under Article 28(3) DORA (Information Register) and when this information must be provided. According to the proposal, undertakings must report the Information Register by 28 February 2025, and annually by the same date.
The main upcoming regulatory developments are outlined below.
Sweden
EU
Engelbrektsplan 1
Box 7225
103 89 Stockholm
Sweden
+46 8 20 40 11
info@harvestadvokat.se www.harvestadvokat.se
Introduction
In recent years, the Swedish financial sector has been subject to several new regulations as well as supervisory activities affecting the market and the financial institutions conducting business operations in Sweden. In this respect, three specific areas will be highlighted.
Firstly, the sustainable finance framework has been in focus for quite some time and continues to be a main area of relevance, not only from a regulatory standpoint, but also from a business perspective.
Secondly, recent court rulings on credit assessments have highlighted the requirements for creditors to obtain sufficient information when granting consumer loans.
Lastly, the Swedish Financial Supervisory Authority (SFSA) has continued to exercise a high degree of supervisory oversight, leading to the imposition of significant sanctions and the adoption of evolving practices within the financial market.
The Sustainable Finance Regulatory Framework
Sustainability practices in Sweden
Sweden has a long history in sustainable finance, as demonstrated by the pervasive commitment among its financial institutions to integrate sustainability principles into their daily operations and corporate identities.
In the asset management sector, fund managers have voluntarily disclosed their funds’ sustainability profiles, responding to the growing consumer appetite for sustainable asset management. However, since the implementation of the Sustainable Finance Disclosure Regulation (SFDR) on 10 March 2021, the integration of even more stringent sustainability considerations into investment processes for financial products, particularly funds, has progressed at a relatively moderate pace. As the regulatory landscape is quite complex, asset managers have struggled with correctly implementing and handling the disclosure requirements.
The banking sector in Sweden has long been attuned to sustainability, evident in products like green mortgages and sustainability-linked loans. In recent years, banks have significantly expanded their sustainability departments, mirroring a broader industry trend. Despite these efforts, a discernible gap remains between the asset management sector and the loan operations of Swedish banks in terms of sustainability integration. The surge in customer interest in “green” banking solutions extends beyond private customers, indicating both a need for further improvements and the potential to generate business value in this area.
Activities by the regulator
The SFSA has long prioritised sustainability issues, and the introduction of the SFDR has further propelled the SFSA to take a leading role in international efforts aimed at standardising reporting for all companies (ie, not only financial institutions). Even though sustainability was not explicitly mentioned as a prioritised area for supervision in 2024, it is evident that the SFSA has continued to focus on this.
For example, in March 2024, the SFSA made a public statement saying that financial market participants must accelerate their sustainability efforts. The statement particularly emphasised the need for improved competency in sustainability issues at all organisational levels, better risk identification related to climate change, and stronger board engagement, acknowledging that while new regulations are complex, this should not prevent companies from taking action on existing requirements. Also, in September 2024, as part of a common supervisory activity initiated by ESMA, the SFSA initiated an in-depth analysis focusing on how Swedish banks and investment firms take consumers’ preferences on sustainability into account when providing investment advice and portfolio management.
Furthermore, in June 2024, the SFSA announced that it is conducting an in-depth analysis of how larger credit institutions disclose sustainability risk information, following the EBA 2022 requirements for standardised reporting. The analysis focuses on seven Swedish institutions that have issued securities in public markets, examining both their annual reports and Pillar 3 reporting under capital adequacy regulations, which includes standardised templates for metrics like the Green Asset Ratio (GAR). While the implementation of these templates is being phased in through 2024, with the first supervisory reporting due in June 2024, the SFSA’s analysis aims to assess how this sustainability information can be systematically used in supervision and verify consistency across different reporting channels. Although this internal analysis will not involve direct communication with supervised entities, findings will be shared individually with affected banks through supervisory dialogue, with the possibility of public reporting if the conclusions are deemed of general interest.
The SFSA has also identified climate transition risks in Swedish banks’ loan portfolios through an analysis matching banks’ lending to individual companies with emissions data from companies participating in the EU’s Emissions Trading System (EU ETS). While the analysis shows that banks’ overall lending to companies in the EU ETS is limited, the SFSA has emphasised that banks need to continue incorporating climate risks into their risk management and lending practices for financial stability. The study, which used the Swedish Central Bank’s (Riksbanken) credit database and EU ETS data, acknowledges its limitations due to restricted data availability and suggests that total transition risks are likely higher than indicated, prompting the SFSA to follow up with affected banks and incorporate findings into future reviews of banks’ transition plans.
The Corporate Sustainability Reporting Directive
A major regulatory cloud on the horizon, not only for financial institutions, is the Corporate Sustainability Reporting Directive (the CSRD). This directive initially applies to large listed companies. Subsequently, all other large companies and, eventually, all listed companies, barring micro-cap companies, will be brought under its purview in the coming years. However, the Swedish implementation of the directive was delayed and the national rules started applying from 1 July 2024 instead of 1 January 2024. As a consequence, most large listed companies (depending on the financial year) that are first to report will not have to do so until 2026, for the financial year of 2025.
The CSRD will impose comprehensive standardised sustainability reporting obligations in accordance with the European Sustainability Reporting Standards (the ESRS) developed by the European Financial Reporting Advisory Group (EFRAG). The ESRS will include twelve general (two cross-cutting and ten topical standards relating to environmental, social and governance) and 41 sector-specific standards. The directive’s broad scope means that even entities not immediately subject to these requirements – notably, businesses other than large listed companies who are first in line for compliance – should begin their preparatory efforts at the earliest opportunity to ensure alignment with these upcoming regulations.
However, Swedish companies should be relatively well prepared for the coming reporting obligations. The main reason for this is that Sweden implemented the current Non-Financial Reporting Directive (the NFRD, which is to be replaced by the CSRD) with a so-called gold plating, meaning that companies with an average of more than 250 employees over the last two financial years are subject to reporting, as opposed to the more generous criteria of more than 500 employees in the NFRD (the NFRD is a so-called minimum harmonisation directive). As such, many larger companies are already used to providing sustainability reports. However, it is important to note that under the CSRD, these reports will need to adhere to new and more extensive standards of reporting.
Looking ahead
The upcoming Corporate Sustainability Due Diligence Directive (the CSDDD) is a crucial piece of legislation in the realm of ESG, holding significant implications for market practitioners. The CSDDD complements the CSRD with rules on how companies should conduct due diligence on their operations and supply chains to mitigate adverse impacts on the environment and human rights. This information is integral to the reporting requirements of the CSRD.
Summary
To summarise, early adoption of ESG in business models has given Swedish financial companies somewhat of a head start in further integrating sustainability into their organisations. Also, the proactive implementation of the previous reporting obligations under the NFRD has equipped some larger companies to handle the more comprehensive reporting requirements that will be introduced with the CSRD. Furthermore, the SFSA is continuing to be active in its supervisory activities. These increased supervisory measures have, thus far, been broadly focused, allowing these authorities to gauge the financial industry’s progress and adaptation to the evolving sustainability landscape.
Sufficient Information in Credit Assessments
Background
In 2022, the SFSA imposed administrative fines on two Swedish banks, Svea Bank AB and Resurs Bank AB, for failing to obtain sufficient information to assess their customers’ creditworthiness. The fines amounted to SEK50 and 45 million respectively (approximately EUR4.4 and 3.9 million).
The sufficient information requirement is stated in the Consumer Credit Directive 2008/48/EC and has been implemented in Sweden through the Consumer Credit Act without any further specification of the information to be collected in order to be considered sufficient.
The SFSA’s decisions
The SFSA claimed that Svea Bank AB did not have a complete picture of its customers’ financial situation since the bank had not considered all of its customers’ debt and expenses, but merely such information that had been provided in external credit reports.
As regards Resurs Bank AB, the SFSA claimed that the information was insufficient since the bank had failed to carry out sufficient checks on the income information provided by the customers.
Court rulings
The banks appealed the SFSA’s decisions to the Administrative Court, which in both cases determined that the banks’ procedures at the time were based on extensive verified information regarding their customers’ financial situation. The Administrative Court also stated that the actual outcome of a lender’s credit check is relevant for assessing whether the collected information is sufficient or not. As a result, the court concluded that the SFSA’s decisions to issue remarks together with administrative fines were not justified and should therefore be annulled. The SFSA appealed the Administrative Court’s rulings in the cases to the Administrative Court of Appeal. The Administrative Court of Appeal granted the SFSA’s appeals of the Administrative Court’s rulings and upheld the SFSA’s decisions against Resurs Bank AB and Svea Bank AB. The banks have appealed the rulings to the Supreme Administrative Court.
The new Consumer Credit Directive
The Swedish government is aiming to publish its plans to implement the newly adopted and revised Consumer Credit Directive in October 2024. The new directive has a broader scope, further marketing, information and credit assessment requirements, as well as rules on credit advisory services and staff proficiency.
Conclusion
The cases against Resurs Bank AB and Svea Bank AB, and the rulings in the various instances, demonstrate that it is still not clear what information lenders need to obtain and assess before approving a credit according to the Consumer Credit Act. To date, it remains to be seen whether the Supreme Administrative Court grants leave to appeal against the rulings. However, the size of the administrative fines from the SFSA shows that the SFSA is serious about its consumer protection agenda. Moreover, the SFSA has announced that it will continue to review, for example, the credit assessments of consumer credit institutions, with a particular focus on consumer credit institutions that largely provide high-cost credit since such credit often leads to payment problems. Furthermore, the SFSA has, during 2024, initiated investigations of several financial institutions to examine how the institutions assessed consumers’ ability to repay their loans. There is thus a high level of activity from many different actors, not least the SFSA, to curb over-indebtedness in Sweden.
Supervisory Activities on AML/CFT Compliance
Background
The SFSA has continued to be very active with supervisory activities regarding AML/CFT. In recent years, the SFSA has initiated several investigations into the AML/CFT routines and processes at financial institutions to prevent money laundering and terrorist financing. Several of these investigations are still ongoing and concern banks as well as Swedish branches of banks that are licensed in other countries within the EEA.
A couple of recent sanction decisions made by the SFSA will now be looked at more closely.
Decision regarding Aros Kapital AB (credit market company) monitoring and the use of risk models
In December 2023, the SFSA issued a warning and imposed a SEK45 million (approximately EUR4.1 million) administrative fine on the Swedish credit market company Aros Kapital AB. The decision concerned the company’s compliance in several areas, including AML/CFT, where the SFSA focused on the company’s general risk assessment, risk assessment of customers, routines for the validation process and measures for customer due diligence.
The SFSA reviewed, among other things, the company’s general risk assessment, documentation regarding the company’s model for risk assessment of customers, routines for the validation process as well as routines and guidelines regarding risk assessment of customers and customer due diligence measures.
Furthermore, the SFSA reviewed a large number of customer files with associated documentation. The SFSA selected customer files where, during the investigation period, the customers had generated alarms in the company’s transaction monitoring system or had been reported to the Police Authority for suspicious transactions or activities. In addition, the SFSA reviewed files for customers who were associated with one or more of the high-risk factors that Aros Kapital AB had indicated in its general risk assessment.
With regard to the AML/CFT regulations, the SFSA identified shortcomings in the company’s general risk assessment, risk assessment of customers and measures for customer due diligence.
Decision regarding Loomis Sverige AB (payment institution)
In June 2024, the SFSA issued a remark and imposed a SEK40 million (approximately EUR3.6 million) administrative fine on the Swedish payment institution Loomis Sverige AB. The SFSA investigated the company’s compliance with certain central provisions in the AML/CFT regulations in its enumeration activities. The investigation showed that the company had violated several requirements.
Loomis Sverige AB had deficiencies in its general risk assessment, which is of central importance to the work of preventing money laundering. The assessment of geographical risks was insufficient and the company had not sufficiently considered which customers were engaged in cash-intensive businesses and the risks associated with them.
Furthermore, the company’s risk assessments of customers were insufficient, as the company had not made individual assessments of whether the customers run cash-intensive businesses and what risks are associated with that type of operation. There were also deficiencies in the company’s basic and enhanced customer due diligence measures. In some cases, the company had not collected any information at all about its business relationships. During the investigation period, Loomis Sverige AB had handled cash deposits of SEK11.7 billion from foreign banks, but had not taken sufficient measures to check the origin of these funds.
Summary
The SFSA has continued to actively supervise financial institutions with regard to AML/CFT compliance, resulting in hefty sanctions. Also, the SFSA’s position on general risk assessments has advanced. These are both clear signals that financial institutions need to make their AML/CFT procedures a high priority to avoid being subject to fines and reputational risk.