Key Laws and Regulations Governing the Swedish Banking Sector

A substantial portion of Swedish banking regulations is derived from EU directives and regulations, reflecting Sweden’s membership in the European Union. However, the primary domestic legislation governing the banking sector in Sweden is the Banking and Financing Business Act (SFS 2004:297). This Act covers various aspects, including rules related to authorisation, governance, operations, corporate provisions, credit assessment, ownership, and supervision.

In terms of financial soundness, the Capital Requirements Regulation ((EU) 575/2013) (as amended by Regulation (EU) 2019/876 (CRR II)) (CRR) is directly applicable. Supplementing this regulation are two additional pieces of legislation: the Credit Institutions and Securities Companies (Special Supervision) Act (SFS 2014:968) and the Capital Buffers Act (SFS 2014:966), implementing the Fourth Capital Requirements Directive (2013/36/EU) (as amended by Directive (EU) 2019/878 (CRD V)) (CRD).

For recovery and resolution matters, the Resolution Act (SFS 2015:1016) is the pertinent national legislation implementing the Bank Recovery and Resolution Directive (2014/59/EU) (as amended by Directive (EU) 2019/879 (BRRD II)) (BRRD).

Other laws and regulations applicable to the banking sector, depending on specific services offered, include:

• Money Laundering and Terrorist Financing (Prevention) Act (SFS 2017:630);
• Payment Services Act (SFS 2010:751);
• Electronic Money Act (SFS 2011:755);
• Securities Market Act (SFS 2007:528);
• Investment Funds Act (SFS 2004:46);
• Alternative Investment Fund Managers Act (SFS 2013:561);
• Mortgage Business Act (SFS 2016:1024);
• Certain Consumer Credit-related Operations Act (SFS 2014:275);
• Insurance Distribution Act (SFS 2018:1219);
• Consumer Credit Act (SFS 2010:1846);
• Debt Collection Act (SFS 1974:182);
• Purchase and Servicing of Non-Performing Credit Agreements Act (SFS 2023:714);
• Deposit Business Act (SFS 2004:299);
• Covered Bonds (Issuance) Act (2003:1223); and
• Act (2023:254) on the availability of certain products and services.

The Swedish Financial Supervisory Authority (SFSA) also issues regulations and general guidelines that complement fundamental rules. Regulations are binding and require compliance, while general guidelines offer recommendations for adherence to binding provisions.

Regulators

Supervision of Swedish banks involves multiple authorities: the SFSA, the Swedish Central Bank (Riksbanken), the Swedish National Debt Office (Riksgälden), and the Ministry of Finance (Finansdepartementet). These entities collectively form the Financial Stability Council, a forum for discussing financial stability and crisis measures. Decisions, however, are made independently by the government and relevant authorities.

SFSA

The SFSA is responsible for micro- and macro-level supervision of banks and conducts on-site inspections and requests information to analyse and control operations. It also monitors systemic risks, such as financial imbalances in the credit market.

Swedish Central Bank

With a mandate to promote a stable financial system, the Central Bank focuses on maintaining a secure payment system and addressing potential financial crises. Regular monitoring includes analysis of risks to the financial system’s stability, encompassing payment systems, major banking groups, borrower profiles, and macroeconomic developments.

Swedish National Debt Office

Tasked with managing banks in crisis and overseeing the deposit insurance scheme, the Swedish Debt Office plays a critical role in financial stability.

Ministry of Finance

Responsible for formulating laws and regulations applicable to the financial system, the Ministry of Finance plays a key role in shaping the legal framework for the banking sector.

Types of Licences

Banking and financing operations, with certain exceptions, may only be conducted after obtaining authorisation from the SFSA. The prerequisites for conducting banking or financing business are set out by the Banking and Financing Business Act (2004:297) and the Banking and Financing Business Ordinance (2004:329). Special rules for savings banks are set out in the Savings Banks Act (1987:619) and for members’ banks in the Members’ Banks Act (1995:1570).

Definitions

Banking business encompasses:

• payment services via general payment systems; and
• receipt of funds which, following notice of termination, are available to the creditor within not more than 30 days.

Financing business encompasses:

• accepting repayable funds from the public; and
• granting loans, providing guarantees for loans or, for financing purposes, acquiring claims or granting rights of use in personal property (leasing).

Foreign Banks

Credit institutions (which include both banks and credit market undertakings) domiciled in an EEA country may conduct business in Sweden either through a branch or by providing services in Sweden from their home country. Credit institutions domiciled in a non-EEA country may conduct business in Sweden through a branch or a representation office.

Activities and Services Covered

A bank may engage in a broad range of activities, which include, inter alia:

• borrowing funds (for example, by accepting deposits from the general public or issuing bonds or other comparable debt instruments);
• granting and brokering loans (for example, in the form of consumer credit and loans secured by charges over real property or claims);
• participating in financing (for example, by acquiring claims and leasing personal property);
• providing payment services pursuant to the Payment Services Act (SFS 2010:751);
• providing means of payment;
• issuing guarantees and assuming similar obligations;
• participating in the issuance of securities;
• providing financial advice;
• holding securities in safekeeping;
• conducting letters of credit operations;
• providing bank safety deposit services;
• engaging in currency trading;
• providing investment services and activities subject to the conditions prescribed in the Securities Market Act (SFS 2007:528);
• providing credit information subject to the conditions prescribed in the Credit Information Act (SFS 1973:1173); and
• issuing electronic funds pursuant to the provisions of the Electronic Money Act (SFS 2011:755).

This list is merely illustrative; consequently, a bank may conduct other financing operations, as well as operations that have a natural connection to financing.

Conditions for Authorisation

A licence to conduct financing business may be granted to Swedish limited companies and co-operative associations. Such entities are referred to as credit market undertakings. A licence to conduct banking business may be granted to Swedish limited liability companies, co-operative associations, and savings banks.

Other general conditions that need to be fulfilled in order to have a licence granted include:

• the articles of association contain the specific provisions required, taking into consideration the scope and nature of the planned operations;
• there is reason to assume that the planned business will be conducted in accordance with the provisions of banking regulation and other statutes that govern the company’s operations;
• the holder or anticipated holder of a qualified holding in the company is deemed suitable to exercise a significant influence over the management of a bank;
• any person who is to serve on the company’s board of directors or serve as managing director, or be an alternate for any of the aforesaid, possesses sufficient insight and experience to participate in the management of a bank and is otherwise suitable for such duties;
• the board of directors as a whole has sufficient expertise and experience to run the company; and
• an initial capital which, at the time of the decision regarding a licence, corresponds to not less than EUR5 million.

When assessing a holder’s suitability, their reputation and financial strength will be considered. It shall also be taken into consideration as to whether there is reason to believe that:

• the holder will impede the bank’s ability to operate in compliance with the requirements that regulate the business; or
• the holding has a connection with, or can increase the risk of, money laundering or terrorist financing.

Filing Documents

The Banking and Financing Business Ordinance (2004:329) lays down the formalities for applications and the information that should be included. This is further outlined in the SFSA’s general guidelines (FFFS 2011:50) regarding an application for authorisation to conduct banking or financing business, which stipulate that the application shall include the following:

• articles of association; and
• a business plan.

The business plan should contain, and append to the plan, the information set out below:

• an organisational chart;
• outsourcing agreements;
• a group or ownership chart;
• documentation for ownership and management assessment;
• annual reports, interim reports, forecasts and lending instructions;
• guidelines and instructions regarding risk management, customer protection, ethical rules, events of material significance, measures against money laundering and financing of terrorism and audit function;
• a description of operations;
• a detailed description of the operations to be conducted; the description should, inter alia, contain:
1. a general outline (organisational chart) regarding the manner in which the operations are organised;
2. a general description of the areas of operation and functions;
3. information regarding the number of employees, broken down by various areas of operation and functions; and
4. a description of the responsibilities and positions of employees with special responsibility for a particular function or area of operation; and
• information regarding the manner in which IT operations will be organised, the systems used and the strategy which may be relevant; information should also be provided regarding how the company intends to organise and structure the responsibility for IT support and information security.

Application Process

The original application and one copy should be submitted to the SFSA. An additional copy should be furnished to the company’s auditor. Applicants must pay a SEK 1,500,000 fee in conjunction with the application.

Once the application has reached the SFSA, it becomes a matter and is assigned a reference number. An administrator is then appointed as responsible for the matter and confirmation that the SFSA has received the application is sent out.

After the application fee is paid, the administrator conducts a formal review to verify that the application is complete. If there are any formal deficiencies, the SFSA will request supplementary information. Once the application is deemed formally complete, the SFSA initiates a review of the material documentation to assess whether the conditions for the authorisation are met. During the handling process, the SFSA may also request supplementary information before a decision is reached.

Provided that the application is formally complete and the fee has been paid, the SFSA will make a decision within six months.

Requirements Governing Change in Control

Prior to the acquisition of a qualified holding of shares, an application for authorisation to acquire shares must be submitted to the SFSA.

A “qualifying holding” is defined as a direct or indirect holding that represents 10% or more of the capital or of the voting rights, or which makes it possible to exercise a significant influence over the management (eg, through a shareholder agreement). Authorisation is also required when a direct or indirect holding increases above a prescribed percentage of 20%, 30% or 50%, or when it causes the undertaking to become a subsidiary. A notification shall be made to the SFSA if the holding falls below one of the mentioned thresholds (10%, 20%, 30% or 50%).

Authorisation must be obtained prior to the acquisition. Where the acquisition has occurred as a result of a division of joint marital property, testamentary disposition, corporate distribution, or any other similar measure, consent shall instead be required for the acquirer to retain the shares of participating interests. The acquirer shall thereupon apply for consent within six months of the acquisition.

Restrictions

There are currently no specific restrictions on private ownership or geographical restrictions on foreign ownership of Swedish banks. However, in December 2023, Sweden introduced a new legislation, the Screening of Foreign Direct Investments Act (the “FDI Act”), implementing the EU Screening Regulation (Regulation (EC) 2019/452). The FDI Act introduced a screening regime for certain foreign direct investment transactions. The purpose of such screening is to examine whether the relevant foreign investment may harm national security or public order. Any investment falling under the FDI Act must receive approval, or a decision to take no further action, from the screening authority before closing.

Factors to be Considered

Authorisation shall be granted for an acquisition where the acquirer is deemed suitable to exercise a significant influence over the management of a bank and it can be assumed that the anticipated acquisition is financially sound. Consideration shall be taken of the acquirer’s likely impact on the business of the bank.

In conjunction with the assessment, the acquirer’s reputation and financial strength shall be taken into consideration. It shall also be taken into consideration whether:

any person who, as a result of the acquisition, will become a member of the board of directors of the credit institution or act as managing director or act as an alternate for either of the foregoing has sufficient insight and experience to participate in the management of a bank and is also otherwise suitable for such a task, as well as whether the board of directors, taken as a whole, has sufficient expertise and experience to run the institution;

there is reason to believe that the acquirer will impede the credit institution’s ability to operate in compliance with statutes regulating the business of the bank; and

there is reason to believe that the acquisition is connected to, or may increase the risk of, money laundering or terrorist financing.

Information to Include in the Application

The SFSA’s regulations regarding ownership, ownership management and management assessment in credit institutions (FFFS 2023:13) set out the information that a company must submit to the SFSA in conjunction with ownership assessments. These regulations apply during ongoing ownership assessments, but are not applicable at the time of applying for authorisation. During the authorisation phase, the following applies: the Commission Delegated Regulation (EU) 2022/2580 of 17 June 2022 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards that specify the information to be submitted in a credit institute’s authorisation application and the factors that can prevent competent authorities from conducting efficient supervision.

The information to be submitted includes:

• information about the acquirer;
• registration certificate;
• financial position (including annual reports);
• information about the board of directors and senior management;
• description of the ownership chain;
• relations and interests;
• information about the acquisition;
• financing of the acquisition; and
• business plan and detailed information about the acquisition.

As a part of the ownership assessment, the SFSA collects information from, for example, the Swedish Police, the Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Enforcement Authority and firms that provide credit assessments.

Application Process

A decision of the SFSA regarding an authorisation for an acquisition shall be issued within 60 working days of the confirmation being sent (the evaluation period). Where the SFSA requests supplementary information, the evaluation period may be extended. The SFSA shall be deemed to have given consent to the acquisition if the authority has not issued a decision on the application during the evaluation period. The fee is currently SEK33,000.

Governance Rules

The main corporate governance rules applicable to banks are set out in the SFSA’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control. The guidelines on internal governance issued by the European Banking Authority (EBA) are also applicable (EBA/GL/2021/05) in relation to banks’ governance arrangements, including their organisational structure and the corresponding lines of responsibility, processes to identify, manage, monitor and report all risks they are or might be exposed to, and the internal control framework. Due to domestic legislation being incompatible with the guidelines in a few areas, some provisions are not applicable (nomination committee and independent board members).

The main governance rules are summarised below.

General organisational requirements

The company shall ensure that it has an appropriate, transparent organisational structure with a clear allocation of functions and areas of responsibility that ensure sound and efficient governance of the undertaking and enable the SFSA to conduct efficient supervision.

The responsibility of the board of directors and the managing director

When the board of directors sets the company’s strategies, it must consider the company’s long-term financial interests, the risks it currently faces or may face, and the capital required to address them. Board members shall have a sound knowledge and understanding of the company’s organisational structure and processes to ensure they are consistent with the decided strategies. Board members shall be thoroughly familiar with and knowledgeable about the operations and the nature and scope of the risks.

The board of directors or the managing director shall regularly review and assess the efficiency of the organisational structure, procedures, measures, methods, etc, as established by the company to comply with laws and other statutes regulating operations that are subject to authorisation. The board of directors or managing director shall also take appropriate measures to address any deficiencies therein.

Ethical rules

The company shall conduct its operations in an ethically responsible and professional manner and maintain a sound risk culture.

Conflicts of interest in the operations

The company shall identify and address any conflicts of interest that exist or could arise in its operations. The company shall have internal rules specifying how it addresses conflicts of interest. The internal rules shall be appropriate, taking into account the size and organisation of the company, as well as the nature, scope, and complexity of the operations.

Risk management

The company shall have a risk management framework containing the strategies, processes, procedures, internal rules, limits, controls and reporting procedures required to ensure that the company may, on an ongoing basis, identify, measure, govern, internally report and exercise control of the risks to which it is or could perceivably become exposed.

Control functions

The company shall have a risk control function, a compliance function and an internal audit function. The control functions shall, in organisational terms, be separate from each other. In smaller companies with less complex operations, both the risk control and compliance functions can be combined.

Outsourcing arrangements

The company shall establish internal rules for managing its outsourcing agreements. It shall exercise due skill, care, and diligence when entering into, managing, and terminating outsourcing agreements related to work or functions of significant importance to its operations.

Regulatory Approval of Appointment

The main requirements applicable to senior management are set out in the Banking and Financing Business Act (SFS 2004:297) which stipulates that any person who is to serve on the board of directors or serve as managing director, or be an alternate for any of the aforesaid, possesses sufficient insight and experience to participate in the management of a bank and is otherwise suitable for such duties and the board of directors as a whole has sufficient expertise and experience to run the company.

Swedish banks are also, except for certain provisions, subject to the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body (ESMA35-36-2319 and EBA/GL/2021/06) and key function holders, which further outline the requirements regarding the suitability of members of the management body.

An application regarding suitability assessment must be filed with the SFSA in connection with appointing a new person or making changes to the following positions in the bank:

• chairman of the board;
• board members;
• alternate board members; and
• managing director or deputy managing director, that is, the person serving in the managing director’s stead.

As a part of the suitability assessment, the SFSA collects information from the Swedish Police, the Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Enforcement Authority and firms that provide credit assessments. Other information and documents that need to be included in the application are:

• information about the person subject to the suitability assessment;
• employment history and senior management positions held;
• CV that contains relevant information about education, work experience and other roles;
• qualifying ownership;
• relations and interests; and
• reputation.

A decision of the SFSA shall be issued within 60 working days, provided that the application is complete and the fee of SEK18,000 has been paid.

For every change to the board of directors, the company must assess whether the board as a whole has the requisite knowledge and experience to manage the company.

Accountability

In terms of accountability, the bank’s board of directors is ultimately responsible for ensuring compliance with regulations governing banking operations.

The SFSA may intervene against a person who is a member of a bank’s board of directors, its managing director, or an alternate for any such person, where the bank has violated certain obligations pursuant to the bank’s business. An intervention may only take place where the infringement is serious and the person in question caused it intentionally or through gross negligence.

In addition, senior management may also have to compensate damages caused to the company, the shareholders or other persons due to infringements of the Banking and Financing Business Act (SFS 2004:297) and the Companies Act (SFS 2005:551) – provided, however, that the damages are caused intentionally or negligently.

General

The remuneration policies and practices of banks licensed in Sweden are governed by the SFSA’s regulations (FFFS 2011:1) on remuneration structures for credit institutions, investment firms, and fund management companies licensed to conduct discretionary portfolio management.

The regulation stipulates that the board of the bank shall establish a documented remuneration policy that is in line with and promotes sound and effective risk management and counteracts excessive risk-taking behaviour. The remuneration policy shall encompass all employees.

The board of directors shall decide on:

• remuneration to senior management;
• remuneration to employees who are primarily responsible for any of the firm’s control functions; and
• measures to enable a review of how the firm’s remuneration policy is being applied.

The decision of the board of directors shall, where applicable, comply with decisions made by the Annual General Meeting with regard to the company’s remuneration.

The total variable remuneration shall not limit the company’s ability to maintain, or, as needed, strengthen, a sufficient capital base. The control function shall annually review the company’s remuneration structure for compliance with the remuneration policy.

Remuneration Structure

Where a company’s remuneration contains variable components, it shall ensure that the fixed and variable components are appropriately balanced. The fixed components shall represent a sufficiently large portion of the employee’s total remuneration that the variable components can be set at zero.

The performance assessment for calculating variable remuneration components will primarily focus on risk-adjusted profit measures. This assessment will take into account both current and future risks, as well as the actual costs of capital and the liquidity needed for business activities.

Specially Regulated Staff

Senior management and employees in the following categories of staff are identified as specially regulated staff:

• employees in strategic management positions;
• employees responsible for control functions;
• risk takers; and
• employees whose total remuneration is equal to or exceeds the total remuneration of any of the members of senior management.

A risk taker is an employee belonging to a category of staff whose professional activities can have a material impact on the firm’s risk level. This normally refers to employees who can:

• enter into agreements;
• take positions on behalf of the firm; or
• otherwise affect the firm’s risks.

Variable remuneration to specially regulated staff shall be based on both the employee’s performance and the overall performance of both the business unit and the company. Both financial and non-financial criteria shall be considered in assessing the employee’s performance. The variable compensation for this category may not exceed the fixed compensation.

The company shall ensure that at least 40% of the variable remuneration to specially regulated staff, whose variable remuneration over a period of one year totals at least SEK100,000, is deferred over a period of not less than three to five years before it is paid or the right of ownership passes to the employee. The company shall also defer at least 60% of variable remuneration for members of senior management and other employees who are members of the firm’s specially regulated staff with particularly high variable remuneration.

A significant bank shall ensure that at least 50% of the variable remuneration to a member of senior management consists of the firm’s shares, participations or instruments linked to the firm’s shares or participations, or other instruments that fulfil the conditions for Tier 1 capital contributions. Where appropriate and possible, the company shall allow the variable remuneration components within the meaning of the foregoing.

A significant bank shall ensure that the shares, participations, and other instruments are subject to restrictions such that the employee may not exercise control over the instruments for at least one year, or longer, depending on the bank’s long-term interests, after the ownership rights to the instruments have passed to the employee. This applies regardless of whether the variable remuneration has been deferred or not.

The company shall ensure that deferred variable remuneration components are paid or passed to the employee only to the extent justified by the financial situation and the performance of the company, the business unit in question, and the employee. The deferred portion of the remuneration may also be cancelled in full for the same reasons.

Breaching the Requirements

Where a bank violates the requirements in the foregoing, the SFSA has the authority to, and shall, intervene. Depending on the specific circumstances at hand, the board of directors may also be liable for damages.

The main AML and CTF legislation in Sweden is the Money Laundering and Terrorist Financing (Prevention) Act (SFS 2017:630), transposing the fourth EU Anti-Money Laundering Directive ((EU) 2015/849) (as amended by the fifth EU Anti-Money Laundering Directive (2018/843/EU)). This is further accompanied by the SFSA’s regulations (FFFS 2017:11) regarding measures against money laundering and terrorist financing.

The regulations impose a range of obligations on banks including:

• general risk assessment and routines;
• customer due diligence;
• monitoring and reporting;
• collaboration against money laundering and terrorist financing;
• processing of personal data; and
• internal monitoring and reporting of suspected infringements.

In addition, banks in Sweden should adhere to the EBA’s guidelines on the use of remote customer onboarding solutions (EBA/GL/2022/15), the EBA’s guidelines on the role of AML/CFT compliance officers (EBA/GL/2022/05) as well as the EBA’s guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risks associated with individual business relationships and occasional transactions (EBA/GL/2021/02), which have been amended by the EBA’s guidelines regarding crypto assets and crypto service providers (EBA/GL/2024/01).

Banks are also required to comply with various international financial sanctions issued by the EU and the United Nations.

The Swedish deposit insurance scheme was introduced in 1996 and the responsible competent authority is the Swedish National Debt Office. The deposit insurance scheme has been extended on several occasions and today all deposits in banks and credit market institutions are covered.

Deposit insurance applies to all private persons (including minors), as well as companies and other legal persons, such as the estate of a deceased person. However, financial institutions and public and local authorities are not eligible for compensation.

All types of accounts are covered by the deposit insurance regardless of whether they are restricted or free to withdraw. However, individual pension accounts are not covered. Deposit insurance also does not apply to bank money orders (cashier’s cheques) because these fall outside the definition of deposits under the Deposit Insurance Act (SFS 1995:1571).

For client accounts, the main rule is that every underlying individual owner of the money receives compensation up to the maximum amount covered. A client account is an account in which a company has deposited money for several customers in a single account.

If the account is protected by deposit insurance, the depositor is entitled to receive compensation equal to the amount deposited, including interest, up to either the date the institution was declared in default or the date the decision to activate the deposit guarantee scheme was made. The insurance provides compensation of up to SEK1,050,000 per depositor. If an account is opened in two or more persons’ names, each person is counted separately.

The deposit insurance scheme is financed by contributions from the member banks and institutions, which are invested in a fund. The fees are calculated based on a number of risk indicators and the institute’s guaranteed deposits as of 31 December of the previous year. The institute’s fee is also affected by the fact that the total fee must amount to 0.1% of total guaranteed deposits. Based on the risk indicators, a risk score is calculated for each institute. Based on the risk score, the institutes are then divided into different risk classes. The institution’s risk class and size of guaranteed deposits then determine which fee the institution must pay.

Duty of Confidentiality

An individual’s relationship with a bank may not be disclosed without authorisation (this includes both physical and legal persons). Bank confidentiality covers all information exchanged between the individual and the bank, whether written or oral. This also includes whether or not a certain individual is an actual customer at the bank.

However, the duty of confidentiality is not strict, and exceptions can be made when:

• there is a statutory obligation;
• there is a duty to the public to disclose;
• the interests of the bank require disclosure; or
• the disclosure is made with the customer’s express or implied consent.

For example, the Swedish Parental Code (SFS 2008:913) contains provisions regarding the obligation of banks to provide information to the chief guardian. A bank is also obliged to disclose information regarding an individual’s relations with the bank where such information is requested by the investigating officer in the course of an investigation pursuant to the provisions regarding preliminary investigations in criminal actions, by the public prosecutor in a matter pertaining to legal assistance in criminal actions, on application by another country or an international court, or in a matter of recognition and execution of a European Information Order.

Additional statutory obligations to provide information on individuals’ relationships with banks include, inter alia:

• suspicion of money laundering or terrorist financing;
• market abuse or other crimes;
• bankruptcy proceedings;
• a request by another state or international court;
• a European arrest warrant; or
• a request from the SFSA, the Swedish Tax Agency or the Swedish Enforcement Authority.

Violation of bank secrecy is, depending on the relevant circumstances, punished by:

• public sanctions;
• criminal sanctions;
• civil sanctions; or
• disciplinary sanctions.

Capital Requirements

The capital requirements in Sweden are based on principles set by the Basel Committee, which have been implemented through EU capital adequacy regulations, Swedish laws, and SFSA regulations. The principles contain minimum own funds requirements (Pillar 1), additional own funds requirements (Pillar 2), and combined buffer requirements.

Pillar 1

Banks measure their risks and calculate minimum own funds requirements in accordance with the rules and calculation models set out in the EU Capital Requirements Regulation (575/2013/EU).

The minimum own funds requirement is 8% of the value of the bank’s assets and other assumptions adjusted for their risk, which is called the risk-weighted exposure amount (REA). The requirement is calculated for credit, market and operational risks.

Pillar 2

Banks must hold capital that adequately covers all risks to which they are or may be exposed. To ensure that a bank knows which risks it may be exposed to, the Banking and Financing Business Act (2004:297) requires a bank to identify, measure, govern, internally report, and exercise control over the risks associated with its business.

The banks must evaluate their capital requirements for non-Pillar 1 risks through the Internal Capital Adequacy Assessment Process (ICAAP) and determine their total capital requirements. The SFSA conducts a supervisory review and evaluation process (SREP) for the bank’s governance structures, processes and procedures related to its ICAAP and assesses the bank’s risks and capital needs. After an SREP, the SFSA determines an additional own funds requirement and provides guidance on it. The bank’s and the SFSA’s risk and capital assessments are both parts of the Pillar 2 framework.

Combined buffer requirement

Requirements for maintaining different types of capital buffers are set out in the Capital Buffers Act (2014:966). A bank may use the buffers, although only in specific circumstances and subject to restrictions.

Capital conservation buffer

Banks must hold a 2.5% capital conservation buffer in addition to the minimum own funds requirements and the additional own funds requirements. The buffer is an additional layer of capital that the bank should be able to use to cover losses without breaching minimum or additional capital requirements.

Capital buffer for systemically important banks

The SFSA evaluates annually which Swedish banks are systemically important and which must hold a buffer to provide extra protection against the negative effects that problems in the bank could cause in the financial system. Systemically important banks must hold an institution-specific capital buffer of 1%.

Systemic risk buffer

This buffer must protect against systemic risks that are not covered by other capital requirements. Every other year, the SFSA reviews the systemic risk buffer and the banks subject to it. Banks subject to the requirement must hold a systemic risk buffer of 3%.

Countercyclical capital buffer

During periods of strong economic growth and rapid credit growth, banks should build capital buffers they can draw upon during periods of financial uncertainty. The objective of the countercyclical capital buffer is to enhance the banks’ resilience and prevent future financial crises. The SFSA sets the countercyclical capital buffer quarterly based on the current economic conditions.

Liquidity Requirements

Since 1 January 2018, binding EU regulations apply in full (CRR and the liquidity coverage requirement regulation (EU) 61/2015 (LCR)). These set out the following requirements:

Quantitative requirement for liquidity coverage (Pillar 1)

The EU regulation imposes a 100% Liquidity Coverage Ratio (LCR) requirement, meaning that an institution must maintain sufficient liquid assets to withstand actual and simulated cash outflows during a stressed period of 30 days.

The Pillar 1 requirement in EU regulation is not expressed in individual currency levels; rather, it imposes a general requirement that the liquidity buffer’s currency composition align with net outflows by currency. If there is an imbalance between the currency composition of a bank’s liquidity buffer and the net outflows in individual currencies, the supervisory authority may require the bank to address this imbalance. This may involve setting limits on the proportion of liquid assets in one currency that the bank can use to cover liquidity outflows in another currency.

Quantitative requirement for the stable net financing ratio (Pillar 1)

Since 2021, the EU regulations have included a binding requirement for the stable net financing ratio (NSFR) in addition to the minimum binding requirement for the liquidity coverage ratio (LCR). The NSFR requirement means that a company must have sufficient stable funding to cover its financing needs over a one-year horizon under both normal and stressed conditions. The NSFR requirement in EU regulations is set at 100%.

Risk Management

The SFSA’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions apply to Swedish banks and impose an obligation on banks to ensure they have an appropriate, transparent organisational structure with a clear allocation of functions and areas of responsibility that ensure sound and efficient governance of the undertaking and enable the SFSA to conduct efficient supervision.

Banks need to have a risk management framework containing the strategies, processes, procedures, internal rules, limits, controls and reporting procedures required to ensure that the company may, on an ongoing basis, identify, measure, govern, internally report and exercise control of the risks to which it is or could perceivably become exposed.

Banks must further have a procedure for regularly reporting the risks that exist or which could perceivably arise in the operations to the board of directors and the risk committee, if such has been appointed, the managing director and other functions that require such information, so that they receive reliable, current and complete reports in a timely manner.

A bank must set clear boundaries (limits and mandates) for the person who is to make decisions within the framework of the company’s risk appetite.

Swedish Developments

For several consecutive years, the SFSA has prioritised sustainable finance as a key area of supervision, focusing on risks such as greenwashing and the failure to fully consider climate-related risks in financial assessments.

For example, on 15 September 2025, the SFSA released a new supervisory report examining how Swedish banks are incorporating climate risks into their stress testing frameworks. The report highlights a significant shift in the financial sector’s approach to sustainability and risk management. In anticipation of upcoming EU regulations requiring banks to assess their resilience to long-term ESG risks starting in January 2026, the SFSA asked banks to include a climate-related scenario in their 2024 stress tests. The goal was to evaluate how far banks have come in integrating climate risks and to prepare them for future regulatory demands (the EBA’s guidelines on the management of ESG risks [EBA/GL/2025/01]).

The SFSA concludes by stressing the importance of continued development in this area. Banks are expected to align their climate stress testing with materiality assessments and comply with the forthcoming regulations. The SFSA will continue to monitor progress as part of its ongoing supervisory activities, viewing climate stress testing as a crucial tool to enhance the financial sector’s resilience to climate-related risks.

EU Developments

The regulatory framework for ESG-related issues has been growing in the financial sector. Although the main focus so far has been on channelling investments into sustainable finance projects, several initiatives are also affecting the banking sector.

For example, as mentioned above, the EBA’s guidelines on the management of ESG risks (EBA/GL/2025/01), published by EBA in January 2025, establish a comprehensive framework for financial institutions to identify, measure, manage, and monitor ESG risks. These guidelines aim to embed ESG considerations into governance structures, strategic planning, and risk management systems, ensuring institutions are resilient to sustainability-related challenges. Key requirements include regular materiality assessments (annually for most institutions, biennially for smaller, non-complex ones), robust data collection, and scenario-based methodologies to evaluate ESG impacts across traditional risk categories like credit, market, and operational risks. Institutions must also develop transition plans aligned with the EU’s climate neutrality goals by 2050, including clear targets and milestones. The guidelines apply from January 2026 for most institutions and from January 2027 for smaller entities, with a proportionality principle allowing tailored approaches based on size and complexity. Also, the Corporate Sustainability Reporting Directive (CSRD), initially intended to start applying to large listed companies from 1 January 2024, with the first reporting obligation in 2025 for the financial year of 2024 (and subsequent years for all other large companies and, eventually, all listed companies except micro-cap companies), has been “stopped”. The Omnibus package proposed by the European Commission in January 2025 includes a “stop the clock” mechanism, under which the CSRD reporting requirements for large companies and listed SMEs (second- and third-tier) are delayed by two years. The purpose of the legislative proposal is to streamline rules in areas such as sustainable finance, corporate sustainability reporting, due diligence, and the EU Taxonomy, with the goal of cutting administrative costs by 25% for all businesses and 35% for SMEs.

Key changes in the Omnibus package include narrowing the scope of the CSRD to only cover large companies with over 1,000 employees and significant turnover or balance sheet totals, thereby removing around 80% of companies from its requirements. A voluntary SME reporting standard will be introduced to shield smaller firms from excessive data requests. The proposal also simplifies the European Sustainability Reporting Standards (ESRS), eliminates the obligation for sector-specific standards, and maintains a limited assurance level for sustainability reports.

Another piece of legislation relevant to Swedish banks is the EU Green Bond Regulation (2023/2631), which entered into force at the end of 2024. The regulation has introduced a robust framework for issuing bonds labelled as European Green Bonds (EuGBs), aiming to strengthen trust and transparency in sustainable finance. For banks, this regulation provides a clear and credible pathway to raise capital for environmentally sustainable projects. To qualify as an EuGB, 100% of the bond proceeds must be allocated to activities aligned with the EU Taxonomy, with a limited flexibility allowance of up to 15% for projects not yet covered by the taxonomy. Issuers are required to publish a pre-issuance factsheet verified by an independent reviewer, followed by annual allocation reports and environmental impact disclosures throughout the bond’s lifecycle. All documentation must be publicly accessible for at least one year after the bond matures. The regulation also establishes a supervisory framework for external reviewers, managed by ESMA, to ensure consistency and prevent greenwashing. Although voluntary, the EuGB label is designed to become the gold standard for green bonds, helping banks demonstrate alignment with EU climate goals and attract sustainable investment.

National Legislative Measures Related to DORA

As of 17 January 2025, the Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) has applied across the Union. The vast majority of financial undertakings are now subject to DORA.

In Sweden, legislative measures to complement the Digital Operational Resilience Act (DORA) and the related Amending Directive (EU) 2022/2556 have advanced over the past year. This progress includes the enactment of Law 2024:1278, which provides additional provisions for DORA. The new law grants the Swedish Financial Supervisory Authority (SFSA) and the Central Bank clear supervisory and enforcement powers under DORA.

The supplementary act sets out:

• the designation of responsible authorities for threat-led penetration testing (TLPT) and related oversight;
• SFSA’s powers to impose administrative fines, issue injunctions and require remediation in the event of DORA breaches;
• cooperation arrangements between the SFSA and the Central bank; and
• fee-financed models for supervisory costs connected to DORA oversight.

In addition, amendments to the Banking and Financing Business Act  (2004:297) and other sectoral laws now clarify that institutions must comply with DORA’s provisions on ICT risk management, incident reporting, third-party risk governance and information sharing. The intervention provisions authorise the SFSA to act against members of the board of directors or senior management if an institution fails to comply with key obligations set out in DORA.

In parallel, the SFSA has actively begun implementing its supervisory approach. In March–April 2025, the SFSA circulated extensive questionnaires to banks and other financial institutions to assess their DORA readiness, focusing on ICT risk frameworks, incident management and third-party registers. The authority has indicated that the findings will inform the first targeted DORA inspections during 2026.

In March 2025, institutions were also required for the first time to submit the Information Register under DORA, reporting all third-party ICT service providers. Many institutions encountered challenges in consolidating group-wide data and determining the scope of “ICT services” and subcontractors. The SFSA subsequently issued technical guidance and adjustments to the reporting in May 2025.

Overall, by late 2025, Sweden’s legal and supervisory framework for DORA implementation is largely in place, with an extensive package of new and amended regulations and guidelines issued by the SFSA. The SFSA has transitioned from preparatory oversight to active supervisory follow-up, and the coming year is expected to mark the start of on-site inspections and further harmonisation between DORA, the forthcoming Cybersecurity Act implementing NIS2, and EBA’s extended guidelines on third-party risk management.

The main upcoming regulatory developments are outlined below.

Sweden

In October 2025, the Swedish government submitted its proposal for a new Cybersecurity Act (prop. 2025/26:28) to implement the EU’s NIS2 Directive, signalling a major upgrade in the regulatory regime governing network and information system security. The proposed law covers both public authorities and private operators in designated sectors and mandates risk-based security measures, supply-chain and continuity obligations, incident reporting to a supervisory authority, and fresh enforcement powers including fines and leadership bans. Although the law is scheduled to enter into force on 15 January 2026, banks and other financial institutions – which already face overlap with DORA and ICT risk regimes – should already be reviewing their incident-management frameworks, supplier contracts and governance structures. The trend points to a tighter cybersecurity compliance landscape in Sweden, aligned with broader digital-resilience efforts across the EU.

EU

The European Union’s overhaul of the payment services framework is now entering the trialogue phase, with the draft PSD3 and PSR (Payment Services Regulation) reaching the negotiating table in mid-2025. The package aims to combat fraud, enhance interoperability (especially mobile and offline channels), extend open banking provisions, increase transparency of fees and strengthen national supervisory powers. Although full implementation is not anticipated until 2027 or later, Swedish banks and payment service providers should already be initiating gap analyses and readiness programmes covering fraud prevention, strong customer authentication, third-party contracting and cross-border payments. The forthcoming regime emphasises operational resilience, consumer protection and competitive payment markets across the EU. The forthcoming Financial Data Access Regulation (FiDA) marks a major evolution in the EU’s digital finance agenda. Building on the open banking model established under PSD2, the regulation expands data-sharing requirements to include the banking, investment, insurance, and pension sectors. Agreements reached by the Council in December 2024 have paved the way for implementation in 2027, with transitional periods allowing institutions to adapt. Swedish banks and finance groups should already be mapping data flows, modernising API infrastructures and reviewing third-party access arrangements in preparation for the new regime. While not yet in force, FiDA underscores the structural shift towards open finance, with increased consumer data rights, intensified competition from fintechs and technology firms, and a renewed focus on data governance and system interoperability.

The EBA’s forthcoming guidelines on third-party risk will extend the scope of outsourcing regulation beyond ICT services under the DORA, to encompass a broader array of function- and service-provider relationships. The draft consultative guidelines, open until 8 October 2025, anticipate new requirements on governance (including board oversight of third-party arrangements), comprehensive third-party registers, enhanced exit and continuity plans for “critical or important functions”, and a wider set of institutions in scope, including MiCAR-authorised issuers of asset referenced tokens, investment firms and non-bank creditors (under the mortgage credit directive). Swedish banks and financial institutions should begin reviewing their contracts, outsourcing policies and supplier registers now, ensuring readiness for the two-year implementation phase following final publication.

The EU Banking Package (CRR3/CRD6) entered into force on 9 July 2024, following its publication in the Official Journal on 19 June 2024.

During 2025, banks and supervisors have focused on implementation and transitional preparations ahead of the main application date, 1 January 2025, for CRR III. The package strengthens the risk-based capital framework, introduces an output floor, refines credit-, market-, and operational-risk approaches, and embeds ESG-risk considerations into prudential supervision. The European Commission confirmed in 2025 that the Fundamental Review of the Trading Book (FRTB) will apply from 1 January 2027, following the one-year postponement announced in 2024 and formalised through a delegated act adopted in April 2025.

For Sweden, legislative work to transpose CRD VI is ongoing. The Government’s memorandum “EU:s bankpaket” was published in May 2025, aiming for entry into force on 11 January 2026, with rules on third-country branches becoming applicable from 11 January 2027. The proposed new legislation establishes new governance, fit-and-proper and sustainability-risk requirements for banks and investment firms.

By late 2025, EU institutions and national authorities are transitioning from legislative adoption to supervisory implementation, as banks finalise internal models, ESG data integration, and disclosure processes ahead of the first CRR III reporting cycle in 2026.