Fintech 2020 Comparisons

Last Updated March 02, 2020

Law and Practice


Hannes Snellman Attorneys Ltd is a Nordic law firm with 300 outstanding lawyers and other professionals based in Finland and Sweden. It advises leading international and local corporations across all business sectors. The firm regularly advises fintech companies, and other actors within the financial sector, in areas such as regulatory work, including all the different Swedish Financial Supervisory Authority (SFSA) licences, as well as market regulations. Hannes Snellman also advises on transactional work, including capital raises and advising lenders or asset managers in their customer-phasing activities, as well as assisting in IT agreements, outsourcing, technology, telecommunications, data protection, e-commerce and innovation.

The Swedish fintech market is vibrant; in particular around payment services, where there are several large players such as Klarna and iZettle that have also inspired other service providers. Other interesting fintech business sectors include crowdfunding and peer-to-peer lending (eg, Trine or Lendify), consumer credit, comparison, and procurement assistance tools for different financial services (for example, Lendo, which brokers consumer credit from banks and other lenders).

So far, the least active area for independent fintech companies is probably insurance.

The general level of digitalisation is high in Sweden and, in particular, within financial services for both companies and consumers. Swedish customers, with few exceptions, expect to be able to cover virtually all of their banking needs digitally and often through mobile solutions. The main Swedish banks introduced a digital ID (Bank-ID) already in 2003. This ID is currently held by 8.2 million Swedes, meaning 98.7% of all Swedes between 21 and 50 years old but is also widely used even by elderly people. Bank-ID is issued to Swedish persons by banks and is used to log in to internet bank accounts but is also accepted by many other companies and many Swedish authorities for on-line services.

In Stockholm, the financial capital of the Nordic countries, many cafés and shops stopped accepting cash payments several years ago and the central bank is working on a project to launch an official e-currency.

The full implementation of the EU’s second Payment Services Directive (2015/2366) (PSD2) by September 2019 has created new opportunities for fintech solutions to compete with traditional banking. We therefore expect a lot of activity within the areas of payment services and information exchange to continue in the near future, since the development of the new business opportunities created by PSD2 are still at an early stage.

Recently there has been a lot of focus from the regulators on consumer credit, in particular on credit assessment, information to be provided to consumers and the necessity of taking on debt being a deliberate choice of the consumer. Fintech companies working within the consumer credit sphere should pay close attention to this development as adjustments to procedures and marketing might have to be made.

There are different types of players in the Swedish fintech market. There are the legacy players, which are, for instance, established banks, payment services providers and insurance companies.

Fintech players have at least three different was to relate to legacy players. They can co-operate with the legacy players through subcontracting or other co-operation models (eg, the developers of mobile applications used by large banks or AI companies co-operating with banks to provide a robo-adviser to their clients). Other fintech players try more actively to disrupt legacy players and compete with their services and for their customers with new digital interfaces and, typically, lower costs (eg, Klarna or Avanza). A third strategy is to place themselves between the customers and the legacy players (eg, loan brokers such as Lendo or other fintech companies using the opportunities in open banking). This can be beneficial for the legacy players but is often seen more as a disruptor changing the dynamics of the market.

While there is an increase of new players, the legacy players, especially the largest banks, are also active in the Swedish fintech market. Some of the largest banks have developed the most used applications for electronic identification and mobile payments in Sweden; BankID and Swish. The legacy players are also investing in up-and-coming fintech companies (eg, P.F.C., Kaching, Asteria, and Tink).

The main regulatory regimes applicable to fintech companies are the ones regulating the following services and require licences pursuant to the following legislation:

  • banking or financing services – licence pursuant to the Banking and Financing Business Act (2004:297) (CRR and CRD IV);
  • operating securities business – licence pursuant to the Securities Market Act (2007:528) (MiFID II);
  • payment services – licence pursuant to the Payment Services Act (2010:751) (PSD2);
  • issuing electronic money – licence pursuant to the Electronic Payment Act (2011:775);
  • conducting insurance business – licence pursuant to the Insurance Business Act (2010:2043);
  • distributing insurances – licence and registration pursuant to the Insurance Distribution Act (2018:1219);
  • conducting fund operations – licence pursuant to the UCITS Act (2004:46); and
  • managing alternative investment funds – licence pursuant to the Alternative Investment Fund Managers Act (2013:561).
  • issuing or brokering mortgages to consumers – licences pursuant to the Mortgage Business Act (2016:1024);
  • receiving funds from the public via deposits or the issuance of bonds – register pursuant to the Deposit Business Act (2004:299);
  • issuing or brokering loans to consumers – licence pursuant to the Certain Consumer Credit-related Operations Act (2014:275); and
  • carrying out currency trading or other financial operations – register pursuant to the Certain Financial Operations Act (1996:1006).

Depending on the business model of the fintech company in question, different regulatory regimes are applicable. Regulatory regimes in Sweden are for the most parts implementations of EU Directives. The more relevant regimes are the ones implementing, for example, PSD2 and the Markets in Financial Instruments Directive 2014 (MiFID II).

The regulatory regimes applicable in Sweden cover financial activities, not technologies, and as such, they do not differentiate between fintech business models and other business models.

Financial services not subject to regulation implementing EU legislation are regulated by local regimes. Sweden has introduced local regimes covering consumer credit institutions and mortgage institutions. These regimes apply for credit provided or brokered to consumers. Certain financial service providers and currency traders are not covered by other regimes and must register with the Swedish Financial Supervisory Authority (SFSA) as financial institutions.

Within the various areas covered by fintech, there are regulations covering pricing, primarily within the consumer credit and securities markets, including investment advice.

As previously mentioned, the regulatory regime in Sweden authorises financial activities, not technologies, and as such, does not differentiate between fintech business models and other business models. A case-by-case assessment is therefore required in order to assess what regulatory regime is applicable to different types of fintech business models.

However, fintech companies usually begin with a lighter licence more suited for their initial service or product and might upgrade that licence as their activities grow and diversify.

Having a banking licence most likely means that the possessor does not require any other licence in order to conduct any new financial operations, even if they must comply with additional requirements for new products and services. 

Typically, the requirements are the same for all players with the same licence. However certain banks are considered, pursuant to Directive 2013/36/EU, to be other systemically important institutions (O-SIIs) and are consequently subject to higher capital requirements.

In March 2017, the SFSA received an assignment from the government to investigate how it could meet the issues and needs of companies developing innovative financial services. As in most other European countries, the SFSA decided not to offer a regulatory sandbox and instead established an innovation centre. The innovation centre opened in March 2018 and serves as the first point-of-contact for companies, regarding questions on rules, processes and principles applicable to the financial sector and fintech innovations.

There are several supervisory authorities active within the Swedish financial market of which the most important are described below.

The SFSA (Finansinspektionen) is the main supervisory authority for the Swedish financial market, authorising and monitoring, for example, banks and other credit institutions, securities companies and fund management companies, stock exchanges, and insurance companies and brokers. The SFSA is accountable to the Ministry of Finance and was established in 1991 through the merger of former banking and insurance supervisory bodies.

However, since Sweden is a member of the EU, EU authorities such as the EBA, ESMA and Eiopa can also issue guidelines and technical standards in areas with directly applicable EU legislation or harmonised national legislation.

Sweden is not a member of the European Banking Union.

As specifically regards the offer of consumer credit and consumer insurance products, and the marketing of financial advice and banking/insurance products in general, the Swedish Consumer Agency (Konsumentverket) is the supervising authority and issues regulations and general guidelines on such matters. It is headed by the Consumer Ombudsman (Konsumentomudsmannen) who represents the collective consumer interest and pursues legal action in court.

The Data Protection Authority (Datainspektionen) supervises compliance with the GDPR regardless of industry sector as well as entities in the business of debt collection and credit reference agencies. It should also be noted that the business of pawnbrokers is supervised by the respective County Administrative Board (Länsstyrelsen).

The Swedish Crime Authority (Ekobrottsmyndigheten) is a specialised authority within the public prosecution service tasked with fighting money laundering, insider trading and other economic crimes and with a co-ordinating responsibility for the activities of other agencies in this field.

In Sweden there is no general prohibition on outsourcing of regulated functions. However, under the Banking and Financing Business Act (2004:297), credit institutions may outsource their regulated functions only on condition that: (i) the institution remains liable towards the customer; (ii) the supplier performs the outsourced function in a controlled and safe manner; and (iii) the institution, despite the outsourcing, can continue to fulfil its regulatory obligations. In short, this means, for example, that the institution must contractually restrict use of subcontractors and ensure that the SFSA is able to access and audit the outsourced activity. The credit institution must also report the outsourcing activity and submit the contract to the SFSA. Similar principles apply under the Insurance Business Act (2010:2043) for insurance companies.

Further details are outlined in the SFSA’s regulations and general guidelines, primarily FFFS 2014:1 regarding governance, risk management and control at credit institutions which, for example, stipulates that certain principles must be agreed in the contract if the regulated entity wishes to outsource work or functions that are of “material significance” to the regulated business.

Since September 2019, credit institutions, investment firms, payment institutions and electronic money institutions have had to comply with the new EBA Guidelines on outsourcing arrangements requiring specific terms and conditions when a critical or important function is outsourced. Simply described, the EBA Guidelines on outsourcing arrangements further describe and detail the more high-level requirements of FFFS 2014:1. The SFSA considers the EBA’s guidelines equivalent to its own regulations and general guidelines and has stated that the guidelines should be applied by all regulated entities supervised by the SFSA (ie, also, for example, insurance companies).

The same rules will apply if the function is outsourced to another regulated entity but, from a practical point of view, it is generally a smoother process in such cases as the supplier itself typically has better knowledge of the regulatory framework and understanding of the compliance issues that may arise.

The SFSA and the Swedish Consumer Agency (referred to in 2.6 Jurisdiction of Regulators) are the two main regulators enforcing Swedish law in relation to fintech companies. The SFSA is the main supervisory and licensing authority while the Swedish Consumer Agency mainly supervises companies in order to safeguard consumer interests.

At the end of 2019, the SFSA publicised that they had opened sanctions cases against two of the largest banks in Sweden (Skandinaviska Enskilda Banken AB and Swedbank AB). Both sanctions cases are in connection with the SFSA’s investigations into the banks’ governance and control of measures to combat money laundering in the banks’ subsidiaries in the Baltic states.

In 2015 both Nordea and Handelsbanken were ordered to pay administrative fines due to non-compliance with anti-money laundering rules, resulting in fines in the amount of SEK50 million and SEK35 million, respectively.

While they are uncommon, sanctions against fintech companies, which are not legacy players, usually lead to remarks, warnings, smaller fines or the revocation of their licence.

The GDPR and the Act on Supplementary Provisions to the GDPR (2018:218), apply regardless of industry sector (ie, also in relation to credit institutions and other regulated entities as well as to the innovating fintech entities that do not act under SFSA's authority and the financial regulatory framework). Naturally, these players are forced to take, for example, the GDPR principle of “privacy by design” into consideration in their offerings so that the regulated entities are able to comply with the GDPR requirements. 

The SFSA has issued regulations and general guidelines (FFFS 2014:5) regarding information security, IT operations and deposit systems applying to credit institutions and investments firms. The regulations require the relevant entities to work in a structured and methodical manner with information security. Further, it regulates governance and procedures for the IT operations and establishes requirements on the security of deposit systems. From 1 March 2018, the regulations also apply to entities with authorisation to conduct clearing operations according to Chapter 19 of the Securities Market Act (2007:528).

In addition to the SFSA’s regulations, under the new EBA Guidelines on outsourcing arrangements, certain IT security issues need to be addressed in the contract when a critical or important function of a regulated entity is outsourced (see 2.7 Outsourcing of Regulated Functions for further discussion). The EBA Guidelines on outsourcing arrangements also refer to certain privacy issues and, in essence, require compliance with the GDPR.

Moreover, the implementation of national Swedish legislation based on the NIS Directive (Directive (EU) 2016/1148) may affect regulated entities as well as technology providers and requires, for example, incident reporting of certain events. In the case of a security incident relating to personal data, the regulated entity may have to report the incident separately both under the GDPR and the NIS-legislation.

Regulated entities, primarily credit institutions, may also be affected by the Protective Security Act (2018:585), which entered into force in April 2019. It applies to anyone conducting security-sensitive operations aiming to protect Sweden against, for example, espionage and terrorist offences and imposes the implementation of certain security arrangements and procedures that may also affect technology providers.

Swedish anti-money laundering regulation implementing Directive 2015/849 of 20 May 2015 apply to fintech activities (eg, banks, registered financial institutions, consumer credit institutions or payment services). As such, there are requirements to conduct, among other things, risk assessments on how their services could be used for money laundering or terrorism financing as well as conducting customer due diligence. Entities must apply customer due diligence when establishing a business relationship or, when there isn’t an established business relationship, when carrying out an occasional transaction that amounts to more than EUR15,000 or a transfer of funds that amounts to more than EUR1,000.

Regulated entities may use social media and similar tools to market their businesses. These tools are not regulated, as such, but, naturally the GDPR and the Marketing Practices Act (2008:486) will have a great impact on their activities. As regards the marketing aspect, the Consumer Agency has issued regulations and general guidelines on the use of social media, stressing that it must be clear that the post is a marketing activity and that the user must be able to immediately understand this.

There is also a specific law, the Responsibility for Electronic Bulletin Boards Act (1998:112), under which the provider of, for example, a site where the user can publish text, images or sound has a duty to supervise the site and remove certain content, including material that is obviously infringing on copyright. 

There are several industry associations that monitor, and often engage in, legislative initiatives and regulatory changes. For example, the Swedish Banker’s Association (Bankföreningen), which is a member of the European Banking Federation, represents banks and other financial institutions nationally as well as internationally, working closely with regulators and policymakers in Sweden and Europe.

The Swedish Financial Technology Association (SweFinTech) was founded in 2017 to gather the Swedish fintech community together and enable co-operation with relevant government officials, authorities and other business organisations.

We do not see, to any large extent, regulated entities offering non-financial products. Within the securities market certain services are not regulated, as such, but can be offered as ancillary services. 

Many financial services are, however, offered as one element in another product or service; most commonly insurance or credit that is sold to insure or finance a purchase. Such credit can, in many instances, be offered by the seller even if it is not under supervision. However, if a specialised creditor is offering the service it will typically be under the supervision of the SFSA.

There is no specific legislation in relation to robo-advisers under Swedish law. The Swedish legislation on the securities market, based on MiFID II, applies for regulated investment advice so specialised robo-advisers must apply for an investment firm licence and it is mostly the price, accessibility and interface with the customer that changes, not the asset management services as such.

It is popular among Nordic banks to offer robo-advisers as a low-cost alternative to ordinary consumers. For example, Nordea is offering their robo-adviser Nora and Danske Bank has a robo-adviser called June.

Please see 7.7 Issues Relating to Best Execution of Customer Trades. The same rules apply to robo-advisers as to other investment firms.

There is specific regulation governing loans to consumers, and in Sweden the definition of a consumer includes that it is always a natural person – never a company. Swedish regulation of loans, therefore, does not distinguish between small businesses and other types of business. Loans to business are generally unregulated. However, if the contract is unclear it is typically interpreted to the detriment of the party providing the contract (in this case of lending to small businesses – the lender). Furthermore, Section 36 of the Contracts Act (1915:218) does provide that a contract can be modified or set aside if it contains an unconscionable term. Swedish courts rarely use this provision in business-to-business contracts, but Swedish courts may be more inclined to apply this provision in relation to contracts between sole proprietorships and larger companies/financial institutions.

Loans to consumers are regulated by the Consumer Credit Act (2010:1846). The act set out, among other things, the creditors’ obligations to provide the consumer certain information and to conduct credit assessment, when and if the consumer is obligated to pay interest and fees, as well as the consumers' rights when the creditor has transferred the credit to someone else. Due to the increase of short-term loans to consumers in recent years, the Consumer Credit Act now includes provisions limiting the interest, and other costs of credit, that the creditor can charge for high-cost credit.

Lending to consumers might also require a licence under the Certain Consumer Credit-related Operations Act (2014:275) while lending to businesses does not require a licence unless the lender accepts repayable funds from the public. Lending might also in some cases require a registration with the SFSA under the Certain Financial Operations Act (1996:1006).

Lending to consumers requires credit assessments as set out in the Swedish Consumer Credit Act and guidelines and case law.

Typically, this process has been highly dependent on credit information services regulated by the Swedish Credit Information Act, requiring a licence from the Swedish Data Protection Authority. Also, information is often obtained from the customer (although this is perceived as cumbersome) and from internal sources. Traditionally the banks have therefore had a lot of information about existing customers to assist in their credit assessments.

Currently, the Swedish Consumer Agency are about to publish new guidelines on consumer credit and, according to a draft published in autumn 2019, they are trying to regulate what information lenders can base their credit assessments on – such as income and actual and assumed costs of living – so that those lenders can then make a “left to live on” calculation to assess credit worthiness. The draft also specifies when information should be requested directly from the consumer. The Swedish Consumer Agency tried, some years ago, in court to impose similar requirements on H&M, the fashion retailer, when allowing credit purchases online. The agency lost that case but argues the requirements apply for forms of consumer credit other than credit purchases of everyday products in limited amounts. This is currently a hot topic within consumer lending in Sweden.

Online lenders fund their loans by borrowing from others, issuing bonds, receiving equity from investors, taking deposits from the public, securitisations or facilitating peer-to-peer lending.

Financing loans by taking deposits or other repayable funds from the public requires a licence as a credit institution from the SFSA.

In order for brokers of peer-to-peer lending to disburse the payments of the loans from the lenders to the borrowers, they must be licensed to operate as a payment institution in accordance with the Payment Services Act (2010:751). However, as such, they are unable to obtain funding by taking deposits or other repayable funds from the public.

If the broker only matches the lender with the borrower and does not administer the payments from the lenders to the borrowers, only registration as a financial institution with the SFSA in accordance with the Certain Financial Operations Act (1996:1006) is required. If the borrower is a consumer, such brokering requires a licence with the SFSA as a consumer credit institution in accordance with the Certain Consumer Credit-related Operations Act (2014:275). Brokers of peer-to-peer lending are either under the full supervision of the SFSA or at least subject to rules on, inter alia, anti-money laundering measures, disclosure, and ownership and management assessments.

Traditional banks also give online credit directly or through comparison platforms such as Lendo, and it is easy in Sweden to obtain loans online without having to meet face to face with a bank’s officer.

The traditional Nordic banks often participate in syndicated loans and also syndicate loans arranged by them. Also, some insurance companies and other alternative lenders increasingly participates in syndicated loans.

Online and fintech lending is, however, often in smaller amounts and typically not syndicated. If the original lender wants to offload the balance sheet, such loans can be sold as a portfolio or part of a securitisation.

Providing payment services is a regulated activity to be carried out by a payment institution, or it can be offered by credit institutions or e-money institutions. Once licensed, they can use existing payment methods or develop alternative or new ones.

Many fintech solutions do use existing payment solutions but the regulations do not impose a particular technology, or a typical payment process, and new methods can therefore be developed.

Cross-border payments and remittances by themselves are quite unregulated in Sweden. Anyone acting as an intermediary in connection with cross-border payments exceeding SEK150,000, usually banks and payment service providers, must notify the Swedish Tax Agency of the payment.

Sweden has extended the application of Regulation (EC) No 924/2009 as regards certain charges on cross-border payments in the Union and currency conversion charges, apart from Articles 6, 7 and 8, to its national currency. Charges levied by Swedish payment service providers in respect of cross-border payments of up to EUR50,000 must be the same as the charges levied by that payment service provider for corresponding national payments of the same value an in the same currency (Article 3.1).

The regulation of funds does not differentiate between fintech companies and other companies. Funds are primarily regulated by the UCITS Act (2004:46) and the Alternative Investment Fund Managers Act (2013:561), which implements Directive 2009/65/EC and Directive 2011/61/EU into Swedish law. Apart from the mentioned acts, funds are regulated by the SFSA’s regulation and, regarding alternative investment funds (AIFs), the Commissions Delegated Regulation (EU) No. 231/2013.

Fund administrators are not defined under Swedish law. Regulated actors are fund managers and depositaries. The managers and depositaries of undertakings for collective investment in transferable securities (UCITS) and AIFs may delegate to third parties the tasks of carrying out functions on their behalf. The delegation is subject to multiple requirements and limitations.

Delegation concerning portfolio management or risk management of an AIF can only be conferred on entities which are authorised for discretionary portfolio management or registered as asset managers and subject to supervision. Similar restrictions apply in regard to delegation of management of an UCITS by a Swedish management company. Regarding other services or functions, the fund administrator might, depending on the services or functions delegated, require a licence.

In order to delegate to a fund administrator, the fund manager must, in accordance with the UCITS Act (2004:46) and the Alternative Investment Fund Managers Act (2013:561) (depending on which act is applicable), inter alia, reserve the right to supervise the delegated functions. In connection with delegation of management of the assets of a Swedish UCITS, the agreement must contain guidelines for the investment of the fund assets and the right to review and amend such guidelines.

Apart from the above, the contractual terms when delegating to fund administrators should, in general, include, inter alia, terms imposing the obligation of having adequate systems (eg, IT) in place and making it possible for the fund manager to comply with applicable regulatory legislation. Liability provisions, in cases of data breaches, are also important.

Fund managers and the depositaries are the traditional “gatekeepers”. They are both subject to anti-money laundering regulation. They must therefore conduct customer due diligence and report suspicious activities. If the regulated entities delegate to other administrators, they must provide the delegate with appropriate reporting systems to report suspected violations.

Market and trading platforms are defined at EU level. According to the Markets in Financial Instruments Directive 2014/65/EU, MiFID II, there are three permissible trading platforms. These are regulated markets, multilateral trading facilities (MTF platforms) and organised trading facilities (OTF platforms).

There are two regulated markets in Sweden, Nasdaq Stockholm and NGM Equity. A regulated market is defined as a multilateral system within the EEA which brings together, or facilitates the bringing together of, multiple third parties buying and selling interests in financial instruments – regularly within the system and in accordance with its non-discretionary rules – in a way that results in a contract.

An MTF platform (eg, Nasdaq First North, Nordic MTF and Spotlight Stock Market) is a multilateral system within the EEA which brings together multiple third-parties buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract.

An OTF platform is a multilateral system within the EEA which is not a regulated market or an MTF and within which multiple third-parties buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in a way that results in a contract.

Authorisation from the SFSA is, in most cases, required to run a regulated market or a trading platform. The regulatory regime for such platforms is primarily regulated in the Securities Market Act (2007:528) and in the regulations and guidelines issued by the SFSA. Each respective platform provider also has their own rules governing the specific requirements that must be met for the listing of securities on the platform.

The same regulatory regime, pursuant to the Securities Market Act (2007:528), applies to different asset classes. However, the trading regime differs slightly for the listing of shares and bonds. Furthermore, there is currently no specific regulation that applies to crypto-assets in Sweden.

The emergence of cryptocurrency exchanges has not led to any specific changes in the applicable regulation in this area of the law. The regulator has maintained its general stance to stay neutral towards new technologies and solutions. Under national Swedish legislation, cryptocurrency exchanges facilitating the trade of virtual currencies (ie, crypto-assets intended to be used solely as a means of payment) are currently equated with providing financial services subject to registration with the SFSA under the Certain Financial Operations (Reporting Duty) Act (1996:1006). The applicable rules and regulations for the facilitation of the trade of other types of crypto-assets has not been clarified by the Swedish regulator nor tried before the courts. However, exchanges facilitating the trade of other types of crypto-asset would likely be deemed as subject to prior authorisation from the SFSA under the Securities Market Act (2007:528).

The Securities Market Act (2007:528), the marketplace and the trading platforms together establish the requirements that must be met for admission to list securities.

In general, the listing standards applicable in Sweden require that the issuer and the securities to be issued comply with the applicable law. The securities have to be freely transferable and the listing application has to include all shares in the specific class of shares. Furthermore, the issuer has to publish accounting records. The issuer must also show that it has a financial situation that is suitable to the nature of the securities. The board of directors must also have sufficient competence and experience to lead and control a listed company. In addition, companies traded on European regulated markets must draw-up and publish a prospectus in accordance with applicable information requirements pursuant to the Prospectus Regulation ((EU) Regulation 2017/1129). Once the prospectus is approved by the relevant authority, in Sweden the SFSA, it must be published. Only thereafter can the placement phase begin.

The EBA has published a strategy for fintech that seeks to focus on, inter alia, analysing processes of approval for newly established companies and consumer trends. The purpose is to co-ordinate supervision at an EU-level. There are no other listing standards agreed upon by the industry other than the rules set out by each marketplace respectively and the guidelines adopted by the SFSA.

The rules regarding order-handling are found in MiFID II and have been implemented in the Securities Market Act (2007:528). Pursuant to the regulation, investment firms authorised to execute orders on behalf of clients must implement procedures and arrangements which provide for the prompt, fair and expeditious execution of client orders. Guidelines for order-handling shall be presented by investment firms operating in Sweden.

Please see 4.3 Sources of Funds for Loans regarding licence and authorisation from the SFSA.

Regarding crowdfunding, there are currently no specific rules or regulations applicable in Sweden. The Swedish government presented a proposal for a Regulation on crowdfunding in 2018 where the need for a regulation that applies to peer-to-peer platforms was expressed. The proposal has not resulted in a law.

MiFID II stipulates that investment firms shall “take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order.” Similar rules have been implemented under the Securities Market Act (2007:528). Factors other than price and costs shall only be taken into account to the extent they contribute to the best possible result for the client. The provision aims to give clients the best possible result.

MiFID II stipulates a prohibition against investment firms receiving any remuneration, discounts, or non-monetary benefits for routing client orders to a specific trading or execution venue, unless the requirements applicable to the incentive system or the obligations on conflicts of interest are complied with. Information on all costs and associated charges, including third-party payments, shall be provided to the client. The national Swedish legislation is in accordance with the regulation in MiFID II.

The Swedish regulation for high frequency and algorithmic Trading is based on MiFID II, which as of 2017 is implemented in Swedish legislation. However, similar rules have been applied on a non-binding basis since May 2012 through the ESMA guidelines regarding automatic trading (Esma/2012/122), which was adopted by the SFSA as general advice. The current, binding regulation is set forth in the Securities Market Act (2007:528) (mainly Chapter 8 Sections 23 and 24 of said law), which include a definition of algorithmic trading in line with MiFID II as well as rules regarding efficient systems and risk control to secure that the relevant institute’s trading system is resistant and has sufficient capacity. The system shall have the thresholds, limits and filter required to prevent inaccurate orders and necessary to ensure that the system does not create disorder on the market. Furthermore, there are no distinctions or different regulatory regimes between asset classes.

A participant in high frequency and algorithmic trading is subject to the regulatory regime of MiFID II and its implementation into Swedish national law if the participant is an entity covered by MiFID II. The scope of MiFID II is wider compared to MiFID I and includes investment firms, market operators, data reporting services providers, and third-country firms providing the investment services of performing investment activities through the establishment of a branch in the EU. A new entity covered by MiFID II is the OTF, in which multiple third parties can buy and sell interests in, inter alia, bonds and structured finance instruments.

The requirements to become a market maker is set out in the market maker agreement between the market maker and the market. Each market has its own requirements. Furthermore, MiFID II sets out rules for investment firms that use algorithmic trading in a market making strategy. These rules are implemented into the Securities Market Act (2007:528) and include the requirement of efficient systems and controls in order to fulfil the market maker's obligation as well as the requirement to enter into a written binding agreement with the trading venue that regulates the market making strategy in question.

The best execution of trades in relation to algorithmic trading on Swedish markets also stems from MiFID II and the technical standards adopted by the European Commission. In short, best execution of trades regarding algorithmic trading includes setting out clear lines of accountability, effective procedures for the communication of information within the investment firm and a separation of tasks and responsibilities to makes sure that unauthorised trading cannot be concealed. Furthermore, staffing obligations, such as ensuring that the certain persons have relevant and sufficient knowledge of the trading system and algorithms as well as the investment firm’s legal obligations are included.

With regard to high frequency and algorithmic trading, there is no regulatory distinction in the relevant Swedish regulation between funds and dealers.

Payment for order flow is prohibited under Swedish law as a result of MiFID II. When implementing MiFID II, questions were raised regarding the impact of such a prohibition. A trade-off was made between a potential decrease in investor counselling and consumer protection, with the result that the adopted legislation went further than the minimum requirements set out in MiFID II in order to ensure consumer protection. One who claims to provide independent counselling cannot accept and keep compensation from a third party. Furthermore, the investment firms must inform their clients whether the consultation is independent and if it is based on a broad analysis of different investment alternatives if they are going to provide continuous consultation.

It is not mandatory for financial research platforms to apply for authorisation from the SFSA to conduct their business. Neither are financial research platforms under the supervision of the SFSA.

The spreading of rumours or other unverified information as well as disclosures of inside information may have a considerable negative impact on the market. Market manipulation is unlawful in the financial markets and regulated under the Market Abuse Regulation 596/2014/EU (MAR). Furthermore, the mere attempt to manipulate the market is unlawful. This behaviour is sanctioned in the national Swedish legislation, the Securities Market (Market Abuse Penalties) Act (2016:1307).

In Sweden there is no specific regulation pertaining to financial research platforms. However, the spreading of inside information is unlawful pursuant to the MAR.

There are no specific regulations requiring platform providers to act as gatekeepers under Swedish law.

The Insurance Business Act (2010:2043) (IBA) and the Solvency II Regulation constitute the main legal framework applicable to insurance, and reinsurance, business in Sweden. In addition, the Insurance Contracts Act (2005:104) (ICA) must be adhered to if the insurance contract is governed by Swedish law. The ICA stipulates various provisions which are mandatory in favour of the policyholder, its assignee, the insured and its beneficiaries. There are also regulations and general guidelines issued by, for example, the SFSA.

A Swedish company may conduct insurance businesses only if authorised by the SFSA as further regulated by the IBA. Authorisation is only granted to a company limited by shares (aktiebolag), a mutual insurance undertaking (ömsesidigt försäkringsbolag) or an insurance association (försäkringsförening). An application will be granted if the applicant is deemed to satisfy the requirements governing insurance operations.

The IBA differentiates between two main categories of insurance: life and non-life, and within each main category there are numerous type classes depending on what is insured under the policy.

It should also be noted that, when offering insurance products towards consumers, certain information requirements apply under consumer protection legislation.

Providers of regtech products and services are not regulated, as such, under Swedish law.

However, given the type of product or service they provide, they must ensure that their solution enables compliance with the relevant applicable regulatory framework. Regulated entities typically also expect, and will contractually oblige, the solution-provider to keep up with regulatory changes and adapt the solution accordingly.

Legislation that may affect regtech solution-providers more directly includes the implementation of national Swedish legislation based on the NIS Directive (Directive (EU) 2016/1148) stipulating requirements on data security and incident reporting, eg, for certain providers of digital services.

To the extent a regulated entity’s use of a regtech solution would qualify as outsourcing under the EBA Guidelines on outsourcing, that regulated entity needs to comply with these guidelines (see 2.7 Outsourcing of Regulated Functions for further discussion).

Providers of regtech solutions do not have a regulated function as gatekeepers. Hence, they are not obliged by law to, for example, monitor their customers or their use of the service. Nevertheless, they may be contractually bound to do so in relation to the regulated entity by, for example, solution functionality.

Legacy players in Sweden have shown interest towards blockchain technology and other distributed ledger technology (DLT) solutions. However, no solutions have been officially launched at time of writing. For instance, Nasdaq Stockholm, together with a consortium of several banks, have since 2017 been piloting the so-called ”Nordic Fund Ledger”, a private DLT ledger, in order to develop a jointly owned and governed common infrastructure between the market players as a way to streamline the settlement relating to the trade of fund units and related payments. The platform is expected to go live in 2020.

The Swedish regulator and the SFSA have, for the most part, remained silent on the subject of blockchain technology. Except for mentioning the potential implications of blockchain technology in a few reports, no concrete proposals or initiatives have been put forward. However, the SFSA has issued statements in relation to the trade of virtual currencies, warning consumers of the risks involved in investing in initial coin offerings. Furthermore, the courts in Sweden have examined the legal implications of crypto-assets, although merely in the context of criminal law and taxation. The Swedish regulatory landscape in relation to blockchain and crypto-assets is therefore currently highly unregulated.

Neither the Swedish regulator nor the SFSA has yet indicated how crypto-assets should be classified. The classification of crypto-assets has instead been left to interpretation under existing rules and regulations. Therefore, the classification of crypto-assets in Sweden would have to be determined on a case-by-case basis. From a taxation perspective, the Swedish Supreme Administrative Court has ruled that Bitcoins, or crypto-assets with similar characteristics, cannot be equated with other means of payment or securities, instead they are classified as “other assets” under applicable Swedish rules governing capital gains tax. It is uncertain whether this ruling can be used as a reference in respect of the classification of other crypto-assets or in relation to rules and regulations governing the financial services industry. Similarly, the Swedish central bank, Riksbanken, concluded in 2018 in one of its economic commentary publications, that virtual currencies should not be equated with other means of payment. However, as mentioned, virtual currencies are equated with other means of payment pursuant to the Certain Financial Operations (Reporting Duty) Act (1996:1006). Thus, it is still uncertain how crypto-assets are to be classified under Swedish law, as there is no common stance from the regulator, the SFSA or the courts.

No specific rules or regulations exist in Sweden that govern issuers of crypto-assets. Instead, as with the classification of crypto-assets, it is left to interpretation under existing rules and regulations. In general, initial coin offerings of virtual currencies are deemed to be unregulated, however, it is currently uncertain whether such initial offerings would be subject to registration with the SFSA pursuant to the Certain Financial Operations (Reporting Duty) Act (1996:1006), in the same way as providers of crypto-asset exchanges would be. It is further uncertain how the regulator and the SFSA would respond to issuances of other crypto-assets backed by equity or other similar assets. Provided that the issued assets would be equated as securities, such initial offerings would fall under applicable rules and regulations for public offerings of securities, such as the Prospectus Regulation ((EU) 2017/1129) and the Financial Instruments Trading Act (1991:980).

This issue has not arisen in Sweden.

This issue has not arisen in Sweden.

See 12.3 Classification of Blockchain Assets regarding the classification of crypto-assets, including virtual currencies.

Several of blockchain technology’s key features conflict with overarching elements in recent privacy regimes. One potential conflict is present in the disparity between the GDPR’s data-controller requirements, which centralise the responsibility for data processing to an identifiable data controller, and blockchain technology’s distributed and decentralised peer-to-peer structure that results in single responsible actors being replaced with several entities. Furthermore, while the immutability of data stored on a blockchain maintains data integrity, it risks contravening, inter alia, the principles of purpose limitation and data minimisation under the GDPR. Other examples of tension with blockchain technology relate to identifiability of data subjects, data transfers, territorial applicability and data subject rights under the GDPR. To avoid excessively restricting the use and development of blockchain technology, further regulatory guidance addressing the current legal uncertainties is highly anticipated.

Prior to the PSD2 being implemented, several fintech companies offered services based on access to information relating to loans, payments and other financial information that the customer wanted his or her bank to provide. However, the banks were reluctant and cautious about how, or whether, to hand out the information making certain comparison services difficult to offer to the customer without getting the information directly from him or her, or screen scraping.

The aim of the PSD2 was to provide the bank customer (ie, the holder of an online payment account) with a secure and easy way to provide (and revoke) his or her consent to sharing the account information required for certain service providers, being licensed either as payment initiation service providers or account information service providers. It thereby offers such service providers an opportunity to access customer information in a structured and secure way through common application programming interfaces (APIs). 

The obligation for financial institutions to make customer or product data available to third parties under PSD2 has been implemented without change in Sweden.

These APIs, and strong customer identification, was supposed to go live on 14 September 2019 and formally did. However, according to fintech companies seeking to obtain the relevant information, the APIs are still not including all relevant information at time of writing (the beginning of 2020). An example given by a market participant is that they are not getting the full customer name or other means to identify the customer. Therefore, a large number of market participants still rely on screen scraping or other means rather than having switched to fully relying on the APIs even if the banks see an increased use of the APIs, though still mostly in test mode.

The development of open banking and access to the banks' data has just started but as the APIs get established, the market participants will be able to focus more on developing new products and services within this field. 

PSD 2 has forced banks to provide access to their data to companies providing payment initiation services or account information services if the relevant customer has consented and on the condition that the company that accesses and uses the data applies the customer authentication procedure required by the bank. According to statistics (SCB, 2019-11-01, Finansiell ID-Teknik), 97.4% of the Swedes aged between 21 and 50 use the “Bank-ID” application on their smart phone and it is generally considered as a standard and preferred method for customer authentication, in particular for payment services. Hence, customer authentication is generally not a controversial or problematic issue in Sweden. Naturally, it is important that companies that access data through open banking understand that, under the GDPR, it is regarded as the data controller of such data and the legal implications thereof.

Hannes Snellman Attorneys Ltd

Kungsträdgårdsgatan 20
P.O. Box 7801
111 47 / 103 96 Stockholm

+46 760 000 000

+46 (0) 8 679 85 11
Author Business Card

Law and Practice in Sweden


Hannes Snellman Attorneys Ltd is a Nordic law firm with 300 outstanding lawyers and other professionals based in Finland and Sweden. It advises leading international and local corporations across all business sectors. The firm regularly advises fintech companies, and other actors within the financial sector, in areas such as regulatory work, including all the different Swedish Financial Supervisory Authority (SFSA) licences, as well as market regulations. Hannes Snellman also advises on transactional work, including capital raises and advising lenders or asset managers in their customer-phasing activities, as well as assisting in IT agreements, outsourcing, technology, telecommunications, data protection, e-commerce and innovation.