Fintech 2022 Comparisons

Last Updated March 24, 2022

Law and Practice


Advokatfirman Vinge KB is one of the largest full-service law firms in Scandinavia and is highly regarded for its multidisciplinary approach within the fintech space. As part of a full-service firm, Vinge’s fintech team can advise its clients across the industry on the formation of a company, its regulatory compliance and first financial licence, and later assist with large financing and transaction matters. Swedish fintech regulation comes from several regimes – from the EU to the Swedish Financial Supervisory Authority, government agencies and industry organisations. The regulations are comprehensive and change frequently, as the authorities keep pace with the innovative and legally complex services offered by fintech companies, start‑ups and legacy players. Vinge's Stockholm-based fintech team includes several internationally recognised lawyers specialised in financial regulation, the GDPR, tax and intellectual property, among other areas.

Fintech Companies

Sweden is a technologically advanced country known for producing numerous start-up companies within fintech where products span areas including banking services, payment settlement services, lending, cryptocurrency and biometrics. In terms of fintech, Sweden has produced companies such as Klarna, Tink, iZettle, Spotify, Trustly, Safello and BehavioSec, among several others. The Swedish fintech industry is still growing rapidly, and multiple fintech companies have emerged in areas such as loan consolidation, peer-to-peer lending and loans to individuals without permanent employment. The private equity industry continues to show a great deal of interest in young Swedish fintech companies.

The "E-krona"and Swish

The use of digital payments has increased significantly over the last few years and many companies no longer accept cash. Sveriges Riksbank (the Swedish Central Bank) is furthermore currently investigating an electronic currency, referred to as the “E-krona”. This project, however, is still in an early development phase and no official decision has been made. A committee has been formed to investigate a general transition towards digitalisation of currency and will publish its statement on 30 November 2022, at the latest.

In 2012, six of the largest banks in Sweden co-developed an electronic real-time payment system named Swish, which is now used by around seven million people in Sweden. Swish is accessed through an application for mobile devices (and certain other electronic devices with similar operating systems) that enables end-users to make payments electronically. Payment using Swish is often possible (and used) in consumer purchases. Swish is also a very common method for transferring funds between individuals and is, by way of example, often used when expenses are shared (eg, payments for meals). To access Swish, the user must be an existing customer with one of the banks linked to Swish, and each bank is responsible for the offers and terms for the service provided to their customers. Furthermore, a BankID is required to use Swish.


A Swedish BankID is the most commonly used method of electronic identification in Sweden for both individuals and companies. BankID is an electronic ID document comparable to a passport, driver's licence and other physical ID documents. The BankID is considered an advanced electronic signature under Swedish law and the eIDAS Regulation, and qualifies as a method for safe customer authorisation under PSD2. The BankID was created through co-operation and networking between banks operating in Sweden. The BankID can (in addition to signing documents) be used as electronic identification where the person’s identity is guaranteed by the bank that issued that person’s BankID. The BankID software can be used on multiple devices, including mobile phones.

P27 Nordic Payments

The Swedish banks Handelsbanken, SEB and Swedbank have a joint initiative, together with the Danish bank Danske Bank and the Finnish banks Nordea and OP Financial Group, to explore the possibility of establishing a pan-Nordic payment infrastructure for domestic and cross-border payments in the Nordic currencies and the Euro. This common infrastructure is called P27 Nordic Payments and is intended to enable real-time domestic and cross-border payments to be carried out quickly and easily through a common platform. Their vision is to establish the first integrated region for domestic and cross-border payments in multiple currencies within the Nordics.

Financial Regulation

As the fintech industry grows, so does the amount and level of detail within financial regulation. The supervisory authorities have, inter alia, increased their monitoring of consumer lending and put a greater emphasis on credit assessments. Furthermore, on 1 July 2020 new consumer credit regulations were introduced which forbid companies to present credit purchase as the default payment option.


The COVID-19-related government support in Sweden (eg, state guarantees for new bank financing to otherwise viable small and medium-sized enterprises facing difficulties owing to the pandemic) is now in the process of being withdrawn.

The small-to-medium fintech companies in Sweden cover a wide range of business models, including mobile payment applications, banking services, payment settlement services, lending, cryptocurrency, biometrics, fundraising applications, crowdfunding platforms, factoring and platforms facilitating the sale and purchase of goods between individuals. The legacy players, such as banks and insurance companies, generally adapt either by creating their own customised version of newly invented fintech solutions or through co-operation with and integration of smaller players and their services. Consequently, fintech companies have a wide array of possible market approaches to choose from. 

Certain fintech players have achieved fast enough growth and market expansion to directly compete with legacy players. By way of example, Klarna (a Swedish fintech company founded in 2005) now employs around 3,500 people, has a full banking licence and a 10% market share of Europe’s e-commerce payment service.

Other fintech players avoid direct competition with banks and instead choose a co-operative intermediary role. Lendo (a Swedish fintech company founded in 2007), for example, focuses on consumer credit intermediation by way of offering consumers a platform where they can obtain multiple competing loan offers from banks, commonly referred to as “loan comparison”. The credit intermediation market has seen significant growth over the past years and Lendo now also has operations in Norway, Finland, Denmark, Austria and Spain. Multiple competing credit intermediation firms have emerged in Sweden as of late. 

In terms of regtech, computer programs are protected as copyrighted works and a vast array of solutions is being developed by both small and large players.

Depending on the business model, fintech companies may become subject to one or several licensing or registration requirements. Below is a list of the most common activities in the Swedish fintech industry:

  • payment services – licence or registration pursuant to the Payment Services Act (PSA);
  • insurance distribution – licence and registration pursuant to the Insurance Distribution Act (IDA);
  • consumer credit origination or intermediation – licence pursuant to the Consumer Credit (Certain Operations) Act (CCCOA);
  • issuance of electronic money – licence or registration pursuant to the Electronic Money Act (EMA);
  • consumer mortgage origination or intermediation – licences pursuant to the Mortgage Business Act (MBA);
  • banking or financing services – licence pursuant to the Banking and Financing Business Act (SBFBA);
  • securities business – licence pursuant to the Securities Market Act (SMA);
  • insurance business – licence pursuant to the Insurance Business Act (IBA);
  • fund operations – licence pursuant to, eg, the UCITS Act (UCITS Act);
  • alternative investment fund management – licence or registration pursuant to the Alternative Investment Fund Managers Act (AIFM Act);
  • cryptocurrency trading – registration pursuant to the Certain Financial Operations Act (CFOA); and
  • currency trading or other financial operations – registration pursuant to the Certain Financial Operations Act (CFOA).

The Swedish Financial Supervisory Authority or SFSA (Finansinspektionen) has also issued various regulations supplementing the above acts. Certain financial services that are not subject to licence requirements are still subject to a requirement to register with the SFSA.

Compensation models vary a great deal within the fintech industry. The regulation of such depends on the business model and the licence held by the company. There is, by way of example, an interest ceiling on consumer credits and late payment fees. 

The main difference in regulation is that legacy players are usually subject to far more regulatory requirements. This is especially the case for banks and insurance companies where, inter alia, capital requirements are triggered. In their early stages, fintech players often offer only one product and, to reduce the costs associated with licence applications and compliance, they generally apply for the lightest possible licence.

The fintech players that eventually grow larger, gradually apply for additional licences as they launch new products. Eventually some of them, eg, Klarna (described in 2.1 Predominant Business Models) obtain a full banking licence. 

In March 2018 the SFSA introduced the SFSA Innovation Centre, which is a step in the Swedish government’s plan to establish a good business environment for fintech companies. The Innovation Centre is meant to serve as a first point of contact for companies where they can raise questions regarding the applicable regulation for new business models and innovations within fintech. Sweden does not have a regulatory sandbox regime and the Innovation Centre serves to mitigate the resulting difficulties for fintech companies.

The following supervisory authorities are those most relevant for fintech business models.


The SFSA is the central financial supervisory authority in Sweden. The SFSA answers to the Swedish Ministry of Finance (Finansdepartementet) and is tasked with supervising and monitoring the financial markets and all businesses with operations that are subject to a financial licence or registration requirement. 

By way of example, the required licences described in 2.2 Regulatory Regime are issued by the SFSA. In addition to the licensing process, the SFSA is also responsible for handling companies’ regulatory reporting (which differs on a case-by-case basis, depending on the licence held by the company).

The Swedish Consumer Agency (SCA)

The Swedish Consumer Agency or SCA (Konsumentverket) is tasked with safeguarding consumer interests. It is headed by the Consumer Ombudsman (Konsumentombudsmannen) which represents consumer interests when pursuing legal action in court. The SCA is, inter alia, very active in monitoring the marketing of consumer credit and insurance products.

Additional consumer protection activities under the SCA’s mandate include ensuring the safety of products and services, monitoring compliance with consumer legislation (including marketing towards consumers) and providing consumers with independent advice and information.

The Swedish Authority for Privacy Protection (SAPP)

The Swedish Authority for Privacy Protection or SAPP (Integritetsskyddsmyndigheten) is a public supervisory authority responsible for monitoring compliance with the GDPR. The SAPP issues regulations and guidelines for the usage and processing of personal data. Its mandate encompasses all GDPR-related issues in Sweden and is not limited to the Swedish financial industry. The SAPP carries out inspections and can issue fines in accordance with the GDPR. The SAPP (unlike the SFSA) is generally not responsible for business licences, with certain exceptions such as debt collection activities, the provision of credit references and credit information services.

The Swedish Economic Crime Authority (SECA)

The Swedish Economic Crime Authority or SECA (Ekobrottsmyndigheten) is a public prosecution authority responsible for fighting economic crime such as tax evasion, false accounting, money laundering, embezzlement, insider trading and market abuse. The SECA co-operates with other agencies and organisations to carry out crime prevention, intelligence gathering and prosecution.


The European Banking Authority (EBA), the European Securities Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) guidelines and technical standards are applicable in Sweden.

There are multiple legal requirements with respect to outsourcing of regulated functions. Albeit subject to some variation, companies with regulated functions (including most fintech companies) are required to exercise the requisite skill, care and diligence when entering into, managing and terminating outsourcing arrangements. The rights and obligations of the outsourcing company and the service provider must be clearly documented in an outsourcing agreement. If a company intends to outsource a significant part of its licensed operations, the company is required to notify the SFSA in advance and to provide the SFSA with a copy of the relevant outsourcing agreement.

Gatekeeping liability may vary to a great extent depending on the fintech providers’ business model. In addition to being responsible for the marketing on their websites and in their apps (including GDPR aspects), they are generally also subject to anti-money laundering (AML) provisions. 

Sanctions against smaller fintech companies usually lead to remarks, warnings, administrative fines and/or the revocation of their SFSA licence. In the case of fintech operations carried out by legacy players, sanctions generally consist of fines. Significant sanctions by the SFSA are uncommon, but in 2020 the two banks, Swedbank and SEB, were issued administrative fines in the amount of SEK4 billion and SEK1 billion, respectively, due to non-compliance with Swedish legislation on AML. In 2022, Trustly received a warning and administrative fine of SEK130 million.

The SFSA publicly announces its investigations regardless of whether the investigation results in a sanction.

The SCA is active in monitoring consumer lending businesses and insurance mediation, among others. The SCA’s fines are, however, much lower than those of the SFSA.


The GDPR and the Act on Supplementary Provisions to the GDPR apply regardless of industry sector (ie, also in relation to credit institutions, other regulated entities and to the innovative fintech entities that are not subject to SFSA supervision and the financial regulatory framework). Naturally, these players are forced to take, for example, the GDPR principle of “privacy by design” into consideration in their offerings so that the regulated entities are able to comply with the GDPR requirements.


The SFSA has issued regulations and general guidelines regarding information security, IT operations and deposit systems which apply to credit institutions and investment firms. The regulations require the relevant entities to work in a structured and methodical manner with information security. Furthermore, it regulates corporate governance, procedures for IT operations, and establishes requirements on the security of deposit systems. Since 1 March 2018, the regulations have also applied to entities with authorisation to conduct clearing operations.


In addition to the SFSA’s regulations, under the new EBA Guidelines on Outsourcing Arrangements ("Outsourcing Guidelines"), certain IT security issues need to be addressed in the contract when a critical or important function of a regulated entity is outsourced (see 2.7 Outsourcing of Regulated Functions). The Outsourcing Guidelines also address certain privacy issues and, in essence, require compliance with the GDPR.

Swedish Legislation Based on the NIS Directive

Moreover, the implementation of national Swedish legislation based on the NIS Directive may affect regulated entities as well as technology providers and requires, for example, incident reporting of certain events. In the case of a security incident relating to personal data, the regulated entity may have to report the incident separately both under the GDPR and the NIS Directive.

The Protective Security Act

Regulated entities, primarily credit institutions, may also be affected by the Protective Security Act, which came into force in April 2019. It applies to anyone conducting security-sensitive operations aiming to protect Sweden against, for example, espionage and terrorist offences, and imposes the implementation of certain security arrangements and procedures that may also affect technology providers.

The Swedish Money Laundering and Terrorist Financing Prevention Act

The Swedish Money Laundering and Terrorist Financing Prevention Act (implementing the Fourth Anti-Money Laundering Directive 2015/849/EU) (AML Act) applies to fintech operations (eg, banks, registered financial institutions, consumer credit institutions and payment services). As such, there are requirements to conduct, among other things, risk assessments on how their services could be used for money laundering and terrorism financing, in addition to conducting customer due diligence. Entities must conduct customer due diligence measures when establishing a business relationship or, in the absence of an established business relationship, when carrying out an occasional transaction that amounts to more than EUR15,000, or a transfer of funds that amounts to more than EUR1,000.

Companies that are licensed by or registered with the SFSA, and a significant number of companies and other professionals outside the financial sector, are obliged to prevent money laundering and financing of terrorism by complying with the AML Act and subsequent regulations. Pursuant to the AML Act and the SFSA’s supplementary regulations, companies are required to adopt internal AML procedures.

The SFSA is tasked with ensuring that financial companies adhere to the AML regulations. The County Administrative Board (Länstyrelsen) supervises companies and professionals outside the financial sector.

The Swedish Penal Code

Bribery is criminalised under the Swedish Penal Code, which is applicable to all Swedish companies. Most financial companies are required to adopt ethical guidelines setting out, inter alia, the company’s procedures to combat bribery. 

While the main supervision of industry participants is performed by regulators, industry participants also generally appoint an auditor for their business activities. In addition, the Swedish market also has a tradition of engagement by industry participants other than regulators in the development of industry practices and standards. Some of the associations for industry participants are the Swedish Banker’s Association (Bankföreningen), the Swedish Securities Markets Association (Svensk Värdepappersmarknad), the Swedish Investment Fund Association (Fondbolagens förening) and the Swedish Insurance Society (Svenska Försäkringsföreningen). The Swedish Fintech Association also aims to provide a communication platform for the fintech community and, inter alia, to maintain a dialogue with the Swedish authorities regarding new regulations. 

Business models with a conjunction of regulated and unregulated products and services are rare. In general, companies appear hesitant to offer both regulated and unregulated services or products from the same company, as it may be problematic from a regulatory perspective. There are, however, many instances where “higher” and “lighter” regulated products are provided together. By way of example, subcontractors are sometimes used by banks as intermediaries of consumer credits and insurance. Such intermediary does not require a full licence as an originator of loans or as an underwriter of insurance. 

Regulated fintech companies are required to comply with the Swedish anti-money laundering regime, including adopting relevant AML policies based on the AML risks associated with the products and services offered by the company. The company must carry out Know Your Customer-controls of any new clients. It should be noted that the Swedish FSA has recently declared that payment institutions offering online payments may have to treat the end users (the payer) as customers and not limit its KYC-controls to the merchants (the payee). Unregulated companies that are not covered by the Swedish Money Laundering and Terrorist Financing Prevention Act do not have to comply with the AML regime. However, many companies do include AML-risks in their compliance programmes.

There is no specific regulation of automated investment advice in Sweden. The SFSA defines automated investment advice as personal advice regarding financial instruments that is provided without (or with limited) human interaction. In Sweden, automated investment advice (eg, robo-advisers) constitutes regulated investment advice under the SMA and is subject to all the substantive provisions of the Swedish MiFID II implementation, including the SFSA’s regulations regarding investment services and activities. 

Several Swedish legacy players, such as banks, have included robo-advisers in their businesses. Robo-advisers are today mainly used for providing advice regarding the allocation of pension savings and private savings in UCITS.

Robo-advisers are subject to the same rules as traditional advisers.

Swedish regulation does not, in terms of the regulation of providing loans, categorise different legal entities based on size or type of business. However, there are significant differences in the regulation of consumer loans and loans to businesses.

Consumer Lending

Consumer lending is regulated through, inter alia, the CCA, which includes provisions relating to sound lending practices, marketing of consumer loans, credit assessments, information required prior to concluding loan agreements, and in relation to the documentation of loan agreements, interest, fees and repayment of loans, among others. In order to offer or originate consumer loans, authorisation from the SFSA is required under, for example, the CCCOA (should the company solely provide or act as an intermediary in relation to consumer loans), the SBFBA (should the company instead be considered a credit institution, as defined in the Capital Requirements Regulation) or the MBA (should the company solely provide consumer loans in the form of mortgages and be considered a housing credit institution).

Consumer Credits

Consumer credits are subject to rules regarding so-called high-cost credits, defined as credits granted to consumers having an interest rate of 30% above the reference rate (as determined by the Swedish Central Bank) and which do not primarily relate to a credit purchase or residential immovable property. The maximum amount of interest, as well as any default interest, that may be charged under a credit agreement may not be 40% or more above the reference rate, and the maximum amount of fees under a credit agreement may not exceed the credit amount.

All marketing of consumer credits is subject to requirements regarding moderation and restraint. Pursuant to the Swedish government's preparatory works, it is stipulated that the marketing should be as neutral and factual as possible and may not be intrusive (such as targeting certain types of possible consumers via digital means). The marketing should also be balanced so that the credit is not disproportionately highlighted, which could reduce the consumer’s ability to make a well-founded decision.

Loan origination is regulated under the SBFBA and in subsequent regulations and guidelines issued by the SFSA and the SCA. The SFSA and the SCA have in recent years raised demands on lenders’ investigation of creditworthiness prior to entering into loan agreements with consumers. Furthermore, the loan agreements must comply with the CCA. 

An originator financing loans through repayable funds from the public must obtain a licence as a credit institute under the SBFBA. Common types of funding for loan originators include investments from investors, issuance of bonds, facility agreements, peer-to-peer lending or securitisation using SPVs. Companies participating in financing, for example, by way of acquiring claims (invoice trading) are required to register their operations with the SFSA (by way of notification to the SFSA) and are further obliged to comply with provisions relating to, for example, AML, and undergo ownership and management assessments.

There is currently no specific regulation of crowdfunding under Swedish law. Certain crowdfunding schemes may, however, fall within the scope of the general financial services framework. In the case of equity-based crowdfunding, the Swedish Companies Act prohibits Swedish private limited liability companies and/or their shareholders from attempting to sell shares, subscription rights, debentures or warrants issued by the company to the public. The Crowdfunding Regulation came into force on 9 November 2020 and will apply from 10 November 2021. It will provide a harmonised framework for crowdfunding service providers. Swedish legislation with supplementary provisions is currently under development. 

On 18 February 2021 the SFSA stated that companies which fund their lending through the issuance of bonds must apply for a financing business licence under the SBFBA, unless the bonds are subject to a transferability restriction preventing the bonds from, at any point, being acquired by the public. 

Larger loans (such as, for financing of company acquisitions or large-scale business) are often underwritten using loan syndication, and Swedish legacy players (such as the larger banks and insurance companies) commonly participate in the syndication of loans.

Smaller loans, such as consumer lending carried out by fintech companies, are generally financed using facility agreements with a legacy player or through the use of SPV securitisation. 

In principle, payment processors may use either existing payment rails or implement new ones. They would, however, be required to obtain a licence from the SFSA, to operate as a payment institution under the PSA, an electronic money institution under the EMA or as a credit institution under the SBFBA.

There is little detailed regulation of cross-border payments and remittances in Sweden. Although not directly linked to any of the payment service provider licences, a company which acts as an intermediary for cross-border payments exceeding SEK150,000 must, pursuant to Swedish tax law, report the transaction to the Swedish Tax Agency (Skatteverket). A company can be deemed to constitute an intermediary even though the company does not technically execute the payment itself.

Swedish investment funds are mainly regulated through the UCITS Act and the AIFM Act. Fund administration is not defined under Swedish law and fund administration services are generally unregulated. It is, however, a prerequisite to have a regulatory licence to conduct certain administrative services, such as depositary services. Depositary services include monitoring a fund’s cash flow, ensuring that all payments made by investors upon subscription of units or shares in a fund have been received and that all the cash of the fund has been booked in the correct cash account. Furthermore, depositary services also include safe-keeping of a fund’s financial instruments and other assets. These services are regulated by the above-mentioned acts. Additionally, if a Swedish custodian is delegated custody functions or where the fund administration services include trade settlement, the relevant entity must be authorised in accordance with the SMA.

Pursuant to the UCITS Act and the AIFM Act, the management of Swedish UCITS and AIFs, the sale and redemption of units in a fund, depositary services and the administrative measures relating thereto may only be conducted if the company is licensed by the SFSA. Foreign EEA management companies authorised in their respective home state are able to rely on passporting to carry out operations in Sweden.

Fintech companies would not generally fall within the scope of any of the above regulatory regimes.

Fund managers are responsible for their compliance with the regulatory framework in relation to services provided to the fund manager by the fund administrator. Therefore, where relevant, fund managers should include provisions on service levels, standards of IT security and obligations imposed to ensure that they are compliant with applicable regulatory and other legislation. Some contracts with fund administrators would furthermore be encompassed by the regulatory framework for funds concerning outsourcing. Where this is the case, the fund manager must, inter alia, ensure that:

  • the provider will perform its duties efficiently and in accordance with agreed service levels;
  • the provider has proficient knowledge and competence with regards to the assignment;
  • the provider will co-operate with the SFSA in relation to the outsourced function; and
  • the fund administration contract contains a termination clause ensuring termination without affecting the continuity and quality of the fund’s business.

For fund administration in the form of depositary services, as described in 6.1 Regulation of Fund Administrators, the fund manager must appoint the depositary which will be governed by a written contract pursuant to the AIFM Act and the UCITS Act, as applicable. There are statutory requirements for the contracts to govern the flow of information deemed necessary to allow the depositary to perform its functions for the fund, as well as detailed requirements in Article 83 of Delegated Regulation (EU) 231/2013 in relation to AIFs and Article 2 of Delegated Regulation 2016/438 in relation to UCITS. This contract will, inter alia, contain descriptions of the services to be provided by the depositary and the procedures to be adopted for each type of asset in which the fund may invest and which shall then be entrusted to the depositary, and a description of the way in which the depositary’s functions are to be performed and the procedures ensuring that the fund manager is enabled to review the performance of the depositary.

The legal definitions of trading platforms and the regulation thereof are based on MiFID II, implemented through the SMA in Sweden. In addition, there are regulations and guidelines issued by the SFSA. Furthermore, each trading platform provider also has its own rules governing the specific requirements that must be met for the listing of securities on the trading platform. The three types of permissible trading platforms in Sweden are regulated markets (reglerade marknader), multilateral trading facilities (MTF platforms) (multilaterala handelsplattformar) and organised trading facilities (OTF platforms) (organiserade handelsplattformar).

Regulated Markets

Nasdaq Stockholm (operated by Nasdaq Stockholm AB) is the primary securities exchange in the Nordic countries, where more than 300 companies are listed for trading. Main Regulated Equity (operated by Nordic Growth Market NGM AB, which is owned by the Börse Stuttgart Group) is a regulated market for shares, bonds, debentures and structured products.

Multilateral Trading Facilities

There are three MTF platforms in Sweden which are designed for fast-growing small and medium-sized companies: First North (operated by Nasdaq Stockholm AB), Nordic SME (operated by Nordic Growth Market NGM AB), and Spotlight Stock Market (operated by ATS Finans AB).

Organised Trading Facilities (OTF)

There are currently no OTF platforms based in Sweden.

The SMA generally applies for all asset classes. However, there is no specific regulation for cryptocurrency and there are slightly different rules for the trading of shares and the trading of bonds.

There is no comprehensive regulation of cryptocurrency exchanges in Sweden and it is not expected that a domestic regime will be introduced due to the proposed, but not yet approved, harmonised regulation on Markets in Crypto-Assets, from the European Commission. Nonetheless, business operations consisting of the management of, or trading in, virtual currency must be registered with the SFSA under the CFOA, in order to comply with the Swedish AML/CFT regime, as implemented following the enforcement of the 5th AML/CFT Directive. This requirement encompasses business operations conducting exchange between virtual currencies (eg, bitcoin and ether) and fiat currencies or other virtual currencies.

Where a cryptocurrency would qualify as a financial instrument, the extensive legal framework encompassing business activities involving these instruments would apply, including the SMA, the Prospectus Regulation, the Market Abuse Regulation and the Short Selling Regulation, among others.

Listing standards are set by the operator of the trading platform, the SMA and the SFSA’s regulations. The issuance of shares in, by way of example, a Swedish limited liability company (aktiebolag) requires statements from the board of directors and evidence of payment. Share issues must be registered with the Swedish Companies Registration Office or SCRO (Bolagsverket) and will also require an issuer agent to handle settlement of the shares to the subscribers.

Several form requirements apply in relation to the SCRO, Euroclear Sweden (the central securities depository in Sweden) and the relevant marketplace. The listing process is subject to an approval process from the relevant marketplace, which generally includes various forms requiring execution and documentation being provided. Prior to the application and the admission to trading on a marketplace, the company must first change the company category to a Swedish public limited liability company (publikt aktiebolag) and introduce a record clause. The company must then register its shares with Euroclear Sweden which includes, inter alia, a KYC process. Additionally, companies with shares traded on a regulated market are required to publish a prospectus in accordance with the Prospectus Regulation. The prospectus must be submitted for review and approval by the SFSA before being published.

Under the SMA, companies licensed to execute orders on behalf of clients must, inter alia, have systems and procedures in place which enable the prompt, efficient and fair execution of clients’ orders. Furthermore, the company must have guidelines stipulating how the company will achieve the best possible result in its execution. The guidelines must regularly be reviewed and updated and must include specific instructions for each type of financial instrument.

Companies which facilitate peer-to-peer or marketplace lending (consisting of loan intermediation or brokering) are regulated by and require authorisation pursuant to the CCCOA, which contains regulations on, inter alia, AML and loan intermediation. If the company is also responsible for the transaction of funds between lenders and borrowers (including keeping funds on a client account), the operations would instead require authorisation pursuant to the PSA. The PSA imposes additional requirements in relation to, for example, own funds, information and technical processes for the execution of payment transactions.

See 7.5 Order Handling Rules. Unless there is a particular reason to deviate, customer trades must also be executed in the order in which they were received.

Under the SMA, investment firms may only accept remuneration or equivalent benefits from a third party if these are designed to improve the quality offered to the customer and do not impede the investment firm’s ability to act honourably, fair and professionally in relation to the customer’s interests. Furthermore, prior to providing the service to the customer, the investment firm must disclose the existence of such third-party remuneration to the customer.

The basic principles of market integrity in Sweden are based on good practice in the stock market (god sed på värdepappersmarknaden) and the Swedish Securities Council (Aktiemarknadsnämnden) is responsible for issuing rulings and guidelines for what constitutes such practice. Furthermore, insider trading and market abuse are prohibited through the Market Abuse Regulation (MAR) and the Swedish implementation of the Market Abuse Directive (MAD).

Sweden has implemented its regulation of high-frequency and algorithmic trading in line with MiFID II through the SMA and there are no separate regulatory regimes for different asset classes. Companies that conduct algorithmic trading must report this to the SFSA and to the authority in charge of supervising the relevant trading platform. Furthermore, companies are required to:

  • have efficient systems and risk measurements in place which are tailored for that particular type of trading (such systems must be able to ensure that the trading system is sufficiently resilient, has adequate capacity, that trading limits are enforced and that wrongful trades are not made);
  • ensure that their trading systems cannot be used in conflict with the MAR and the rules of the relevant trading platform;
  • have in place adequate contingency plans; and
  • document such plans and preparations so that they may be reviewed by the SFSA.

Companies engaging in high-frequency and algorithmic trading must also document all the above systems, plans and preparations so that the SFSA and the authority in charge of supervising the relevant trading platform may review these.

Companies that conduct algorithmic trading in the capacity of market makers are subject to the regulations described in 8.1 Creation and Usage Regulations. Furthermore, each trading platform provider has its own set of rules and the market maker must, pursuant to the SMA, enter into a written agreement with the provider which clearly dictates the obligations of the market maker. The agreement must include clauses regulating at what times the company may act as market maker, what potential exceptions apply to the agreed times, the market maker's obligation to make firm quotes in the competitive process such that the market is provided with liquidity on a regular and predictable basis, and the incentives offered in the form of rebates, etc. The market maker must also have sufficient systems and controls to comply with the obligations set out in the aforementioned agreement. Furthermore, the market maker must publish information regarding the quality of its execution of transactions on a yearly basis.

There is no regulatory distinction between funds and dealers.

Programmers who develop and create trading algorithms and other electronic trading tools are not in themselves regulated.

Financial research and the publication thereof is not subject to any financial regulation or authorisation requirements as such, unless it includes, for example, the provision of critical benchmarks as defined in the Benchmark Regulation. 

Market manipulation, attempted market manipulation (including the spreading of rumours and other unverified information) and dissemination of insider information is unlawful pursuant to the MAR and is punishable under the Swedish Securities Market (Market Abuse Penalties) Act. 

Pursuant to the Electronic Bulletin Boards Act, a platform (eg, in the form of a website) provider has a responsibility to supervise the platform and to remove posts that contain threats or promote violence, racism or copyright infringement, among others. For rules regarding insider information, see 9.2 Regulation of Unverified Information.

The industry participants within underwriting (as opposed to within the distribution of insurance) consist of licensed insurance companies which are regulated by, inter alia, the Insurance Business Act, the Insurance Contracts Act and EU regulations such as Solvency II, as well as various regulations and guidelines issued by the SFSA.

Insurance intermediaries are subject to, inter alia, the Swedish Insurance Distribution Act, the Insurance Distribution Ordinance and the SFSA’s Insurance Regulations and General Guidelines.

The two main categories are life insurance (livförsäkring) and non-life insurance (skadeförsäkring). Furthermore, a distinction is also made between consumer and non-consumer customers, where consumers enjoy additional consumer protection provisions. 

There is no special regulation of regtech providers in Sweden and consequently they are only regulated where they are subject to any of the existing financial regulatory frameworks.

If, pursuant to the legislation governing the regulated user, usage of the regtech solution qualifies as outsourcing (see 2.7 Outsourcing of Regulated Functions), the contractual terms would, in addition to general industry practice, be dictated by financial regulation. To what extent the provisions are regulated would however depend on, inter alia, the licence held by the user of the regtech product or service.

While there are several small players on the Swedish market conducting business operations with technologies and services based on blockchain technology, there have not been any major launches by traditional players in Sweden of new platforms, systems or products based on blockchain.

Handelsbanken is co-operating with the Swedish Central Bank in the digital currency project (discussed under 1.1 Evolution of the Fintech Market) to assess how the digital currency could be integrated into existing banking payment systems. While this shows that traditional players are expected to play an important role in the potential implementation of the digital currency, there has been debate as to whether the E-krona will have an eroding effect on the traditional deposit-financing of commercial banks.

There are currently no specific rules or legal guidelines for blockchain and distributed ledger technology. As discussed in 1.1 Evolution of the Fintech Market, the Swedish Central Bank has an ongoing project concerning the establishment of a digital currency called the E-krona. The latest report released on this project covers the technical and legal questions arising through the use of blockchain technology. The report concluded that, inter alia, the technological solution must be investigated further and that a parallel network for payments by the Swedish Central Bank based on blockchain technology would create a more robust payment infrastructure, as it could function simultaneously to and independently of the ordinary payment system.

There is no specific legal classification available for blockchain assets. As such, any asset based on blockchain technology would need to be categorised on a case-by-case basis under the existing rules and regulations, where applicable.

There are currently no specific provisions governing issuers of blockchain assets or ICOs in Sweden. In the event that blockchain assets qualify as financial instruments under the SMA, the issuers may become subject to, for example, the SMA, the AIFM Act, AML provisions and/or the Prospectus Regulation, depending on the nature of the assets involved and the issuing thereof.

There is no particular Swedish legislation targeting blockchain asset trading platforms. The CFOA does, however, govern trading in virtual currencies and in many cases, where the blockchain assets are virtual currencies (as defined in the CFOA), they would be encompassed by said act. Likewise, should a blockchain asset be considered a financial instrument pursuant to the SMA, the Swedish implementation of MiFID II governing trading venues would apply.

Funds that invest in blockchain assets are not subject to any additional blockchain-specific regulation.

As discussed under 12.3 Classification of Blockchain Assets, there are no rules specifically targeting blockchain assets, and as explained in 7.3 Impact of the Emergence of Cryptocurrency Exchanges, the Swedish CFOA does contain provisions governing business operations consisting of the management of, or trading in, virtual currencies. Under the CFOA, a virtual currency is a digital representation of value which is not issued or guaranteed by a central bank or public authority; is not necessarily attached to a legally established currency; and does not have the legal status of currency or money, but which is accepted as a means of exchange and can be transferred, stored and traded electronically. The SFSA has indicated that both bitcoin and ether are virtual currencies under the CFOA.

Sweden does not have any specific regulation of decentralised finance (DeFi) platforms and GDPR is directly applicable in Sweden. As in other jurisdictions and EU bodies, there is uncertainty in Sweden regarding whether it is possible to fulfil the GDPR’s requirements regarding, inter alia, the responsibility of data controllers and the necessary capability of minimising, modifying and erasing data where needed.

As with other crypto-assets NFTs are not subject to separate regulation under the Swedish financial regime. Apart from when a crypto-asset would be considered an asset encompassed by the scope of other regulatory frameworks (such as a financial instruments covered by MiFID II or electronic money covered by the EMD II), the only rules specifically targeting crypto-assets in Sweden is the requirement for providers of exchange services between virtual currencies and fiat currencies and custodian wallet providers to register with the Swedish Financial Supervisory Authority. However, given that virtual currencies are defined as to only encompass virtual currencies which does not possess a legal status of currency or money but is accepted by natural or legal persons as a means of exchange, it is unlikely to cover NFTs.


Sweden has implemented PSD2 and it has generally had a positive impact on companies providing open banking solutions, opening up more areas of the banking system for innovative companies. While Sweden initially implemented PSD2 without any changes, the legislator has since introduced rules stipulating that online payments by consumers may not offer credit as the first payment alternative, nor should that be the default option where there is an option to pay in other ways. This rule was introduced in July 2020 in order to mitigate a further increase in household debt.


The use of Application Programming Interfaces (APIs) is likely to increase and, as a result, there will be an increase in new services related to this. The transition to providing APIs was subject to much debate in the media and there were concerns regarding how payment account information may come to be used.

Protection of Personal Information by Third Parties

There have been some concerns regarding whether the protection of personal information will be sufficient once this is disseminated to third parties by banks, given that many third-party applications are provided by smaller actors with significantly fewer resources to combat cyber-attacks. Such companies are, however, still subject to GDPR and should not therefore strive to be in possession of such information unless sufficient systems are in place.

The Legality of Screen-Scraping Information

There has furthermore been an active debate in the media, involving the SFSA, traditional wholesale banks and fintech companies, about the legality of screen-scraping information held by banks, other than information on payment accounts. The discussion has been exacerbated by the lack of guidance provided by the SFSA on how the rules should be interpreted. However, after having received indications that some account service providers do not provide APIs and that some third-party service providers that use APIs are not compliant with Delegated Regulation 2018/389, the SFSA published a general clarification on the requirements in relation to information on payment accounts.

Third-party service providers must use the APIs made available by the account providing service providers and account service providers must supply APIs that are compliant with the above-mentioned delegated regulation. This debate will likely continue until the SFSA takes a clearer position or until the question reaches and is ruled upon in a court of law.

Advokatfirman Vinge KB

Smålandsgatan 20
PO Box 1703
Stockholms Län
SE-111 87

+46 10 614 30 00

+46 10 614 31 90
Author Business Card

Law and Practice in Sweden


Advokatfirman Vinge KB is one of the largest full-service law firms in Scandinavia and is highly regarded for its multidisciplinary approach within the fintech space. As part of a full-service firm, Vinge’s fintech team can advise its clients across the industry on the formation of a company, its regulatory compliance and first financial licence, and later assist with large financing and transaction matters. Swedish fintech regulation comes from several regimes – from the EU to the Swedish Financial Supervisory Authority, government agencies and industry organisations. The regulations are comprehensive and change frequently, as the authorities keep pace with the innovative and legally complex services offered by fintech companies, start‑ups and legacy players. Vinge's Stockholm-based fintech team includes several internationally recognised lawyers specialised in financial regulation, the GDPR, tax and intellectual property, among other areas.