Fintech 2021

Last Updated March 18, 2021


Law and Practice


BBA//Fjeldco is the result of a merger of two of the leading corporate law firms in Iceland, BBA and Fjeldco. The merged firms have, since 1998, been leading in the field of mergers and acquisitions, capital markets, banking and corporate finance, energy and PFI projects, as well as general corporate and commercial matters. BBA//Fjeldco has provided advice on many of Iceland’s biggest and most complicated financing and M&A deals, as well as the country’s most important PFI and energy projects. The firm has over 25 specialised business lawyers, with qualifications in Iceland, England, France and New York. BBA//Fjeldco has offices in Reykjavik and London, together with operations in France.

In recent years, the finance industry has changed rapidly in Iceland with fintech solutions at the forefront of those changes. Fintech solutions are provided by the three largest commercial banks in Iceland, as well as other independent businesses. Icelanders are generally considered to have a high adoption rate towards new solutions in the financial industry, for example with the online banking which quickly became the norm for Icelanders.

All of the banks have an online presence and online banking apps. The apps are all being widely used by Icelanders. A very high percentage of online banking users also use specific electronic certificates to log in to their online banks. The banks have also offered instant loans with the borrowing process conducted solely by electronic means and interest rates based on the borrower’s credit score.

In January 2018, the Association of Fintech Companies was established as a lobbying group to improve the current operating environment for fintech companies in Iceland. In August of 2018, the Fintech Cluster was also established to strengthen innovation within the field and co-operation. Also, worth mentioning, in December 2018, a fintech research centre was established within the University of Reykjavík.

Of course, these are only a few noteworthy fintech trends of the past year but, as can be seen, the overall focus of fintech businesses in Iceland seems to be on making the banking experience as user-friendly as possible and improving certain banking functions. Other factors, such as peer-to-peer lending, have yet to have as much of an impact on the market.

The largest segment of fintech, in terms of participants, has been related to open banking and solutions, with add-ons such as consumer credit.

The predominate business of fintech enterprises has been aimed at consumers and aimed or marketed towards facilitating ease of service, this applies to both independent fintech firms and legacy players offering fintech solutions (either in their own name or through subsidiaries/affiliates).

As a result, a majority of the stand-alone participants income derives from consumers as transactional fees.

In general, fintech businesses need to operate within the general financial regulatory framework much like other financial businesses. There is no specific legislation aimed at fintech activities and, therefore, the relevant fintech business must align itself to the existing legal framework. The key legislation, in this regard, includes the Act on Financial Undertakings, the Securities Act and the Payment Services Act.

The Payment Services Act awaits the implementation of Directive (EU) 2015/2366, PSD II, which is expected to occur late 2021 or early 2022. Additionally the market in financial instruments directive awaits full implementation. Further, companies wishing to provide financial services are subject to the supervision of the FSA and generally must obtain operating licences/authorisations from the FSA to provide their services.

Iceland implements most of its financial regulatory framework from the EU, through its participation of the European Economic Area (EEA).

As mentioned, compensation is predominantly in the form of transactional fees which are direct fees charged on the users, which in most cases are consumers. Indirect fees are also applicable in some cases but are more an ancillary income stream where the fintech industry participant can use data as an ancillary income stream either through targeted ads or consumer behaviour.

Legacy players and fintech industry participants are subject to the same regulations as there are no specific fintech regulations applicable in Iceland. Therefore, the regulatory regime applicable to both types of parties is determined by the operations of the party and whether such operations extend into regulated sectors or not. Certain parties, such as operators of cryptocurrency exchanges (discussed in more detail below) are subject to a specific set of regulations which does not apply to others.

The Central Bank of Iceland, Financial Supervision (FSA) has set up a specific Fintech Help Desk. The Fintech Help Desk assists those who provide, or aim to provide, new financial services classified as fintech. The Fintech Help Desk operates as an internal fintech task force, within the FSA, assisting individuals and companies with regulatory issues or business-specific questions. It is intended to support and promote communication with fintech parties and analyse whether the financial services in question are in accordance with the applicable law and regulations; as well as whether any licences and/or authorisations are required.

The procedure operates in a way that a fintech party sends the “FSA Fintech Questionnaire” to the Fintech Help Desk and then receives a response from the FSA within ten business days. Subsequently, the relevant fintech party may receive counselling from the Fintech Help Desk by phone (maximum 30 minutes) or request a meeting in person with the fintech task force (maximum one hour).

As concerns regulatory sandboxes, they have not been implemented in Iceland. However, the White Paper on the Future of Iceland's Financial System does suggest it as one measure to deal with the rapid fintech innovation. To do so, changes to the regulatory framework would be required to authorise the FSA to grant exemptions in those cases.

In relation to financial, insurance or securities regulatory matters, the FSA is the sole regulatory party in Iceland, however, certain aspects of the operations of industry participants may be subject to regulatory oversight by other parties, namely the Data Protection Authority in relation to data protection and privacy matters.

The same rules apply to the outsourcing of regulated function by fintech industry participants as legacy players. It’s important to note that outsourcing does not entail outsourcing of the responsibility for the relevant regulated function as that responsibility remains with the fintech industry participant/legacy player. Therefore, outsourcing cannot be used to limit or reduce responsibility/liability.

Outsourcing must conform with the FSA’s guidelines on outsourcing which include the inter alia the European Banking Authorities guidelines on outsourcing (EBA/GL/2019/02). The aforementioned guidelines provide for, in certain instances, mandatory contractual requirements. Such requirements include audit and access provisions, contingency plans, termination and data privacy/protection and confidentiality provisions.

Gatekeeping liability for fintech providers varies heavily depending on the extent of their operations.

A fintech platform can be limited to certain functions which does not trigger any gatekeeping liability as such liability rests with either other fintech platforms or legacy players.

The primary gatekeeping liability which can come into play is related to AML requirements and parties which provide certain services are required to conduct an AML check. Such parties include payment institutions, e-money institutions and parties which offer cryptocurrency exchange into either e-money or other currency.

The most significant enforcement action undertaken by the FSA relates to the company Aktiva. Aktiva intended to operate a platform for peer-to-peer lending. The FSA concluded that Aktiva had been operating as a payment service provider without having the relevant licences, see the Payment Service Act (based on PSD I). The FSA suspended Aktiva’s operations immediately and Aktiva has since refocused its business.

The primary regulation applicable to both types of participants, ie, legacy players and fintech industry participants, is privacy and data protection regulation.

The regulatory framework concerning data protection in Iceland, is mainly based on secondary legislation from the EU. Iceland regulates the collection, use and transmission of personal data with the Act on Data Protection and Processing No 90/2018 (“Act on Data Protection”) which implements the General Data Protection Regulation No 2019/679 (GDPR). The Icelandic Data Protection Authority (DPA) is the governmental authority responsible for monitoring the application of the Act on Data Protection and administrative regulations based on it.

The Act on Data Protection applies to all fintech businesses, much like other businesses, and is especially meaningful within the fintech market as many of these businesses often deal with personal information such as individuals’ financial information. The Act on Data Protection applies to the processing of personal data on behalf of a data controller or a data processor established in Iceland irrespective of whether the processing is conducted within the EEA. Further, the Act on Data Protection also applies to data subjects located in Iceland irrespective of whether the data controller or data processor is located within the EEA when either services or goods are provided to a data subject within the EEA or when the behaviour of a data subject conducted within the EEA is monitored.

The Act on Data Protection also cover the transfer of personal data out of Iceland. The transfer of personal data to a country which does not provide an adequate level of personal data protection is generally prohibited, or dependent on exemptions. The Act on Data Protection offers certain points for consideration when assessing whether the level of personal data protection is at an adequate level or not.

Cybersecurity and software development is not specifically regulated.       

There are no requirements for industry participants to be subject to review by parties other than regulators, therefore such review is voluntary and has not become industry practice as of yet.

Regulated entities, whether fintech industry participants or legacy players are subject to the same restrictions as regards ancillary or additional operations. Regulated entities which do provide non-regulated services generally do so in the same legal entity if such services directly connected to the regulated activities.

Ancillary operations can be undertaken provided they fall within a normal continuation of the regulated operations. In addition, the FSA must be notified of such operations. The FSA can require that such operations are undertaken via a subsidiary and not through the same legal entity. Generally, ancillary operations which may have an adverse impact on the regulated entity, such as increase financial or operational risk, will be required to be operated in a separate legal entity.

To better explain what constitutes ancillary services, software development for the purposes of updating or maintaining a platform operated by the regulated entity does not constitute ancillary operations however should those software development services be sold to a third party they would be deemed ancillary services.

Robo-advisers have not been introduced in an advisory capacity. Obligations imposed on advisors (irrespective of asset class) are largely the same, there is an obligation of impartiality, setting for information in a clear and understandable manner, reducing and informing clients of any potential conflict of interest. Additionally, marketing material in relation to certain asset classes may require specific disclosure and disclaimers, such as marketing material in relation to UCITS funds require disclosures and disclaimers on previous performance, marketing material in relation to loans require details on actual costs and effective interest rates, etc.

Robo-advisers have not yet been widely introduced in Iceland with regards to securities transactions and therefore no implementation history exists. The lack of implementation may be related to the fact that there is generally a significant language barrier in implementing new technical solutions into an environment which requires the use of Icelandic. Additionally most financial institutions offer the possibility to place orders through their online banking solutions for the most common securities.

The use of robo-advisers will not have any impact on the best execution requirements. Therefore, a fundamental issue related to robo-advisers is proper recordation of the client orders and proper execution of those orders. However, those issues always apply whether or not robo-advisers are used.

Granting of loans to corporate entities is subject to the same regulatory regime irrespective of whether such entities are SMEs or large corporates. However, consumer lending is subject to stricter regulation than corporate lending.

General consumer lending is regulated by the Act on Consumer Loans which inter alia requires provision of information prior to lending, a credit assessment and debt service assessment on the borrower, mandatory contractual terms, prepayment rights, maximum annual percentage rate of charge (APRC), etc. It should be noted that not all lending arrangements are subject to the aforementioned act and a debt service assessment is not required if the loan amount is less than ISK2 million.

Consumer mortgage lending is further regulated by the Act on Consumer Mortgages. That act contains similar requirements as the Act on Consumer Loans but in addition provides for a maximum percentage of loan to value which can be provided to consumers.

As to today, fintech has not extended beyond consumer credit and has not had any impact on corporate lending in Iceland and no large scale lending takes place through or via a fintech industry participant. 

This is not applicable in Iceland.

Sources of funds varies as the different sources have different regulatory implications.

The difference is best illustrated by comparing lender raised capital to taking deposits. If the source of the funds is lender raised capital that does not in itself trigger any regulatory licence requirement however taking deposits will automatically trigger a full banking licence requirement. A full banking licence is cumbersome and extremely difficult or impossible to receive for fintech start-ups and, therefore, deposit funded loans are used by legacy players through their fintech solutions.

As illustrated in 2.9 Significant Enforcement Actions, peer-to-peer lending operations have been deemed to constitute payment services resulting in a regulatory licence requirement under the Payment Services regulations.

Securitisation has not been used as a source of funds in Iceland to fund loans granted via fintech solutions. Legacy players have issued covered bonds which include mortgages which have been granted utilising in part fintech solutions but as mortgages require paper original documents the whole process is not completed via fintech solutions.

As mentioned, no large-scale lending occurs through or via a fintech industry participant (or through a fintech solution) therefore no syndication occurs.

Payment processors are not required to use existing payment rails and may create or implement new ones.

The implementation of new payment rails may, however, have regulatory effects especially if further participants are onboarded onto the new payment rails. In such cases the participation in the payment rails must be offered on the basis of subjective, non-discriminatory rules and the payment rails must not inhibit the ability to protect against certain risks and measures must be taken to protect the financial and operational stability of the payment rails.

Iceland has adopted Cross-Border Payment Regulation which impacts charges on cross-border payments across the EU. However, the application of the regulation is limited as it only applies to euro transfers. It is unclear when the CBPR2 will be implemented in Iceland.

Under Icelandic law, funds can only be operated by fund administrators or management companies which are regulated. Effectively there are three types of such funds which are authorised under Icelandic law, undertakings for collective investment in transferable securities (UCITS funds), investment funds and alternative investment funds (AIFs). In that regard, it should be noted that Iceland has implemented the applicable EU regulations on UCITS funds and the alternative investment fund managers directive.

The first two mentioned are subject to strict limitations on what such funds invest in but the last mentioned has greater discretion to invest in non-listed securities and assets.

AIF management companies are all subject to regulation, however, there is a financial threshold which determines a registration requirement or operating licence requirement. Management companies which operate funds which total assets exceed EUR100 million (in case of leveraged funds) or EUR500 million (in case of non-leverage funds which are not subject to redemption) require an operating licence while others are subject to registration.

Those which only require registration are subject to less stringent regulation.

Please provide a response, even if it is relevant in your jurisdiction, see 4.2 Underwriting Processes.

From a regulatory perspective there are three different types of marketplaces/exchanges:

  • regulated markets which are subject to the strictest level of regulations and can only be operated by a regulated stock exchange;
  • multilateral trading facilities (MTFs), which can be operated by entities with a full banking licence or a appropriate securities firm licence; and
  • cryptocurrency exchanges whose operators are regulated.

The primary difference in regulated markets and MTFs is the level of regulation by the operators of the markets and the level of disclosure obligations placed on issuers, MTFs are more suited to smaller issuers as the disclosure obligations and market requirements are less than apply to regulated markets.

There are currently operated markets for shares and bonds and three cryptocurrency exchange.

Currently, its debatable whether certain asset classes fall under the definition of financial instrument such as cryptocurrency. However, all assets which fall under the definition of financial instruments (shares, bonds, bills, derivatives, etc) is subject to the same regulatory regime, the act on Securities Transactions.

The emergence of cryptocurrency exchanges resulted in such platforms becoming subject to regulation. Operators of such exchanges are subject to registration with the FSA and must operate within a specific regulatory framework. However, it should be noted that, aside from AML requirements, legal framework is neither extensive or cumbersome. The FSA has the authority to deny registration if the operator does not conform with AML requirements.

Listing standards are determined by the stock exchange which operates the regulated market on which the relevant asset is being listed. However, what those requirements can be is subject to regulation. The requirements are to be clear and transparent and aim to ensure that the relevant asset can be traded in a fair, organised and effective manner.

The regulated markets and MTFs operated in Iceland have broadly similar listing requirements which aimed to ensure the above and have an emphasis on tradability and effective trading of the relevant asset and effective pricing.

Order handling rules relate to best execution of client orders. The order handling rules require that the best possible result for the client is sought taking into account price, costs, spend, likelihood of completion of transaction, scope of transaction, nature of transaction and other relevant factors. However, in case of specific client instructions, those instructions are to be followed.

Procedures are required to be put in place to ensure best execution practices and the FSA monitors order handling.

As previously mentioned, only certain types of trading platforms are authorised under Icelandic law and peer-to-peer platforms have not yet been established in Iceland and it is unclear whether such platforms comply with Icelandic law. Such platforms have therefore not had any significant impact in Iceland.

Order handling rules predominantly regard best execution requirements.

Issues have not been many related thereto, at least in recent years, but have for the most part related to whether sufficient clarity in instructions was made and whether such instructions where expediently executed.

Parties engaging in and authorised to conduct securities transactions are subject to good conduct of business rules. The rules do not specifical regulate fees but fees for services are required to be set forth in a clear and understandable manner.

The rules therefore inhibit, even though they do not expressly prohibit, the ability to impose or charge fees which are contrary to good business practices.

Market integrity principles are mainly related to market abuse and insider trading.

Market abuse has several elements such as:

  • transactions or orders to trade which give, or are likely to give, false or misleading signals as to the supply of, demand for or price;
  • transactions or orders to trade which employ fictitious devices or any other form of deception or contrivance; and
  • dissemination of information, news or rumours which give, or are likely to give, false or misleading information or signals.

Insider trading applies when a party is in possession of insider information. Insider information is sufficiently precise information which has not been made public, relating directly or indirectly to issuers of financial instruments, the financial instruments themselves or other aspects, and which would be likely to have a significant impact on the market price of the financial instruments if made public.

Market manipulation and insider trading are criminal offences which are punishable by up to six years in prison.

MiFID II has not yet been fully implemented into Icelandic law therefore there is currently no regulation specifically dealing with the creation and usage of high-frequency and algorithmic trading technologies.

Once MiFiD II has been implemented high-frequency and algorithmic trading will be regulated however currently it is unclear to what extend but expected to be fully in line with MiFiD II.

Parties which are authorised to conduct securities transactions can function as market makers, which applies irrespective of the method of trading. Market makers are required to notify the relevant market on which the market maker operates of the obligation to act as a market maker in relation to specific securities. The obligation applies whether the party acts as a market maker for its own account or the account of the issuer of the securities. Acting as a market maker will therefore require a notification to the regulated market and will be publicly disclosed.

As mentioned, there is no regulation specifically dealing with high-frequency or algorithmic trading, therefore there is no distinction between funds or dealers

Programmers and programming relating to algorithms and other electronic trading tools is not specifically regulated in Iceland.

Financial research platforms as such are not regulated however once it constitutes public investment advice is becomes a regulated activity.

Such parties are not, however, subject to registration but there are requirements placed on parties which provide public investment advice, such as presenting information fairly, disclosing potential conflicts of interest, make a clear distinction between facts and speculations or projections, ensure that sources of information are sound, etc.

The providers of public investment advice are subject to supervision by the FSA.

Unverified information is regulated and the spreading of unverified information may constitute market abuse.

Content/conversation curation is not specifically required by law. The planning of pump and dump schemes, spreading inside information, etc, on platforms could be deemed market manipulation and therefore individual engaging in such activity may be subject to criminal proceedings.

Significant efforts have been made by local insurance companies toward far greater automation and self-service through either online portals or mobile apps in which certain insurance policies can be acquired and certain insurance claim process in relation to can be fully completed, ie, from making the claim to pay-out to the insured party. This trend is likely to continue as the insurance companies are under certain pressure to reduce operating costs.

Insurance is effectively divided into two sets of regulated operations, life insurance and non-life insurance. Each type of insurance requires different operating licences. As a result legacy players on the insurance market operate life insurance operations in a separate legal entity (a wholly owned subsidiary) while the non-life insurance operations are generally in the parent.

Life insurance covers all manner of life insurance and is specifically regulated due the different nature of risk involved and to ensure segregation for the protection of the insured parties interest.

The category of non-life insurance is therefore very broad and extends from common form property insurance to financial loss.

The regulatory requirements placed on both types of operators is largely the same.

Regtech providers aren’t specifically regulated and if their operations are limited to regtech they should not become regulated. However should their operations extend beyond regtech regulation may come into play.

Despite regtech not being specifically regulated utilising regtech solutions may fall under the scope of outsourcing meaning that the regtech customer may require mandatory contract provisions, etc.

Regtech is not widely used in Iceland and there is no industry standard as to contractual terms.

However as mentioned above as utilising regtech solutions mandatory contract provisions may come into play to assure performance such as audit and access provisions, right of access, data location, etc. Adequate termination provisions and contingency plans must also be in place.

Blockchain has not been implemented by traditional player to any extent.

Local regulators’ have not yet publicly embraced or denounced blockchain as such and have not issued any guidance, proposals or interpretations.

However, is should be noted that the FSA has granted an e-money issuer licence to the company Monerium which utilises blockchain, therefore the FSA has acknowledged the use of blockchain in regulated activities. In fact, the licence was the first e-money licence granted to a party utilising blockchain.

Blockchain assets are not specifically classified in Icelandic law and currently there is no guidance from the FSA on how it would treat or classify blockchain assets.

However, the FSA would likely have regard underlying characteristics of the blockchain asset and whether the relevant asset is structured and tradeable in a way, that resembles common financial instruments.

Should the FSA determine that a blockchain asset is a financial instrument, that blockchain asset, its sale, marketing etc. would become subject to the same rules and regulations as apply to more common forms of financial instruments in general.

Assuming that a blockchain asset would be categorised as a financial instrument the issuer would become subject to the same set of rules as generally apply to issuers of financial instruments.

An initial sale of such assets could result in the requirement to issue a prospectus. A prospectus is required under Icelandic law in case of a public offering which exceeds EUR8 million. Iceland has implemented Regulation (EU) 2017/1129, which applies to prospectus which are required to be published in connection with public offerings.

Depending on the type of blockchain asset the issuer may be subject to continuing disclosure requirements and market manipulation rules and insider trading rule could come into play as well.

Blockchain asset trading platforms are regulated insofar as they constitute regulated markets or multilateral trading facilities, ie, are subject to the same regulations as applies to trading platforms with more conventional assets. In addition, if the blockchain asset constitutes virtual currency (or cryptocurrency) such exchanges are regulated.

However, there is no specific legislation by the mere virtue of the fact that the assets traded thereon are blockchain assets.

Funds that invest in blockchain assets can only be operated as AIFs.

Managers of AIFs are regulated as previously mentioned. Their authority to invest in blockchain assets is not limited per se but are required to have an investment strategy in place and ensure risk management in relation to that investment strategy. Additionally the FSA can limit investment strategies if it deems so necessary.

Virtual currencies are defined as any type of virtual funds which are neither e-money or currency.

Virtual currency therefore stands apart from blockchain assets as such assets are not defined in Icelandic law.

Virtual currencies are, however, not specifically regulated and their position within the existing financial regulatory framework is somewhat unclear aside from the fact that the operation of a virtual currency (or cryptocurrency) exchanges is regulated.

Decentralised finance is not specifically dealt with in regulation, depending on the type of financial transaction conventional financial regulation may apply such as regulation applicable to insurance intermediaries, securities brokers, etc.

As previously mentioned above, PDS2 has not yet been implemented into Icelandic law. Icelandic law does not directly impact open banking and cannot be said to neither support nor specifically inhibit open banking.

PSD2 and its pending implementation has, however, had the impact that domestic financial institutions have on their own initiative supported and commenced open banking without any legal requirement.

Banks have generally coped well with data privacy and data security and have not, at least publicly, raised huge concerns with open banking. However, as open banking is not yet legally required banks have a greater possibility to regulate access by inter alia conducting due diligences before providing access and reviewing data security and privacy protocols to limit risk of any data privacy and data security issues.


Katrínartún 2
19th floor
105 Reykjavík

+354 5500500
Author Business Card

Law and Practice


BBA//Fjeldco is the result of a merger of two of the leading corporate law firms in Iceland, BBA and Fjeldco. The merged firms have, since 1998, been leading in the field of mergers and acquisitions, capital markets, banking and corporate finance, energy and PFI projects, as well as general corporate and commercial matters. BBA//Fjeldco has provided advice on many of Iceland’s biggest and most complicated financing and M&A deals, as well as the country’s most important PFI and energy projects. The firm has over 25 specialised business lawyers, with qualifications in Iceland, England, France and New York. BBA//Fjeldco has offices in Reykjavik and London, together with operations in France.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.