Fintech 2024

Last Updated March 21, 2024

Finland

Law and Practice

Authors



Waselius is a commercial law firm committed to providing highly specialised legal services in complex business transactions. It is especially renowned for providing high-end advice within the fields of banking and finance, M&A, dispute resolution, capital markets, IP rights, tax law and employment law, as well as EU and competition law.

The fintech market in Finland is relatively young but has evolved rapidly over recent years. Traditionally, the market has been dominated by lending businesses and peer-to-peer platforms, but some of these firms have now taken the next step and are upgrading their licences to become credit institutions.

The investment and wealth management scene is still awaiting a breakthrough, but this is not expected to happen during the next 12 months.

Advances in technologies such as artificial intelligence, blockchain and quantum computing continue to drive innovation in the fintech sector. There is also rapid development in crypto-asset business. However, local regulation somewhat hinders multinational companies from entering the Finnish market due to local registration requirements.

The Finnish market has experienced development in the digital currency market, evidenced by the release of the first and only fully regulated EU stablecoin on the Ethereum blockchain (EUROe).

The following verticals predominate in Finland:

  • payments;
  • financial software;
  • financing;
  • data and analytics;
  • application programming interfaces (APIs) and platforms;
  • wealth management;
  • investing;
  • customer service and acquisition;
  • security and compliance;
  • insurtech;
  • cryptocurrencies; and
  • blockchain.

Due to the lack of fintech-specific regulation, the regulation applicable to fintech companies is contingent on the business model undertaken. Thus, the regulatory regime applicable to fintech companies comprises the general regulations applicable to financial institutions.

In Finland, financial regulation mainly derives from EU law and thereby consists of, inter alia, the following.

  • The Capital Requirements Regulation and the Capital Requirements Directive are applicable to credit institutions, investment firms, portfolio management companies, central institutions of amalgamations of deposit banks, holding companies of credit institutions, holding companies of investment firms and parent companies of financial and insurance conglomerates.
  • The second Markets in Financial Instruments Directive (MiFID II) is applicable to investment service providers, market operators (including the trading venue maintained by them), central counterparties and data reporting service providers.
  • The second Payment Services Directive (PSD2) has been transposed in Finland in two parts by way of amendments to the Payment Services Act (PSA, 290/2010) and the Payment Institutions Act (PIA, 297/2010). For the most part, these amendments entered into force on 13 January 2018. Apart from certain minor details, the scope of application for the PSA and the PIA is identical, meaning that both acts apply to companies engaging in the following payment services:
    1. services related to depositing or withdrawing funds in/from a payment account;
    2. the management and offering of payment accounts;
    3. the execution of payment transactions by means of credit transfer, transfer of funds to a service provider’s payment account, direct debit or payment card, or via another payment instrument;
    4. issuing a payment instrument;
    5. the acceptance and processing of a payment transaction based on an agreement with the payee that results in a transfer of funds to the payee;
    6. money remittance;
    7. payment initiation service; and
    8. account information service.
  • Fintech entities seeking to enter the payments market ought to note that payment services may only be provided by a service provider that meets the requirements of the PIA and has been authorised by the Finnish Financial Supervisory Authority (FIN-FSA). The FIN-FSA must be notified about the initiation of the offering of account information services. The requirements for payment information services providers are higher – they must be authorised and have an initial and ongoing capital of at least EUR50,000.
  • The General Data Protection Regulation (GDPR) – in Finland, the provisions of the GDPR have been further clarified and supplemented in the Data Protection Act (DPA, 1050/2018), the application of which is consistent with Article 2 of the GDPR. However, deviating from what is stated in the GDPR, the DPA also applies to the processing of personal data in the course of an activity that falls outside the scope of EU law and to the processing of personal data by member states when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union.
  • The Packaged Retail and Insurance-Based Investment Products Regulation (PRIIPs) applies to service providers producing and offering PRIIPs products to retail investors. These include banks, insurance companies, management companies and alternative investment fund managers, and bond issuers. Therefore, certain fintech companies that engage in such activity – such as those in the payments, financing, wealth management, investing and insurtech sectors – are subject to the regulatory requirements set forth in the PRIIPs, meaning that they must, inter alia, prepare a key information document for each PRIIPs product that they offer to retail investors. The definition of “retail investor” derives from MiFID II and, accordingly, means an investor other than a professional client. “Professional clients” and “non-professional clients” have been further clarified in Chapter 1, Section 23 of the Investment Services Act (ISA, 747/2012).
  • AML – the prevention of money laundering and terrorist financing is based on international standards. Specifically, the purpose is to ensure that uniform customer due diligence procedures are observed in the global financial markets. Consequently, in this respect, the EU’s Anti-Money Laundering Directives, which have been implemented in the national legislation of Finland, derive from the Financial Action Task Force's recommendations. In Finland, the AML provisions have been put forth in the Act on Preventing Money Laundering and Terrorist Financing (the AML Act, 444/2017). Finland has implemented Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the “Fifth Anti-Money Laundering Directive”); to some extent, this is broader than the Directive requires.
  • The Virtual Currency Providers Act (VCPA, 572/2019) applies to business operations of virtual currency providers. According to the Act, virtual currency providers are virtual currency issuers, virtual currency exchange services and wallet providers. The VCPA is based on the Fifth Anti-Money Laundering Directive. The VCPA currently applies to cryptocurrency business that is supervised by the FIN-FSA. The European Markets in Crypto-Assets Regulation ((EU) 2023/1114 – MiCA) entered into force on 29 June 2023 and establishes a harmonised regime for crypto-assets at an EU level. The regulation is applied after gradual transition periods, rather than immediately. The authority supervising compliance with MiCA in Finland will be regulated separately at a later date.
  • Crowdfunding is regulated by the Finnish Act on the Provision of Crowdfunding Services (APCS, 203/2022). Crowdfunding service providers must be authorised by the FIN-FSA in accordance with the APCS and Regulation (EU) 2020/1503 on European crowdfunding service providers for business.

Depending on the business model undertaken, fintech companies may require authorisation, registration or notification. Authorities granting authorisations include the European Central Bank, the FIN-FSA, the Regional State Administrative Agency, the Ministry of Finance and the Ministry of Social Affairs and Health, as well as the government.

The different compensation models vary widely depending on the chosen business model and the technical means through which the products and services are offered. Generally, when targeting the consumer, the Finnish Consumer Protection Act (CPA, 38/1978) and the sector-specific legislation set a tight regulatory framework regarding the disclosure rules.

On a general level, the regulation of fintech companies and legacy players does not differ, because no specific regulation applies to fintech companies. Instead, fintech companies are governed by the same financial regulatory requirements that apply to legacy players. Naturally, the principle of proportionality will be applied and works in favour of smaller fintech companies.

Finland does not have a regulatory sandbox. The Finnish legislation does not allow regulators to grant exemptions from peremptory regulation, so any potential and forthcoming regulatory sandboxes would need to be assembled via legislation. However, the FIN-FSA has a Fintech Helpdesk service that enables fintech companies to approach the FIN-FSA with their licensing questions. Through these channels, fintech companies can easily and promptly receive (non-binding) advice as to whether their business or services meet the licensing requirements.

National Supervisory Authorities

Regulatory jurisdiction in the Finnish financial sector is split across four authorities.

FIN-FSA

The most prominent national authority for the supervision of Finland’s financial and insurance sectors is the FIN-FSA, which supervises the following entities, among others:

  • banks;
  • payment institutions;
  • crowdfunding companies;
  • virtual currency providers;
  • insurance and pension companies as well as other companies operating in the insurance sector;
  • investment firms;
  • fund management companies; and
  • the Helsinki Stock Exchange.

The FIN-FSA is also responsible for promoting compliance with good practice in financial markets and for disseminating general knowledge about the markets. It is regulated by the Finnish Act on the Financial Supervisory Authority (878/2008).

Supervision of traders who provide consumer credits and brokers of peer-to-peer loans was transferred from the Regional State Administrative Agency for Southern Finland to the FIN-FSA on 1 July 2023.

Regional State Administrative Agency for Southern Finland

The Regional State Administrative Agency for Southern Finland is responsible for lower-level supervision of the financial sector (ie, supervision that is not in the scope of the FIN-FSA), such as debt collection.

The Regional State Administrative Agencies are governed by the Finnish Act on Regional State Administrative Agencies (896/2009).

Finnish Competition and Consumer Authority (FCCA)

In conjunction with the Regional State Administrative Agencies, the FCCA has jurisdiction over business operations in which instant and consumer credits are being offered. According to the Act on the Finnish Competition and Consumer Authority (the FCCA Act, 661/2012), the sphere of authority of the FCCA includes the implementation of competition and consumer policies and the protection of the consumer’s economic and legal position.

Office of the Data Protection Ombudsman (ODPO)

Although not specific to the financial sector alone, the fourth national supervisory authority is the ODPO, which supervises compliance with data protection legislation – ie, the Finnish DPA and the GDPR.

European Supervisory Authorities

Since Finland is a member of the EU, the European Supervisory Authorities (ESAs) also have jurisdiction. The ESAs consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), which, together with the FIN-FSA, provide micro-prudential supervision.

Whilst the ongoing supervision of financial institutions remains with the national supervisory authorities, the jurisdiction of the ESAs is enforced through level 2 or level 3 measures.

Pursuant to Articles 10 and 15 of ESA Regulation (EU) No 1095/2010, the ESAs have the authority to develop level 2 measures by means of draft regulatory technical standards (RTS) and implementing technical standards (ITS). The draft RTS and ITS can be submitted to the Commission by the ESAs upon the approval of the board of supervisors of the respective ESA by way of a qualified majority.

In accordance with Article 16 of the ESA Regulations, level 3 measures consist of guidelines and recommendations addressed to the competent authorities and financial institutions or financial market players by the ESAs. Similar to RTS and ITS, guidelines are to be approved by the board of supervisors of the respective ESA by way of a qualified majority.

According to Article 16(3) of the ESA Regulations, competent national authorities and financial institutions or financial market players must make every effort to comply with the guidelines. Both the guidelines and the recommendations are to be applied on a comply-or-explain basis, meaning that failure to adhere to said recommendation/guideline requires notifying the respective ESA and providing an explanation for non-compliance within two months of the issuance of the guideline or recommendation.

Traditionally, Finland has implemented these EU guidelines quite effectively and to their full extent. The practical implementation is often done by a simple local guideline, where a reference is made to an EU-level guideline. This method gives the foreign fintech companies more comfort since they can rely on the fact that Finland has implemented the EU-level guidelines correctly and without any gold plating.

Regulated functions can be outsourced subject to certain conditions being satisfied. The provisions on outsourcing regulated functions are stipulated in the Regulations and guidelines 1/2012 issued by the FIN-FSA and the EBA Guidelines on outsourcing arrangements. However, virtual currency providers should note that the issuance of virtual currency cannot be outsourced entirely to an agent.

Investment Services

Investment firms, credit institutions and fund management companies may outsource their authorised investment services only to entities that are licensed to engage in the practice of investment services. With regard to credit institutions and fund management companies, critical functions may only be outsourced where doing so does not materially interfere with risk management, internal supervision or the functioning of business operations.

Payment Institutions

Similar to institutions offering investment services, payment institutions may outsource substantial functions of their payment services where doing so does not materially weaken their internal supervision.

Once payment institutions have outsourced their services, they must ensure the adequacy of the resources and the professionalism, financial functioning and expertise of the outsourced operator; they must also have procedures in place to assess the performance of the outsourced operator. In order to meet their due diligence requirement, payment institutions must ensure, for example, that the outsourced operator has the necessary skills, resources and operating licences required by law to provide the service. In addition, payment institutions must ensure that the outsourced operator has arranged for an adequate level of internal supervision and risk management.

When outsourcing payment services to an agent, payment institutions are held liable for the agent’s operations.

Certain fintech entities are subject to the Finnish AML Act and must therefore comply with the regulations set forth therein. These requirements include that they actively monitor their client relationships and undertake due diligence procedures prior to forming customer relationships.

As far as is known, no significant enforcement actions have been undertaken against fintech companies, but some enforcement actions have been undertaken against legacy players.

For instance, on 25 August 2022, S-Bank Plc received an administrative fine from the FIN-FSA for errors in reporting on derivative contracts. S-Bank Plc had failed in its obligation to ensure that information on all derivative contracts it had concluded was reported to a trade repository as required by Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR).

On 13 September 2021, the FIN-FSA imposed a penalty payment of EUR1.65 million on S-Bank Plc for omissions in the detection of suspicious transactions. Accordingly, S-Bank Plc had neglected its obligations to monitor its customers’ trading, as required under Article 16 of the EU’s Market Abuse Regulation.

Another enforcement action was publicised on 2 July 2021, in which the FIN-FSA withdrew the investment firm authorisation of Privanet Securities Ltd with immediate effect after it detected several serious omissions and violations in the firm's activities. The legal authority of the FIN-FSA to withdraw the investment firm licence derives from Section 26 of the Financial Supervisory Authority Act, according to which authorisation may be withdrawn where essential statutory conditions under which authorisation was granted no longer exist or where the activities of a supervised entity constitute a material breach of the provisions governing financial markets.

In a more recent case, on 27 January 2023 the FIN-FSA withdrew Nada express osk’s registration under the PIA, due to deficiencies in compliance with anti-money laundering regulation, about which Nada express osk had already received a penalty payment but failed to correct its actions.

In another recent case, on 6 June 2023 the FIN-FSA prohibited Ermitage Partners Oy from offering investment services without a licence, as it classified the firm's receipt and transmission of orders as investment services.

The implications of non-financial services regulations do not differ between fintech companies and legacy players, since such legislation applies irrespective of industry sector.

GDPR

For instance, with regard to privacy, the GDPR harmonises national data privacy laws throughout the EU and applies to the processing of personal data. Thus, companies collecting, storing and using personal data will fall within the scope of the GDPR, irrespective of the sector in which they are engaged. The implications for non-compliance are similar: failure to adhere to the requirements set forth in the GDPR may result in severe fines, with a maximum penalty of EUR20 million or 4% of annual worldwide turnover, whichever is higher.

Cybersecurity

Legislation to protect electronic communications networks has also been introduced in the EU by means of the Directive on Security of Network and Information Systems (the “NIS Directive”). National legislation in line with the NIS Directive and the obligations thereof entered into force on 9 May 2018 and has been implemented into the Regulations and guidelines on operative risk management 8/2014 issued by the FIN-FSA.

The regulation and guidelines apply to credit institutions, investment firms, alternative investment fund managers, UCITS management companies, holding companies of credit institutions and investment firms, central institutions of amalgamations of deposit banks and payment institutions (“supervised entities”). Accordingly, supervised entities must notify the FIN-FSA without undue delay of any significant interruptions and errors that they have noticed in the services provided to clients or in payment systems and information systems.

Another relevant source of non-financial services regulation is the Guidelines on ICT and security risk management issued by the EBA on 29 November 2019, which apply to payment service providers, credit institutions and investment firms. The guidelines stipulate the measures that financial institutions are required to take to manage their ICT and security risks, as well as requirements on holding information on ICT systems.

Outsourcing to Cloud Services

The Guidelines on outsourcing to cloud service providers issued by ESMA and the EIOPA are also relevant in this regard. Both guidelines apply to cloud outsourcing arrangements entered into, renewed or amended on or after 31 July 2021. Financial institutions falling within the scope of the guidelines must ensure that their cloud outsourcing arrangements comply with said guidelines. In its Regulations and guidelines 4/2021, the FIN-FSA recommends that investment firms, credit institutions providing investment services, alternative investment fund managers and alternative investment fund depositaries, among others, comply with the guidelines issued by ESMA. Furthermore, the FIN-FSA stated in 2020 that it complies with the EIOPA’s guidelines in its supervisory work.

Besides regulators, Finance Finland (FFI) reviews the activities of industry participants within the Finnish financial sector. FFI represents banks, life and non-life insurers, employee pension companies, finance houses, fund management companies and securities dealers operating in Finland. It actively participates in raising awareness amongst decision-makers of any potential impacts that might ensue from regulation, and provides expert opinions on legislative processes. The organisation of FFI is divided into five groups, of which the Infrastructure and Security group is concerned with fintech.

The Fintech Finland Association – a neutral, non-profit organisation – is another relevant party reviewing the activities of fintech companies – for instance, by actively promoting the interests of the Finnish fintech industry.

The offering of unregulated products or bundling them together with regulated products and/or services is not that common in Finland. If such offering does exist, it is mainly conducted by a regulated entity due to regulatory concerns.

The Finnish AML Act imposes a variety of obligations upon obliged entities, including:

  • “know your customer” procedures;
  • record-keeping;
  • ongoing monitoring; and
  • identifying beneficial owners.

In accordance with the AML Act, obliged entities are financial market players such as fintech entities engaging in payments and financing, wealth managers, fund companies and virtual currency providers.

Know Your Customer

Obliged entities must identify their customers prior to forming permanent customer relationships. However, obliged entities will also be required to identify their customers when forming occasional customer relationships if the conditions set forth in the AML Act are fulfilled.

If an obliged entity fails to identify its customer to the extent stipulated in the AML Act, it will be prohibited from forming a customer relationship and carrying out the business operation, and from maintaining the business relationship.

Depending on the customer, obliged entities must identify their customers by means of a simplified or enhanced due diligence procedure.

Government Decree 929/2021 lays down the due diligence procedures that must be undertaken when identifying customers, particularly in relation to simplified and enhanced due diligence procedures.

The AML Act does not necessarily apply to many unregulated fintech companies, but its applicability should be assessed in detail before excluding the services and/or products outside the scope of the AML Act.

Sanctions Regulation and National Freezing Orders

The FIN-FSA's Regulations and Guidelines 4/2023 on customer due diligence related to compliance with sanctions regulation and national freezing orders entered into force on 1 March 2024 and impose new requirements on various financial entities. Regulations and Guidelines are provided on the organisation of the supervised entity’s activities, assessment of risks related to sanctions, customer due diligence, sanctions screening, asset freezing, third-country sanctions and reporting.

There is no national regulation that applies specifically to robo-advisers in Finland. Instead of asset classes, what is more critical from a regulatory standpoint is the type of service being offered. For instance, robo-advisers offering investment services fall within the scope of the general requirements applicable to investment firms set forth in MiFID II and the provisions thereof that have been implemented nationally.

Article 5(1) of MiFID II requires the provision of investment services to be subject to prior authorisation. The requirements regarding the authorisation of investment services have been implemented nationally into the ISA, pursuant to which the investment firm authorisation shall be granted by the FIN-FSA for the provision of investment services or for the practice of engaging in investment activities. The “provision of investment services” means that it is not the investment firm that needs to be authorised, but rather the investment services offered. Therefore, since new services require authorisation, robo-advisers require authorisation. In other words, the ISA enables investment firms to use robo-advisers for the provision of investment services – ie, investment advice and portfolio management – subject to having received prior authorisation.

Moreover, as MiFID II is technology neutral by not prescribing how such investment services are to be offered, the FIN-FSA cannot reject authorisation solely on the basis that the investment services are being offered via a robo-adviser.

Considering the fact that investment services in Finland have been digitalised for a while, robo-advisers are not as established in Finland as one might expect. There are currently three robo-advisers implemented by legacy players in Finland:

  • Nordea has implemented Nora, which is a robo-adviser providing investment advice upon the completion of a questionnaire;
  • OP Financial Group has also implemented a robo-adviser, OP Investment Partner, which is a digital investment adviser on OP-mobile and, accordingly, invests in responsible companies by only including companies that are among the best in their sector in terms of ESG-related issues; and
  • independent robo-advisory firm Evervest Ltd was first acquired by Taaleri Group and thereafter by Aktia Bank, which is now running the digital services.

With regard to the robo-advisers specified in 3.2 Legacy Players' Implementation of Solutions Introduced by Robo-advisers, there are no issues in relation to the best execution of customer trades, since they do not execute orders per se. Instead, the requirements applicable to investment firms briefly mentioned in 3.1 Requirement for Different Business Models apply.

Nevertheless, issues regarding the best execution of customer trades will arise for robo-advisers engaging in, for example, payment transmission and the execution of payment orders, for which the requirements applicable to investment firms apply.

In Finland, the difference in the regulation of loans provided to different entities is mainly threefold.

First, the activity of providing loans that are financed via repayable funds received from customer deposits is defined as credit institution operations, in accordance with the Act on Credit Institutions (ACI), which lays down the provisions stipulating the right to engage in the practice of credit institution operations. Accordingly, in order to engage in credit institution operations, authorisation is required through the FIN-FSA. However, in this regard, the ACI does not make a distinction between the provision of loans to small and other types of businesses; it merely lays down the general prerequisites applicable to businesses engaging in credit institution operations, none of which are concerned with the business type of the borrower or its size.

Secondly, unlike businesses engaging in credit institution operations, businesses providing loans without the use of repayable funds are not governed under the ACI. However, businesses providing consumer credits and peer-to-peer loan brokers must register with the FIN-FSA, which supervises their operating practices, such as sales, marketing and lending principles, in the same way as other lenders.

Moreover, as the Finnish legal system is based upon the notion of freedom of contract, the provision of loans in Finland remains fairly unregulated and, to a large extent, parties are free to agree on the terms they wish to incorporate into their contracts. Thus, similar to businesses engaging in credit institution operations, there are no significant differences in the regulation of loans provided to small or other types of businesses.

Consumer loans, however, are governed under the CPA, meaning that there are, of course, substantial differences between the provision of loans to consumers and companies. Although the Finnish legal system is based upon the notion of freedom of contract, the notion is subject to certain exceptions, such as in consumer sales that encompass consumer protection. With regard to consumer loans specifically, this is evident in Chapter 7, Section 5 of the CPA, according to which all such terms that conflict or deviate from said chapter’s provisions in a way that is detrimental to the consumer shall be deemed null and void. Consequently, unlike in the provision of loans to companies whereby the interest rate is open to negotiation, the interest rate in conjunction with the cost of credit in consumer loans is capped pursuant to Section 17a of Chapter 7.

In Finland, industry participants are obliged to conduct a creditworthiness assessment prior to granting consumer credit, pursuant to Chapter 7, Section 14 of the CPA. Moreover, according to Section 16a of said chapter, industry participants may only grant consumer credit where the creditworthiness assessment indicates that the obligations deriving from the credit agreement are likely to be fulfilled in accordance with what is required under the credit agreement.

The creditworthiness assessment is to be based upon information relating to the consumer’s income and other information relating to the financial condition of the consumer. In other words, the law does not specify how the underwriting process is to be carried out per se, but rather stipulates the information that needs to be reviewed prior to granting consumer credit. As of 1 April 2024, the creditworthiness assessment should be based on information retrieved from the positive credit register, as well as other information.

To satisfy their obligation, industry participants generally resort to reviewing the credit information of the consumer. Since the use and processing of credit information is governed under the Credit Information Act (CIA, 527/2007), industry participants fall within the scope of the CIA in addition to the CPA. The consequence for consumer credit providers is threefold:

  • they are to ensure adequate privacy protection whilst processing credit information;
  • they are obliged to assess the creditworthiness of consumers in light of correct and appropriate information; and
  • they are to advance good practice of credit information.

With regard to the provision of loans to businesses, no creditworthiness assessment is required by law. Nevertheless, for obvious reasons, industry participants generally prefer to review the credit information of all borrowers even where doing so is not required under law.

Peer-to-Peer

Online lenders may fund their loans by facilitating peer-to-peer lending, which refers to the provision of loans between private individuals or companies without the involvement of a bank or another financial institution. In such a case, the online lender may facilitate peer-to-peer lending by, for instance, providing a platform for the parties involved in the peer-to-peer transaction; in other words, the borrower and the lender engage in an electronic money transfer via an intermediary – in this case, the online lender.

The legal and regulatory consequences depend on whether the online lender merely connects the peer-to-peer parties with its platform or whether it also administers the payments between the parties. Where online lenders facilitate credits to consumers that are granted by someone other than the credit providers referred to in Chapter 7 or 7a of the CPA, their operations require registration with the FIN-FSA as a peer-to-peer intermediary. Administering the payments will, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender a payment service provider. In this case, the PIA will also apply, and the online lender will be required to seek authorisation from the FIN-FSA as a payment institution.

Lender-Raised Capital

Online lenders may also fund their lending by borrowing funds from other lenders. By doing so, however, the online lender will be deemed to be a credit institution in accordance with Directive (EU) No 575/2013 and the ACI, and will therefore be required to comply with the provisions set forth therein. In order to engage in practices pertinent to credit institutions, the online lender will need to file for authorisation with the FIN-FSA prior to commencing said lending activities. Other legal and regulatory implications of lender-raised capital lending include that the online lender must ensure it has sufficient capital of its own, pursuant to Directive (EU) No 575/2013.

Repayable Funds

As is the case with lender-raised capital, and as stated in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, companies that finance their lending activities via repayable funds are deemed to engage in credit institution operations and will thus fall within the scope of Directive (EU) No 575/2013 and the ACI.

In contrast to legacy players engaging in the syndication of large loans, small consumer credit loans provided by fintech entities are generally not syndicated.

The provision of payment services is regulated under the PSA and the PIA, neither of which specifies the payment rails to be used when providing payment services. Instead, they stipulate the conditions that need to be fulfilled in the provision of payment services. Therefore, payment processors are free to create and implement new payment rails on the condition that they comply with the PSA and PIA. However, in order to engage in the practice of payment services, a payment processor will need to be authorised by the FIN-FSA as a payment institution or a credit institution.

At the EU level, payments and remittances are regulated under PSD2. The European Commission’s motive for establishing PSD2 was to harmonise the regulation of cross-border payments and remittances within the EU.

The provisions of PSD2 have been implemented nationally in Finland via the PSA and the PIA. Minor differences in the applicable disclosure duties between domestic and cross-border payments and remittances are evident in the PSA in cases where the service provider of the payee or the payer is located outside the European Economic Area. Besides this, neither the PSA nor the PIA separately addresses cross-border payments and remittances. Consequently, the national regulation of cross-border payments and remittances remains, to a large extent, undetailed in Finland.

Finland is also a member of the Single Euro Payments Area (SEPA), a payment-integration initiative of the EU that seeks to improve the efficiency of cross-border payments. SEPA enables customers to make cashless euro payments in a similar manner to that of national payments across the European Union as well as a number of non-EU countries.

Fund administrators are not subject to separate regulation as such and are not defined under Finnish law. Funds and fund managers, on the other hand, are regulated by means of Directive (EU) 2009/65/EC on the co-ordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities and Directive 2011/61/EU on Alternative Investment Fund Managers.

The provisions of Directive (EU) 2009/65/EC have been nationally implemented in the Act on Common Funds (ACF, 213/2019), and the provisions of Directive 2011/61/EU have been nationally implemented in the Act on Alternative Investment Fund Managers (AIFMA, 162/2014).

As far as is known, no regulation is currently imposed on agreements between fund managers and fund administrators.

The regulation on trading venues derives from MiFID II and covers regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). MTFs and OTFs are regulated nationally via Chapter 5 of the Act on Trading in Financial Instruments (1070/2017), which provides the general requirements applicable to both trading venues. According to Section 1 of Chapter 5, in addition to the stock exchange, only investment firms, credit institutions and third-country branches may maintain MTFs and OTFs in Finland.

In general, different asset classes do not have different regulatory regimes in Finland; rather, regulatory regimes are separated by the provision of certain services. For instance, offering investment services, regardless of the asset classes offered, requires an entity to be licensed under the MiFID II regime. Furthermore, an organiser of an MTF or OTF can only be a credit institution, an investment firm, a branch of a licensed third-country company or a stock exchange.

However, there are some regulatory differences – eg, between securities and other financial instruments. Financial instruments as a category include securities and financial instruments that are listed in the ISA. There is also some specific regulation on the issuance of securities, which is mainly contained in the Securities Market Act (SMA, 746/2012).

The emergence of cryptocurrencies has impacted the regulatory regime in Finland, and virtual currencies in general have been regulated by the VCPA since April 2019. The VCPA concerns cryptocurrency exchange, and a virtual currency exchange service is defined as any natural or legal person that undertakes the following, on a business or professional basis:

  • exchanges virtual currency into legal tender or another virtual currency, as a service;
  • exchanges either virtual currency for another commodity, or another commodity for virtual currency, as a service; or
  • maintains a marketplace in which its customers can engage in the above activities.

Generally, all cryptocurrency providers will require registration with the FIN-FSA for the purposes of providing cryptocurrency-related services in Finland. Pursuant to the VCPA, each merchant that intends to provide virtual currency-related services in Finland needs to be registered in the register of virtual currency providers maintained by the FIN-FSA, subject to specific requirements. However, this obligation does not apply to a merchant that provides virtual currency services within a limited network, or that provides them occasionally in connection with other professional activities that require some other authorisation, registration or prior approval. Virtual currency providers include virtual currency exchange services and marketplaces. Therefore, cryptocurrency exchange platforms are regulated and need to be registered as virtual currency providers with the FIN-FSA, as required by the VCPA.

Furthermore, it should be noted that cryptocurrency providers will need to be licensed by the FIN-FSA (as opposed to registration) when MiCA becomes applicable.

The issuance of securities to the public is regulated by the SMA. Listed companies also have to comply with the Limited Liability Companies Act (624/2006). A company applying for listing must be prepared to fulfil its statutory disclosure obligation from the date on which it submits its application to be listed on the stock exchange. The information disclosed by a listed company must be timely, consistent and reliable. Factors related to the disclosure obligation are often reflected in other listing conditions, such as the fulfilment of qualitative capabilities required for listing, the company’s obligation to apply the International Financial Reporting Standards or the corporate governance of the company.

MTFs are more lightly regulated trading venues than regulated markets (stock exchanges). Requirements for issuers of financial instruments admitted to trading on an MTF are lighter in relation to disclosure obligations and operating history than for issuers of financial instruments whose financial instruments are traded on a regulated market.

In addition to regulatory obligations, listed companies must comply with the rules of the stock exchange or MTF. The rules, guidance and other information of Nasdaq Helsinki Ltd (Helsinki Stock Exchange and First North Growth Market Finland) and for companies planning a listing are available on the website of the stock exchange. Regulations by the FIN-FSA also need to be complied with. The Finnish Foundation for Share Promotion has published a guidebook on listing.

The applicability of order handling rules depends on the type of services a market participant provides. Market participants that are regulated under MiFID II and the ISA and that execute orders are subject to order handling rules. The Act on Trading in Financial Instruments imposes specific order handling requirements for stock exchanges, MTFs and OTFs.

In accordance with the ISA, an investment firm that provides execution of orders as an investment service shall execute client orders without undue delay. An investment firm may not let the interests of another client or its own interests influence the execution of a client order. An investment firm shall execute comparable client orders sequentially and in a prompt, fair and expeditious manner. The obligation of the investment firm to publish a limit order issued by the client shall be governed by the provisions of the Act on Trading in Financial Instruments.

Traditionally, the Finnish market has been dominated by peer-to-peer platforms, which require registration with the FIN-FSA as a peer-to-peer intermediary. Online lenders may facilitate peer-to-peer lending by, for instance, providing a platform for the parties involved in the peer-to-peer transaction; in other words, the borrower and the lender engage in an electronic money transfer via an intermediary – in this case, the online lender. Sambla Group AB has acquired several smaller competitors over the past year.

The legal and regulatory consequences depend on whether the online lender merely connects the peer-to-peer parties with its platform or whether it also administers the payments between the parties. Both cases require registration with the FIN-FSA as a peer-to-peer intermediary. Administering the payments will, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender a payment service provider. In this case, the PIA will also apply, and the online lender will be required to seek authorisation from the FIN-FSA as a payment institution.

Issues regarding the best execution of customer trades will arise for market participants engaging in payment transmission and the execution of payment orders, for example. The requirements applicable to investment firms in relation to best execution also apply to these market participants engaging in such activities.

In the EU, payment for order flow (PFOF) is considered to be contrary to the requirements set out in MiFID II. ESMA has considered that PFOF causes a clear conflict of interest between the firm and its clients, because it incentivises the firm to choose the third party offering the highest payment rather than the best possible outcome for its clients when executing their orders. Therefore, ESMA has advised market participants under the MiFID II regime to thoroughly assess whether they are able to comply with MiFID II when receiving PFOF. This advice is also followed in Finland.

As financial markets have become increasingly global, giving rise to new trading platforms and technologies, the EU has aimed to strengthen its market abuse regime. The Act on Trading in Financial Instruments sets out the basic principles and requirements for using the central securities depository and the central counterparty, aiming to ensure that the co-operation does not endanger trading integrity. Besides this, there are no fintech-specific principles on market integrity or market abuse.

Algorithmic trading is regulated under Chapter 7a of the ISA, and there is no distinction between asset classes.

In principle, there is no regulation according to which market makers should register as market makers in Finland. However, if a market maker begins to trade on its own account, it becomes subject to provisions under the ISA and should be licensed as an investment company. The provisions of the ISA do not apply if the market maker trades on its own account as an ancillary activity.

Algorithmic trading is regulated under Chapter 7a of the ISA, according to which the provisions on algorithmic trading apply to all trading parties. Trading parties are defined as investment service providers or other persons authorised by a stock exchange or a multilateral trading operator to trade on the trading platform in question. Chapter 7a of the ISA does not contain any distinction between funds and dealers.

As far as is known, no regulation is imposed upon programmers and programming at present.

MiCA entered into force in June 2023 and imposed new requirements upon crypto-asset services, including when part of crypto-asset activities or services is performed in a decentralised manner. Where crypto-asset activities or services are provided in a fully decentralised manner without any intermediary, they do not fall within the scope of MiCA.

Otherwise, there is no relevant regulation on DeFi.

Financial research platforms are not subject to registration as such when their principal activity is to provide relevant information to market participants. However, if financial research platforms were to be engaged in other activity, such as offering investment advice, they would be regulated entities under the ISA and would need to apply for a licence.

Pursuant to the ISA, licensed investment companies are permitted to produce and disseminate investment research, financial analysis and other corresponding general recommendations relating to transactions in financial instruments. Participants are subject to registration, notification or licensing based on the type of services they provide, as described in 2.2 Regulatory Regime.

The spreading of rumours or unverified information is not regulated as such, but many provisions govern the provision of misleading or untruthful information. For instance, the ISA, AIFMA, VCPA, SMA, ACI and PIA contain prohibitions on providing misleading or untruthful information, especially in relation to marketing. The CPA also includes such a provision, which is applicable to all relationships towards consumer customers.

The manipulation of markets and offences concerning information on the securities market are sanctioned under the Criminal Code of Finland.

As far as is known, no controls are used by financial information platforms in order to avoid pump and dump schemes, the spreading of inside information or other types of unacceptable behaviour. However, one option would be to have a clause on the matter in the terms and conditions of the platform or the forum, so that the platform has the right to delete unacceptable information. The FIN-FSA can request a police investigation into suspected crimes committed on conversation platforms.

Industry participants must comply with the general principles of the insurance regulation and good insurance practice in their underwriting processes. For instance, pursuant to general principles of risk selection in insurance drawn up by Finance Finland, no group of people may be placed in an unequal or inferior position due to their gender, race, ethnicity, religion, conviction, disability, age or sexual orientation. There are, however, acceptable reasons for treating different groups of people in a different manner.

In Finland, insurance providers are generally regulated under the Insurance Companies Act (521/2008), which provides the legal framework for the operation of life and non-life insurance companies. The Insurance Contracts Act (543/1994) and the Act on Insurance Distribution (234/2018) also apply. However, life insurance companies are subject to further regulation, as specified in the aforementioned legislation, in relation to their investments, with which they have to comply. There is also separate legislation in place for transport insurance and workers’ compensation.

In significant contrast to the general approach at the EU level, non-life insurance companies are also fully subject to anti-money laundering legislation in Finland, so have to comply with all the requirements set out in the Finnish AML regime as obliged entities.

There is no specific regulation regarding regtech companies; the decisive factor in respect of regulation is the services that they provide.

The Digital Operational Resilience Act (EU) 2022/2554 (DORA) will apply broadly to different kinds of ICT arrangements within the financial industry as of 17 January 2025. Among other things, DORA regulates key contractual provisions to be included in the contractual arrangements between financial entities and ICT third-party service providers. According to DORA, when negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services.

The traditional players have not been eager to implement blockchain in their services/product offering. However, the fintech labs of some major players are investigating new opportunities with blockchain technologies.

The local regulators have not been active in introducing regulation.

From the Finnish law perspective, blockchain assets are categorised as virtual currency under the VCPA. However, virtual currencies are not categorically classified as financial instruments or securities but may be considered as such based on their nature. Therefore, a blockchain asset may be classified as a financial instrument or a security based on its nature, and this has to be analysed on a case-by-case basis.

Virtual currency exchange services are responsible for determining the nature of each virtual currency admitted to trading and should assess, in particular, whether each virtual currency is a transferable security or other financial instrument referred to in the ISA.

The securities market legislation is technology neutral. The virtual currency to be issued via an initial coin offering may also fall within the scope of the definition of a security or financial instrument. A security is negotiable and issued, or meant to be issued, to the public together with several other securities with similar rights. The FIN-FSA, for instance, uses a list of questions in assessing whether virtual currencies are considered to be securities. If a virtual currency is considered to be a security, regulation applicable to issuing a security must be complied with.

The issuers of blockchain assets are subject to the VCPA. Virtual currency provision refers to the issuance of a virtual currency, a virtual currency exchange service and its marketplace, as well as a custodial wallet service. Therefore, issuers of blockchain assets as virtual currency providers must be registered in the register of virtual currency providers maintained by the FIN-FSA.

As described in 12.3 Classification of Blockchain Assets, the regulation of initial sales depends on how the blockchain assets are classified. If the blockchain assets are not classified as financial instruments or securities, the market participant must still adhere to the VCPA and, for instance, to the general provisions on consumer protection.

As virtual currency provision refers to a virtual currency exchange service and its marketplace, such blockchain asset trading platforms must register as virtual currency providers with the FIN-FSA in accordance with the VCPA. However, there is an exemption to the registration if the virtual currency services are provided within a limited network.

Furthermore, the FIN-FSA has considered that an exchange service that accepts fiat currency from buyers or transmits fiat currency to sellers must give due consideration to regulations concerning payment services (as per PSD2) that may become applicable depending on the business model. Similarly, if the trading platform provides services that fall under MiFID II, it should adhere to the regulations set out therein.

As far as is known, there is no specific regulation on funds that invest in virtual currencies, including blockchain assets. However, in accordance with the ACF, common fund activity shall refer to the raising of funds from the public for their joint investment and the investment thereof mainly in financial instruments, as well as the management of a common fund and the marketing of units.

As virtual currencies are not necessarily classified as financial instruments, it should be considered that common funds may not, in principle, invest in blockchain assets. However, alternative investment funds do not have such a strict categorisation and are able to invest quite freely. Therefore, alternative investment funds could, in theory, invest in blockchain assets, although the FIN-FSA has been somewhat reluctant towards such applications.

Please refer to 12.3 Classification of Blockchain Assets.

Please refer to 8.5 Decentralised Finance (DeFi).

There is no Finnish guidance available on the classification of NFTs. According to the VCPA, the definition of virtual currency refers to a value in electronic form that:

  • has not been issued by a central bank or other public authority and is not legal tender;
  • a person may use as a means of payment; and
  • can be transmitted, stored and exchanged electronically.

As the definition requires that the virtual currency may be used as a means of payment, it is not clear whether NFTs should be excluded from the scope of the VCPA and, similarly, the registration obligation thereunder. Considering the nature of NFTs and given that NFTs are not high-risk products (at least compared to other cryptocurrency-related services), it could be argued that NFTs are not within its scope. However, since the FIN-FSA has taken rather strict views and interpretations regarding various crypto products and services, there is a risk that it would take the view that NFTs are within the scope of the VCPA if there is at least a theoretical possibility that the NFT could be used as a means of payment.

The FIN-FSA has further emphasised that, instead of using vague prefixes on tokens, it would be important for the issuer to include its assessment of the nature of the token in its marketing material, such as whether it is a virtual currency or a security. The same token can be both a virtual currency and a security or another financial instrument.

Furthermore, the above approach is subject to change, given that the VCPA is currently under review within the EU-level regulation implementation process. MiCA generally excludes NFTs from its scope. However, fractional parts of an NFT will not be considered “non-fungible”, nor will the issuance of NFTs in a large series or collection.       

PSD2 requires account servicing payment service providers (ASPSPs) to allow payment users to make use of payment initiation service providers and payment account information service providers to obtain payment services. In Finland, the open banking requirements have been transposed into the PSA. Commission Delegated Regulation (EU) 2018/389 sets more specific rules for dedicated interfaces.

ASPSPs have been required to remove any obstacles identified within the shortest possible time and without undue delay (EBA/OP/2020/10). The European Data Protection Board (EDPB) has released guidelines regarding certain challenges in respect of the need for data subjects to remain in full control of their personal data (Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR).

The EDPB has set specific guidelines related to the payment user’s consent, the processing of a silent party’s data, the processing of special categories of personal data under PSD2 and data minimisation. For instance, pursuant to the EDPB’s Guidelines 06/2020, explicit consent in line with the GDPR is needed for the processing of personal data under PSD2.

It is understood that banks and the authorities are still working on possible solutions to comply with the EDPB’s guidelines, such as “consent dashboards”.

While specific details may vary, common elements of fraud in this sector include:

  • false representation – providing inaccurate information or misrepresenting facts to deceive individuals or entities involved in financial transactions;
  • identity theft – illegally using someone else's identity, personal information or financial details for fraudulent purposes, often to gain unauthorised access to accounts or to conduct transactions;
  • forgery and counterfeiting – creating fake documents, signatures or financial instruments to deceive others and gain access to funds or assets; and
  • phishing and spoofing – employing deceptive tactics, such as fraudulent emails, websites or communications, to trick individuals into disclosing sensitive financial information.

In 2023, the FIN-FSA's supervisory priority was the security of mobile and online banking, along with addressing payment services abuses and the corresponding compensation process. A thematic assessment by the FIN-FSA specifically delved into the practices and compensation procedures related to the misuse of payment services within banks' interactions with consumer-customers during the same year. The FIN-FSA has not indicated a specific focus on addressing fraud through its supervisory actions for 2024.

Waselius

Eteläesplanadi 24 A
00130 Helsinki
Finland

+358 9 668 9520

+358 9 668 95 222

info@waselius.fi www.waselius.fi