The fintech market in Finland has evolved rapidly over recent years, with the focus shifting from quantity to quality. Traditionally dominated by lending businesses and peer-to-peer (P2P) platforms, the market has seen some firms take the next step by upgrading their licences to become credit institutions or payment/e-money institutions. There has been a rapid increase in services offered to SMEs, while the investment and wealth management scene is still awaiting a breakthrough.

Advances in technologies such as artificial intelligence, blockchain and quantum computing continue to drive innovation in the fintech sector, with a focus on enhancing existing services. There is also rapid development in crypto-asset business, boosted by a newly implemented unified framework for crypto-assets.

The following verticals predominate in Finland:

• payments;
• financial software;
• financing;
• data and analytics;
• application programming interfaces (APIs) and platforms;
• wealth management;
• investing;
• customer service and acquisition;
• security and compliance;
• insurtech;
• crypto-assets; and
• blockchain.

Due to the lack of fintech-specific regulation, the regulation applicable to fintech companies is contingent on the business model undertaken. Thus, the regulatory regime applicable to fintech companies comprises the general regulations applicable to financial institutions.

In Finland, financial regulation derives mainly from EU law and thereby consists of, inter alia, the following.

• The Capital Requirements Regulation and the Capital Requirements Directive are applicable to:
1. credit institutions;
2. investment firms;
3. portfolio management companies;
4. central institutions of amalgamations of deposit banks;
5. holding companies of credit institution;
6. holding companies of investment firms; and
7. parent companies of financial and insurance conglomerates.
• The second Markets in Financial Instruments Directive (MiFID II) is applicable to:
1. investment service providers;
2. market operators (including the trading venue maintained by them);
3. central counterparties; and
4. data reporting service providers.
• The second Payment Services Directive (PSD2) has been transposed in Finland in two parts by way of amendments to the Payment Services Act (PSA, 290/2010) and the Payment Institutions Act (PIA, 297/2010). For the most part, these amendments entered into force on 13 January 2018. Apart from certain minor details, the scope of application for the PSA and the PIA is identical, meaning that both acts apply to companies engaging in the following payment services:
1. services related to depositing or withdrawing funds in/from a payment account;
2. the management and offering of payment accounts;
3. the execution of payment transactions by means of credit transfer, transfer of funds to a service provider’s payment account, direct debit or payment card, or via another payment instrument;
4. issuing a payment instrument;
5. the acceptance and processing of a payment transaction based on an agreement with the payee that results in a transfer of funds to the payee;
6. money remittance;
7. payment initiation service; and
8. account information service.
• Fintech entities seeking to enter the payments market should note that payment services may only be provided by a service provider that meets the requirements of the PIA and has been authorised by the Finnish Financial Supervisory Authority (FIN-FSA). The FIN-FSA must be notified about the initiation of the offering of account information services. The requirements for payment information services providers are higher – they must be authorised and have an initial and ongoing capital of at least EUR50,000.
• The General Data Protection Regulation (GDPR) – in Finland, the provisions of the GDPR have been further clarified and supplemented in the Data Protection Act (DPA, 1050/2018), the application of which is consistent with Article 2 of the GDPR. However, deviating from what is stated in the GDPR, the DPA also applies to the processing of personal data in the course of an activity that falls outside the scope of EU law, and to the processing of personal data by member states when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union.
• The Packaged Retail and Insurance-Based Investment Products Regulation (PRIIPs) applies to service providers producing and offering PRIIPs products to retail investors. These include banks, insurance companies, management companies and alternative investment fund managers, and bond issuers. Therefore, certain fintech companies that engage in such activity – such as those in the payments, financing, wealth management, investing and insurtech sectors – fall liable to the regulatory requirements set forth in the PRIIPs, meaning that they must, inter alia, prepare a key information document for each PRIIPs product that they offer to retail investors. The definition of “retail investor” derives from MiFID II and, accordingly, means an investor other than a professional client. “Professional clients” and “non-professional clients” have been further clarified in Chapter 1, Section 23 of the Investment Services Act (ISA, 747/2012).
• AML – the prevention of money laundering and terrorist financing is based on international standards. Specifically, the purpose is to ensure that uniform customer due diligence procedures are observed in the global financial markets. Consequently, in this respect, the EU’s Anti-Money Laundering Directives, which have been implemented in the national legislation of Finland, derive from the Financial Action Task Force's recommendations. In Finland, the AML provisions have been put forth in the Act on Preventing Money Laundering and Terrorist Financing (the AML Act, 444/2017). Finland has implemented Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the “Fifth Anti-Money Laundering Directive”); to some extent, this is broader than the Directive requires.
• The European Markets in Crypto-Assets Regulation ((EU) 2023/1114 – MiCAR) entered into force on 29 June 2023 and establishes a harmonised regime for crypto-assets at an EU level. The Finnish Act on Crypto-Asset Service Providers and Markets in Crypto-Assets (ACASP, 402/2024) came into force in Finland on 30 June 2024, replacing the previous Virtual Currency Providers Act (572/2019). Among other things, ACASP governs the transition periods for the application of MiCAR to various crypto-asset service providers in Finland, and designates the FIN-FSA as the national authority responsible for overseeing compliance with MiCAR.
• Crowdfunding is regulated by the Finnish Act on the Provision of Crowdfunding Services (APCS, 203/2022). Crowdfunding service providers must be authorised by the FIN-FSA in accordance with the APCS and Regulation (EU) 2020/1503 on European crowdfunding service providers for business.

Depending on the business model undertaken, fintech companies may require authorisation, registration or notification. Authorities granting authorisations include the European Central Bank, the FIN-FSA, the Regional State Administrative Agency, the Ministry of Finance and the Ministry of Social Affairs and Health, as well as the government.

The different compensation models vary widely depending on the chosen business model and the technical means through which the products and services are offered. Generally, when targeting the consumer, the Finnish Consumer Protection Act (CPA, 38/1978) and the sector-specific legislation set a tight regulatory framework regarding the disclosure rules.

On a general level, regulation between fintech companies and legacy players, such as banks, does not differ due to the fact that no specific regulation applies to fintech companies. Instead, fintech companies are governed under the same financial regulatory requirements that apply to legacy players, depending on the scope of their operations and the types of services they provide. Naturally, the principle of proportionality will be applied and serves to the favour of smaller fintech companies.

Finland does not have a regulatory sandbox. The Finnish legislation does not allow regulators to grant exemptions from peremptory regulation, so any potential and forthcoming regulatory sandboxes would need to be assembled via legislation. However, the FIN-FSA has a Fintech Helpdesk service that enables fintech companies to approach the FIN-FSA with their licensing questions. Through these channels, fintech companies can easily and promptly receive (non-binding) advice as to whether their business or services meet the licensing requirements.

Regulatory jurisdiction in the Finnish financial sector is split across four authorities.

FIN-FSA

The most prominent national authority for the supervision of Finland’s financial and insurance sectors is the FIN-FSA, which supervises the following entities, among others:

• banks;
• payment institutions;
• crowdfunding companies;
• virtual currency providers;
• insurance and pension companies, as well as other companies operating in the insurance sector;
• investment firms;
• fund management companies; and
• the Helsinki Stock Exchange.

The FIN-FSA is also responsible for promoting compliance with good practice in financial markets and for disseminating general knowledge about the markets. It is regulated by the Finnish Act on the Financial Supervisory Authority (878/2008).

Supervision of traders who provide consumer credits and brokers of P2P loans was transferred from the Regional State Administrative Agency for Southern Finland to the FIN-FSA on 1 July 2023.

The Regional State Administrative Agency for Southern Finland

The Regional State Administrative Agency for Southern Finland is responsible for lower-level supervision of the financial sector (ie, supervision that is not in the scope of the FIN-FSA), such as debt collection. The Regional State Administrative Agencies are governed by the Finnish Act on Regional State Administrative Agencies (896/2009).

Finnish Competition and Consumer Authority (FCCA)

In conjunction with the Regional State Administrative Agencies, the FCCA has jurisdiction over business operations in which instant and consumer credits are being offered. According to the Act on the Finnish Competition and Consumer Authority (the FCCA Act, 661/2012), the sphere of authority of the FCCA includes the implementation of competition and consumer policies and the protection of the consumer’s economic and legal position.

Office of the Data Protection Ombudsman (ODPO)

Although not specific to the financial sector, the fourth national supervisory authority is the ODPO, which supervises compliance with data protection legislation – ie, the Finnish DPA and the GDPR.

European Supervisory Authorities

Since Finland is a member of the EU, the European Supervisory Authorities (ESAs) also have jurisdiction. The ESAs consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), which, together with the FIN-FSA, provide micro-prudential supervision.

Whilst the ongoing supervision of financial institutions remains with the national supervisory authorities, the jurisdiction of the ESAs is enforced through level 2 or level 3 measures.

Pursuant to Articles 10 and 15 of ESA Regulation (EU) No 1095/2010, the ESAs have the authority to develop level 2 measures by means of draft regulatory technical standards (RTS) and implementing technical standards (ITS). The draft RTS and ITS can be submitted to the Commission by the ESAs upon the approval of the board of supervisors of the respective ESA by way of a qualified majority.

In accordance with Article 16 of the ESA Regulations, level 3 measures consist of guidelines and recommendations addressed to the competent authorities and financial institutions or financial market players by the ESAs. Similar to RTS and ITS, guidelines are to be approved by the board of supervisors of the respective ESA by way of a qualified majority.

According to Article 16(3) of the ESA Regulations, competent national authorities and financial institutions or financial market players must make every effort to comply with the guidelines. Both the guidelines and the recommendations are to be applied on a comply-or-explain basis, meaning that failure to adhere to said recommendation/guideline requires notifying the respective ESA and providing an explanation for non-compliance within two months of the issuance of the guideline or recommendation.

Traditionally, Finland has implemented these EU guidelines quite effectively and to their full extent. The practical implementation is often done by a simple local guideline, where a reference is made to an EU-level guideline. This method gives the foreign fintech companies more comfort since they can rely on the fact that Finland has implemented the EU-level guidelines correctly and without gold plating.

Generally, Finnish regulators do not issue no-action letters. They provide guidance to financial market participants seeking clarity on how regulations apply to specific situations or business models, but these responses are usually non-binding. See also 2.5 Regulatory Sandbox.

Regulated functions can be outsourced subject to certain conditions being satisfied. The provisions on outsourcing regulated functions are stipulated in the Regulations and guidelines 1/2012 issued by the FIN-FSA and the EBA Guidelines on outsourcing arrangements.

Investment Services

Investment firms, credit institutions and fund management companies may outsource their authorised investment services only to entities that are licensed to engage in the practice of investment services. With regard to credit institutions and fund management companies, critical functions may only be outsourced where doing so does not materially interfere with risk management, internal supervision or the functioning of business operations.

Payment Institutions

Similar to institutions offering investment services, payment institutions may outsource substantial functions of their payment services where doing so does not materially weaken their internal supervision.

Once payment institutions have outsourced their services, they must ensure the adequacy of the resources and the professionalism, financial functioning and expertise of the outsourced operator; they must also have procedures in place to assess the performance of the outsourced operator. In order to meet their due diligence requirement, payment institutions must ensure, for example, that the outsourced operator has the necessary skills, resources and operating licences required by law to provide the service. In addition, payment institutions must ensure that the outsourced operator has arranged for an adequate level of internal supervision and risk management.

When outsourcing payment services to an agent, payment institutions are held liable for the agent’s operations.

Crypto-Asset Service Providers

Under Article 73 of MiCAR, crypto-asset service providers (CASPs) can outsource functions, but they remain fully responsible for compliance with MiCAR. Outsourcing must not compromise their ability to meet regulatory obligations, weaken internal controls nor hinder supervision by competent authorities. The CASP must ensure that outsourcing arrangements are governed by a written agreement setting out the rights and obligations of both parties, including provisions that allow supervisory authorities to access relevant data. The CASP must continuously monitor the outsourced activities and take necessary steps to mitigate risks arising from the arrangement.

Certain fintech entities are subject to the Finnish AML Act and must therefore comply with the regulations set forth therein. These requirements include that they actively monitor their client relationships and undertake due diligence procedures prior to forming customer relationships. Furthermore, investment service providers and CASPs must ensure that the investor/client is suitable to receive certain services.

As far as is known, no significant enforcement actions have been undertaken against fintech companies, but some enforcement actions have been undertaken against legacy players.

For instance, on 25 August 2022, S-Bank Plc received an administrative fine from the FIN-FSA for errors in reporting on derivative contracts. S-Bank Plc had failed in its obligation to ensure that information on all derivative contracts it had concluded was reported to a trade repository as required by Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR).

On 13 September 2021, the FIN-FSA imposed a penalty payment of EUR1.65 million on S-Bank Plc for omissions in the detection of suspicious transactions; S-Bank Plc had neglected its obligations to monitor its customers’ trading, as required under Article 16 of the EU’s Market Abuse Regulation.

Another enforcement action was publicised on 2 July 2021, in which the FIN-FSA withdrew the investment firm authorisation of Privanet Securities Ltd with immediate effect after it detected several serious omissions and violations in the firm's activities. The legal authority of the FIN-FSA to withdraw the investment firm licence derives from Section 26 of the Financial Supervisory Authority Act, according to which authorisation may be withdrawn where essential statutory conditions under which authorisation was granted no longer exist or where the activities of a supervised entity constitute a material breach of the provisions governing financial markets.

In a more recent case, on 27 January 2023 the FIN-FSA withdrew Nada express osk’s registration under the PIA, due to deficiencies in compliance with anti-money laundering regulation. Nada express osk had already received a penalty fine for these deficiencies but had failed to correct its actions.

In another recent case, on 6 June 2023 the FIN-FSA prohibited Ermitage Partners Oy from offering investment services without a licence, as it classified the firm's receipt and transmission of orders as investment services.

Moreover, a pending investigation is ongoing for the biggest bank in Finland, OP Group; no final decision has yet been issued by the FIN-FSA.

The implications of non-financial services regulations do not differ between fintech companies and legacy players, since such legislation applies irrespective of industry sector.

GDPR

For instance, with regard to privacy, the GDPR harmonises national data privacy laws throughout the EU and applies to the processing of personal data. Thus, companies collecting, storing and using personal data will fall within the scope of the GDPR, irrespective of the sector in which they are engaged. The implications for non-compliance are similar: failure to adhere to the requirements set forth in the GDPR may result in severe fines, with a maximum penalty of EUR20 million or 4% of annual worldwide turnover, whichever is higher.

Cybersecurity

Legislation to protect electronic communications networks has also been introduced in the EU by means of the Directive on Security Network and Information Systems (the “NIS Directive”). National legislation in line with the NIS Directive and the obligations thereof entered into force on 9 May 2018 and has been implemented into the Regulations and guidelines on operative risk management 8/2014 issued by the FIN-FSA.

The Regulations and guidelines apply to credit institutions, investment firms, alternative investment fund managers, UCITS management companies, holding companies of credit institutions and investment firms, central institutions of amalgamations of deposit banks and payment institutions (“supervised entities”). Accordingly, supervised entities must notify the FIN-FSA without undue delay of any significant interruptions and errors that they have noticed in the services provided to clients or in payment systems and information systems.

Another relevant source of non-financial services regulation is the Guidelines on ICT and security risk management issued by the EBA on 29 November 2019, which apply to payment service providers, credit institutions and investment firms. The guidelines stipulate the measures that financial institutions are required to take to manage their ICT and security risks, as well as requirements on holding information on ICT systems.

Outsourcing to Cloud Services

The Guidelines on outsourcing to cloud service providers issued by ESMA and the EIOPA are also relevant in this regard. Both guidelines apply to cloud outsourcing arrangements entered into, renewed or amended on or after 31 July 2021. Financial institutions falling within the scope of the guidelines must ensure that their cloud outsourcing arrangements comply with said guidelines. In its Regulations and guidelines 4/2021, the FIN-FSA recommends that investment firms, credit institutions providing investment services, alternative investment fund managers and alternative investment fund depositaries, among others, comply with the guidelines issued by ESMA. Furthermore, the FIN-FSA stated in 2020 that it complies with the EIOPA’s guidelines in its supervisory work.       

Besides regulators, Finance Finland (FFI) reviews the activities of industry participants within the Finnish financial sector. FFI represents banks, life and non-life insurers, employee pension companies, finance houses, fund management companies and securities dealers operating in Finland. It actively participates in raising awareness amongst decision-makers of any potential impacts that might ensue from regulation, and provides expert opinions on legislative processes. The organisation of FFI is divided into five groups, of which the Infrastructure and Security group is concerned with fintech.

The Fintech Finland Association (a neutral, non-profit organisation) is another relevant party reviewing the activities of fintech companies – for instance, by actively promoting the interests of the Finnish fintech industry.

The offering of unregulated products or bundling them together with regulated products and/or services is not that common in Finland. If such offering does exist, it is mainly conducted by a regulated entity due to regulatory concerns.

The Finnish AML Act imposes a variety of obligations upon obliged entities, including:

• “know your customer” procedures;
• record-keeping;
• ongoing monitoring; and
• identifying beneficial owners.

In accordance with the AML Act, obliged entities are financial market players such as fintech entities engaging in payments and financing, wealth managers, fund companies and CASPs.

Know Your Customer

Obliged entities must identify their customers prior to forming permanent customer relationships. However, obliged entities will also be required to identify their customers when forming occasional customer relationships if the conditions set forth in the AML Act are fulfilled.

If an obliged entity fails to identify its customer to the extent stipulated in the AML Act, it will be prohibited from forming a customer relationship and carrying out the business operation, and from maintaining the business relationship.

Depending on the customer, obliged entities must identify their customers by means of a simplified or enhanced due diligence procedure. Government Decree 929/2021 lays down the due diligence procedures that must be undertaken when identifying customers, particularly in relation to simplified and enhanced due diligence procedures.

The AML Act does not necessarily apply to many unregulated fintech companies, but its applicability should be assessed in detail before excluding the services and/or products outside the scope of the AML Act.

Sanctions Regulation and National Freezing Orders

The FIN-FSA's Regulations and Guidelines 4/2023 on customer due diligence related to compliance with sanctions regulation and national freezing orders entered into force on 1 March 2024 and imposed new requirements on various financial entities. Regulations and Guidelines are provided on the organisation of the supervised entity’s activities, assessment of risks related to sanctions, customer due diligence, sanctions screening, asset freezing, third-country sanctions and reporting.

In its 2019 country assessment of the prevention of money laundering and terrorist financing, the FATF identified several areas for Finland to improve. Since then, Finland has made significant progress in enhancing its compliance with the FATF’s standards by amending its anti-money laundering and sanctions rules, and is no longer subject to the enhanced follow-up process. Today, Finland is either compliant or largely compliant on most of the recommendations issued by the FATF.

Reverse solicitation is available when offering financial products or services cross-border to Finland. Information/services/products provided to the Finnish client/prospect must be limited to the products or services specifically requested by the prospect/client (ie, the content of the information provided must stay within the reverse-solicitation continuum). The marketing and offering of new services/products to existing clients would not be regarded as genuine reverse solicitation.        

There is no national regulation that applies specifically to robo-advisers in Finland. Instead of asset classes, what is more critical from a regulatory standpoint is the type of service being offered. For instance, robo-advisers offering investment services fall within the scope of the general requirements applicable to investment firms set forth in MiFID II and the provisions thereof that have been implemented nationally.

Article 5(1) of MiFID II requires the provision of investment services to be subject to prior authorisation. The requirements regarding the authorisation of investment services have been implemented nationally into the ISA, pursuant to which the investment firm authorisation shall be granted by the FIN-FSA for the provision of investment services or for the practice of engaging in investment activities. The “provision of investment services” means that it is not the investment firm that needs to be authorised, but rather the investment services offered. Therefore, since new services require authorisation, robo-advisers require authorisation. In other words, the ISA enables investment firms to use robo-advisers for the provision of investment services (ie, investment advice and portfolio management), subject to having received prior authorisation.

Moreover, as MiFID II is technology-neutral by not prescribing how such investment services are to be offered, the FIN-FSA cannot reject authorisation solely on the basis that the investment services are being offered via a robo-adviser.

The same principles apply when offering crypto-asset services under MiCAR, such as providing advice or portfolio management on crypto-assets (where the assets do not qualify as financial instruments) via robo-adviser.

Considering the fact that investment services in Finland have been digitalised for a while, robo-advisers are not as established in Finland as one might expect. There are currently three robo-advisers implemented by legacy players in Finland:

• with regard to legacy players, Nordea has implemented Nora, which is a robo-adviser providing investment advice upon the completion of a questionnaire;
• OP Financial Group has also implemented a robo-adviser, OP Investment Partner, which is a digital investment adviser on OP-mobile and, accordingly, invests in responsible companies by only including companies that are among the best in their sector in terms of ESG-related issues; and
• independent robo-advisory firm Evervest Ltd was first acquired by Taaleri Group and thereafter by Aktia Bank, which is now running the digital services.

With regard to the robo-advisers specified in 3.2 Legacy Players' Implementation of Solutions Introduced by Robo-Advisers, there are no issues in relation to the best execution of customer trades, since they do not execute orders per se. Instead, the requirements applicable to investment firms briefly mentioned in 3.1 Requirement for Different Business Models apply.

Nevertheless, issues regarding the best execution of customer trades will arise for robo-advisers engaging in, for example, payment transmission and the execution of payment orders, for which the requirements applicable to investment firms (or CASPs, where applicable) apply.

In Finland, the difference in the regulation of fiat currency loans provided to different entities is mainly threefold.

First, the activity of providing loans that are financed via repayable funds received from customer deposits is defined as credit institution operations, in accordance with the Act on Credit Institutions (ACI), which lays down provisions stipulating the right to engage in the practice of credit institution operations. Accordingly, in order to engage in credit institution operations, authorisation is required through the FIN-FSA. However, in this regard, the ACI does not make a distinction between the provision of loans to small and other types of businesses; it merely lays down the general prerequisites applicable to businesses engaging in credit institution operations, none of which are concerned with the business type of the borrower or its size.

Secondly, unlike businesses engaging in credit institution operations, businesses providing loans without the use of repayable funds are not governed under the ACI. However, businesses providing consumer credits and P2P loan brokers must register with the FIN-FSA, which supervises their operating practices, such as sales, marketing and lending principles, in the same way as other lenders.

Moreover, as the Finnish legal system is based upon the notion of freedom of contract, the provision of loans in Finland remains fairly unregulated and, to a large extent, parties are free to agree on the terms they wish to incorporate into their contracts. Thus, similar to businesses engaging in credit institution operations, there are no significant differences in the regulation of loans provided to small or other types of businesses.

Conversely, however, consumer loans are governed under the CPA, meaning that there are, of course, substantial differences between the provision of loans to consumers and companies. Although the Finnish legal system is based upon the notion of freedom of contract, the notion is subject to certain exceptions, such as in consumer sales that encompass consumer protection. With regard to consumer loans specifically, this is evident in Chapter 7, Section 5 of the CPA, according to which all such terms that conflict or deviate from said chapter’s provisions in a way that is detrimental to the consumer shall be deemed null and void. Consequently, unlike in the provision of loans to companies whereby the interest rate is open to negotiation, the interest rate in conjunction with the cost of credit in consumer loans is capped pursuant to Section 17a of Chapter 7.

In Finland, industry participants are obliged to conduct a creditworthiness assessment prior to granting consumer credit, pursuant to Chapter 7, Section 14 of the CPA. Moreover, according to Section 16a of said chapter, industry participants may only grant consumer credit where the creditworthiness assessment indicates that the obligations deriving from the credit agreement are likely to be fulfilled in accordance with what is required under the credit agreement.

The creditworthiness assessment is to be based upon information relating to the consumer’s income and other information relating to the financial condition of the consumer. In other words, the law does not specify how the underwriting process is to be taken per se, but rather stipulates the information that needs to be reviewed prior to granting consumer credit. As of 1 April 2024, the creditworthiness assessment has largely been based on information retrieved from the positive credit register, as well as other information. The use of (and reporting to) this register is mandatory.

To satisfy their obligation, industry participants generally resort to reviewing the positive and negative credit information of the consumer and, where deemed necessary, obtaining additional information, such as employment details. Since the use and processing of credit information is governed under the Act on the Positive Credit Register (739/2022) and the Credit Information Act (527/2007), industry participants fall within the scope of these acts in addition to the CPA. The consequence for consumer credit providers is threefold:

• they are to ensure adequate privacy protection whilst processing credit information;
• they are obliged to assess the creditworthiness of consumers in light of correct and appropriate information; and
• they are to advance good practice of credit information.

With regard to the provision of loans to businesses, no creditworthiness assessment is required by law. Nevertheless, for obvious reasons, industry participants generally prefer to review the credit information of all borrowers even where doing so is not required under law. However, the positive credit register will be extended to private traders between late 2025 and early 2026.

Peer-to-Peer

Online lenders may fund their fiat currency loans by facilitating P2P lending, which refers to the provision of loans between private individuals or companies without the involvement of a bank or another financial institution. In such a case, the online lender may facilitate P2P lending by, for instance, providing a platform for the parties involved in the P2P transaction; in other words, the borrower and the lender engage in an electronic money transfer via an intermediary – in this case, the online lender.

The legal and regulatory consequences depend on whether the online lender merely connects the P2P parties with its platform or whether it also administers the payments between the parties. Where online lenders facilitate credits to consumers that were granted by an entity other than a credit provider referred to in Chapter 7 or 7a of the CPA, their operations require registration with the FIN-FSA as a P2P intermediary. Administering the payments may, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender a payment service provider. In this case, the PIA will also apply, and the online lender will be required to seek authorisation from the FIN-FSA.

Lender-Raised Capital

Online lenders may also fund their fiat currency lending by borrowing funds from other lenders. By doing so, however, the online lender will be deemed to be a credit institution in accordance with Directive (EU) No 575/2013 and the ACI, and will therefore be required to comply with the provisions set forth therein. In order to engage in practices pertinent to credit institutions, the online lender will need to file for authorisation with the FIN-FSA prior to commencing said lending activities. Other legal and regulatory implications of lender-raised capital lending include that the online lender must ensure it has sufficient capital of its own, pursuant to Directive (EU) No 575/2013.

Repayable Funds

As is the case with lender-raised capital, and as stated in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, companies that finance their fiat currency lending activities via repayable funds are deemed to engage in credit institution operations and will thus fall within the scope of Directive (EU) No 575/2013 and the ACI.

In contrast to legacy players engaging in the syndication of large fiat currency loans, small consumer credit loans provided by fintech entities are generally not syndicated.

The provision of payment services is regulated under the PSA and the PIA, neither of which specifies the payment rails to be taken when providing payment services. Instead, they stipulate the conditions that need to be fulfilled in the provision of payment services. Therefore, payment processors are free to create and implement new payment rails on the condition that they comply with the PSA and PIA. However, in order to engage in the practice of payment services, a payment processor will need to be authorised by the FIN-FSA as a payment institution or a credit institution.

At the EU level, payments and remittances are primarily regulated under PSD2. The Instant Payments Regulation (EU) 2024/886 aims to accelerate the roll-out of instant payments and covers credit transfers denominated in euros within the EU. In addition to PSD2, it amends several EU regulations and is expected to be implemented into Finnish law in 2025.

In addition to general legal requirements under PSD2, as transposed into the PSA and the PIA, cross-border payments are subject to specific information-reporting requirements under the Act governing the information-reporting requirement (659/2023), which implements Council Directive (EU) 2020/284. In Finland, the information shall be reported to the Finnish Tax Administration, which will deliver the collected information to the European Commission’s Central Electronic System of Payments.

Finland is also a member of the Single Euro Payments Area (SEPA), a payment-integration initiative of the EU that seeks to improve the efficiency of cross-border payments.

Furthermore, money remittance activities, particularly those of the Hawala type, are generally considered to pose a high risk of money laundering and terrorist financing. In recent years, the FIN-FSA has strengthened its supervisory measures for these companies, imposed penalty payments on those that fail to comply with the anti-money laundering and sanctions regulation, and even revoked the registration of some money remittance service providers.

The regulation on trading venues derives from MiFID II and covers regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). MTFs and OTFs are regulated nationally via Chapter 5 of the Act on Trading in Financial Instruments (1070/2017), which provides the general requirements applicable to both trading venues. According to Section 1 of Chapter 5, in addition to the stock exchange, only investment firms, credit institutions and third-country branches may maintain MTFs and OTFs in Finland.

MiCAR governs the operation of trading platforms for crypto-assets. A crypto-asset trading platform is a regulated entity under MiCAR that facilitates the trading of crypto-assets in a multilateral system that brings together multiple third-party buying and selling interests. These platforms must be authorised as CASPs and comply with strict operational, organisational and prudential requirements.

In general, different asset classes do not have different regulatory regimes in Finland; rather, regulatory regimes are separated by the provision of certain services. For instance, offering investment services, regardless of the asset classes offered, requires an entity to be licensed under the MiFID II regime. Furthermore, an organiser of MTFs or OTFs can only be a credit institution, an investment firm, a branch of a licensed third-country company or a stock exchange.

However, there are some regulatory differences – eg, between securities and other financial instruments. Financial instruments as a category includes securities and financial instruments that are listed in the ISA. There is also some specific regulation on the issuance of securities, which is mainly contained in the Securities Market Act (SMA, 746/2012). Furthermore, where the assets do not qualify as financial instruments but rather as crypto-assets, MiCAR governs the provision of services related to such assets.

The emergence of crypto-assets has impacted the regulatory regime in Finland, mainly due to EU legislation governing crypto-asset exchanges. Operating trading platforms for crypto-assets or facilitating the exchange of crypto-assets for funds or other crypto-assets requires authorisation from the FIN-FSA under MiCAR and the ACASP.

Please also refer to 10.5 Regulation of Blockchain Asset Trading Platforms.

The issuance of securities to the public is regulated by the SMA. Listed companies also have to comply with the Limited Liability Companies Act (624/2006). A company applying for listing must be prepared to fulfil its statutory disclosure obligation from the date on which it submits its application to be listed on the stock exchange. The information disclosed by a listed company must be timely, consistent and reliable. Factors related to the disclosure obligation are often reflected in other listing conditions, such as the fulfilment of qualitative capabilities required for listing, the company’s obligation to apply the International Financial Reporting Standards or the corporate governance of the company.

MTFs are more lightly regulated trading venues than regulated markets (stock exchanges). Requirements for issuers of financial instruments admitted to trading on an MTF are lighter in relation to disclosure obligations and operating history than for issuers of financial instruments whose financial instruments are traded on a regulated market.

In addition to regulatory obligations, listed companies must comply with the rules of the stock exchange or MTF. The rules, guidance and other information of Nasdaq Helsinki Ltd (Helsinki Stock Exchange and First North Growth Market Finland) and for companies planning a listing are available on the website of the stock exchange. Regulations by the FIN-FSA also need to be complied with. The Finnish Foundation for Share Promotion has published a guidebook on listing.

The applicability of order handling rules depends on the type of services a market participant provides. Market participants that are regulated under MiFID II and the ISA and that execute orders are subject to order handling rules. The Act on Trading in Financial Instruments imposes specific order handling requirements for stock exchanges, MTFs and OTFs.

In accordance with the ISA, an investment firm that provides execution of orders as an investment service shall execute client orders without undue delay. An investment firm may not let the interests of another client or its own interests influence the execution of a client order. An investment firm shall execute comparable client orders sequentially and in a prompt, fair and expeditious manner. The obligation of the investment firm to publish a limit order issued by the client shall be governed by the provisions of the Act on Trading in Financial Instruments.

Traditionally, the Finnish market has been dominated by P2P platforms, which require registration with the FIN-FSA as a P2P intermediary. Online lenders may facilitate P2P lending by, for instance, providing a platform for the parties involved in the P2P transaction; in other words, the borrower and the lender engage in an electronic money transfer via an intermediary – in this case, the online lender.

The legal and regulatory consequences depend on whether the online lender merely connects the P2P parties with its platform or whether it also administers the payments between the parties. Both cases require registration with the FIN-FSA as a P2P intermediary. Administering the payments may, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender a payment service provider. In this case, the PIA will also apply, and the online lender will be required to seek authorisation from the FIN-FSA.

In the EU, payment for order flow (PFOF) is considered to be in contrast to the requirements set out in MiFID II. ESMA has considered that PFOF causes a clear conflict of interest between the firm and its clients, because it incentivises the firm to choose the third party offering the highest payment rather than the best possible outcome for its clients when executing their orders. Therefore, ESMA has advised market participants under the MiFID II regime to thoroughly assess whether they are able to comply with MiFID II when receiving PFOF. This advice is also followed in Finland.

As financial markets have become increasingly global, giving rise to new trading platforms and technologies, the EU has aimed to strengthen its market abuse regime. The Act on Trading in Financial Instruments sets out the basic principles and requirements for using the central securities depository and the central counterparty, aiming to ensure that the co-operation does not endanger trading integrity. Besides, there are no fintech-specific principles on market integrity or market abuse.

Algorithmic trading is regulated under Chapter 7a of the ISA, and there is no distinction between asset classes.

In principle, there is no regulation according to which market makers should be licensed or otherwise register as market makers in Finland. However, if a market maker begins to trade on its own account, it becomes subject to provisions under the ISA and should be licensed as an investment company. The provisions of the ISA do not apply if the market maker trades on its own account as an ancillary activity.

Algorithmic trading is regulated under Chapter 7a of the ISA, according to which the provisions on algorithmic trading apply to all trading parties. Trading parties are defined as investment service providers or other persons authorised by a stock exchange or a multilateral trading operator to trade on the trading platform in question. Chapter 7a of the ISA does not contain any distinction between funds and dealers.

As far as is known, no regulation is imposed upon programmers and programming at present.

Industry participants must comply with the general principles of insurance regulation and good insurance practice in their underwriting processes. For instance, pursuant to general principles of risk selection in insurance drawn up by FFI, no group of people may be placed in an unequal or inferior position due to their gender, race, ethnicity, religion, conviction, disability, age or sexual orientation. There are, however, acceptable reasons for treating different groups of people in a different manner.

In Finland, insurance providers are generally regulated under the Insurance Companies Act (521/2008), which provides the legal framework for the operation of life and non-life insurance companies. The Insurance Contracts Act (543/1994) and the Act on Insurance Distribution (234/2018) also apply. However, life insurance companies are subject to further regulation, as specified in the aforementioned legislation, in relation to their investments, with which they have to comply. There is also separate legislation in place for transport insurance and workers’ compensation.

In significant contrast to the general approach at the EU level, non-life insurance companies are also fully subject to anti-money laundering legislation in Finland, so have to comply with all the requirements set out in the Finnish AML regime as obliged entities.       

There is no specific regulation regarding regtech companies; the decisive factor in respect of regulation is the services that they provide.

The Digital Operational Resilience Act (EU) 2022/2554 (DORA) became applicable in Finland broadly to different kinds of ICT arrangements within the financial industry as of 17 January 2025. Among other things, DORA regulates the key contractual provisions to be included in the contractual arrangements between financial entities and ICT third-party service providers. According to DORA, when negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services.

The traditional players have not been eager to implement blockchain in their services/product offering. However, the fintech labs of some major players are investigating new opportunities with blockchain technologies.

The local regulators have not been active in introducing regulation.

Under Finnish law, crypto-assets are classified in accordance with MiCAR. Blockchain-based assets are generally treated as crypto-assets that are either asset-referenced tokens (ARTs), electronic money tokens (EMTs) or crypto-assets other than ARTs or EMTs.

Crypto-assets are not automatically categorised as financial instruments or securities; however, their classification depends on their specific characteristics. A blockchain asset may be deemed a financial instrument or security based on its nature, requiring a case-by-case analysis. This analysis considers that securities market legislation is technology-neutral. For example, the FIN-FSA uses a set of questions to evaluate whether a crypto-asset qualifies as a security.

If crypto-assets are deemed financial instruments/securities, they fall outside the scope of MiCAR and are instead governed by other EU legislation applicable to financial instruments/securities.

The issue, public offer and seeking admission to trading of blockchain assets are subject to MiCAR.

Issuing a crypto-asset means, in practice, creating a new crypto-asset. Issuing ARTs and EMTs requires authorisation from the FIN-FSA. Furthermore, as EMTs are deemed to be electronic money, they may only be issued by authorised credit institutions or electronic money institutions. An issuer of ARTs and EMTs usually also acts as an offeror to the public or as a person seeking admission to trading, which requires publishing a crypto-asset white paper, namely an information document containing mandatory disclosures. However, offering to the public or seeking admission to trading of ARTs and EMTs does not require authorisation if the offeror or the person seeking admission to trading is a different person than the issuer. Offering to the public or seeking admission to trading of ARTs or EMTs on behalf of the issuer requires the written consent of the issuer. Regardless of such an arrangement, the issuer of the ART or EMT retains the obligation to draw up a crypto-asset white paper.

Issuance, offering to the public or seeking admission to trading of crypto-assets other than ARTs and EMTs does not require authorisation. However, MiCAR contains some other requirements for public offerors and persons seeking admission to trading of these crypto-assets. The main requirement is the obligation to draw up a crypto-asset white paper.

As described in 10.3 Classification of Blockchain Assets, the regulation of initial sales depends on how the blockchain assets are classified. When the issued crypto-asset qualifies as a financial instrument as defined in MiFID II, Finnish securities laws apply to the offer instead. In such cases, the issuer must comply with securities legislation, including the obligation to publish a prospectus approved by the FIN-FSA before offering the securities to the public.

Operating trading platforms for crypto-assets such as blockchain assets or facilitating the exchange of crypto-assets for funds or other crypto-assets requires authorisation from the FIN-FSA under MiCAR.

Regarding secondary market trading, MiCAR captures transactions both through intermediaries and P2P when such activities qualify as crypto-asset services. If intermediaries facilitate trading, they are subject to authorisation and operational requirements under MiCAR. However, users with self-hosted wallets can hold their private keys and digital assets while directly sending or receiving assets in a P2P manner. In such cases, neither the wallet software provider nor the wallet itself effectuates transactions on the user’s behalf and is not required to obtain authorisation (as there is no crypto-asset service provider involved). Notwithstanding, although P2P transactions generally fall outside MiCAR’s primary regulatory focus, they may still trigger regulatory obligations if the platform or facilitator undertakes intermediary-like functions, such as providing custody services or order matching.

MiCAR does not explicitly regulate staking, as the term itself is not mentioned within the regulation. This absence has led to interpretative challenges regarding its applicability to staking services. However, the provision of staking services may involve elements that fall within MiCAR’s scope. For instance, if a service provider engages in the custody or administration of crypto-assets or private keys on behalf of clients, these activities could trigger authorisation requirements under MiCAR.

In addition, EBA and ESMA have recently highlighted potential risks associated with crypto-asset staking, suggesting that certain aspects of staking services could trigger regulatory requirements. The FIN-FSA has not issued any further guidance or regulations regarding staking services.

MiCAR does not apply to the lending and borrowing of crypto-assets, but this is subject to applicable national law. Under Finnish law, to the extent that no repayable funds are raised from the public (only licensed credit institutions have the right to engage in credit institution activity, which means business operations where repayable funds are received from the public and credit or other financing is offered for own account), the provision of loans and other similar financing to corporate customers is generally permissible in Finland. This applies also in relation to crypto-assets.

However, the lending of crypto-assets to consumers is subject to obtaining a separate right. This would, for example, mean obtaining a payment or credit institution licence or, if no such a licence is obtained, a registration under the Finnish Act on the Registration of Certain Credit Providers and Credit Intermediaries, as described in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities.

MiFID II does not provide a single overarching definition of derivatives or financial instruments, but instead lists examples of contracts that qualify as financial instruments. These contracts derive their value from an underlying asset and can be settled either in cash or through the delivery of the underlying asset. ESMA has indicated that crypto-assets can act as underlying instruments for derivative financial instruments. ESMA has also stated that certain crypto-assets can themselves qualify as derivatives. Entities offering crypto-asset derivatives must determine whether their products fall within the definition of financial instruments and possibly comply with MiFID II’s regulatory framework.

MiCAR expressly excludes crypto-assets that qualify as financial instruments. However, where the derivatives qualify as crypto-assets but not financial instruments, the entity offering such assets or services related to such assets is subject to MiCAR’s regulatory framework.

The regulation of decentralised finance (DeFi) depends on the extent to which a service is genuinely decentralised. Under MiCAR, crypto-asset services that are provided in a completely decentralised manner and thus without an intermediary do not fall within the scope of regulation.

However, MiCAR does not automatically exempt all DeFi platforms. If a party facilitates the trading of crypto-assets in a manner that involves some form of control, governance or influence over the platform, regulators may view them as an intermediary. In such cases, they could be subject to the same regulatory requirements as centralised crypto-asset service providers. Therefore, simply operating under the label of DeFi does not necessarily mean a service is outside the regulatory perimeter. The degree of decentralisation and the presence of any entity that exercises control or facilitates transactions will be key factors in determining whether and how regulation applies.

As far as is known, there is no specific regulation on funds that invest in crypto-assets, including blockchain assets.

Directive (EU) 2009/65/EC on the co-ordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) has been implemented nationally in the Finnish Act on Common Funds (ACF, 213/2019). In accordance with the ACF, common fund activity shall refer to the raising of funds from the public for their joint investment and the investment thereof mainly in financial instruments, as well as the management of a common fund and the marketing of units.

As crypto-assets are not necessarily classified as financial instruments, it should be considered that common funds may not, in principle, invest in blockchain assets. However, alternative investment funds do not have such a strict categorisation and are able to invest quite freely. Therefore, alternative investment funds could, in theory, invest in blockchain assets, although the FIN-FSA has been somewhat reluctant towards such applications.

Please refer to 10.3 Classification of Blockchain Assets.

Under MiCAR, the regulatory treatment of non-fungible tokens (NFTs) depends on their specific characteristics rather than their mere classification as “non-fungible”. MiCAR generally excludes NFTs from its scope if they are truly unique and not issued in a manner that makes them interchangeable or functionally similar to traditional financial instruments or crypto-assets. However, if NFTs are issued in large series or collections with characteristics that suggest they are fungible or have an investment-like nature, they may be captured by MiCAR’s regulatory perimeter. Furthermore, where NFTs qualify as financial instruments, their issuance is subject to the MiFID II regulatory framework instead of MiCAR.

PSD2 requires account servicing payment service providers (ASPSPs) to allow payment users to make use of payment initiation service providers and payment account information service providers to obtain payment services. In Finland, the open banking requirements have been transposed into the PSA. Commission Delegated Regulation (EU) 2018/389 sets more specific rules for dedicated interfaces.

ASPSPs have been required to remove any obstacles identified within the shortest possible time and without undue delay (EBA/OP/2020/10). The European Data Protection Board (EDPB) has released guidelines regarding certain challenges in respect of the need for data subjects to remain in full control of their personal data (Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR).

The EDPB has set specific guidelines related to the payment user’s consent, the processing of a silent party’s data, the processing of special categories of personal data under PSD2 and data minimisation. For instance, pursuant to the EDPB’s Guidelines 06/2020, explicit consent in line with the GDPR is needed for the processing of personal data under PSD2.

It is understood that banks and the authorities are still working on possible solutions to comply with the EDPB’s guidelines, such as “consent dashboards”.

While specific details may vary, common elements of fraud in this sector include:

• false representation – providing inaccurate information or misrepresenting facts to deceive individuals or entities involved in financial transactions;
• identity theft – illegally using someone else's identity, personal information or financial details for fraudulent purposes, often to gain unauthorised access to accounts or to conduct transactions;
• forgery and counterfeiting – creating fake documents, signatures or financial instruments to deceive others and gain access to funds or assets; and
• phishing and spoofing – employing deceptive tactics, such as fraudulent emails, websites or communications, to trick individuals into disclosing sensitive financial information.

In the past, the FIN-FSA's supervisory priority has been the security of mobile and online banking, as well as addressing abuses in payment services and the corresponding compensation processes. However, the FIN-FSA has not specifically indicated a focus on fraud through its supervisory actions for 2025. Nevertheless, phishing (including smishing and vishing) fraud has caused the largest losses in the Finnish financial sector in recent years. Investment scams, such as those involving cryptocurrency exchange services, are also prevalent. The number of managing director scams has also been on the rise.

The allocation of liability between the service provider and the customer is assessed on a case-by-case basis. For example, according to the PSA, the payment service user’s liability for unauthorised payment transactions is generally limited to EUR50, unless they have acted intentionally or with gross negligence. Gross negligence refers to extremely serious carelessness that clearly demonstrates a reckless attitude towards the security risks associated with the management and use of payment instruments. In such cases, the conduct of the payment instrument holder must clearly and significantly deviate from the standard of care expected.

In many cases where the service provider has been held liable for an unauthorised payment transaction, the information provided in the text message (eg, concerning payment confirmation or activation code) sent to the customer by the service provider prior to the incident has been deemed insufficient. Furthermore, recent court decisions have shifted more responsibility for implementing preventative measures against payment fraud onto the service providers. These measures include, for example, taking additional actions to suspend abnormal payments.