General

Sweden has a thriving fintech market and is considered to be one of Europe’s largest fintech communities. It was estimated in 2021 that there were a total of 509 fintech companies in Sweden. These include Klarna and iZettle within the payment and transfer category, and Zmarta and Lendo within the capital debt and equity category, amongst others. Some characteristics of the market that have helped the development of the fintech market are solid banks with strong liquidity, a high degree of digitalisation and a strong talent supply.

The Economic Landscape

As with many industries, the fintech industry in Sweden has been affected by the war in Europe and its consequences over the past few years.

The COVID-19 pandemic contributed to the continued high interest in investing in fintech companies due to the accelerated digital development that took place during that period. In 2021, there was also an increased interest in raising capital through IPOs on one of the Swedish trading platforms. However, the Swedish FinTech Association (the “Association”) stated in their annual report that, although the market was focusing on growth in 2021, during 2022 the demands on profitability increased, and companies were having issues raising capital. The Association stated that 2023 would also likely be a year of ups and downs for industry participants on the Swedish fintech market, but also that harder times can lead to new innovations on the market.

New Legislation 

The EU has placed great emphasis on promoting innovation within the Union. The regulatory intensity is largely driven by its approach to digital governance, balancing innovation with fundamental rights and fair market conditions. Since 2020, the EU has been working on a digital finance package, which includes legislative proposals on open finance such as a framework for financial data access and modernising the third Payment Service Directive (PSD3), the Digital Operational Resilience Act (DORA) and the new framework for crypto-assets, the Markets in Crypto-Assets Regulation (MiCA).

Another important piece of EU legislation that will potentially have a major impact on the Swedish fintech market is the AI Act. The Association noted in its annual market report in 2024 that 73% of fintech companies in 2023 were using AI. The AI Act will be fully applicable from August 2026; however, some parts of the regulation, such as the prohibition of AI systems with an unacceptably high risk and the regulation of general-purpose AI, will apply in 2025.

The Swedish fintech industry includes a wide range of business models. The main areas in which Swedish fintech companies operate, and which currently dominate the Swedish fintech industry, are:

• payment and transfer – eg, bill payments, domestic transfers, neobanks, transaction accounts and international transfers;
• wealth and cash management – eg, crowdfunding equity, debt investment, execution only, investment advisory, robo-advisory, marketplace, private equity and savings accounts;
• capital debt and equity – eg, consumer lending, crowdfunding and real estate mortgage lending;
• regtech – financial crime, actor management, e-identification, market transaction reporting, legal tech, etc;
• innovation accounting – eg, invoice trading, invoice management, payment monitoring, payment reminders, brokers and debt management; and
• insurtech – eg, claims management and processing, risk detection and prevention, underwriting and reinsurance, personalisation (insurance wallets, financial partners), on-demand insurance and product insurance.

Fintech companies in Sweden are subject to a wide range of laws and regulations. The exact regulations depend primarily on the type of business that the individual fintech company operates. Sweden does not have a specific fintech regime that applies to all fintech companies. 

Most fintech companies are subject to authorisation or registration requirements and are supervised by the Swedish Financial Supervisory Authority (SFSA).

Some examples of regulations that apply to different fintech business models follow:

• the Payment Services Act (PSA), applicable to payment services – licence or registration requirement;
• the Consumer Credit Operations Act (CCOA), applicable to consumer credit origination and intermediation – licence requirement (proposed to be repealed in 2025);
• the Mortgage Business Act (MBA), applicable to consumer mortgage origination and intermediation – licence requirement;
• the Crowdfunding Regulation, applicable to crowdfunding – licence requirement;
• the Certain Financial Operations Act (CFOA), applicable to cryptocurrency trading, currency trading and other financial operations – registration requirement; 
• the Electronic Money Act (EMA), applicable to the issuance of electronic money – licence or registration requirement;
• the Banking and Financing Business Act (SBFBA), applicable to banking and financing services – licence requirement;
• the Securities Market Act (SMA), applicable to securities business – licence requirement;
• the Insurance Distribution Act (IDA), applicable to insurance distribution – licence and registration requirement;
• the Insurance Business Act (IBA), applicable to insurance business – licence requirement;
• the UCITS Act, applicable to fund operations – licence requirement;
• the Alternative Investment Fund Managers Act (the “AIFM Act”), applicable to alternative investment fund management – licence or registration requirement;
• DORA, applicable to financial entities and providers of information and communication technology (ICT) services to financial entities; and
• MiCA, applicable to crypto-asset issuance – licence requirement.

In addition to the foregoing, general regulations such as data protection regulations, cybersecurity regulations, the AI Act and regulations regarding measures against money laundering and terrorist financing will be applicable to most fintech business models.

Lastly, the SFSA also issues various regulations and guidelines clarifying and supplementing the above-mentioned Acts.

Compensation and remuneration models vary between the different fintech business models and according to the regulations that apply to such business models.

For example, consumer lending businesses will normally charge customers interest and various fees, while asset management services may charge the customers transaction fees, advisory fees, commission fees or fees for premium features. 

Most regulated fintech companies will be subject to extensive disclosure requirements relating to compensation.

During the last few years, the SFSA has focused its supervisory activities on certain compensation models, particularly on those that involve third-party commission, which are believed to have inherent conflicts of interest. There has also been a focus on lending business models involving consumer loans with high cost and high interest, which has led to the introduction of a cost and interest rate ceiling in Sweden.

Fintech companies and legacy players that conduct the same type of regulated businesses will, in general, be subject to the same regulations.

However, legacy players often have more extensive and complex business models, which subjects them to more regulatory requirements. Consequently, fintech companies can benefit from less regulatory requirements by providing more streamlined business models or a more limited number of products and services. 

On the other hand, many rules and regulations that apply to fintech business models were not constructed with fintech industry participants in mind, but rather based on the more traditional business models carried out by legacy players. This has caused challenges for fintech companies when applying such rules and regulations to their more streamlined and tech-based business models.

The SFSA has not implemented a regulatory sandbox that allows fintech companies to live test innovations or business models in a sandbox environment.

Instead, the SFSA has instituted the Innovation Center, which aims to provide information and offer guidance to companies that want to provide innovative products and services on the Swedish market. The Innovation Center arranges seminars and industry meetings on innovation in the financial sector.

Within the framework of the Innovation Center, the SFSA co-operates with, among others, the Swedish central bank, the BIS Innovation Hub Nordic Centre, Vinnova, the Swedish Authority for Privacy Protection (the “Privacy Protection Authority”), the Swedish Fintech Association, Stockholm Fintech Week and AI Sweden. The Innovation Center is also active in international groups with innovation focus within the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA), the International Organization of Securities Commissions (IOSCO) and the European Forum for Innovation Facilitators.

The Privacy Protection Authority provides in-depth guidance to innovation projects in the form of dialogue-based guidance, in which the Authority highlights grey area issues regarding data protection and privacy. The Privacy Protection Authority refers to this approach as a regulatory sandbox and states that the method can reduce uncertainty among innovation actors and contribute to privacy-friendly innovation, which in turn can lead to sustainable digitalisation. To participate, a declaration of interest must be submitted to the authority in advance, and the potential participants shall meet certain criteria. 

The Swedish Companies Registration Office, the Swedish Tax Agency, the Swedish Public Employment Service and the Privacy Protection Authority have initiated work on a pilot AI regulatory sandbox. The aim of the project is, among other things, to increase knowledge about how AI regulatory sandboxes should be established and function in Sweden. The pilot released its first interim report in June 2024.

Main Swedish Regulators

The SFSA is the supervisory authority that authorises and supervises companies operating regulated activities on the financial market. The SFSA’s mission is to contribute to a stable financial system characterised by high confidence, well-functioning markets and a high level of consumer protection, as well as sustainability. The SFSA monitors and analyses trends in the financial market, assesses the risks and control systems in financial companies and supervises compliance with statutes, ordinances and other regulations. The SFSA furthermore issues regulations and guidelines and contributes to discussions regarding whether existing legislation needs to be amended.

The Swedish Consumer Agency (the “Agency”) is specifically tasked with safeguarding consumer interests. The Agency is headed by the consumer ombudsman, who may represent consumer interests in relation to businesses as well as pursue legal action in court. The Agency’s responsibilities include receiving and following up complaints from consumers, providing guidance and information to consumers, identifying consumer issues in different markets, etc.

The Swedish Authority for Privacy Protection is an authority tasked with ensuring the protection of personal privacy. This is done by informing and training those who process personal data, ensuring that applicable laws are complied with and exerting influence so that new legislation contains rules that aim to protect privacy. The Agency may also issue sanctions against companies who do not comply with applicable data protection rules.

The Swedish Economic Crime Authority is responsible for fighting economic crime such as embezzlement, insider trading, tax fraud and the like.

EU Regulators

Sweden is a member of the EU. The three European supervisory authorities (ESAs; the EBA, ESMA and EIOPA) issue guidelines and technical standards that are applicable in Sweden and co-operate with the Swedish competent authorities to harmonise financial supervision in the EU.

Regulatory “no-action” letters are used in various jurisdictions, for example the USA, to confirm that a relevant regulator will not take enforcement action against a person or company for failure to comply with a specific obligation.

The SFSA does not issue formal no-action letters, nor binding advance ruling in authorisation cases. There is one exception to this: the SFSA, for a fee, will issue binding advance rulings on whether a planned activity constitutes insurance business. 

The ESAs – ESMA, EBA and EIPOA – have the power to issue a type of no-action letter in accordance with their founding regulations. While the founding regulations do not give the ESAs the power to unilaterally reform or suspend EU legislation, they provide the ESAs with the authority, inter alia, to issue non-binding recommendations for amendments to EU law.

Most financial companies, including fintech companies, are subject to extensive rules and requirements concerning how they can outsource their services and functions.

The requirements regarding outsourcing differ slightly between various companies depending on which rules are applicable. However, in general, when it comes to the outsourcing of critical or important functions and services, companies must exercise due skill, care and diligence when entering into, managing and terminating the outsourcing arrangement, and when choosing a service provider. 

Certain regulated companies, such as banks, credit market companies and investment firms, are obligated to notify the SFSA in connection with certain types of outsourcing. 

As of 17 January 2025, when DORA came into force, specific risk management requirements also apply to providers of outsourced ICT services.

The outsourcing of activities to companies outside of the EU presents a greater geopolitical risk. In these cases, the SFSA has underlined the importance of applying risk-mitigating measures to ensure that the outsourcing does not increase the risks for the outsourcing company’s own business or in any way limit national authorities’ ability to carry out effective supervision.

There are no clear and specific rules that mean that fintech companies are always deemed gatekeepers. Any responsibility for the activities on a fintech company’s platform will depend on the business model and the type of operations that the company operates.

During the last several years, sanctioning cases brought by the SFSA have been heavily focused on violations of anti-money laundering (AML) regulations. There have been several sanction cases in this area during 2022, 2023 and 2024, some of which have concerned fintech companies, specifically in the payment services area. The violations identified by the SFSA have concerned, among other things, deficiencies in risk assessment of customers, procedures and guidelines for customer due diligence and the monitoring of customers. The fines issued by the SFSA have been well over SEK100 million.

During 2024, the SFSA imposed a SEK500 million fine on a major fintech bank for violations of Swedish AML regulations. In 2023, the SFSA imposed a SEK850 million fine against a large Swedish bank. The investigation against the bank was initiated by the SFSA in conjunction with an IT-related incident in 2022, and the SFSA found that the bank had not had satisfactory internal control when it changed its IT system.

Other sanctions imposed by the SFSA during 2022, 2023 and 2024 include the revoking of authorisations, warnings and summons for the company in question to cease their business activities.

The Swedish Consumer Agency (the “Agency”) is also active in its supervision, initiating cases both on its own initiative and after receiving complaints. Supervision by the Agency may result in fines, but in other cases the Agency encourages the company in question to address the deficiencies themselves and report which changes have been made. If the Agency is satisfied with the changes, the case will be closed.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) applies to all industries, including financial services. Hence, financial service providers shall always comply with the provisions on privacy regulation in accordance with the GDPR.

Cybersecurity

Some financial services providers are subject to regulations on cybersecurity. In October 2024, the revised Network and Information Systems Directive (EU) 2016/1148 (NIS2) replaced the previous version of the Directive (NIS), applying to an expanded scope of providers. In addition, Directive (EU) 2022/2557 on the Resilience of Critical Entities (CER) has entered into force. The NIS2 and CER will be implemented in Sweden through the new Swedish Cybersecurity Act, which is expected to enter into force in 2025.

Additionally, on 17 January 2025, DORA became applicable. DORA regulates operational resilience in the financial sector.

Intellectual Property Rights

Financial service providers, particularly fintech software developers, shall always consider various regulations on intellectual property rights as well as marketing practices regulations. 

The AI Act

The EU AI Act will apply to technologies utilising AI. The regulation categorises AI systems into different levels, namely unacceptable, high-risk and low-risk systems. AI with unacceptable risk will be prohibited, while high-risk systems will be permissible under strict obligations. AI systems employed in applications designed to make decisions regarding access to specific services, such as creditworthiness, have been proposed to be classified as high-risk AI. There is currently an implementation period, with parts of the Act coming into force at different times. As of February 2025, the prohibition on AI with unacceptable risk will apply.

The supervision of regulated financial companies, including fintech companies, is mainly carried out by public regulators.

There are several industry associations on the financial market, such as the Swedish Securities Markets Association, the Swedish Banker’s Association, Insurance Sweden and the Swedish Investment Fund Association. Most industry associations do not supervise their members but rather represent them and strive to contribute to a sound and efficient financial market, and to promote sound and proportional regulations.

In 2017, a specific industry association for fintech companies, the Swedish FinTech Association, was founded. The mission of the Swedish FinTech Association is to increase the understanding of fintech of both decision-makers and authorities by initiating meetings, contributing to consultation responses and speaking to relevant government officials. The Swedish FinTech Association has as members fintech companies operating in the following areas: payments and transfers, lending, wealth and cash management, cloud services and regtech, crowdfunding and blockchain, investment, trading and advisory.

Most financial companies are obliged to have a certified auditor who is tasked with reporting suspected crimes under, for instance, the Penal Code, the Tax Crimes Act and the Money Laundering Crimes Act.

For a number of financial companies, such as investment firms, credit institutions and insurance companies, there are various regulations that limit or prevent the provision of unregulated products and services in conjunction with regulated activities.

Regulated and unregulated products and services are not bundled to any greater extent on the financial market. However, some regulated companies may work together with co-operative partners to provide unregulated products and services, while others decide to enter the market with a “lighter authorisation”.

For instance, start-up insurtech companies may enter the market by becoming a tied insurance intermediary instead of applying for authorisation as an insurance company. Similarly, a company that intends to provide fintech services that are regulated as investment services may enter the market by becoming a tied agent (to an investment firm) rather than applying for authorisation from the SFSA.       

AML and sanctions rules and regulations impact fintech companies to a great extent. AML has been a focus area for the SFSA’s supervision and sanctioning activities for the last several years.

The Anti-Money Laundering and Counter Terrorist Financing Act (the “AML Act”) and the connected AML regulations from the SFSA apply to the absolute majority of regulated fintech companies in Sweden.

Fintech companies that are subject to the AML Act and the AML regulations must carry out AML risk assessments and adopt appropriate AML policies, covering areas such as know-your-customer controls, risk classifications and customer and transaction monitoring.       

On 30 December 2024, the Regulation (EU) 2023/1113 on Revised Transfer of Funds (TFR) aimed at preventing money laundering and terrorist financing became applicable. The revision has an extended scope, covering transfers of crypto-assets. Furthermore, the SFSA has announced that it will apply the updated EBA Guidelines (EBA/GL/2024/01) on risk factors for money laundering and terrorist financing regarding crypto-assets and crypto-service providers.

Sweden became a member of the Financial Action Task Force (FATF) in 1990. By being a member of the FATF, Sweden has undertaken to implement the standards imposed by the FATF into the Swedish legal system.

Certain regulations have specific reverse solicitation rules. One example of this is the reverse solicitation provision applicable to investment services set out in Article 42 of the Markets in Financial Instruments Directive (MiFID) II. Another example is ESMA’s guidelines on reverse solicitation under the MiCA. For other financial firms, there are no clear reverse solicitation rules, which means that the circumstances under which reverse solicitation may occur must be decided on a case-by-case basis.

There are no specific legal definitions of "robo-adviser“ or “robo-portfolio manager” in Sweden.

Companies that provide robo-advisory services or robo-portfolio management services in relation to financial instruments must be authorised by the SFSA to provide investment advice or portfolio management in accordance with the SMA.

Different financial instruments would normally not require different business models and would in general be subject to the same authorisation requirement and ongoing regulatory demands.

Companies that provide robo-advisory services or robo-portfolio management services in relation to crypto-assets must normally be authorised by the SFSA in accordance with MiCA, unless the company is exempt from such authorisation requirement under MiCA.

The initial development in the robo-adviser area was to a large extent driven by niche actors. However, established actors such as banks and existing investment firms entered the market at a relatively early stage, and several of the major banks as well as internet banks have now implemented robo-adviser and robo-portfolio management services in their business models. Robo-business models range from offering full-scale private financial advice that covers the customer’s entire finances to only offering simpler so-called sorting services.

Robo-advisors and robo-portfolio managers are subject to the same best execution rules as traditional actors.

The SFSA’s supervisory focus in this area has largely been the same as for traditional investment advice business models. In other words, the supervisory focus has been on, among other things, commission-based remuneration models, suitability assessments, conflict of interest and customer information.

General

Most consumer and business lending in Sweden is provided by banks or credit market companies that are authorised in accordance with the SBFBA.

A company that intends to provide credits to businesses must only be registered with the SFSA, while a company that intends to provide or intermediate loans to consumers must be authorised by the SFSA. 

Consumer Loans

Up until 2025, the provision or intermediation of consumer credits required authorisation according to the CCOA or the SBFBA. However, the Department of Finance issued a memorandum in May 2024 proposing that the CCOA shall be repealed from 1 July 2025 (subject to certain transitional provisions). If the proposal enters into force, the provision and intermediation of consumer credits will require authorisation as a credit institute under the SBFBA. 

Consumer lending is subject to the consumer protection provisions in the Consumer Credits Act (CCA).

The CCA implements, inter alia, the EU directive on credit agreement for consumers. The rules include requirements for the provision of information prior to the conclusion of credit agreements, marketing information, credit assessment, documentation of credit agreements, interest and fees, the consumer’s right of withdrawal etc.

High-Cost Credits

The CCA also includes rules on high-cost credits. These rules do not stem from the Consumer Credit Directive but rather from national Swedish legislation. The rules were introduced as a reaction to issues relating to increasing indebtedness among consumers a result of so-called instant loans. These loans are easily accessible and can be taken out through, for instance, short message service (SMS); therefore, they have historically been marketed toward financially vulnerable consumers.

When marketing high-cost credits, the creditor must separately disclose that the marketing relates to such credits. The creditor must also provide information on the risks relating to indebtedness and where the consumer may seek support with budget and debt-related matters.

The government, in a government bill issued in September 2024, proposed that some of the stricter requirements that apply to high-cost credits (eg, the interest rate cap and the cost cap) shall apply to all consumer credits. The changes are proposed to enter into force on 1 March 2025 (subject to certain transitional provisions).

Consumer Mortgages

The provision or intermediation of mortgages to consumers require authorisation in accordance with either the SBFBA or the MBA. These Acts, and the CCA, contain consumer protection provisions that apply to consumer mortgages.

Loan origination is regulated by the SBFBA and the CCA, and by regulations and guidelines issued by the SFSA and the Swedish Consumer Agency.

Loans to consumers must be preceded by a creditworthiness assessment to ensure that the consumer has the ability to repay the loan. The CCA and the SFSA’s general guidelines regarding consumer credits contain extensive consumer protection provisions, including the requirement for good lending practices and detailed provisions for creditworthiness assessments.

The source of funds for loans varies between the different market actors.

The primary sources of funds for banks and credit market companies authorised under the SBFBA are deposits from the public and the issuance of various securities, including covered bonds. Other actors may utilise lender-raised capital as a source of funds, and lending-based crowdfunding platforms normally source funds via investments from consumers and/or private businesses.

Larger banks in Sweden structure and arrange syndicated loans for corporate clients. Such loans could, for example, be arranged for company acquisitions or commercial real estate transactions.

Peer-to-peer lending platforms, and other lending platforms, may diversify the individual loans provided on their platforms between several lenders or investors to spread the risks for individual borrowers. 

Payment processors may use existing payment rails or payment systems, or implement new ones. A company that wishes to provide payments services must be authorised in accordance with PSA, the SBFBA or the EMA.

Sweden currently lacks an explicit regulatory framework for cross-border payments and remittances. However, tax provisions may apply dependent on the specific nature of each transaction.

The Swedish central bank has been part of Project Icebreaker, a collaboration with the central banks of Israel and Norway, as well as the Bank for International Settlements (BIS) Innovation Hub Nordic Centre. The initiative explored the possibility of cross-currency payments utilising virtual currencies between the central banks. The final report of the project, highlighting both the advantages and the challenges of the system, was published in March of 2023.

AML remain a key focus for Swedish regulators.

Permissible Trading Platforms

The definition of “trading platform” (trading venue) can be found in the SMA, which is an implementation of MiFID II. As the definition comes from EU law, only trading platforms that are within the EEA are covered. When referring to trading platforms outside of the EEA, terms such as “corresponding trading platforms in a third country” or similar are used.

The definition of “trading platform” in the SMA encompasses the following three types of platforms, which are permissible in Sweden.

• Regulated markets: there are currently two regulated markets in Sweden: Nasdaq Stockholm and NGM.
• Multilateral trading facility (MTF) platforms: There are currently three MTF platforms in Sweden – First North, Nordic MTF and Spotlight Stock Market. MTF platforms are trading systems organised by an exchange or by an investment firm that normally have lower requirements than regulated markets, such as in the area of disclosure of information.
• Organised trading facility (OTF) platforms: OTF platforms are similar to MTF platforms. However, OTF platforms may not arrange trading in stocks and similar equity instruments. There are currently no authorised OTF platforms based in Sweden.

The main legislation for all financial instrument asset classes is the SMA.

MiCA classifies crypto-assets into three categories: e-money tokens, asset-referenced tokens and other crypto-assets.

Sweden has historically not had any comprehensive regulation of cryptocurrency exchanges or other crypto-asset-related operations. However, this changed when MiCA entered into force in Sweden in December 2024.

The aim of MiCA was to establish uniform rules for crypto-assets on the EU market. MiCA covers crypto-assets not previously regulated by, for instance, the SMA. Undertakings that have previously engaged in unregulated activities relating to crypto-assets will now have to apply for authorisation and implement systems to ensure compliance with the new regulatory requirements.

MiCA offers an option for member states to implement transitional measures in accordance with a grandfathering clause. The clause allows entities already providing crypto-asset services (eg, operation of a trading platform for crypto-assets) in accordance with applicable national law to continue to do so until 1 July 2026 or until they are granted or refused a MiCA authorisation.

The SMA contains rules for the admission of shares and other financial instruments on regulated markets or other trading platforms. Securities exchanges that operate regulated markets are obligated to have clear and openly reported rules for admission to trading, and financial instruments may, in general, only be admitted to trading if conditions exist for fair, orderly and efficient trading.

Each regulated market or MTF publishes its own set of listing rules that apply for admissions to trading on the respective trading platform. For share listings, such listing rules commonly include, among other things, the following requirements:

• profitability and financial ability;
• that the shares are freely transferable and registered with a central securities depository (CSD);
• a sufficient number of shares in public ownership and requirements for the minimum number of shareholders; 
• the appointment of a certified auditor and the application of certain accounting standards;
• capacity within the company to supply information to the market; and 
• requirements relating to the board of directors and management, including rules relating to the composition and independence of the board of directors, as well as competence and good repute for board members and management.

The SMA and a number of EU regulations contain extensive rules regarding order handling and best execution. In general, when executing a client’s order, an investment firm shall take all measures necessary to attain the best possible result for the client in respect of, inter alia, price, cost, etc. The investment firm must also have in place systems and guidelines to enable the institution to attain the best possible result for the client.

When the use of peer-to-peer lending started to grow in Sweden, companies that arranged such platforms were not clearly regulated and supervised by the SFSA.

It was later established that companies that facilitate peer-to-peer lending platforms by providing or intermediating credits to consumers must be authorised in accordance with the CCOA. As noted in the foregoing, the Department of Finance has proposed that the CCOA shall be repealed from 1 July 2025 (subject to certain transitional provisions). Peer-to-peer lending platforms that provide or intermediate consumer loans must thereafter be authorised in accordance with the SBFBA. 

Certain peer-to-peer business models that facilitate payments have been authorised pursuant to the PSA. 

Crowdfunding platforms that relate to financial instruments must be authorised either under the EU Crowdfunding Regulation or the SMA. 

Peer-to-peer lending platforms and other lending-based crowdfunding platforms have increased the availability of consumer credits on the market, which has in turn increased the consumer risks involved in these types of products. The SFSA has for the last several years identified over-indebtedness as one of the highest-priority consumer risks on the financial market. 

Payment for order flow is regulated by the Markets in Financial Instruments Regulation (MiFIR). Article 39a of MiFIR stipulates that investment firms that are acting on behalf of retail clients or certain professional clients are prohibited from receiving any fee, commission or non-monetary benefit from any third party for executing orders from those clients on a particular execution venue or for forwarding orders of those clients to any third party for their execution on a particular execution venue.

The prohibition against payment for order flow does not apply to rebates or discounts on the transaction fees of execution venues, if such rebates or discounts are permitted under the approved and public tariff structure of a trading venue and as long the rebates or discounts exclusively benefit the client. Such discounts or rebates may not result in a monetary benefit to the investment firm.

In addition to the foregoing, according to the SMA and supplementing regulations issued by the SFSA, investment firms may accept fees or commissions, or other non-monetary benefits, from a third party only if the payment or benefit is designed to enhance the quality of the relevant service and does not impair the investment firm’s ability to act honestly, fairly and professionally in accordance with the best interest of the client. Further, prior to the provision of the service, the investment firm must also disclose the existence, nature and amount of such payment or benefit. Portfolio managers and independent investment advisors are subject to a complete ban under the SMA on receiving third-party commission.       

Market abuse violations are regulated by the EU Market Abuse Regulation (MAR) and the Swedish Market Abuse Penalties Act. These Acts contain, among other things, prohibitions against insider dealing, market manipulation and unlawful disclosure of inside information. Furthermore, MAR contains requirements for public disclosure of inside information, as well as rules for insider lists and the reporting of managers’ transactions. MAR and the Market Abuse Penalties Act are supervised by the SFSA and the Swedish Economic Crime Authority (Ekobrottsmyndigheten; EBM).

The Swedish Securities Council (the “Council”; Aktiemarknadsnämnden) has been instituted to promote good practice on the Swedish stock market and does so through rulings, advice and information. The Council is part of the self-regulation system on the stock market under The Association for Generally Accepted Principles in the Securities Market. When the Council interprets what constitutes good practice in a specific matter, it often involves supplementing an existing regulatory framework by assessing aspects that are not explicitly regulated already or issuing rulings on situations for which no regulation currently exists. 

All financial instruments, regardless of the asset class, are subject to the SMA, which contains the main Swedish rules relating to high-frequency and algorithmic trading.

An investment firm that applies algorithmic trading must inform the SFSA.

In addition, investment firms that engage in algorithmic trading must have effective systems and risk controls that are adapted to the specific trading operation, and which are sufficient to ensure, inter alia, that the trading systems cannot be used for purposes contrary to the MAR or to the rules of any trading platform to which the company is affiliated. Algorithmic traders must also have effective business continuity arrangements in place to deal with disruptions to their trading systems and shall ensure that those systems are fully tested and adequately monitored.

Companies engaged in algorithmic trading must document the measures they have taken in accordance with the above-mentioned systems and risk measurements so that the SFSA can monitor the company’s compliance with the SMA.

Further requirements apply to investment firms that use algorithmic high-frequency trading.

An investment firm that engages in algorithmic trading as part of a market-making strategy is subject to certain rules in the SMA.

Any such market maker must:

• execute its market-maker strategy continuously during a fixed proportion of trading hours of the trading venue so that liquidity is provided to the trading venue in a regular and predictable manner;
• enter into a written agreement with the operator of the trading platform, which includes the market maker’s obligations; and
• implement effective systems and controls to ensure that the institution always fulfils its contractual obligations with the platform operator.

Market makers are obligated to maintain accurate and chronological records of all their placed or executed orders, and of prices quoted on trading venues. The company shall make these records available to the SFSA upon request.

Furthermore, market makers must publish information on the quality of their execution of transactions. The information shall be published at least once a year and shall be made available free of charge.

The rules regarding algorithmic trading, high-frequency trading and market making set out in the SMA apply to investment firms.

Individual programmers that merely design and develop trading algorithms and other electronic trading tools are not subject to supervision or regulatory oversight. However, investment firms that utilise such programmes will have an obligation to ensure that such programmers have sufficient knowledge and experience to program the tools and will also be responsible for the use and functioning of the tools.

Insurance underwriting is the process of evaluating risks to determine if the insurance company is able to issue insurance policies and the pricing of such policies.

In their underwriting activities, insurance companies must adhere to, for example, the IBA and the Swedish Insurance Contracts Act. These Acts contain provisions that largely cover the life span of an insurance policy, from inception until termination.

The manufacturing of insurance products is also governed by the IDA and by Delegated Regulation (EU) 2017/2358 regarding product oversight and governance.

Insurance regulations generally distinguish between life insurance and non-life insurance. For example, different capital requirements apply for life insurers and non-life insurers, and only life insurance operations are in scope of the Swedish Anti-Money Laundering Act.

There are also noteworthy differences in regulation and treatment depending on whether an insurance policy is issued to a consumer or to a company.

Sweden currently lacks regulations that explicitly target regtech. Depending on the nature of the services offered, regtech providers may have to adhere to various financial regulations. Additionally, some general regulatory frameworks for technology may apply. For instance, the AI Act may be applicable if the regtech application incorporates AI.

When a financial service firm outsources services to a regtech provider, it must comply with the outsourcing rules that apply to its operations. These regulations must be considered and incorporated into contractual terms to ensure the provider’s performance and accuracy. See 2.8 Outsourcing of Regulated Functions for more details.

The SFSA has expressed that blockchain and distributed database technology has potential and that such techniques could be used within a number of sectors, for example to increase efficiency in share trading and to increase resilience against cyber-attacks. At the same time, the SFSA has been clear that it sees a number of challenges with crypto-assets, not only related to investor protection but also to fraud, money laundering and terrorist financing.

In 2017, the Swedish Central Bank decided to investigate whether issuing a central bank digital currency (e-krona) would be feasible. The proportion of the Swedish public using cash as payment has been steadily decreasing over the last few years. The Swedish central bank has stated that the e-krona could be a potential option to ensure that the general public has secure access to state-guaranteed money. The e-krona is not a cryptocurrency.

Some traditional players on the financial market still have a slightly sceptical attitude toward cryptocurrency due to the fact that it can be linked to many common forms of investment fraud.

Sweden currently lacks explicit regulation governing blockchain technology. However, aligning with the EU digital finance package, two new EU regulations have been integrated into the legal framework and are applicable in Sweden:

• Regulation (EU) 2023/1114 (MiCA); and
• Regulation (EU) 2022/858, establishing a pilot regime for market infrastructure based on distributed ledger technology (the “DLT Regulation”).

In conjunction with the EU regulations, the Swedish government has adopted a complementary Act with additional provisions to MiCA and introduced a proposal with supplementary provisions to the DLT Regulation.

MiCA divides crypto-assets into three categories: e-money tokens, asset-referenced tokens and other crypto-assets.

While crypto-assets would not normally be considered financial instruments, the evaluation of whether a crypto-asset or blockchain asset qualifies as a financial instrument must be made on a case-by-case basis.

If a blockchain asset is classified as a financial instrument, the issuer would be subject to the provisions of the SMA.

If the blockchain asset is a crypto-asset, the EU regulation MiCA, which covers both issuers and providers of crypto-assets, applies. MiCA contains various provisions regulating the issuance of crypto-assets.

There is no specific regulation on blockchain asset trading platforms in Sweden.

If the blockchain asset is classified as a financial instrument, the SMA and other financial regulations will apply. If the blockchain asset is classified as a crypto-asset, the provisions in MiCA will apply. 

Trading in virtual currencies is further regulated by the CFOA.

There is no specific regulation on staking services relating to cryptocurrencies in Sweden. However, depending on the situation, staking services may fall under the provisions in MiCA.

There is no specific regulation on lending services relating to cryptocurrencies in Sweden.

The offering of cryptocurrency derivatives is not explicitly regulated in Sweden. However, ESMA has stated that derivatives where the underlying asset is cryptocurrencies may be considered a financial instrument, making the SMA applicable.

Decentralised finance (DeFi) aims to decentralise many of the financial activities within the financial system, which are traditionally based on intermediaries or central systems. Activities in this field are growing rapidly, and Sweden stands at the forefront of digitalisation and new innovations, earning recognition when it comes to DeFi. While there are ongoing projects on DeFi platforms, there is currently no specific regulatory framework in place for DeFi in Sweden.

Funds that invest in blockchain assets would be subject to relevant fund rules. Note that the SFSA stated in early 2024 that, at this time, they are not likely to authorise funds investing in crypto-assets. The absence of consumer protection regulation for crypto-assets means that cryptofunds are currently considered too risky.

Virtual currencies are digital representations of a value that are accepted as a means of payment that can be transferred, stored and traded electronically, although they are not issued or guaranteed by a central bank. Virtual currencies are not necessarily linked to an established currency and do not have the legal status of a currency.

Although non-fungible tokens (NFTs) are based on blockchain technology similar to cryptocurrencies, NFTs do not fall within the scope of MiCA. There is currently no explicit regulation on NFTs in Sweden.   

Regulated Methods

The primary regulation that allows access to customer data for third-party financial service providers is the second Payment Service Directive (PSD2), which has been implemented into Swedish law through the PSA.

Additionally, a financial service provider can access data with the consent of a data subject, in accordance with the GDPR.

Unregulated Methods

Examples of unregulated methods used for accessing personal data include screen scraping and reverse engineering. Some providers have developed supplementary methods for accessing personal data, known as APIs. However, the SFSA have stated that APIs are currently not sufficiently widespread or comprehensive to be included under the term “open banking”.

The concerns raised about open banking have particularly centred on consumer and privacy protection. In response to these issues, the EU published a proposal on a framework for financial data access, known as the open finance framework, on 28 June 2023. The primary purpose of the proposed regulation is to establish clear and well-defined rights and obligations related to the management of customer data sharing within the financial sector.

The open finance framework outlines rules for accessing, sharing and utilising certain categories of customer data in financial services. The overarching goal of the proposal is to enhance and ensure consumer and privacy protection in the evolving landscape of open banking. If the proposed regulation successfully comes into effect, it will be legally applicable in Sweden. 

The average Swedish consumer is in many ways reliant on digital tools to carry out day-to-day tasks such as banking through, for instance, BankID. In some cases, BankID is the only way to electronically identify oneself when using certain services. As consumers become more and more reliant on digital experiences, fraudsters are coming up with new and innovative ways of exploiting this vulnerability.

Market participants such as banks, the Swedish central bank, the SFSA, etc, are making efforts to ensure that consumers are aware of the common frauds. For instance, Swedish banks have started an initiative called Svårlurad! (the direct translation of which is “difficult to deceive!”). This initiative includes information about frauds and scams, including common scenarios and how consumers can protect themselves if they are a victim of fraud. The SFSA actively and regularly issues warnings relating to investment fraud and collaborates closely with the industry to counter fraud. 

The SFSA regularly issues warning relating to investment fraud. 

Further, both the Swedish Consumer Agency and the SFSA have issued repeated warnings related to initial coin offerings and trading in crypto-assets. Coin offerings and crypto-assets currently lack explicit regulation, particularly concerning consumer protection, and are deemed high-risk financial products.

The SFSA has also issued warnings and information about fraud related to the misuse of BankID.

On 31 October 2024, the SFSA issued a report with a number of measures that the SFSA and financial institutions can take to counter fraud.

Fintech service providers’ possible responsibility for losses due to investment fraud or other fraudulent activities must be analysed in each individual case.