Fintech in Sweden 2024

FINTECH 2024

SWEDEN

Emma Stuart-Beck, Nicklas Thorgerzon, Caroline Krassén, Anton Sjökvist

(Vinge)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

  1. What is the general state of fintech innovation in your jurisdiction?

During its long history of fintech innovation, Sweden has produced companies such as Klarna, iZettle, Trustly, Tink, BehavioSec and Safello, to name a few. Innovation is diverse, and fintech products span areas such as banking services, payment and payment-settlement services, lending, biometrics and cryptocurrency. The private equity industry has a great appetite for Swedish fintech companies and the Swedish fintech industry is still growing rapidly. Multiple fintech companies have emerged within, inter alia, consumer lending and the Swedish housing credit market. The Swedish Financial Supervisory Authority (SFSA) has recently increased its focus on consumer lending and credit assessment.

In the wake of the economic uncertainties brought on by global events such as the war in Ukraine, the European energy crises and inflation, investors have become more cautious. This heightened risk aversion can be particularly challenging for fintech start-ups, which often rely on their ability to attract large upfront investments to develop technology and establish a market presence.

Despite the potential regulatory and market challenges, the outlook for the Swedish fintech industry remains positive. With a strong track record of innovation and a supportive ecosystem of investors, entrepreneurs, and government agencies, Sweden is well-positioned to continue driving fintech innovation in Europe and beyond.

Government and regulatory support

  1. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

The Swedish government has expressed interest in supporting and promoting the development of the Swedish fintech sector. During the second half of 2022, the Swedish Authority for Privacy Protection conducted its first pilot with a regulatory sandbox, in which it provided in-depth guidance to a specific innovation initiative on how the data protection legislation should be interpreted and applied. The work resulted in a public report where reasoning and assessments are summarized to enable learning for a broader audience. The sandbox was set up on the initiative of a report authored by a recently established Swedish government committee with the mission to help the government identify policy challenges, contribute to reducing uncertainty surrounding existing regulations, and accelerate policy development linked to the fourth industrial revolution technologies. While no similar sandbox has been implemented for financial regulations in general, it does indicate a substantial and growing understanding of the Swedish fintech industry on the part of regulators.

The SFSA has moreover introduced the SFSA Innovation Centre, which serves as a point of contact for fintech companies and facilitates a dialogue with the SFSA. Further, the Innovation Centre is intended to provide guidance on applicable regulations for new financial services products and fintech start-ups.

FINANCIAL REGULATION

Regulatory bodies

  1. Which bodies regulate the provision of fintech products and services?

The Swedish Financial Supervisory Authority (SFSA) generally acts as the competent regulator responsible for the ongoing supervision of fintech products and services and for the issuance of supplementary regulations and formal guidance. The SFSA is responsible for ensuring that the business of (regulated) fintech companies is carried out in accordance with applicable laws and regulations, and the SFSA publicly announces when it is investigating a particular company for possible infringements.

All marketing activities that have the purpose of furthering the sale of any product in Sweden, including fintech products of various nature, are subject to the Marketing Practices Act (2008:486) (MPA), which requires, for example, that marketing is carried out in accordance with generally accepted marketing practices. The Swedish Consumer Agency, which includes the Consumer Ombudsman, is the primary authority responsible for ensuring that marketing material is compliant with the MPA.

The Swedish Authority for Privacy Protection (SAPP) is the supervisory authority responsible for monitoring compliance with EU Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) and supplementing regulations related thereto. The SAPP issues guidelines and regulations for the usage and processing of personal data and has become increasingly important for fintech companies as fintech services are often data-heavy. The SAPP’s mandate includes all GDPR-related issues in Sweden. The SAPP may inspect companies and can issue fines under the GDPR.

Regulated activities

  1. Which activities trigger a licensing requirement in your jurisdiction?

The following activities could trigger a licensing requirement:

  • consumer lending and mediation;
  • mortgage lending, mediation or advising;
  • lending, factoring and invoice discounting in combination with accepting repayable funds from the public;
  • deposit-taking;
  • management of alternative investment funds (AIFs) or undertakings for collective investment in transferable securities (UCITS);
  • insurance mediation;
  • issuance of electronic money;
  • provision of crowdfunding services;
  • provision of payment services; and
  • activities under EU Regulation (EU) No. 575/2013 (Capital Requirements Regulation).

Further, a license is required for offering the services and products covered by Directive 2014/65/EU (Markets in Financial Instruments Directive II) (MiFID II), such as the reception and transmission of orders in relation to one or more financial instruments, the execution of orders on behalf of clients, dealing on own account, portfolio management, advising on investments in financial instruments, underwriting of financial instruments or placing of financial instruments on a firm commitment basis, and placing of financial instruments without a firm commitment basis.

The following activities could trigger a registration requirement:

  • currency exchange;
  • management or trading in virtual currencies;
  • lending and mediation of credits to non-consumers as well as leasing and provision of guarantees and similar commitments (if not combined with accepting repayable funds from the public);
  • issuing of means of payments;
  • participating in securities issues;
  • providing economic advice;
  • safe custody services;
  • operating a cryptocurrency trading platform; and
  • foreign exchange trading.

Consumer lending

  1. Is consumer lending regulated in your jurisdiction?

Yes, consumer lending is regulated through, inter alia, the Consumer Credit Act (2010:1846), which includes relevant provisions relating to, among other things, sound lending practices, marketing of consumer loans, credit assessments, information prior to the conclusion of and in relation to the documentation of loan agreements, interest, fees and repayment of loans.

To offer or provide consumer loans, the relevant company is required to be authorized by the SFSA under the Consumer Credit (Certain Operations) Act (2014:275) (CCCOA) (should the company solely provide or act as an intermediary in relation to consumer loans), the Swedish Banking and Financing Business Act (2004:297) (SBFBA) (should the company instead, given the operations carried out, be considered a credit institution (as defined in the EU Capital Requirements Regulation)) or the Housing Credit Operations Act (2016:1024) (HCOA) (should the company solely provide, act as an intermediary in relation to or provide advice regarding consumer loans in the form of mortgages).

Sweden has rules regarding high-cost credits, which are defined as credits granted to consumers that have an interest rate of 30 percentage points above the reference rate according to the Interest Act (1975:635), as determined by the Swedish Central Bank, and that do not primarily relate to a credit purchase or residential immovable property.

The high-cost credits include certain caps where:

  1. the maximum amount of interest, as well as any default interest, that may be charged under a credit agreement may not exceed 40 percentage points above the aforementioned reference rate; and
  2. the maximum amount of fees under a credit agreement may not exceed the credit amount.

For the purposes of (2), fees are defined as costs for the credit (comprising the aggregate amount of interest rate, credit fees and other costs that the consumer is obliged to pay under the loan, inclusive of necessary costs for valuation but excluding notarization fees), default interest and costs pursuant to the Compensation for Collection Costs Act (1981:739), comprising costs that the creditor has incurred for measures taken for the purposes of obtaining payment including, for example, payment reminders and collection demands.

The marketing of consumer credits is also subject to certain requirements regarding moderation and restraint. These rules include an explicit requirement for all such marketing to be moderate. This requirement is applicable to all types of consumer credits and, thus, not solely to high-cost credits (as defined above).

The authorities have paid more attention to the moderation requirement recently, and it is clear that a comprehensive assessment of all relevant circumstances will be made. In particular, the authorities and courts will assess:

  • whether the credit is presented in a way that misleads the consumer about the financial consequences of the credit or brings the consumer to make an unfounded decision to enter into a credit agreement;
  • whether the credit is presented as a carefree solution to the consumer’s financial problems; and
  • whether the credit is neutral in a way that enables the consumer to decide whether the credit is favorable or not.

Pursuant to the Swedish government preparatory works, it is stipulated that the marketing should be as neutral and factual as possible and may not be intrusive (by way of, e.g., targeting certain types of possible consumers via digital means). The marketing should also be balanced in the sense that certain terms of the credit should not be disproportionately highlighted, thereby reducing the consumer’s ability to make a well-founded decision.

In 2020, the SFSA introduced new consumer credit regulations that forbid payment service providers from presenting credit purchase as the first payment option, or from setting it as the default payment option, for online purchases where an option to pay for the goods or service directly is also available.

Secondary market loan trading

  1. Are there restrictions on trading loans in the secondary market in your jurisdiction?

There are no particular restrictions on trading loans in the secondary market in Sweden. However, on 18 February 2021, the SFSA stated that lenders that fund their lending by issuing bonds must now apply for a financing business license under the SBFBA unless the bonds are subject to a transfer restriction preventing them from being acquired by the public.

Collective investment schemes

  1. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Collective investment undertakings are regulated through the UCITS Act (2004:46), stipulating that the management of a Swedish UCITS, the sale and redemption of units in the fund and administrative measures relating thereto may only be conducted following authorization from the SFSA (with foreign European Economic Area management companies authorized in their respective home state being able to rely on passporting regulations to carry out operations in Sweden).

Fintech companies would generally not fall within the scope of the above-mentioned regulatory regime.

Alternative investment funds

  1. Are managers of alternative investment funds regulated?

Yes, alternative investment fund managers (AIFMs) are regulated through the Alternative Investment Fund Managers Act (2013:561) (AIFMA), implementing Directive 2011/61/EU (Alternative Investment Fund Managers Directive) (AIFMD). Small AIFMs (namely, AIFMs managing AIFs below the thresholds specified in article 3(2) of the AIFMD) may be exempted from the licensing requirements but must register with the SFSA and may not passport the registration into any other EU member state.

Similar to the case in relation to UCITS, fintech companies would generally not fall within the scope of the AIFMA.

Peer-to-peer and marketplace lending

  1. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Companies facilitating peer-to-peer or marketplace lending, comprising loan intermediation or brokering, are regulated by and require authorization pursuant to the CCCOA (if the borrowers are consumers) or the HCOA (if the borrowers are consumers and the loans relate to purchases of residential immovable property). Both the CCCOA and the HCOA contain regulations on, for example, anti-money laundering measures (AML), sound practices for loan intermediation operations, and ownership and management assessments.

Business operators providing those services to borrowers that are not consumers are required to register their operations with the SFSA (by way of notification to the SFSA) in accordance with the Certain Financial Operations (Reporting Duty) Act (1996:1006) (CFORDA) and comply with provisions relating to, for example, AML, as well as undergo ownership and management assessments. Should the relevant company also be responsible for the transactions of funds between lenders and borrowers (including keeping funds on a client account, or similar), the operations would instead fall under and require authorization pursuant to the Payment Services Act (2010:751) (PSA), which imposes additional requirements relating to, for example, own funds and information and technical processes relating to the execution of payment transactions.

Crowdfunding

  1. Describe any specific regulation of crowdfunding in your jurisdiction.

Regulation (EU) 2020/1503 on Crowdfunding Service Providers (the Crowdfunding Regulation) establishes a harmonized framework for crowdfunding service providers in the European Union. A particular feature of the Swedish market as regards the Crowdfunding Regulation is that the Companies Act (2005:551) prohibits Swedish private companies and their shareholders from attempting to sell shares or subscription rights in the company, or debentures or warrants issued by the company, to the public. As a result, shares in such companies would not be admitted instruments for crowdfunding purposes as referred to in the Crowdfunding Regulation.

Invoice trading

  1. Describe any specific regulation of invoice trading in your jurisdiction.

In accordance with the CFORDA, a company participating in financing, for example, by acquiring claims (invoice trading), is required to register its operations with the SFSA (by way of notification to the SFSA), and it is further obliged to comply with provisions relating to, for example, AML, and to undergo ownership and management assessments.

A public inquiry relating to the Swedish implementation of Directive (EU) 2021/2167 on credit servicers and credit purchasers was published in January 2023, suggesting inter alia regulations of the secondary market of non-performing loans.

Payment services

  1. Are payment services regulated in your jurisdiction?

Yes. Payment services are regulated under Directive (EU) 2015/2366 (Second Payment Services Directive) (PSD2), which has been implemented into Swedish law through the PSA. The PSA regulates services enabling cash to be placed on or withdrawn from a payment account as well as all the operations required for operating a payment account, execution of payment transactions, issuing of payment instruments, acquiring of payment transactions, money remittance, payment initiation services and account information services.

Open banking

  1. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

As required by PSD2, the PSA requires account servicing payment service providers to allow account information service providers access to payment accounts. Sweden has not gone beyond PSD2 as regards the rights to data.

Robo-advice

  1. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

There is no specific regulation of automated investment advice in Sweden. The SFSA defines automated investment advice as personal advice regarding financial instruments that is provided without, or with limited, human interaction. In Sweden, automated investment advice (e.g., robo-advice) constitutes regulated investment advice under the Securities Markets Act (2007:528), implementing MiFID II, and is consequently subject to all the substantive provisions of the Swedish MiFID II implementation, including the SFSA’s regulations regarding investment services and activities (2017:2).

Insurance products

  1. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Yes, if the selling and marketing is classified as ‘insurance distribution’. Insurance distribution is regulated under the Insurance Distribution Act (2018:1219) (IDA) implementing Directive (EU) 2016/97 (Insurance Distribution) (IDD). The IDD is a minimum harmonization directive, enabling member states to impose stricter regulation. The IDA includes the same definition of ‘insurance distribution’ and the same exemptions from regulation as the IDD. Typically, marketing that is not covered by the scope of the IDA is characterized by the fact that it is not possible for a potential customer to, directly or indirectly, take out insurance in connection with the marketing measure. If insurance can be taken out in connection with the marketing measure, it will constitute insurance distribution unless the exemptions of ancillary insurance distribution apply. Sweden has imposed stricter regulations regarding third-party remunerations, conditions for providing advice on a fair and personal analysis, certain marketing prohibitions and information to a customer on remuneration. The stricter regulatory framework introduced by the IDD regarding insurance-based investment products also applies to the distribution of pension insurance that is exposed to market volatility.

Credit references

  1. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Yes. Credit references and credit information services are regulated under the Credit Information Act (1973:1173) and the Credit Information Regulation (1981:955). A license from the SAPP is required when carrying out credit-rating operations in Sweden.

CROSS-BORDER REGULATION

Passporting

  1. Can regulated activities be passported into your jurisdiction?

Yes. An undertaking that has been authorized in its home EU member state may, as a general rule, passport such authorization into Sweden, where the Swedish legislation is based on EU law.

Requirement for a local presence

  1. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

An undertaking that has been authorized in its home EU member state may, as a general rule, passport such authorization into Sweden, where the Swedish legislation is based on EU law. However, in relation to activities that fall under the Consumer Credit (Certain Operations) Act, a Swedish license is required (namely, passporting is not available).

SALES AND MARKETING

Restrictions

  1. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

Marketing of financial services falls under the Marketing Act (2008:486) (MPA), which applies to all marketing activities that have the purpose of furthering the sale of any product or service in Sweden, including, for example, the distribution of brochures and other marketing materials and electronic marketing activities (if primarily directed to Swedish entities or individuals). The MPA provides that all marketing must be consistent with good marketing practice and be fair and reasonable towards the person to whom or to which it is directed.

Good marketing practice is defined in the MPA as generally accepted business practices or other established norms aimed at protecting consumers and traders in the marketing of products. Thus, all marketing must be designed and presented in such a way as to make it apparent that it constitutes marketing and the party responsible for the marketing shall be clearly indicated. Statements or other descriptions that are or may be misleading may not be used. Marketing that contravenes good marketing practice is regarded as unfair if it appreciably affects or probably affects the recipient’s ability to make a well-founded transaction decision.

In relation to financial services, and to comply with ‘good marketing practice’ for the purposes of the MPA, among other things:

  • placements of capital or returns should not be described in terms such as ‘safe’, ‘guaranteed’ or similar value judgements if it cannot be verified that it is guaranteed that an investor’s capital will be repaid or that a given return will be earned;
  • the return earned during a particularly successful period on an investment product should not be highlighted in a way that gives a distorted overall impression of the performance of the investment product;
  • words such as ‘secure’ and similar value judgements should not be used for marketing purposes if they are not placed in a relevant context;
  • unconditional words expressing value, such as ‘best’, ‘biggest’ and ‘leading’, should not be used if the claim is not capable of verification; and
  • if an investment product involves risk, it should always be made clear when marketing the product that an investment in the product involves risk.

In addition, the marketing of funds is further specifically regulated through the Swedish Investment Fund Association’s guidelines, which – albeit not being hard law – are considered as codifying good marketing practices in Sweden in respect of the marketing of undertakings for collective investment in transferable securities.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

  1. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are no rules or guidelines specifically addressing the use of distributed ledger technology, but general rules and regulations, such as anti-money laundering (AML) regulations and consumer protection, where applicable, must be complied with. The Swedish Financial Supervisory Authority (SFSA) has, in a report from March 2016, identified distributed ledger or blockchain technology as an area of interest for the supervisor and where it is expected that rules and regulations need to be adopted in the future. If the distributed ledger technology or blockchains include personal data, general requirements under EU Regulation (EU) 2016/679 (General Data Protection Regulation) and Swedish data protection laws will be applicable.

Cryptoassets

  1. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

There is currently no generally accepted definition of cryptoassets in Swedish regulations, nor is there a generally applicable regulatory framework available. Further, the Swedish legislator is unlikely to introduce a more comprehensive national framework given the thorough regulations proposed in the European Commission’s Regulation of Markets in Crypto-assets.

The Certain Financial Operations (Reporting Duty) Act (1996:1006) (CFORDA) does, however, contain some provisions explicitly covering certain activities with virtual currencies that would generally encompass cryptoassets. Pursuant to the preparatory works of the CFORDA, virtual currencies shall generally be understood as they are defined in Directive (EU) 2018/843 (Fifth Anti-Money Laundering Directive), namely, as a digital representation of value that is not issued or guaranteed by a central bank or a public authority, not necessarily attached to a legally established currency and not possessing a legal status of currency or money, but that is accepted by natural or legal persons as a means of exchange and that can be transferred, stored and traded electronically. The SFSA has stated on its website that this would include bitcoin and ether.

The activities covered by the CFORDA are the management of, or the trading in, virtual currencies. This would, for example, be the exchange of virtual currencies for fiat currencies or other virtual currencies, or the provision of custodian wallets for virtual currencies. The significance is that these activities would be subject to a registration requirement, mainly so that they would be covered by the Swedish AML regime. However, an assessment would also need to be made to determine whether the activities and cryptoassets involved would qualify for any of the other regulatory frameworks available. As such, depending on the activities and the nature of the cryptoassets involved, the Securities Markets Act (SMA), the Electronic Money Act (2011:755) (EMA) or the Payment Services Act (2010:751) (PSA) could apply.

The SFSA has shown an increased interest in the subject of cryptoassets lately and warned consumers against acquiring such assets twice during 2021, as well as producing a report about financial instruments with cryptoassets as underlying assets (tracker certificates), due to the risks involved for consumers in investing in such assets. Therein, the SFSA has highlighted that there is a current lack of protection for consumers in transactions involving cryptoassets as most of those are unregulated. In addition, the SFSA arranged for a meeting with market participants in May 2021 to have a dialogue regarding the development of the market of cryptoassets and what possibilities and challenges are associated therewith. The SFSA’s interest in the subject is only likely to increase going forward as trading in cryptoassets increases.

Token issuance

  1. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

There is no specific regulation of digital currency exchanges or brokerages but activities involving the exchange of virtual currencies for other virtual currencies or fiat currencies would normally be subject to the CFORDA. Where the provider of the digital currency exchange performs payment services as part of the exchange, the PSA would also be applicable. Depending on the activities provided and the nature of the digital currency involved, the activities could also be encompassed by the SMA or the EMA.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

  1. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

There is no specific regulation of automated investment advice in Sweden. The Swedish Financial Supervisory Authority (SFSA) defines automated investment advice as personal advice regarding financial instruments that is provided without, or with limited, human interaction. In Sweden, automated investment advice (e.g., robo-advice) constitutes regulated investment advice under the Securities Markets Act and is consequently subject to all the substantive provisions of the Swedish implementation of Directive 2014/65/EU (Markets in Financial Instruments Directive II), including the SFSA’s regulations regarding investment services and activities (2017:2). If the use of artificial intelligence would include decisions based solely on automated processing of personal data, including profiling, this would be subject to the requirements in article 22 of EU Regulation (EU) 2016/679 (General Data Protection Regulation).

CHANGE OF CONTROL

Notification and consent

  1. Describe any rules relating to notification or consent requirements if a regulated business changes control.

Consent from the Swedish Financial Supervisory Authority (SFSA) is required where a legal or natural person intends to directly or indirectly acquire a qualified holding in a regulated business.

The holding is considered qualified when the acquirer directly or indirectly receives 10 percent or more of the votes or shares, or otherwise is enabled to exercise significant influence over the management of the regulated business. Additional consent is required if the ownership amounts to or exceeds 20, 30 or 50 percent of the votes or shares.

The consent requirement, generally referred to as an ‘ownership assessment’, means that the SFSA will examine all qualified owners in the envisaged ownership chain. The process is rather extensive, and the exercise involves collating and producing a substantial amount of information (including documentation that supports the financing of the transaction). Each person included in the management body (comprising board members, the chief executive officer and the deputies thereof) of an entity subject to assessment must complete and sign an application, including responding to questions regarding, for example, previous criminal proceedings.

SFSA consent must be obtained prior to the transaction. The SFSA has an expected processing period for the applications of 60 business days, with a possible extension of 20 business days if the SFSA requests additional information during the assessment process.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

  1. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Companies licensed by or registered with the Swedish Financial Supervisory Authority (SFSA) and a significant number of companies and other professionals outside the financial sector are obligated to prevent money laundering and financing of terrorism by complying with the Money Laundering and Terrorist Financing Prevention Act (2017:630) and subsequent regulations. Pursuant to the anti-money laundering (AML) regulations, companies are required to adopt internal AML procedures. Companies launching initial coin offerings would be subject to these requirements to the extent their operations would be covered by any of the relevant rules under, for example, the Certain Financial Operations (Reporting Duty) Act and the Securities Markets Act.

The SFSA is tasked with ensuring that the financial companies adhere to the AML regulations. The County Administrative Board supervises companies and professionals outside the financial sector.

Bribery is criminalized under the Penal Code (1962:700), which is applicable to all types of Swedish companies. Most financial companies are required to adopt ethical guidelines setting out, inter alia, the company’s procedures to combat bribery.

Guidance

  1. Is there regulatory or industry anti-financial crime guidance for fintech companies?

Yes. The SFSA has adopted regulations and guidelines in respect of AML, setting out the detailed provisions applicable for relevant companies.

DATA PROTECTION AND CYBERSECURITY

Data protection

  1. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

EU Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) and the Swedish Act on Supplementary Provisions to the GDPR (2018:218) generally apply to the processing of personal data by data controllers established in Sweden. The main requirements relating to the processing of personal data include the following:

  • personal data may only be processed (namely, collected, used and stored) if there are legal grounds (namely, consent) for the processing. However, there are several exemptions from the requirement of consent (e.g., where the processing is necessary to fulfil a contract or a legal obligation or is necessary to pursue a legitimate interest of the data controller, unless this interest is overridden by the interest of the registered person to be protected against undue infringement of privacy);
  • certain fundamental requirements must be met (e.g., personal data must be adequate, relevant and non-excessive in relation to the purpose of the processing and must not be kept longer than necessary);
  • data subjects must, as a general rule, be informed of the processing of their personal data, and data subjects have certain rights (e.g., right of access, rectification, erasure and data portability);
  • processing of sensitive personal data and criminal offence data may only be performed in limited circumstances. In general, consent from the person concerned is required for sensitive data. As a general rule, it is prohibited to process criminal offence data (there are a few exemptions, for example, regarding whistle-blowing systems, where it is permitted to process criminal offence data under certain conditions);
  • there are specific requirements that must be met in the case of the export of personal data to countries outside the European Union or the European Economic Area (e.g., consent or model clause agreements may justify such export);
  • a data controller must take appropriate technical and organizational measures to protect personal data. Data processing agreements must be entered into with data processors;
  • the GDPR also includes requirements regarding, inter alia, the appointment of data protection officers, personal data breaches, data protection by design and by default, records of processing activities, data protection impact assessments, consultation and cooperation with the national data protection authority; and
  • the GDPR applies to pseudonymized data but not to fully anonymized data (namely, where it is not possible to directly or indirectly identify an individual by any means).

Cybersecurity

  1. What cybersecurity regulations or standards apply to fintech businesses?

Under the GDPR, controllers must have ‘appropriate technical and organizational measures’ in place to ensure a level of security appropriate to the risk. There is, therefore, no prescribed level of security, but analysis must be carried out to ascertain what level of security is appropriate to the type of processing of personal data being carried out.

Directive (EU) 2016/1148 on security of network and information systems (NIS Directive) has been implemented into Swedish law (2018:1174) and supplemented by a regulation (2018:1175). These acts impose cybersecurity requirements for digital services providers and operators of essential services. Companies in the finance industry that are deemed as operators of essential services within the banking or financial market infrastructure are covered by these acts and are, therefore, obliged, among other things, to:

  • notify the Swedish Financial Supervisory Authority immediately;
  • demonstrate a systematic and risk-based approach to matters regarding information security; and
  • report incidents to the Swedish Civil Contingencies Agency.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

  1. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

There are multiple legal and regulatory requirements in respect of outsourcing by financial services companies, including, inter alia:

  • the Swedish Banking and Financing Business Act (2004:297);
  • the Consumer Credit (Certain Operations) Act (2014:275);
  • the Swedish Securities Markets Act (2007:528);
  • the Electronic Money Act (2011:755);
  • the Payment Services Act (2010:751);
  • the Swedish Financial Supervisory Authority (SFSA) regulations;
  • detailed provisions set out in EU Delegated Regulation (EU) 2017/565 and the European Banking Authority (EBA) Guidelines on Outsourcing Arrangements (EBA/GL/2019/02); and
  • questions and answers provided by the SFSA on the application of the EBA guidelines.

The provisions are subject to some variation, but in general require financial services companies to exercise the requisite skill, care and diligence when entering into, managing and terminating outsourcing arrangements. Further, the rights and obligations of the financial services company and the services provider must be clearly documented in an outsourcing agreement. If the financial services company intends to outsource a significant part of the licensed operations, or activities that have a natural connection with financial operations or their support functions, the financial services company is required to notify the SFSA thereof in advance and also provide the SFSA with a copy of the relevant outsourcing agreement.

The SFSA requires outsourcing agreements to be in writing and to regulate clearly the rights and obligations of the financial services company and the third-party service provider. The SFSA further expects the financial services company to be able to assess and monitor how well the third-party service provider is carrying out its duties and to terminate the agreement should the third-party service provider lack the skills, capacity and authorizations required by law to reliably and professionally perform the outsourced duties and manage risks related to these duties.

Cloud computing

  1. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

The EBA Guidelines, applicable for institutions, electronic money institutions and payment institutions, offer guidance in respect of outsourcing to cloud service providers and have integrated and replaced the previously issued EBA Recommendations on Outsourcing to Cloud Service Providers (EBA/REC/2017/03). On 18 December 2020, the European Securities and Markets Authority issued its Final Guidelines on Outsourcing to Cloud Service Providers for, inter alia, investment firms and credit institutions that carry out investment services and activities.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

  1. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer programs are protected as copyrighted works in accordance with the Copyright Act (1960:729) (CA). Copyright protection arises automatically, and there is, thus, no registration procedure for obtaining copyright protection.

Software-implemented inventions and business methods can be registered and protected as patents if they meet all the necessary requirements. Computer program code or mere business methods, however, cannot be patented in Sweden, but a technical invention that includes a business method, or which is implemented or can be implemented by a computer program, can be patentable.

IP developed by employees and contractors

  1. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

In general, intellectual property developed during the course of employment vests with the employee unless explicitly transferred to the employer. However, the employer has a more or less extensive right to acquire or utilize the intellectual property depending on the category of intellectual property and the category of the invention as well as the provisions in the applicable employment or collective bargaining agreements. There are also specific statutory provisions concerning certain intellectual property. Below is a summary of the general principles regarding an employer’s rights to inventions developed by its employees.

According to the CA, copyright in a computer program created in the course of employment is automatically transferred to the employer unless otherwise agreed in, for example, the employment agreement. However, the scope of the concept of ‘computer program’ is not clear under Swedish law. Therefore, it is recommended that employers include an appropriate clause in the employment agreement that explicitly transfers all rights to the employer.

It should be noted that there are some new provisions in the CA regarding employees’ right to fair compensation after transfer of copyright works to the employer, employees’ right to subsequent information about the transferred copyright works and employees’ right to terminate an agreement through which a copyright work has been transferred to the employer. However, these new provisions do not apply to copyright in computer programs.

An employer has certain rights to patentable inventions developed by its employees. Those inventions are divided into three categories, and the employer’s rights differ between the categories:

  • inventions developed by employees that are employed to conduct research and development work, and which are developed within the scope of employment, may be acquired or utilized by the employer;
  • inventions developed within the employer’s line of business but developed by an employee that is not employed to conduct research and development work may be utilized by the employer, and the employer has priority over others in acquiring ownership of the invention; and
  • inventions developed within the employer’s line of business but developed without any connection to the employment may be acquired by the employer, with priority over others, if agreed upon with the employee.

Collective bargaining agreements (if applicable) may also contain provisions on employers’ rights to intellectual property developed by employees similar to the three categories described above.

In relation to contractors and consultants, the main rule is that all rights in results vest in the originator. This means that a company must explicitly acquire the rights to those results through agreements with the originator. The inclusion of appropriate intellectual property clauses in the agreement with contractors and consultants is, thus, essential.

Joint ownership

  1. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

The Swedish legislation does not fully regulate the matter of joint ownership of intellectual property. Only the CA regulates the matter explicitly, whereby the main rule is that co-authors have a joint right to the copyright-protected work. The same should reasonably also apply to the other categories of intellectual property.

Unless agreed otherwise between the co-owners, the Act on Joint Ownership (1904:48) (AJO) is applicable. The AJO states that consent from all co-owners is necessary for all decisions concerning the management of the jointly owned property. All co-owners are, however, entitled to sell their share in the jointly owned intellectual property without consent from the other owners.

In light of this, co-owners of intellectual property are restricted from utilizing, licensing, charging or assigning the intellectual property in whole without the other co-owner’s consent. The co-owners must, thus, settle the joint ownership and agree on how to use and manage the intellectual property to avoid uncertainty.

Trade secrets

  1. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Protection for trade secrets is granted through the Trade Secrets Act (2018:558) (TSA). For the purposes of the TSA, trade secrets are defined as information concerning the business or operational circumstances in a trader’s business, which is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question, which the trader has taken reasonable measures to keep confidential and the disclosure of which is likely to cause damage to the trader from a competition perspective. Trade secrets cannot be registered for protection, and the only statutory protection for such information is granted under the TSA.

Court proceedings, as well as all evidence and other information submitted to the court, are generally public in Sweden. However, for information concerning the business or operational circumstances, the parties may request secrecy when submitting information or during the proceedings as well as afterwards. A Swedish court is not, however, required to adhere to such a request, and there is no way of knowing in advance whether the court will grant a request for secrecy.

Branding

  1. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

The general provisions for the protection of trademarks and trade symbols are provided in the Trademarks Act (2010:1877). A trade symbol can be registered for protection in Sweden if it is distinctive (namely, capable of distinguishing goods or services of one business activity from those of another). A trademark registered for protection in the European Union also grants protection in Sweden. Exclusive rights to a trade symbol may also be obtained, without registration, if the symbol is considered established on the market. A trade symbol is deemed established on the market if it is known by a significant part of the relevant public as an indication of the goods or services that are being offered under it.

New businesses can either perform searches themselves in relevant public databases for trademarks identical or similar to the trademarks they intend to use (e.g., in the Swedish Patent and Registration Office’s database, which covers both Swedish and EU trademarks) or engage a trademark attorney to assist with such preliminary investigations.

General branding can be protected by the Marketing Act (2008:486). The Act protects against unfair competition and can, thus, inter alia, protect a business against other businesses taking unfair advantage of the reputation associated with the first business, including its trademark, business name or other distinctive marks.

Remedies for infringement of IP

  1. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

There are numerous remedies available when suing an alleged infringer in court. For example, preliminary injunctions and prohibitions under penalty of a fine as well as damages for infringement, loss of profit and impaired goodwill are available in all Swedish intellectual property laws. Infringements committed intentionally or through gross negligence can also result in fines or imprisonment.

COMPETITION 

Sector-specific issues

  1. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There are no specific competition rules for fintech companies. The general Swedish competition rules, which are based on EU competition law, apply. The rapid growth of the Swedish fintech industry in recent years has given rise to many new payment solutions and increased competition between the old and the new. Although we have seen issues relating, inter alia, to the interoperability between the traditional banking systems and the new digital solutions, case law regarding the application of the competition rules in the fintech industry is still limited.

TAX

Incentives

  1. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no special Swedish tax incentives for fintech companies or investors to encourage innovation and investment in the fintech sector in Sweden.

Increased tax burden

  1. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

No.

IMMIGRATION

Sector-specific schemes

  1. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no specific immigration schemes available for fintech businesses to recruit skilled staff, nor are there any special regimes specific to the technology or financial sectors. Whether a work permit is required for the specific role is subject to a case-by-case assessment. The main rule under Swedish law is that for a citizen of a non-EU country to be able to work and reside in Sweden, a work permit and a residence permit are required. EU citizens are, however, entitled to work in Sweden without any kind of permit. Swiss citizens are entitled to work in Sweden without a work permit, but are still required to apply for a residence permit (if the stay is longer than three months).

Certain other categories of employees may also temporarily work in Sweden without a specific work permit, provided that certain requirements are fulfilled. For example, a work permit is not required for individuals employed by a multinational corporate group where the employees will undergo practical training, on-the-job training or other in-service training at a company in Sweden that is part of the group (a maximum aggregate period of three months over a period of 12 months). In the absence of any of the aforementioned exemptions, all non-EU citizens must obtain a work permit to be entitled to work in Sweden.

The application procedure is generally the same for all applicants regardless of occupation or industry. Applications are assessed by the Swedish Migration Agency (MA), and the application processing time varies. It currently takes six to nine months for the MA to examine a complete first-time application registered through the regular queue. There are, however, particular certified firms (such as certain law firms) with access to the MA’s fast-track system when applying for work permits on behalf of a client company and its employees. Certified firms are entitled to a significantly shorter turnaround time (10 days for complete first-time applications). In cases where the employer is not bound by a collective bargaining agreement and the concerned Swedish trade union does not oppose the absence thereof, the official fast-track turnaround time is 60 days.

UPDATE AND TRENDS IN FINTECH IN SWEDEN

Current developments

  1. Are there any other current developments or emerging trends to note?

The Swedish National Bank has, further, owing to the marginalization of cash usage in Sweden, initiated a pilot project to construct a technical platform for the e-krona, based on distributed ledger technology. A committee was appointed to investigate a general transition towards the digitalization of currency in Sweden but has advised against adopting an e-krona. In addition, the Nordic P27 project, aiming to form the world’s first integrated region for domestic and cross-border payments in multiple currencies through a common payments infrastructure, has been shut down.

Following recent developments in the global financial markets, it has proven more difficult for fintech firms and start-ups to raise capital. This may eventually lead to more consolidations and an increased focus on cost savings rather than expansion. Although the market developments in recent years have led to consolidations, mergers and several start-ups facing a more challenging environment for raising capital, Sweden in general – and Stockholm in particular – are still vibrant for fintech companies, and the coming years may provide for further developments on the Swedish fintech scene.

* The information in this chapter was accurate as of June 2023.
