The fintech market in Finland is relatively young but has evolved rapidly during the past year. Traditionally, the market has been dominated by the lending business and peer-to-peer platforms but now some of these firms have taken the next step and are upgrading their licences into a credit institution, and, hence, Finland will have two new neo-banks in 2022.

The investment and wealth management scene is still waiting for its breakthrough. However, this is not expected to happen during the next 12 months.

There is also rapid development in crypto-asset business. However, the new local regulation is somewhat hindering multinational companies in entering the Finnish market due to local registration requirements.

The verticals that predominate in Finland are the following:

• payments;
• financial software;
• financing;
• data and analytics;
• application programming interfaces (APIs) and platforms;
• wealth management;
• investing;
• customer service and acquisition;
• security and compliance;
• insurtech;
• cryptocurrencies; and
• blockhain.

Due to the lack of fintech-specific regulation, the regulation applicable to fintech companies is contingent on the business model undertaken. Thus, the regulatory regime applicable to fintech companies comprises the general regulations applicable to financial institutions.

In Finland, financial regulation mainly derives from EU law and thereby consists of, inter alia, the following.

• The Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD) – applicable to credit institutions, investment firms, portfolio management companies, central institutions of amalgamations of deposit banks, holding companies of credit institutions, holding companies of investment firms and parent companies of financial and insurance conglomerates.
• The second Markets in Financial Instruments Directive (MiFID II) – applicable to investment service providers; market operators, including the trading venue maintained by them; central counterparties; and data reporting service providers.
• The second Payment Services Directive (PSD 2) – in Finland, PSD 2 has been transposed in two parts by way of amendments made to the Payment Services Act (PSA, 290/2010) and the Payment Institutions Act (PIA, 297/2010). For the most part, these amendments entered into force on 13 January 2018. Apart from certain minor details, the scope of application for the PSA and the PIA is identical, meaning that both acts apply to companies engaging in the following payment services:
1. services related to depositing or withdrawing funds in/from a payment account;
2. management and offering of payment accounts;
3. execution of payment transactions by means of credit transfer, transfer of funds to a service provider’s payment account, direct debit or payment card, or via another payment instrument;
4. issuing a payment instrument;
5. the acceptance and processing of a payment transaction based on an agreement with the payee that results in a transfer of funds to the payee;
6. money remittance;
7. payment initiation service; and
8. account information service.

Fintech entities seeking to enter the payments market ought to note that payment services may only be provided by a service provider that meets the requirements of the PIA and has been authorised by the Finnish Financial Supervisory Authority (FIN-FSA). The FIN-FSA must be notified about initiating the offering of account information services. The requirements for payment information services providers are higher; they must be authorised and have an initial and ongoing capital of at least EUR50,000.

• The General Data Protection Regulation (GDPR) – in Finland, the provisions of the GDPR have been further clarified and supplemented in the Data Protection Act (DPA, 1050/2018). The application of the DPA is consistent with Article 2 of the GDPR; however, deviating from what is stated in the GDPR, the DPA also applies to the processing of personal data in the course of an activity that falls outside the scope of EU law and to the processing of personal data by member states when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union.
• The Packaged Retail and Insurance-Based Investment Products Regulation (PRIIPs) – applies to service providers producing and offering PRIIPs products to retail investors. These include banks, insurance companies, management companies and alternative investment fund managers, and bond issuers. Thus, certain fintech companies that engage in the aforementioned activity – such as those in the payments, financing, wealth management, investing and insurtech sectors – fall liable to the regulatory requirements set forth in the PRIIPs, meaning that they must, inter alia, prepare a key information document for each PRIIPs product that they offer to retail investors. The definition of "retail investor" derives from MiFID II and, accordingly, means an investor other than a professional client. "Professional clients" and "non-professional clients" have been further clarified in Chapter 1, Section 23 of the Investment Services Act (ISA, 747/2012).
• AML – the prevention of money laundering and terrorist financing is based on international standards. Specifically, the purpose is to ensure that uniform customer due diligence procedures are observed in the global financial markets. Consequently, in this respect, the EU’s Anti-Money Laundering Directives, which have been implemented in the national legislation of Finland, derive from the Financial Action Task Force's recommendations. In Finland, the AML provisions have been put forth in the Act on Preventing Money Laundering and Terrorist Financing (the “AML Act”, 444/2017). Finland has implemented Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the "Fifth Anti-Money Laundering Directive"); to some extent, broader than the Directive requires.
• The Virtual Currency Providers Act (VCPA, 572/2019) – applies to business operations of virtual currency providers. According to the Act, virtual currency providers are virtual currency issuers, virtual currency exchange services and wallet providers. The VCPA is based on the Fifth Anti-Money Laundering Directive.
• Crowdfunding – crowdfunding is regulated by the Finnish Crowdfunding Act (CA, 734/2016). Crowdfunding service providers must be registered by the FIN-FSA as a “crowdfunding intermediary” in accordance with the CA, unless they have a licence for certain other services.

Depending on the business model undertaken, fintech companies may require authorisation, registration or notification. Authorities granting authorisations comprise the European Central Bank, the FIN-FSA, the Regional State Administrative Agency, the Ministry of Finance and the Ministry of Social Affairs and Health, as well as the government.

The different compensation models vary widely depending on the chosen business model but also the technical means through which the products and services are offered. Generally, when targeting the consumer, the Finnish Consumer Protection Act (CPA, 38/1978) sets a tight regulatory framework regarding the disclosure rules.

On a general level, regulation between fintech companies and legacy players does not differ due to the fact that no specific regulation applies to fintech companies. Instead, fintech companies are governed under the same financial regulatory requirements applicable to legacy players. Naturally, the principle of proportionality will be applied and serves to the favour of smaller fintech companies.

Finland does not have a regulatory sandbox. The Finnish legislation does not allow for regulators to grant exemptions from peremptory regulation. Therefore, any potential and forthcoming regulatory sandboxes would need to be assembled via legislation. However, the FIN-FSA has a Fintech Helpdesk service that enables fintech companies to approach the FIN-FSA with their licensing questions. Through these channels, the fintech companies may easily and promptly receive (non-binding) advice as to whether their business or services fall under the licensing requirements.

Regarding national regulators, the jurisdiction of regulators in the Finnish financial sector consists of four authorities.

FIN-FSA

The most prominent national authority for the supervision of Finland’s financial and insurance sectors is the FIN-FSA. The entities that the FIN-FSA supervises include the following:

• banks;
• payment institutions;
• crowdfunding companies;
• virtual currency providers;
• insurance and pension companies as well as other companies operating in the insurance sector;
• investment firms;
• fund management companies; and
• the Helsinki Stock Exchange.

Furthermore, the FIN-FSA is responsible for promoting compliance with good practice in financial markets and disseminating general knowledge about the markets. The FIN-FSA is regulated by the Finnish Act on the Financial Supervisory Authority (878/2008).

Regional State Administrative Agencies

The Regional State Administrative Agencies are responsible for lower-level supervision of the financial sector, such as:

• consumer small loans (that is, loans that are granted to consumers within a short time to the due date of the credit);
• peer-to-peer lending; and
• debt collection.

The Regional State Administrative Agencies are governed by the Finnish Act on Regional State Administrative Agencies (896/2009).

Finnish Competition and Consumer Authority

The Finnish Competition and Consumer Authority (FCCA) has, in conjunction with the Regional State Administrative Agencies, jurisdiction over business operations in which instant and consumer credit are being offered. According to the Act on the Finnish Competition and Consumer Authority (the “FCCA Act”, 661/2012), the sphere of authority of the FCCA includes the implementation of competition and consumer policy, and the protection of the consumer’s economic and legal position.

Office of the Data Protection Ombudsman

Although not merely specific to the financial sector, the fourth national supervisory authority is the Office of the Data Protection Ombudsman (ODPO), which supervises compliance with data protection legislation; that is, the Finnish DPA and the GDPR.

European Supervisory Authorities

Additionally, since Finland is a member of the EU, authorities belonging to the European Supervisory Authorities (ESAs) have jurisdiction. The ESAs consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), which, together with the FIN-FSA, provide micro-prudential supervision.

Whilst the ongoing supervision of financial institutions remains with the national supervisory authorities, the jurisdiction of the ESAs is enforced through level 2 or level 3 measures.

Pursuant to Articles 10 and 15 of ESA Regulation (EU) No 1095/2010, the ESAs have the authority to develop level 2 measures by means of draft regulatory technical standards (RTS) and implementing technical standards (ITS). The draft RTS and ITS can be submitted to the Commission by the ESAs upon the approval of the board of supervisors of the respective ESA by way of a qualified majority.

Furthermore, in accordance with Article 16 of the ESA Regulations, level 3 measures consist of guidelines and recommendations addressed to the competent authorities and financial institutions or financial market players by the ESAs. Similar to RTS and ITS, guidelines are to be approved by the board of supervisors of the respective ESA by way of a qualified majority.

According to Article 16(3) of the ESA Regulations, competent national authorities and financial institutions or financial market players must make every effort to comply with the guidelines. Additionally, both the guidelines and recommendations are to be applied on a comply or explain basis, meaning that failure to adhere to the said recommendation/guideline requires notifying the respective ESA together with an explanation for non-compliance within two months of the issuance of the guideline or recommendation.

Traditionally, Finland has implemented these EU guidelines quite effectively and to their full effect. The practical implementation is often done by a simple local guideline, where a reference is made to an EU-level guideline. This method gives the foreign fintech companies more comfort since they can rely on the fact that Finland has implemented the EU-level guidelines correctly and without any gold plating.

Regulated functions can be outsourced subject to satisfying certain conditions. The provisions on outsourcing regulated functions are stipulated in the Regulations and guidelines 1/2012 issued by the FIN-FSA and the EBA Guidelines on outsourcing arrangements. However, virtual currency providers should note that the issuance of virtual currency cannot be entirely outsourced to an agent.

Investment Services

Investment firms, credit institutions and fund management companies may outsource their authorised investment services only to entities licensed to engage in the practice of investment services. With regard to credit institutions and fund management companies, critical functions may only be outsourced where this does not materially interfere with risk management, internal supervision, and the functioning of business operations.

Payment Institutions

Similar to institutions offering investment services, payment institutions may outsource substantial functions of their payment services where this does not materially weaken their internal supervision.

Once payment institutions have outsourced their services, they must ensure the adequacy of the resources, professionalism, financial functioning, and expertise of the outsourced operator and they must also have procedures in place to assess the performance of the outsourced operator.

In order to meet their due diligence requirement, payment institutions must ensure, for example, that the outsourced operator has the necessary skills, resources and the necessary operating licences required by law to provide the service. Additionally, payment institutions must ensure that the outsourced operator has arranged for an adequate level of internal supervision and risk management.

When outsourcing payment services to an agent, payment institutions are held liable for the agent’s operations.

Certain fintech entities are subject to the Finnish AML Act and must therefore comply with the regulations set forth therein. These requirements include that they actively monitor their client relationships and undertake due diligence procedures prior to forming customer relationships.       

Although the author is unaware of any significant enforcement actions undertaken against fintech companies, some enforcement actions have been undertaken against legacy players.

For instance, the FIN-FSA imposed, on 13 September 2021, a penalty payment of EUR1,650,000 on S-Bank Plc for omissions in the detection of suspicious transactions. Accordingly, S-Bank Plc had neglected its obligations to monitor its customers’ trading, as is required under Article 16 of the EU’s Market Abuse Regulation.

Another enforcement action was publicised on 2 July 2021, in which the FIN-FSA withdrew the investment firm authorisation of Privanet Securities Ltd with immediate effect after the FIN-FSA detected several serious omissions and violations in the activities of Privanet Securities Ltd. The legal authority of the FIN-FSA to withdraw the investment firm licence derives from Section 26 of the Financial Supervisory Authority Act, according to which, authorisation may be withdrawn where essential statutory conditions under which authorisation was granted no longer exist or the activities of a supervised entity constitute a material breach of the provisions governing financial markets.

The implications of non-financial services regulations do not differ between fintech companies and legacy players since such legislation applies irrespective of industry sector.

GDPR

For instance, with regard to privacy, the GDPR harmonises national data privacy laws throughout the EU and applies to the processing of personal data. Thus, companies collecting, storing and using personal data will fall within the scope of the GDPR, irrespective of the sector they are engaged in. The implications for non-compliance are likewise similar; failure to adhere to the requirements set forth in the GDPR may result in severe fines, whereby the maximum penalty may be EUR20 million or 4% of annual worldwide turnover, depending on which is higher.

Cybersecurity

Legislation to protect electronic communications networks has also been introduced in the EU by means of the Directive on Security Network and Information Systems (the “NIS Directive”). National legislation in line with the NIS Directive and the obligations thereof entered into force on 9 May 2018 and has been implemented into the Regulations and guidelines on operative risk management 8/2014 issued by the FIN-FSA. The said regulation and guidelines apply to credit institutions, investment firms, alternative investment fund managers, holding companies of credit institutions and investment firms, central institutions of amalgamations of deposit banks and payment institutions (“supervised entities”). Accordingly, supervised entities must notify the FIN-FSA without undue delay of any significant interruptions and errors that they have noticed in the services provided to clients as well as in payment systems and information systems.

Furthermore, another relevant source of non-financial services regulation is the Guidelines on ICT and security risk management issued by the EBA on 29 November 2019, which apply to payment service providers, credit institutions and investment firms. The guidelines stipulate the measures that financial institutions are required to take to manage their ICT and security risks as well as requirements on holding information on ICT systems.

Outsourcing to Cloud Services

The Guidelines on outsourcing to cloud service providers issued by the ESMA on 10 May 2021 are also a relevant regulation to note in this regard. The guidelines apply to cloud outsourcing arrangements entered into, renewed or amended on or after 31 July 2021. Financial institutions falling within the scope of the guidelines must ensure that their cloud outsourcing arrangements comply with the guidelines by 31 December 2022. The FIN-FSA, in its Regulations and guidelines 4/2021, recommends that investment firms, credit institutions providing investment services, alternative investment fund managers and alternative investment fund depositaries, among others, comply with the guidelines.       

Besides regulators, Finance Finland (FFI) reviews the activities of industry participants within the Finnish financial sector. The FFI represents banks, life and non-life insurers, employee pension companies, finance houses, fund management companies and securities dealers operating in Finland. The FFI actively participates in raising awareness amongst decision-makers of any potential impacts that might ensue from regulation and provides expert opinions to legislative processes. The organisation of the FFI is divided into five groups, of which the Infrastructure and Security group is concerned with fintech.

Additionally, the Fintech Finland Association – a neutral, non-profit organisation – is another relevant party reviewing the activities of fintech companies by, for instance, actively promoting the interests of the Finnish fintech industry.

The offering of unregulated products or bundling them together with regulated products and/or services is not that common in Finland. In the event that such offering does exist, it is mainly conducted by a regulated entity due to regulatory concerns.        

The Finnish AML Act imposes a variety of obligations upon obliged entities. Accordingly, these obligations include:

• knowing your customer;
• record-keeping;
• ongoing monitoring; and
• identifying beneficial owners.

In accordance with the AML Act, obliged entities are the financial market player; for example, fintech entities engaging in payments and financing, wealth managers, fund companies and virtual currency providers.

Know your Customer

Obliged entities must identify their customers prior to forming permanent customer relationships. However, obliged entities will also be required to identify their customers when forming occasional customer relationships if the conditions set forth in the AML Act are fulfilled.

If an obliged entity fails to identify its customer to the extent stipulated in the AML Act, the obliged entity will be prohibited from forming a customer relationship and carrying out the business operation, as well as maintaining the business relationship.

Depending on the customer, obliged entities must identify their customers by means of a simplified or enhanced due diligence procedure.

Government Decree 929/2021 lays down the due diligence procedures that must be undertaken when identifying customers. Simplified due diligence procedures are applicable.

The AML Act is not necessarily applicable for many unregulated fintech companies. The applicability of the AML Act should, however, be assessed in detail before excluding the services and/or products outside the scope of the AML Act.

No national regulation specifically applicable to robo-advisers exists in Finland. Hence, instead of asset classes, what is more critical from a regulatory standpoint is the type of service being offered. For instance, robo-advisers offering investment services fall within the scope of the general requirements applicable to investment firms put forth in MiFID II and the provisions nationally implemented thereof.

Article 5(1) of MiFID II requires that the provision of investment services be subject to prior authorisation. The requirements regarding authorisation of investment services have been implemented nationally into the Finnish Act on Investment Services (ISA, 747/2012). Pursuant to the ISA, the investment firm authorisation shall be granted by the FIN-FSA for the provision of investment services or for the practice of engaging in investment activities. The “provision of investment services” means that it is not the investment firm that needs to be authorised; instead, it is the investment services offered. Hence, since new services require authorisation, robo-advisers require authorisation. In other words, the ISA enables investment firms to use robo-advisers for the provision of investment services – that is, investment advice and portfolio management – subject to having received prior authorisation.

Moreover, as MiFID II is technology neutral by not prescribing how such investment services are to be offered, the FIN-FSA cannot reject authorisation solely on the basis that the investment services are being offered via a robo-adviser.

Considering the fact that investment services in Finland have been digitalised for a while, robo-advisers are not as established in Finland as one might expect. Currently, there are three robo-advisers implemented by legacy players in Finland.

With regard to legacy players, Nordea has implemented Nora, which is a robo-adviser providing investment advice upon the completion of a questionnaire. OP Financial Group has also implemented a robo-adviser, OP Investment Partner, which is a digital investment adviser on OP-mobile. Accordingly, the OP Investment Partner invests in responsible companies by only including companies that are among the best in their sector in terms of ESG-related issues. For the third, the independent robo-advisory firm Evervest Ltd was first acquired by Taaleri Group and thereafter by Aktia Bank, which is now running the digital services.

With regard to the robo-advisers specified in 3.2 Legacy Players' Implementation of Solutions Introduced by Robo-Advisers, no issues in relation to best execution of customer trades arise, since they do not execute orders per se. Instead, the requirements applicable to investment firms briefly mentioned in 3.1 Requirement for Different Business Models apply to the aforementioned.

Nevertheless, issues regarding best execution of customer trades will arise for robo-advisers engaging in, for example, payment transmission and the execution of payment orders. In such a circumstance, the requirements applicable to investment firms apply to robo-advisers engaging in such activities.

In Finland, the difference in the regulation of loans provided to different entities is mainly threefold.

Firstly, the activity of providing loans that are financed via repayable funds received from customer deposits is, in accordance with the Act on Credit Institutions (ACI), defined as credit institution operations. The ACI lays down the provisions stipulating the right to engage in the practice of credit institution operations. Accordingly, in order to engage in credit institution operations, authorisation is required through the FIN-FSA. However, in this regard, the ACI does not make a distinction between the provision of loans to small and other types of businesses. The ACI merely lays down the general prerequisites applicable to businesses engaging in credit institution operations, none of which are concerned with the business type of the borrower or its size.

Secondly, unlike businesses engaging in credit institution operations, businesses providing loans without the use of repayable funds are not governed under the ACI. Therefore, they do not, for instance, require authorisation from the FIN-FSA (but a permit from the lower-level regulator, the Regional State Administrative Agency, in the case of consumer lending). Moreover, as the Finnish legal system is based upon the notion of freedom of contract, the provision of loans in Finland remains fairly unregulated and parties are, to a large extent, free to agree on the terms they wish to incorporate into their contracts. Thus, similar to businesses engaging in credit institution operations, no significant differences in the regulation of loans provided to small or other types of businesses exist.

Conversely, however, consumer loans are governed under the CPA, meaning that there are, of course, substantial differences between the provision of loans to consumers and companies. Although the Finnish legal system is based upon the notion of freedom of contract, the notion is subject to certain exceptions, such as in consumer sales that encompass consumer protection within them. Specifically, with regard to consumer loans, this is evident in Chapter 7, Section 5 of the CPA, according to which, all such terms that conflict or deviate from the said chapter’s provisions in a way that is detrimental to the consumer shall be deemed null and void. Consequently, unlike in the provision of loans to companies whereby the interest rate is open to negotiation, the interest rate in conjunction with the cost of credit in consumer loans is capped pursuant to Section 6 of the said chapter.

In Finland, industry participants are obliged to conduct a creditworthiness assessment prior to granting consumer credit pursuant to Chapter 7, Section 14 of the CPA. Moreover, according to Section 16a of the said chapter, industry participants may only grant consumer credit where the creditworthiness assessment indicates that the obligations deriving from the credit agreement are likely to be fulfilled in accordance with what is required under the credit agreement.

The creditworthiness assessment is to be based upon information relating to the consumer’s income and other information relating to the financial condition of the consumer. In other words, the law does not specify how the underwriting process is to be taken per se, but rather stipulates the information that needs to be reviewed prior to granting consumer credit.

To satisfy their obligation, industry participants generally resort to reviewing the credit information of the consumer. Since the use and processing of credit information is governed under the Credit Information Act (CIA, 527/2007), this means that, in addition to the CPA, industry participants fall within the scope of the CIA. The consequence of the aforementioned for consumer credit providers is threefold:

• they are to ensure adequate privacy protection whilst processing credit information;
• they are obliged to assess the creditworthiness of consumers in light of correct and appropriate information; and
• they are to advance good practice of credit information.

With regard to the provision of loans to businesses, no creditworthiness assessment is required by law. Nevertheless, for obvious reasons, industry participants generally prefer to review the credit information of all borrowers even where this is not required under law.

Peer-to-Peer

Online lenders may fund their loans by facilitating peer-to-peer lending, which refers to the provision of loans between private individuals or companies without the involvement of a bank or another financial institution. In such a case, the online lender may facilitate peer-to-peer lending by, for instance, providing a platform for the parties involved in the peer-to-peer transaction. In other words, the borrower and the lender engage in an electronic money transfer via an intermediary; in this case, the online lender.

The legal and regulatory consequences depend on whether the online lender merely connects the peer-to-peer parties with its platform or whether it also administers the payments between the parties. Both cases require registration with the Regional State Administrative Agency as a peer-to-peer intermediary. Administering the payments will, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender as a payment service provider. In such a case, the PIA will also become applicable and the online lender will be required to seek authorisation with the FIN-FSA as a payment institution.

Lender-Raised Capital

Online lenders may also fund their lending by borrowing funds from other lenders. By doing so, however, the online lender will be deemed to be a credit institution in accordance with Directive (EU) No 575/2013 and the ACI and will therefore be required to comply with the provision set forth therein. In order to engage in practices pertinent to credit institutions, the online lender will need to file for authorisation with the FIN-FSA prior to commencing the said lending activities. Other legal and regulatory implications that lender-raised capital lending entails include that the online lender must ensure it has sufficient capital of its own pursuant to Directive (EU) No 575/2013.

Repayable Funds

As is the case with lender-raised capital, and as stated in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, companies that finance their lending activities via repayable funds are deemed to engage in credit institution operations and will thus fall within the scope of Directive (EU) No 575/2013 and the ACI.

In contrast to legacy players engaging in the syndication of large loans, small consumer credit loans provided by fintech entities are generally not syndicated.

The provision of payment services is regulated under the PSA and the PIA. Neither of the acts specifies the payment rails to be taken when providing payment services. Instead, they stipulate the conditions that need to be fulfilled in the provision of payment services. Therefore, payment processors are free to create and implement new payment rails on the condition that these comply with the PSA and PIA. However, in order to engage in the practice of payment services, a payment processor will need to be authorised with the FIN-FSA as a payment institution or a credit institution.

At the EU level, payments and remittances are regulated under PSD 2. The European Commission’s motive for establishing PSD 2 was to harmonise the regulation of cross-border payments and remittances within the EU.

The provisions of PSD 2 have been implemented nationally in Finland via the PSA and the PIA. Minor differences in the applicable disclosure duties between domestic and cross-border payments and remittances are evident in the PSA in cases where the service provider of the payee or the payer is located outside the European Economic Area. Besides the aforementioned, neither the PSA nor the PIA separately addresses cross-border payments and remittances. Consequently, the national regulation of cross-border payments and remittances remains, to a large extent, undetailed in Finland.

Finland is also a member of the Single Euro Payments Area (SEPA), a payment-integration initiative of the EU that seeks to improve the efficiency of cross-border payments. SEPA enables customers to make cashless euro payments in a similar manner to that of national payments across the European Union as well as a number of non-EU countries.

Fund administrators are not subject to separate regulation as such and are not defined under Finnish law. Funds and fund managers, on the other hand, are regulated by means of Directive (EU) 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) and Directive 2011/61/EU on Alternative Investment Fund Managers (AIFMD).

The provisions of UCITS have been nationally implemented in the Act on Common Funds (ACF, 48/1999) and the provisions of AIFMD in the Act on Alternative Investment Fund Managers (AIFM, 162/2014).

The author is unaware of any existing regulation imposed upon agreements between fund managers and fund administrators.

The regulation on trading venues derives from MiFID II and consists of regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs). MTFs and OTFs are regulated nationally via Chapter 5 of the Act on Trading in Financial Instruments (1070/2017), which provides for the general requirements applicable to both trading venues. According to Section 1 of the aforementioned chapter, in addition to the stock exchange, only investment firms, credit institutions and third-country branches may maintain MTFs and OTFs in Finland.

In general, different asset classes do not have different regulatory regimes in Finland and regulatory regimes are rather separated by the provision of certain services. For instance, offering investment services, regardless of the offered asset classes, requires an entity to be licensed under the MiFID II regime. Furthermore, an organiser of MTF or OTF can only be a credit institution, an investment firm, a branch of a licensed third-country company or a stock exchange.

However, there are some regulatory differences; for example, between securities and other financial instruments. Financial instruments as a category includes securities and financial instruments that are listed in the ISA. Additionally, there is some specific regulation on the issuance of securities, which is mainly regulated in the Securities Market Act (SMA, 746/2012).

The emergence of cryptocurrencies has impacted the regulatory regime in Finland and virtual currencies in general have been regulated from April 2019 by the VCPA. The VCPA concerns cryptocurrency exchange and a virtual currency exchange service is defined as any natural or legal person that, on a business or professional basis exchanges as a service virtual currency into legal tender or another virtual currency, exchanges as a service (i) virtual currency for another commodity or (ii) another commodity for virtual currency, or maintains a marketplace in which its customers can engage in the activities referred to in points (i) and (ii) of this paragraph.

Generally, all cryptocurrency providers will require registration with the FIN-FSA for the purposes of providing cryptocurrency-related services in Finland. Pursuant to the VCPA, each merchant that intends to provide virtual currency-related services in Finland needs to be registered in the register of virtual currency providers maintained by the FIN-FSA, subject to specific requirements. However, this obligation does not apply to a merchant that provides virtual currency services (i) within a limited network or (ii) occasionally in connection with other professional activities that require some other authorisation, registration or prior approval.

Virtual currency providers include virtual currency exchange services and marketplaces. Therefore, cryptocurrency exchange platforms are regulated and need to be registered as virtual currency providers with the FIN-FSA, as required by the VCPA.

The issuance of securities to the public is regulated by the SMA. Listed companies also have to comply with the Limited Liability Companies Act (624/2006). A company applying for listing must be prepared to fulfil its statutory disclosure obligation from the date on which the company submits its application to be listed on the stock exchange. The information disclosed by a listed company must be timely, consistent and reliable. Factors related to the disclosure obligation are often reflected in other listing conditions, such as the fulfilment of qualitative capabilities required for listing, the company’s obligation to apply the International Financial Reporting Standards or the corporate governance of the company.

In addition to regulatory obligations, listed companies must comply with the rules of the stock exchange or MTF. The rules, guidance and other information of Nasdaq Helsinki Ltd (Helsinki Stock Exchange) for companies planning a listing are available on the website of the stock exchange. Furthermore, regulations by the FIN-FSA need to be complied with. The Finnish Foundation for Share Promotion has also published a guidebook on listing.

The applicability of order handling rules depends on the type of services a market participant provides. Market participants regulated under MiFID II and the ISA who execute orders are subject to order handling rules. The Act on Trading in Financial Instruments imposes specific order handling requirements for stock exchanges, MTF and OTF.

In accordance with the ISA, an investment firm that provides execution of orders as an investment service shall execute the client orders without undue delay. An investment firm may not let the interests of another client or its own interests influence the execution of the client order. An investment firm shall execute comparable client orders sequentially and in a prompt, fair and expeditious manner. The obligation of the investment firm to publish a limit order issued by the client shall be governed by the provisions of the Act on Trading in Financial Instruments.

Traditionally, the Finnish market has been dominated by peer-to-peer platforms, which require registration with the Regional State Administrative Agency as a peer-to-peer intermediary. Online lenders may facilitate peer-to-peer lending by, for instance, providing a platform for the parties involved in the peer-to-peer transaction. In other words, the borrower and the lender engage in an electronic money transfer via an intermediary; in this case, the online lender.

The legal and regulatory consequences depend on whether the online lender merely connects the peer-to-peer parties with its platform or whether it also administers the payments between the parties. Both cases require registration with the Regional State Administrative Agency as a peer-to-peer intermediary. Administering the payments will, in turn, amount to money remittance, which, pursuant to the PSA, is a payment service and thereby renders the online lender as a payment service provider. In such a case, the PIA will also become applicable and the online lender will be required to seek authorisation with the FIN-FSA as a payment institution.

Issues regarding best execution of customer trades will arise for market participants engaging in, for example, payment transmission and the execution of payment orders. In such a circumstance, the requirements applicable to investment firms in relation to best execution apply to these market participants engaging in such activities.

Payment for order flow (PFOF) is considered in the EU to be in contrast with the requirements set out in MiFID II. The ESMA has considered that PFOF causes a clear conflict of interest between the firm and its clients, because it incentivises the firm to choose the third party offering the highest payment, rather than the best possible outcome for its clients when executing their orders. Therefore, the ESMA has advised market participants under the MiFID II regime to thoroughly assess whether they are able to comply with MiFID II when receiving PFOF. This advice is also followed in Finland.        

As financial markets have become increasingly global, giving rise to new trading platforms and technologies, the EU has aimed to strengthen its market abuse regime. The Act on Trading in Financial Instruments sets out basic principles and requirements for using the central securities depository and the central counterparty, aiming to ensure that the co-operation does not endanger trading integrity. Besides, there are no fintech-specific principles on market integrity or market abuse.

Algorithmic trading is regulated under ISA Chapter 7a, and there is no distinction between asset classes.

In principle, there is no regulation according to which market makers should register as market makers in Finland. However, if a market maker begins to trade on its own account, it becomes subject to provisions under the ISA and should be licensed as an investment company. The provisions of the ISA do not apply if the market maker trades on its own account as an ancillary activity.

Algorithmic trading is regulated under Chapter 7a of the ISA, according to which, the provisions on algorithmic trading apply to all trading parties. Trading parties are defined as investment service providers or other persons authorised by a stock exchange or a multilateral trading operator to trade on the trading platform in question. Chapter 7a of the ISA does not contain any distinction between funds and dealers.

The author is unaware of any existing regulation imposed upon programmers and programming.

Financial research platforms are not subject to registration as such when their principal activity is providing relevant information to market participants. However, if financial research platforms were to be engaged with other activity, such as offering investment advice, they would be regulated entities under the ISA and would need to apply for a licence. Licensed investment companies are permitted, pursuant to the ISA, to produce and disseminate investment research, financial analysis and other corresponding general recommendations relating to transactions in financial instruments. Participants are subject to registration, notification or licensing based on the type of services they provide, as described in 2.2 Regulatory Regime.

Spreading rumours or unverified information is not regulated as such. However, many provisions govern providing misleading or untruthful information. For instance, the ISA, AIFM, VCPA, SMA, ACI and PIA entail prohibitions on providing misleading or untruthful information, especially in relation to marketing. Furthermore, the CPA includes such a provision, which is applicable to all relationships towards consumer customers.

Additionally, manipulating markets and offences concerning information on the securities market are sanctioned under the Criminal Code of Finland.

The author is unaware of controls that financial information platforms utilise in order to avoid pump and dump schemes, spreading inside information or other types of unacceptable behaviour. However, an option would be to have a clause on the matter in the terms and conditions of the platform or the forum, so that the platform has the right to delete unacceptable information. The FIN-FSA can make a request for police investigation of suspected crimes committed in the conversation platforms.

There is no insurtech-specific regulation regarding underwriting processes but the general insurance regulation is applicable.

In Finland, insurance providers are generally regulated under the Insurance Companies Act (521/2008), which provides the legal framework for the operation of life and non-life insurance companies. However, life insurance companies are subject to further regulation in relation to their investments, which they have to comply with. Additionally, there is separate legislation in place for transport insurance and workers’ compensation.

As a significant contrast to the general approach at the EU level, non-life insurance companies are also fully subject to anti-money laundering legislation in Finland. Hence, they have to comply with all the requirements set out in the Finnish AML regime as obliged entities.

There is no specific regulation regarding regtech companies but the decisive factor in respect of regulation is the services that they provide.

There is no specific regulation or general industry customs in place for contractual terms to assure performance and accuracy. Careful project planning and documenting necessary clauses as negotiated in the contract should provide a good baseline to assure performance and accuracy.

The traditional players have not been eager to implement blockchain in their services/product offering. However, some major players do have their fintech labs investigating new opportunities with blockchain technologies.

The local regulators have not been active in introducing regulation.

From the Finnish law perspective, blockchain assets are categorised as virtual currency under the VCPA. However, virtual currencies are not categorically classified as financial instruments or securities but may be considered such based on their nature. Therefore, a blockchain asset may be classified as a financial instrument or a security based on its nature, which has to be analysed on a case-by-case basis.

Virtual currency exchange services are responsible for determining the nature of each virtual currency admitted to trading and should assess, in particular, whether each virtual currency is a transferable security or other financial instrument referred to in the ISA.

The securities market legislation is technology neutral. The virtual currency to be issued via an initial coin offering may also fall within the scope of the definition of a security or financial instrument. A security is negotiable and issued, or meant to be issued, to the public together with several other securities with similar rights. The FIN-FSA, for instance, uses a list of questions in assessing whether virtual currencies are considered to be securities. If a virtual currency is considered to be a security, regulation applicable to issuing a security must be adhered to.

The issuers of blockchain assets are subject to the VCPA, as explained in the earlier sections. Virtual currency provision refers to the issuance of a virtual currency, a virtual currency exchange service and its marketplace, as well as a custodial wallet service. Therefore, issuers of blockchain assets as virtual currency providers must be registered in the register of virtual currency providers maintained by the FIN-FSA.

As described in 12.3 Classification of Blockchain Assets, the regulation of initial sales depends how the blockchain assets are classified. If the blockchain assets are not classified as financial instruments or securities, the market participant must still adhere to the VCPA and, for instance, to the general provisions on consumer protection.

As virtual currency provision refers to a virtual currency exchange service and its marketplace, such blockchain asset trading platforms must register as virtual currency providers with the FIN-FSA in accordance with the VCPA. However, there is an exemption to the registration if the virtual currency services are provided within a limited network.

Furthermore, the FIN-FSA has considered that if an exchange service accepts fiat currency from buyers or transmits fiat currency to sellers, it must give due consideration to regulations concerning payment services (as per PSD2) that may become applicable depending on the business model. Similarly, if the trading platform provides services that fall under MiFID II, it should adhere to the regulations set out therein.

The author is unaware of any specific regulation on funds that invest in virtual currencies, blockchain assets included. However, in accordance with the ACF, common fund activity shall refer to the raising of funds from the public for their joint investment and the investment thereof mainly in financial instruments, as well as the management of a common fund and the marketing of units.

As virtual currencies are not necessarily classified as financial instruments, it should be considered that common funds may not, in principle, invest in blockchain assets. However, alternative investment funds do not have such a strict categorisation and are able to invest quite freely. Therefore, alternative investment funds could, in theory, invest in blockchain assets. However, the FIN-FSA has been somewhat reluctant towards such applications.

Please refer to 12.3 Classification of Blockchain Assets.

The author is not aware of any relevant regulation in this regard.        

There is no Finnish guidance available on the classification of NFTs. According to the VCPA, the definition of virtual currency refers to a value in electronic form:

• that has not been issued by a central bank or other public authority and is not legal tender;
• that a person may use as a means of payment; and
• that can be transmitted, stored and exchanged electronically.

Given that the definition requires that the virtual currency may be used as a means of payment, it is not clear whether NFTs should be excluded from the scope of the VCPA and, similarly, the registration obligation thereunder. Considering the nature of NFTs and given that NFTs are not high-risk products (at least compared to other cryptocurrency-related services), it could be argued that NFTs are not within its scope. However, since the FIN-FSA has taken rather strict views and interpretations regarding various crypto products and services, there is a risk that the FIN-FSA would take the view that NFTs are within the scope of the VCPA if there is at least a theoretical possibility to use the NFT as a means of payment.

The FIN-FSA has further emphasised that instead of using vague prefixes on tokens, it would be important for the issuer to include in its marketing material its assessment of the nature of the token, such as whether it is a virtual currency or a security. The same token can be both a virtual currency and a security or another financial instrument.

Furthermore, the above approach is subject to change, especially because of potential developments in EU-level regulation. It is understood that a draft proposal for the EU Regulation on Markets in Crypto-assets includes regulations that would apply to NFTs in certain cases.

PSD 2 requires account servicing payment service providers (ASPSPs) to allow payment users to make use of payment initiation service providers (PISPs) and payment account information service providers (AISPs) to obtain payment services. In Finland, the open banking requirements have been transposed to the PSA. Commission Delegated Regulation (EU) 2018/389 sets more specific rules for dedicated interfaces.

ASPSPs have been required to remove any obstacles identified within the shortest possible time and without undue delay (EBA/OP/2020/10). The European Data Protection Board (EDPB) has released guidelines regarding certain challenges in respect of the need that the data subjects remain in full control of their personal data (Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR).

The EDPB has set specific guidelines; eg, related to the payment user’s consent, processing of a silent party’s data, the processing of special categories of personal data under PSD 2 and data minimisation. For instance, pursuant to the EDPB’s Guidelines 06/2020, explicit consent in line with the GDPR is needed for the processing of personal data under PSD 2.

It is understood that banks and the authorities are still working on possible solutions, such as “consent dashboards”, to comply with the EDPB’s guidelines.