FINLAND Law and Practice Contributed by: Olli Kiuru, Jere Lehtimäki and Essi Hietaoja, Waselius
firm’s receipt and transmission of orders as investment services. Moreover, a pending investigation is ongoing for the biggest bank in Finland, OP Group; no final decision has yet been issued by the FIN-FSA.
Most recently, on 23 May 2025 the FIN-FSA imposed a joint penalty payment of EUR7.6 million on S-Bank Plc for failures in the bank’s operational risk management. Connected to the same failures, on 8 September 2025 the Deputy Data Protection Ombudsman and the Sanctions Board at the ODPO imposed a fine of EUR1.8 million for failure to ensure data security. The bank has appealed against both decisions and they are therefore not yet legally binding.
2.11 Implications of Additional, Non-Financial Services Regulations
The implications of non-financial services regulations do not differ between fintech companies and legacy players, since such legislation applies irrespective of industry sector.
GDPR
For instance, with regard to privacy, the GDPR harmonises national data privacy laws throughout the EU and applies to the processing of personal data. Thus, companies collecting, storing and using personal data will fall within the scope of the GDPR, irrespective of the sector in which they are engaged. The implications for non-compliance are similar: failure to adhere to the requirements set forth in the GDPR may result in severe fines, with a maximum penalty of EUR20 million or 4% of annual worldwide turnover, whichever is higher.
Cybersecurity
Legislation to protect electronic communications networks has also been introduced in the EU by means of the Directive on Security of Network and Information Systems (the “NIS Directive”). National legislation in line with the NIS Directive and the obligations thereof entered into force on 9 May 2018 and has been implemented into the Regulations and guidelines on operational risk management 8/2014 issued by the FIN-FSA.
The Regulations and guidelines apply to credit institutions, investment firms, alternative investment fund managers, UCITS management companies, holding companies of credit institutions and investment firms, central institutions of amalgamations of deposit banks and payment institutions (“supervised entities”). Accordingly, supervised entities must notify the FIN-FSA without undue delay of any significant interruptions and errors that they have noticed in the services provided to clients or in payment systems and information systems.
Another relevant source of non-financial services regulation is the Guidelines on ICT and security risk management issued by the EBA on 29 November 2019, which apply to payment service providers, credit institutions and investment firms. The guidelines stipulate the measures that financial institutions are required to take to manage their ICT and security risks, as well as requirements on holding information on ICT systems.
Outsourcing to Cloud Services
The Guidelines on outsourcing to cloud service providers issued by ESMA and the EIOPA are also relevant in this regard. Both guidelines apply to cloud outsourcing arrangements entered into, renewed or amended on or after 31 July 2021. Financial institutions falling within the scope of the guidelines must ensure that their cloud outsourcing arrangements comply with said guidelines. In its Regulations and guidelines 4/2021, the FIN-FSA recommends that investment firms, credit institutions providing investment services, alternative investment fund managers and alternative investment fund depositaries, among others, comply with the guidelines issued by ESMA. Furthermore, the FIN-FSA stated in 2020 that it complies with the EIOPA’s guidelines in its supervisory work.
2.12 Review of Industry Participants by Parties Other Than Regulators
Besides regulators, Finance Finland (FFI) reviews the activities of industry participants within the Finnish financial sector. FFI represents banks, life and non-life insurers, employee pension companies, finance houses, fund management companies and securities dealers operating in Finland. It actively participates in raising awareness amongst decision-makers of any
CHAMBERS.COM