SWEDEN Law and Practice Contributed by: Robert Karlsson, Helena Rönqvist, Caroline Landerfors and Vilma Slättegård, Magnusson Law
applying risk-mitigating measures to ensure that the outsourcing does not increase the risks for the outsourcing company’s own business or in any way limit national authorities’ ability to carry out effective supervision.

2.9 Gatekeeper Liability

There are no clear and specific rules that mean that fintech companies are always deemed gatekeepers. Any responsibility for the activities on a fintech company’s platform will depend on the business model and the type of operations that the company engages in.

2.10 Significant Enforcement Actions

During the last several years, sanctioning cases brought by the SFSA have been heavily focused on violations of anti-money laundering (AML) regulations. There have been several sanction cases in this area during the period 2022–25, some of which have concerned fintech companies, specifically in the payment services area. The violations identified by the SFSA have concerned, among other things, deficiencies in risk assessment of customers, procedures and guidelines for customer due diligence and the monitoring of customers. The fines issued by the SFSA have been well over SEK100 million. During 2024, the SFSA imposed a SEK500 million fine on a major fintech bank for violations of Swedish AML regulations.

In 2023, the SFSA imposed a SEK850 million fine against a large Swedish bank. The investigation against the bank was initiated by the SFSA in conjunction with an IT-related incident in 2022, and the SFSA found that the bank had not had satisfactory internal control when it changed its IT system.

Other sanctions imposed by the SFSA during 2022–25 include the revoking of authorisations, warnings and summons for the company in question to cease their business activities.

The Swedish Consumer Agency (the “Agency”) is also active in its supervision, initiating cases both on its own initiative and after receiving complaints.
Supervision by the Agency may result in fines, but in other cases the Agency encourages the company in question to address the deficiencies themselves and report which changes have been made. If the Agency is satisfied with the changes, the case will be closed.

2.11 Implications of Additional, Non-Financial Services Regulations

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) applies to all industries, including financial services. Hence, financial service providers shall always comply with the provisions on privacy regulation in accordance with the GDPR.

Cybersecurity

Some financial services providers are subject to regulations on cybersecurity. In October 2024, the revised Network and Information Systems Directive (EU) 2016/1148 (NIS2) replaced the previous version of the Directive (NIS), applying to an expanded scope of providers. In addition, Directive (EU) 2022/2557 on the Resilience of Critical Entities (CER) has entered into force. The NIS2 and CER will be implemented in Sweden through the new Swedish Cybersecurity Act, which entered into force on 15 January 2026. Additionally, on 17 January 2025, DORA became applicable. DORA regulates operational resilience in the financial sector.

Intellectual Property Rights

Financial service providers, particularly fintech software developers, shall always consider various regulations on intellectual property rights as well as marketing practices regulations.

The AI Act

The EU AI Act will apply to technologies utilising AI. The regulation categorises AI systems into different levels, namely unacceptable, high-risk and low-risk systems. AI with unacceptable risk will be prohibited, while high-risk systems will be permissible under strict obligations. AI systems employed in applications designed to make decisions regarding access to specific services, such as creditworthiness, have been proposed to be classified as high-risk AI. The Act includes an implementation period, with parts of the Act coming into force at different times. The AI Act will become fully applicable on 2 August 2026.
In addition, there is currently ongoing work on a proposal for