Fintech 2025

FINLAND Law and Practice Contributed by: Olli Kiuru, Mia Rintasalo and Essi Hietaoja, Waselius

doing so does not materially weaken their inter - nal supervision. Once payment institutions have outsourced their services, they must ensure the adequa - cy of the resources and the professionalism, financial functioning and expertise of the out - sourced operator; they must also have proce - dures in place to assess the performance of the outsourced operator. In order to meet their due diligence requirement, payment institutions must ensure, for example, that the outsourced operator has the necessary skills, resources and operating licences required by law to provide the service. In addition, payment institutions must ensure that the outsourced operator has arranged for an adequate level of internal super - vision and risk management. When outsourcing payment services to an agent, payment institutions are held liable for the agent’s operations. Crypto-Asset Service Providers Under Article 73 of MiCAR, crypto-asset service providers (CASPs) can outsource functions, but they remain fully responsible for compliance with MiCAR. Outsourcing must not compromise their ability to meet regulatory obligations, weaken internal controls nor hinder supervision by com - petent authorities. The CASP must ensure that outsourcing arrangements are governed by a written agreement setting out the rights and obli - gations of both parties, including provisions that allow supervisory authorities to access relevant data. The CASP must continuously monitor the outsourced activities and take necessary steps to mitigate risks arising from the arrangement. 2.9 Gatekeeper Liability Certain fintech entities are subject to the Finnish AML Act and must therefore comply with the

regulations set forth therein. These requirements include that they actively monitor their client relationships and undertake due diligence pro - cedures prior to forming customer relationships. Furthermore, investment service providers and CASPs must ensure that the investor/client is suitable to receive certain services. 2.10 Significant Enforcement Actions As far as is known, no significant enforcement actions have been undertaken against fintech companies, but some enforcement actions have been undertaken against legacy players. For instance, on 25 August 2022, S-Bank Plc received an administrative fine from the FIN-FSA for errors in reporting on derivative contracts. S-Bank Plc had failed in its obligation to ensure that information on all derivative contracts it had concluded was reported to a trade repository as required by Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR). On 13 September 2021, the FIN-FSA imposed a penalty payment of EUR1.65 million on S-Bank Plc for omissions in the detection of suspi - cious transactions; S-Bank Plc had neglected its obligations to monitor its customers’ trading, as required under Article 16 of the EU’s Market Abuse Regulation. Another enforcement action was publicised on 2 July 2021, in which the FIN-FSA withdrew the investment firm authorisation of Privanet Securi - ties Ltd with immediate effect after it detected several serious omissions and violations in the firm’s activities. The legal authority of the FIN- FSA to withdraw the investment firm licence derives from Section 26 of the Financial Super - visory Authority Act, according to which authori - sation may be withdrawn where essential statu-

228 CHAMBERS.COM

Powered by