FINLAND Law and Practice Contributed by: Olli Kiuru, Mia Rintasalo and Essi Hietaoja, Waselius
tory conditions under which authorisation was granted no longer exist or where the activities of a supervised entity constitute a material breach of the provisions governing financial markets.

In a more recent case, on 27 January 2023 the FIN-FSA withdrew Nada express osk’s registration under the PIA, due to deficiencies in compliance with anti-money laundering regulation. Nada express osk had already received a penalty fine for these deficiencies but had failed to correct its actions.

In another recent case, on 6 June 2023 the FIN-FSA prohibited Ermitage Partners Oy from offering investment services without a licence, as it classified the firm’s receipt and transmission of orders as investment services.

Moreover, a pending investigation is ongoing for the biggest bank in Finland, OP Group; no final decision has yet been issued by the FIN-FSA.

2.11 Implications of Additional, Non-Financial Services Regulations

The implications of non-financial services regulations do not differ between fintech companies and legacy players, since such legislation applies irrespective of industry sector.

GDPR

For instance, with regard to privacy, the GDPR harmonises national data privacy laws throughout the EU and applies to the processing of personal data. Thus, companies collecting, storing and using personal data will fall within the scope of the GDPR, irrespective of the sector in which they are engaged. The implications for non-compliance are similar: failure to adhere to the requirements set forth in the GDPR may result in severe fines, with a maximum penalty of EUR20 million or 4% of annual worldwide turnover, whichever is higher.

Cybersecurity

Legislation to protect electronic communications networks has also been introduced in the EU by means of the Directive on Security Network and Information Systems (the “NIS Directive”). National legislation in line with the NIS Directive and the obligations thereof entered into force on 9 May 2018 and has been implemented into the Regulations and guidelines on operative risk management 8/2014 issued by the FIN-FSA.

The Regulations and guidelines apply to credit institutions, investment firms, alternative investment fund managers, UCITS management companies, holding companies of credit institutions and investment firms, central institutions of amalgamations of deposit banks and payment institutions (“supervised entities”). Accordingly, supervised entities must notify the FIN-FSA without undue delay of any significant interruptions and errors that they have noticed in the services provided to clients or in payment systems and information systems.

Another relevant source of non-financial services regulation is the Guidelines on ICT and security risk management issued by the EBA on 29 November 2019, which apply to payment service providers, credit institutions and investment firms. The guidelines stipulate the measures that financial institutions are required to take to manage their ICT and security risks, as well as requirements on holding information on ICT systems.

Outsourcing to Cloud Services

The Guidelines on outsourcing to cloud service providers issued by ESMA and the EIOPA are also relevant in this regard. Both guidelines apply