SWEDEN Law and Practice Contributed by: Robert Karlsson, Helena Rönqvist, Caroline Landerfors and Vilma Slättegård, Magnusson Law
cases. There is one exception to this: the SFSA, for a fee, will issue binding advance rulings on whether a planned activity constitutes insurance business. The ESAs – ESMA, EBA and EIPOA – have the power to issue a type of no-action letter in accordance with their founding regulations. While the founding regulations do not give the ESAs the power to unilaterally reform or suspend EU legislation, they provide the ESAs with the authority, inter alia, to issue non-binding recom - mendations for amendments to EU law. 2.8 Outsourcing of Regulated Functions Most financial companies, including fintech companies, are subject to extensive rules and requirements concerning how they can out - source their services and functions. The requirements regarding outsourcing differ slightly between various companies depending on which rules are applicable. However, in gen - eral, when it comes to the outsourcing of critical or important functions and services, companies must exercise due skill, care and diligence when entering into, managing and terminating the outsourcing arrangement, and when choosing a service provider. Certain regulated companies, such as banks, credit market companies and investment firms, are obligated to notify the SFSA in connection with certain types of outsourcing. As of 17 January 2025, when DORA came into force, specific risk management requirements also apply to providers of outsourced ICT ser - vices. The outsourcing of activities to companies out - side of the EU presents a greater geopolitical
risk. In these cases, the SFSA has underlined the importance of applying risk-mitigating measures to ensure that the outsourcing does not increase the risks for the outsourcing company’s own business or in any way limit national authorities’ ability to carry out effective supervision. 2.9 Gatekeeper Liability There are no clear and specific rules that mean that fintech companies are always deemed gate - keepers. Any responsibility for the activities on a fintech company’s platform will depend on the business model and the type of operations that the company operates. 2.10 Significant Enforcement Actions During the last several years, sanctioning cases brought by the SFSA have been heavily focused on violations of anti-money laundering (AML) regulations. There have been several sanc - tion cases in this area during 2022, 2023 and 2024, some of which have concerned fintech companies, specifically in the payment services area. The violations identified by the SFSA have concerned, among other things, deficiencies in risk assessment of customers, procedures and guidelines for customer due diligence and the monitoring of customers. The fines issued by the SFSA have been well over SEK100 million. During 2024, the SFSA imposed a SEK500 mil - lion fine on a major fintech bank for violations of Swedish AML regulations. In 2023, the SFSA imposed a SEK850 million fine against a large Swedish bank. The investigation against the bank was initiated by the SFSA in conjunction with an IT-related incident in 2022, and the SFSA found that the bank had not had satisfactory internal control when it changed its IT system. Other sanctions imposed by the SFSA during 2022, 2023 and 2024 include the revoking of
789 CHAMBERS.COM
Powered by FlippingBook