• Financial regulator: Finanstilsynet – The Danish Financial Supervisory Authority
  Finanstilsynet is the financial regulatory authority of the Danish government responsible for the regulation of financial markets in Denmark.
• Data protection authority: Datatilsynet – The Danish Data Protection Authority
  Datatilsynet is an independent authority that supervises compliance with the rules on protection of personal data.

• Largest banks: Danskebank, Nykredit, Nordea Danmark, Jyske Bank, Sybank (Source: The Banker)
• Central bank: Danmarks Nationalbank is the central bank of Denmark, and was established in 1818. It is a non-eurozone member of the European System of Central Banks.
• Currency: Danish krone (DKr)

8 questions in collaboration with Caroline Bruyant Bonde, head of Bird & Bird’s Finance & Financial Regulation group in Denmark, associate Christian Guldager Petersen, and associate Sophie Amalie Hein.

1. Who are the main regulators for financial services in Denmark and how would you describe their appetite for regulation?

The main financial regulator in Denmark is the Danish Financial Supervisory Authority (Finanstilsynet).

Finanstilsynet supervises banks, mortgage credit institutes, pension and insurance companies, investment funds and investment firms, payment service and fintech firms and ensures compliance with financial legislation.

Finanstilsynet is generally a proactive regulator that aims to ensure financial institutions are robust and efficient and that they contribute to the country’s economy while continuing to comply with all relevant financial legislation. Its approach can be described as risk-based, consumer-oriented and consistent with international standards, primarily those of the European Union. Finanstilsynet is also firmly committed to keeping pace with the technological development in the financial sector.

The Danish Data Protection Authority (Datatilsynet) oversees compliance with data protection legislation, including in relation to financial services.

2. What are the main sources of regulatory laws in your jurisdiction?

In Denmark, the main sources of financial regulation are Danish laws and executive orders as well as guidelines from Finanstilynet.

EU level 1 and 2 legislation is generally applicable and valid in Denmark. However, directives may be subject to local adaptations when implemented into Danish law. Guidelines from the EU financial supervisory authorities are also generally applicable in Denmark, including guidelines from the EBA, ESMA and EIOPA.

Generally, each type of financial service is governed by its own primary piece of legislation. However, the Danish Financial Business Act (lov om finansiel virksomhed) applies to most types of financial businesses and can be considered as generally applicable. The same applies to the Danish Anti-Money Laundering Act (hvidvaskloven).

In addition, AIFMs are governed by the Danish Alternative Investment Fund Managers Act (lov om forvaltere af alternative investeringsfonde), UCITS by the Danish Investment Companies and Investment Services and Activities Act (fondsmæglerselskabsloven), capital markets by the Danish Capital Markets Act (kapitalmarkedsloven), payment services by the Danish Payment Services Act (betalingstjenesteloven) and so forth. To a wide extent these local Danish laws implement the equivalent EU law with local adaptations.

3. How can firms outside Denmark do financial services business in your country?

Regulated firms established outside Denmark in Europe can generally do business in Denmark on a cross-border basis without the need for local authorization by making use of the passporting rules under applicable EU legislation. This option applies to firms registered in the European Economic Area (EEA).

Firms not registered in the European Economic Area (EEA) (“third countries”) will often have to register in Denmark in order to obtain authorization or registration for the provision or marketing of financial services. However, in some cases third country firms can obtain a license to perform activities in Denmark subject to certain conditions. Such third country licenses are, inter alia, available to AIFMs.

Firms outside Denmark looking to conduct financial services business may register in Denmark by either establishing a Danish subsidiary owned by the foreign company and operating under Danish law, or by starting a branch as an extension of the foreign company operating under Danish law, as well as the laws of the country where the foreign company is based.

4. What types of activities require a license in your jurisdiction?

Most financial activities require a license or a registration, including but not limited to:

• taking deposits from the public;
• underwriting and offering insurance;
• providing services as a mortgage credit institute;
• brokering and executing securities transactions;
• managing investment funds;
• providing investment services and investment activities; and
• providing payment and e-money services.

5. What are your top three enforcement fines, and can you briefly explain why the firms were censured?

1. In 2022, Denmark’s largest bank, Danske Bank, was fined DKr 4.7 billion ($654m) for a breach of the Danish Anti-Money Laundering Act and the Danish Financial Business Act in connection with its former Estonian branch. At the time the fine was issued, it was by far the largest connected with money laundering in the history of Denmark.
2. In 2024, another Danish bank, Jyske Bank, was fined DKr 26m ($3.6m) for a breach of the same Act, including inadequate customer due diligence procedures and not fulfilling its obligations for reviewing certain clients.
3. In 2024, the Danish Data Protection Agency filed a police report against a Danish IT supplier, Netcompany, recommending a minimum fine of DKr 15m ($2.2m). This recommendation was based on Netcompany’s failure to implement adequate technical and organization measures, as required by Article 32 of the GDPR, and its failure to conduct a data protection impact assessment, as mandated by Article 35 of the GDPR. 

6. What is the regulatory attitude to crypto? 

The Danish Financial Supervisory Authority has previously taken a cautious approach to crypto, issuing public warnings against trading and investing in cryptoassets. However, the incoming EU crypto legislation, particularly MiCAR, and the broadening experience and exposure of the Finanstilsynet to this ecosystem will likely lead to a more formal, rule-based stance.

Prior to the adoption of MiCAR, Finanstilsynet had announced that cryptocurrency, as a general rule, was not categorized as either a currency or a security or financial instrument under the applicable financial regulatory regime in Denmark. As such, there were no specific regulations applying to cryptocurrency or any underlying blockchain technology. However, crypto assets could be financial instruments or securities, provided they possessed the characteristics of such. In this context financial regulation was deemed to be ‘technology neutral’.

In addition to the implications of MiCAR, companies providing cryptoasset services must be aware of other applicable legislation such as AML rules, general Danish marketing rules, contractual regimes, EU General Data Protection Regulation (GDPR), consumer protection rules etc when providing these in Denmark.

7. Where does business stand on ESG? 

Denmark has for a long time been at the forefront of the sustainability agenda. ESG is primarily regulated by EU law as applicable in Denmark, which includes the Sustainable Finance Disclosure Regulation (SFDR), the Taxonomy Regulation (TR) and the Corporate Sustainability Reporting Directive (CSRD) as implemented in the Danish Financial Statements Act (årsregnskabsloven).

However, in practice, the ESG reporting regime in Denmark has faced some issues. A number of Danish companies have been found to be non-compliant with the relevant reporting requirements and some cases of greenwashing have also been identified with the companies in question fined by the regulators. The Danish authorities have signalled that ESG will continue to be a priority.

8. What is your government’s position on data privacy? What are the biggest concerns?

The processing of personal data in Denmark is governed by the EU’s GDPR, along with the Danish Data Protection Act (databeskyttelsesloven), and relevant sector-specific regulations.

Datatilsynet is proactive in enforcing GDPR rules, particularly concerning reported personal data breaches, complaints, and inspections initiated at their discretion. The Danish Data Protection Agency actively monitors specific data protection infringements, for example when these are uncovered by the public or by news reporters, and initiates inspections whenever this is deemed necessary.

Each year, the Danish Data Protection Agency announces a number of focus areas. However, inspections are not confined to these specified areas.

The Danish Data Protection Agency has no authority to impose administrative fines directly. Instead, it files a police report and recommends a fine level. The Danish prosecution service then manages the case in court, where the courts ultimately determine the fine, taking into account their findings and the Danish Data Protection Agency ‘s recommendation.

To date, the Danish Data Protection Agency has filed over 30 police reports, with recommended fine levels ranging from DKr 50,000 to DKr 15,000,000 ($6,962 – $2,088,370).

Supervisory priorities 2025

Datatilsynet has announced that the protection of children, supervision of digital tracking in real life, and the use of AI in the healthcare sector are some of its new supervisory priorities for 2025.

The continuing expansion and development of AI has long been on the Datatilsynet’s radar, but the focus for 2025 will be specifically on the risks of AI and generative AI in the health sector.

AI is increasingly being used in this area, and even though the technology offers many opportunities for advances and improvements it also creates new risks and can potentially harm public interests and rights according to Datatilsynet. Especially when it is used in supporting decision making connected with patient treatment.

“The use of such solutions, especially in the healthcare sector, entails major risks for citizens with significant consequences,” the regulator indicates.

The authority will also carry out an experiment with Finanstilsynet on how both authorities can supervise data controllers, given their separate set of rules and objectives. 

---

Data protection

In June 2024, the Nordic data protection authorities in Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden and Åland came to a new agreement to join forces on children’s data protection in gaming, Al, and administrative fines.

---

In August 2024, 200 Danish websites were found to be collecting data without the consent of users. The randomly selected sites were all found to be using tracking technologies such as pixel monitoring and cookies without the visitors’ consent.

• 42.2% of the sites had deployed unclassified cookies – or tracking technologies – that were not classified by overall purpose;
• 27.6% lacked the required information in their cookie banner, and did not disclose if the data was shared with third parties, nor did they disclose the overall purposes of the tracking;
• 18.1% did not have a cookie banner, and users could therefore not consent or decline the tracking cookies.

---

Rise of personal data breaches

New cases of breaches of personal data security increased by 8.2% in 2023, according to the Danish Data Protection Authority. During the year, the authority received 9,537 cases of possible personal data security breaches, more than half of its total cases. The number of personal data breaches reported in 2022 was 8,816.

Before GDPR was established, the authority estimated it received about 4,000 cases of breaches of personal data security a year. Since 2020, that number has more than doubled.

Money laundering

In September 2023, a report by the International Monetary Fund (IMF) found that Nordic and Baltic banks should take efforts to strengthen their anti-money-laundering and counter-terrorism financing supervision framework further.

However, according to Transparency International’s 2023 Corruption Perceptions Index, Denmark continues to be ranked as one of the least corrupt countries globally

---

Basic payment accounts failures

In August 2024, five of nine Danish banks were found to be failing to comply with basic payment accounts rules, which led to injunctions against Coop Bank, Arbejdernes Landsbank, Sparekassen Jylland-Fyn, Lån og Spar Bank, and Lunar Bank. The investigation began in 2023 after evidence was presented suggesting that many Danish citizens still had problems obtaining the statutorily mandated basic payment account. At the conclusion of the investigation Finanstilsynet found “a lot to correct” in this area.

---

Whistleblower scheme

During 2023, the authority also carried out an information campaign to increase awareness of the whistleblower scheme which it started just over two years ago. In total, 149 reports were sent in, up 28% from 2022, covering wellbeing and the working environment, harassment, financial fraud and surveillance.

Of all the reports, 147 were processed, and Datatilsynet found grounds in 48 (33%) to take further action with relevant authorities, including two cases that were referred to the police.

The report also revealed the highest total number of newly created cases to date with 18,062 in 2023, an increase of almost 7% compared to 16,896 cases in 2022.

In addition to breaches of personal data security, the total also included cases connected to:

• administration etc;
• hearings on legislative proposals etc;
• inquiries;
• complaints;
• supervision;
• international affairs;
• competence according to other legislation; and
• permits etc.

Cases involving an international angle have also increased, especially since EU GDPR began to apply in May 2018. For 2023, cases were up 4.2%, with 974 inquiries in total.

Cybersecurity

In early June 2024, the Danish Centre for Cyber Security (CFCS) raised the country’s threat level for destructive cyber attacks from ‘low’ to ‘medium’ following Russia’s increased willingness to use hybrid tactics and destructive cyber attacks against European NATO member states.

CFCS also labelled both cyber espionage against Denmark and the threat of cyber crime as ‘very high’.

Threats of cyber activism against Denmark continue to be ranked as ‘high’, with the threat of destructive cyber attacks now assessed at ‘medium’.

The threat of cyber terrorism against the country itself is, however, labelled as ‘non-existent’.

Biodiversity in the Nordics: Denmark, Norway, Sweden, and Finland

Findings from Danske Bank’s report Navigating Biodiversity Impact: A review of 100 Nordic Companies show that for companies in the Nordics:

• 84% recognize biodiversity as a relevant risk and/or opportunity for the business.
• Less than 15% have concretely identified their specific impacts and dependencies on nature.
• 73% are having issues with the complexities of addressing biodiversity risks and establishing governance and credible targets.
• 75% have pledged to reduce their impact on nature.
• Danish companies are falling behind their Nordic peers with an average lower Biodiversity Management Quality score compared to the other countries.
• All are far from fulfilling the recommendations and guidance that the Taskforce on Nature-Related Financial Disclosures has set out.

“Despite its importance, integrating biodiversity into business models remains a challenge for most Nordic companies. The struggle stems partly from the absence of clear guidance and frameworks for adopting biodiversity targets in the past,” Danske Bank summarises.

• July 2024: Nordea, headquartered in Finland, was charged with AML failings on around DKr 26 billion ($3.8 billion) of transactions from its Russian clients between 2012 and 2015. The charges were brought by Denmark’s National Special Crime Unit (NSK), which found that the bank failed to properly investigate the Russian clients’ transactions, and ignored warnings about transactions at its exchange offices in Copenhagen in Denmark.
  “The indictment in the case is the most comprehensive regarding violations of the Money Laundering Act that we have seen in the banking sector in Denmark,” said Nathalie Ghiorzi Elias, head lawyer of NSK.
• January 2024: Netcompany was fined a record high DKr 15m ($2.2m) by the Danish Data Protection Authority for several cases in relations to its development of the digital mailbox mit.dk. According to the authority, Netcompany did not ensure a high enough level of security when developing this digital mailbox, nor did it have a consequence analysis prepared. The company also failed to have built appropriate security measures into the design of the solution itself.
• December 2022: Danske Bank paid $413m to settle charges by the SEC for misleading investors about the anti-money-laundering (AML) compliance program at its Estonian branch, and for failing to disclose the risks posed by the program’s significant deficiencies. High-risk customers, none of whom were residents of Estonia, used Danske Bank’s services to carry out billions of dollars in suspicious transactions through the financial systems of the US and other countries. This illicit activity allegedly occurred for a lengthy period between 2009 to 2016, and generated as much as 99% of the Estonian branch’s profits.

The materials on the GRIP website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Always consult a qualified lawyer for specific legal matters.