GRIP Country Guides: Finland

A first port of call for firms wishing to do financial services business in Finland. This guide covers regulation, compliance and best practice.

Regulators

  • Financial regulator: Finanssivalvonta (FIN-FSA) – The Finnish Financial Supervisory Authority
    The FIN-FSA is the financial regulatory authority responsible for the regulation of financial services in Finland. Since 2014, it has also been Finland’s national competent authority within European Banking Supervision.
  • Data protection authority: Tietosuojavaltuutetun toimisto – The Office of the Data Protection Ombudsman
    The Office of the Data Protection Ombudsman safeguards your rights and freedoms when processing personal data.

Banking ecosystem

  • Largest banks: Nordea Bank, OP Financial Group, Danske Bank, Handelsbanken, and Savings Banks Group. 
  • Central bank: The Bank of Finland, which is the country’s national monetary authority and central bank. It is also a part of the Eurosystem, which is responsible for monetary policy and other central bank tasks in the euro area.
  • Currency: Euro. Finland adopted the € on January 1, 2002, replacing its old currency the Finnish markka.

Eight questions in collaboration with Kristiina Lehvilä, senior counsel and head of Bird & Bird’s Banking and Finance Group in Finland.

Finanssivalvonta, or the Financial Supervisory Authority (FIN-FSA), is the authority for supervision of Finland’s financial and insurance sectors.

The entities supervised by the authority include banks, insurance and pension companies, payment service providers and crypto-asset service providers, as well as companies operating in the insurance sector, investment firms, fund management companies and the Helsinki Stock Exchange.

The data protection authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).

Finland is a member of the European Union and European Union Regulations are directly applicable in Finland. 

Substantially all EU financial regulations are applicable in Finland with few local adaptations.

In addition to EU legislation the primary sources of law with their underlying regulation are the:

  • Securities Markets Act (746/2012);
  • Act on Credit Institutions (610/2014);
  • Payment Services Act (290/2010);
  • Act on Payment Institutions (297/2010);
  • Act on Investment Services (747/2012);
  • Act on Trading in Financial Instruments (1070/2017); and
  • Act on Preventing Money Laundering and Terrorist Financing (444/2017).

Guidance issued by EU regulators like EBA, ESMA, and EIOPA also serves as a significant source of information, influencing policy and decision-making across various important sectors.

The establishment of a branch and the provision of services in Finland by a foreign EEA credit institution:

According to the Act on Credit Institutions, a foreign EEA credit institution may establish a branch in Finland or otherwise provide services in Finland, provided such services are covered by its authorization.

Pursuant to the Act on Credit Institutions, a credit institution may establish a branch after the supervisory authority of the credit institution’s home country has notified FIN-FSA thereof.

The establishment of a branch and the opening of a representative office in Finland by a credit institution from a third country:

A credit institution from a third country may provide services from a branch established in Finland, provided that these services are included in the license granted to the branch.

A credit institution from a third country may also have a representative office in Finland.

Offering services cross-border without establishing a branch or representative office in Finland:

Banking and investment services may be provided in Finland cross-border, without establishing a branch or representative office, by institutions licensed in an EU country that passport their licence to Finland under applicable EU regulations.

Operating or providing services in the financial markets is often regulated and subject to authorisation.

Authorities granting authorizations comprise the European Central Bank (ECB), the FIN-FSA, the Ministry of Finance and the Ministry of Social Affairs and Health as well as the Government. Depending on the business model, activities may require authorisation, registration or notification.

Authorisation is needed for:

  • credit institution activity;
  • activity of life, non-life and reinsurance companies;
  • the provision of investment services (investment firm);
  • the provision of payment services;
  • the provision of crypto-asset services;
  • fund management activity;
  • crowdfunding service provision;
  • securities and derivatives exchange activity;
  • central securities depository (CSD) activity;
  • employee pension company;
  • unemployment fund management; and
  • custodial activity.

Authorization or registration is needed for:

  • activity of alternative investment fund managers (AIFM); and
  • activity of payment institutions and electronic money institutions.

Registration is needed for:

  • mortgage credit intermediaries;
  • bondholders’ representative;
  • insurance agents;
  • insurance brokers;
  • virtual currency providers;
  • consumer credit providers and peer-to-peer loan brokers; and
  • debt collectors.

In addition, a specific permission is needed for operating a DLT market infrastructure, and a specific fundraising license is needed for fundraising operations.

  1. The largest penalty payment imposed for data protection violations is the €2.4m ($2.5m) fine issued by the Sanctions Board of the Office of the Data Protection Ombudsman to Posti for its practices in the OmaPosti service which had violated data protection regulations. Posti had automatically created electronic OmaPosti mailboxes for customers without separately requesting permission for this effort.
  2. The largest penalty payment imposed by FIN-FSA is the penalty payment of €1.65m ($1.7m) to S-Pankki for failing to comply with the obligations relating to the monitoring arrangements of customer trading activities as required by the EU’s Market Abuse Regulation (EU MAR).
  3. The second largest penalty imposed by FIN-FSA is the penalty payment of €1.45m ($1.5m) to Afarak Group Plc for failures relating to disclosure of inside information and maintenance of insider lists.
  4. The Market Court of Finland ordered the Finnish Real Estate Management Federation and six companies in the real estate management sector to pay penalty payments totalling €4.93m ($5.1m) for nationwide collaboration in price-fixing in violation of the Competition Act.

The EU MiCA Regulation has become applicable as of December 30, 2024. The Regulation requires crypto-asset service providers to comply, for the first time, with several requirements that are well-established in the financial markets. These requirements include, among other things, corporate governance, management competence, own funds, data transparency, information security, know-your-customer obligations under the anti-money-laundering regime and management of conflicts of interest.

Finland is applying a six-month transitional period, which is among the shortest in the EU and the EEA. As of June 30, 2025, the provision of crypto-asset service and issuance of crypto assets will require a license.

The FIN-FSA has reminded the public of the risks related to crypto assets, and outlined that the customers of crypto-asset service providers are not protected in the event of a default of the service provider, and the operation is not covered by any investor protection fund.

ESG is generally viewed as an important objective by most large businesses. The regulatory framework on sustainable finance consists of a broad collection of regulations applicable to companies that are active in the financial markets.

Finland is a member of the EU, and EU regulations related to ESG are applicable in Finland. Recently, the EU has introduced new ESG-related regulations, such as the CSRD and CSDDD.

The CSRD requires numerous companies to assess and report more comprehensively on the impacts of their operations on society and the environment. The CSDDD, in turn, imposes an obligation on companies to ensure respect for human rights and the environment not only in their own operations but throughout their entire value chain.

In its supervision of financial stability, the FIN-FSA monitors that supervised entities take into consideration in their operations sustainability risks as well as other risks. The information given to customers and investors on sustainability factors must be appropriate so that customers can make an informed assessment of the sustainability of products and services, and investors can, if they wish, make sustainable investment decisions.

The implementation of the EU General Data Protection Legislation (the GDPR) has been strict.

The current Government has, in its implementation programme, decided to overhaul national data protection legislation. The overhaul will repeal statutes that hinder the movement of information, the appropriate use of cloud computing or otherwise hinder the expedient organisation of public services. If necessary, the national room for manoeuvre provided by the GDPR will be used more extensively in the reforms.

As part of the overhaul, provisions on administrative fines for breaches of information security will be laid down in such a manner that they will apply equally to both the public and private sector.

The Government programme states that it will ensure that national legislation or its interpretation is not stricter than the requirements set by the EU, especially with regard to data protection and automated decision-making.

But the Government has acknowledged that adequate data protection as well as cyber security competence will be increasingly important in a digital environment.

Compliance

Happiest country #1

In 2024, Finland was once again ranked as the happiest country in the world by the UN World Happiness Report. The report reveals high levels of trust and freedom by the Finns in their society, including trusting neighbours, public officials and the government.

Finland has also consistently ranked among the best in the world for transparency and the perceived lack of corruption.

A study by the Finnish Happiness Institute also shows that the closeness to nature is another factor for happiness, where one is “never more than a 10-minute walk from a park or forest.”


Money laundering

In September 2023, a report by the International Monetary Fund (IMF) found that Nordic and Baltic banks should take efforts to strengthen their anti-money-laundering and counter-terrorism financing (AML/CFT) supervision framework further. And even though much has been done to identify countries where there is a high risk of money laundering, including investing in ML/TF risk models across the regions, some gaps still remain, such as those connected with advanced data collection and analysis.

Samu Kurri, Head of Department at FIN-FSA, welcomed the adoption of the new procedures: “At the FIN-FSA, we have made a lot of effort to identify ML/TF risks, but effective supervision is a continuous race against criminals. The monitoring of cross-border financial flows is an important area of development, since a significant proportion of money laundering is associated with international credit transfers.”


Crypto/money laundering

In December 2024, FIN-FSA reported that there’s still ‘significant risk’ around crypto asset service providers, with a ‘very significant’ risk for money laundering and terrorist financing. That includes the lack of customer due diligence, particularly when it comes to the difficulties of identifying parties in digital assets transfers and where they are located.

“Consequently, the provision of virtual asset services also carries the risk of criminally acquired funds being transferred globally and quickly via the services,” FIN-FSA says.


Market abuse

In March 2024, FIN-FSA reported more suspected abuse of inside information in Finland, and processed close to 200 supervision cases around securities market trading and disclosure obligations in 2023 – an increase of 50% on 2022.

A majority of the cases tackled concerns regarding abuse of inside information (145) and market manipulation (31).

Data

Data protection

In June 2024, the Nordic data protection authorities in Denmark, the Faroe Islands, Finland, Iceland, Norway, Sweden and Åland came to a new agreement to join forces on children’s data protection in gaming, AI, and administrative fines.

Technology

In 2021, Finland was ranked number eight among the world’s most innovative countries by the Bloomberg Innovation Index.


Cybersecurity

In October 2024, the Finnish Government announced a revised Cyber Security Strategy in response to the changed security environment after events such as the Covid-19 pandemic, Russia’s full-scale invasion of Ukraine, and Finland’s subsequent membership of NATO.

The revised strategy, which is extended to 2035, will be based on the following pillars:

  • a competent and innovative cyber ecosystem that allows experimentation;
  • society’s strong cyber resilience and operational reliability;
  • a robust model for national and international cooperation; and
  • a secured sovereignty and timely response to threats.

ESG

Biodiversity in the Nordics: Denmark, Norway, Sweden, and Finland

Findings from Danske Bank’s report Navigating Biodiversity Impact: A review of 100 Nordic Companies show that for companies in the Nordics:

  • 84% recognize biodiversity as a relevant risk and/or opportunity for the business.
  • Less than 15% have concretely identified their specific impacts and dependencies on nature.
  • 73% are having issues with the complexities of addressing biodiversity risks and establishing governance and credible targets.
  • 75% have pledged to reduce their impact on nature.
  • Danish companies are falling behind their Nordic peers with an average lower Biodiversity Management Quality score compared to the other countries.
  • All are far from fulfilling the recommendation and guidance that the Taskforce on Nature-Related Financial Disclosures has set out.

“Despite its importance, integrating biodiversity into business models remains a challenge for most Nordic companies. The struggle stems partly from the absence of clear guidance and frameworks for adopting biodiversity targets in the past,” Danske Bank summarises.

  • December 2024: Sambla Group, a loan comparison service, was fined €950,000 ($980,218) for poor data security. The contents of its customers’ loan applications were accessible to third parties through the personal links intended for the customers only. The fine was imposed by the Sanctions Board of the Office of the Data Protection Ombudsman, and the issue identified was connected to the lainaparkki.fi and rahoitu.fi loan comparison services.
  • November 2024: Posti Jakelu Oy (Posti) was ordered to pay a €2.4m ($2.5m) fine by the Sanctions Board of the Finnish Data Protection Ombudsman for breaching GDPR with its Omaposti (Posti’s app for parcels and letters) service. Allegedly, the company illegally processed customer data when creating a new electronic mailbox for two million customers that had not requested the service.
  • May 2024: Verkkokauppa.com Oyj, a Finnish online retailer, was fined €856,000 ($930,175) by Tietosuojavaltuutetun toimisto, the Finnish Data Protection Ombudsman, for failing to define a storage period of its customer data – and was found to have been storing customer account data indefinitely. And in another violation of data protection provisions, customers were being forced to create customer accounts to make online purchases.
  • May 2023: BML Group, a subsidiary of Betsson AB and a Malta Gaming Authority licensee, was fined €2.4m ($2.6m) by the Finnish police for engaging in widespread advertising that targeted Finland through multiple channels for an “extensive” period of time. The police also issued a prohibition order against BML Group’s marketing activities. The company was later added to the Finnish National Police Board’s payments black list, making all payments between its brands and players prohibited.
