FINLAND: An Introduction to Fintech Legal
The Fintech Market
The fintech industry stands at the crossroads of innovation and regulation, continually reshaping the financial landscape. It is currently experiencing unprecedented growth globally, propelled by technological advancements and evolving consumer preferences, which are also influencing the fintech industry in Finland.
In terms of numbers, the Finnish fintech market has been growing, although the growth has stabilised somewhat in the past year. In 2024, there were over 210 fintech companies in Finland, and the total revenue of the Finnish fintech market has grown significantly. The majority of these fintech companies are involved in payments, while the second-largest group is financial software, with the two fields containing almost equal numbers of companies. A notable development during the past few years has been the rise of Generative AI, which is being increasingly used within the fintech industry, emphasising the importance of data regulation.
Fintech has also matured to offer collaboration opportunities for start-ups and more established companies such as banks and other financial institutions. Market participants have found new ways to collaborate with smaller fintech companies, and co-operation between finance and technology industries has become the new norm. Co-operation is generally widely valued and has long roots in the industry sector in Finland.
Towards Open Finance and Enhanced Use of Data
Data and EU data regulations play a key role in the development of payment services and fintech services in Finland. The opportunities of open banking and the second Payment Services Directive (PSD2), which are based on opening customers’ payment account information to third parties with the customers’ consent, have been embraced on the Finnish market and are widely used today. Open finance is the next step in the evolution of fintech data services.
The Evolution of the Payment Services Directive
In 2023, the European Commission published its Financial Data Access and Payments package, ie, proposals for the third Payment Services Directive (PSD3), the Payment Services Regulation (PSR) and a Framework for Financial Data Access (FIDA). The overarching aim of the PSD3 initiative is to modernise the existing regulatory framework governing electronic payments. The multifaceted proposal introduces a suite of measures designed to:
- combat and mitigate payment fraud;
- enhance consumer rights;
- level the playing field between banks and non-banking entities;
- foster open banking; and
- improve the availability of cash.
These measures collectively strive to fortify consumer confidence and choice in electronic payments while ensuring a secure and transparent financial environment.
Central to the PSD3 and PSR proposals is a strategic focus on combating payment fraud, achieved through:
- increased collaboration among payment services providers;
- heightened consumer awareness;
- strengthened authentication rules;
- extended refund rights for fraud victims; and
- mandatory verification of payees’ IBAN numbers.
Furthermore, the proposal aims to level the competitive landscape by granting non-bank payment services providers access to EU payment systems, safeguarding their right to maintain a bank account.
As regards open banking, the proposal does not change the fundamental principles introduced by PSD2 but advances open banking by removing obstacles to service provision and enhancing customer control over payment data, ultimately fostering a dynamic market for innovative services. Simultaneously, it addresses the practical aspects of cash availability by permitting retailers to offer cash services without purchase requirements, and by providing clarity for independent ATM operators. The strengthening of harmonising and enforcement mechanisms underscores the proposal’s commitment to a uniform and robust regulatory framework, ensuring the secure execution of electronic payments across borders both in euro and in non-euro currencies within the EU. The proposal aims to strike a balance between safeguarding consumer rights and promoting a diverse and competitive landscape of payment services providers.
The Financial Data Space
In addition to PSD3 and PSR, the European Commission finally published its long-awaited open finance proposal in 2023, the Framework for Financial Data Access (FIDA). FIDA aims to create better quality, user-centric financial services and new, more innovative data-driven business models in the financial sector by causing financial institutions to make certain customer data available to other financial institutions, authorised financial information service providers (FISPs) and the customer, at the customer’s request. FIDA would enable customer data sharing in the financial sector beyond payment account data. FIDA would also regulate, among other things:
- the management of customer permissions with new permission dashboards;
- the establishment of financial data sharing schemes (FDSSs), including mandatory participation in at least one FDSS; and
- the authorisation of FISPs, which are entities other than financial institutions that wish to engage in the data economy under FIDA by providing financial information services.
FIDA is an ambitious piece of legislation, and several open questions remain. The proposal was published on 28 June 2023, and discussions around FIDA are slowly gaining more interest as the parties concerned develop a greater understanding of its full significance.
However, as FIDA, PSD3 and PSR were not finalised before the new European Parliament was elected during spring 2024, the timetable and even content of these legislative acts are open to changes, as the position of the previous parliament is not binding on the new parliament. In the spirit of FIDA, fintechs that plan and execute ambitious open finance strategies and partner with financial institutions to rethink their business models are likely to succeed in a data-driven economy.
The Data Act and Data Privacy
Another major data trend in Finland has been the implementation of the Data Act and its effect on different market players. In the financial sector, insurance companies, in particular, are expected to benefit from the possibility of using data from connected products. However, the Data Act will have a larger impact on the fintech sector as it sets forth rules on, among other things, data-sharing agreements and switching between data-processing services. The Data Act will be applied from 12 September 2025 (with minor derogations). Hence, practical preparations for the Act are ongoing for many and are expected to accelerate further as the date of applicability of the Act approaches.
As more data will be open for use, emphasis should also be placed on data protection and data privacy requirements, which have sometimes been a challenge for companies in the fintech sector. Now, fintech companies should be even more aware of data and prepare for future changes to their business operations brought in by the new regulations.
eIDAS2.0 and the EUDI Wallet
The second eIDAS Regulation (EU) 1183/2024, known as “eIDAS2.0”, introduces new comprehensive rules aimed at facilitating a secure and seamless Europe-wide digital identity framework by amending the first eIDAS Regulation (EU) 910/2014. The most notable change is that eIDAS2.0 introduces a new EU Digital Identity Wallet (EUDI Wallet), meaning an electronic authentication application that must be interoperable throughout the EU.
The Regulation came into force on 20 May 2024 and the European Commission is due to adopt technical implementing acts (containing technical specifications and procedures) in November 2024, after which the member states have 24 months to implement at least one EUDI Wallet. For the private sector, the implementation period is 36 months from the entry into force of these implementing acts. The Finnish Ministry of Finance has already set up a project to implement eIDAS2.0 and amend national legislation, where necessary.
For businesses and individuals, eIDAS2.0 means upgrades to data processing and security. Firstly, the EU aims to minimise the processing of personal data and improve privacy and security (reducing identity theft and security breaches in the context of authentication) through eIDAS2.0. In addition, one of the main uses of the EUDI Wallet is the know-your-customer (KYC) process, as the wallet is intended to facilitate the business processes of financial institutions (and other bodies with a duty of knowing their customers) by providing reliable identification through an electronic and EU-wide interoperable application. For fintechs and other eID solution providers, eIDAS2.0 presents huge business opportunities by encouraging private sector partners to develop digital wallets on the member states’ behalf. In addition, when implemented, an EU-wide eID solution will also enable fintechs and other actors providing solutions that require or leverage authentication to have better business opportunities through an interoperable EU-wide authentication ecosystem.
DORA – Strengthening Cyber-Resilience in the Financial Sector
In the context of the EU’s progress in the realm of open finance, it is imperative to underscore the necessity for fintech innovations and products to conform to robust financial regulation and operational risk management.
The Regulation on Digital Operational Resilience for the financial sector, "DORA", elevates cybersecurity and operational resilience legislation to the sector-specific level, taking into account the characteristic cybersecurity challenges and risk profiles inherent in financial services. Effective from 17 January 2025, DORA responds robustly to the escalating cyber-threats confronting the financial sector. It imposes an obligation on financial entities to prepare for, respond to and recover from diverse disruptions and threats related to information and communication technology. DORA represents a significant stride in EU financial regulation, establishing a harmonised and comprehensive framework for managing digital operational resilience, thereby safeguarding the stability of the financial sector and enhancing consumer protection. A pivotal aspect in the pursuit of a standardised open finance ecosystem is the pragmatic interaction between DORA and the forthcoming FIDA and PSD3, which will extend DORA’s ambit to encompass FISPs in the future. However, DORA alone has already raised some questions to be resolved on the national level, such as how the contractual requirements of information and communications technology risk management should be agreed when acquiring telecoms services from telecoms operators, as the Finnish telecoms regulations do not allow the audits that DORA enforces. The necessary national legislative amendments have not yet been approved by parliament and the Finnish Financial Authority’s guidelines on outsourcing, risk management and reporting are to be updated later on.
Legislative Framework for Markets in Crypto-Assets
Finland was early in regulating crypto-assets. However, the EU has become the first regulator to publish arguably the most comprehensive all-in-one crypto-regulatory regime. The Markets in Crypto-Assets Regulation, “MiCA”, came into force in June 2023 and will be fully applicable from 30 December 2024. MiCA creates a regulatory framework that lays down uniform requirements for offering and placing crypto-assets on the market, and requirements for crypto-asset service providers. As a regulation, MiCA will apply directly across the EU without any national implementation. MiCA will streamline the current national legislation in Finland and has required Finnish legislators to revoke the Finnish Act on Virtual Currency Providers (572/2019).
MiCA marks a pivotal milestone in the creation of consistent market rules for crypto-assets across the EU. This regulatory framework extends its purview to crypto-assets currently outside the scope of existing financial services legislation. Crucial provisions within MiCA address those issuing and trading crypto-assets, encompassing asset-reference tokens and e-money tokens, with a focus on transparency, disclosure, and the authorisation and supervision of transactions. MiCA also applies to other tokens, such as utility tokens. The overarching objective is to fortify market integrity and financial stability by subjecting public offers of crypto-assets to regulation, and by enhancing consumer awareness regarding associated risks.
MiCA allows entities providing crypto-asset services in accordance with national applicable laws before 30 December 2024 to continue to do so until 1 July 2026 or until they are granted or refused MiCA authorisation.
Sustainability
Fintechs are at the forefront of innovation and can help change not only business, but also the planet. Accordingly, it seems that an increasing number of fintechs in Finland are focused on sustainability. At the same time, the financial sector generally leads the transition to a net-zero economy and more sustainable world – partly due to heavy EU regulation relating to sustainable finance.
Since 2018, the European Commission has been developing a comprehensive policy agenda on sustainable finance. Sustainable finance plays a key role in delivering the objectives of the European Green Deal. The regulatory framework on sustainable finance consists of regulations applicable to companies that are active in the financial markets, in particular, the Sustainable Finance Disclosure Regulation (SFDR) and the EU taxonomy, which provides a classification system for sustainable economic activities.
When financial institutions are faced with ESG compliance requirements, they will adopt corresponding requirements for their customers. ESG compliance will therefore become an integral part of corporate banking and will also be both a compliance requirement and a business opportunity for many fintech companies. In recent years, the EU has handed down sustainability regulations that also affect companies other than financial market participants. Both the Corporate Sustainability Reporting Directive (CSRD), which is currently being implemented in Finland, and the Corporate Sustainability Due Diligence Directive (CSDDD), which is still being negotiated in the EU, also affect all companies in Finland, at least indirectly.
In terms of future success in sustainability, fintech companies may have an advantage as their businesses are often built around digital processes.
Consumer Lending and the Positive Credit Register
The Finnish consumer lending market and legislation have been under scrutiny in recent years. The Consumer Ombudsman, one of the relevant supervisory authorities along with the Finnish Financial Supervisory Authority, has been particularly active in supervising consumer-lending practices in the Finnish market, and has imposed penalty payments based on non-compliant marketing and lending practices.
Creditworthiness assessments may become more efficient in Finland since the Positive Credit Register was introduced on 1 April 2024. The Positive Credit Register functions as a service for storing information on consumer loans and, to a certain extent, income, allowing creditors to assess a credit applicant’s repayment abilities more easily and reliably.
The consumer lending climate in Finland might be challenging for some fintech companies to adapt to, but it does encourage companies to make compliance an asset and to develop sustainable practices. Given the open approach to data in Finland, of which the Positive Credit Register is an example, the Finnish market can also provide opportunities in consumer lending.