Fintech landscape and initiatives

General innovation climate

What is the general state of fintech innovation in your jurisdiction?

During its long history of fintech innovation, Sweden has produced companies such as Klarna, iZettle, Trustly, Lendify, BehavioSec and Safello, just to name a few. The innovation is diverse and fintech products span areas such as banking services, payment and payment settlement services, lending, biometrics and cryptocurrency. The Swedish fintech industry is still growing rapidly and multiple fintech companies have emerged in, inter alia, the Swedish housing credit market. This phenomenon may indicate a structural change for housing loan origination in Sweden and a reduced market share for Sweden’s largest banks. However, the Swedish Financial Supervisory Authority (SFSA) has indicated plans to introduce additional regulations in this area and the longevity of the new market actors remains to be seen.

Government and regulatory support

Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

The Minister for Financial Markets has expressed interest in setting up regulatory sandboxes where fintech start-ups may develop in an unregulated environment or only comply with a regulation-light regime, but the SFSA disagreed in a report published on 1 December 2017. In the same report, the SFSA proposed the introduction of the SFSA Innovation Centre. The Innovation Centre was opened on 16 March 2018 and serves to act as a point of contact for fintech companies and to facilitate a dialogue with the SFSA. Furthermore, the Innovation Centre is intended to provide guidance on applicable regulations for new financial services products and fintech start-ups.

Financial regulation

Regulatory bodies

Which bodies regulate the provision of fintech products and services?

The SFSA generally acts as the competent regulator responsible for ongoing supervision of fintech products and services and for the issuance of supplementary regulations and formal guidance. The SFSA is responsible for ensuring that the business of (regulated) fintech companies is carried out in accordance with applicable laws and regulations.

All marketing activities that have the purpose of furthering the sale of any product in Sweden, including fintech products of various nature, are subject to the Swedish Marketing Practices Act (2008:486 (MPA)), which requires, for example, that marketing is carried out in accordance with generally accepted marketing practices. The Swedish Consumer Agency (SCA), which includes the Consumer Ombudsman, is the primary authority responsible for ensuring that marketing material is compliant with the MPA.

Regulated activities

Which activities trigger a licensing requirement in your jurisdiction?

The following activities trigger a licensing requirement:

  • consumer lending;
  • mortgage lending;
  • consumer credit mediation;
  • lending in combination with accepting repayable funds from the public;
  • factoring and invoice discounting (when combined with accepting repayable funds from the public);
  • deposit taking (for deposits over 50,000 kronor);
  • management of alternative investment funds (AIFs) or undertakings for collective investment in transferable securities (UCITS);
  • foreign exchange trading;
  • insurance mediation;
  • provision of payment services; and
  • activities under the Capital Requirements Regulation No. 575/2013 (Capital Requirements Regulation).

A licence is furthermore required for offering the services and products covered by the Markets in Financial Instruments Directive 2014/65/EU (MiFID II), such as reception and transmission of orders in relation to one or more financial instruments, execution of orders on behalf of clients, dealing on own account, portfolio management, advising on investments in financial instruments, underwriting of financial instruments or placing of financial instruments on a firm commitment basis, and placing of financial instruments without a firm commitment basis.

The following activities trigger a registration requirement:

  • currency exchange;
  • deposit taking (for deposits up to 50,000 kronor); and
  • lending and credit mediation to non-consumers (if not combined with deposit taking).
Consumer lending

Is consumer lending regulated in your jurisdiction?

Yes, consumer lending is regulated through, inter alia, the Swedish Consumer Credit Act (2010:1846 (CCA)), which includes relevant provisions relating to, among other things, sound lending practices, marketing of consumer loans, credit assessments, information prior to concluding of and in relation to documentation of loan agreements, interest, fees and repayment of loans. In order to offer or provide consumer loans, the relevant company is required to be authorised by the SFSA, under, for example, the Swedish Consumer Credit (Certain Operations) Act (2014:275 (CCCOA)) (should the company solely provide or act as intermediary in relation to consumer loans) or the Swedish Banking and Financing Business Act (2004:297 (SBFBA)) (should the company instead, given the operations carried out, be considered a credit institution (as defined in the Capital Requirements Regulation)) or the Swedish Housing Credit Operations Act (2016:2014) (should the company solely provide consumer loans in the form of mortgages and be considered a housing credit institution).

Since 1 September 2018 new rules regarding high-cost credits apply, defined as credits granted to consumers having an interest rate of 30 percentage points above the reference rate according to the Swedish Interest Act (1975:635), as determined by the Swedish Central Bank, and that do not primarily relate to a credit purchase or residential immovable property.

Pursuant to the new rules, certain caps have been introduced whereby: (i) the maximum amount of interest, as well as any default interest, that may be charged under a credit agreement may not exceed 40 percentage points above the aforementioned reference rate; and (ii) the maximum amount of fees under a credit agreement may not exceed the credit amount. For the purposes of (ii), fees are defined as costs for the credit (comprising the aggregate amount of interest rate, credit fees and other costs that the consumer is obliged to pay under the loan, inclusive of necessary costs for valuation but excluding notarisation fees), default interest and costs pursuant to the Swedish Compensation for Collection Costs Act (1981:739), comprising costs that the creditor has incurred for measures taken for the purposes of obtaining payment including, for example, payment reminders and collection demands.

The marketing of consumer credits has previously been subject to certain requirements regarding moderation and restraint. The new rules also include an explicit requirement for all such marketing to be moderate. The new requirement is applicable to all types of consumer credits and thus not solely to high-cost credits (as defined above). It is not entirely clear what the meaning of moderation entails, and it remains to be seen how this requirement will be applied by Swedish courts and authorities in practice, but it is clear that a comprehensive assessment of all relevant circumstances would need to be made. Pursuant to the Swedish governmental preparatory works implementing the above changes, it is stipulated that the marketing should be as neutral and factual as possible and may not be intrusive (by way of, for example, targeting certain types of possible consumers via digital means). The marketing should also be balanced in the sense that certain terms of the credit should not be disproportionately highlighted, thereby reducing the consumer’s ability to make a well-founded decision.

Secondary market loan trading

Are there restrictions on trading loans in the secondary market in your jurisdiction?

There are no particular restrictions on trading loans in the secondary market in Sweden.

Collective investment schemes

Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Collective investment undertakings are regulated through the Swedish UCITS Act (2004:46), stipulating that the management of a Swedish UCITS, the sale and redemption of units in the fund, and administrative measures relating thereto may only be conducted following authorisation from the SFSA (with foreign EEA management companies authorised in their respective home state being able to rely on passporting regulations to carry out operations in Sweden). In relation to AIFs, see question 8. Fintech companies would generally not fall within the scope of the above-mentioned regulatory regime. For crowdfunding schemes, see question 10.

Alternative investment funds

Are managers of alternative investment funds regulated?

Yes, managers of AIFs are regulated through the Swedish AIFM Act (2013:561 (AIFMA)), implementing the Alternative Investment Fund Managers Directive 2011/61/EU (AIFMD). Small AIFMs (ie, AIFMs managing AIFs below the thresholds specified in article 3(2) of the AIFMD) may be exempted from the licensing requirements but must register with the SFSA and may not passport the registration into any other EU member state.

Similar as in relation to UCITS, fintech companies would generally not fall within the scope of the AIFMA.

Peer-to-peer and marketplace lending

Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Companies facilitating peer-to-peer or marketplace lending, consisting of loan intermediation or brokering, are regulated by and require authorisation pursuant to the CCCOA (which contains regulations on, for example, anti-money laundering measures, sound practices for loan intermediation operations, and ownership and management assessments). Should the relevant company also be responsible for the transactions of funds between lenders and borrowers (including keeping funds on a client account, or similar), the operations would instead fall under and require authorisation pursuant to the Swedish Payment Services Act (2010:751 (PSA)), which imposes additional requirements relating to, for example, own funds and information and technical processes relating to the execution of payment transactions.

Crowdfunding

Describe any specific regulation of crowdfunding in your jurisdiction.

There is currently no specific regulation of crowdfunding under Swedish law. Certain crowdfunding schemes may, however, fall within the scope of the general financial services framework. In the case of equity-based crowdfunding, the Swedish Companies Act (2005:551) prohibits a private company or a shareholder thereof from attempting to sell shares or subscription rights in the company or debentures or warrants issued by the company to the public.

In July 2016, the Swedish government appointed a special committee to analyse the need for further regulations with regard to, and in order to improve the legal and regulatory opportunities for, peer-to-peer and grassroots financing in Sweden. A legislative proposal was published in February 2018 that proposes the introduction of a new Swedish Financing Mediation Act (SFA). The SFA includes licensing requirements for the activities which fall within the scope of the SFA. Furthermore, the SFA will include provisions on operational requirements, supervision and sanctions. It is suggested that the SFSA will be the authority responsible for licensing, registration and supervision. Companies authorised under the SFA will be subject to the provisions of the Swedish Money Laundering and Terrorist Financing Prevention Act (2017:630 (SAML)), implementing the Fourth Anti Money Laundering Directive 2015/849/EU. The SFA will apply to business activities where the purpose is to - in exchange for payment - bring together natural or legal persons who intend to acquire financing from other natural or legal persons, where the financing is in the form of:

  • loan-based crowdfunding (credit granted by companies in exchange for payment, where the creditor is not licensed by the SFSA to conduct lending or loan mediation);
  • share-based crowdfunding (financing through the transfer of debt or ownership rights in the legal person seeking financing);
  • reward-based crowdfunding (financing through the offer to provide a service or commodity by the person seeking financing); or
  • donation-based crowdfunding (financing without an obligation for the person seeking financing to provide any payment or performance).

Licensing will mainly be required for share-based and loan-based crowdfunding. Companies that receive authorisation to mediate share-based or loan-based crowdfunding will be referred to as licensed capital mediators.

Invoice trading

Describe any specific regulation of invoice trading in your jurisdiction.

In accordance with the Swedish Certain Financial Operations (Reporting Duty) Act (1996:1006), a company participating in financing, for example by acquiring claims (invoice trading), is required to register its operations with the SFSA (by way of notification to the SFSA), and is further obligated to comply with provisions relating to, for example, anti-money laundering, and undergo ownership and management assessments.

Payment services

Are payment services regulated in your jurisdiction?

Yes, payment services are regulated under the Second Payment Services Directive (EU) 2015/2366 (PSD2), which has been implemented into Swedish law through the PSA. Money remittance, execution of payment transactions, acquisition of payment instruments, payment initiation and account information services are among the services currently regulated under the PSA.

Open banking

Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

The obligation for financial institutions to make customer or product data available to third parties under PSD2 has been implemented without change in Sweden.

Insurance products

Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Yes, if the selling and marketing is classified as ‘insurance distribution’. Insurance distribution is regulated under the Swedish Insurance Distribution Act (2018:1219 (IDA)) implementing Directive (EU) 2016/97 on Insurance Distribution (IDD). The IDA entered into force in Sweden on 1 October 2018. The IDD is a minimum harmonisation directive, enabling member states to impose stricter regulation. The IDA includes the same definition of ‘insurance distribution’ and the same exemptions from regulation as the IDD. Sweden has, however, imposed stricter regulations regarding third-party remunerations, conditions for providing advice on a fair and personal analysis, certain marketing prohibitions and information to a customer on remuneration. The stricter regulatory framework introduced by the IDD regarding insurance-based investment products will also, with effect from 1 October 2019, be applied to distribution of pension insurance that is exposed to market volatility.

Credit references

Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Yes, credit references and credit information services are regulated under the Swedish Credit Information Act (1973:1173) and the Swedish Credit Information Regulation (1981:955). A licence from the Swedish Data Protection Authority (DPA) is required when carrying out credit-rating operations in Sweden.

Cross-border regulation

Passporting

Can regulated activities be passported into your jurisdiction?

Yes, an undertaking that has been authorised in its home EU member state may, as a general rule, passport such authorisation into Sweden, where the Swedish legislation is based on EU law.

Requirement for a local presence

Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local presence?

See question 16. However, in relation to activities that fall under the CCCOA, a Swedish licence would be required (ie, passporting is not available).

Sales and marketing

Restrictions

What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

Marketing of financial services falls under the MPA, which applies to all marketing activities that have the purpose of furthering the sale of any product or service in Sweden, including, for example, the distribution of brochures and other marketing materials and electronic marketing activities (if primarily directed to Swedish entities or individuals). The MPA provides that all marketing must be consistent with good marketing practice and be fair and reasonable towards the person to whom or which it is directed. Good marketing practice is defined in the MPA as generally accepted business practices or other established norms aimed at protecting consumers and traders in the marketing of products. Thus all marketing shall be designed and presented in such a way as to make it apparent that it constitutes marketing and the party responsible for the marketing shall be clearly indicated. Statements or other descriptions that are or may be misleading may not be used. Marketing that contravenes good marketing practice is regarded as unfair if it appreciably affects or probably affects the recipient’s ability to make a well-founded transaction decision.

In relation to financial services, and in order to comply with ‘good marketing practice’ for the purposes of the MPA, it can, for example, be noted that:

  • placements of capital or returns should not be described in such terms as ‘safe’, ‘guaranteed’ or similar value judgements if it cannot be verified that it is guaranteed that an investor’s capital will be repaid or that a given return will be earned;
  • the return earned during a particular successful period on an investment product should not be highlighted in a way that gives a distorted overall impression of the performance of the investment product;
  • words such as ‘secure’ and similar value judgements should not be used for marketing purposes if they are not placed in a relevant context;
  • unconditional words expressing value, such as ‘best’, ‘biggest’ and ‘leading’ should not be used if the claim is not capable of verification; and
  • if an investment product involves risk, it should always be made clear when marketing such product that an investment in the product involves risk.

In addition, marketing of funds is further specifically regulated through the Swedish Investment Fund Association’s guidelines, which - albeit not being hard law - are considered as codifying good marketing practice in Sweden as regards the marketing of UCITS.

Change of control

Notification and consent

Describe any rules relating to notification or consent requirements if a regulated business changes control.

Consent from the SFSA is required where a legal or natural person intends to directly or indirectly acquire a qualified holding in a regulated business.

The holding is considered qualified when the acquirer directly or indirectly receives 10 per cent or more of the votes or shares, or otherwise is enabled to exercise significant influence over the management of the regulated business. Additional consent is required if the ownership amounts to or exceeds 20, 30 or 50 per cent of the votes or shares.

The consent requirement, generally referred to as an ‘ownership assessment’, means that the SFSA will examine all qualified owners in the envisaged ownership chain. The process is rather extensive and the exercise involves collating and producing a substantial amount of information (including documentation that supports the financing of the transaction). Each person included in the management body (comprising board members, CEO and deputies thereof) of an entity subject to assessment would need to complete and sign an application, including responding to questions regarding, for example, previous criminal proceedings.

SFSA consent must be obtained prior to the transaction. The SFSA has an expected processing period of the applications of 60 business days, with a possible extension of 20 business days if the SFSA requests additional information during the assessment process.

Financial crime

Anti-bribery and anti-money laundering procedures

Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Companies licensed by or registered with the SFSA and a significant number of companies and other professionals outside the financial sector are obliged to prevent money laundering and financing of terrorism by complying with the SAML and subsequent regulations. Pursuant to the anti-money laundering (AML) regulations, companies are required to adopt internal AML procedures. For companies launching ICOs, see question 30.

The SFSA is tasked with ensuring that the financial companies adhere to the AML regulations. The County Administrative Board supervises companies and professionals outside the financial sector.

Bribery is criminalised under the Swedish Penal Code (1962:700), which is applicable to all types of Swedish companies. Most financial companies are required to adopt ethical guidelines setting out, inter alia, the company’s procedures to combat bribery.

Guidance

Is there regulatory or industry anti-financial crime guidance for fintech companies?

Yes, the SFSA has adopted regulations and guidelines with respect to AML, setting out the detailed provisions applicable for relevant companies.

Peer-to-peer and marketplace lending

Execution and enforceability of loan agreements

What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable?

Loan origination is regulated under the SBFBA and in subsequent regulations and guidelines issued by the SFSA and the SCA. The SFSA and the SCA have recently raised demands on lenders’ investigation of credit­worthiness prior to entering into loan agreements with consumers. Furthermore, the loan agreements are subject to the CCA.

The risk that loan agreements entered into on a peer-to-peer or marketplace lending platform would not be enforceable under Swedish law is minimal.

Assignment of loans

What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these loans without informing the borrower?

Perfection of an assignment against third parties depends on whether the loan is represented by a negotiable (physical) promissory note or a non-negotiable promissory note. In the former scenario, the promissory note must be transferred to the assignee, whereas in relation to non-negotiable promissory notes, the borrower must be notified of the assignment, so that the debtor can solely make its payments to the assignee with discharging effect.

In the event the assignment is not perfected, the loan would be included in the bankruptcy estate of the assignor, in relation to which the assignee would only have a non-secured claim.

Securitisation risk retention requirements

Are securitisation transactions subject to risk retention requirements?

See question 25. Loans originated on a peer-to-peer lending platform may only be transferred without informing the borrower where the loan is represented by a negotiable promissory note.

Securitisation confidentiality and data protection requirements

Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information relating to the borrowers?

Yes. Provided that the company’s operations consist of providing credit to consumers (by way of purchasing loans), the company would generally have to be authorised by the SFSA, in accordance with, for example, the CCCOA, which would entail that a duty of confidentiality (similar to bank secrecy) would be imposed.

Provided that the company processes personal data as part of its operations, it would further, with respect to borrowers’ personal data, be subject to the EU General Data Protection Regulation (GDPR) and Swedish data protection laws.

Artificial intelligence, distributed ledger technology and crypto-assets

Artificial intelligence

Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

There is no specific regulation of automated investment advice in Sweden. The SFSA defines automated investment advice as personal advice regarding financial instruments that is provided without, or with limited, human interaction. In Sweden, automated investment advice (eg, robo-advice) constitutes regulated investment advice under the Swedish Securities Markets Act (2007:528 (SMA)) implementing MiFID II and is consequently subject to all the substantive provisions of the Swedish MiFID II implementation, including the SFSA’s regulations regarding investment services and activities (2017:2). If the use of artificial intelligence would include decisions based solely on automated processing of personal data, including profiling, this be subject to the requirements in article 22 of the GDPR.

Distributed ledger technology

Are there rules or regulations governing the use of distributed ledger technology or blockchains?

There are no rules or guidelines specifically addressing the use of distributed ledger technology but general rules and regulations such as AML and consumer protection, where applicable, must be complied with. The SFSA has, in a report from March 2016, identified distributed ledger or blockchain technology as an area of interest for the supervisor and where it is expected that rules and regulations need to be adopted in the future. If the distributed ledger technology or blockchains would include personal data, general requirements under the GDPR and Swedish data protection laws will be applicable.

Crypto-assets

Are there rules or regulations governing the use of cryptoassets, including digital currencies, digital wallets and e-money?

Digital currencies, digital wallets and e-money are regulated under the PSA and the Swedish Electronic Money Act (2011:755 (EMA)), the SFSA’s regulations regarding institutions for electronic money and registered issuers (2011:49) and the SFSA’s regulations and general guidelines regarding institutions for electronic money and registered issuers (2010:3).

Digital currency exchanges

Are there rules or regulations governing the operation of digital currency exchanges or brokerages?

No. Digital currency does not constitute a financial instrument under the SMA and is therefore not subject to the Swedish implementation of the MiFID II provisions governing trading venues or brokerage.

Initial coin offerings

Are there rules or regulations governing initial coin offerings (ICOs) or token generation events?

There are currently no specific provisions governing ICOs in Sweden as these fall outside of the scope of the existing rules and hence outside of the regulated space. However, should the coins or tokens qualify as financial instruments under the SMA, the issuers may become subject to, inter alia, the SMA, the AIFMA, the Swedish implementation of the Prospectus Directive (2003/71/EC) and the SAML.

Data protection and cybersecurity

Data protection

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The GDPR and the Swedish Act on Supplementary Provisions to the GDPR (2018:218) generally apply to processing of personal data by data controllers established in Sweden. The main requirements relating to the processing of personal data include:

  • Personal data may only be processed (ie, collected, used and stored) if there is legal ground (ie, consent) for the processing. However, there are several exemptions from the requirement of consent (eg, where the processing is necessary in order to fulfil a contract or a legal obligation or necessary to pursue a legitimate interest of the data controller, unless this interest is overridden by the interest of the registered person to be protected against undue infringement of privacy).
  • Certain fundamental requirements must be met (eg, personal data shall be adequate, relevant and non-excessive in relation to the purpose of the processing and shall not be kept longer than necessary).
  • Data subjects shall, as a general rule, be informed of the processing of their personal data and data subjects have certain rights (eg, right of access, rectification, erasure and data portability).
  • Processing of sensitive personal data and criminal offence data may only be performed in limited circumstances. In general, consent from the person concerned is required for sensitive data. As a general rule, it is prohibited to process criminal offence data (there are a few exemptions, for example, regarding whistle-blowing systems, where it is permitted to process criminal offence data under certain conditions).
  • There are specific requirements that must be met in case of export of personal data to countries outside the EU or EEA (eg, consent or model clause agreements may justify such export).
  • A data controller must take appropriate technical and organisational measures in order to protect personal data. Data processing agreements must be entered into with data processors.
  • The GDPR also includes requirements regarding, inter alia, appointment of data protection officer, personal data breaches, data protection by design and by default, records of processing activities, data protection impact assessments, consultation and cooperation with the data national protection authority.
  • The GDPR applies to pseudonymised data, but not to fully anonymised data (ie, where it is not possible to directly or indirectly identify an individual by any means).
Cybersecurity

What cybersecurity regulations or standards apply to fintech businesses?

Under the GDPR, controllers must have ‘appropriate technical and organisational measures’ in place to ensure a level of security appropriate to the risk. There is therefore no prescribed level of security, but an analysis must be carried out to ascertain what level of security is appropriate to the type of processing of personal data being carried out.

Outsourcing and cloud computing

Outsourcing

Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

In addition to outsourcing provisions of the MiFID II Commission Delegated Regulation 600/2014/EU, which is directly applicable in Sweden, there are multiple legal and regulatory requirements with respect to outsourcing by financial services companies including, inter alia, the SBFBA, the CCCOA, the SMA, the EMA, the PSA, the SFSA’s regulations (2010:3) and (2011:49).

The provisions are subject to some variation, but in general impose that financial services companies are required to exercise the requisite skill, care and diligence when entering into, managing and terminating outsourcing arrangements. Furthermore, the rights and obligations of the financial services company and the service provider must be clearly documented in an outsourcing agreement. If the financial services company intends to outsource a significant part of the licensed operations, or activities that have a natural connection with financial operations or their support functions, the financial services company is required to notify the SFSA thereof in advance and also provide the SFSA with a copy of the relevant outsourcing agreement.

Cloud computing

Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

The DPA has issued general guidance with respect to the use of cloud computing. The guidance was issued prior to the GDPR, but we deem that it still may be relevant. According to the guidance, the data controller must, for example:

  • adopt a position regarding whether there is a risk that personal data may be processed for purposes other than the original ones;
  • adopt a position regarding whether the cloud service provider may disclose personal data to a country outside the EU or EEA and whether, in such a case, the transfer can be justified under the Swedish Personal Data Act;
  • carry out a risk and impact assessment in order to assess whether it is possible to appoint the cloud service supplier for processing of the envisaged personal data, what security level is appropriate and what security measures have to be taken in order to protect the personal data that is processed;
  • ensure that a detailed data processor agreement is entered into with the cloud provider; and
  • consider other legislation, such as confidentiality legislation.

The SFSA requires outsourcing agreements to be in writing and clearly regulate the rights and obligations of the financial service company and the third-party service provider. The SFSA further expects the financial service company to be able to assess and monitor how well the third-party service provider is carrying out its duties and to terminate the agreement should the third-party service provider lack the skills, capacity and authorisations required by law to reliably and professionally perform the outsourced duties and manage risks related to these duties.

Intellectual property rights

IP protection for software

Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer programs are protected as copyrighted works in accordance with the Swedish Copyright Act (1960:729 (CA)). The copyright protection arises automatically and there is thus no registration procedure for obtaining copyright protection. Software-implemented inventions and business methods can be registered and protected as patents if they meet all the necessary requirements. Program code or mere business methods, however, cannot be patented in Sweden, but a technical invention that includes a business method, or which is implemented or can be implemented by a computer program, can be patentable.

IP developed by employees and contractors

Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

In general, the intellectual property developed during the course of employment vests with the employee, unless explicitly transferred to the employer. However, the employer has a more or less extensive right to acquire or utilise the intellectual property depending on the category of intellectual property and category of invention (see below) as well as the provisions in the applicable employment or collective bargaining agreements. There are also specific statutory provisions concerning certain intellectual property. Below is a summary of the general principles regarding an employer’s rights to inventions developed by its employees:

  • According to the CA, copyright in a computer program created in the course of employment is automatically transferred to the employer, unless otherwise agreed in, for example, the employment agreement. Note, however, that the scope of the ‘computer program’ concept is not clear under Swedish law. Therefore, it is recommended that employers include an appropriate clause in the employment agreement that explicitly transfers all rights to the employer.
  • An employer has certain rights to patentable inventions developed by its employees. Such inventions are divided into three categories and the employer’s rights differ between the categories:
    • inventions developed by employees that are employed to conduct research and development work, and which are developed within the scope of such employment, may be acquired or utilised by the employer;
    • inventions developed within the employer’s line of business but developed by an employee that is not employed to conduct research and development work may be utilised by the employer and the employer has priority over others in acquiring ownership of the invention; and
    • inventions developed within the employer’s line of business but developed without any connection to the employment may be acquired by the employer, with priority over others, if agreed upon with the employee.
  • In addition, collective bargaining agreements (if applicable) may also contain provisions on employers’ rights to intellectual property developed by employees similar to the three categories described above.

In relation to contractors and consultants, the main rule is that all rights in results vest in the originator. This means that a company must explicitly acquire the rights in such results through agreements with the originator. The inclusion of appropriate intellectual property clauses in the agreement with contractors and consultants are thus essential.

Joint ownership

Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

The Swedish legislation does not fully regulate the matter of joint ownership of intellectual property. It is only the CA that explicitly regulates the matter whereby the main rule is that co-authors have a joint right to the copyright protected work. The same should reasonably also apply to the other categories of intellectual property. Unless agreed otherwise between the co-owners, the Swedish Act on Joint Ownership (1904:48 (AJO)) is applicable. The AJO states that consent from all co-owners is necessary for all decisions concerning the management of the jointly owned property. All co-owners are, however, entitled to sell their share in the jointly owned intellectual property without consent from the other owners. In light of this, co-owners of intellectual property are restricted from utilising, licensing, charging or assigning the intellectual property in whole without the other co-owner’s consent. The co-owners thus have to settle the joint ownership and agree on how to use and manage the intellectual property in order to avoid uncertainty.

Trade secrets

How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Protection for trade secrets is granted through the Swedish Trade Secrets Act (2018:558 (TSA)). For the purposes of the TSA, trade secrets are defined as information concerning business or operational circumstances in a trader’s business, which is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question, which the trader has taken reasonable measures to keep confidential and the disclosure of which is likely to cause damage to the trader from a competition perspective. Trade secrets cannot be registered for protection and the only statutory protection for such information is granted under the TSA.

Court proceedings as well as all evidence and other information submitted to the court are generally public in Sweden. However, for information concerning business or operational circumstances the parties may request secrecy when submitting information or during the proceedings as well as afterwards. However, a Swedish court is not required to adhere to such request and there is no way of knowing whether the court will grant a request of secrecy in advance.

Branding

What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

The general provisions for protection of trademarks and trade symbols are provided in the Swedish Trademarks Act (2010:1877). A trade symbol can be registered for protection in Sweden if it is distinctive (ie, capable of distinguishing goods or services of one business activity from those of another). A trademark registered for protection in the EU also grants protection in Sweden. Exclusive rights to a trade symbol may also be obtained, without registration, if the symbol is considered established on the market. A trade symbol is deemed established on the market if it is known by a significant part of the relevant public as an indication for the goods or services that are being offered under it.

New businesses can either perform searches themselves in relevant public databases for trademarks identical or similar to the trademarks they intend to use, for example, in the Swedish Patent and Registration Office’s database (which covers both Swedish and EU trademarks) or engage a trademark attorney to assist with such preliminary investigations.

It can also be noted that general branding can be protected by the MPA. The MPA protects unfair competition and can thus, inter alia, protect a business against other business taking unfair advantage of the reputation associated with the first business, including its trademark, business name or other distinctive marks.

Remedies for infringement of IP

What remedies are available to individuals or companies whose intellectual property rights have been infringed?

There are numerous remedies available when suing an alleged infringer in court. For example, preliminary injunctions and prohibitions under penalty of fine as well as damages for infringement, loss of profit and impaired goodwill are available in all Swedish intellectual property laws. Infringements committed intentionally or through gross negligence can also result in fines or imprisonment.

Competition

Sector-specific issues

Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

The rapid growth of the Swedish fintech industry in recent years has given rise to many new payment solutions and increased competition between the old and the new. For instance, we have recently seen issues relating to the interoperability between the traditional banking systems and the new digital solutions. Further, while it is hoped that new regulation, such as PSD2 and the Payments Account Directive 2014/92/EU, will result in lower transaction fees and spur further growth and competition, it may also lead to an increased focus on compliance, which could negatively affect innovation in the industry.

Tax

Incentives

Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no special Swedish tax incentives for fintech companies or investors to encourage innovation and investment in the fintech sector in Sweden.

Increased tax burden

Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

No.

Immigration

Sector-specific schemes

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no specific immigration schemes available for fintech businesses to recruit skilled staff nor are there any special regimes specific to the technology or financial sectors. Whether a work permit is required for the specific role is subject to a case-by-case assessment. The main rule under Swedish law is that for a citizen of a non-EU country to be able to work and reside in Sweden, a work permit and a residence permit is required. EU citizens are, however, entitled to work in Sweden without any kind of permit. Swiss citizens are entitled to work in Sweden without a work permit, but are still required to apply for a residence permit.

Certain other categories of employees may also temporarily work in Sweden without a specific work permit, provided that certain requirements are fulfilled. For example, a work permit is not required for individuals employed by a multinational corporate group where such employees will undergo practical training, on-the-job training or other in-service training at a company in Sweden, which is part of the group (a maximum aggregate period of three months). In the absence of any of the aforementioned exemptions, all non-EU citizens must obtain a work permit to be entitled to work in Sweden.

The application procedure is generally the same for all applicants regardless of occupation or industry. Applications are assessed by the Swedish Migration Agency (MA) and the application processing time varies. It currently takes up to four months for the MA to examine a complete first-time application registered through the regular queue. There are, however, particular certified firms (such as certain law firms) with access to the MA’s fast-track system when applying for work permits on behalf of a client company and its employees. Certified firms are entitled to a significantly shorter turnaround time (10 days for complete first-time applications). In cases where the employer is not bound by a collective bargaining agreement and the concerned Swedish trade union does not oppose the absence thereof, the official fast-track turnaround time is 60 days.

Update and trends

Current developments

Are there any other current developments or emerging trends to note?

Current developments45 Are there any other current developments or emerging trends to note?

According to the Swedish Patent and Registration Office, Sweden is the number-one country in Europe (and number five globally, just after the US, China, South Korea and Japan) when it comes to applications for international patent within Industry 4.0 (ie, the fourth industrial revolution), which relates to the computerisation of technology. This includes the internet of things, cloud computing and data exchange in manufacturing technologies. The majority of Swedish international applications relate to core technology, which includes data communication, hardware and software. Furthermore, AI, geopositioning and safety technology are also growing areas.

Furthermore, a proposal referred to the Swedish Council on Legislation for consideration proposing the implementation of Directive (EU) 2016/2341 on the activities and supervision of institutions for occupational retirement provision (IORP II) in Swedish legislation was published on 16 May 2019. The suggested amendments are proposed to enter into force on 1 December 2019. The deadline for member states to implement IORP II was 13 January 2019.