FINTECH REPORT 2021 - World Law Group
SETTERWALLS - FINTECH REPORT 2021

• Introduction
• ProTechtive Security (Sw. Säkerhetsskydd) – who does it concern?
• The new EU Crypto Asset legislation (MiCA) - are the Wild West days of Crypto about to end?
• Central Banks go Fintech – the BIS and the Hub
• The Swedish Data Protection Authority’s focus on new technologies – what does it mean for the FinTech sector?
• NFT and copyright – complementary or at odds?
Introduction

A strange year has passed since the last FinTech Report and of course most people remember this as the year of lockdowns and hardships (including statistics). However, it is also a year where the operations of business and services, especially within the financial sector, have been undergoing a huge digital transformation. Niche banks and Fintech start-ups representing the frontier of tech and digital banking have this year indeed challenged the establishment. Fintech unicorns, such as Klarna and Trustly, are valued higher than most traditional companies and it now seems that everyone is going for the ultimate IPO. Last but not least, cryptocurrencies and NFTs have almost overnight gained credibility and are the talk of the town and on everyone’s lips.

In light of this, our FinTech Report 2021 has this year focused on things that we believe are “hot” and interesting reflecting the current COVID-19-era and what could be good to know going forward. In addition, we will publish further articles after the summer on other hot topics such as eIDAS (and electronic signatures) and the use of biometric data in a GDPR-compliant way. Last but not least, we want to give you a heads up that this year we will for sure have our most appreciated event Setterwalls FinTech Forum taking place in October/November in Stockholm.

So without any further delay it is our pleasure to present the new issue of Setterwalls’ FinTech Report.

• ProTechtive Security (Sw. Säkerhetsskydd) – who does it concern?
• The new EU Crypto Asset legislation (MiCA) - are the Wild West days of Crypto about to end?
• Central Banks go Fintech – the BIS and the Hub
• The Swedish Data Protection Authority’s focus on new technologies – what does it mean for the FinTech sector?
• NFT and copyright – complementary or at odds?

We hope you will enjoy it and we look forward to seeing you at the Setterwalls FinTech Forum this fall.

Yours sincerely,
Joacim Johannesson
Partner, and Head of Setterwalls’ FinTech team
ProTechtive Security (Sw. Säkerhetsskydd) – who does it concern?

Introduction

‘Protective security’ (Sw. “säkerhetsskydd”) means the protection of security-sensitive activities against espionage, sabotage, terrorist offences and other crimes. It aims to safeguard those activities that are in greatest need of protection from a national perspective. We have seen an increased awareness regarding rules on protective security and the question whether certain operations are in scope of the relevant rules being raised more frequently. Protective security has received the highest attention from the legislator for the last couple of years and the Protective Security Act which came into force about two years ago is about to see its scope widened yet again. A broader approach for the Protective Security Act was to highlight the availability and integrity aspects of information- and IT-systems. The financial system provides vital functions through such systems and organisations need to ask themselves whether they are in scope of the Protective Security Act, and if they are, take appropriate measures. In this article, we provide a brief summary of the Protective Security Act and examine the recent Government bill, which for instance introduces new powers of investigation for supervisory authorities, introduces new rules regarding protective security agreements and strengthens the role of an obligatory protective security manager.

It may concern you

Rules on protective security apply to activities that are of importance for Sweden’s security from a national perspective. Operators of financial services and information- and IT-systems may well be in scope of the Protective Security Act (2018:585) (“the Act”) and if so need to proactively analyse what measures to take. Further, as we read preparatory works to the Act, it is not unlikely that there are operators vital for Sweden’s security either unaware of their responsibilities or not applying the rules for other reasons. Also, outsourced suppliers to operators conducting security-sensitive activities could find themselves having to sign a protective security agreement (Sw. säkerhetsskyddsavtal) which for instance could oblige them to conduct security investigations of personnel. Such actors are also in scope for supervisory authorities’ supervision.

Before we look closer at the recently published Government bill (prop. 2020/21:194), with proposed changes and amendments to the Act, we start with an overview of the Act.

The Act

The concern of the Act is to protect those activities that are in greatest need of protection, primarily against antagonistic attacks. The Act came into force April 1st 2019, replacing an older act on protective security. The Act applies to more organisations than previously and to public as well as private operators of security-sensitive activities. The Act aims to protect not only classified information but security-sensitive activities in a wider scope and specifically pointing out information and IT-systems. Financial services and systems can be vital for the public and also of national importance and therefore in scope of the Act.

Operators of security-sensitive activities must carry out a protective security analysis. The analysis is the starting point for planning and taking appropriate protective security measures. The Act also contains rules on security investigations of personnel, which aim at establishing that the persons participating in security-sensitive activities are loyal to the interests protected by the Act.

One important rule of the Act obliges an operator, under certain circumstances, to enter into a protective security agreement with a contractor. An outsourcing of security-sensitive activities could be an example of a contractual relationship where the parties, besides the commercial agreement, also need to enter into a protective security agreement. The aim of such an agreement is to, on a contractual basis, provide the information or otherwise security-sensitive activity the same protection as it enjoys with the operator (requiring security investigations of personnel, having a protective security manager, no subcontracting without the operator’s consent etc.).

Since January 1st 2021 the Act contains rules on transfer of security-sensitive activities and certain property. The rules oblige a transferor to make a suitability assessment from a protective security perspective of the transfer and consult with a consulting authority.

The Protective Security Ordinance (2018:658) and the Swedish Security Service’s regulation on Protective Security (PMFS 2019:2) contain further and more detailed rules on protective security.
The recent Government bill – proposals for changes to the Act

On May 20th 2021 the Government adopted a Government bill with proposals for changes to the Act. In connection to making the bill public, Minister of the Interior Mikael Damberg stated that security issues are high on the Government’s agenda. He said that in recent years, the Government has developed extensive new regulations in the area of security protection that have both modernized and strengthened the legal framework. However, according to Damberg, the development of security policy and certain events that have occurred have shown that there is a need for further measures. This statement provides a background to the recent proposal.

Important features of the proposal are:

• Protective security managers shall have a more prominent role in the protective security management.
• Operators must enter into protective security agreements in more situations.
• Operators must make an assessment and test the appropriateness of outsourcing and similar procedures which require protective security agreements, and in some cases consult with a supervisory authority. If a procedure is unsuitable from a security point of view, the supervisory authority can decide that it may not be implemented and also intervene in an ongoing procedure.
• Supervisory authorities are given investigative powers and the possibility to order operators to take certain measures, subject to a conditional fine, and decide on administrative sanctions against those who do not comply with the requirements of protective security legislation.

The security manager

There are already some requirements regarding the protective security manager in the Protective Security Ordinance. The Government bill however entails a general requirement that the protective security manager must be directly subordinate to the head of the operator’s operations (in a limited liability company the CEO). The Government proposes to extend the responsibility of the protective security manager to include management and coordination of protective security activities and to control that the operator conducts its business in accordance with the Act and adherent regulations. The responsibility of the protective security manager according to the proposal cannot be delegated.

Protective security agreements in more situations

The Government proposes to extend the obligation to conclude a protective security agreement in such a way that it also applies to procedures other than procurement and other acquisitions. An operator who intends to carry out a procurement, enter into an agreement or initiate a cooperation or a collaboration[1] with a contractor, shall enter into a protective security agreement with the contractor if the operator through the procedure can gain access to classified information in the security class confidential (Sw. konfidentiell) or higher, or to security-sensitive activities of equivalent importance to Sweden’s security. The obligation applies to situations where the operator is supplier as well as purchaser. The Government also proposes to clarify that the operator must also enter into a security protection agreement with a subcontractor and that the operator shall enter into protective security agreements before the counterparty can gain access to the security-sensitive business or information.

Procedures surrounding a protective security agreement

There are already some rules on the procedures surrounding the entering into a protective security agreement, especially for Government authorities. Because of their limited scope the Government is of the opinion that the scope needs to be widened. The Government proposes that before initiating a procedure that requires a protective security agreement, an operator, including private operators, must carry out a specific security assessment, identify which security-classified information or other security-sensitive activities other parties can access and that requires protection.[2] Based on the specific security assessment the operator must make a suitability assessment of the planned procedure. If the suitability assessment leads to the conclusion that the procedure is inappropriate from a security point of view, the operator shall not initiate the procedure.[3]

The Government also proposes an obligation for all operators to, under certain circumstances, consult the relevant supervisory authority before they proceed with an outsourcing or other activity requiring a protective security agreement. The obligation to consult a supervisory authority depends on the sensitivity of the outsourced activity. Further, the supervisory authority is given the mandate to prohibit the planned outsourcing or other activity which requires a protective security agreement.[4] Also, supervisory authorities will have the power to intervene in an ongoing contractual relationship. If an ongoing procedure is unsuitable from a protective security point of view, the supervisory authority will have the possibility to, subject to a conditional fine, order the operator and its counterparty to take the measures needed to prevent damage to Sweden’s security, finally to decide that the procedure must be stopped.

Further powers for supervisory authorities

The protective security legislation currently does not contain any specific powers for the exercise of supervision. A basic precondition for supervision of the security protection is therefore that the supervised entities cooperate with the supervisory authorities and comply with their instructions and recommendations. This is, as has already become obvious, about to change. We have already mentioned that supervisory authorities are given the mandate to intervene in a planned or ongoing outsourcing or other procedures which require a protective security agreement. The Government also proposes that the supervisory authorities shall be given more powers for their effective supervision. For instance, the Government proposes that an operator under supervision must, upon request, provide the supervisory authority with the information needed for supervision. The supervisory authorities shall have the right to, to the extent necessary for their supervision, gain access to areas, premises and other spaces, but not housing, which are used in activities subject to supervision. The supervisory authorities shall also be able to order the person under supervision to provide information and to provide access to premises and the like. The supervisory authority may also decide to order an operator to take measures to fulfill its obligations under the Act and regulations that have been issued under it. Such orders may be combined with a conditional fine.

The proposal also introduces a system of administrative sanctions. The supervisory authorities shall be able to decide on administrative sanctions for certain breaches of the Act and of regulations under the Act. For private operators, the Government proposes a maximum administrative fine of SEK 50 million. It will also be possible to decide on an administrative sanction against a shareholder who has not fulfilled its obligation to consult prior to the transfer of shares in security-sensitive activities, has carried out such a transfer in violation of a prohibition, or has provided incorrect information in connection with the consultation.

Notification obligation

The Government proposes an obligation for operators to notify their supervisory authority of their security-sensitive activities. Anyone who conducts security-sensitive activities shall, without delay, notify the supervisory authority. The same applies when the security-sensitive activity has ceased.

So which are the supervisory authorities?

Supervision in the area of protective security is divided between different authorities. For private operators in the financial sector and third party providers to such operators the county administrative boards are responsible for the supervision at present. The Government states that provisions on which authorities are to be protective security supervisory authorities shall be decided through a Government ordinance. We expect that the Government will point out Finansinspektionen as the supervisory authority in the financial sector. For the purpose of supervising that operators abide by the Act and regulations under the Act, the supervisory authority may also exercise supervision over the actors who operators have entered into protective security agreements with.

[1] The new rules do not apply to cooperations or collaborations between Government authorities,
[2] The obligation to make a specific security assessment shall not however apply before entering into a security protection agreement with a subcontractor.
[3] There will be certain exemptions from these rules.
[4] The Government explicitly states that even though there to some extent will be overlapping rules regarding banks’ outsourcing in the Banking and Financing Business Act (SFS 2004:297) (Sw. lagen om bank och finansieringsrörelse) there is no reason to make any exemptions with regard to these rules. Banks which outsource any part of their business may therefore need to adapt to both rules regarding protective security, and specific rules regulating their banking activity.

Conclusions

Banks, financial infrastructure companies and other institutions that may be in scope of the Act do best in carefully analyzing whether they conduct security-sensitive activities and if they conclude they do, take appropriate actions. They need to be attentive to updates in the legislative landscape and for instance as it comes to outsourcing of security-sensitive activities carefully consider the appropriate steps to take to comply with the current and future legislation. The rules on protective security are not always easy to interpret.
Further, parties contracting with operators regulated by the Act must pay attention to the contractual obligations that might follow. Supervisory authorities may also show interest in the parties’ relationship.

In comparison to administrative fines in the financial sector, the maximum administrative fine proposed by the Government for breaches of the Act is low. Yet, the incentives for complying with the Act should not only be connected to the amount of a possible sanction, but to the interest the Act aims to protect, and to the reputation risk a sanction could entail for an operator subject to a sanction. We know being regulatory compliant is of great importance to the concerned companies, which do not want the bad will of breaching legal requirements. One should not expect less than that Finansinspektionen would approach its likely assignment to come with the greatest sense of responsibility and take an active role as a supervisory authority in the protective security field.

The new EU Crypto-asset legislation (“MiCA”) - are the Wild West days of Crypto about to end?

1. Background

The Swedish Financial Supervisory Authority (the “SFSA”) issued a new warning in relation to crypto-assets as recently as on the 24th of May. The warning was the latest in a series of warnings from the SFSA and other authorities e.g. EBA and ESMA, in relation to crypto-assets. The SFSA reminded that products based on crypto-assets are not appropriate for most if not all consumers. According to the SFSA, the consumer protection is inadequate and crypto-assets are difficult or impossible to value in a reliable manner. The risk that a consumer will lose his invested money is considerable. The SFSA also pointed out that these types of products are not covered by the consumer protection legislation that other types of investments are.[1]

Agreeably, there is reason for concern over the risks crypto-assets pose for consumers. As an example of how volatile the crypto market can be, the cryptocurrency dogecoin lost more than a third of its price in early May, after Tesla chief and cryptocurrency supporter Elon Musk called it a ‘hustle’ during his guest-host spot on the “Saturday Night Live” comedy sketch TV show.[2] Furthermore, there are significant risks in relation to money laundering and terrorism financing due to lack of transparency in many crypto-assets.

At the same time, there is no doubt that crypto-assets show significant potential as a means to make financial services more efficient and that innovation in the crypto-asset space cannot be overlooked.

Tobias Björklund
SPECIALIST COUNSEL | STOCKHOLM

[1] https://www.fi.se/sv/publicerat/nyheter/2021/se-upp-for-riskabla-produkter-med-kryptotillgangar/
[2] https://www.reuters.com/technology/dogecoin-spotlight-cryptocurrency-backer-musk-makes-snl-appearance-2021-05-07/
2. Risks and uncertainties in the crypto-asset market today

As noted above, there are significant risks for consumers in relation to their investments in crypto-assets since the crypto market can be highly volatile and there is no consumer protection legislation in place that e.g. ensures consumers access to sufficient information to make adequate investment decisions. Also, the lack of appropriate legislation and transparency may attract less serious actors to the crypto-asset market and increase the risk of fraud, money laundering and terrorism financing.

In addition, the entrepreneurs who do want to run their business by the book may struggle with the uncertainties of what is actually “right”, e.g. it is not always evident if their crypto-asset services are considered to be regulated financial services and if they need a license from a supervisory authority for their business.

In this respect, a key consideration of the legal qualification of crypto-assets is whether they may qualify as financial instruments under the second Markets in Financial Instruments Directive (“MiFID II”)[3]. This is because the existing EU financial regulation establishes a comprehensive regulatory regime governing the execution of transactions in financial instruments.[4] Furthermore, crypto-assets may qualify as electronic money under the second Electronic Money Directive (“EMD2”)[5].[6] If so, such assets also qualify as “funds” under the second Payment Services Directive (“PSD2”)[7], which in turn may mean that a crypto-asset service provider is providing payment services subject to a license or registration requirement with the Financial Supervisory Authority.

That being said, many crypto-assets and the services related to them fall out of scope of EU financial services regulation altogether. The novelty of the crypto-asset services in connection with the complexity of tech- and EU legal landscape however gives rise to many uncertainties for the market actors.

3. How MiCA may improve the current situation

On 24 September 2020 the European Commission adopted a new Digital Finance Package, including e.g. a Digital Finance Strategy and legislative proposals on crypto-assets, including the Markets in Crypto-Assets Regulation[8] (“MiCA”) proposal. The expressed intent from the Commission was to provide for a competitive EU financial sector that gives consumers access to innovative financial products, while ensuring consumer protection and financial stability.[9]

[3] Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU
[4] ESMA, Advice – Initial coin offerings and Crypto-Assets, 9 January 2019, ESMA50-157-1391, p. 18
[5] Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC
[6] EBA, Report with advice to the European Commission on crypto-assets, 9 January 2019, p. 14.
[7] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
[8] Proposal for a regulation of the European Parliament and of the Council on Markets in Crypto-Assets, and amending Directive (EU) 2019/1937.
[9] https://ec.europa.eu/info/publications/200924-digital-finance-proposals_en
3.1 Purpose

MiCA covers such crypto-assets that fall outside existing EU financial services legislation. MiCA has four general objectives. The first objective is one of legal certainty. For crypto-asset markets to develop within the EU, there is a need for a sound legal framework, clearly defining the regulatory treatment of all crypto-assets that are not covered by existing financial services legislation. The second objective is to support innovation. To promote the development of crypto-assets and the wider use of Distributed Ledger Technology, it is necessary to put in place a safe and proportionate framework to support innovation and fair competition. The third objective is to instil appropriate levels of consumer and investor protection and market integrity given that crypto-assets not covered by existing financial services legislation present many of the same risks as more familiar financial instruments. The fourth objective is to ensure financial stability. Crypto-assets are continuously evolving. While some have a quite limited scope and use, others, such as the emerging category of ‘stablecoins’, have the potential to become widely accepted and potentially systemic.[10]

3.2 Creation of crypto-asset categories

Under MiCA various crypto-asset categories are created:

• Crypto-assets generally, as a “catch-all” category (e.g., bitcoins or ether)
• Utility Token (e.g. Filecoin token)
• ART – Asset-Referenced Token (e.g., Libra Basket Coin)
• EMT – E-Money Token (e.g., USDC or Libra Euro).

ART and EMT pertain to what is commonly referred to as stablecoins, depending on whether they are pegged by a single fiat currency (e.g., Euro, U.S. dollar, etc.) (EMT), or are linked to several fiat currencies, commodities such as gold, or the value of other crypto-assets (ART).[11]

3.3 License- and regulatory requirements for crypto-asset issuers and service providers

MiCA will also create a new European licensing regime for crypto-asset issuers[12] (“Issuers”) and crypto-asset service providers[13] (“Service Providers”) in relation to the above crypto-asset categories.

An Issuer is a legal person who offers to the public any type of crypto-assets or seeks the admission of such crypto-assets to a trading platform for crypto-assets. Issuers of ‘significant’ crypto-assets will be subject to supervision by the European Banking Authority (“EBA”) while others will be supervised by their national competent authorities. Issuers must publish a white paper regarding the crypto-assets to be issued and send it in advance for notification to the financial supervisory authority in their home member state. In addition, depending on the crypto-asset category, different regulatory requirements will apply for Issuers, e.g. an authorisation requirement to issue ART.

A Service Provider means any person whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis. Service Providers are subdivided into: i) Service Providers that provide crypto-asset trading platforms; and ii) Service Providers involved in the placing of crypto-assets. Service Providers will be required to be authorised in at least one EU member state. Provided that such authorisation is received, the Service Provider can passport their license across the EU subject to a notification procedure. MiCA sets out general requirements that Service Providers would need to comply with, such as requirements relating to outsourcing, the safeguarding of crypto-assets and organisational requirements. In addition, specific requirements will apply, e.g. in relation to the custody and administration of crypto-assets on behalf of third parties and the exchange of crypto-assets into either cryptocurrency or fiat currency.

There will be eight categories of crypto-asset services[14] which will require a license for the Service Provider. The types of services will be a) the custody and administration of crypto-assets on behalf of third parties, b) the operation of a trading platform for crypto-assets, c) the exchange of crypto-assets for fiat currency that is legal tender, d) the exchange of crypto-assets for other crypto-assets, e) the execution of orders for crypto-assets on behalf of third parties, f) the placing of crypto-assets, g) the reception and transmission of orders for crypto-assets on behalf of third parties, and h) providing advice on crypto-assets.

4. Key takeaways

The possibility of clear allocation of crypto-assets to certain categories under MiCA will undoubtedly remove much of the regulatory uncertainty that is at hand today. Given that MiCA will be in the form of an EU Regulation, it will also provide for a fully harmonized regulatory landscape in the EU for crypto-assets.

The new regulatory burden for Issuers and Service Providers that MiCA entails, may to some extent impede innovation relating to crypto-assets, especially from smaller actors in the market. Hence, it is not unlikely that fewer and larger actors, capable of fulfilling internal governance requirements and setting of sufficient compliance resources, will remain. On the other hand, the regulatory certainty for the entire EU market will likely attract more actors yet.

[10] MiCA, p. 2-3
[11] https://law.stanford.edu/2021/01/12/new-crypto-rules-in-the-eu-gateway-for-mass-adoption-or-excessive-regulation/
[12] See Article 3.6 MiCA.
[13] See Article 3.8 MiCA.
[14] See Article 3.9 MiCA.

Central Banks go Fintech – the BIS and the Hub

Tokenisation of green bonds, next generation FMIs, regtech and open finance – what do these modern-day phenomena have to do with a 353-year-old central bank? Everything, we learn when we acquire new insights of central banks pushing the borders of Fintech innovation. The Bank for International Settlements, BIS, in collaboration with the Riksbank, opens an Innovation Hub Nordic Centre in Stockholm on June 16th. We speak to Dilan Ölcer, project manager at the Riksbank in relation to the new Hub Centre, who shares her thoughts on what effect the Hub Centre may have on the Fintech scene in the Nordics and beyond, what interplay one could expect with the industry going forward and of course, what’s on top of her and the centre’s agenda this very moment.
Background

In last year’s FinTech Report we mentioned that the Swedish central bank, the Riksbank, had proposed to be a candidate for the BIS to establish an Innovation Hub Centre in Sweden. To realise the Swedish-based Hub Centre the Sveriges Riksbank Act (lagen [1988:1385] om Sveriges riksbank) needed to be amended and in June last year BIS announced that it will establish an innovation Hub Centre in Stockholm, the BIS Innovation Hub Nordic Centre. Together with the Riksbank, and the central banks of Denmark, Iceland and Norway, BIS will work to deepen the analysis of technological financial innovation of relevance for central banks. BIS, in collaboration with the central banks, will inaugurate the Nordic Hub Centre on June 16th 2021.

Andreas Löfholm
COUNSEL | STOCKHOLM
The Riksbank and BIS

The Swedish central bank is the oldest central bank in the world and in 2018 it celebrated its 350-year anniversary. The Riksbank is an authority under the Swedish parliament (the Riksdag) and its work entails issuing money and ensuring that it retains its value over time. The Riksbank is also assigned to ensure that payments in the economy can be made safely and efficiently.

There are a lot of “techy” things going on concerning payments and settlement for the Riksbank. Last year the Riksbank agreed to join the Eurosystem’s TIPS payment platform. Beginning in spring 2022, the Riksbank will provide a new service, RIX-INST, which will enable banks to make instant payments, round-the-clock, all year round, in central bank money. The Riksbank has also been evaluating an “e-krona”, a digital version of the currency it has issued for a few hundred years.

The Bank for International Settlements could be described as “the central banks’ central bank”. The BIS mission is “to serve central banks in their pursuit of monetary and financial stability, to foster international cooperation in those areas and to act as a bank for central banks.” Recognizing that technology-driven innovation in financial services is accelerating, that the IT revolution has repercussions in multiple locations simultaneously and that central banks can achieve economies of scale by working together, BIS, together with central banks, has established an Innovation Hub.

The Innovation Hub

The mission of the Innovation Hub is to:

• Identify critical trends in technology affecting central banking, and develop insights into these technologies that can be shared with the central banking community.

• Develop public goods in the technology space geared towards improving the functioning of the global financial system.

• Serve as the focal point for a network of central bank experts on innovation, with regular events to promote exchange of views and knowledge-sharing.

Hub Centres have already opened in Hong Kong SAR, Singapore and Switzerland, one opened in London on June 11th, and Centres will, besides Stockholm, also open in Toronto and Frankfurt/Paris. Thus, a mixture of locations, but they seem to share some similarities: they are financial centres, have vibrant fintech ecosystems, and are places where innovation and technological development are at the forefront.

The Hub’s projects focus on six themes identified as being of critical importance to the Hub and to the central banking community: suptech and regtech, next-generation financial market infrastructures (FMIs), central bank digital currencies (CBDCs), open finance, cyber security and green finance. For instance, in Singapore there is a project aiming to demonstrate the functionalities and feasibility of an integrated regulatory data and analytics platform. The idea is that an integrated platform would enable supervisors to digitally extract, query and analyse large and diverse sources of structured and unstructured data that are relevant in real time and to current events. In Hong Kong, one project aims to develop a prototype for the introduction of tokenised green bonds, giving greater access to retail investors. This retail mobilisation, according to information from the BIS website, implies giving wider demand to a sustainable asset class with low risk characteristics as well as fostering ownership and support of green projects.

The Nordic Innovation Hub Centre

The BIS Innovation Hub Nordic Centre will serve as a focal point for a network of experts on innovation, for research on critical trends in financial technology of relevance to central banks, and for promoting international cooperation to enhance the functioning of the global financial system. Located in Stockholm, the Nordic Centre will keep Denmark, Iceland, Norway and Sweden in the forefront of research into digital solutions and analysis of fintech innovation, according to information from the Riksbank’s website.

We speak with Dilan Ölcer who tells us more about the Hub Centre, what it will do, its current status and the future.
So Dilan, who are you?

- I work as an advisor at the Riksbank and I am project manager at the Riksbank to lead the work of establishing the Hub Centre from the Riksbank’s side. I was also responsible for the Riksbank’s candidacy for the Hub Centre.

Dilan points out that it is not the Riksbank that is ultimately responsible for the Hub Centre; it is BIS that is in charge of the establishment and the future work of the Centre.

Focus areas

Dilan explains that none of the Centres are confined to work on just one or a few of the focus themes described above. Each Centre can work on any of the focus themes. It is not however likely that a Centre will do work on all themes at the same time.

BIS and the central banks concerned are currently discussing initial focus areas, or projects, for the Nordic Hub Centre, but Dilan is not able to share any details regarding such discussions.

The objective of the Nordic Hub Centre

Dilan tells us that the main objective of all Hub Centres is to come up with solutions and developments which primarily will enhance central bank activities. Yet, as is evident to us from the focus themes, what the Hub Centres are concerned with is not very different from what the private industry is up to.

Dilan also makes it very clear that the Centres’ work is not taking place in a “central bank vacuum”. Quite the contrary. The idea is to work closely with the private sector and academia. On this theme, it is evident from the BIS website that Hub Centre projects do not only involve the central banking community. Regarding one project we read about, for instance, on international settlements using multi-CBDCs, the financial industry and the blockchain ecosystem are contributing to new collaborative work. Another example involving the private industry is the G20 TechSprint, a global long-form hackathon series, that the BIS Innovation Hub annually co-hosts with the G20 Presidencies.

Stockholm and the Nordics – an ecosystem that fosters innovation

According to Dilan, Stockholm and the Nordics provide an ecosystem that fosters innovation. Since the Hub Centres engage the private sector, the Nordic Hub Centre can benefit from being located in a surrounding where relevant ideas in the field are born and developed. The decision to establish a Hub Centre in Stockholm, according to Dilan, shows that the Nordic countries are far ahead when it comes to digitalization and innovation. The Nordic societies, says Dilan, are also keen to adapt to new technological innovations.

Dilan also points to the interest of the Swedish parliament and government to promote the sector. For the Riksbank, it is important to develop and keep pace with what is happening in the society to provide the best services expected of it and to remain a relevant central bank.

Even though the Nordic region itself provides its own “ecosystem”, the Nordic Hub Centre will not be confined to work in relation to actors in the region. The Nordic Centre will work in close collaboration with the other Hub Centres and can come to collaborate with private actors from other parts of the world. Dilan also calls on Swedish companies who are interested in the work of the Hub Centre not to focus only on the Nordic Centre; there is reason to look for what’s happening in the other Hub Centres and engage in their work where possible.

Laws and regulations

Dilan points out that legal aspects are not the main focus for the Hub Centres. It is not a strategic goal in itself to push regulation. The Hub Centres focus on technology and its practical applications. Yet, Dilan says, the legal aspect is very important in the development of technology in general. With 63 central banks as members, the BIS is very well placed for leading global discussions that can shape the financial system.

Over one year of work from the “home office” for many of us, tech companies closing down offices and a high tech Hub pushing digital frontiers, with a physical establishment – is it needed in this day and age?

Dilan tells us that employees of the Nordic Hub Centre, around 10 people, will potentially come from anywhere in the world. They all however need to move to, and actually live in, Stockholm during their time working for the Centre. Dilan says she sees added value with a physical focal point. To become a part of the Swedish society, she says, the Centre’s representatives need to be here in person. Even though innovation has made physical meetings less necessary, Dilan believes that actually meeting other actors and partners (private companies and authorities etc.) is vital for the work of the Centre in the region. Of course, at the same time a lot of the Centre’s work and meetings, especially with other Hub Centres, will be purely digital.

Dilan, finally, it sounds like you have a very interesting job?

- This is incredibly exciting work! We hope for great solutions and results, beneficial for the Swedish society, but also for other societies around the globe.

Closing remarks

Setterwalls has been providing advice to the Fintech sector for many years. This has given us deep insights into the buzzing ecosystem of Nordic Fintech. It does not come as a surprise to us that Stockholm was chosen to host the BIS Innovation Hub Centre. Stockholm attracts and fosters talent, and talents have a place to grow and develop in Stockholm. In Sweden and the Nordics we have a world-class and affordable digital infrastructure and a stable pro-business environment. We truly believe that the Hub Centre will add on yet another layer to Stockholm’s, and the Nordic region’s, already multifaceted and dynamic tech-scene. For us, this is the centre of gravity, the place to be, and where to look for what’s hot and what’s not.

Lastly, of course, we wish Dilan and her colleagues working with the BIS Innovation Hub Centre the best of luck going forward!

The Swedish Data Protection Authority’s focus on new technologies – what does it mean for the FinTech sector?

Three years have passed since the GDPR entered into force, forming the start of a major society-wide privacy overhaul that is still ongoing today. Now, the Swedish authority for privacy protection (IMY) has summarised the latest technology and privacy developments in Sweden in a recent report, setting out the road ahead for the future supervisory initiatives.
In this article, we look into the IMY’s report and how its findings could impact the Fintech industry.

Tobias Björklund
SPECIALIST COUNSEL | STOCKHOLM

In Sweden, the Fintech sector has seen significant growth and development over the last few years. These developments could be attributed to a combination of important factors where the Swedish market stands out: a major and well established banking and finance presence; a large amount of highly competitive technology companies with ongoing developments; a highly connected society in general and banking sector in particular; experienced and willing local investors with a strong track record in both tech and financial services; and, perhaps most important, several tech and Fintech unicorns coming out of Sweden since the early 2000s.

With this beneficial environment, the Swedish market seems ripe for adaptions of new technologies in the Fintech sector. However, this raises the question of whether the sector’s maturity and ability as regards compliance with data protection regulations can match the challenges that such new tech may bring.

In a recent report, the IMY has summarised the last few years’ tech and privacy developments on the Swedish market and the authority’s plans to tackle these and future developments over the coming years. In this report, special emphasis is placed on the ongoing developments in new technologies, and an enhanced privacy enforcement in several areas is identified as key to meet the coming technology developments and to create a fair and level playing field for all actors on the market.

The IMY’s analysis and agenda are not only of general interest, but may also specifically apply to some key areas of particular relevance for the Fintech sector. Below, we summarise some key findings in the IMY’s report and conclude what this could mean for the Fintech sector in Sweden over the coming years.

Exponential technology developments must be met with equal focus on privacy

The world is currently going through the fourth industrial revolution, where the new technology, at its core, is about creating, collecting, using and sharing data. This brings a massive potential for various kinds of personal data processing - where the more powerful the technological developments, the higher the potential for extensive and intrusive personal data processing.

With this in mind, the IMY notes that the technical developments are constantly ongoing at an increasingly rapid pace. In fact, according to the IMY, the rate of technical improvements is exponential with technical capacity doubling every second year. To keep up with this massive technical progress, the IMY sees it as essential to make significant efforts in ensuring a corresponding level of developments in privacy (both raising compliance and adapting requirements to the new technologies). It is also imperative that such efforts are initiated soon, since established technologies that don’t have sufficient levels of privacy considered in their design could be severely difficult and costly to amend later on – where business models established on these technologies, but in a non-compliant way, may also have strong incentives to resist or avoid any later changes, even if these are driven by privacy concerns.

So where does the IMY see the major technology developments and corresponding privacy challenges in the years to come? Here, the IMY identifies 16 areas of new technology where the IMY sees a particular privacy impact potential. Below, we mention a few of these technologies that are of particular relevance in the Fintech industry.

The power of Artificial Intelligence

The developments in Artificial Intelligence are seen as one of the main potentials for the future, as well as one of the main challenges from a privacy perspective. AI technology enables especially powerful collection and analysis of large amounts of data, to the extent that relatively benign data could be processed by AI in such a way that it could become very sensitive from a privacy perspective. According to the IMY, it will be imperative to ensure sufficient transparency, accountability and lawful basis for use of AI-solutions - areas where there are particular challenges and privacy risks.

For the Fintech sector, AI solutions are of particular interest due to the vast amount of data available in the financial systems. This provides a trove of potential value that could be mined by using AI technology. Such use could, according to the IMY, be relevant for the Fintech sector in for example automated analysis or decision systems, or in security or behavioural analyses for predictions on financial opportunities or risks. However, such processing could also be particularly revealing of fundamental information on individuals’ behaviours, interests, patterns, etc. – all of which could be very sensitive from an integrity perspective and might even entail risks to individuals’ rights under applicable financial regulations. For these reasons, the IMY will aim to have a particular focus on use of AI systems and to ensure that common practice and enforcement will be made for an improved and continued compliance with privacy requirements.

You scrape my web, I scrape yours

Web scraping is something that already occurs to a large extent – where software applications use various kinds of tools to automatically collect data presented online or in connected services. However, the IMY notes that when used in combination with AI, the privacy implications could be extensive. Particularly, large datasets could be collected from various sources in a complex way that could be very difficult for the relevant data subject to overview in a transparent manner. Moreover, where a powerful AI could provide extremely powerful insights this could lead to very intrusive processing of the individual’s personal information. A combination of these technologies could therefore not only be very powerful but also entail a high potential risk from a data protection perspective.

For the Fintech sector, this could be particularly relevant when combining the already huge amount of financial data with other kinds of data available for web scraping. There could also be issues of lack of control of data, if advanced web scraping technologies are combined with powerful AI to obtain insights on other financial actors’ users. Here, the IMY sees particular risk and therefore a higher need for a focused regulatory supervision.

Cloud services

In the last couple of years, we have seen a massive increase in the use of cloud services, both for combinations and use of external cloud-based services (as opposed to traditional licensing) and also for a decentralised and scalable hosting of an organisation’s data or infrastructure. The IMY notes that this technology has significantly improved the efficiency and scalability in IT-systems and services in a mostly positive way. In financial services, the new and versatile cloud solutions make it possible to take further advantage of the large amounts of data collected and processed as part of its operations and to quickly develop and implement new services in a more agile way than before.

However, few have missed the controversial and complex regulatory situation for cloud services, which has brought a significant amount of uncertainty on how to use this technology in a compliant manner. Particularly, regulations in the EBA Guidelines on Cloud Services and subsequent Guidelines on Outsourcing have increased requirements for financial actors’ use of cloud services in its IT-infrastructure. Additionally, last year’s ruling in the Schrems II case resulted in significant uncertainties as regards use of cloud services from the major providers. Together, these created a severely complex regulatory landscape with significant hurdles to overcome for any fully compliant use of cloud services in the financial sector.

But there is perhaps good news to come for cloud compliance. Recently, the first Code of Conduct for Cloud providers was approved by the Belgian data protection authority - simplifying compliance when using cloud services.
Hopefully, this will pave the way for further initiatives, which may be sector specific, facilitating the use of these new technologies in a compliant way.

Particular focus on the “problematic” Adtech market

The IMY singles out and puts a specific focus on the Adtech market, which has come under scrutiny in several recent decisions and reviews around Europe. As such, the IMY labels the sector as “problematic” with severely complex and non-transparent use of personal data, which could lead to high risks for individuals’ rights according to the IMY. In general, the IMY states that the Adtech industry is systematically in breach of fundamental parts of applicable data protection laws.

For the Fintech industry, this may pose particular challenges when interacting with Adtech providers as these services are often essential for any business and therefore hard to completely avoid. In this regard, such interactions may however pose a larger risk for Fintech players – since they are often exposed to more severe sanctions and are more sensitive to reputational/trust damage. The IMY notes that some users of Adtech services are different providers of financial services and that, as such, these are also responsible for personal data processed when using the Adtech service. Thus, if the Adtech industry poses a systematic compliance risk, this could entail severe compliance risks for Fintech actors and potentially also affect other regulatory aspects of a Fintech player. Since the Adtech sector will be under particular scrutiny by the IMY in the coming years, the Fintech sector would do well to review any interactions or uses of the services such Adtech suppliers provide.

Blockchain technologies

Technologies based on blockchain solutions have been gaining momentum over the last couple of years, and with that there has also been an increased focus on whether these technologies can be designed and used in a way that is GDPR compliant. The IMY notes that blockchain technologies can be used in a wide range of applications, with everything from Central Bank Digital Currencies, decentralised finance (defi) solutions, smart contracts and secure processing of sensitive information. Blockchain applications may thus both entail inherent compliance issues that may be difficult to overcome as well as improve information security to the benefit of some privacy aspects.

It has been noted in a number of reports that there are several uncertainties regarding how some central aspects of the GDPR shall be applied and interpreted for blockchain technology and infrastructure. Particularly, many questions are unsolved on how to interpret and apply the definition of personal data to information in a distributed ledger, how to assign the responsibility as a personal data controller in such a decentralised system and how to comply with requirements of minimization of personal data, processing, purpose and storage when data in a blockchain is normally used continuously for verification of ongoing transactions and thus cannot be removed once included. The IMY stresses the importance of continued development and clarifications on how to apply privacy laws on new technologies, and new developments in these areas are to be expected.

Extensive compliance deficiencies remain

During the recent years, the IMY has made a number of examinations of the general GDPR compliance level in Sweden. From these reviews, the IMY’s overall assessment is that although much work has been done, there are still general and extensive deficiencies in the companies’ GDPR compliance. Notably, the IMY observes that many companies have still not established systematic and continuous compliance work, which results in non-compliance with the fundamental principles of the GDPR, legal basis for processing, insufficient security measures or data subjects’ rights and more. Additionally, the IMY notes that it has likely received far too few requests for prior consultations, indicating that companies do not perform Data Protection Impact Assessments to the extent required.

With this general lack of full compliance, the IMY notes that some sectors have nevertheless come farther than others in establishing a higher degree of data protection compliance. Among those performing better in this regard are both the financial and tech sectors. However, the IMY states that these industries often undertake extensive and potentially sensitive personal data processing, which warrants this higher general degree of compliance. The IMY also notes that one of the main concerns among citizens is how information regarding their financial data is processed and how payment card details are used, which is why there is still more work to be done also in these sectors.

New efforts to raise the compliance level

The IMY sets out an ambitious plan for its work ahead for the coming years.

As one important part to tackle the challenges with these new technologies, the authority has received additional funding to perform activities and initiatives to raise the knowledge and compliance levels in the areas of technical innovations, developments and applications. This will require a deeper communication with the affected organisations, and will hopefully lead to constructive and clarifying materials on how to combine the new technologies with a high degree of protection for personal data. And, to further bolster innovation in combination with privacy compliance, the IMY is also considering establishing a regulatory sandbox-operation where new technologies could be tried out.

The IMY also aims to take a leading role among its European counterparts in preparation of guidelines and recommendations in these areas of new technologies identified, in particular for technology that is of importance from a Swedish perspective. This will for example regard AI, IoT and biometry.
Perhaps most importantly, as regards its enforcement operations, the IMY will shift the focus of its compliance supervision from a previous risk based model, where high risk areas were specifically targeted for supervisory actions, to a complaint based model, where supervision and enforcement will be primarily based on complaints from the public. So for the future, companies should expect individuals’ complaints to be more of a focus for Swedish operations with personal data processing – and should consider adjusting their operations and customer support accordingly.

To sum up

To match the exponential technology developments, the Swedish supervisory agency IMY will take its operations into a higher gear. This will hopefully lead to significant clarifications on GDPR compliance for the cutting edge of technology developments, but it will likely also lead to a considerable increase in new rules and guidelines as well as supervisory review and enforcement.

In conclusion, equally exciting and challenging times lie ahead, especially in the Fintech field where the stars could align for innovative utilizations of the vast amount of data that exists. But to be able to gain the advantage that this provides, companies must also address the privacy issues related to such technologies, even if no clear route for compliance may be available (due to lack of clarifications from the governing bodies). This requires of the Fintech company a strong foundation in routines, structure and organisation. Without such a foundation, Fintech companies might find themselves left in the dust of other actors – either because of lack of implementation speed due to privacy investments made too late or from effective enforcement due to user complaints. So when enforcement from complaints is likely to become more common, companies should be aware that the biggest cost in any data protection enforcement might not be the fine, but instead the cost of loss in consumer trust to use the service that they provide.

NFTs and copyright – complementary or at odds?

Niklas Follin
SENIOR ASSOCIATE | STOCKHOLM

Introduction

The trade of non-fungible tokens (NFTs for short) has lately garnered quite a lot of attention and interest, likely in part due to the high selling price of some NFTs. It should be uncontroversial to state that some items represented by or linked to an NFT can be protected by copyright law while others cannot. And while the purpose of NFTs is to give the owner a strong and exclusive right to the NFT itself, such ownership does not entail ownership of the copyright to the linked item. In this article we will touch upon a few possible challenges related to the conflict of ownership of an NFT and ownership of copyright to the linked item.

What rights do NFTs grant the owner?

Practically any item can be linked to an NFT, and thanks to the NFT’s basis in blockchain technology it is virtually impossible to counterfeit NFTs. An NFT is unique and NFT transactions are traceable (each new transaction is subsequently ordered in blocks which are added to the already existing chain). In other words, an NFT is a unique digital asset that is versatile, and transactions are recorded and transparent. These qualities lend themselves to numerous possibilities for the use of NFTs. For instance, an NFT linked to a digital artwork can assure the buyer that the purchase relates to an authorised copy of the artwork, or a company could sell an NFT and link it to a virtual representation of a physical object. The NFT will, simplified, act like a digital certificate of authenticity for said objects. That being said, ownership of an NFT does not equal ownership of any copyright to the linked object.