-
Who are the primary regulators overseeing fintechs in your jurisdiction, and how are regulatory boundaries evolving as innovation crosses traditional lines between payments, lending, wealth, and digital assets?
In Finland, the primary regulator for fintechs is the Finnish Financial Supervisory Authority (“FIN-FSA”), which acts as the general regulator for financial industry activities requiring licensing or registration. Additional oversight is provided by the Data Protection Ombudsman and the Finnish Competition and Consumer Authority.
Since Finland is a member of the EU, the European Supervisory Authorities (“ESAs”) also have jurisdiction. The ESAs consist of the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”), which, together with the FIN-FSA, provide micro-prudential supervision. Whilst the ongoing supervision of financial institutions remains with the national supervisory authorities, the jurisdiction of the ESAs is enforced through level 2 or level 3 measures.
Due to the lack of fintech-specific regulation, the regulation applicable to fintechs is contingent on the business model undertaken and does not differ from legacy players. Thus, the regulatory regime applicable to fintechs comprises the general regulations applicable to financial institutions.
-
As regulators adopt different rules for digital assets, AI, and consumer protection, what key regulatory and operational challenges could slow fintech innovation and growth in your jurisdiction over the next 12 months?
The volume of regulatory measures has surged and compliance standards have tightened, substantially raising operational costs for fintech enterprises. These requirements have in turn created barriers to entry for new players, impeding their ability to enter the market seamlessly.
Notably, this regulatory landscape exerts particular pressure on consumer lending companies, as the national implementation of the Consumer Rights Directive will enter into force on 19 June 2026 and the Consumer Credit Directive on 20 November 2026. The amendments necessitate a review of the operational framework, a reassessment of credit assessment processes as well as advertising strategies and consumer protection measures. As the implementation deadline approaches, institutions must evaluate and adapt their compliance frameworks by reviewing applicable regulatory licenses and registrations, updating terms and conditions and lending policies, enhancing customer communication and ensuring staff training aligns with new regulatory expectations.
Additionally, rising costs and competition in the sector, combined with the economic uncertainty in global markets, may hinder smaller fintech companies from scaling or attracting investment. Addressing these challenges will be critical for sustaining the sector’s growth.
-
Are fintechs generally required to obtain licenses or registrations to operate in your jurisdiction, and if so, which activities typically trigger those requirements (e.g., lending, payments, digital assets custody)?
Fintech companies can be required to be licensed or registered to operate in Finland, depending on the nature of their activities. Those providing regulated financial services must obtain appropriate licenses or registrations. Regulated services include payment services, credit institution activity, consumer and P2P lending or intermediation, investment services and crypto-asset services.
Payment services falling under the scope of the Act on Payment Institutions (297/2010, the “PIA”) include activities such as execution of payment transactions, money remittance, issuance of electronic money and issuance of payment instruments. The activity of providing loans that are financed via repayable funds received from customer deposits falls under the Act on Credit Institutions (610/2014, the “ACI”). Unlike businesses engaging in credit institution operations, businesses providing consumer credits and P2P lending without the use of repayable funds as well as P2P intermediation are regulated under the Act on the Registration of Certain Credit Providers and Credit Intermediaries (186/2023).
The Act on Investment Services (747/2012, the “ISA”) governs investment services, including the reception and transmission or execution of orders, investment advice and portfolio management. Crypto-asset services, however, are governed by Regulation (EU) 2023/1114 of the European Parliament and of the Council (the “MiCAR”). Regulated crypto‑asset services include the custody and administration of crypto‑assets on behalf of clients, the operation of a crypto‑asset trading platform, exchange services between crypto‑assets and funds or other crypto‑assets, and the execution or reception and transmission of orders relating to crypto‑assets. Digital assets custody refers to the safekeeping or control of clients’ crypto‑assets, which triggers the requirement to obtain authorisation as a crypto-asset service provider.
Since Finland is an EU Member State, authorised fintechs can take advantage of the passporting regime, allowing them to provide services across the entire European Economic Area (EEA) using their licence from Finland.
-
Are there emerging cross-functional or omnibus licensing regimes, such as those inspired by the U.S. GENIUS Act, the EU MiCA/DORA frameworks, or similar integrated models, that allow a single license to cover multiple fintech activities?
In Finland and the EU, there is currently no true omnibus or cross‑functional fintech licence that would allow a single authorisation to cover multiple, unrelated regulated activities. Regulation continues to rely on a function‑based licensing approach, requiring separate authorisations depending on the regulated activity. EU law has so far avoided introducing a single bespoke fintech licence covering multiple financial and technology‑driven activities, favouring harmonisation of rules rather than consolidation of licences.
-
How have regulatory sandboxes, innovation offices, or digital-testing frameworks matured in 2025, and what measurable impact have they had on time-to-market or capital formation for fintech start-ups?
Finland does not have a regulatory sandbox or digital-testing frameworks. The Finnish legislation does not allow regulators to grant exemptions from peremptory regulation, so any potential and forthcoming regulatory sandboxes would need to be assembled via legislation.
Instead, Finland has adopted a more guidance‑based and supervisory‑dialogue‑oriented approach. The FIN-FSA advises service providers (including fintechs) via its Innovation HelpDesk service, which provides informal regulatory guidance on how existing financial regulation may apply to new technologies or business models. This enables fintech companies to approach the FIN-FSA with their licensing questions and to receive (non-binding) advice easily and promptly as to whether their business or services meet the licensing requirements.
From a practical perspective, this model has contributed to reducing regulatory uncertainty at an early stage of product development, which can indirectly support faster market entry by helping firms structure their offerings in line with applicable licensing and compliance requirements from the outset. However, unlike formal regulatory sandboxes in some other jurisdictions, the Finnish framework does not involve live testing with regulatory exemptions or tailored authorisations, nor does it generate easily quantifiable metrics on reduced time‑to‑market or capital formation.
-
How are regulators adapting their supervisory approaches (e.g., RegTech-enabled supervision, API-based reporting) to oversee fintechs operating across jurisdictions or with embedded finance models?
In Finland, fintechs are supervised primarily by the FIN‑FSA within the same legal and supervisory framework as traditional financial institutions, with supervision calibrated based on the nature of the regulated activity, risk profile and scale of operations rather than the use of technology as such. For fintechs operating cross‑border within the EU, supervision is typically organised on a home‑state basis under passporting regimes, complemented by close cooperation and information exchange between national competent authorities. For cross-border operations, supervisory adaptation is primarily seen in enhanced supervisory cooperation and in more standardised, structured reporting and risk-based oversight.
Embedded finance models are typically assessed through the licensing perimeter and the allocation of responsibilities across providers, agents and outsourced partners, with a particular focus on operational resilience, third‑party risk, customer protection and AML/CTF where relevant.
-
How do your jurisdiction’s securities, commodities, and banking regulators interpret tokenization, DeFi, and stablecoin products under the current legal landscape, particularly in light of the U.S. state-level stablecoin acts and MiCA implementation in the EU?
In Finland, MiCAR is already applicable as the transitional period ended on 30 June 2025. The regulatory assessment of tokenization is primarily driven by classification under MiCAR and securities legislation. Blockchain-based assets are generally treated as crypto-assets that are either asset-referenced tokens (“ARTs”), electronic money tokens (“EMTs”) or crypto-assets other than ARTs or EMTs. Crypto-assets are not automatically categorised as financial instruments or securities; however, their classification depends on their specific characteristics. A blockchain asset may be deemed a financial instrument or security based on its nature, requiring a case-by-case analysis. This analysis considers that securities market legislation is technology-neutral. For example, the FIN-FSA uses a set of questions to evaluate whether a crypto-asset qualifies as a security.
If crypto-assets are deemed financial instruments/securities, they fall outside the scope of MiCAR and are instead governed by other EU legislation applicable to financial instruments/securities. The legal landscape for tokenisation of real-world assets in Finland is uncertain as the classification of assets is unclear. Due to the uncertainty, the Finnish tokenisation market remains undeveloped.
The regulation of decentralised finance (DeFi) depends on the extent to which a service is genuinely decentralised. Under MiCAR, crypto-asset services that are provided in a completely decentralised manner and thus without an intermediary do not fall within the scope of regulation. However, MiCAR does not automatically exempt all DeFi platforms. If a party facilitates the trading of crypto-assets in a manner that involves some form of control, governance or influence over the platform, regulators may view them as an intermediary. In such cases, they could be subject to the same regulatory requirements as centralised crypto-asset service providers. Therefore, simply operating under the label of DeFi does not necessarily mean a service is outside the regulatory perimeter. The degree of decentralisation and the presence of any entity that exercises control or facilitates transactions will be key factors in determining whether and how regulation applies.
Under MiCAR, stablecoins are expressly classified as either ARTs or EMTs, depending on the stabilisation mechanism. Therefore, stablecoins fall within the scope of MiCAR.
-
What are the AML/CFT and travel-rule obligations for virtual asset service providers currently, and how do they apply to “non-custodial” or “self-hosted wallet” models?
In Finland, crypto-asset service providers (“CASPs”) are required to obtain authorisation from the FIN-FSA. Entities authorised and supervised by the FIN-FSA are classified as obliged entities and they are thus required to comply with AML/CFT laws and rules. The FIN-FSA has assessed the sector’s overall money laundering and terrorist financing risk as significant. Anonymous crypto-asset accounts, and accounts enabling anonymization or obfuscation of transactions (including through anonymity-enhancing coins), are prohibited.
Regulation (EU) 2023/1113 (the Travel Rule Regulation) applies to transfers of crypto-assets — including those executed via crypto-ATMs — where at least one CASP is involved. Unlike fund transfers, there is no minimum amount threshold: travel-rule obligations apply to all crypto-asset transfers regardless of value and regardless of whether the transfer is domestic or cross-border. The originating CASP must ensure each transfer is accompanied by verified originator and beneficiary information, transmitted securely before or simultaneously with the transfer. The beneficiary CASP must detect missing or incomplete data and apply risk-based procedures, including rejecting, returning or suspending transfers, where required information is absent before making assets available. The Travel Rule Regulation does not apply to purely peer-to-peer transfers with no CASP involvement or to proprietary transfers between CASPs acting on their own behalf.
Transfers involving a CASP on at least one side fall within scope even where the counterparty uses a self-hosted address. The EBA Guidelines (EBA/GL/2024/11) recognize such transfers related to self-hosted wallets as inherently higher risk. CASPs must identify whether a self-hosted address is involved using blockchain analytics or direct customer inquiry, collect originator/beneficiary information from their customer, and, for transfers at or above EUR 1,000, verify ownership or control of the self-hosted address using at least one technical method. CASPs may whitelist verified addresses for subsequent transactions. Risk-based mitigating measures must be applied to all self-hosted address transfers and suspicions must be reported.
-
What new prudential or reserve requirements are being imposed on stablecoin issuers or custodians?
In Finland, no additional national prudential or reserve requirements have been introduced beyond those set out in the MiCAR. MiCAR itself represents a significant new prudential framework for stablecoin issuers, introducing detailed reserve‑of‑assets, liquidity, segregation and own‑funds requirements for issuers of ARTs and EMTs, with enhanced obligations for ‘significant’ stablecoins. Crypto‑asset custodians are subject to MiCAR’s general prudential and safeguarding requirements but are not required to maintain stablecoin‑style reserves.
-
How focused are regulators in your jurisdiction on data privacy, cybersecurity, and operational resilience for fintechs, and what enforcement or inquiry trends are emerging?
Finnish regulators are highly focused on all three areas. Regarding data privacy in the financial sector, Finland’s Data Protection Ombudsman imposed substantial GDPR fines on two credit institutions during 2025, amounting to EUR 865,000 and EUR 1,800,000. Neither decision is legally binding yet. Even though the fines were not directed at fintechs, they demonstrate the latest supervisory practice on GDPR enforcement in the financial sector in Finland.
Regarding trends in cybersecurity, the EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been applied since 17 January 2025. The FIN-FSA has announced that its supervisory priorities for DORA are ICT and information-security risk management, ICT incident reporting and third-party ICT provider oversight. In 2025, the FIN-FSA required threat-based penetration testing for 11 supervised entities and directed oversight of 19 critical third-party service providers. In supervision of operational resilience, the FIN-FSA has continued to target inspections on customer due diligence and sanctions compliance. The FIN-FSA has announced that one of its main focuses is supervision of digital resilience and security of digital services.
-
What practical steps should cryptocurrency and blockchain companies take to detect and prevent fraudulent transactions, and how can they prepare for regulatory audits, inquiries, and enforcement actions?
To meet AML obligations, companies must adopt a structured and proactive compliance program. This begins with understanding applicable laws and staying updated on regulatory changes. A robust program requires assessing risks associated with customer types, services and geographic locations. Automated tools must be used to monitor transactions and sanctions lists. A compliance officer should oversee these efforts, supported by clear policies, regular employee training and documented procedures.
-
How are fintechs adapting to changing immigration frameworks, such as revisions to U.S. H-1B and digital nomad visas in the EU and Asia, to attract tech and compliance talent globally?
Due to Finland’s membership in the European Union, there are no significant obstacles for work-related immigration from EU Member States. Non-EU/EEA nationals must apply for a residence permit if they intend to stay in Finland – for purposes other than tourism – for more than 90 days. There are several grounds for applying for a residence permit.
While changes to immigration frameworks such as the U.S. H‑1B visas have increased the complexity of talent mobility globally, Finnish fintechs are able to leverage Finland’s pro‑immigration policy for skilled workers. The Finnish Government has stated that it invests in promoting work-based immigration in many ways. The revised Talent Boost programme will, for example, promote the availability of experts and streamline residence permit processes. In addition, effective from the beginning of 2026, the foreign expert tax regime provides a flat tax rate of 25% on salary income instead of the normal progressive rates for those foreign employees who have not been residents in Finland within the last five calendar years preceding the commencement of their employment in Finland.
Finland does not have a separate digital nomad visa, and remote work is not deemed a valid ground for a residence permit in Finland, which makes working for foreign fintechs very complicated for foreigners staying in Finland. Finnish fintechs are monitoring the development of such visas in the EU and Asia as a potential supplementary means of engaging remote talent. In practice, any engagement of employees working under digital nomad visas typically requires careful analysis of tax and employment laws and regulatory risks.
-
What new geopolitical or sanctions-related risks (e.g., digital asset restrictions, AML screening mandates) have emerged that affect fintech operations in cross-border markets?
Geopolitical developments have heightened sanctions‑related compliance risks for fintechs. In its 2026 thematic review, the FIN‑FSA found that sanctions‑screening systems often struggle when EU sanctions lists are updated, creating acute risk immediately after new listings enter into force. As sanctions become binding immediately upon publication, the FIN‑FSA has stressed that screening systems must be updated without delay. Even short update lags can create a critical risk window in which sanctioned parties may execute prohibited transactions. The FIN‑FSA emphasises real‑time list updates, robust name‑matching (including variants) and continuous testing, particularly for cross‑border payment and instant‑payment services.
Differences between the EU and U.S. sanctions regimes create additional structural compliance challenges for cross‑border fintechs. EU sanctions, implemented through directly applicable EU regulations, are primarily territorial and preventive, whereas U.S. sanctions administered by the Office of Foreign Assets Control (OFAC) have a centralized, executive-driven character and broad extraterritorial reach where a U.S. nexus exists (e.g., USD transactions, U.S. banks or U.S.-based services). For fintechs reliant on cross‑border payments and third‑party infrastructure, these divergences complicate sanctions screening and governance. Conflicts between EU and U.S. sanctions expectations, illustrated by the EU Blocking Statute and related case law, can force difficult compliance trade‑offs and business‑continuity decisions for internationally active fintechs.
-
How do immigration and workforce-mobility policies—like work visas, remote-work permits, and intra-company transfers—affect fintechs’ ability to move key staff into new markets, and what practical steps can companies take to avoid talent shortages or delays?
Due to Finland’s membership in the European Union, there are no significant obstacles for intra-company transfers of EU/EEA nationals to Finland or Finnish employees to other EU Member States. Non-EU/EEA nationals would need a residence permit to stay in Finland for more than 90 days even when coming to Finland in an intra-company transfer.
-
How do immigration rules and visa limitations influence the speed and strategy of fintech market entry, particularly when launching operations in multiple jurisdictions?
Immigration rules can affect the timing and structuring of fintech market entry, particularly where the business depends on key non‑EU personnel or launches across several jurisdictions. In Finland, non-EU/EEA nationals generally require a residence permit for work. While accelerated options (such as Fast Track, EU Blue Card and start‑up permits) are available, processing times still require early planning and can delay the effective start of operations. This is especially relevant where local management presence is expected for regulatory reasons.
In multi‑jurisdictional launches, differing immigration regimes and processing timelines across EU Member States may lead to staggered market entry. Overall, immigration rules rarely prevent entry but can influence speed, staffing choices and operating model if not addressed early.
-
How can fintechs protect their proprietary algorithms and smart-contract code, balancing open-source use with trade-secret protections and any AI-related disclosure rules?
Under the Finnish Copyright Act (404/1961), the software code forming the algorithms and the software is, as a rule, protected by copyright. Copyright protects the expression of the software (source code and object code) but does not cover the underlying ideas or algorithms.
When open-source components are incorporated into proprietary algorithms or smart-contract code, fintech companies must audit the applicable licences carefully. Copying of program code is only permitted where those actions are indispensable for achieving interoperability between independently created programs, where the necessary information was not previously readily available, and where the actions are limited to the parts of the original program necessary for that purpose. Information obtained on that basis may not be used for any purpose other than achieving interoperability of the independently created program, given to third parties beyond what interoperability requires, or used to develop a substantially similar program or for any other act infringing copyright.
The patentability of a fintech innovation is evaluated in the same way as innovation in any other industry. Under the Finnish Patent Act (550/1967), an invention is eligible for a patent when it is new, involves an inventive step, and is capable of industrial application. Additionally, the invention must not fall under exclusions such as discoveries, scientific theories, artistic creations, business methods, or computer programs as such. According to the Finnish Patent Act, “programs for computers as such” are not considered to be inventions. Thus, in principle, mere software as such is not patentable, but if a software program is part of a device or system that solves a technical problem, it may be patentable if it is also novel and inventive. An invention implemented by software may also be patentable. The Patent Act also provides that a mathematical method or algorithm as such cannot be patented, but if the algorithm is applied to a technical problem, the invention may be patentable as a technical solution. Also, purely financial or business methods are not patentable unless they are combined with a technical solution.
Fintech companies should consider protecting proprietary algorithms and software-related solutions as trade secrets. This requires that the information is kept confidential and appropriate measures under the Finnish Trade Secret Act (595/2018) are taken to prevent unauthorized access. The Finnish legislation offers protection against the unlawful acquisition, use, or disclosure of trade secrets. To protect proprietary algorithms, access should be strictly limited on a need-to-know basis. Non-disclosure agreements (NDAs) must be utilized with employees, partners, and contractors to ensure confidentiality. Additionally, robust physical and digital security measures should be implemented to prevent unauthorized access. Acquiring a trade secret is not unlawful if done by independent discovery or by observing, studying, disassembling, or testing a product made available to the public or lawfully in the possession of a person who is not under any obligation to restrict acquisition. Core proprietary logic should therefore remain off-chain wherever possible.
Trade secrets are usually a form of protection that complements copyright. In addition, a trade secret protects an invention until a patent application is filed. Where fintech algorithms or smart-contract systems incorporate AI, documentation and transparency obligations apply under the EU AI Act (Regulation (EU) 2024/1689) and its Finnish supplementing legislation, the Act on the Supervision of Certain AI Systems (1377/2025), which entered into force on 1 January 2026. Generally, explanation of outcomes and risk factors are required rather than disclosure of the underlying source code or precise model weights. Where regulators do require technical documentation (as under the EU AI Act for high-risk systems), fintechs should seek to submit this information under confidentiality undertakings or under protective orders.
-
What strategies are most effective for safeguarding trademarks and digital brands in an era of AI-generated impersonation, deepfakes, and synthetic media fraud?
The most efficient way of protecting brand identity in the Finnish market is to seek trademark and/or design protection for brand elements that can be protected as a trademark or as a design.
As regards trademarks specifically, under the Finnish Trademarks Act (544/2019) and similarly under the EU trademark regulation, trademark protection may be obtained, for example, for words, logos, slogans, colors, sounds and multimedia signs as long as they are distinctive and represented in a clear and precise manner. The distinctiveness of a trademark means that the mark can distinguish a product or a service and indicate its origin. A mark is not considered distinctive if it describes the kind, quality, quantity, purpose, value, or geographical origin of the goods or services; if it has become a commonly used name in trade for a good or service; or if it otherwise lacks distinctiveness in trade. Descriptive or generic marks are not inherently eligible for trademark protection unless they have acquired distinctiveness through use, which may be difficult to prove. Descriptive terms are left free for all parties to use.
A trademark should also not be confusingly similar or identical to earlier registered or established trademarks. A holder of an earlier mark may oppose the registration of a later filed application. In Finland, the Finnish authority examines earlier rights automatically before the mark is registered and refuses the registration if there are identical or similar national or EU trademarks or registered company names.
Trademark registration may be obtained as a national right through the Finnish Patent and Registration Office (PRH), as an international registration designating Finland through WIPO’s application or by filing an application with the European Union Intellectual Property Office (EUIPO) that covers all EU member states. Obtaining a registration grants its holder an exclusive right to use the trademark and excludes others from using an identical or similar sign that could be regarded as confusingly similar. Trademark holders should also be aware that a registered trademark may be cancelled for non-use if it is not put to genuine use within five years of registration, or if use is interrupted for five consecutive years without proper justification. Equally, passivity carries risk, as failure to act against a later mark used in good faith within five years of becoming aware of it may result in the marks being required to coexist.
Consulting professional legal counsel before applying for trademark rights is highly recommended. Once trademark registration is obtained, the mark should be used consistently in its registered form in all marketing materials. Consistent use of the trademarks strengthens the brand identity and provides evidence of active use of the registered marks if disputes arise.
In the context of AI-generated brand impersonation, the trademark infringement framework described above applies directly: the use of a sign that is identical or confusingly similar to a registered trademark in the context of AI-generated content or synthetic media constitutes trademark infringement, regardless of the technological means by which it is produced.
Beyond trademark law, the EU AI Act (Regulation (EU) 2024/1689) introduces specific obligations directly relevant to AI-generated impersonation and deepfakes. Companies whose brands are targeted by AI-generated impersonation should therefore both enforce trademark rights against the infringing use of their marks through injunctions and compensation claims, and where applicable, report non-compliant AI-generated deepfake content to the competent supervisory authority.
-
When fintechs collaborate with outside developers, partners, or open-source communities, how can they make sure they retain ownership of their technology and avoid disputes?
The foundation for managing these challenges lies in clearly defining IP ownership through contracts. For instance, where applicable, agreements should specify that all IP created by third-party developers is owned by the fintech, as no automatic transfer occurs. Where IP is jointly developed, it is jointly owned by all creators, and no co-owner may grant licences or transfer the right without the consent of the others. Thus, agreements must clearly outline ownership rights, including provisions on licensing, commercialisation, and revenue sharing.
To further protect their interests, fintechs should include IP assignment clauses in contracts, requiring developers to assign any IP created during their engagement to the company. For employees in Finland, the position is different: if a computer program and a work directly related to it are created in the performance of duties arising from an employment relationship, copyright in the computer program and the work transfers to the employer. It is also important to differentiate between pre-existing IP and newly created IP to avoid misunderstandings. Conducting regular IP audits before entering into partnerships can help identify existing IP and ensure there are no conflicts.
Confidentiality is another critical aspect, and non-disclosure agreements (NDAs) should be used to protect sensitive ideas, trade secrets, and proprietary information shared during collaborations. In situations where full ownership of IP is impractical, negotiating exclusive or perpetual licenses can provide the flexibility needed to use third-party contributions without compromising future operations.
Engaging professional legal counsel is highly recommended to draft robust contracts and ensure compliance with both local and international IP laws.
-
What steps should fintechs take to detect, prevent, and respond to competitors or third parties who might copy or misuse their technology, algorithms, or branding, and how do enforcement strategies differ across jurisdictions?
To prevent and address potential IP infringements in Finland, fintech companies must take a proactive and strategic approach. Companies should obtain and maintain registered rights, including patents, trademarks, and design rights, while also understanding their non-registrable rights, such as copyrights and trade secrets.
Knowledge of existing rights provides a strong basis for monitoring the market and identifying potential infringements. Companies may use third-party monitoring databases to track unauthorized use of their IP or copycats, and may educate employees to understand the IP owned by the company and to recognise possible infringement cases. In addition, well-drafted IP clauses in all contracts, including contracts with employees, contractors and partners, reduce the risk of future disputes and help ensure that IP created in the course of work is properly assigned to the company.
When infringement occurs, companies should act promptly by evaluating the overall situation and possible actions. A cease-and-desist letter is typically the first step, and in many cases resolves matters without litigation. If court action is required, the correct forum depends on the type of right concerned. For trademarks and patents, the Market Court has exclusive jurisdiction over IP infringement matters, while private law claims under the Trade Secrets Act are examined in the relevant District Court or in the Market Court depending on the case.
Companies should also be aware of the important interim remedies available. For trade secrets, the court can issue an interim injunction before a final resolution, if the claimant demonstrates it is probable that the secret exists, the claimant holds the right, and infringement is occurring or imminent.
Enforcement strategies differ across jurisdictions, and this answer is limited to Finland. Collaboration with legal experts helps companies to stay informed and to enforce their rights effectively.
-
How are jurisdictions addressing cross-border IP enforcement for fintech products involving distributed infrastructure and decentralized code bases?
The Finnish framework is built on general, territorially scoped IP statutes, supplemented by EU law and international agreements.
A fintech’s software code qualifies for copyright protection as a literary work where the connecting factors are satisfied, but infringement occurring wholly outside Finland is governed by the law of the country where the infringing act takes place. Where source code is copied and executed in multiple countries simultaneously, a Finnish rights holder must in principle pursue separate claims under each applicable national law.
On the patent side, alongside the Market Court, the Unified Patent Court (UPC) also handles European patent matters under the UPC Agreement. Finland’s participation in the UPC system is the most significant cross-border development in patent enforcement for fintech companies as European patents with unitary effect can now be enforced in a single action across all UPC contracting states.
The most practically significant tool that Finnish law offers for situations where an infringer operating across or outside Finnish borders cannot be directly identified or sued is to target a Finnish-based intermediary, where applicable.
Finnish legislation has not addressed the fact that decentralised fintech products typically have no single identifiable operator and no single jurisdiction of operation, as the territorial assumptions that underpin each of the relevant Finnish statutes presuppose an identifiable defendant in an identifiable jurisdiction. Fintech companies relying on Finnish law must therefore work within the existing framework by structuring contractual relationships carefully, preserving evidence of reasonable protective measures as required for trade secret protection, obtaining multi-jurisdictional IP registrations where possible, and pursuing coordinated enforcement strategies across all relevant jurisdictions with local counsel, rather than relying on any Finnish-specific cross-border mechanism to address the problem comprehensively.
-
How should fintechs approach IP protection when licensing or selling software, smart contracts, or AI models to ensure ongoing control and compliance with different countries’ laws?
Finnish copyright law applies to programs made by Finnish nationals or persons habitually resident in Finland, and to works first published in Finland or published abroad and then in Finland within thirty days. Outside these connecting factors, the law of the place where infringement occurs governs.
A fintech licensing its software to a counterparty in multiple countries should structure separate territorial licences precisely, specifying which rights are granted in each jurisdiction, under which law, and with which courts having jurisdiction to resolve disputes. Where licensing into EU jurisdictions, the Software Directive (2009/24/EC) has harmonised the mandatory user rights that Finnish law reflects.
Since algorithms and AI model architecture sit outside copyright, limited protection for such ideas is provided by trade secret rules. Under the Trade Secrets Act, protection requires that the holder has taken reasonable measures to maintain secrecy, meaning strict access controls, confidentiality classifications, and NDAs must be in place before licensing to any counterparty. For fintechs licensing proprietary algorithms, model architectures, or data pipelines that do not attract copyright protection, it is thus imperative to ensure that the contractual confidentiality and access-restriction regimes are adequate.
Most importantly, as legal provisions vary significantly across different jurisdictions, local counsel is needed in each jurisdiction to ensure compliance and control.
-
Under emerging AI-governance frameworks, such as the EU AI Act and U.S. GENIUS Act, what legal obligations apply to fintechs using AI in underwriting, robo-advisory, and fraud protection?
Under the EU AI Act (Regulation (EU) 2024/1689), fintechs must classify their AI systems within a risk-based framework that prohibits certain AI practices, imposes extensive requirements on “high-risk” systems, and sets transparency duties for limited-risk AI systems. Depending on the actual use cases and closer details, AI systems in underwriting (e.g. creditworthiness assessment and credit scoring) are typically deemed high-risk systems under the AI Act. Whether robo-advisory constitutes a high-risk system depends on the specific use case, as robo-advisory is not automatically deemed high-risk under the AI Act. Specific AI systems used to detect fraud in the provision of financial services are also carved out from the high-risk category.
Under the AI Act, key obligations applicable to fintechs include requirements on lifecycle risk management, data governance, technical documentation, logging and traceability, transparency, human oversight, and appropriate accuracy and cybersecurity controls. As an example, where AI interacts directly with customers and unless it is obvious from the circumstances – as might be the case in robo-advisory – transparency obligations require informing users that they are interacting with an AI system.
In Finland, the AI Act is supplemented by the Act on the Supervision of Certain Artificial Intelligence Systems (1377/2025). The national supplementary law focuses in particular on the designation of competent authorities, supervision, and sanctions.
-
How can fintechs evidence algorithmic fairness, explainability, and bias mitigation in compliance with new supervisory expectations for automated credit and AML decisioning systems?
In practice, fintechs can demonstrate regulatory compliance of AI systems through robust governance and control structures, including ethical policies, appropriate data governance and management practices, technical documentation (e.g. on non-discriminatory rules of the algorithm), record-keeping, human oversight, and staff training. This means that several layers of documented evidence may be required. It should be noted, however, that the precise requirements and evidence layers differ depending on whether the system is classified as high-risk under the EU AI Act.
General compliance of automated systems should be built on a continuously maintained risk-management framework that identifies foreseeable risks with targeted controls and testing. For bias mitigation, fintechs shall document data governance by assessing dataset suitability, and demonstrate that training, validation, and test data are relevant, representative, and aligned to the intended operating context. For explainability, where an AI system qualifies as high-risk under the AI Act, it must be supported by clear instructions and be sufficiently transparent so that users can interpret outputs and use them appropriately. For high-risk AI systems, operational accountability must include technical capability for automatic event logging to ensure traceability over the system’s lifecycle.
Automated decisioning shall be continuously evaluated so that necessary human intervention can be performed. Moreover, automated decision-making and profiling are in particular subject to restrictions and information obligations under the GDPR. Accordingly, fintechs shall ensure that internal data protection documents demonstrate the consideration that has been given to automated credit and AML decisioning systems.
Fintechs must be able to demonstrate that automated models are calibrated to relevant risk drivers and that monitoring methods are sufficient for the system’s intended purpose and operating context. The automated systems shall be explainable with clear, traceable decision rules, feature documentation, and rationale for thresholds being used.
-
What are the IP and data-protection considerations around training proprietary AI models on financial data, and how can fintechs structure data-sharing agreements to minimize risk?
When training proprietary AI models on financial data, fintechs are advised to implement strict confidentiality measures. These measures include establishing internal policies on handling confidential information, properly labelling sensitive documents, using non-disclosure agreements, restricting access to confidential data, training employees on confidentiality practices, and maintaining robust information security protocols. Fintechs may protect their AI technology and data sets from IP infringement by seeking patent protection for inventions that fulfil the criteria for patentability, and shall also be well aware of other potentially existing non-registrable rights such as copyright and trade secrets.
Regarding data protection, fintechs shall perform necessary assessments to ensure that the data used for training does not violate the GDPR. Essentially, there shall be a lawful basis to use the data for training, the processing shall be limited to the actual training purpose, and ongoing evaluation shall be arranged so that adjustments to the training data can be implemented when necessary.
To minimize risk in data-sharing, fintechs shall conclude robust agreements with parties that have access to the training data. The data-sharing agreements shall clearly define roles and responsibilities, set clear limitations for allowed data usage, and ensure that the training data is not transferred outside of the allowed environment. Financial liabilities shall be clearly outlined in agreements to cover any data breach or unauthorised use of data.
-
How are regulators treating AI-driven investment or credit-decisioning tools for purposes of fiduciary duty, fair lending, and disclosure obligations under updated consumer protection frameworks?
The regulatory treatment of AI-driven investment and credit decision tools depends critically on the exact nature of the service being offered. The ISA and MiFID II framework applies where the activity constitutes a regulated “investment service”, such as investment advice or portfolio management. Where ISA and MiFID II apply, core requirements include, for example, that companies must act honestly, fairly, and professionally in the client’s best interests and must not use false or misleading information in marketing. ESMA’s MiFID II suitability guidelines explicitly define “digital investment advice” as advice or portfolio management delivered wholly or partly via an automated or semi-automated system and emphasise that companies must understand and maintain proper oversight of underlying algorithms where automated tools are used.
Where the service is consumer credit, the Finnish Consumer Protection Act (“CPA”) applies. The CPA imposes responsible lending duties, including avoiding misleading marketing and providing sufficient, clear explanations to enable the consumer to assess the suitability of the product for their needs and financial situation. A careful creditworthiness assessment is also required before concluding a credit agreement. Where the credit-decisioning tool (e.g. creditworthiness assessment) involves automated processing of personal data in connection with the consumer’s creditworthiness assessment, the lender must inform the consumer of this and of the consumer’s right to receive a clear and comprehensible explanation of the assessment, to present their own view to the lender, and to request review of the creditworthiness assessment and the decision concerning the credit application.
On the AI regulation side, AI systems used for creditworthiness assessment constitute high-risk use cases under the AI Act, triggering extensive governance, data quality, documentation, traceability, and information obligations. AI-driven investment tools are not automatically deemed high-risk AI systems, but a case-by-case assessment shall be conducted.
In summary, the specific rules from the relevant overarching framework depend significantly on the type of service provided and the manner in which it is delivered to the end user. Companies must carefully map their AI tools to the correct regulatory regime before deployment.
-
What emerging liability theories (e.g., negligent model governance, failure to supervise AI) could expose fintechs to enforcement or civil litigation in the next 12 months, and how should firms build defensible risk management frameworks?
An emerging liability theory concerns negligent AI governance in high-risk use cases, particularly creditworthiness assessment, and fintechs might face enforcement exposure where lifecycle risk management, targeted mitigations, and testing for consistent compliant performance are absent. Failure in the supervision of AI systems exposes fintechs to enforcement or civil litigation, for example when fintechs cannot demonstrate effective human oversight, appropriate logging, and controls for accuracy, robustness, and cybersecurity. To avoid liabilities, in certain high-risk deployment scenarios, particularly where fundamental rights risks are elevated, deployers of creditworthiness AI systems may be required to conduct a fundamental rights impact assessment prior to deployment and, where applicable, notify the competent supervisory authority.
To build a defensible risk management framework, fintechs should implement comprehensive risk management strategies. The foundation lies in data governance, clear roles and responsibilities for data ownership and processes for identifying and resolving data quality issues at the source. When using external data sources, due diligence is essential to verify the reliability and quality of the data provided.
Integrating AI into business processes requires careful review, particularly at critical decision points, where human oversight should be incorporated. Multidisciplinary teams, including data scientists, IT and database administrators, business representatives, and risk and compliance professionals, are vital to ensuring a well-rounded approach to AI risk management. Establishing robust governance and control structures further supports compliance and minimizes legal risks.
In practice, enforcement exposure is most likely to be framed as negligent AI governance, where fintechs cannot evidence alignment with the requirements reflected in Articles 9 (risk management), 10 (data governance), 12 (record-keeping), 14 (human oversight) and 15 (accuracy, robustness and cybersecurity) of the AI Act.
-
What notable examples of fintech-driven disruption or embedded finance adoption have reshaped your jurisdiction’s financial landscape in the past year?
In the past year, a notable example of fintech‑driven disruption in Finland has been the expansion of the card-based payment application MobilePay into a contactless payment solution, enabling consumers to use MobilePay for everyday purchases in grocery stores and other physical merchants. This shift was made possible by the EU‑driven opening of Apple’s iPhone NFC access, and it has strengthened embedded payments in retail by allowing MobilePay to function as a default mobile wallet.
Furthermore, a notable example of embedded finance is the strategic collaboration between Alisa Bank and Nordea Bank, under which Alisa Bank provides invoice financing directly to Nordea’s entrepreneur clients using its digital platform. The partnership embeds working‑capital financing into Nordea’s business banking offering, enabling faster conversion of receivables into cash and tighter integration with financial management software. This illustrates how Finnish banks may leverage fintech partners to deliver modular, technology‑driven financing solutions without building them fully in‑house.
-
Looking ahead, which regulatory reforms or global coordination efforts—such as cross-border licensing passporting or stablecoin reserve interoperability—hold the greatest potential to accelerate fintech innovation?
The EU’s proposed Financial Data Access Regulation (“FiDA”) has significant potential to accelerate fintech innovation by establishing a harmonised open‑finance framework that enables secure, consent‑based sharing of financial data across sectors and borders. By extending data‑access rights beyond payments to areas such as lending, investments, insurance and crypto‑assets, FiDA could lower entry barriers, support scalable cross‑border business models and enhance competition across the EU.
Finland: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Finland.