article / 22 Nov 2022

Focus on protective security compliance increases – what to expect from the SFSA?


With increasing threats to information, physical and personnel security, especially in times of escalating geopolitical instability, Sweden has strengthened its regulatory framework regarding protective security. The Protective Security Act (Sw. Säkerhetsskyddslagen (2018:585)), which came into force about three years ago, has seen its scope widened several times and has led to increased awareness amongst operators within the financial sector of the importance of security issues. In this article, we focus on the new supervisory structure within the area of protective security in the financial sector and provide our thoughts on what could be expected from the Swedish Financial Supervisory Authority (Sw. Finansinspektionen) (the “SFSA”).

The reform of the supervisory structure

In the 2021 issue of Setterwalls’ FinTech Report we focused on the Protective Security Act and a then recent Government Bill with proposed changes to it.[1] The proposals in the Bill were later adopted and came into force on December 1st 2021. As mentioned in our 2021 report, one of the important features of the Government Bill was that supervisory authorities were given investigative powers and the possibility to order operators to take certain measures subject to a conditional fine. The supervisory authorities were also given the power to decide on administrative sanctions against those that do not comply with the requirements of the protective security framework.

Aside from these features, another important proposal in the Government Bill that was also adopted and came into force on December 1st 2021 was the changes to the supervisory structure. The Government Bill mentioned that several shortcomings in the security inspection activities had been identified, some of which were related to the design of the supervisory structure. Examples of those shortcomings were that the supervision carried out was generally limited and some supervisory authorities did not carry out any supervision at all. It had also been found that some supervisors lacked the necessary factual and supervisory knowledge. On this basis, the Government considered that a reform of the supervisory structure was needed. There was also a need for a broad increase in ambition and knowledge in the area of protective security supervision.[2]

A new supervisory authority for the financial sector

Since the changes to the Protective Security Act came into force on December 1st 2021, supervision has been carried out on a sectoral basis. For the financial sector, the SFSA is the supervisory authority and it thus supervises individual Swedish operators, as well as corresponding foreign operators established in Sweden, and actors with whom the operators have concluded security protection agreements.[3]

The SFSA has the power to issue regulations on protective security, which supplement the regulations of the Security Service (Sw. Säkerhetspolisen). Within its area of supervision, the SFSA also has a responsibility to provide guidance on protective security, to decide on placement in security class 2 and 3 and to apply for register control on behalf of the operator in respect of employees or other persons participating in security sensitive activities.

More active supervision (and less guidance)?

The protective security supervision, which has previously been essentially advisory and supportive, can now be expected to change in nature to a more disciplinary supervision. This means that the SFSA can be expected to focus on supervising whether operators are compliant with the protective security legislation and, if not, impose sanctions. We have noted that the SFSA is strengthening its resources to carry out adequate supervision and has also decided on new regulations with regard to protective security.

Yet, the Government has previously emphasised that it is the task of the supervisory authority to help operators, through regulations, recommendations and guidance, in their work with e.g. assessing whether they are covered by the Security Protection Act, when security protection agreements are to be drawn up and how security protection analyses are to be conducted.[4] This is also evident from the Protective Security Ordinance which states that the supervisory authorities shall provide guidance on protective security within their respective supervisory areas.[5]

Our experience is that this type of advisory role does not directly correspond to the SFSA’s regular role in other areas of supervision, where the authority is not always particularly inclined to provide guidance. It is therefore not clear exactly how the SFSA will design supervision in the area of protective security. One could, however, expect that it will differ from the supervision methodology in the SFSA’s traditional areas; the question is to what extent.

The SFSA’s new regulation

The SFSA’s new regulation[6] (the “Regulations”) aims to streamline the authority’s supervision of the operators and at the same time make it easier for the operators to fulfil certain obligations under the protective security framework. The Regulations apply to operators that conduct security sensitive activities according to the Protective Security Act and that are part of the SFSA’s supervisory area. The Regulations enter into force on December 1st 2022.

According to the protective security framework, operators are obliged to notify various circumstances to the supervisory authority, and it is the practical aspects of those obligations that the Regulations deal with. According to the Regulations, an operator must use a specific form provided by the SFSA for the following purposes:

  • Notification that an operator is conducting security sensitive activities or that the security sensitive activities have ceased.
  • Notification that the operator intends to enter into a security agreement.
  • Notification of joint consultation.
  • Request for a decision on placement in a security class.

To conclude

Sweden has strengthened its regulatory framework on protective security, and since the end of last year the SFSA has been the authority responsible for focusing specifically on the compliance level of those operators that conduct security sensitive activities in the financial sector.

It will indeed be interesting to learn how the SFSA takes on the supervisory role in this new field and to what extent there will be room for guidance when the supervision can be expected to become more disciplinary in nature. One should not expect less than that the SFSA will approach its new assignment with the greatest sense of responsibility and take an active role as a supervisory authority. We know that being regulatory compliant is of the greatest importance to the companies concerned. It is therefore of great importance that banks, financial infrastructure companies and other operators that may be in scope of the Protective Security Act carefully analyse whether they conduct security sensitive activities and, if they conclude they do, take appropriate actions, including ensuring that they follow pertinent legal requirements and keep up to date with the SFSA’s guidance.

 

[1] Setterwalls’ FinTech Report 2021, ProTechtive Security (Sw. Säkerhetsskydd) – who does it concern?

[2] Prop. 2020/21:194, p. 74 ff

[3] Chapter 8 Section 1 in the Protective Security Ordinance (2021:995)

[4] Prop. 2020/21:194, p. 76 ff

[5] Chapter 8 Section 12 in the Protective Security Ordinance (2021:995)

[6] The Swedish Financial Supervisory Authority’s Regulations on Protective Security, FFFS 2022:17

Practice areas:

FinTech
