FAQ

The requirements to the application depend on the type of license it concerns. Normally, the application shall include at least the following:

1. Documentation on the incorporation of the institution
2. Articles of association
3. Organisation and business plan for the first three financial years
4. Information about the ownership and management structure
5. Information about owners with qualifying holdings (≥ 10 percent of the capital or voting rights), including about their suitability
6. Information about the board of directors and the management of the institution, including compliance with the fit and proper requirements
7. Information about the governance and control system
8. Information of how the institution shall obtain the capital required to meet the capital requirements for the business covered by the business plan
9. Information about the capital structure and capital adequacy of the institution, and forecast budget for the financial situation in each of the three first operating years
10. Budgets for establishment costs and administration costs
11. Budgets for profit and loss account, balance sheet and cash flow analysis for each of the first three operating years
12. Information of any financial group that the institution is part of
13. Information about the operating set up and procedures for the business and the services that the institution shall provide
14. The measures to comply with the requirements pursuant to the Anti Money Laundering legislation

All licence applications shall be sent to Finanstilsynet who either prepares a response for final decision by the Ministry of Finance or makes a decision itself under the mandate provided  by the ministry. The authority to grant the license is delegated from the Ministry of Finance to Finanstilsynet, unless for cases of significance and/or principal character. The decision on an application for a license pursuant to the Financial Institutions Act and the Securities Trading Act, shall be communicated to the applicant within six months after receipt of the application. For applications for license as a payment institution or electronic money institution, the time limit is three months. The same time limit applies to an application for a license as an AIF manager.

As from 1 December 2016, Finanstilsynet introduced a fee of NOK 30 000 for processing applications for payment institutions and electronic money institutions. A receipt for the paid fee shall be enclosed to the application. More information about the payment of the fee on the website of Finanstilsynet:

PSD 2 is a revised Payment Services Directive, which entered into force in EU 13 January 2018. PSD 2 provides the legal foundation for the further development of a better integrated internal market for electronic payments within the EU. It puts in place comprehensive rules for payment services, with the goal of making international payments (within the EU) as easy, efficient and secure as payments within a single country.  It also seeks to open up payment markets to new entrants leading to more competition, greater choice and better prices for consumers. PSD 2 introduces two new payment services:

• Payment initiation services, which is a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider. This service will enable the customers to pay directly from their bank account via a third party in order to make an online purchase, instead of using a payment card.
• Account information services, which is an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider. This service will provide customers with a consolidated view of their bank accounts and enable them to access them by online login.

Provision of services in Norway from abroad

Institutions licensed in another EEA state, may be able to engage in similar regulated activities in Norway without applying for a new license in Norway, but through a passporting system.

Institutions entitled to passport

In order to be entitled to use the passporting system, the institution must be licensed as one of the following:

• Credit institution or financial institution pursuant to the Capital Requirements Directive
• Insurance or pension undertaking pursuant to the Solvency II Directive
• Payment institution pursuant to the Payment Services Directive
• Electronic money institution pursuant to the Electronic Money Directive
• Investment firm pursuant to MiFID
• Manager for alternative investment funds pursuant to AIFMD
• Manager for UCITS and other securities funds pursuant to UCITS
• Insurance intermediary pursuant to the Insurance Intermediary Directive

The passporting process

The exact process for passporting into Norway depends on the EEA directive that you are passporting under and the legislation in the EEA state that you are established. However, a passporting application generally involves:

• An application or notification to your home state supervisor which informs them that you want to passport into Norway, the activities you want to passport, and whether you want to establish a branch or provide the services cross-border. The requirements that apply to this notification are set by the home state supervisor.
• The home state supervisor notifies Finanstilsynet that you want to passport and providing the relevant details with Finanstilsynet.
• Response/confirmation from Finanstilsynet about the passport. If Finanstilsynet does not respond within a prescribed period (usually 2 months), you can automatically start providing your services in Norway after that period.

GDPR (EU’s General Data Protection Regulation) is EU’s new framework for data protection. GDPR will replace the Data Protection Directive 95/46/EC and will come into effect from 28 May 2018 (also in Norway). The purpose of the GDPR is to i.a. harmonize data privacy laws across Europe, and to protect and empower all EU citizens’ data privacy. GDPR applies to all businesses established in the EU/EAA that processes personal data and also to businesses outside the EU/EEA that offers goods or services to data subjects in the EU or monitors their behaviour to the extent that the behaviour takes place in the EU. GDPR continues to a great extent the requirements that applies today, such as general requirements to processing of personal data, data subjects’ rights, routines regarding deletion etc. However, also new and significantly stricter requirements will apply, such as:

• an obligation to appoint a data protection officer for i.a. businesses where the core activities involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of special categories of personal data;
• a requirement to carry out data protection impact assessments if proposed activities are likely to result in a high risk to the rights and freedoms of individuals, in particular, through the use of new technologies;
• a requirement to notify the Data Inspectorate about data breaches within undue delay and, where feasible within 72 hours, and to notify the data subjects concerned without undue delay;
• new rights for data subjects, such as data portability, the right to object to processing, the right to be forgotten and to prevent profiling;
• a requirement to implement privacy by design and default in systems, i.a. in IT systems;
• more detailed information requirements to data subjects about the businesses’ processing of personal data;
• more detailed requirements to the content in data processing agreements with data processors;
• documentation of GDPR compliance; and
• penalties for unlawful processing of personal data will increase significantly with maximum penalties of 4% annual global turnover or up to EUR 20 Million (whichever is higher).