General compliance requirements
The legislation regarding each of the regulated activities contains the compliance requirements applicable to the institutions licensed to engage in that specific activity. There are however some general requirements which apply to most of the regulated entities.
The following are the main financial regulatory requirements applying to regulated undertakings:
- Prohibition against engaging in other business
- Prudent operation and good business practice, including governance arrangements and internal routines and procedures, internal control mechanisms, outsourcing etc
- Independent control functions
- Regular assessment of risk and overall need for capital
- Minimum requirements to own funds
- Prudent liquidity management and liquidity reserves
- Prudent asset management
- Maximum exposure to a single counterparty
- Suitability requirements to owners of qualifying holdings
- Fit and proper requirements to the board of directors and the management of the institution
- Requirements to the composition of the board of directors
- Requirements to the tasks and responsibilities of the board of directors and the general manager
- Limitations on the possibility for the management and board of directors to hold positions in other financial institutions and institutions with business relationship to the institution as well as for the management to engage in other business activities
- Duty of confidentiality
- Regulation of granting of credit to employees and board members
- Safeguarding requirements to the customers’ funds
- Requirements to the organisation of the dealing with customers
- Reporting to Finanstilsynet
Banks, insurance undertakings and other financial institutions regulated by the Financial Institutions Act, as well as investment firm are subject to the most exhaustive compliance requirements, including most of the requirements listed above. Certain financial institutions like electronic money institutions and payment institutions are exempted from some of the requirements in the Financial Institutions Act. There are also some regulated entities, such as insurance mediators, which are subject to considerably less compliance requirements.
Initial capital and capital requirements
There are minimum requirements for the start-up capital in most regulated entities, but the level of the requirements depends on the type of license. The minimum requirements to the initial capital is an amount in NOK corresponding to
- EUR 5 million for banks, mortgage companies and financing companies
- EUR 350,000 for electronic money institutions
- EUR 20,000 for payment institutions offering only money remittance
- EUR 50,000 for payment institutions offering only execution of payment transactions where the consent of the payer is given by means of any telecommunication, digital or IT device
- EUR 125,000 for payment institutions offering the other payment services
- EUR 3,7 million for life insurance undertakings
- EUR 2,5 million for other insurance undertakings, but EUR 3,7 million if the undertaking underwrites liability insurances connected to motor vehicles, aircraft or vessels or other liability insurances, or credit or guarantee insurance
- EUR 730,000 for investment firms
- EUR 125,000 for management companies for securities funds EUR 125,000 for external alternative investment fund managers
- EUR 300,000 for internally managed alternative investment funds
Additionally, the above mentioned institutions are subject to minimum requirements for own funds that apply at all times. The rules regarding minimum requirements on own funds and the calculation basis for the minimum requirements are different depending on the type of license and appear from the legislation applicable to the relevant institution.
The conditions for and requirements applicable in case of outsourcing of activities and functions to other service providers appear from the legislation applicable to the licensed institution.
Financial institutions may delegate to a third party the operation of parts of its business which is not core activities, unless such delegation is on a scale or in a manner not considered prudent or it makes the supervision of the delegated business or the institution’s overall business difficult. Core activities may not be outsourced.
Different rules may apply to other institutions such as investment firms and fund management companies. For example, investment firms are allowed to outsource some core activities (certain investment services) to a tied agent (link til tied agent).
Generally, the institutions remain responsible for the outsourced activities, including for risk management and internal control. There must be a written agreement with the service provider, which must ensure
- the institution access and control rights with respect to the outsourced activities, and
- Finanstilsynet access to information about and supervision of the activities where Finanstilsynet finds this necessary.
The institution must also ensure that the organisation possesses sufficient competence to manage the outsourcing agreement.
Most of the regulated entities shall notify Finanstilsynet when it enters into an outsourcing agreement and in case of change of service provider. The notification shall be given at least 60 days prior to implementation of the agreement or the change of the agreement or service provider. The notification duty does not apply to outsourcing of administrative and operational related tasks, including support functions, and to information and communication technology (ICT) activities not comprised by the ICT regulations.
For investment firms, management companies for securities funds and managers of alternative investment funds, the legislation applicable to such specific entities contain specific notification requirements.
The ICT Regulations apply to regulated institutions’ ICT systems of importance to the institutions’ business, and contain specific provisions with respect to outsourcing. In case of outsourcing, the service provider shall be contractually committed to supplying services that are consistently compliant with the ICT regulation. The outsourcing requirements also applies for the use of Internet Service Providers, cloud services and file sharing services.
Safeguarding of funds in payment institutions and electronic money institutions
Funds that a payment institution or an electronic money institution has received from customers, shall be segregated from the assets of the institution and be identified in such a way that the funds cannot be subject to execution of claim from other creditors of the institution. Alternatively, the funds may be guaranteed by an insurance institution or bank, which do not belong to the same group as the payment institution or electronic money institution.
Funds received by an electronic money institution by way of payment through a payment instrument, do not have to be safeguarded before they are credited to the electronic money institution’s payment account, or otherwise made available to the electronic money institution. The funds shall nevertheless be safeguarded no later than five banking days after the receipt of the electronic money to which the payment pertained.
Funds received by payment institutions shall be safeguarded at no later than the end of the business day after the receipt of the funds. The same applies to funds received by electronic money institutions which are not related to issue of electronic money.
The safeguarding requirements appear from the Financial Institutions Act section 13-18 and the Financial Institutions Regulations section 13-3.
Processing of personal data –in general
The Personal Data Act apply to the processing of personal data wholly or partly by automatic means, and other processing of personal data which form part of or are intended to form part of a personal data filing system, and all forms of video surveillance, cf. the Personal Data Act Section 3 first paragraph.
The Personal Data Act contains provisions concerning i.a.
- basic requirements for the processing of personal data (Section 11);
- conditions for processing general personal data (Section 8), and sensitive personal data (Section 9);
- rights of the data subject (Chapter III and IV);
- data security (Section 13) and internal control (Section 14);
- the data processor’s right of disposition over personal data (Section 15);
- transferring personal data to foreign countries (Section 29 and 30); and
- requirements to licence (Section 33) and notification (Section 31).
Notification and application for a licence
A notification to the Norwegian Data Inspectorate is required by the data controller before processing personal data by automatic means, or establishing a manual personal data filing system which contains sensitive personal data.
Notification shall be given not later than 30 days prior to commencement of processing. The Data Inspectorate shall give the controller a receipt of notification.
Notification form (which also can be done electronically.
Application for license
If the data controller process sensitive personal data, the data controller must apply to the Data Inspectorate for a licence cf. the Personal Data Act Section 33. Sensitive personal data is defined as information relating to:
- racial or ethnic origin, or political opinions, philosophical or religious beliefs,
- the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act,
- sex life,
- trade-union membership.
Licence form (which also can be done electronically.
Exceptions from the licensing and notification obligations
Certain types of processing are exempt from the licensing and notification obligations in accordance with the Personal Data Regulation Chapter 7 II – IV, for instance:
- Processing of personal data concerning customers, subscribers and suppliers shall be exempt from the obligation to give notification as long as this is as part of the administration and fulfilment of contractual obligations. The same shall apply to data concerning a third person which is necessary for the fulfilment of contractual obligations, cf. the Personal Data Regulation Section 7-7.
- The requirement to obtain a licence does not apply to the processing of sensitive personal data which have been volunteered by the data subject, cf. the Personal Data Act Section 33.
- The processing of sensitive personal data relating to customers shall be exempt from the obligation to obtain a licence in the event that the data subject has consented to the registration and processing of the sensitive data, and the data are necessary for the fulfilment of a contractual obligation. Personal data may only be processed as a necessary part of the administration and fulfilment of contractual obligations, cf. the Personal Data Regulation Section 7-14.
- Processing personal data as part of the required investigation and reporting obligation under the Money Laundering Act, cf. Regulation 13 March 2009 No. 302 on measures against money laundering and terrorist financing, etc., is exempted from the license obligation and from the notification obligation as long as:
- only information obtained from the institution’s investigations under the Money Laundering Act is processed; and
- personal information is processed for the purposes of the Money Laundering Act and its related regulations, cf. the , cf. the Personal Data Regulation Section 7-21 b.
Requirement to apply for a license for certain businesses
The following is subject to licensing pursuant to the Personal Data Act:
- Personal data processing by providers of insurance services (cf. the Act on Insurance Activity) for the purpose of customer administration, invoicing and the implementation of insurance contracts cf. the Personal Data Regulation Section 7-2, cf. the Personal Data Act Section 33.
- Personal data processing by banks and financial institutions (cf. the Norges Bank Act, the Norwegian State Housing Bank Act, the Financial Institutions Act) for the purpose of customer administration, invoicing and the implementation of banking cf. the Personal Data Regulation Section 7-3, cf. the Personal Data Act Section 33.
- An enterprise processing personal data for credit information purposes. The same applies to credit information for persons other than natural persons, cf. the Personal Data Regulation Section 4-5, cf. the Personal Data Act Section 33.