2025-09-17

Regulations amending governance, risk management and control at credit institutions (FFFS 2024:28)

Finansinspektionen amended its regulations on governance, risk management, and control at credit institutions to align with the EU DORA Regulation by excluding ICT risk management and specific outsourcing agreements from its scope. The authority also updated definitions and clarified that provisions regarding the independence of the compliance function are governed by the MiFID II delegated regulation. These changes, which include repealing certain sections and inserting new ones, enter into force on 17 January 2025.


Sweden

Finansinspektionen


Finansinspektionen’s Regulatory Code
Publisher: Acting Chief Legal Counsel Sophie Degenne, Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460

This translation is furnished solely for information purposes. Only the printed version of the regulation in Swedish applies for the application of the law.

Regulations amending Finansinspektionen’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions; decided on 18 December 2024.

Finansinspektionen prescribes pursuant to Chapter 5, section 2, point 5 of the Banking and Financing Business Ordinance (2004:329) in respect of Finansinspektionen’s regulations and general guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions in part that Chapter 2, section 2 shall be repealed, in part that Chapter 1, sections 1 and 3 and Chapter 5, section 4 shall have the following wording, and in part that a new section, Chapter 1, section 1a, shall be inserted with the following wording.

Chapter 1

Section 1

These regulations apply to the following undertakings:

  1. banking companies,
  2. savings banks,
  3. members’ banks,
  4. credit market companies, and
  5. credit market associations.

The regulations shall also apply to the investment services and activities of such undertakings, with the exception of the provisions in

  – Chapter 2, sections 1, 8 and 9,
  – Chapter 3, sections 3 and 4,
  – Chapter 4, sections 3–6,
  – Chapter 5, sections 1–3,
  – Chapter 8, section 1 and section 3, points 2, 3, 6 and 7,
  – Chapter 9, section 4 and section 5, point 9, and
  – Chapter 10.

FFFS 2024:28 Published on 27 December 2024

In its investment services and activities, the undertaking shall not apply Chapter 6, section 6, point 4 to the compliance function. Provisions regarding the independence of the compliance function are set out in Article 22(3) of the Delegated Regulation for MiFID II.

The regulations, in accordance with what is set out in Chapter 3, section 4 of the Special Supervision of Credit Institutions and Investment Firms Act (2014:968), shall be applied at group or subgroup level.

Section 1a

The provisions in Chapters 2 and 3 do not apply to the management of ICT risks in accordance with Chapter II of the DORA Regulation. The provisions set out in Chapter 5 do not apply to the management of ICT risks in accordance with Chapters II–V of the DORA Regulation. The provisions set out in Chapter 10 do not apply to outsourcing agreements subject to Chapter V of the DORA Regulation.

Section 3

In these regulations and general guidelines the terms and expressions shall mean the following:

  1. Delegated Regulation for MiFID II: Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive.
  2. DORA Regulation: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
  3. EEA: European Economic Area.
  4. Remuneration committee: The same as in Finansinspektionen’s regulations (FFFS 2011:1) regarding remuneration systems in credit institutions.
  5. Function: a unit or a department comprising one person or several people upon whom it is incumbent to perform one or several tasks within the operations.
  6. Internal rules: policy and governance documents, guidelines, instructions or other written documents through which an undertaking governs its operations.
  7. Control function: a function for risk control, compliance or internal audit.
  8. Limit: an established limit for risk exposure pertaining to e.g. a specific customer, customer group, market or product.
  9. Risk management framework: the undertaking’s strategies, processes, procedures, internal rules, limits, controls and reporting procedures that constitute a framework for the undertaking’s risk management.
  10. Risk appetite: level and orientation of the undertaking’s risks that are acceptable for achieving the strategic goals of the undertaking.
  11. Risk exposure: a measure of the risk to which an undertaking is exposed at a certain point in time.

  12. Risk culture: professional values, attitudes and behaviour that are of crucial significance to how an undertaking manages its risks.
  13. Risk strategy: a strategy for assuming, steering and exercising control of the risks to which the undertaking is or could become exposed.
  14. Capital Requirements Regulation: Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012.
  15. Outsourcing agreement: an agreement between an undertaking and a service provider according to which the service provider performs a process, a service or an activity which would otherwise have been performed by the undertaking itself.
  16. Senior management: The same as in Finansinspektionen’s regulations (FFFS 2011:1) regarding remuneration systems in credit institutions.

Chapter 5

Section 4

An undertaking, when it introduces new or materially altered products, services, markets, and processes, and in the event of major changes in the undertaking’s operations and organisation, shall efficiently and appropriately manage the risks that may arise in connection therewith.


These regulations shall enter into force on 17 January 2025.

DANIEL BARR

Agneta Blomquist