1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
Fintech is not a regulated activity in itself and no regulations specifically created for the fintech space have been introduced in Norway. However, the practice of the Norwegian regulators is evolving to adapt to the application of new technologies. In general, an entity must not carry on regulated activity in Norway unless it is authorised or exempt. The Norwegian Financial Undertakings Act of 10 April 2015 and supplementary regulations set out the public law aspects of the licensing and operation of financial entities. If products and/or services involve financial activities (e.g. deposit taking, lending, payment services, e-money, foreign exchange services, insurance and mediation, securities trading) which require regulatory authorisation, the entity must be authorised by the Norwegian Financial Supervisory Authority (Norwegian FSA), or the Ministry of Finance in exceptionally important cases.
The private law aspects of fintech products and services are regulated by the Financial Contracts Act of 25 June 1999. Norway also has extensive consumer protection legislation.
In addition, the fintech space is governed by the Information Communication and Technology Regulation and the EU General Data Protection Regulation (GDPR), together with other consumer protection regulations.
Norway is not a member of the European Union, but is part of the slightly wider European Economic Area (EEA). As part of the EEA, Norway has incorporated the EU institutional legislation that establishes the foundations for the EU-EEA single passporting licencing regime, which is also available to start-ups in the fintech space.
1.2 Do any special regimes apply to specific areas of the fintech space?
Lending (both retail and corporate) is a regulated activity (unless exempt) in Norway. An entity that offers lending products on a digital platform directed at the Norwegian market must be authorised to conduct such business by the Norwegian FSA.
Norway has a special regime governing peer-to-peer lending. A peer-to-peer lending platform is deemed to be a loan intermediary. Norwegian crowdlending platforms include Kameo (Nordic footprint), Kredd, Funding Partner, Dealflow, Perx and Monner. A loan intermediary is an independent intermediary that mediates between borrowers and lenders, and helps them to negotiate and conclude a loan agreement. The loan agreement must be entered into between the lender and the borrower. The loan intermediary cannot itself provide any funds or assume any risk for loss in the loans that are mediated. A lender is restricted to lending out in total NOK 1 million over a peer-to-peer lending platform without being subject to the licensing requirement. The relevant regulations for loan intermediaries are set out in Section 2-18 of the Financial Undertaking Act and Chapter 5 of the Financial Contracts Act. Loan intermediaries are also subject to suitability requirements. This area is still evolving and further regulation of crowdlending platforms is expected in the Norwegian market.
Further, in general, the loan intermediary regulations are not harmonised with EU law (i.e., there is no single passport regime for brokers and agents). Legislative work is therefore ongoing in Norway to regulate the loan intermediary role to cover not only loan intermediation of housing loans, but also in general; this will impact on digital platforms in this space.
In the payment area, rules on the approval of payment systems are also set out in the Payment System Act of 1999, in addition to the EU Second Payment Services Directive.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The Norwegian FSA regulates entities that offer financial services and products in the retail and wholesale markets. It oversees all regulated sectors in Norway, including information communication and technology (ICT) and anti-money laundering compliance. It deals with application processes and provides regulatory guidance to supervised entities, as well as conducting inspections and thematic supervision.
If the Norwegian FSA discovers a breach of the finance legislation, it will instruct the relevant entity to change its practices accordingly. Depending on the type of breach and the circumstances, the Norwegian FSA can issue an administrative order or a fine. It can also report criminal charges to the police, but it is up to the prosecuting authority to take further action.
The Norwegian Data Protection Authority (NDPA) is responsible for enforcing applicable laws and regulations in relation to the processing of personal data. The NDPA is entrusted with investigative and corrective powers, including the power to undertake on-site audits, and to issue public warnings, reprimands and orders to carry out specific remedy activities. The NDPA may issue administrative fines under Article 83 of the GDPR of the higher of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide turnover in the preceding year, depending on the nature of the infringement. Fines can be imposed in combination with other sanctions. Breach of the GDPR is not subject to criminal sanctions in Norway.
1.4 What is the regulators' general approach to fintech?
The regulators have the same level of expectations of fintech companies as of any established entity. In our experience, the often lengthy application processes to obtain authorisations, licences and permits, and the difficulties in obtaining appropriate guidance on new areas, present real challenges for fintech companies in Norway. In general, the attitude of the Norwegian FSA is that it does not want to pick the winners and losers in the industry. It has set up a guidance service relating to financial technology and regularly posts information online to assist fintech companies. The Ministry of Finance has also delegated the task of establishing a regulatory sandbox for fintech companies to the Norwegian FSA. The purpose of the sandbox is to assist new fintech players with little experience of the financial regulatory framework, allowing them to test innovative products, services and technologies on a limited number of customers under the supervision of the regulator. The aim is to establish the sandbox before the end of 2019 and the program is recently being published. The entities applying to be part of the regulatory sandbox must apply new innovate technology and the service or product must be to the benefit to the consumers or to the financial system.
1.5 Are there any trade associations for the fintech sector?
There is no overarching trade association for the fintech sector in Norway. Finance Innovation is a fintech organisation within the Norwegian Centre of Expertise cluster programme, which focuses on the entire fintech ecosystem. Sector groups such as the Norwegian Crowdfunding Association and the Oslo Blockchain Cluster are relevant for entities that apply blockchain technology. ICT Norway and Finance Norway are also working to improve the overall framework for the finance sector, including the fintech regulatory sandbox, as well as creating networking opportunities for industry players through events and other forums.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
In our view, the payments sector (e.g., Vipps, Payer, Finte, Vippicash, ZTL Payments, Meawallet, Bill Kill) and the financial infrastructure sector (eg, Neonmics, Zeipt) are the most embedded in the Norwegian market. Vipps is one of the most successful fintech entities and has become an important part of the digital banking system in Norway, especially within the consumer market. Historically, Norway has been at the forefront of digital banking and financial infrastructure – not least thanks to the development of common financial infrastructure and a secure electronic identification and signature solution through BankID, which is used across the finance and public sector. The BankID issued by one bank is automatically accepted by another bank or the public. This environment has created strong talent pools and several fintech start-ups are now emerging.
Many new banks have also emerged on the Norwegian market (eg, Monobank, Aprilia Bank, Nordic Corporate Bank), focused mainly on small and medium-sized corporates and new intermediate platforms (e.g. Capassa). The aim is to modernise the customer experience and develop new services for a generally under-serviced segment. New banks and finance entities are also taking advantage of real-time credit assessments in new ways (eg, those offered by Enin and Mito.AI).
Wealth management (eg, Quantefolio, Kron, Norquant), securities trading (eg, Monetær, Huddlestock) and capital raising (eg, Spleis, Spare, MyShare.live, Around, Funderbeam, Investio) players are also well established in the Norwegian fintech space.
2.2 What products and services are offered?
New payment and account services are being developed on the basis of the Second Payment Services Directive. New providers of aggregator (platform) services are connecting and facilitating players in the market. New digital services are also being offered in the accounting sector (eg, Luca Labs, Fiken, Lucidtech), and in the digital banking and open banking sectors. Credit assessments are also being refined through artificial intelligence technology, with more holistic monitoring of debtors and integration with accounting systems. New community-based digital platforms are also being developed, combining the features of a social network with product and service offerings. Finally, cryptocurrency exchanges and wallet services are also being developed and offered by Norwegian fintech companies.
2.3 How are fintech players generally structured?
Fintech players are often structured as private limited liability companies, whose founders are the majority shareholders.
2.4 How are they generally financed?
Initial investment in fintech players may be provided by family and friends of the founders and other high-net-worth individuals – often known as ‘business angels' – in return for an equity stake. This seed investment is often used to fund the establishment and early growth of the business, before larger investment becomes available. Investors may also provide know-how and expertise to assist in the company's development. Seed investors typically will not require the same controls over the business as, for example, venture capital providers. Various incubators and accelerators in the Norwegian market offer support, facilities and funding for start-ups, often in return for an equity stake. These include Finstar, Start-up Lab and TheFactory.
Crowdfunding has also been introduced in the Norwegian market and may be appropriate for early-stage fintech companies. Funding platforms include Around, Deal Flow, Myshare.live and Funderbeam.
Fintech companies can also apply for soft funding from Innovation Norway. Innovation Norway is the Norwegian government's most important channel for promoting innovation and the development of Norwegian enterprises and industry. It supports companies in developing their competitive advantage and enhancing innovation. It also provides services for start-ups, such as mentoring and start-up grants.
2.5 How are they positioned within the broader financial services landscape?
Recently, there has been increasing focus on the importance of innovation and job creation by fintech companies. Politicians hope to make the Norwegian economy less dependent on oil and natural resources. The fintech scene has grown rapidly in the last couple of years. Many accelerators and incubators have been established in the country's big cities. Banks and corporates are also setting up their own innovation programmes and participating in accelerators to monitor developments. Banks are collaborating with selected start-ups to cooperate and develop their businesses. At the same time, however, there appears to be a lack of risk capital available for early-stage start-ups, which is slowing down innovation and growth.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Our general impression is that fintech companies do not outsource their back-office functions, with the exception of cloud-based IT system platforms and accounting services. In our view, there is no developed Norwegian market for start-ups to access back-office functions. The country's accelerators and incubators have partners which offer services to start-ups, often on favourable terms. The legal implications of outsourcing is that all outsourcing arrangements that involve the processing of personal data must comply with the EU General Data Protection Regulation (see question 5.1), as well as the Information Communication and Technology Regulation (see question 5.2).
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
The provision of internet access is governed by the Norwegian Electronic Communications Act of 4 July 2003. Internet access is considered an electronic communications service (ECS). In general, no licence is required to offer ECS in Norway. However, ECS providers must register with the Norwegian Communications Authority prior to offering ECS in Norway. The Norwegian Electronic Communications Act imposes a net neutrality obligation, which implies that ECS providers cannot discriminate their services based on different types of internet traffic.
Norway implemented the EU E-commerce Directive through the E-commerce Act of 23 May 2003. Under the E-commerce Act, it is mandatory, among other things:
- to provide certain information about the e-commerce provider;
- to make available all legal terms and conditions applicable to a service prior to entering into an agreement;
- to meet technical requirements as regards the purchase process; and
- to meet requirements regarding access to and filing of electronic contracts.
Norway has also implemented the EU Distance Selling Directive through the Withdrawal Act of 20 June 2014. Among other things, this recognises the right of a consumer to withdraw from a contract (unless a service is carried out on the instruction of the consumer prior to expiry of the withdrawal period). The Withdrawal Act also imposes an obligation to provide information about the service prior to entering into an agreement. All mandatory information under the Withdrawal Act must be provided in Norwegian if a service is targeted at Norwegian consumers.
Norway also has a specific regulation issued under the Discrimination Act of 16 June 2017, which sets out the requirements regarding the design of websites targeted at the general public. At a minimum, the design of a website shall comply with the Web Content Accessibility Guidelines 2.0 (WCAG 2.0)/NS/ISO/IEC 40500:2012, at Level A and AA. The Norwegian regulations will probably be revised when the EU Web Accessibility Directive is implemented (scheduled for mid-2020).
(b) Mobile (m-commerce)
The answers provided under question 3.1(a) also apply to m-commerce.
(c) Big Data (mining)
The main statute to consider with regard to big data and data mining is the Norwegian Act on Personal Data, which implements the EU General Data Protection Regulation (GDPR) (see question 5.1). Specific issues to consider when processing big data include documenting the legal grounds for data processing and demonstrating compliance with the purpose limitation principle. The Norwegian Data Protection Authority (NDPA) further recommends conducting a data processing impact assessment in connection with the implementation of big data and artificial intelligence (AI).
(d) Cloud computing
For details on the GDPR, see question 5.1. In addition to the requirements set out by the GDPR, cloud computing is subject to sector-specific regulations concerning cloud computing under the Information Communication and Technology Regulation (see question 5.2).
(e) Artificial intelligence
AI is first and foremost governed by the GDPR. The use of AI must comply with the fundamental principles of the GDPR. According to guidance issued by the NDPA, it is important to consider the privacy by design obligation under Article 25 of the GDPR when developing and using AI. Furthermore, AI used as part of automated decision making or profiling must comply with Article 22 of the GDPR. ‘Profiling' is defined in Article 4 of the GDPR as: "Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements." Recital 71 of the GDPR also refers to examples of automated decision making "such as automatic refusal of an on-line credit application". The GDPR does not prohibit AI advancements, but these must be designed to comply with the GDPR. The NDPA recommends that a data processing impact assessment be conducted in connection with the use of AI.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Norwegian law is technology neutral, so there is no legal obstacle to the application of blockchain technology. A regulated finance entity applying blockchain technology must comply with the requirements set out in the Information Communication and Technology Regulation, including conducting risk assessments and taking measures to mitigate risks and uphold contingency and emergency plans for its IT operations. It must also comply with the requirements set out by the GDPR.
Providers of exchange services between virtual currencies and fiat currencies, as well as wallet services, are obliged to register with the Norwegian Financial Services Authority (FSA) under the anti-money laundering regime. No harmonised single licence and passporting regime applicable for exchange service platforms is available within the European Economic Area. This means that all traders and virtual currency exchange and wallet platforms offering their services as a business in Norway must register with the Norwegian FSA. Appropriate anti-money laundering routines must be established and a suitability assessment conducted. The Norwegian FSA requires that all transactions be subject to ongoing customer due diligence and sanction controls, under a risk-based approach. The provision of exchange services between virtual currencies only is unregulated and is not subject to a duty to register with the Norwegian FSA.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
A loan intermediary is an independent intermediary that mediates between borrowers and lenders to help them negotiate and conclude a loan agreement. The loan agreement must be entered into between the lender and borrower themselves. The loan intermediary cannot itself provide any funds or assume any risks for losses in mediated loans. Loan intermediaries are regulated by Section 2-18 of the Financial Undertaking Act and Chapter 5 of the Financial Contracts Act. On 1 June 2019 a new provision on debt-based crowdfunding entered into force in the form of Section 2-18 of the Financial Undertakings Regulation of 9 December 2016. Loan intermediaries are also subject to suitability requirements. This area is still evolving and further regulation of crowdlending platforms is expected.
(b) Online lending and other forms of alternative finance
Many banks offer various online lending products. A widely used common digital ID and signature solution facilitates digital banking in Norway. In general, the provision of credit on a commercial basis to a customer, whether corporate or individual (no distinction is made in law), is usually a regulated activity. The legal definition of ‘financing activity' is broadly scoped. One of the issues with lending is ensuring compliance with consumer protection regulations – for example, obtaining correct and sufficient information from the lender before granting the loan, conducting an appropriate credit assessment and complying with mandatory contractual terms. On 12 February 2019 the Ministry of Finance published a new regulation on prudent consumer lending practices. The new regulation sets out detailed rules on debt servicing capacity, maximum debt to income and amortisation, including a requirement on five-year instalment payments.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg. Uber and AirBnb)
To the extent that an entity holds customers' funds as part of the payment chain, the Norwegian FSA will most likely consider that it is conducting a payment service which is subject to the licencing requirement, unless exempt. Online merchants often offer third-party payment solutions instead of offering payment services themselves. Where a Norwegian business provides payment services as a commercial activity, it will require authorisation by the Norwegian FSA under the Financial Undertakings Act. In order to obtain authorisation, an applicant must meet certain criteria, in line with EU regulations, including in relation to its business plan, initial capital, processes and procedures for safeguarding client funds, sensitive data, information and communications technology requirements and compliance with the anti-money laundering legislation.
A foreign currency exchange service is a regulated service in Norway. A foreign exchange service can be offered by a bank, credit institution, financial institution, e-money provider or holder of a payment licence. Sector-specific regulations apply to foreign currency exchange services under the Norwegian Exchange Register Act of 28 May 2004. Currency exchange transactions above a certain threshold must be reported and stored in the Foreign Currency Exchange Register, which is administered by the customs authorities. Often, it is the banks and card companies that report transactions.
Trading services are regulated under the Norwegian Securities Trading Act of 2007, which incorporates the EU Markets in Financial Instruments Directive II (MiFID II) Regulation. Compliance with the MiFID II Regulation is demanding for fintech companies. There is no particular regime applicable to fintech companies in this space. A couple of new fintech players have set up new digital platforms (eg, Huddlestuck) or deployed new AI technology (Quantefolio) to distinguish themselves from established firms in this space.
(f) Investment and asset management
The Norwegian Securities Fund of 2009, the Alternative Investment Fund Act of 2014 and the Norwegian Securities Trading Act of 2007 apply to fund structures and asset management, depending on the set-up. No particular regime is applicable to fintech companies in this space. There are also challenges for fintech companies seeking to enter this area due to the complex regulation. However, some fund structures are investing in new sectors, new technology is being made available to investors (eg, Quantfolio) and some fintech companies are endeavouring to make saving more attractive and fun for the retail segment (eg, Dream).
(g) Risk management
Banks, credit institutions and other finance entities are subject to risk management rules and internal control requirements. As a result of these increasing requirements, the industry is demanding better tools to manage, monitor and report risk. A couple of fintech companies have emerged in the area of compliance and risk management.
There are no specific regulations on roboadvice in Norway. The general approach is that providers of IT platforms and enabling tools used by others are not considered to provide regulated services themselves. In addition, the law is technology neutral, in the sense that providers of regulated services (including roboadvicing in the area of investment advice) must fulfil the legal requirements for that service.
Offering insurance is a regulated activity in Norway. The provision of non-life insurance and life insurance requires a licence from the Norwegian FSA. Sector-specific regulations are set out in the Act on Insurance Business of 2005 and the Financial Undertakings Act of 2015. Insurance distribution currently falls under the Norwegian Act on Insurance Distribution of 2005; however, the Norwegian government is working on the incorporation of the Insurance Distribution Directive into Norwegian law. At present, insurers appear to be focused on digitalisation and improvement of the customer experience. However, there appears to be little genuine innovation in the insurance sector in Norway – although there are a few examples of new concepts (eg, Tribe Insurance and Cloud Insurance (software as a service)), and new players (Tillit Forsikring and Tribe Forsikring).
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
Norway has implemented the General Data Protection Regulation (GDPR) through the Data Protection Act of 15 June 2018. Under the GDPR, fintech companies (as data controllers) must ensure that all data is processed in accordance with the fundamental data privacy principles set out in Article 5 (ie, lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality). Fintech entities must also comply with the principle of privacy by design set out in Article 25. As mentioned in questions 3.3 and 3.6, fintech companies are likely to be subject to the obligation to conduct a data protection impact assessment in accordance with Article 35 if the processing activity is likely to present significant risks to the rights of natural persons. If the risks revealed in the impact assessment are considered to be significant, in the absence of measures taken by the controller to mitigate them, the data controller must consult with the Norwegian Data Protection Authority prior to commencing processing activities. If a fintech company (as data controller) uses a data processor, it must ensure that the data processing agreement complies with Articles 28 and 29 of the GDPR. Prior to engaging a data processor, the data controller should conduct a risk assessment of the data processor to ensure that the appointment is within an acceptable level of risk.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
Article 32 of the GDPR obliges both data controllers and data processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing activity. Under the Information Communication and Technology Regulation, sector-specific requirements also apply to the use of information and communication technology in the financial sector.
The Information Communication and Technology Regulation obliges entities in this sector to implement written procedures to ensure the stable operation of IT systems. In addition to their reporting obligations under the GDPR, they are obliged to notify the Norwegian Financial Services Authority of certain events such as security breaches.
Norway has also passed a proposal for a new act that will implement EU Directive 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. It is not yet certain when the act will enter into force.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
Sections 337 to 341 of the Norwegian Criminal Act of 20 May 2005 relate to money laundering and Sections 378 to 389 relate to corruption; the act also includes other provisions on various forms of financial crime.
The Norwegian Anti-money Laundering (AML) Act of 1 June 2018 and its accompanying regulation implement the Fourth and (partly) Fifth EU AML Directives. The AML Act sets out extensive requirements relating to customer due diligence (know your customer) and monitoring, as well as a duty to report suspicious activities to the Norwegian authorities. Customer due diligence verification is based on, among other things, a valid proof of identity and verification of beneficial owners. Anyone that breaches the obligations set out in the AML Act, either wilfully or through gross negligence, may be subject to fines or, in severe circumstances, imprisonment for up to one year.
The Norwegian Financial Services Authority has issued guidance (Circular 8/2019) on the AML Act. The AML Act applies to most companies doing business in the financial sector, including fintech companies.
On 15 October 2018, exchange services of virtual currency providers and custodian wallet providers were made subject to the requirements of the AML Act, and such entities must now be registered with the Norwegian authorities.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
Fintech companies and technologies have significantly affected the competitive landscape. The competition authorities have raised concerns over the challenges presented by these technologies. As the fintech sector is a young and evolving market, the competition authorities have questioned whether the existing competition regulations are sufficient to address the challenges foreseen, and whether traditional analysis of market shares and definitions can adequately capture the dynamics of the fintech market.
Generally, online platforms, access to customer data, standardisation and inter-operability can provide insight in the market behaviour and strategy of competitors, and may thus raise concerns of collusion or other anti-competitive behaviour. For instance, the structure of blockchain makes possible the implementation of more complex collusive agreements, making it easier to detect – and potentially to retaliate against – deviations from collusive agreements. Further, in relation to online payment service providers, competition concerns could arise in relation to access to the data of bank account users, particularly where such access is refused by a bank with a dominant position. Competition and developments relating to mobile payments systems are being monitored, as competition concerns may arise in relation to the granting of access to communication technology to other online payment providers.
Fintech companies have the potential to benefit consumers, as new technologies may reduce costs, increase efficiency and enhance transparency. They can also capture bank information, which is considered important to increase competition and innovation, and thus create opportunities for businesses and consumers.
8.1 How is innovation in the fintech space protected in your jurisdiction?
Innovation in the fintech space may be protected under different Norwegian laws relating to the protection of IP rights, as well as laws that prevent the misuse of confidential information (trade secrets). Norway is also a party to several IP treaties. Most of the Norwegian legislation relating to the protection of IP rights is based on and/or harmonised with EU law through the Agreement on the European Economic Area.
Patents: Patents are protected under the Patents Act of 15 December 1967. Patents rights are granted by the Norwegian Industrial Property Office (NIPO). To obtain patent protection, the invention must meet the criteria of novelty, inventive step and industrial application. Patents are valid for 20 years from the filing date. Patents filed with the European Patent Office (EPO) may also be granted effect in Norway through a validation process, as Norway is a member of the EPO. Norway is also party to the Patent Cooperation Treaty, which allows for a simplified application process in several countries.
Copyright: Copyright is protected under the Copyright Act of 15 June 2018. Original literary and artistic works may obtain copyright protection. There is no registration of copyright in Norway and protection is achieved upon creation of the work. Source codes and object codes of software may thus obtain protection through copyright.
Trademarks: Trademarks are protected under the Trademarks Act of 26 March 2010. Trademark protection is granted either by use or by registration. Trademarks are registered with NIPO and can be obtained for words, slogans, names, logos, figures and images, letters, numbers, packaging, sounds, movements and combinations thereof. Trademarks must be distinctive and be suitable to distinguish the goods and services of one entity from those of others. European trademarks do not cover Norway; however, the holder of a European trademark may apply for a Norwegian trademark with priority from its European trademark. A trademark is valid for 10 years and may be renewed for further 10-year periods thereafter.
Designs: Designs, such as the design of a website, are protected under the Design Act of 14 March 2003. A design right is granted by NIPO and is valid for five years; it may be renewed for further five-year periods thereafter, up to a maximum of 25 years.
Trade secrets and know-how: Section 28 of the Marketing Control Act of 9 January 2009 provides that: "A person who has obtained knowledge or possession of a trade secret in connection with an employment or business relationship or a position of trust shall not exploit the secret unlawfully in the course of trade." In determining whether information qualifies as a trade secret, three criteria will be considered:
- whether the information is deemed secret information;
- whether the information has a commercial value; and
- whether reasonable steps must have been taken to keep the information secret.
Norway is in the process of passing legislation that will implement the EU Trade Secret Directive. Under this legislation, trade secrets will be afforded broader protection which is more akin to traditional IP rights such as patents, trademarks and copyright.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
Various incubators and accelerators in the Norwegian market offer support, facilities and funding for start-ups, often in return for an equity stake.
Innovation Norway is the Norwegian government's most important channel for promoting innovation and the development of Norwegian enterprises and industry. Innovation Norway supports companies in developing their competitive advantage and enhancing innovation. It also provides services for start-ups, including mentoring and grants.
Eligible enterprises may also avail of tax credits in respect of qualifying research and development expenditure through the SkatteFUNN tax credit scheme. Broadly, eligible small and medium-sized enterprises may obtain a credit of up to 20% of qualifying expenditure (18% for larger enterprises). If the credit exceeds the tax payable, the excess is paid out in cash. Certain amendments to the scheme were proposed in the 2020 National Budget.
Norway has two tax incentives aimed specifically at start-ups. First, certain investors may claim deductions against taxable income in respect of equity investments in qualifying start-ups. The deduction is available only to private individuals, and the deductible amount is capped at NOK 500,000 per investor and NOK 1.5 million in total. The scheme is subject to numerous requirements with respect to the investee company's scale and operations.
The second scheme applies to employment-related options over shares in qualifying start-ups. It allows employees to defer (a portion of) gains on the exercise of options until future disposal of the acquired shares. As above, the scheme is narrow in its scope and application.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
The Working Environment Act of 2005 is the main employment statute. Employees enjoy strong protection and the threshold for dismissal is high. A dismissal must be objectively justified on the basis of circumstances relating to the company or the employee. In the event of dismissal, the employee has an unconditional right to dispute the dismissal in court. As a rule, the employee will be entitled to remain in his or her position while the case is pending, and to work and receive salary during this period. Termination without valid cause is void and entitles the employee to reinstatement and/or compensation.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
Employees from outside the European Union/European Economic Area must generally apply for a residence permit for skilled workers. There is no minimum wage applicable to fintech companies. However, in order to obtain a residence permit, the salary cannot be lower than the standard salary for the relevant occupation in Norway. If the position requires a master's degree, the salary must be at least NOK 428,200 per year before tax. If the position requires a bachelor's degree, the salary must be at least NOK 397,100 per year before tax.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
See question 2. Although the Norwegian market is small, the fintech sector has seen rapid growth and more than 100 companies are now operating in this space. Investment vehicles are also being established, which will hopefully fuel further growth in this sector.
Some fintech companies have become household names (eg, Vipps, Auka, Deal Flow, Enin Payer, Quantfolio, Fiken, Tribe). However, based on the number of deals and the value of investment capital, it appears that there has been less activity in the sector in 2019 than in 2018. The full impact of the Second Payment Services Directive has yet to be realised in the payment sector and in the area of open banking; we anticipate significant new developments here in the next 12 months. We also expect:
- disruption in the accounting sector, with the establishment of a new generation of accounting firms;
- continued growth in the crowd segment;
- further integration of the offering of exchange services for cryptocurrencies and wallet providers into the fiat economy, with less friction in this segment; and
- new regulations in relation to financial services, crowdlending, loan intermediation and consumer protection.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
The Norwegian market is transparent, with an open attitude and many accelerators and hubs which foster innovation. Banks are collaborating with fintech companies, although the establishment of such relationships can take time. Fintech companies should be proactive but patient when dealing with established players. Like many EU member states, Norway has demanding regulatory regimes which make compliance and legal support important to navigate. Challenges include the slow pace at which the Norwegian regulators process applications and the fact that guidance in new areas is not well advanced. The access to risk capital is limited, but will hopefully improve in the years to come.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.