Banks and other financing activity

Analysis and monitoring

In order to identify risks that affect the institutions, Finanstilsynet monitors and analyses the real economy, financial markets and developments in individual industries and entities. The analyses are partially based on reporting from the institutions during the year. In 2024, reports published on Finanstilsynet's website included: 

• quarterly reports on institutions’ profitability, credit risk, financial position, etc.
• quarterly reports on banks' solvency and liquidity
• quarterly reports on banks’ losses and non-performing exposures
• quarterly reports on institutions' compliance with the Lending Regulations
• semi-annual reports on financial stability (Risk Outlook)
• semi-annual reports on developments in consumer loans
• semi-annual reports on fraud and fraud statistics
• annual survey of banks’ lending practices for residential mortgages
• annual risk and vulnerability analysis of the financial sector's use of ICT (RVA)

Supervision

Finanstilsynet’s supervision is risk-based. Supervisory activities in 2024 were prioritised on the basis of reporting from the institutions, analyses of risks and vulnerabilities and notifications received about institutions and markets.

In 2024, Finanstilsynet conducted 43 inspections at banks, mortgage companies and finance companies. Topics covered at the inspections included credit risk, internal governance, consumer protection, ICT risk and compliance with the anti-money laundering (AML) legislation. In addition, Finanstilsynet has followed up institutions that for various reasons have elevated risk levels.

In addition, Finanstilsynet carried out thematic inspections at 25 payment and electronic money institutions. The inspections focused on how the institutions handle client funds, including the extent to which these funds are protected in the event of foreclosure.

Finanstilsynet assessed 17 recovery plans for banks in 2024.

Follow-up of capital adequacy

Finanstilsynet monitors the institutions’ capital adequacy. Pillar 1 applies to all institutions and sets minimum and buffer requirements for own funds in per cent of risk-weighted assets. The Pillar 2 requirements are set individually for each institution in the form of a separate Pillar 2 decision (SREP), and cover risks that are not, or only partially, covered by the minimum and buffer requirements under Pillar 1.

Systemically important institutions are subject to an additional buffer requirement depending on their size and their market share of lending in Norway. In 2024, SpareBank 1 Sør-Norge ASA was also defined as a systemically important institution.

Eight Norwegian banks with associated mortgage companies and four subsidiaries of international banks have received permission from Finanstilsynet to use internal models to determine risk-weighted assets to calculate credit risk under Pillar 1 credit risk (IRB models). In 2024, Finanstilsynet approved the application of an IRB bank, subject to certain terms and conditions, to implement changes in its internal model. The bank appealed the decision, and the appeal is being considered by the Ministry of Finance.

In 2024, Finanstilsynet set 46 Pillar 2 requirements for Norwegian institutions. The decisions were based on the methodology for assessing risk and capital requirements described in Circular 3/2022. The decisions are published on Finanstilsynet's website (in Norwegian only). Finanstilsynet participates in supervisory colleges with other national financial supervisory authorities in the EEA and was involved in reviewing Pillar 2 requirements for six foreign institutions.

Supervision of corporate governance

Credit risk is a key risk factor for banks. In light of macroeconomic developments, Finanstilsynet placed particular emphasis on assessing credit risk in banks' corporate market portfolios in 2024. This included a review of banks' credit assessments, compliance with internal and external guidelines, risk appetite and loss allowances. Banks' exposure to losses is a key element in Finanstilsynet's follow-up of credit risk. There is a risk that some banks will underestimate future losses. Finanstilsynet also checked that the banks have established appropriate credit strategies with a clearly defined risk appetite.

Supervision of consumer protection

In 2024, the transfer of portfolios between banks and the merger of entities posed challenges for customers who were planning to transfer share savings accounts to other service providers. Due to delays, the deadline of ten business days for moving accounts to a new provider was exceeded. The transfer of share savings accounts involves several players and still requires manual processes, which means that institutions may face capacity challenges in the event of a large increase in transfer requests. In 2024, Finanstilsynet followed up the institutions involved and also held meetings with, among others, the trade organisations.

During the year, Finanstilsynet followed up a number of banks, mortgage companies and finance companies to make sure that they corrected errors in the process of collecting outstanding claims and returned funds that had been incorrectly collected to affected customers. This process will continue in 2025.

Supervision of anti-money laundering and counter terrorist financing measures

Supervisory activity in 2024 included the institutions' customer due diligence measures and ongoing monitoring of customer relationships, risk assessments, investigation of suspicious circumstances and reporting to Økokrim (the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime). Inspections revealed shortcomings in the institutions’ risk assessments, procedures and training.

In 2024, Finanstilsynet initiated a thematic inspection of how the risk of terrorist financing in banks is handled. The inspection encompasses ten banks. Finanstilsynet cooperated with Økokrim and the Norwegian Police Security Service (PST) when preparing for the thematic inspection. The report from the thematic inspection will be published in 2025.

In autumn 2024, Finanstilsynet initiated an AML/CFT inspection of agents for a foreign payment institution that provides money transfer services via a network of agents in Norway. The inspection addressed agents' handling of customer due diligence requirements, ongoing monitoring of customer relationships, investigation of suspicious circumstances and reporting to Økokrim. The report from the inspection will be published in 2025.

In 2024, Finanstilsynet strengthened its cooperation with PST, Økokrim and the police districts on preventing and detecting money laundering and terrorist financing, and has entered into an agreement whereby employees may be on secondment at Økokrim's response centre.

A separate supervisory college (cooperation between national financial supervisory authorities) on the subject of anti-money laundering was established for DNB in 2024.

Supervision of ICT risk

The supervision of ICT risk in 2024 focused on outsourcing of ICT activities, emergency preparedness and continuity and ICT security.

In 2024, Finanstilsynet received notifications from institutions on 365 serious or critical ICT incidents. There were no ICT incidents that impacted financial stability.

Finanstilsynet collaborated with Norges Bank on testing cyber security in the financial sector (TIBER-NO). The testing is voluntary, and two banks completed the test in 2024.  
Finanstilsynet processed 188 notifications of ICT outsourcing in 2024.

Structural changes and other administrative matters

In 2024, Finanstilsynet granted six permissions to merge savings banks and one licence to establish a savings bank foundation. Two permissions were granted for the merger between a Norwegian bank and a foreign bank, with the foreign banks as acquiring banks.

In 2024, Finanstilsynet granted one new licence to operate as a bank and one new licence to operate as a finance company.

During the year, several assessments were made as to whether members of the board of directors and management, or qualified owners of financial institutions, are suited for the role.

Follow-up of the Credit Intermediation Act

In 2024, Finanstilsynet granted 25 licences as credit intermediaries to financial agents and one licence as a credit intermediary to a financial broking house. In addition, 35 undertakings are licensed to mediate loans to businesses. More than 2 000 ancillary credit intermediaries sent Finanstilsynet requests for registration to in 2023 and 2024.

Emergency preparedness and crisis management

Finanstilsynet is designated as the Norwegian resolution authority. Ten banks have been identified as having critical functions, which means that a liquidation of the bank could threaten financial stability. In 2024, Finanstilsynet made decisions on Minimum Requirements for Own Funds and Eligible Liabilities (MREL) for the individual banks and prepared resolution plans for several of the banks.

In 2024, it was decided to increase the selection of banks that will be subject to MREL requirements, and more medium-sized banks will have to meet such requirements in 2025. There will be fewer and simpler requirements for these banks, and they will have greater freedom to decide how the requirements are to be met and less extensive reporting requirements.

In 2024, banks were asked to prioritise the following areas: MREL, liquidity and funding during recovery and resolution, management information systems (MIS) for valuation and operationalisation of the recovery and resolution strategy.

Nordic-Baltic crisis management exercise

In autumn 2024, Finanstilsynet participated in an exercise together with the authorities in the Nordic and Baltic countries responsible for financial stability. The exercise was about handling a hypothetical financial crisis centred around three fictitious banks with cross-border operations. Nearly 450 people representing relevant authorities participated in the crisis exercise. From Norway, the Ministry of Finance and Norges Bank also took part. The purpose of the exercise was to test communication, information sharing and cooperation between the authorities in a situation of uncertainty and time pressure. The subject of the exercise was a crisis scenario in which the fictitious banks went through three stages that are relevant when handling problems in individual banks: (1) from normal operations to recovery measures and the handling of liquidity problems, (2) from recovery to resolution where the authorities take control of the bank, and (3) banks' re-entry into the market following a resolution process. The exercise provided useful learning that is now being followed up.

Financial Infrastructure Crisis Preparedness Committee (BFI)

In 2024, Finanstilsynet and BFI paid particular attention to entities that support important functions, including critical functions in society identified by the Norwegian Directorate for Civil Protection (DSB).

BFI will, as in previous years, establish and publish a separate annual report on its work.

Nordic-Baltic exercise on operational resilience – cyber security

As a follow-up to the ‘Northern Bastion Resilience Exercise’ in Finland in autumn 2023, Finanstilsynet participated in a series of sub-exercises with representatives from the Nordic and Baltic countries in 2024. From Norway, the Ministry of Finance and Norges Bank also took part. The purpose of the exercises was to strengthen cooperation in the Nordic and Baltic countries to increase the operational digital resilience of the financial sector. The exercises tested cross-border communication, information sharing and cooperation between authorities to maintain business continuity in the sector. Based on experience from the exercises, it was decided to establish a Nordic-Baltic working group for operational digital resilience.

Systemic ICT risk

Operational ICT incidents and cyber attacks can affect the financial system and threaten financial stability if there are vulnerabilities in the system. Finanstilsynet and Norges Bank are working together to develop a framework and process for assessing systemic ICT risk for the Norwegian financial system. In 2024, the framework was further developed in dialogue with representatives from the industry. Experience from the project will be used during a pilot phase in 2025.

Preparedness in the digital payment system

A working group with representatives from Norges Bank, the Ministry of Finance and Finance Norway is assessing the preparedness of the electronic payment system in Norway. In 2024, the group reviewed the current payment system, and the need for measures both within and outside the existing payment solution was assessed. In 2025, the group will present a concrete plan for the implementation and follow-up of recommended measures.

National framework for managing ICT security incidents

A sectoral response environment (SRE) for handling ICT security incidents is a key element in the Norwegian National Security Authority's (NSM) framework for handling such incidents. Finanstilsynet has been designated as sectoral response environment in the financial market area together with Nordic Financial CERT (NFCERT). In 2024, Finanstilsynet provided input to NSM's proposal for a revised national framework for handling ICT security incidents.

Regulatory development

Lending Regulations

In 2024, Finanstilsynet responded to a number of inquiries from the industry and other stakeholders concerning the Lending Regulations.

In the course of the year, Finanstilsynet, on commission from the Ministry of Finance, drew up a consultation document proposing changes to the Lending Regulations. After the consultation, the Ministry of Finance decided, for the most part, to retain the Lending Regulations in line with Finanstilsynet's proposal, but lowered the down payment requirement for new residential mortgages from 15 to 10 per cent and adjusted the debt servicing capacity requirement for fixed-rate loans.

Capital Requirements Directive and Regulation (CRD and CRR)

In 2024, Finanstilsynet prepared a consultation document on the implementation of expected EEA rules corresponding to CRR3 in Norwegian law. The consultation document included changes to the standardised approach for estimating credit risk and changes to the framework for internal risk models for estimating credit risk (IRB models). Finanstilsynet proposed certain adjustments to the risk weights for commercial and recreational property under the standardised approach and increased minimum levels for IRB banks' risk weights for residential and commercial property. On 6 December 2024, the Ministry of Finance adopted regulatory amendments that are largely in line with Finanstilsynet's proposal.

New rules in the CRR/CRD Regulations on how Finanstilsynet shall determine Pillar 2 requirements and expectations regarding the Pillar 2 guidance entered into force in July 2024.

In the course of the year, Finanstilsynet prepared a consultation document proposing changes to Norwegian regulations to harmonise them with the EU-wide rules in the EU’s sixth Capital Requirements Directive (CRD 6). The consultation document was sent to the Ministry of Finance on 17 January 2025. The primary purpose of CRD 6 is to further harmonise the supervisory framework for banks, etc. in order to strengthen the internal market for banking services.

New rules on digital operational resilience for the financial sector (DORA)

In 2024, Finanstilsynet participated in working groups under the auspices of the European Supervisory Authorities to develop supplementary provisions to the EU-wide regulation DORA. DORA came into force in the EU in January 2025.

New rules on cyber security for providers of economically important services

The Cyber Security Act is intended to ensure that institutions of particular importance to society meet basic requirements for cyber security. The Act will enter into force in 2025. In the autumn of 2024, Finanstilsynet sent its response to the Ministry of Justice and Public Security regarding proposed regulations to the Cyber Security Act. Certain institutions supervised by Finanstilsynet may be designated as providers of economically important services and will thus be encompassed by these rules.

Payment Services Directive (PSD2)

During 2024, Finanstilsynet, in cooperation with the Ministry of Justice and Public Security, surveyed how the EU regulation PSD2 has been implemented in Norwegian law, and this work will continue in 2025. The results will be reported to the EFTA Surveillance Authority (ESA).

About interchange fees and combined payment cards

The regulations on interchange fees in card schemes are based on the EU regulation on interchange fees for card-based payment transactions (Interchange Fee Regulation). In autumn 2024, Finanstilsynet published a statement on its understanding of the rules for so-called combined payment cards. The introduction of terms and conditions, solutions, etc. preventing payees from informing payers about their preferred payment instrument will be in violation of the regulations.

Consumer protection

On commission from the Ministry of Finance, Finanstilsynet reported on consumer protection in the financial market area in 2024. Its report were to be taken into consideration in the work on the new Financial Supervision Act. Finanstilsynet described the overall regulation and supervision of consumer rights in the financial area. It also proposed various measures to enable Finanstilsynet to help strengthen consumer rights, inter alia through increased cooperation with the Consumer Authority and further developing consumer information on its website.

AML legislation and the Sanctions Act

In 2024, Finanstilsynet submitted several consultative statements concerning proposed amendments to the current AML legislation in Norway, such as a proposal to define players in the art industry as obliged entities under the AML legislation, to establish a register for beneficial owners, to offer asylum seekers ‘prepaid cards’ and to introduce administrative fines for law firms.

During the year, Finanstilsynet also submitted a consultative statement concerning the Ministry of Foreign Affairs' proposal for a new statutory provision on confidentiality in the Sanctions Act.

In June, the EU adopted new rules on preventing and detecting money laundering and terrorist financing (sixth AML package). During 2024, Finanstilsynet was involved in preparations for the new regulations under the auspices of the European Banking Authority (EBA). This included drawing up supplementary rules and making preparations for the new European supervisory authority in this area, the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). In autumn 2024, the Ministry of Finance appointed a working group to assess how the rules should be implemented in Norway. Finanstilsynet is represented on the working group.

Report on competition in the banking market

On commission from the Ministry of Finance, Finanstilsynet prepared a report in 2024 on competition in the Norwegian banking market. The report contains an overview and assessment of the competitive situation in the Norwegian banking market, as well as proposed measures to strengthen customer mobility and competition.

In Finanstilsynet’s opinion, there is effective competition in the Norwegian banking market. There are a significant number of banks operating in Norway, and most households have access to several banks. It is relatively easy for banking customers to transfer mortgages and deposits between banks. At the same time, certain aspects of the markets may restrict competition. The banking market in Norway is dominated by one large bank, a few large branches of Nordic banks and the largest regional savings banks. The banking market is also characterised by high start-up costs, partly as a result of extensive regulations. At the same time, there are signs that banks' use of product packages may contribute to weakening competition for deposits.