The operating environment of the financial sector has for years been dynamic and changing. Subdued economic growth and prolonged geopolitical tensions kept risks in the sector at an elevated level. In this environment, the strong solvency of our supervised entities is the primary protective factor and will remain central to our supervision.

Cyber security increasingly important

Geopolitical tensions, combined with the changes brought about by digitalisation and artificial intelligence (AI), are making cyber security an increasingly important part of our supervision.

The Digital Operational Resilience Regulation (DORA)¹ will compel many financial actors to regularly test their cyber security and resilience to cyber incidents. A significant new element is that the Regulation also extends to IT partners providing services to the financial sector.

Towards the end of the year under review, cyber security was shaken, in particular, by an exceptionally large-scale denial of service attack targeting a supervised entity and by cable failures in the Baltic Sea. Our supervised entities report cyber incidents to us immediately and also provide us with an incident report after the incident has ended. We work closely with supervised entities during incidents, but we allow them to focus on rectifying the situation and we only address any shortcomings after the situation has been resolved.

By strengthening resilience in advance, we minimise the impact of such attacks or damage on our society and at the same time mitigate the effectiveness of criminal actions.

The importance of cyber security and related resilience applies to all the sectors we supervise. Last year, led by the ECB, we tested cyber resilience in the banking sector, and this year we will extend this nationally to other supervised sectors.

Making the fraudster’s work more difficult

The biggest vulnerability factor in cyber security is people, however. During the year, we observed a rise in the number of various scams. Even the supervisor’s name has been used in scam attempts.

The growing popularity of virtual currencies has led to an increase in investment-type scams. The entry into force of virtual currency regulations² has, however, imposed new registration obligations on virtual currency providers. Even after this, it is essential to exercise particular vigilance with investments involving crypto assets, because once a scam takes place, there is generally little scope for restitution.

Banks must also take more responsibility for preventing fraud by making it as difficult as possible for fraudsters. It is important for banks and other actors to build protections against fraud into their services: for example, bank transfer restrictions set by customers themselves are possible within the framework of current legislation.

Teaching people to recognise scams is also important. At a joint event for high school students, held with the Financial Literacy Centre and the Bank of Finland, we talked about recognising scams as well as the need for healthy suspicion when faced with “good offers”.

AI is a good tool in the hands of responsible actors. Its use is increasing, and the new AI Act will also extend oversight to this field. Unfortunately, AI is also fuelling crime and making it increasingly easier to produce fraud-oriented content.

Stakeholder trust provides a strong foundation for our work

The stakeholder survey we conducted in autumn 2024 showed that the trust our stakeholders, and particularly our supervised entities, hold in us is excellent. This provides a strong foundation for our supervision, as only a trusted supervisor can, in accordance with its statutory duties, ensure stability and confidence in the financial sector it supervises.

We also received good feedback that dialogue with the FIN-FSA is effective and that our operations are professional and have evolved for the better. Nearly 90 per cent of respondents were satisfied with the FIN-FSA’s communication and interaction, which, according to the survey, are considered to be expert and useful.

Our strategy for 2023–2025 made proactivity and predictability a priority. We still have room for improvement in these areas, although we are already heading in the right direction.

A predictable and proactive supervisor

Much has already been done. For three years in a row, the FIN-FSA has published its focus areas for supervision for the coming year, so that supervised entities know what is particularly important to the us. The use of supervision calendars specific to individual supervised entities will also be harmonised.

We have long published the key findings of our thematic reviews of the supervised entity sector, but this spring we will start to publish summaries of inspections of individual supervised entities. This will bring predictability to the whole supervised entity sector, as knowledge of the supervisor’s areas of emphasis will grow. At the same time, the effectiveness of supervision will increase, as the findings of an individual inspection may provide guidance to the entire sector. Our predictability will also be enhanced by active communication and events arranged for supervised entities.

We have improved our predictability through, for example, operating environment analyses. AI is also enhancing the utilisation of data and thus supervision overall. A number of AI utilisation projects are under way, aimed at improving the coverage and quality of supervision.

Soundness of supervised entities’ activities must be maintained in a changing operating environment

Proactivity and predictability also play a key role because our supervised entities are themselves responsible for ensuring that their activities comply with the law. Contrary to what is often assumed, we do not approve or reject individual actions of supervised entities. Instead, we monitor that a supervised entity’s governance, risk management, processes and expertise are at a level that ensures compliance with the law.

For this reason, the soundness of supervised entities’ governance was a focus area of our supervision last year, and it remains so this year. It underlies everything and ensures the legality and soundness of a supervised entity’s activities.

Due to the uncertainty of the operating environment, preparing for less favourable developments than forecast and managing IT and cyber risks continue to be focus areas of our supervision. Regulation and greater incidence of environmental disasters are also keeping sustainability issues at the centre of our supervision: supervised entities must prepare for the associated risks and, moreover, provide accurate and regulatory-compliant information on sustainability issues in their own activities.

Changes in the operating environment, new regulations and, for example, the rise of AI are also bringing changes to our own activities. We are developing the expertise of our personnel in these areas. A leadership survey conducted at the end of the year reported that our personnel feel that support for professional development is at a good level. This is vital because expert personnel are the most important factor in ensuring effective supervision.

I would like to thank all FIN-FSA personnel for the past year.

Helsinki, 3 March 2025

Tero Kurenmaa

^{1 Digital Operational Resiliency Act, DORA.
2 Markets in Crypto-Assets Regulation, MiCA.}