Sweden's Financial Supervisory Authority has issued a legal position on how the Security Protection Act should be interpreted, concluding that the security protection officer is part of a firm’s operational activities and therefore subject to the same internal control requirements that apply to the rest of the operational business. The clarification is relevant for banks and other financial firms, including equivalent foreign firms established in Sweden, that conduct security-sensitive activities and are therefore generally expected to have a security protection officer. For credit institutions within the scope of the act, the security protection officer and their work must be monitored, controlled and reviewed by the firm’s risk control, compliance and internal audit functions.
Finansinspektionen 2025-12-10
Sweden's Financial Supervisory Authority clarifies internal control expectations for firms’ security protection officers under the Security Protection Act
Sweden's Financial Supervisory Authority clarified that under the Security Protection Act, the security protection officer is part of a firm's operations and subject to internal control requirements. This applies to banks and other financial firms, including equivalent foreign firms established in Sweden, that conduct security-sensitive activities. Credit institutions within the scope of the act must ensure that the officer and their work are monitored, controlled and reviewed by the risk control, compliance, and internal audit functions.