.svg)
The Finnish Financial Supervisory Authority (FSA) will operate under a renewed supervisory strategy for 2026 to 2028, centred around delivering effective and risk-based supervision. From 2026, supervisory priorities will place particular emphasis on the operational reliability of digital services and on preparing supervised entities for extreme economic and market phenomena. Alongside these annual priorities, the FSA will continue its ongoing monitoring of solvency, good governance and compliance with codes of business conduct.
For 2026, the FSA has planned 35 new inspections and 24 thematic assessments, a slight increase from 2025, when 33 inspections and 18 thematic assessments were conducted. As financial services continue to digitise, the FSA needs deeper, more frequent on-site and thematic reviews to assess operational resilience standards. A modest increase suggests a measure of strengthening supervisory depth rather than a signal of systemic concern.
The inspections and thematic reviews on the following areas will be conducted on banks:
- Credit risk.
- Preventing money laundering and terrorist financing, particularly through the practice of enhanced due diligence.
- Interest rate risk.
- Compliance with environmental, social and governance (ESG) guidelines.
- Codes of business conduct, regarding instant payments and dispute resolution.
- Capital stress tests.
- Operational risk.
There is a significant focus on anti-money laundering (AML) in the inspections and thematic reviews planned to be conducted on payment institutions, particularly in the following areas:
- Compliance with the Payment Institutions Act and money laundering regulations, regarding the risk assessment undertaken by these entities.
- Customer due diligence.
The strategy also includes the planned inspections for the investment and consumer credit sector.
The bigger picture
A closer comparison of the 2025 and 2026 supervisory strategies shows that the FSA is responding to the same underlying risk landscape, but with a material shift in focus from embedding new regulatory requirements to assessing the resilience of institutions under highly unlikely negative scenarios.
In 2025, supervisory priorities were framed primarily around structural and regulatory change. Heightened geopolitical uncertainty and changes in the regulatory environment underpinned a broad focus on operational and financial preparedness, ICT and cyber risks, outsourcing, ESG risks and the increasing use of artificial intelligence. Much of this agenda was driven by the implementation of new regulatory regimes, notably Regulation (EU) 2022/2554 (DORA) and Regulation (EU) 2024/1689 (EU AI Act).
By contrast, the 2026 strategy builds on these foundations but places them within a tail-risk-based strategy, which is a highly unlikely but negative scenario, such as the explicit reference to a potential loss of trust in US investment targets. Rather than focusing on firm-level compliance with prudential or conduct rules, the FSA is signalling concern about global confidence shocks that could rapidly transmit to Finnish institutions through market exposures. This moves supervision towards assessing whether institutions can withstand abrupt crisis events, rather than meeting baseline regulatory expectations. This reflects a move from implementation risk to survivability risk.
Although geopolitical risk was already an implied influencer of strategy in 2025, the 2026 strategy is more explicit in identifying Russia’s war of aggression and its hybrid influence as concrete supervisory concerns. The specific reference to hybrid threats highlights increased vulnerability to cyberattacks, operational disruption and interference with critical digital infrastructure, elevating cyber risk from a technology issue to a core financial-stability concern. This helps to explain why operational resilience has become a headline supervisory priority in 2026, as opposed to being treated as one risk category among many.
The explicit inclusion of decreased US market confidence and Russian hybrid threats underscores a supervisory mindset concerned about global interconnectedness and non-linear risk transmission, rather than regulatory change alone. In simple terms, the FSA recognises that modern financial markets are highly integrated, and volatility in US markets can affect investor sentiment in Europe and hybrid threats such as cyberattacks can impair operational continuity without warning. The FSA recognises that shocks do not spread smoothly and predictably, and this is reflected in its renewed strategy to better prepare firms for them.
AML remains a common priority, but in 2026 with a focus on evolution. In 2025, AML supervision in financial services was concentrated on sanctions compliance, aligned with geopolitical developments and the enforcement of restrictive measures. On January 29, 2026, the FSA published the results of the thematic review on sanctions screenings by supervised entities and found:
- Screening systems failed to detect names associated with national freezing orders, doing so poorly or not at all.
- Delays were found in the updating of the sanctions list of up to 24 hours.
- Outsourcing system maintenance resulted in poorer results than when maintenance was handled in-house.
The shift in 2026 towards enhanced due diligence and risk assessments does not signal a deprioritisation of sanctions, but can be understood as a supervisory response to the limitations of sanctions screening as a standalone control. Sanctions failures often reflect deeper structural issues, which include insufficient understanding of customer risk or weak beneficial ownership identification. Rather than an over-reliance on lists, identifiers and known risk indicators, the focus on enhanced due diligence and risk assessment frameworks is a preventive measure. This allows institutions to identify emerging risks before they materialise into sanctions breaches.
This change in approach also reflects concerns about operational resilience, where the sanctions thematic review exposed vulnerabilities linked to outsourcing and inadequate screening systems. This underscores that AML effectiveness is dependent on resilient operational arrangements and governance. By elevating enhanced due diligence and risk assessments in 2026, the FSA is implicitly testing where AML frameworks are sufficiently implemented on the frontline in the event of disruptions, cyber incidents or system failures.
The FSA’s 2026 priorities are an escalation in supervisory ambition compared with the agenda set in 2025. The strategy remains grounded in ensuring operational resilience in uncertain environments, as well as ensuring that governance, AML controls, digitalisation and risk management frameworks are capable of mitigating emerging risks. This reflects stability in supervisory expectations, but with a sharper emphasis on extreme geopolitical scenarios, indicating that the threshold for acceptable preparedness has increased.
Why should you care?
For financial service and payment service providers, understanding the transmission channels of these geopolitical shocks is essential for maintaining operational resilience. Although the FSA has framed significant confidence shocks as remote possibilities, the actions of neighbouring Nordic counterparts suggest a different reality. For example, pension funds in Denmark and Sweden, AkademikerPension and Alecta, have already executed strategic withdrawals from the United States markets, due to decreased policy predictability and increasing US debts.
The consistent discourse regarding Greenland's status and associated threats serves as a catalyst for a broader shift in US-European relations that could rapidly be transmitted through market exposures. In January 2026, President Trump intensified pressure to acquire Greenland as part of the US territory, while threatening to use military force. Trump has said the US would impose tariffs on several European countries, including the UK, until an agreement to cede the island is reached. Given the precedent set by Danish and Swedish firms, Finnish firms must recognise that the “rare” events described by the FSA are already active considerations for regional peers and be prepared for such events.
Vixio’s verdict
Looking ahead, the FSA’s renewed strategy signals a supervisory posture that is increasingly forward-looking and stress-oriented, shaped by high-impact risks rather than regulatory change. Although the FSA describes certain geopolitical shocks as low-probability events, their inclusion within the supervisory strategy indicates that they are being treated as potential high-impact risks requiring preparation. It reflects a precautionary approach to supervision, whereby firms are expected to consider severe but uncertain scenarios as part of prudent risk management. By incorporating these risks into its strategy, the FSA is reinforcing the importance of resilience planning without signalling that market disruption is anticipated.
Operational resilience emerges as the unifying thread across prudential, AML, conduct and digital risk supervision. The emphasis on enhanced due diligence, robust risk assessments, outsourcing controls, ICT reliability and crisis preparedness indicates that the FSA views resilience as a prerequisite for market confidence and consumer protection.
The strategy reflects a clear shift towards ensuring financial stability in an environment characterised by geopolitical uncertainty, hybrid threats and non-linear risk transmission. The FSA is positioning supervision around loss-of-trust scenarios that could rapidly undermine the Finnish financial system. It can be expected that the threshold for acceptable preparedness will be higher, and resilience under extreme conditions will be the benchmark against which institutions will be judged.
