Country Overview
Ranked by a 2021 study as the most cybersecure country in the world,1 Denmark has prioritized cybersecurity alongside ambitious digitalization goals. The country’s Digital Growth Strategy, launched in January 2018, allocates EUR 134 million a year (approximately USD $159 million)—up until 2025—towards digital initiatives. The strategy aims to bolster Denmark’s reputation as a strong digital economy and society, with initiatives seeking to attract foreign tech companies, tap into emerging technologies like AI and big data, strengthen cybersecurity and further incorporate digital technologies into citizens’ and companies’ routines. With its social and political stability, wealth and tech-friendly populace, Denmark is well on its way to achieving its mission and solidifying its status as a global innovation hub.
The rapid rise of fintech in Demark has further contributed to its digital transformation. Fintech has increasingly integrated into the financial sector, driving competition and innovation in the Nordic country. Government initiatives like the Fintech Forum and FT Lab, a regulatory sandbox, have been instrumental in ensuring the sector is well-supported.
Although the COVID-19 pandemic powered a 3.3% contraction in Denmark’s GDP, its post-COVID recovery has been strong and swift—with a forecasted GDP expansion of 2.8% in 2021.2 This resilient landscape will draw startups away from harder-hit European hubs, especially as the Danish recovery package includes noteworthy financial support for SMEs.
The Danish 2021 digital agenda focuses on strengthening AML measures, the digital economy and post-pandemic recovery. The NemID digital identity will be replaced by the MitID, an upgraded digital identity infrastructure that will phase out the old one by 2022. The Project 27 (P27) initiative—a collaboration between Danish, Finnish and Swedish banks which seeks to establish the globe’s first real-time, cross-border and cross-currency payment system—has stalled, but could revolutionize the payments industry at its expected launch in 2022. Denmark has already abandoned the idea of a central bank digital currency following a 2016-17 study.
As MitID is being rolled out, Denmark along with the other EU member states are preparing for the EU’s European Digital Identity wallets as part of eIDAS reform. It remains to be seen what happens with MitID. A likely scenario is that MitID could be enhanced to conform to the EU digital wallet scheme. At the time of this report’s publishing date it is unclear.
Financial Regulatory Authorities
Central Bank: Danmarks Nationalbank is the central bank of Denmark. A non-eurozone member of the European System of Central Banks, it is responsible for issuing currency and ensuring monetary stability.
Data Protection Agency: The Danish Data Protection Agency (Datatilsynet) oversees compliance with protection of personal data rules.
The Danish Financial Supervisory Authority (Finanstilsynet or DFSA) is responsible for the regulation of financial markets in Denmark.
Policy, Laws and Regulations
Amended Executive Order on Reporting Information in Risk Assessment per Money Laundering Act Goes into Effect, 01 July 2021
The executive order on “Reporting information for use in the Danish Finanstilsynet's risk assessment of companies and persons covered by the Money Laundering Act” was amended and went into effect. The executive order was expanded to apply to virtual asset service providers (VASPS), which include digital wallet providers, cryptocurrency exchanges and banks handling cryptoassets. A February 2021 Financial Action Task Force (FATF) report on Denmark’s progress in strengthening its AML/CFT framework noted that the country had resolved most of the technical deficiencies identified in a 2017 Mutual Evaluation Report. However, FATF downgraded Denmark to “partially compliant” on a recommendation pertaining to the regulation of new technologies, with regard to compliance requirements for VASPs. The agency critiqued Denmark’s lack of action in identifying unregistered VASPs and in excluding from its scope exchanges between or more types of virtual asset, transfers of virtual assets and financial services related to an issuer’s offer and/or sale of virtual assets. The amended executive order is a key step in ensuring full compliance with the FATF’s recommendation and strengthening AML measures as cryptocurrencies surge in popularity. Both the EU and individual member states are rapidly expanding regulatory frameworks to apply to virtual currencies, as with the 5AMLD and MiCA.
Hvidbjerg Bank Completes First Payment Utilizing New Digital Identity Infrastructure, 12 May 2021
Hvidbjerg Bank and BEC Financial Technologies conducted the first payment utilizing MitID, the long-awaited digital identity infrastructure that will replace NemID. MitID, which will be more flexible and secure than its predecessor, is an app that can be used for approving logins and payments. Once MitID has been sufficiently tested, it will launch across Denmark, with a six-month transition period until NemID is completely phased out. Due to delays, the solution will most likely be ready in summer 2022.
Data Protection Agency Updates Guidelines on Consent, 09 May 2021
The Danish Data Protection Agency published its updated guidelines on consent, per the processing of personal data under the EU’s General Data Protection Regulation (GDPR). The updates include the clarification that, “It is now clear that public authorities cannot, in principle, process personal data on the basis of consent.” Indeed, the guidelines stress that consent is merely one of “several equal legal bases that the data controller can use to process personal data,” so the giving of consent does not supersede these other means. The guidelines provide further guidance on determining legal consent.
Financial Supervisory Authority Issues Report on AML and Technology Project, 28 April 2021
The Danish Financial Supervisory Authority (DFSA) published a report on an AML and technology (AML/TEK) project, which proposes seven initiatives in support of streamlined customer due diligence procedures. The project’s overarching theme is improved cooperation and communication between sectors in combating money laundering. The seven initiatives include:
- 1. Support for the establishment of a common shared infrastructure in undertaking KYC measures, with a focus on dialogue and decision-making in ensuring compliance with the Money Laundering Act
- 2. Creation of a mechanism for the validation of company data in the Central Business Register
- 3. Use of the MitID digital identity solution in identity verification
- 4. Creation of a digital solution in undertaking PEP (politically exposed person) screenings
- 5. Inter-sector collaboration in the identification of generalized scenarios regarding transaction monitoring
- 6. Greater access to government data
- 7. Sharing of risk flags
The proposals have been issued for a public consultation.
Proposal on Supplemental Provisions to the Regulation on ENISA, 23 February 2021
The Ministry of Trade and Industry introduced the L 174 Proposal, which adds supplemental provisions to the Regulation on ENISA (European Union Agency for Cybersecurity) on cybersecurity certification of information and communication technologies and repeals Regulation (EU) No 526/2013. Unanimously adopted, the proposal establishes a European scheme for cybersecurity in Denmark. Danish companies must obtain certification for their products, services and processes that rely on information and communication technologies. The Danish Safety Technology Authority will conduct the certification process, and has the power to revoke certifications if requirements are not met.
Danish Act on Payments Published in Official Gazette, 27 November 2020
The Danish Act on Payments, which supplements the Revised Payment Services Directive (PSD2), outlines the requirements for issuers of electronic money and providers of payment services to apply for a license with the Financial Supervisory Authority. Companies providing credit information services must also apply for a license with the DFSA through a similar, but less rigorous, process. Upon receipt of a license, companies providing credit information will be treated as payment service companies and must comply with the Payments Act. The act allows for better accommodation of an increasing variety of players in the rapidly evolving payments industry, especially as fintech companies flock to Denmark and the Nordic region.
In response to questions on the implementation of the Payments Act, the Danish Financial Supervisory Authority and the Danish Competition and Consumer Authority published guidelines on Section 63, on 11 February 2021. Section 63 outlines a requirement for banks to give payment institutions access to payment account services so that the institutions can perform transactions. The guidelines stress the importance of this access and the role of payment institutions in strengthening competition. Although Section 63 does not prevent banks from terminating payment institutions’ access to payment account services, such terminations must not be conducted on an arbitrary basis.
Financial Supervisory Authority Publishes Guidance on Prevention of Money Laundering and Terrorist Financing Act, 02 November 2020
The DFSA published its revised guidelines on the Money Laundering Act. Changes include a more a stringent KYC process, reporting obligations to companies’ boards of directors and modifications for obtaining and verifying identity evidence of beneficial owners. The guidelines also address the technical infrastructure of APIs, which can limit the amount of information viewable to payment initiating service providers (PISPs), such as the identity of the payer. PISPs must still monitor and assess customers’ transactions for money laundering risks. Although PISPs do not pose as high a risk for money laundering in comparison with other payment service providers, they are still obligated to conduct a risk assessment of the customer relationship. Companies providing account information services (AISPs) do not fall under the purview of the Money Laundering Act.
Although Denmark has traditionally enjoyed a low rate of financial crimes, Danske Bank and Nordea nevertheless face investigations over lapses in their respective AML frameworks. With the increase of pandemic-driven financial crime and a rapid growth in sophisticated criminal methods, Denmark is especially keen on bolstering its AML/CFT measures.
In conjunction with seven other Nordic and Baltic countries, Denmark has entered into an agreement with the International Monetary Fund (IMF), which has been tasked with conducting an assessment of the region’s ML/TF landscape. It is expected to deliver its results and recommendations in mid-2022.
New National Strategy for Cyber and Information Security, 16 November 2020
Denmark published the terms of reference for its new national strategy for cyber and information security, which is expected to be released in 2021. The four overarching principles include management anchoring and competence building, robustness and resilience, cooperation and organization, and international efforts and contributions. This focus on a harmonized, cross-sector approach has been increasingly adopted across the EU and individual member states.
Reference:
1. Bischoff, Paul. “Which countries have the worst (and best) cybersecurity?” Comparitech, 24 March 2021. https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/.
2. “The economic context of Denmark.” Nordea. https://www.nordeatrade.com/se/explore-new-market/denmark/economical-context.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021