The Norwegian Interbank Clearing System (NICS) - the backbone of interbank settlement in Norway - is technically operated by Mastercard Payment Services Infrastructure (Norway) AS, a wholly owned subsidiary of Mastercard. The system that calculates net positions among Norwegian banks and transmits settlement results to Norges Bank five times daily runs on infrastructure managed by a US-headquartered card scheme.
This arrangement is not new, but its implications have sharpened. Norges Bank's Financial Infrastructure Report 2025 devoted unusual attention to concentration risk, warning that "dependence on only a few key providers is the case for a number of critical functions in the Norwegian financial infrastructure" and that the growing complexity of provider corporate structures "makes it difficult for authorities and system operators to maintain an overview of providers' risk exposure."
The Nordic payment infrastructure ownership map has undergone a quiet transformation over the past decade. What was once a landscape of domestically owned, bank-consortium-operated clearing houses has become a region where the most critical processing functions sit with a small number of international technology companies. Understanding this shift matters for anyone assessing systemic risk, regulatory policy, or operational resilience in Northern Europe.
How Mastercard Became Norway's Clearing Processor
The story begins with Nets, the Danish-Norwegian payment processor that for decades operated the core clearing infrastructure across the Nordic region. Nets ran NICS in Norway, Nets Denmark handled Danish clearing, and the company provided card processing across the region.
In 2019, Mastercard agreed to acquire Nets' real-time account-to-account (A2A) payments business for EUR 2.85 billion. The deal closed in March 2021 and included Nets' clearing operations, including the contract to operate NICS. The acquired entity was rebranded as Mastercard Payment Services Infrastructure (MPSI).
Bits AS, the Norwegian bank-owned entity that owns and governs NICS, outsourced technical operations to MPSI. In 2024, MPSI assumed full operational responsibility for NICS, replacing the transitional arrangements that had been in place since the Mastercard acquisition.
The result: a system that processes every interbank payment in Norway - salary payments, tax transfers, pension disbursements, utility bills - runs on infrastructure managed by a subsidiary of the world's second-largest card network.
The Broader Nordic Concentration Map
Norway's NICS-MPSI arrangement is not an outlier. Across the Nordic region, payment processing has consolidated into a small number of providers:
Mastercard (via MPSI): Operates NICS clearing in Norway. Through the Nets A2A acquisition, Mastercard also gained Betalingsservice (Danish direct debit), Danish interbank clearing infrastructure, and the underlying technology for Vipps MobilePay's payment processing.
Nexi Group: Acquired Nets' merchant services and issuer processing businesses in 2021 (the part of Nets that Mastercard did not buy). Nexi processes card transactions for banks across the Nordic region and operates significant parts of the Danish and Finnish card processing infrastructure.
Worldline: Through its 2020 merger with Ingenico and subsequent acquisitions, Worldline provides terminal infrastructure and acquiring services across the Nordics. Its recent partnership with Vipps MobilePay for in-store payments extends its reach further.
The net effect: three international companies - two headquartered in the EU (Nexi in Italy, Worldline in France) and one in the US (Mastercard) - collectively process the majority of Nordic payment transactions, from interbank clearing to card issuing to merchant acquiring.
Why Norges Bank Is Concerned
Norges Bank's 2025 Financial Infrastructure Report articulated several specific concerns about this concentration:
Systemic single points of failure: When multiple critical functions depend on the same provider, a single operational disruption can cascade across the entire payment ecosystem. The report noted that NICS experienced two "severe operational disruptions" in 2024, though it attributed these to broader systemic factors rather than provider-specific failures.
Jurisdictional complexity: International providers operate through chains of subsidiaries and subcontractors, often subject to regulation in different jurisdictions. The report warned that this complexity "makes it difficult for authorities and system operators to maintain an overview of providers' risk exposure." A decision made at Mastercard's headquarters in Purchase, New York, could affect the operational parameters of Norway's clearing system.
Cloud concentration: The report flagged the financial sector's growing dependence on cloud services, noting that "the market is dominated by a few multinationals." Nordic banks increasingly run core banking and payment processing on cloud infrastructure provided by AWS, Microsoft Azure, and Google Cloud - adding another layer of concentration atop the payment processor layer.
Limited domestic alternatives: The consolidation wave has reduced the number of credible domestic or Nordic providers capable of operating critical payment infrastructure. If a relationship with an international provider fails or becomes untenable, there are few ready alternatives.
The Sovereignty Dimension
The geopolitical context has amplified these concerns. Russia's invasion of Ukraine in 2022 prompted a broader reassessment of critical infrastructure dependencies across the Nordic-Baltic region. Sweden's Riksbank mandated offline payment capability by July 2026 specifically because a scenario where digital payment infrastructure becomes unavailable - whether through cyberattack, physical disruption, or provider failure - is no longer theoretical.
For a country like Norway - a NATO member sharing a border with Russia, with a nearly cashless economy where electronic payments process over 99 percent of retail transactions - the question of who controls the clearing infrastructure is a national security consideration, not just a regulatory one.
Norges Bank has imposed conditions on the MPSI arrangement: physical infrastructure, including data centres and local network infrastructure, must remain in Norway, and a contingency arrangement with physical infrastructure has been established in Sweden. These are meaningful safeguards, but they address the data residency question rather than the operational control question.
The P27 Counterfactual
The failed P27 initiative - which would have created a Nordic-owned, bank-consortium-operated cross-border clearing house - represents the path not taken. Had P27 succeeded, the Nordics would have had a domestically controlled clearing infrastructure processing domestic and cross-border payments across Sweden, Denmark, Norway, and Finland.
P27's failure in 2023, driven by conflicting stakeholder interests and the loss of critical mass when Swish volumes were excluded, means that no Nordic-owned alternative exists for the functions now performed by international providers. The irony is that P27 was partly designed to address exactly the concentration risk that Norges Bank now warns about.
What Mitigations Exist
Nordic regulators have several tools at their disposal, though none fully resolves the concentration challenge:
Contractual safeguards: Requirements for data residency, local staffing, and contingency infrastructure, as Norges Bank has imposed on MPSI. These limit geographic risk but do not address operational dependence.
Regulatory oversight: The European Digital Operational Resilience Act (DORA), which applies to EU/EEA financial entities and their critical ICT providers, creates a framework for supervising concentration risk at systemically important providers. Nordic regulators can designate critical third-party providers for direct oversight.
Domestic fallback: Norway's requirement for physical infrastructure in-country and contingency arrangements in Sweden provides a basic domestic fallback. But operating a complex clearing system requires not just hardware but also specialist staff, software, and institutional knowledge - capabilities that may not be easily replicated domestically.
European alternatives: As Nordic countries migrate settlement to the Eurosystem's TARGET platform (Denmark already on T2/TIPS, Norway in dialogue with the ECB), the settlement layer moves to central bank infrastructure. But clearing - the pre-settlement calculation of net positions - remains with commercial providers.
Implications for Practitioners
For banks and PSPs operating in the Nordics, the concentration of payment processing creates practical considerations:
Operational risk assessment: Treasury and operations teams need to map their full dependency chain - not just which systems they connect to, but who operates those systems, and who provides services to the operators. A bank's NICS connectivity may ultimately depend on Mastercard's global operational stability.
Business continuity planning: Contingency plans that assume the clearing system will always be available need updating. The 2024 NICS disruptions demonstrate that even well-operated systems experience outages.
Vendor diversification limits: In a concentrated market, diversification options are limited. If your clearing runs through MPSI, your cards through Nexi, and your terminals through Worldline, switching any one provider requires significant migration effort with few alternative suppliers.
The Nordic payment infrastructure concentration is an example of a broader global trend: as payment processing industrialises and economies of scale drive consolidation, the number of entities that national payment systems depend on shrinks. The efficiency gains from consolidation are real, but so are the systemic risks - and the tension between the two is one of the defining regulatory challenges in European payments.
Sources: Norges Bank - Financial Infrastructure Report 2025; Bits AS - Management of NICS by MPSI; Mastercard - Completes Acquisition of Nets A2A Business; Flagship Advisory Partners - P27 Lessons Learned.