Professional Documents
Culture Documents
2021 Fintech Book
2021 Fintech Book
2021 Fintech Book
2021
Contributing editors
Angus McLean and Penny Miller
Fintech
tom.barnes@lbresearch.com
Subscriptions
Claire Bagnall
2021
claire.bagnall@lbresearch.com
Published by
Law Business Research Ltd Contributing editors
Meridian House, 34-35 Farringdon Street
London, EC4A 4HL, UK Angus McLean and Penny Miller
The information provided in this publication Simmons & Simmons LLP
is general and may not apply in a specific
situation. Legal advice should always
be sought before taking any legal action
based on the information provided. This
information is not intended to create, nor
does receipt of it constitute, a lawyer– Lexology Getting The Deal Through is delighted to publish the fifth edition of Fintech, which is
client relationship. The publishers and available in print and online at www.lexology.com/gtdt.
authors accept no responsibility for any Lexology Getting The Deal Through provides international expert analysis in key areas of
acts or omissions contained herein. The law, practice and regulation for corporate counsel, cross-border legal practitioners, and company
information provided was verified between directors and officers.
June and August 2020. Be advised that this Throughout this edition, and following the unique Lexology Getting The Deal Through format,
is a developing area. the same key questions are answered by leading practitioners in each of the jurisdictions featured.
Our coverage this year includes new chapters on Australia, Brazil, Denmark, Egypt, Liechtenstein,
© Law Business Research Ltd 2020 Malta, New Zealand and Turkey.
No photocopying without a CLA licence. Lexology Getting The Deal Through titles are published annually in print. Please ensure you
First published 2016 are referring to the latest edition or to the online version at www.lexology.com/gtdt.
Fifth edition Every effort has been made to cover all matters of concern to readers. However, specific
ISBN 978-1-83862-339-5 legal advice should always be sought from experienced local advisers.
Lexology Getting The Deal Through gratefully acknowledges the efforts of all the contribu-
Printed and distributed by
tors to this volume, who were chosen for their recognised expertise. We also extend special
Encompass Print Solutions
thanks to the contributing editors, Angus McLean and Penny Miller of Simmons & Simmons LLP,
Tel: 0844 2480 112
for their continued assistance with this volume.
London
August 2020
www.lexology.com/gtdt 1
© Law Business Research 2020
Contents
Introduction5 Indonesia102
Angus McLean and Penny Miller Winnie Rolindrawan and Harry Kuswara
Simmons & Simmons LLP SSEK Legal Consultants
Australia6 Ireland109
Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Liam Flynn and Lorna Smith
Tim O’Callaghan and Andrew Rankin Matheson
Piper Alderman
Japan117
Belgium17 Akihito Miyake, Ken Kawai, Tomoyuki Tanaka and Asako Matsuo
Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Anderson Mori & Tomotsune
Dimitri Van Uytvanck and Marc de Munter
Simmons & Simmons LLP Kenya125
John Syekei, Dominic Indokhomi, Irene Muthoni and Mercy Mwaniki
Brazil28 Coulson Harney Advocates
Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga,
Érica Yamashita, Diego Gualda, Vinicius Costa and Alina Miyake Liechtenstein134
Machado Meyer Advogados Thomas Nägele and Thomas Feldkircher
NÄGELE Attorneys at Law
China39
Jingyuan Shi Malta142
Simmons & Simmons LLP Leonard Bonello and James Debono
Ganado Advocates
Denmark48
Rasmus Mandøe Jensen and Christian Scott Uhlig Netherlands150
Plesner Advokatpartnerselskab Aron Berket, Jeroen Bos and Marline Hillen
Simmons & Simmons LLP
Egypt57
Mohamed Hashish New Zealand 161
Soliman, Hashish & Partners Derek Roth-Biester and Megan Pearce
Anderson Lloyd Lawyers
Germany64
Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Singapore170
Felix Biedermann, Janine Marinello, Jochen Kindermann, Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo,
Martin Gramsch and Sascha Kuhn Ng Aik Kai, Sun Zixiang, Low Si Rong and Seah Ern Xu
Simmons & Simmons LLP Simmons & Simmons JWS
2 Fintech 2021
© Law Business Research 2020
Contents
Sweden203
Emma Stuart-Beck, Caroline Krassén, Anton Sjökvist, Mikaela Lang,
Henrik Schön, Trine Osen Bergqvist, Nicklas Thorgerzon,
Karl-Hugo Engdahl, Maria Schultzberg, Viveka Classon
and Malin Malm Waerme
Vinge
Switzerland212
Clara-Ann Gordon and Thomas A Frick
Niederer Kraft Frey
Taiwan220
Abe T S Sung and Eddie Hsiung
Lee and Li Attorneys at Law
Turkey230
Cigdem Ayozger Ongun and Begum Erturk
SRP-Legal Law Firm
www.lexology.com/gtdt 3
© Law Business Research 2020
Introduction
Angus McLean and Penny Miller
Simmons & Simmons LLP
What’s old is new dealing with young fintech firms in the future, not to mention inves-
With the excitement surrounding the potential for financial technology tors. The next few years will present the ultimate test for the energy,
to change the world and transform lives over the past few years, it resourcefulness and adaptability of the entrepreneurs who will have
is worth remembering that financial innovation has been with us for to navigate their businesses through these unprecedented headwinds.
some time. From the invention of money before the beginning of written
history to the advent of the double-entry accounting method in Korea A broad church
during the Goryeo dynasty and its adoption by the Medici family in the You know that fintech has penetrated the public consciousness when the
14th century, fintech has come a long way. portmanteau enters the dictionary for the first time. Last year, Merriam
However, in recent years it has it has been difficult to open a news- Webster defined fintech as ‘products and companies that employ newly
paper (or a news aggregator) without reading about the promise of developed digital and online technologies in the banking and financial
artificial intelligence, distributed ledger technology, cloud computing services industries’. It should be clear from this definition that fintech
and ever-cheaper computer power. is a broad church. It encompasses businesses of all sizes, from the
Combined with the creation of new business models, the increasing founder writing the first lines of code to some of the largest companies
democratisation of technical education, significant investment and in the world. It also encompasses a wide variety of technologies and
public policy and regulatory support, the fintech sector has experienced business models. Fintech products and services now exist across the
remarkable growth. There can never have been a better time to be a entire financial services sector, including:
fintech-focused entrepreneur, financier, investor, policy maker, tech- • payments processing and networks;
nologist or (whisper it quietly) lawyer. • crypto-assets;
• mobile wallets and remittances;
Challenging times • retail investing and secondary markets;
Is all that about to change though? Like every industry, the fintech • capital markets and institutional trading;
sector has been heavily affected by the covid-19 pandemic. Some sub- • core banking and infrastructure;
sectors within the industry, such as digital asset and payments firms, • wealth management;
have benefited from increased volumes of business. However, many • personal finance and saving;
have struggled both from a business perspective and from the wider • digital banking;
effect the pandemic has had on the global economy. In particular, the • real estate lending and investing;
economic uncertainty created by the pandemic has had a big impact on • financial regulation and compliance;
the ability of fintech firms to raise new investment at the same levels • insurance;
(and valuations) as previously possible. Despite numerous support • payroll and benefits;
packages launched by governments around the globe, this trend looks • credit scores and analytics; and
likely to continue in the short term at least. • personal and business lending.
When taken together with the impact of the accounting scandal
that has embroiled the German payments firm Wirecard, the fintech While there are significant differences between the legal issues affecting
sector looks to be in the eye of a perfect storm of challenges. For a businesses operating across this diverse universe of sub-sectors, this
young industry that has only every enjoyed the tailwinds of a largely publication seeks to address the most pressing issues that we see in
supportive regulatory and policy environment and enthusiastic inves- our day-to-day practice, advising firms in all of these areas.
tors, the double shock of these two very significant events could well
reshape the sector. The public failure and alleged mismanagement of Fintech 2021
one of the biggest names in sector looks likely to be the fintech indus- This publication is intended to provide a user-friendly resource to help
try’s ‘ENRON moment’. fintech entrepreneurs and their advisers and investors around the
How the various stakeholders respond will be key to the longer- world navigate the often complex key legal and regulatory issues on
term prospects for the sector. There is no doubt that events at Wirecard which we are most often asked to advise.
have already had an impact on the level of regulatory scrutiny that is Now, more than ever, understanding the legal and regulatory
being imposed on fintech firms. That trend is only likely to continue landscape on which you operate is paramount to success. We hope this
as regulators and policymakers begin to look at the sector with a new edition serves as a valuable reference point wherever you are on your
perspective. It will also inevitably affect the approach of counterparties fintech journey.
www.lexology.com/gtdt 5
© Law Business Research 2020
Australia
Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Tim O’Callaghan
and Andrew Rankin
Piper Alderman
FINTECH LANDSCAPE AND INITIATIVES be made available from 1 July 2020, with consumer data relating to
mortgages and personal loans to be made available from 1 November
General innovation climate 2020. However, the Australian Competition and Consumer Commission
1 What is the general state of fintech innovation in your (ACCC) has given non-major banks and credit unions temporary exemp-
jurisdiction? tion to begin sharing product reference data from those dates on the
basis that covid-19 has caused widespread delays and resource real-
The Australian fintech sector continues to rapidly evolve, as entities locations at banks.
work together to transform the industry and reshape the provision On 7 February 2020, the Hon Karen Andrews announced the
of financial services in the wake of covid-19. Recognising the size Department of Industry, Innovation and Science’s National Blockchain
and scope of the opportunity for Australian consumers and business Roadmap, which identifies opportunities for Australia to capitalise on
arising from fintech, the federal government established a Senate economic opportunities presented by blockchain technologies. The
Select Committee on Financial Technology and Regulatory Technology Department of the Treasury is due to publish its report on initial coin
in late 2019, to which there have been over 160 public submis- offerings, arising from a consultation held in early 2019.
sions to date.
FINANCIAL REGULATION
Government and regulatory support
2 Do government bodies or regulators provide any support Regulatory bodies
specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and
benefits of such support? services?
6 Fintech 2021
© Law Business Research 2020
Piper Alderman Australia
In general, these activities include any product or service with a predom- Collective investment schemes
inant investment character and any dealing in that product or service. In 7 Describe the regulatory regime for collective investment
addition, the federal government announced in May 2020 that litigation schemes and whether fintech companies providing alternative
funders would be required to hold an AFSL. finance products or services would fall within its scope.
Activities relating to the following credit products constitute
carrying on a credit activity and require an ACL: Collective investment arrangements usually fall within the scope of the
• credit contracts; Corporations Act definition of a ‘managed investment scheme’ (MIS).
• credit services (ie, credit assistance and acting as an intermediary); An arrangement or scheme will be an MIS if:
• consumer leases; • people contribute money or money’s worth as consideration to
• mortgages; and acquire interests to benefits produced by the scheme (whether the
• guarantees, both as the credit provider or as a person that performs rights are actual, prospective or contingent, and whether they are
the obligations, or exercises the rights, of a credit provider. enforceable);
• any of the contributions are pooled or used in a common enter-
Lending is regulated only if it is to an individual or strata corporation prise to produce financial benefits or benefits consisting of rights
predominantly: or interests in property for the members who hold interests in the
• for personal, domestic or household purposes; scheme; and
• to purchase, renovate or improve residential property for invest- • members of the scheme do not have day-to-day control of the
ment purposes; or operation of the scheme (regardless of whether they have voting
• to refinance credit that has been provided wholly or predominantly or other similar rights).
to purchase, renovate or improve residential property for invest-
ment purposes. The definition of an MIS is deliberately broad and can include arrange-
However, some exceptions apply. ments that would not traditionally be considered an investment.
Examples include class action litigation, collective buying schemes,
Taking money on deposit (other than as a part payment for goods or digital token offerings meeting the above definition, lottery syndicates
services) and making advances of money amounts to banking business and time share schemes.
and will require an authorised deposit-taking institution (ADI) licence. After being announced in the 2016–17 Federal Budget, the regula-
tory framework for a new corporate collective investment vehicle (CCIV)
structure is yet to be settled but is expected to include:
www.lexology.com/gtdt 7
© Law Business Research 2020
Australia Piper Alderman
• that a CCIV must be a public company, structured as an umbrella • have their financial reports audited once they raise A$3 million
fund with sub-funds, each of which may hold different assets and or more from CSF offers; and
have different investment strategies; • comply with the related party transaction rules that apply to
• that a CCIV must be operated by a corporate director that is an public companies.
Australian public company and holds an AFSL with CCIV authori-
sation; and Other obligations applicable to CSF offers include:
• that a retail CCIV must separate out investor funds using a licensed • an investor cap of A$10,000 per year per company for retail
depositary with authorisation to provide deposit services to CCIVs, investors;
and this depository will hold the assets of the CCIV on trust and • a CSF offer document containing minimum information; and
provide oversight of the operations of the CCIV. • a five-day cooling-off period for investors.
The CCIV is designed to encourage the entry of new and alternative In addition, CSF offers must be made by the holder of an AFSL or on a
service providers into the Australian market by providing an interna- platform operated by a CSF intermediary holding an AFSL.
tionally recognisable investment structure and making compliance
processes simpler for Australian fund managers seeking to offer prod- Invoice trading
ucts overseas. 11 Describe any specific regulation of invoice trading in your
At present, given the broad definition of an MIS, fintech entities jurisdiction.
making an offering that are at risk of being considered an MIS must
obtain an AFSL and meet disclosure requirements to offer their product. In general, credit facilities (including any kind of financial accommoda-
tion provided by one person to another) are not financial products, so
Alternative investment funds trading in debts is not subject to the AFSL regime. As far as the struc-
8 Are managers of alternative investment funds regulated? ture of a factoring arrangement may cause it to be an over-the-counter
‘derivative’ as defined in the Corporations Act (which ordinarily requires
Collective investment undertakings that do not provide investors with an AFSL to deal in), specific licensing relief is available under the ASIC
day-to-day control over the operation of the investment will generally Corporations (Factoring Arrangements) Instrument (2017/794) in some
be considered an MIS and as a result the provider will need to hold circumstances.
an AFSL. Funds offering specific asset classes, such as hedge fund or
property products, may be subject to additional licensing and disclosure Payment services
obligations. 12 Are payment services regulated in your jurisdiction?
Peer-to-peer and marketplace lending The provision of a purchased payment facility (PPF) or being the holder
9 Describe any specific regulation of peer-to-peer or of stored value for a PPF is deemed to be carrying on banking business.
marketplace lending in your jurisdiction. Consequently, providers of PPFs (eg, digital wallet services) must obtain
an ADI authorisation from APRA. However, the authorisation granted
Australia has no specific legislation dealing with peer-to-peer lending. is typically subject to a condition limiting them to providing PPFs and
However, the investment aspect of these marketplaces will often be preventing them from lending money (other than incidental advances to
structured as an MIS regulated by the Corporations Act, requiring that customers in the course of providing a PPF).
the operator hold an AFSL.
The provision of consumer credit is regulated under the NCCP Open banking
Act, requiring an operator to hold an ACL. The NCCP Act and the NCC 13 Are there any laws or regulations introduced to promote
contain consumer protection provisions requiring an operator to assess competition that require financial institutions to make
whether credit is unsuitable to a consumer before providing it. Credit customer or product data available to third parties?
provided for investment purposes, business purposes or to non-natural
persons is not regulated by the NCCP Act but may be subject to the ASIC On 5 February 2020, the ACCC published the Competition and Consumer
Act if it is provided to small businesses. (Consumer Data Right) Rules. These Rules require Australia’s four
Additional advertising guidance has been published by ASIC for major banks to share product reference data with accredited data recip-
marketplace lending products. ients, and give legislative force to consumer data sharing obligations in
banking. The Rules were meant to become mandatory from 1 July 2020,
Crowdfunding however it has been pushed back three months until 1 October 2020 due
10 Describe any specific regulation of crowdfunding in your to the covid-19 pandemic.
jurisdiction.
Robo-advice
Australia’s regulatory framework for equity-based crowd-sourced 14 Describe any specific regulation of robo-advisers or other
funding (CSF) allows eligible companies to raise up to A$5 million companies that provide retail customers with automated
using CSF. access to investment products in your jurisdiction.
CSF offers can be made only by ‘eligible’ CSF companies, including:
• unlisted public companies with less than: While there is not specific regulation of robo-advisers, ‘robo-advice’
• A$25 million in consolidated gross assets; and is defined in the Australian Securities and Investment Commission
• A$25 million in annual revenue; and (ASIC) Regulatory Guide 255 as the provision of financial product advice
• proprietary companies that: using algorithms and technology and without the direct involvement
• maintain a minimum of two directors; of a human adviser. Where that robo-advice is generating general or
• prepare annual financial and directors’ reports in accordance personal financial product advice, that advice will be a financial service
with accounting standards; under the Corporations Act, unless an exemption applies.
8 Fintech 2021
© Law Business Research 2020
Piper Alderman Australia
To the extent that AI or robo-advice is used to provide a desig- SALES AND MARKETING
nated service under the Anti-money Laundering and Counter-Terrorism
Financing Act 2006 (Cth), the business providing that service – even if Restrictions
automated – will likely have reporting obligations to AUSTRAC. 19 What restrictions apply to the sales and marketing of
financial services and products in your jurisdiction?
Insurance products
15 Do fintech companies that sell or market insurance products A person will be conducting financial and related activities whenever
in your jurisdiction need to be regulated? they publish advertisements in Australia that are reasonably likely to
induce Australians to acquire a financial service or product. Marketing
In general, a person carrying on a life or general insurance business a product itself may constitute an Australian financial services licence-
must be authorised by APRA to conduct business and hold an AFSL, regulated activity, unless an exemption applies.
unless an exemption applies. Persons other than insurers that sell or The Australian Securities and Investment Commission Act provides
market insurance products must hold an AFSL unless a specific exemp- for consumer protection surrounding advertising and marketing of finan-
tion applies. Persons that sell or market home contents or personal and cial services, including prohibitions on misleading or deceptive conduct.
domestic property insurance products with an insured value less than Advertisements and promotional material in respect of credit prod-
A$50,000 may be eligible for 12-month licensing relief under the regula- ucts must comply with the National Consumer Credit Protection Act
tory sandbox exemption in the ASIC Corporations (Concept Validation 2009 (Cth). This includes a requirement to include a credit licensee’s
Licensing Exemption) Instrument 2016/1175. Australian credit licence number on all printed ads.
Advertisements and promotional material in respect of finan-
Credit references cial products must comply with the Corporations Act. This includes a
16 Are there any restrictions on providing credit references or requirement to include the identity of the issuer or the seller, confir-
credit information services in your jurisdiction? mation that a product disclosure statement (PDS) is available and a
statement that a person should consider the PDS in deciding whether to
Subject to the Privacy Act 1988 (Cth), only credit reporting agencies are acquire or to continue to hold a product.
authorised to collect, collate and disclose consumer credit reporting The Australian advertising industry also self-regulates via industry
information to credit providers. There are no restrictions on commer- standards.
cial credit references or commercial credit information, subject to
privacy law. CHANGE OF CONTROL
www.lexology.com/gtdt 9
© Law Business Research 2020
Australia Piper Alderman
represented as a percentage of the total number of voting shares inter- In 2017, amendments to the AML/CTF Act required that digital currency
ests in the relevant entity. 'Associate' is also broadly defined to include: exchanges be registered with AUSTRAC.
• subsidiaries, holding companies and sibling entities controlled by The main provisions regarding anti-bribery are included in federal
the same ultimate holding company; and state or territory legislation, including the Criminal Code Act 1995
• persons with whom the relevant person enters, or proposes to (Cth). Federal legislation prohibits bribing foreign and Commonwealth
enter, into an agreement for the purpose of controlling or influ- public officials, and state or territory legislation prohibits some private
encing the composition of the target's board or its affairs; and and commercial bribery practices. There is currently no specific bribery
• a person with whom the relevant person acts, or proposes to act, in legislation in place in Australia.
relation to the target's affairs.
Guidance
Under the Financial Sector (Shareholdings) Act 1998 (Cth), a person 22 Is there regulatory or industry anti-financial crime guidance
may not acquire more than 20 per cent of the voting shares or practical for fintech companies?
control of Australian banks, other authorised deposit-taking institutions
and Australian insurers without the approval of the federal Treasurer. There is currently no guidance specific to fintech companies.
The restrictions also apply to Australian and foreign holding companies
of these financial sector companies. PEER-TO-PEER AND MARKETPLACE LENDING
Under the Foreign Acquisitions and Takeovers Act 1975 (Cth), there
are restrictions on foreign persons acquiring a substantial interest (ie, Execution and enforceability of loan agreements
more than 20 per cent (individually) or 40 per cent (collectively)) in 23 What are the requirements for executing loan agreements or
Australian companies without the approval of the Foreign Investment security agreements? Is there a risk that loan agreements
Review Board. The constitutions of some Australian companies (particu- or security agreements entered into on a peer-to-peer or
larly those privatised by the federal and state governments) also contain marketplace lending platform will not be enforceable?
restrictions on foreign shareholdings.
There are several exceptions to the takeover prohibition, which Loan and security agreements may be executed by companies either
allow a person to obtain voting power of more than 20 per cent if they with or without a common seal in accordance with section 127 of the
fall within the terms of the permitted exception. The most commonly Corporations Act. Subject to the formulation of a loan agreement, and
relied on exceptions include: state or territory requirements for the execution of deeds (where an
• making a takeover offer; interest in land can only be granted or disposed of by deed), these agree-
• obtaining the approval of members of the target; ments may be executed electronically in accordance with the Electronic
• obtaining control by means of a scheme of arrangement; Transactions Act 1999 (Cth) and equivalent state or territory legislation.
• 'creeping' (ie, acquiring no more than 3 per cent of the voting power The same requirements apply to peer-to-peer or marketplace lending
in any six-month period); platforms. There have recently been amendments made to state, terri-
• underwriting; or tory and federal legislation to provide more certainty around electronic
• making the acquisition through an upstream company listed on an signatures for deeds or for witnessing remotely in response to the
approved foreign financial market. social distancing requirements of covid-19.
10 Fintech 2021
© Law Business Research 2020
Piper Alderman Australia
Artificial intelligence The AML/CTF Rules may be updated by the CEO of AUSTRAC and do not
27 Are there rules or regulations governing the use of artificial require Parliament to change underlying legislation. Where a business
intelligence, including in relation to robo-advice? wishes to offer a service of converting fiat currency to digital currency, it
will be providing a designated service under the AML/CTF Act and that
‘Robo-advice’ is defined in the Australian Securities and Investment business will be required to be registered as a digital currency exchange
Commission (ASIC) Regulatory Guide 255. (DCE) with AUSTRAC unless an exemption applies. This is expected to
The obligations that apply to the provision of traditional financial be expanded in the future to capture conversion services from digital
product advice and digital advice are functionally identical. For example, currency to digital currency.
no Australian financial services licence (AFSL) is required for the Over 300 digital currency exchanges are registered in Australia.
provision of factual information. However, if robo-advice is generating For businesses that plan to issue or offer to deal in digital assets
general or personal financial product advice, that advice will be a finan- or crypto-assets, the starting point is to determine if the crypto-assets
cial service under the Corporations Act, unless an exemption applies. or tokens are financial products within the definition of the Corporations
ASIC has provided specific relief from holding a licence to providers Act. If so, a business issuing crypto-assets will be required to hold an
of generic financial calculators under Regulatory Guide 167 and the AFSL. A business offering to deal in crypto-assets, such as by operating
ASIC Instrument 2016/207. A ‘generic financial calculator’ is defined as a market, must also obtain an AFSL if it is dealing with, giving advice or
a facility, device, table or thing used to make general calculations and providing intermediary services for crypto-assets that constitute finan-
that does not advertise a specific product. cial products.
To the extent that AI or robo-advice is used to provide a desig- If a business is offering payment services, such as accepting crypto-
nated service under the Anti-money Laundering and Counter-Terrorism assets and making payments, assuming the crypto-asset is not a financial
Financing Act 2006 (Cth) (the AML/CTF Act), the business providing that product, the business will still be providing a ‘non-cash payment facility’
service – even if automated – may have reporting obligations to the as defined in section 763D of the Corporations Act, and the entity will be
Australian Transaction Reports and Analysis Centre (AUSTRAC). required to hold an AFSL unless an exemption applies (Regulatory Guide
185 provides for a low value NCP exemption that many fintech businesses
Distributed ledger technology rely on). Digital wallets in Australia will most likely constitute non-cash
28 Are there rules or regulations governing the use of payment facilities. The non-cash payment facility concept in Australia is
distributed ledger technology or blockchains? broadly analogous to the e-money regulatory system in Europe.
Finally, if digital assets stored by a business are financial products,
There are no specific rules or regulations governing the use of distrib- that business must ensure that it holds the appropriate custodial and
uted ledger technology or blockchain. depository authorisations under an AFSL.
ASIC’s INFO 219 sets out an assessment tool for businesses to
identify whether an AFSL may be required for distributed ledger tech- Digital currency exchanges
nology-based (DLT) services. This tool includes a set of factors to be 30 Are there rules or regulations governing the operation of
considered by the business, such as: digital currency exchanges or brokerages?
• Which DLT platform is being used?
• How it will be run? The conversion of fiat currency to a crypto assets is a designated service,
• How does it work? requiring registration as a DCE with AUSTRAC. To register as a DCE, a
• How is the DLT using data? business must prepare an AML/CTF programme and meet specified
• How the DLT affects others? threshold and suspicious transaction reporting obligations.
In addition to the need to register with AUSTRAC, if a DCE is issuing
ASIC’s view is that many DLT token offerings will likely be a managed tokens that are financial products (eg, via an initial exchange offering
investment scheme (MIS), and that fintech providers that offer market or listing a token from an initial coin offering if the tokens constitute
infrastructure or clearing and settlement will likely require licensing or an financial products), the exchange will need to hold an AFSL to deal in
exemption. To date there has been no case law deciding if this is correct. The those tokens and may need a market authorisation. Digital currency or
Department of the Treasury’s ICO Review report is overdue for publication. crypto-payment services will require an AFSL unless they fall under an
The offering of digital currency conversion services in the course of exemption such as the low value exemption.
operating a digital currency exchange business will require an operator Depending on the exchange’s structure, and how digital assets are
(including one located offshore) to register with AUSTRAC. cleared or settled, an exchange may be operating a clearing settlement
www.lexology.com/gtdt 11
© Law Business Research 2020
Australia Piper Alderman
facility and, as a result, be required to hold a clearing and settlement • notify APRA of material information security incidents (separate to
facility licence under Part 7.3 of the Corporations Act. notifiable data breach obligations under the Privacy Act 1988 (Cth)).
Initial coin offerings Fintech businesses dealing with APRA-regulated entities may still need
31 Are there rules or regulations governing initial coin offerings to be cognisant of CPS 234, as APRA-regulated entities must meet the
(ICOs) or token generation events? requirements of CPS 234 even if their information assets are managed
by third parties.
In May 2019, ASIC updated its INFO 225 guidance in relation to initial ASIC’s Regulatory Guide 255 – Providing Digital Financial Product
coin offerings (ICOs). ASIC considers that there is a high risk that most Advice to Retail Clients sets out requirements that Australian financial
ICOs or token generation events will be considered MISs requiring the services licensees that provide certain digital financial product advice
responsible entity to hold an AFSL. ASIC expects entities that do not should follow to protect against malicious cyber activity.
have an AFSL to be able to justify a conclusion that their token or ICO is
not a financial product. OUTSOURCING AND CLOUD COMPUTING
Unfortunately, INFO 225 still does not provide clear guidance on
how entities can undertake a token offering that is compliant with the Outsourcing
obligations of an MIS operated by an AFSL holder in relation to matters 34 Are there legal requirements or regulatory guidance with
such as custody or secondary trading of crypto-assets or provide respect to the outsourcing by a financial services company of
any categories of crypto-token that will not be considered financial a material aspect of its business?
products.
The Australian Securities and Investments Commission’s (ASIC)
DATA PROTECTION AND CYBERSECURITY Regulatory Guide 104 – Licensing: Meeting the General Obligations sets
out guidance of ASIC’s expectations for Australian financial services licen-
Data protection sees outsourcing their functions. In particular, while they can outsource
32 What rules and regulations govern the processing and their functions, they cannot outsource their responsibilities as a licensee
transfer (domestic and cross-border) of data relating to and remain responsible for complying with licensee obligations.
fintech products and services? Certain Australian Prudential Regulatory Authority-regulated
(APRA) financial institutions are required to comply with prudential
While there are no legal requirements or regulatory guidance relating standards on outsourcing (CPS 231) and related guidelines. Separate
to personal data that is aimed specifically at fintech businesses, all prudential standards (SPS 231 and HPS 231) apply to registrable super-
are subject to the obligations of the Privacy Act, including a notifiable annuation entity licensees and private health insurers respectively.
data breach reporting requirement. The Privacy Act is concerned with These mandatory standards set out requirements on how material busi-
the protection of personal information, which includes an individual’s ness activity can be outsourced.
identity or information from which an individual’s identity can be ascer- A ‘material business activity’ is an activity that has the potential, if
tained. Additional protections are required when businesses deal with disrupted, to have a significant impact on the APRA-regulated institution
prescribed sensitive information that includes certain health-related or its ability to manage risks effectively.
information. The notifiable data breach reporting requirements require The principal requirements under these prudential standards are:
that processes be put in place by businesses to address data breaches, • having a board-approved policy for the outsourcing of material
including reporting certain data breaches to the Office of the Australian business activities and monitoring of outsourcing arrangements;
Information Commissioner. • having an agreement with any outsourced service provider
involving a material business activity that addresses, at a minimum,
Cybersecurity certain matters in CPS 231 (including matters relating to owner-
33 What cybersecurity regulations or standards apply to fintech ship, storage and control of data);
businesses? • consulting APRA before entering into any offshoring arrangement
involving a material business activity; and
There are no overarching regulations or standards on cybersecurity in • notifying APRA as soon as possible after entering into an
Australia. However, there are certain regulatory standards and guide- outsourcing agreement involving a material business activity, but
lines that offer guidance. no later than 20 business days after the execution of an outsourcing
The Australian Prudential Regulatory Authority (APRA) has issued agreement.
several mandatory standards and regulatory guidelines concerning
cybersecurity and cloud computing as they relate to businesses In addition, APRA has issued several mandatory standards and regu-
providing financial services, superannuation and insurance. These latory guidelines concerning cloud computing, including standards on
include prudential standards on outsourcing (CPS 231, SPS 231 and business continuity management (CPS 232 and SPS 232) and informa-
HPS 231), business continuity management (CPS 232 and SPS 232), tion security (CPS 234).
information security (CPS 234) and related regulatory guidelines.
CPS 234 took effect from 1 July 2019 and applies to certain Cloud computing
APRA-regulated entities. Among other things, CPS 234 requires ARPA- 35 Are there legal requirements or regulatory guidance with
regulated entities to: respect to the use of cloud computing in the financial services
• clearly define information security-related roles and responsibilities; industry?
• maintain appropriate information security capability commensu-
rate with the size and extent of threats to their information assets; APRA has issued various mandatory standard and regulatory guide-
• implement appropriate controls to protect their information assets lines regarding cloud computing, including prudential standards on
and ensure their effectiveness through systematic testing and outsourcing (CPS 231, SPS 231 and HPS 231), business continuity
assurance; and management (CPS 232 and SPS 232) and information security (CPS 234).
12 Fintech 2021
© Law Business Research 2020
Piper Alderman Australia
INTELLECTUAL PROPERTY RIGHTS An employer will own intellectual property developed by an employee
during the course of their employment – unless the employment
IP protection for software contract stipulates otherwise – and where the material giving rise to
36 Which intellectual property rights are available to protect the IP rights was created as part of the duties for which the employee
software, and how do you obtain those rights? was employed. Where an employee’s duties involve the development of
intellectual property, their employment contract should refer to these
The three main forms of IP protection for software in Australia are copy- duties and specify that IP rights in material created by the employee will
right, patents and confidentiality. be owned by the employer.
New intellectual property developed by contractors or consultants
Copyright will generally be owned by the contractor or consultant unless there is
Computer programs as defined under the Copyright Act 1958 (Cth) a written assignment to the contrary.
qualify for protection under copyright law as literary works, provided An employee, contractor or consultant that has assigned the IP
that the requirements for copyright subsistence are met. There is no rights in materials that they have created will continue to retain their
registration requirement in Australia. moral rights, which are provided for in Part IX of the Copyright Act 1968
Copyright law requires a computer program to be attributable to (Cth). Individuals have the following rights that last for the same period
an author and not reproduced or copied from another source. As the as copyright protection (generally 70 years):
copyright owner will usually be the authors who created or developed • to be identified as the author of the work;
the source code of the software, fintech businesses must ensure that • not to have authorship of their work falsely attributed; and
when third-party software developers are commissioned, the engage- • integrity of authorship (ie, the right not to have their work subjected
ment agreement stipulated that copyright in the software is assigned to to derogatory treatment).
the fintech entity. Copyright will generally vest in the employer where
an individual has developed the computer program in the course of Individuals cannot assign, transfer or sell their moral rights, but may
their employment duties. The duration of the copyright protection for consent to their moral rights being infringed, provided that the consent
published works is usually 70 years from the death of the author of the relates to specified acts or omissions or specified types of acts or omis-
copyright work. sions. An employee can also provide a broad consent to their employer
covering any acts or omissions in relation to all works created by the
Patents employee during their employment.
In Australia, two types of patent can be granted, the traditional
standard patent providing 20 years of protection and an innovation Joint ownership
patent providing eight years of protection. The innovation patent has a 38 Are there any restrictions on a joint owner of intellectual
faster and cheaper application process and less stringent patentability property’s right to use, license, charge or assign its right in
requirements, but has been reviewed, and will be abolished from 25 intellectual property?
August 2021.
An invention must meet the requirements of Patents Act 1990 (Cth) The rights of a joint owner of intellectual property differs according to
to receive patent protection. Specifically, the patent must be a patent- the type of intellectual property.
able subject matter that is new, useful, involves an innovative step (in Unless there is an agreement to the contrary, co-owners of copy-
respect of innovation patents) or inventive step (in respect of standard right material own the copyright as tenants in common in equal shares
patents) and satisfies other formality requirements. and not as joint tenants. A co-owner may not do or authorise any act
The requirement of patentable subject matter must be satisfied comprised in the copyright of a work, including reproducing the copyright
for business methods implemented by a computer program. In general, materials, granting a licence to a third party or charging or assigning
a separate result beyond the typical working of a computer must be any right in this copyright, without the consent of the co-owner. The
achieved for a business method implemented in or by a computer non-consenting owner is entitled to an injunction against the infringing
process to be patentable. The mere use of well-known and understood co-owner and licensee preventing these unauthorised acts.
functions of computers for implementing business methods is insuffi- A joint owner of a patent is entitled to an equal undivided share in
cient for patent protection. that patent, unless there is an agreement to the contrary. Therefore, a
Finally, certain aspects of software, including software-imple- joint owner may use the patent for their own benefit without accounting
mented inventions or business methods, may also be protected by to the other joint owner or owners, but may not grant a licence under,
imposing confidentiality obligations on customers and keeping those or assign an interest in, the patent without the consent of the other joint
aspects a trade secret of the business. owner or owners.
www.lexology.com/gtdt 13
© Law Business Research 2020
Australia Piper Alderman
There is no legislation that specifically protects trade secrets. However, Registered IP rights are each governed by a different legislative scheme,
section 183 of the Corporations Act 2001 (Cth), which requires that a for example:
current or former director, officer or employee of a corporation does not • the Copyright Act 1968;
improperly use the information to gain an advantage for themselves or • the Designs Act 2003;
others or cause detriment to the organisation, is sufficiently broad to • the Patents Act 1990; and
cover trade secrets. • the Trademarks Act 1995.
Trade secrets are also protected by equitable principles relating to
breach of confidence. A breach of confidence requires that: In general, the Federal Court of Australia is the most appropriate court
• an obligation of confidence exists in relation to specific information; to initiate proceedings for infringement of IP rights, particularly for
• the information disclosed is of a confidential nature; registered rights or actions brought under the Australia Consumer Law,
• the information was received in circumstances importing an obli- as the legislative schemes that govern those rights are federal acts.
gation of confidence; The court has the power to award various remedies in IP infringe-
• there is an actual or threatened misuse of the information without ment proceedings, including:
the disclosing party’s consent; and • injunctive relief (both interim and final injunctions may be awarded);
• the breach resulted in the disclosing party suffering damage. • an Anton Piller order (ie, search and seizure order);
• damages or account of profits;
The courts may make orders to protect trade secrets contained in discov- • declaratory relief;
ered documents or documents produced by a third party. The court will • costs; and
weigh the risk of inadvertent or accidental disclosure and the likely loss • additional damages in circumstances of flagrancy of the
against the extent to which a party’s ability to seek advice and provide infringement.
instructions may be hampered if a claim for confidentiality is upheld.
The limitation period for bringing infringement proceedings is six years.
Branding However, the courts will be less inclined to assist when an applicant has
40 What intellectual property rights are available to protect delayed bringing infringement proceedings.
branding and how do you obtain those rights? How can It is not uncommon for the respondent to cross claim with an
fintech businesses ensure they do not infringe existing action to revoke the registered right of the applicant (eg, on the grounds
brands? that the registration does not conform with the requisite requirements
of registration). The owner of the registered right should carefully
Branding elements are usually protected by trademark registration. examine the validity of the registration before threatening infringement
A trademark is a badge of origin or a sign used to distinguish goods proceedings.
and services from those of others, including: The recipient of a threat of infringement is entitled to initiate legal
• product names; proceedings to seek orders that the threats are groundless and seek
• tag lines; injunctive relief to prevent further threats from being made. In general,
• logos; proceedings initiated on the basis of groundless threats will be unsuc-
• aspects of packaging; and cessful once the applicant issues proceedings.
• colours, sounds and scents.
COMPETITION
Trademark registration provides exclusive rights to use, license and sell
the trademark for an initial period of 10 years, which continues indefi- Sector-specific issues
nitely provided the renewal fees are paid every 10 years. 42 Are there any specific competition issues that exist with
An application to register a trademark is made with IP Australia. respect to fintech companies in your jurisdiction?
Assuming no objections or oppositions, the process takes approximately
seven months. The Australian Federal Government recently implemented an ‘open
As a practical measure, before choosing a trademark applicants banking regime’, whereby consumers have a general right to control
should ensure that the domain name (web URL), social media names their data pursuant to the Treasury Laws Amendment (Consumer Data
(eg, Facebook page or Twitter handle) and business name are available. Right) Act 2019 (Cth) (the Consumer Data Right).
Unregistered trademarks can be protected by establishing that the Australian Treasurer, Hon Josh Frydenberg MP, in his second
use of the same or a similar trademark by a person is likely to mislead reading speech on the Treasury Laws Amendment (Consumer Data
others to believe that the person is somehow connected with the appli- Right) Bill 2019, stated that:
cant (ie, misleading and deceptive conduct in breach of the Australian
Consumer Law) or amounts to passing off. This requires the applicant to The consumer data right … will drive competition… For consumers,
prove that they have reputation in the trademark to such an extent that improved access to data will support better price comparison
the use of the trademark by someone else would be misleading. services, taking into account their unique circumstances, and
To ensure that applicants do not infringe the rights of a third party’s promote more convenient switching between products and
existing brands, they should: providers…
• search the Australian Trade Marks Register for any similar regis-
tered trademarks; and After several delays in implementing the Consumer Data Right, on 5
• conduct a general market knowledge enquiry to identify any unreg- February 2020, the Australian Competition and Consumer Commission
istered trademarks that may have a reputation. made the Competition and Consumer (Consumer Data Right) Rules
14 Fintech 2021
© Law Business Research 2020
Piper Alderman Australia
2020, which were subsequently revised on 19 June 2020 (as amended, Australia has an R&D tax incentive designed to encourage compa-
the Rules). nies to invest in R&D activity. The tax incentive is in the form of two tax
Pursuant to the Rules: offsets that apply to eligible R&D expenditure, namely:
• certain obligations regarding banks’ product data became a statu- • a 43.5 per cent refundable tax offset for the first A$100 million
tory requirement for the Australia and New Zealand Banking Group of eligible expenditure for certain eligible entities whose aggre-
Limited, Commonwealth Bank of Australia, National Australia Bank gated turnover is less than A$20 million and provided they are not
Limited and Westpac Banking Corporation (together, the ‘big four’ controlled by income tax exempt entities; and
banks) on 6 February 2020 and were to be a requirement for non- • a 38.5 per cent non-refundable tax offset for the first A$100 million
major banks from 1 July 2020; however, the ACCC has granted a of eligible expenditure for all other eligible entities, which may be
three-month exemption until 1 October 2020 because of the impact carried forward.
of the covid-19 pandemic;
• the disclosure of consumer data to accredited persons commenced The Taxpayer Alert 2017/5 sets out the view of the Australian Taxation
for the big four banks from 1 July 2020 and is currently scheduled Office in relation to R&D claims on software development projects.
to commence for non-major banks on 1 November 2020; and
• the balance of the obligations will be rolled-out progressively Increased tax burden
between 1 July 2020 and 30 June 2022. 44 Are there any new or proposed tax laws or guidance that
could significantly increase tax or administrative costs for
Fintech companies are also subject to the competition law prohibitions fintech companies in your jurisdiction?
contained in the Competition and Consumer Act 2010 (Cth) (CCA). The
CCA prohibits various forms of anti-competitive practices, including the There are no new or proposed laws or guidance specifically affecting
misuse of market power, exclusive dealing (including third line forcing), fintech companies.
resale price maintenance and cartel conduct. The Australian Consumer
Law contained in Schedule 2 of the CCA provides consumer protection IMMIGRATION
in the form of:
• general prohibitions against conduct that is likely to mislead or Sector-specific schemes
deceive or that is unconscionable; 45 What immigration schemes are available for fintech
• specific prohibitions against unfair practices including false or businesses to recruit skilled staff from abroad? Are there
misleading representations on goods or services; and any special regimes specific to the technology or financial
• an ability for Australian Courts to declare unfair contract terms sectors?
contained in standard form consumer contracts to be void, such
that they are unenforceable. There are no immigration schemes specific to the technology or finan-
cial sectors. The following visa options may be open to skilled workers
TAX recruited from overseas by fintech businesses:
• Temporary Work (Short Stay Specialist) (subclass 400) visa: for
Incentives three to six months in a highly specialised job;
43 Are there any tax incentives available for fintech companies • Temporary Skill Shortage (subclass 482) visa: for up to four years,
and investors to encourage innovation and investment in the for workers sponsored by their employer and whose occupa-
fintech sector in your jurisdiction? tion is on the Australian government’s list of skilled occupations
or the employer has a labour agreement with the Australian
Australia has many tax concessions applicable to fintech companies. government; and
The early-stage investment company (ESIC) regime provides that a • Employer Nomination Scheme (subclass 186) visa: permanent, for
company must be recently incorporated and not have incurred expendi- workers nominated by their employer and whose occupation is on
ture or generated income over certain limits in the preceding income the Australian government’s list of skilled occupations.
year. The company must meet either a 100-point or a principles-based
innovation test. If the company qualifies as an ESIC, investors qualify for UPDATE AND TRENDS
a 20 per cent non-refundable carry forward tax offset. The amount of the
tax offset is 20 per cent of the amount paid for the shares to a maximum Current developments
of A$200,000. Investors also enjoy no capital gains tax for the first 10 46 Are there any other current developments or emerging
years of their holding of the shares. trends to note?
Australia also has concessions for start-up companies in relation
to employee share schemes. In general, any discount an employee The key emerging trend is a renewed focus from the federal govern-
receives on shares or options or rights is treated as assessable income. ment on the opportunities fintech provides, and the potential upsides for
However, under this concession, start-up companies can offer (without Australian consumers and the broader economy. Following the volume
the discount being taxed): of submissions to the Senate Select Committee, and the subsequent
• shares with a discount to market value of no more than 15 changes to the economy, the Committee is requesting further submis-
per cent; or sions on what support is necessary in the short-, medium- and long
• rights or options with an exercise price being the market value of a term, including post-recovery, focusing on solutions that can be deliv-
share when the right or option is acquired. ered swiftly by government and the private sector.
In calculating the market value of a share, the company can use a net
tangible asset valuation method. This allows a fintech entity with, for
example, a large IP or goodwill element to issue equity at a significant
discount to employees.
www.lexology.com/gtdt 15
© Law Business Research 2020
Australia Piper Alderman
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
While there has not been any government initiatives specifically Michael Bacina
mbacina@piperalderman.com.au
targeted at the fintech sector in response to covid-19, the federal and
state governments have implemented various legislative changes, Andrea Beatty
stimulus packages and relief programmes generally. FinTech Australia, abeatty@piperalderman.com.au
a member organisation that advocates for fintech issues in Australia, Tim Clark
has published a short guide of the various available government assis- tclark@piperalderman.com.au
tance programs specifically for fintech businesses. We have, however,
Will Fennell
summarised two key developments below.
wfennell@piperalderman.com.au
Electronic signatures
Widespread social distancing requirements have restricted the ability
for entities to rely on ‘wet signatures’, and has caused an increase
in entities seeking to rely on electronic signatures. The Electronic
Transactions Amendment (COVID-19 Witnessing of Documents)
Regulation 2020 (NSW) allows a broad range of documents to be signed
electronically and remotely. In New South Wales, this means that docu-
ments can be witnessed through an audiovisual link, providing relief to
those who cannot physically sign or witness documents. At the federal
level, the government has introduced the Corporations (Coronavirus
Economic Response) Determination (No. 1) 2020, which modifies the
legislative requirements regarding meetings and execution of company
documents to facilitate electronic methods.
16 Fintech 2021
© Law Business Research 2020
Belgium
Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Dimitri Van Uytvanck and Marc de Munter
Simmons & Simmons LLP
Although the Belgian fintech ecosystem is currently booming (over The Financial Services and Markets Authority (FSMA) and the National
the years, the number of start-ups active in the financial sector with a Bank of Belgium (NBB) are generally the bodies responsible for regu-
predominantly technological approach has increased steadily), Belgian lating the provision of fintech products and services in Belgium.
fintech companies that have reached a size large enough to play in the
big league can still be counted on the fingers of one hand. In effect, Regulated activities
Belgian fintech companies have a tendency to rely more on organic 4 Which activities trigger a licensing requirement in your
growth and to focus for longer periods on the local market, taking jurisdiction?
more time to cross the Belgian border. Transforming all these prom-
ising start-ups into scale-ups capable of competing on the international A large number of financial activities trigger licensing requirements
scene is therefore a major challenge that requires stronger support and in Belgium. The following providers of financial services are regulated
financing. (among others): credit institutions, certain lenders, stockbroking and
investment firms, fund management companies, payment institutions,
Government and regulatory support e-money institutions, and insurance and reinsurance firms.
2 Do government bodies or regulators provide any support The supervision of financial institutions in Belgium is organised
specific to financial innovation? If so, what are the key according to a ‘twin peaks’ model, by which the competences are
benefits of such support? shared between two autonomous supervisors: the NBB and the FSMA.
Each regulator has a specific set of objectives. The NBB is the principal
No. However, a Belgian fintech platform called B-Hive was launched in prudential supervisor for (among others) banks, insurance companies,
January 2017 to support fintech start-ups. The Belgian federal govern- stockbroking firms, payment and e-money institutions, on both a macro-
ment – by means of the federal investment fund – and a number of major and micro-level. The FSMA is responsible for supervising the financial
banks, insurers and market infrastructure players support the project. markets and the information circulated by companies, certain catego-
B-Hive has recently set up hubs in New York, London and Tel Aviv. ries of financial service providers (including investment firms and fund
In addition, both the National Bank of Belgium and the Financial management companies) and intermediaries, compliance by financial
Services and Markets Authority (FSMA) offer fintech companies the institutions with conduct of business rules and the marketing of finan-
opportunity to enter into direct contact with them through a dedicated cial products to the public. The Federal Public Services Economy, small
‘fintech portal’ available on their websites. The purpose of the Fintech and medium-sized enterprises (SMEs), Self-employed and Energy (FPS
Contact Point is to support a dialogue between the regulator and fintech Economy) also has certain supervisory powers (eg, consumer credit,
companies whereby the regulator aims to get back to the firms within payment services).
three business days and to assist them in understanding the applicable Only credit institutions may receive deposits from the public in
regulatory framework. This facility can be used, for example, for any Belgium or solicit the public in Belgium in view of receiving deposits.
project relating to crowdfunding, distributed ledger technology, virtual Credit institutions are regulated by the Belgian Act of 25 April 2014
currencies, application programming interfaces or alternative distribu- relating to the status and supervision of credit institutions and stock-
tion models. broking firms. Besides deposit-taking, the majority of the activities
Finally, a sectorial association called Fintech Belgium has been listed under Annex I of the Capital Requirements Directive may only
created, regrouping around 100 Belgian fintech companies. be carried out by licensed entities, are subject to specific regulations,
or both. Certain lenders are also subject to local supervision (eg,
consumer lenders, consumer mortgage lenders). Commercial lending
(on a stand-alone basis) does not require a licence but specific rules of
conduct apply where lending to SMEs. These rules of conduct include
a duty of rigour, a duty of information and a right of prepayment for the
enterprise. SMEs are individual or legal entities pursuing an economic
purpose in a sustainable manner or liberal professions (eg, lawyers
and notaries) that have no more than one of the following criteria in
www.lexology.com/gtdt 17
© Law Business Research 2020
Belgium Simmons & Simmons LLP
their last and penultimate closed financial year: 50 employees on an Receivables in respect of consumer loans may only be transferred
annual basis, annual turnover of €9 million and total balance sheet of to a limited number of assignees (including credit institutions, regulated
€4.5 million. lenders, credit insurers and a specific category of collective investment
All investment services contemplated by the second Markets in scheme designed for making investments in receivables, the société
Financial Instruments Directive are regulated and may only be carried d’investissement en créances or vennootschap voor belegging in schuld-
out by duly licensed entities. Investment services include reception vorderingen). The transfer of consumer mortgage loans is also subject
and transmission of orders, execution of orders, proprietary trading, to specific rules.
portfolio management, investment advice, underwriting and placing
of financial instruments and operation of multilateral trading facilities, Collective investment schemes
where they are carried out in respect of financial instruments such 7 Describe the regulatory regime for collective investment
as transferable securities (shares, bonds, puts or calls on shares or schemes and whether fintech companies providing alternative
bonds, etc), money market instruments, units in collective investment finance products or services would fall within its scope.
undertakings (UCITS), derivative contracts and instruments. Dealing in
foreign exchange spot and forward contracts (on one’s own account or In Belgium, collective investment schemes (CISs) and the management
as agent) is also regulated in Belgium. Investment services are carried of CISs are regulated entities and activities respectively. In general, a
out by (Belgian or foreign) investment firms. Belgian investment firms CIS is any entity whose purpose is the collective investment of financial
can be set up either as stockbroking firms (subject to the Act of 25 April means collected from investors through an offer of financial instruments.
2014 on alternative investment firms and their managers) or portfolio The persons participating in the scheme (the investors) must not have
management and investment advice firms (subject to the Act of 25 day-to-day control over the management of the property. Furthermore,
October 2016 on investment firms and services). the contributions of the participants and the profits or income out of
The Act of 3 August 2012 implemented the Undertakings for which payments are to be made to them must be pooled and the prop-
Collective Investments in Transferable Securities Directive and regu- erty managed as a whole.
lates UCITS funds, UCITS management companies and funds investing Whether a fintech company will fall within the scope of this regime
in receivables. The Act of 19 April 2014 has implemented the Alternative will depend on the exact nature of its business. Fintech companies that
Investment Fund Managers Directive (AIFMD) and regulates alternative manage assets on a pooled basis on behalf of investors should give
investment funds and their managers. particular consideration to whether they may be operating a CIS. Fintech
Payment services institutions and e-money institutions are regu- companies that are geared more towards providing advice or payment
lated by the Act of 11 March 2018, which implemented the second services may be less likely to operate a CIS, but should nonetheless
Payment Services Directive (PSD2) in Belgium. Insurance and rein- check this and have regard to their other regulatory obligations.
surance companies are ruled by the Act of 13 March 2016. Insurance
contracts are regulated by the Act of 4 April 2014. Alternative investment funds
Intermediaries in banking and investment services, insurance 8 Are managers of alternative investment funds regulated?
intermediaries and consumer credit intermediaries are also subject to
local supervision. Managers of alternative investment funds are regulated in Belgium under
It is an offence to carry out any of the above regulated financial the AIFMD, which was implemented in Belgium by the Act of 19 April
services in Belgium without being duly licensed by or registered with 2014 relating to alternative investment funds and their managers, imple-
the relevant regulator, subject to applicable EU passporting rules. menting royal decrees and circulars and guidance issued by the FSMA.
18 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Belgium
www.lexology.com/gtdt 19
© Law Business Research 2020
Belgium Simmons & Simmons LLP
banks, firms specialising in consumer credit or mortgage loans and SALES AND MARKETING
credit card issuers).
Furthermore, regulated lenders have an obligation to consult Restrictions
the CICR in the process of assessing the borrower’s creditworthiness. 19 What restrictions apply to the sales and marketing of financial
Credit data to be reported in the CICR include the debtor’s or co-debtor's services and products in your jurisdiction?
identification details, the characteristics of the credit contract and the
details of the overdue debt. Financial products (such as investment products, savings products
The CCCR records information on credits granted to legal persons and insurance products)
(enterprises) and natural persons (individuals) in connection with their Marketing materials for financial products are governed by Royal Decree
business activity. Participation in the CCCR is mandatory for some finan- dated 25 April 2014 and Financial Services and Markets Authority (FSMA)
cial institutions, including: guidance, which regulate the advertising of financial products where
• credit institutions established in Belgium and licensed by the distributed to retail clients. ‘Marketing materials’ means any communi-
NBB (also branches incorporated under foreign law established cation designed specifically to promote the acquisition of the product,
in Belgium); irrespective of the medium used or the method of dissemination.
• finance-lease companies established in Belgium and licensed by The general requirements are that:
the FPS Economy; • the information included in the marketing materials shall not be
• factoring companies established in Belgium; and misleading or incorrect;
• insurance companies established in Belgium and licensed for • only information relevant for the Belgian market should be presented;
classes 14 (guarantee insurance) and 15 (credit insurance) • it is recommended to translate the marketing materials into French
by the NBB. or Dutch as there is a general requirement that the marketing mate-
rials must be understandable by a retail investor (also, technical
Participants have to report each month to the CCCR all informa- terms should be avoided or, if it is impossible to avoid using technical
tion on any current contract (granted amounts) and non-repayments. terms, they should be explained in a way that is easily understand-
Participants, debtors as well as other central credit offices abroad may able for a retail client where these terms appear);
consult the data recorded in the CCCR. • the marketing materials should not emphasise the potential benefits
of the product without also giving a fair, balanced and visible indica-
CROSS-BORDER REGULATION tion of the risks, limits or conditions applicable to the product;
• the marketing materials should not disguise, mitigate or conceal
Passporting important items, mentions or warnings;
17 Can regulated activities be passported into your jurisdiction? • the marketing materials should not highlight characteristics that are
not relevant or that are of little relevance for a sound understanding
All financial services benefiting from European passporting rights of the nature and the risks of the product;
may be provided by EEA firms licensed in their home country under • the information conveyed in the marketing materials should be in
one of the EU single market directives (eg, the Banking Consolidation line with the information in the prospectus or any other contractual
Directive, Capital Requirements Directive, Solvency II, Markets in or pre-contractual information; and
Financial Instruments Directive (MiFID II), Insurance Mediation • any advertisement should be clearly recognisable as such.
Directive, Insurance Distribution Directive, Mortgage Credit Directive,
Undertakings for Collective Investments in Transferable Securities Furthermore, detailed guidance is provided by the FSMA for the marketing
Directive, Alternative Investment Fund Managers Directive, Payment materials to comply with the non-misleading information principle.
Services Directive or E-Money Directive) either on a cross-border Detailed content requirements apply. The presentation of performance
basis without a permanent establishment in Belgium or through a figures is also highly regulated.
Belgian branch.
To exercise this right, the firm must first provide notice to its home Consumer credit
regulator. The directive under which the EEA firm is seeking to exercise The Belgian Code of Economic Law contains provisions on advertising,
passporting rights will determine the conditions and processes that the (pre-contractual) information requirements, misleading and aggressive
firm has to follow. commercial practices and unfair contract terms.
Furthermore, under certain conditions and limits, non-EEA firms All advertising setting out the interest rate or the costs of the credit
may be authorised to provide investment services (as defined under must be drafted in a clear, summarised and explicit way, and contain
MiFID II) either on a cross-border basis in Belgium or through a specific legal information that must be illustrated by a representative
Belgian branch. example. Advertising must also include the warning: ‘Be aware, borrowing
money costs money’. Some advertising practices are also prohibited –
Requirement for a local presence for example, encouraging consumers to regroup their existing credits,
18 Can fintech companies obtain a licence to provide financial emphasising the ease and speed by which credit can be obtained and
services in your jurisdiction without establishing a local such like.
presence?
CHANGE OF CONTROL
The Belgian regulator only grants licences to companies established in
Belgium. However, EEA fintech firms may exercise passporting rights Notification and consent
to provide services in Belgium. Under certain conditions and limits, 20 Describe any rules relating to notification or consent
non-EEA firms may also be authorised to provide (MiFID) investment requirements if a regulated business changes control.
services on a cross-border basis in Belgium or through a Belgian branch.
Shareholders intending to hold (directly or indirectly) a qualifying holding
in certain regulated businesses must make a prior notification to, and be
20 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Belgium
approved by, the Financial Services and Markets Authority or the National banking network. As long as all the required formalities are fulfilled,
Bank of Belgium, as appropriate. A qualifying holding means any direct however, it should be possible to structure secured loans.
or indirect holding that represents 10 per cent or more of the capital or
voting rights, makes it possible to exercise a significant influence over the Assignment of loans
management of the undertaking, or both. There are additional thresholds 24 What steps are required to perfect an assignment of
at 20, 30 and 50 per cent and companies may decide to insert specific loans originated on a peer-to-peer or marketplace lending
thresholds in their articles of association. In addition, shareholders platform? What are the implications for the purchaser if the
ceasing to hold a qualifying holding, or reducing their holding below 10, assignment is not perfected? Is it possible to assign these
20, 30 or 50 per cent, must also make a prior notification to the relevant loans without informing the borrower?
Belgian regulator.
Finally, shareholders who have acquired a direct or indirect holding The formalities for assignment will depend on how the lending is struc-
of 5 per cent or more (or have reduced their holding to below 5 per cent) tured (via a loan agreement or a debt instrument and through a direct
of capital or voting rights must make a notification to the relevant Belgian or an indirect model).
regulator within 10 business days of the acquisition. As a general rule, and in the absence of any contractual provisions
prohibiting the transfer, the transfer of a loan agreement by the lender
FINANCIAL CRIME requires the express prior consent of the borrower (as an agreement
involves both rights and obligations for both parties). Such consent may
Anti-bribery and anti-money laundering procedures be granted in the loan agreement itself. Alternatively, the lender can
21 Are fintech companies required by law or regulation to have transfer only its rights (ie, its receivable in relation to the borrower)
procedures to combat bribery or money laundering? without the express consent of the borrower. Indeed, according to
article 1690 of the Belgian Civil Code, the transfer of a receivable or
There is no legal or regulatory requirement for fintech companies to have right is valid between parties (transferor and transferee) and enforce-
anti-bribery or anti-money laundering procedures unless the company able in relation to all third parties other than the assigned debtor (ie, the
is a licensed financial institution (eg, a payment services institution) or borrower) by the mere conclusion of the transfer agreement. However,
carries out business that is subject to the Belgian anti-money laundering the transfer will only become enforceable in relation to the borrower
regulations. Specific customer due diligence and know-your-customer once the transfer is notified to it or once the borrower has acknowl-
obligations apply to e-money products. Fintech companies, regardless of edged the transfer. In practice, if (and as long as) the assignment is
whether they are authorised, ought to have appropriate financial crime not perfected, this means that repayment is validly made to the initial
policies and procedures in place as a matter of good governance and lender. The latter can act as servicer for the receivables, which, in prac-
proportionate risk management. tice, avoids having to notify the borrowers upfront.
The transfer of consumer loans is subject to specific rules. If secu-
Guidance rity rights are attached to the loans, additional formalities may also
22 Is there regulatory or industry anti-financial crime guidance be required.
for fintech companies? The formalities to transfer a debt instrument depend on the type of
instrument (bearer, registered or dematerialised) and whether the latter
There is no anti-financial crime guidance specifically for fintech firms. is freely negotiable or not.
The general rules and standards set out for regulated financial institu- If the applicable transfer formalities are not fulfilled, the transfer
tions apply, particularly the circulars issued by the Belgian regulators could be held to be unenforceable towards the borrower and possibly
(the National Bank of Belgium and the Financial Services and Markets third parties.
Authority). These documents are helpful for non-authorised fintech firms
and may inform their own internal financial crime policies and procedures. Securitisation risk retention requirements
25 Are securitisation transactions subject to risk retention
PEER-TO-PEER AND MARKETPLACE LENDING requirements?
Execution and enforceability of loan agreements Yes, the EU risk retention rules apply to securitisations of loans
23 What are the requirements for executing loan agreements or originated on a peer-to-peer or marketplace lending platform (P2P secu-
security agreements? Is there a risk that loan agreements ritisations). The risk retention requirements set out in the sectoral EU
or security agreements entered into on a peer-to-peer or legislation will apply to P2P securitisations that are offered to European
marketplace lending platform will not be enforceable? banks, investment firms, alternative investment funds or insurers.
Under the current sectoral EU risk retention rules, certain investors
As a general rule, there are no documentary or execution requirements (such as credit institutions, Markets in Financial Instruments Directive-
applicable to loan and security agreements (other than security over real regulated firms and firms regulated under the Alternative Investment
estate), which can be signed by private contract and in counterparts (with Fund Managers Directive) will be subject to higher regulatory capital
as many originals as there are parties to the agreement). The nature charges where they invest in securitisation positions that do not comply
of the collateral will determine the type of security that can be granted with the risk retention rules.
and the formalities required to make it enforceable in relation to third Those rules require that either the sponsor, originator or original
parties. The revision of the legal regime applicable to security interests in lender in respect of the securitisation explicitly discloses to the investor
movable assets (which came into force in early 2018), whereby it became that it will retain, on an ongoing basis, a material net economic interest
possible to perfect such security by way of filing in a central register. in the securitisation (which in any event is not less than 5 per cent)
Consumer loans, however, are subject to specific formal and content using one of five prescribed retention methods. Those methods include,
legal requirements. among other things, retention of:
In the current Belgian market, peer-to-peer loans generally do • the most subordinated tranches, so that the retention equals no less
not involve security agreements as they operate outside the traditional than 5 per cent of the nominal value of the securitised exposures;
www.lexology.com/gtdt 21
© Law Business Research 2020
Belgium Simmons & Simmons LLP
• 5 per cent of the nominal value of each of the tranches sold to documents that would prevent it from disclosing information about the
investors; or loans and the relevant borrowers to the SPV and the other securitisation
• randomly selected exposures equivalent to no less than 5 per cent parties. If there are such restrictions in the underlying loan documenta-
of the nominal value of the securitised exposures. tion, the assignor will require the consent of the relevant borrower to
disclose to the SPV and other securitisation parties the information they
The definitions of ‘sponsor’ and ‘originator’ as used in the sectoral EU require before agreeing to the asset sale.
legislation are set out in Regulation (EU) 2017/2402. The term ‘original In addition, the SPV will want to ensure that there are no restric-
lender’ is undefined. tions in the loan documents that would prevent it from complying with
Since 1 January 2019, there has been a direct requirement on the its disclosure obligations under Belgian and EU law (such as those
sponsor, originator and original lender to agree on an entity that will act set out in the Credit Rating Agency Regulation). Again, if such restric-
as retention holder and to ensure compliance with the retention require- tions are included in the underlying loan documents, the SPV would be
ment. In the absence of agreement among the originator, sponsor and required to obtain the relevant borrower’s consent to such disclosure.
original lender as to who will be the retention holder, the originator will Furthermore, if the borrowers are individuals, the SPV, its agents
be the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original and the peer-to-peer platform will each be required to comply with the
lender’ are set out in the EU Securitisation Regulation. statutory data protection requirements under Belgian law.
The EU Securitisation Regulation does not explicitly set out the juris-
dictional scope of the ‘direct’ retention obligation, but there is a helpful ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
note in the Explanatory Memorandum to the European Commission’s TECHNOLOGY AND CRYPTO-ASSETS
original proposal for the EU Securitisation Regulation that the intention
is that the ‘direct’ approach would not apply to securitisations (including Artificial intelligence
P2P securitisations) where none of the originator, sponsor or original 27 Are there rules or regulations governing the use of artificial
lender is ‘established in the EU’. ‘Establishment’ is typically described by intelligence, including in relation to robo-advice?
reference to the jurisdiction in which the legal entity is incorporated or
has its registered office. Therefore, the non-EU subsidiary of an EU entity Currently, there is no specific regulation on robo-advice or artificial
may not be subject to the ‘direct’ retention obligation because a subsid- intelligence in Belgium.
iary is typically a separate legal entity, whereas a non-EU branch of an EU
entity may be caught within this provision because a branch is typically Distributed ledger technology
not a separate legal entity. Market participants are still seeking clarity on 28 Are there rules or regulations governing the use of
this and it is expected that this point will be raised as part of the ongoing distributed ledger technology or blockchains?
European Banking Authority (EBA) consultation on risk retention.
Distributed ledger technology is in a developmental phase and, as a
Possible retaining entities in respect of P2P securitisations consequence, it is not yet subject to specific legal or regulatory rules
Typically, a peer-to-peer lending platform will not qualify as the ‘sponsor’, or guidelines. Several legal and regulatory issues need to be carefully
‘originator’ or ‘original lender’ of a P2P securitisation, and another entity considered relating to the clearing, settling and recording of payments,
with the capacity to retain will, therefore, need to be identified. The range securities, derivatives or other financial transactions. The impact of
of entities with capacity to retain is broader under the EU Securitisation various rules and regulations must be analysed and may be relevant
Regulation than under the current EU sectoral legislation and, therefore, in respect of digital transformation initiatives, such as the Central
the ability of an entity to retain will depend on the rules that apply at the Securities Depositories Regulation, the Settlement Finality Directive,
time the securitised notes are issued. the European Market Infrastructure Regulation, Markets in Financial
Any entity that retains in the capacity of ‘originator’ is expected to Instruments Directive and so on. Outsourcing arrangements also need
be an entity of substance, and the EU Securitisation Regulation expressly to be carefully reviewed where regulated firms outsource technological
provides that an entity shall not be considered to be an originator where innovations to third parties.
it has been established or operates for the sole purpose of securitising Data protection requirements and customer data protection also
exposures. The EU Securitisation Regulation does not specify in what need detailed analysis because of the transparency of transactions,
circumstances an entity will be considered to have been established for which is inherent to the blockchain technology, and the fact that once
the sole purpose of securitising exposures but, in December 2017, the data is stored it cannot be altered (this could be an issue for the compli-
EBA published a consultation paper that proposed that an originator will ance with the right for rectification or the right to be forgotten).
not be considered to have been established with the ‘sole purpose’ of Given that the nodes on a blockchain can be located anywhere in
securitising exposures if it satisfies certain conditions, including that: the world, the determination of the data controller, applicable law and
• it has a broader business enterprise and strategy; competent courts in the case of litigation and the drafting of appropriate
• it has sufficient decision makers with the required experience; and contractual provisions in that respect are also essential.
• its ability to make payment obligations depends neither on the A particular point of attention relates to the status of the decen-
exposures to be securitised nor on any exposures retained for the tralised autonomous organisations that are used to execute smart
purposes of the risk retention regulations. contracts, recording activity on the blockchain.
22 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Belgium
(2009/110/EC) as implemented in Belgian law, e-money means ‘mone- to the Protection of Individuals regarding the Processing of Personal
tary value as represented by a claim on the issuer that is stored Data and came into force on 5 September 2018. The GDPR, however,
electronically, issued on receipt of funds of an amount not less in value remains the principal legislation governing the processing of personal
than the monetary value issued, and accepted as a means of payment data as only few provisions of the Belgian law concern private compa-
by undertakings other than the issuer’. Digital Instruments do not fall nies. The GDPR provides how data controllers (the natural person
under this definition as they do not represent a claim on the issuer, or legal person, which, alone or jointly with others, determines the
which is not obliged to exchange them back to real money. Furthermore, purposes and means of the processing of personal data) may process
they are purely digital and not necessarily linked to the real funds upon the personal data of living individuals (data subjects). The GDPR
which they were issued. requires that businesses may only process personal data where that
Consequently, digital instruments are currently not regulated processing is done in a lawful, fair and transparent manner. The Belgian
under Belgian law. No licence is required to issue digital instruments law provides some specific provisions on the consent, the processing of
and they are not subject to regulatory supervision. Digital instruments health-related and judicial data, the processing for statistical purposes
do not benefit from legal protection. The Financial Services and Markets or scientific research, exceptions to data subjects’ rights, etc.
Authority (FSMA) has issued several warnings advising the Belgian The GDPR requires that any processing of personal data must
public against the risks of these currencies (eg, the risk of consider- be done pursuant to one of six lawful bases for processing. The most
able currency fluctuations and the risk of losing the virtual money if the commonly used lawful basis for processing is to obtain the consent of
trading platform is hacked). the data subject to that processing – in relying on this lawful basis, the
business must ensure that consent is freely given, specific, informed and
Digital currency exchanges unambiguous, and capable of being withdrawn as easily as it is given.
30 Are there rules or regulations governing the operation of Other lawful bases for processing data include where that processing
digital currency exchanges or brokerages? is necessary for the business to perform a contract it has with the data
subject, or where required to comply with a legal obligation.
A distinction must be made between e-money and virtual curren- The GDPR also provides a set of rights for the data subjects,
cies. E-money is currently regulated by the second E-Money Directive including the right to information, the right to access to their personal
(2009/110/EC), which refers to, among others, the Anti-Money data, to correct their personal data should it be inaccurate, the right
Laundering Directive (now 2015/849 EU) setting out various rules to oppose (upon request and free of charge) the processing of their
regarding the operation of exchanges or brokerage offices in the EU. personal data for marketing purposes, the right to withdraw one’s
Additionally, the Law of 11 March 2018 on the Status and Supervision consent and the right to data portability.
of Payment Institutions and Electronic Payment Institutions amends The GDPR also differs from the previous regime in that it places a
the Investment Law, which sets out similar rules for the operation of significantly increased compliance burden on businesses, including, for
e-money currency exchanges and brokerage as those applicable to non- example, mandatory requirements to notify regulators of data breaches,
digital currencies. obligations to keep detailed records on processing and requirements for
Virtual currencies, however, are not subject to regulatory supervi- most entities to appoint a data protection officer.
sion and there are no rules or guidelines relating to the operation of The Belgian Data Protection Authority is the body that controls
exchanges or brokerage offices in Belgium for these digital currencies. compliance with the GDPR and applicable Belgian law by businesses.
Various warnings in respect of digital currency exchanges have been Data subjects now have the right to lodge a complaint with the Belgian
issued by the FSMA. Data Protection Authority. Significant administrative sanctions (up to the
greater of €20 million and 4 per cent of the worldwide turnover) can be
Initial coin offerings imposed following a breach of the GDPR.
31 Are there rules or regulations governing initial coin offerings Recital 26 of the GDPR states that where data has been processed
(ICOs) or token generation events? such that it is truly anonymised, the principles within the GDPR do not
apply to the processing of that data. Businesses will have to determine
The FSMA issued a communication on ICOs in Belgium on 13 November what steps must be taken to ensure that personal data is indeed truly
2017, building on a communication by the European Securities and anonymised.
Markets Authority on the same subject and on the same date. While The Article 29 Working Party (an EU body comprising repre-
no specific regulatory rules are in place for ICOs, depending on its sentatives from data protection regulators across the member states)
structuring it might fall within the scope of more generic Belgian laws released Opinion 05/2014 on Anonymisation Techniques (in the context
such as the law implementing the Prospectus Directive and the law on of the previous EU data protection regime). This Opinion discusses the
crowdfunding platforms. main anonymisation techniques used – randomisation and generalisa-
tion (including aggregation). The Opinion states that when assessing the
DATA PROTECTION AND CYBERSECURITY robustness of an anonymisation technique, it is necessary to consider:
• if it is still possible to single out an individual;
Data protection • if it is still possible to link records relating to an individual; and
32 What rules and regulations govern the processing and • if information can be inferred concerning an individual.
transfer (domestic and cross-border) of data relating to
fintech products and services? In relation to aggregation, the Opinion further states that aggregation
techniques should aim to prevent a data subject from being singled out
There are no regulations specifically governing the processing and by grouping them with other data subjects. While aggregation will avoid
transfer of personal data relating to fintech products and services. the risk of singling out, it is necessary to be aware that links and infer-
However, the processing and transfer of personal data relating to ences may still be possible with certain aggregation techniques.
fintech products and services shall be governed by the General Data The position on anonymisation taken from the Article 29 Working
Protection Regulation (GDPR), which took effect on 25 May 2018. The Party’s Opinion is broadly unchanged in the GDPR. The GDPR itself
GDPR was implemented in Belgium by the Law of 30 July 2018 relating also gives limited guidance on anonymisation in Recital 26, requiring
www.lexology.com/gtdt 23
© Law Business Research 2020
Belgium Simmons & Simmons LLP
data controllers to consider a number of factors in deciding if personal OUTSOURCING AND CLOUD COMPUTING
data has been truly anonymised, including the costs and time required
to de-anonymise, the technology available at the time to attempt Outsourcing
de-anonymisation, and further developments in technology. 34 Are there legal requirements or regulatory guidance with
respect to the outsourcing by a financial services company of
Cybersecurity a material aspect of its business?
33 What cybersecurity regulations or standards apply to fintech
businesses? When a Markets in Financial Instruments Directive firm outsources
operational tasks of critical importance to the continuous and satis-
Belgium has implemented Directive (EU) 2016/1148 (the NIS Directive) factory provision of investment services and activities, it has to take
by way of the Belgian Law of 7 April 2019 (entered into force on 3 May appropriate measures to limit the associated operational risk. In
2019) establishing a framework for the security of network and informa- particular, the outsourcing must not substantially affect the effective-
tion systems of general interest for public security. The Law applies to ness of the internal control procedures of the company or the ability
sectors of banking and financial market infrastructure and establishes, of the regulator to check whether the company is fulfilling its legal
among others, security and notification requirements for operators obligations.
of essential services and for digital service providers. Many practical The Financial Services and Markets Authority has issued a circular
aspects provided for in the Law of 7 April 2019 are further elaborated on on sound management practices for outsourcing by credit institutions
in a Belgian Royal Decree dated 12 July 2019. and investment firms, and, recently, the National Bank of Belgium issued
The Payment Services Directive (EU) 2015/2366 entered into a recommendation on outsourcing by credit institutions and investment
force on 12 January 2016, setting out, among others, rules concerning firms to providers of cloud computing that implements the recommen-
strict security requirements for electronic payments and the protec- dations of the European Banking Authority on this subject.
tion of consumers’ financial data, guaranteeing safe authentication and
reducing the risk of fraud. Belgium implemented the provisions of the Cloud computing
Payment Services Directive by way of the Belgian Law of 11 March 2018. 35 Are there legal requirements or regulatory guidance with
Regarding cybersecurity, the Law of 11 March 2018 stipulates a security respect to the use of cloud computing in the financial services
policy containing a number of obligations for payment service providers. industry?
Furthermore, Regulation (EU) 526/2013 is of importance in the
fintech sector, as it establishes the European Union Agency for Network There are no specific legal requirements with respect to the use of cloud
and Information Security (ENISA). ENISA provides recommendations on computing in the financial services industry. However, the outsourcing
cybersecurity, supports policy development and its implementation, and of cloud computing by regulated entities is subject to regulatory super-
collaborates with operational teams throughout Europe for the purpose vision from both a data protection and an IT security perspective.
of contributing to a high level of network and information security
within the EU. INTELLECTUAL PROPERTY RIGHTS
Moreover, on 13 September 2017, the European Commission
published the Proposal for a Regulation of the European Parliament and IP protection for software
of the Council on ENISA, the ‘EU Cybersecurity Agency’, and repealing 36 Which intellectual property rights are available to protect
Regulation (EU) 526/2013, and on ICT cybersecurity certification. The software, and how do you obtain those rights?
Proposal reinforces ENISA’s role in the areas where the agency is
already competent, and introduces new areas where support is needed, Under Belgian law, computer programs (or software) are protected by
in particular the NIS Directive, the review of the EU Cybersecurity copyright (article XI.294-XI.304 of the Belgian Code of Economic Law) and
Strategy, the upcoming EU Cybersecurity Blueprint for cyber crisis assimilated as literary works in the meaning of the Berne Convention.
cooperation and ICT security certification. Copyright protection also covers the source code, object code, architec-
Additionally, on 17 May 2017, the European Parliament adopted ture of the software and preparatory design materials (provided that
Resolution 2016/2243 on fintech: the influence of technology on the they can lead to a computer program). Ideas and principles that underlie
future of the financial sector. This resolution further underlines that any element of a program, including those that underlie its interfaces,
regulation on the provision of financial services infrastructure needs are, however, excluded from the copyright protection.
to provide for appropriate incentive structures for providers to invest The author of the software owns the rights as soon as it is created,
adequately in cybersecurity and emphasises the need for end-to-end provided that the software is original. No registration is required to
security across the whole financial services value chain. This resolution benefit from the protection. For evidentiary purposes, it is, however,
is non-binding and has a purely advisory function. useful to include the name of the author and the creation date in the
Finally, in March 2018 the European Commission adopted an action code of the software and to file it with a public notary or the Benelux
plan on fintech, setting out a number of steps that the Commission Office for Intellectual Property.
intends to take, one of which is to increase cybersecurity and the integ- If the software code has been kept confidential it may also be
rity of the financial system. The action plan mentions the fact that the protected as confidential information. No registration is required, but
European Parliament has called on the Commission ‘to make cyberse- confidentiality agreements are recommended if third parties have
curity the number one priority in the fintech action plan’. It states that access to it.
the transposition by member states of the NIS Directive is ongoing but Computer programs and business methods are explicitly excluded
that gaps may remain in EU financial sector legislation that should be from patent protection. The exclusion from patentability is, however,
filled to improve the sector’s resilience. Therefore, we can expect this limited to the software as such and it is possible to grant a patent to an
field to evolve in the near future. invention implemented by or including a piece of software.
In Belgium, databases underlying software programs may also be
protected by copyright (article XI.186-XI.188 Belgian Code of Economic
Law) and, in certain circumstances, by sui generis database right (Book
24 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Belgium
XI, Title 7 Belgian Code of Economic Law). The database right is a stan- discloses confidential information and to enter into proper confidenti-
dalone right that protects databases that have involved a substantial ality agreements with those persons. These confidentiality agreements
investment in obtaining, verifying or presenting their contents (article should include provisions such as the definition of confidential informa-
XI.306 Belgian Code of Economic Law). Both database copyright and tion, the duration of the confidentiality obligations (knowing that under
database rights arise automatically without any need for registration. general Belgian civil law, it is always possible to terminate an obliga-
Database rights do not apply to computer programs as such, including tion for an indefinite term against ‘reasonable’ notice, meaning that a
those used in the manufacture or operation of databases. fixed term should be provided in the confidentiality agreement) and the
limited use of trade secrets and confidential information regarding the
IP developed by employees and contractors purpose of a specific project.
37 Who owns new intellectual property developed by an Legal proceedings are, in principle, public, so it would be possible
employee during the course of employment? Do the same to hear trade secrets and confidential information during hearings or
rules apply to new intellectual property developed by pleadings. In addition, the Belgian Judicial Code does not restrict access
contractors or consultants? to documents including trade secrets – it provides for principles of
collaboration as regards production of evidence in court proceedings
Unless otherwise provided in writing, where a computer program is and the requirement for any party to submit all documents to the other
created by an employee in the execution of his or her duties or following party, without specifications or exceptions concerning trade secrets.
the instructions given by his or her employer, the employer will be In practice, however, it appears that, depending on the interest that
exclusively entitled to exercise all economic rights in the program so is considered most relevant, Belgian (commercial) courts may choose
created. This means that the IP rights subsisting in a computer program to limit the production of evidence to certain elements or even block
are automatically transferred to the employer when an employee has access to or disclosure of trade secrets (eg, if there is no sufficient
developed the software in the framework of his or her employment evidence of a breach).
contract. This automatic transfer only applies to the economic rights, not
the moral rights of the author. The rule is different for other forms of IP Branding
rights, meaning that (except for above-mentioned computer programs), 40 What intellectual property rights are available to protect
IP that is created by an employee in execution of his or her employment branding and how do you obtain those rights? How can
contract in principle belongs to the employee himself or herself, unless fintech businesses ensure they do not infringe existing
a clause explicitly stipulates that it belongs to the employer. brands?
Where IP is developed by a contractor or a consultant, the rights
are owned by the author of the software (ie, the contractor or the Brands can be protected by a Benelux trademark (covering the Benelux
consultant). The fintech company will only own the economic rights territory) or by an EU trademark (covering the EU territory). Registration
if they have been explicitly transferred in writing (even if the fintech is required to obtain a trademark right (with the Benelux Office for
company has commissioned the software). The same goes for other IP Intellectual Property for Benelux trademarks or with the European
developed by a contractor or consultant. Therefore, contracts must be Union Intellectual Property Office (EUIPO) for EU trademarks).
carefully drafted. Brands can also be protected by market practices if they have
acquired sufficient goodwill in the market and another undertaking tries
Joint ownership to take advantage of the reputation or market position of the brand.
38 Are there any restrictions on a joint owner of intellectual Brands in the form of logos or slogans can also be protected by
property’s right to use, license, charge or assign its right in copyright as artistic works (provided they are original) or by Benelux
intellectual property? or EU design and models rights (provided that they are new and have
specific character).
There are no legal restrictions to the exercise of IP rights by a joint The Benelux Office for Intellectual Property and EUIPO have public
owner. However, in general, an agreement is required between the joint databases that can be consulted to check the availability of a design
owners regarding their respective IP rights, in the absence of which the or trademark. It is highly advisable for new businesses to conduct
IP rights must be exercised jointly. There are certain exceptions to this, trademark and design searches to check whether earlier registrations
depending on the type of IP. exist that are identical or similar to their proposed brand names. It may
also be advisable to conduct searches for any unregistered trademark
Trade secrets rights that have gained sufficient distinctiveness on the market that may
39 How are trade secrets protected? Are trade secrets kept prevent use of the proposed mark. Specialised companies offer services
confidential during court proceedings? to carry out these searches.
Belgium mainly implemented the Trade Secrets Directive (EU) 2016/943 Remedies for infringement of IP
in Book XI of the Code of Economic Law. The Directive requires member 41 What remedies are available to individuals or companies
states to provide protection for information that: whose intellectual property rights have been infringed?
• is secret, in the sense that it is not generally known among, or
readily accessible to, persons within the circles that normally deal The following remedies and proceedings may be available:
with the kind of information in question; • (unilateral) primary injunction;
• has commercial value because it is secret; and • cease-and-desist action;
• has been subject to reasonable steps by the holder of the informa- • damages; and
tion to keep it secret. • application with custom authorities for border detention.
www.lexology.com/gtdt 25
© Law Business Research 2020
Belgium Simmons & Simmons LLP
TAX IMMIGRATION
26 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Belgium
Current developments
46 Are there any other current developments or emerging
trends to note?
www.lexology.com/gtdt 27
© Law Business Research 2020
Brazil
Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga, Érica Yamashita, Diego Gualda,
Vinicius Costa and Alina Miyake
Machado Meyer Advogados
FINTECH LANDSCAPE AND INITIATIVES In the case of the BCB, all the actions described above are part of
a broader agenda, in place since 2018 and currently known as ‘Agenda
General innovation climate BC#’, which seeks to foster financial inclusion, competition, transparency
1 What is the general state of fintech innovation in your and education, and identifies the fintech sector as a strategic partner.
jurisdiction?
FINANCIAL REGULATION
As a developing country with a young population, a culture of plurality,
a strong appetite for social media, a high percentage of unbanked popu- Regulatory bodies
lation and tens of millions of entrepreneurs, Brazil has a lively and 3 Which bodies regulate the provision of fintech products and
booming fintech scene. According to recent data, there are more than services?
700 fintech entities in Brazil (an increase of more than 30 per cent since
last year), employing around 40,000 people. Fintech products and services involving payment (the issuance of pre-
Although, historically speaking, Brazilian regulators were very paid cards and credit cards, acquiring services, etc) and lending are
cautious and not particularly sympathetic towards innovation, this subject to the rules issued by the National Monetary Council (CMN) and
has been gradually changing over the past few years, especially the Central Bank of Brazil (BCB), whereas those regarding securities,
as policymakers see the fintech sector as an opportunity to foster such as crowdfunding, are subject to the regulatory framework issued
some long-desired competition and financial inclusion in the finan- by the Securities and Exchange Commission (CVM).
cial industry.
Led by a few already well-established companies, the sector enjoys Regulated activities
massive adherence and political support from the general public and is 4 Which activities trigger a licensing requirement in your
expected to grow further in the upcoming years. jurisdiction?
Government and regulatory support The legal framework for financial institutions in Brazil is set by Law No.
2 Do government bodies or regulators provide any support 4,595 of 31 December 1964, while Law No. 6,385 of 7 December 1976
specific to financial innovation? If so, what are the key regulates securities offerings and trading. Several activities trigger a
benefits of such support? licensing requirement in Brazil pursuant to applicable regulations,
including:
Since 2018, the Central Bank of Brazil (BCB) has allowed payment insti- • conducting banking business (ie, performing financial intermedi-
tutions (payment fintech companies) to function outside its regulation ation on a regular and professional basis through the raising of
and supervision – including without the need for a licence – as long as funds from the public in general, as well the custody of values on
their activities do not reach specific operational thresholds. The BCB also behalf of third parties: this requires authorisation from the BCB;
created two new categories of financial institution with simpler regula- • rendering certain types of payment services: this requires authori-
tory requirements to accommodate credit-granting fintech entities that sation from the BCB upon reaching the thresholds set forth in
perform their services exclusively through electronic platforms: direct applicable regulations;
lending companies and peer-to-peer lending companies. • dealing in securities transactions in regulated markets as principal
In mid-2019, the BCB, the Securities and Exchange Commission or agent (ie, securities brokerage services): this requires authorisa-
(CVM) and the Superintendence of Private Insurance, together with the tion from the BCB and the CVM;
Special Finance Bureau of the Ministry of Economy, jointly announced • rendering investment advisory services: this requires authorisa-
their intention to set up a regulatory sandbox for fintech companies to tion from the CVM; and
test and develop new products. The first of those initiatives is expected • operating in the foreign exchange market: this requires authorisa-
to begin by the end of 2020. tion from the BCB.
Both the BCB and the CVM, together with other entities, engage
with and support financial innovation labs (the Financial and Technology
Innovation Laboratory (launched by the BCB) and the Laboratory of
Financial Innovation (in connection with the CVM)), which are aimed at
providing guidance and identifying opportunities and obstacles to the
fintech sector.
28 Fintech 2021
© Law Business Research 2020
Machado Meyer Advogados Brazil
Consumer lending individuals to enter into a lending and financing transaction among
5 Is consumer lending regulated in your jurisdiction? themselves, exclusively by means of electronic platforms.
Crowdfunding platforms (and the offer of securities in connection
Yes. The provision of consumer lending in Brazil (eg, overdraft, credit thereof) are subject to a specific rule issued by the CVM and may only be
card invoice financing and consumer loans) is restricted to financial operated by a legal entity duly authorised by the CVM to do so.
institutions duly authorised to operate by the BCB and subject to certain
specific rules. Alternative investment funds
Interest rates vary depending on the institution and are not subject 8 Are managers of alternative investment funds regulated?
to specific limits (except for overdraft interests, which were recently
limited to 8 per cent per month). Administrators of any investment fund, which are responsible for a
However, when extending credit to individuals, micro-companies group of services related to the maintenance and proper operation of
and small companies, financial institutions must disclose to the client, the fund, such as treasury, bookkeeping, custody of financial assets and
prior to the execution of the credit transaction, the total effective cost, portfolio management, are regulated by the CVM and are required to
expressed as an annual percentage rate, which evidences the sum of obtain a licence before commencing their activities.
all the costs related to the transaction (including taxes and fees). This Administrators may delegate certain responsibilities to third
allows consumers to compare the total cost of the loans offered by parties, such as portfolio management activities. Portfolio managers
different institutions. (either individuals or legal entities) are also regulated by the CVM and
Individuals, micro-companies and small companies are also enti- are required to obtain a specific licence.
tled to prepay their debts, in whole or in part, without having to pay any
additional fees in connection thereof. Peer-to-peer and marketplace lending
Furthermore, when entering into transactions with, or rendering 9 Describe any specific regulation of peer-to-peer or
services to, consumers, financial institutions are also subject to the marketplace lending in your jurisdiction.
Consumer Defence Code.
SEPs are financial institutions of which the main purpose is to enable
Secondary market loan trading individuals to enter into lending and financing transactions among
6 Are there restrictions on trading loans in the secondary themselves exclusively by means of electronic platforms. Transactions
market in your jurisdiction? intermediated by SEPs will have the characteristics of a linked credit
transaction, in which there is a link between the funds raised from the
In general, no, provided that the loans do not have a securities nature creditors and the corresponding loan transaction entered into with the
in accordance with applicable laws and regulations. Certain exceptions debtor, with the respective subordination of the repayment of the funds
apply, such as in respect of direct lending companies, which may only delivered by the creditors to the payment of the loan transaction by the
assign credit to financial institutions, receivables investment funds and debtors. Granting of loans with their own funds, as well as any type of
securitisation companies. risk retention, either directly or indirectly, is not allowed for SEPs.
To be effective towards the debtor, the debtor must be notified of SEPs may also provide certain ancillary services in connection with
the credit assignment. their main activity, such as credit analysis for clients and third parties,
collection of debts on behalf of clients and third parties and issuance of
Collective investment schemes electronic money, according to applicable regulations.
7 Describe the regulatory regime for collective investment Finally, SEPs must:
schemes and whether fintech companies providing • be incorporated as corporations and have paid-up stock capital and
alternative finance products or services would fall within its shareholders’ equity of 1 million reais;
scope. • segregate their funds from the funds of creditors and debtors;
• provide information to their clients and users in respect of the
In Brazil, the types of special condominium (pool of assets) directed to nature and complexity of the transactions and services offered;
investment purposes, of which the portfolio is indirectly owned by their • use a proper credit analysis model; and
investors (quota holders) proportionally to the amounts invested by • comply with proportional operational and prudential requirements
each of them (investment funds) and their permitted investments, are consistent with their size and profile.
subject to the rules and regulatory oversight of the CVM.
Investment funds are divided into two main groups: Crowdfunding
• ‘traditional’ investment funds, which may invest in several different 10 Describe any specific regulation of crowdfunding in your
types of financial assets (eg, equity, fixed income, real estate and jurisdiction.
derivatives); and
• structured funds, such as: Crowdfunding in Brazil is regulated by the CVM and defined as the
• private equity funds, which may invest mainly in securities (eg, raising of funds through public offers for the distribution of securities
shares and subscription bonuses) and convertible notes; and issued by small businesses conducted with exemption from registration
• credit receivables investment funds, which may invest in through an electronic investment platform.
credit rights arising from different sectors of the economy, The rule expressly excludes peer-to-peer loans from its activities
such as financial, industrial and commercial ones. (which are regulated by the BCB). However, the regulation does not
limit the type of security to be offered; therefore, small businesses may
Fintech companies, such as peer-to-peer lending and crowdfunding issue shares, debentures or other securities as long as they are legally
platforms, are subject to a different regulatory regime. available.
Peer-to-peer lending platforms are operated by peer-to-peer The public offering (which is limited to 5 million reais) must take
lending companies (SEPs), which are a type of financial institution place through an electronic platform managed by a company duly incor-
(and not an investment fund), the main purpose of which is to enable porated in Brazil and registered with the CVM, which is responsible for
www.lexology.com/gtdt 29
© Law Business Research 2020
Brazil Machado Meyer Advogados
verifying compliance by the issuer and the offering with applicable regu- Only financial institutions belonging to segments S1 and S2 of
latory requirements. the Brazilian financial system (which mainly comprises major banks),
The offers are intended for any type of investor, subject to a 10,000 according to segmentation rules set forth in Brazil, will be required to
reais investment limit per calendar year (exceptions apply to certain join open banking at its inception. Other institutions, such as payment
investors, such as qualified investors). institutions, are allowed to participate on a voluntary basis, but only
The grouping of investors supporting a lead investor in ‘participatory those licensed by the BCB may take part in the open banking directly.
investment syndicates’ is expressly allowed, as is the incorporation of an Non-licensed institutions may participate through partnerships
investment vehicle for those purposes (subject to certain requirements). with authorised participant institutions. Any participation must follow
the principle of reciprocity (ie, the recipient must also share informa-
Invoice trading tion). All regulated institutions offering payment accounts, on-demand
11 Describe any specific regulation of invoice trading in your deposit accounts and savings accounts will also be required to join open
jurisdiction. banking in its third phase (August 2021) in respect of payments initiation
services and the sharing of data related to those services.
Trade notes are regulated by Law No. 5,474 of 18 July 1968 as well as by The new regulation is based on the principle that registration data
Decree No. 57,663 of 24 January 1966, which also governs the endorse- and information on the products and services provided belong to the
ment of trade notes, jointly with the Civil Code. customer, and it is up to him or her to decide whether to share them
Furthermore, in May 2020, the CMN and the BCB issued two rules with third parties. Therefore, consent will always be required before any
governing the use of book-entry trade notes. Following the trend of customer data sharing.
dematerialisation of financial assets and securities seen in the Brazilian Self-regulatory provisions will play an important role in the imple-
market in recent decades, the new rules regulate: mentation of open banking in Brazil. Participants will be required to
• financial transactions guaranteed by book-entry trade notes and discuss, prepare and execute a convention regulating operational
the discounting or sale of those receivables; and aspects of the ecosystem, such as technological standardisation,
• the bookkeeping activity of those securities. communications and security protocols, reimbursements among partic-
ipants, disputes resolution and standardisation of data and service
The rules aim to provide greater security for issuance, registration, layouts, among others. This convention will be subject to approval
settlement and trading in respect of those transactions. The main by the BCB.
change introduced by the rules is the mandatory use of registered book-
entry trade notes. Financial institutions should, therefore, require their Robo-advice
counterparts, in particular sellers who wish to discount their receiva- 14 Describe any specific regulation of robo-advisers or other
bles, to issue and register the respective book-entry trade notes. companies that provide retail customers with automated
access to investment products in your jurisdiction.
Payment services
12 Are payment services regulated in your jurisdiction? There is no specific regulatory framework for robo-advisers. However,
the CVM has already identified three main activities performed by
The legal framework for payment services in Brazil is set by Law No. robo-advisers: the provision of financial advice, asset management and
12,865 of 9 October 2013. A licence is required upon reaching specific financial analysis (robo-traders are considered financial analysts). As
operational thresholds if the fintech company executes the following each of these activities is specifically regulated by the CVM, a robo-
types of payment services: adviser providing any of these must comply with the same regulatory
• issuance of electronic money and associated services, such as requirements applicable for traditional providers.
issuance of prepaid instruments, management of prepaid payment
accounts and provision of payment transactions based on elec- Insurance products
tronic money deposited into those accounts; 15 Do fintech companies that sell or market insurance products
• issuance of post-paid payment instruments (such as credit in your jurisdiction need to be regulated?
cards); and
• acquiring services. Insurance companies and the marketing of insurance products in Brazil
are subject to regulation and supervision by different authorities: the
Fintech companies providing the payment services mentioned above Superintendence of Private Insurance and the National Council of Private
are defined by applicable legislation as payment institutions. Insurance. Only duly licensed insurance companies may provide insur-
Owners of card networks (ie, the legal entities in charge of ance coverage in Brazil. The solicitation and intermediation of insurance
managing the rules, procedures and the use of the brand associated contracts may be carried out only by licensed insurance brokers.
with a card network) must request authorisation for the card network Pursuant to applicable regulations, legal entities may promote and
that they operate (upon reaching certain triggers). Card networks are market insurance products for and on behalf of insurance companies,
defined by applicable regulations as the set of rules governing the use acting as their representatives. Insurance representatives do not need
of payment instruments accepted by more than one recipient entity. to be regulated or obtain any type of authorisation, but they must act
within the powers established in the relevant agreement executed with
Open banking the relevant insurance company.
13 Are there any laws or regulations introduced to promote Insurance representatives may not act as brokers; therefore,
competition that require financial institutions to make any sales of insurance products carried out by the representative are
customer or product data available to third parties? considered direct sales by the insurance company if not intermediated
by a duly licensed broker.
The BCB recently issued baseline regulations for open banking (via Only certain lines of insurance may be sold through this channel,
application programming interfaces) based on the UK model, the imple- namely the simpler insurance, such as all risks, travel, extended
mentation of which is expected to start in November 2020. warranty, life, unemployment and consumer credit.
30 Fintech 2021
© Law Business Research 2020
Machado Meyer Advogados Brazil
Not all licensed fintech companies may act as insurance represent- CHANGE OF CONTROL
atives. Payment institutions (direct lending companies and peer-to-peer
lending companies) are authorised to act as insurance representa- Notification and consent
tives for the distribution of insurance products that are related to their 20 Describe any rules relating to notification or consent
lending activities. requirements if a regulated business changes control.
www.lexology.com/gtdt 31
© Law Business Research 2020
Brazil Machado Meyer Advogados
To be valid, loan and security agreements are subject to the same Securitisation confidentiality and data protection requirements
general requirements set forth by the Civil Code for the validity of 26 Is a special purpose company used to purchase and securitise
any agreement (be executed by capable parties; have a licit, feasible, peer-to-peer or marketplace loans subject to a duty of
determined or determinable object or purpose; and be formalised in a confidentiality or data protection laws regarding information
manner provided by, or not prohibited by, applicable laws). relating to the borrowers?
Furthermore, the validity of the transaction is dependent on the
absence of any legal defects (such as fraud in enforcement procedures, Brazilian financial institutions (such as SEPs and SCDs) are subject to
fraud against creditors and simulation). banking secrecy requirements. In summary, they are prevented from
In general, credit transactions executed on a peer-to-peer platform disclosing to third parties any information concerning the transactions
are formalised through bank credit notes, which are subject to addi- and services provided by them to their customers, except in certain situ-
tional requirements, and signed electronically, which is permitted by ations provided by applicable laws.
applicable laws and regulations. It is debatable whether third parties, such as investment funds and
Specific requirements may be applicable to security instruments securitisation companies purchasing loans originated by financial insti-
depending on their type. tutions, would also be subject to banking secrecy requirements.
In any case, provided that the relevant loan and security agree- In any case, according to the Brazilian General Data Protection
ments entered into on a peer-to-peer or marketplace lending platform Law (which is not yet in full force), a purchaser of the relevant loans
are compliant with applicable laws and regulations (and that the peer- is subject to specific data protection obligations in respect of personal
to-peer lending company (SEP) or the direct lending company (SCD) data, which is defined as any information relating to an identified or
is duly authorised by the Central Bank of Brazil), those transactions identifiable natural person (including identifying numbers, location
should be deemed valid for all legal purposes. data or electronic identifiers when these are related to a person). In
those cases, it will be necessary to evaluate the role of the contracting
Assignment of loans parties as controllers or processors in the context of the operation and
24 What steps are required to perfect an assignment of to include the applicable data protection provisions in the agreements
loans originated on a peer-to-peer or marketplace lending to safeguard the parties accordingly.
platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
loans without informing the borrower? TECHNOLOGY AND CRYPTO-ASSETS
With regard to SCDs (which may provide direct loans using their own Artificial intelligence
funds), the loans are usually formalised through bank credit notes 27 Are there rules or regulations governing the use of artificial
(issued by clients to the SCD), which may be transferred by the SCD intelligence, including in relation to robo-advice?
through endorsement or assignment (the latter carried out pursuant to
the rules of the Civil Code). In general, loans are assigned by the SCDs There is no specific regulatory framework for the use of artificial
to finance their operations. intelligence in financial markets. Furthermore, there is no legal distinc-
SEPs may adopt different business models. Some of those finan- tion between robo-advice and traditional investment advice in Brazil.
cial institutions endorse the relevant credit instrument issued to their As such, companies providing robo-advice must fulfil the same legal
benefit (by the borrower) to the creditor (which includes investment requirements as companies providing traditional investment advice,
funds and securitisation companies). which are regulated by the Securities and Exchange Commission (CVM).
Assignment of credit pursuant to the Civil Code is subject to regis-
tration with the registries of the titles and deeds of the place where the Distributed ledger technology
relevant parties reside if they are to be effective towards third parties. 28 Are there rules or regulations governing the use of
On the other hand, endorsements are not subject to this registration distributed ledger technology or blockchains?
requirement.
Although the Civil Code requires the borrower to be notified for Not presently, but there are certain bills under discussion in the House
a credit assignment to be effective towards the borrower, the lack of of Representatives that, if approved, will establish a regulatory frame-
notification does not affect the validity of the assignment between the work for digital currency transactions, exchanges and wallets.
parties. From a practical standpoint, SEPs and SCDs usually collect
payments from borrowers on behalf of creditors (assignees), which Crypto-assets
is why the absence of notification does not pose an issue under those 29 Are there rules or regulations governing the use of crypto-
structures. assets, including digital currencies, digital wallets and
e-money?
32 Fintech 2021
© Law Business Research 2020
Machado Meyer Advogados Brazil
The Central Bank of Brazil (BCB) has issued certain public notices DATA PROTECTION AND CYBERSECURITY
acknowledging that digital currencies such as bitcoin are virtual curren-
cies and, thus, would be different from electronic currencies (e-money), Data protection
which are governed by Brazilian payment and electronic currency laws 32 What rules and regulations govern the processing and
and regulations. Electronic currencies are funds (based on the ‘official transfer (domestic and cross-border) of data relating to
currency’ or fiat currency) stored in electronic devices or electronic fintech products and services?
systems that allow for end users to enter into payment transactions.
Digital or virtual currencies, on the other hand, are not considered offi- The processing and transfer of data should be verified according to the
cial currencies even though they may work as a means for end users to scope, regardless of whether the processing or transfer would include
enter into payment transactions. personal data. In Brazil, personal data is considered to be any information
In one of those public notices, the regulator stated that transactions relating to an identified or identifiable natural person.
with digital currencies that imply international transfers denominated in The Brazilian General Data Protection Law (LGPD), which provides
foreign currencies must take place in accordance with the applicable the general rules for privacy and data protection in Brazil, sets forth the
foreign exchange regulations (in particular, the requirement to enter conditions of any processing and transferring (including cross-border
into any foreign exchange transaction exclusively through institutions transfer) of personal data. The LGPD is expected to enter into full force
authorised to operate in the foreign exchange market). on 3 May 2021.
Currently, there are certain bills being discussed in the House of Cross-border personal data processing is allowed:
Representatives that, if approved, may affect digital currency transac- • to countries or international organisations that provide the appro-
tions, exchanges and wallets. In particular, the bills propose to place priate level of protection of personal data, as approved by the
digital currency transactions and exchanges under the BCB’s supervi- Brazilian National Data Protection Authority;
sion, create a series of rules and principles for their activity and protect • where the controller provides and demonstrates guarantees of
user resources in the event of exchange bankruptcy. Although there compliance with the principles and rights of the data subject and
is still much uncertainty regarding future regulation, there should be data protection regime established in the law, in the form of:
more discussions and public hearings about these bills in the House of • specific contractual clauses for a given transfer;
Representatives in the coming months. • standard contractual clauses;
• binding corporate rules; or
Digital currency exchanges • seals, certificates and codes of conduct that are regularly issued;
30 Are there rules or regulations governing the operation of • when the transfer is required for international legal cooperation
digital currency exchanges or brokerages? between government intelligence, investigation and police bodies, in
accordance with the international law instruments;
Currently, digital currency exchanges or brokerages are not specifically • when the transfer is required for the protection of life or the physical
regulated in Brazil. However, digital currency exchanges domiciled in integrity of the data subject or any third party; or
Brazil for tax purposes must make certain tax-related reports to the • for other reasons, such as consent or compliance with a legal or
Federal Revenue Service (RFB) in respect of transactions involving regulatory obligation by the controller.
crypto-assets carried out by users and their yearly balance information.
The RFB defines an ‘exchange of crypto-assets’ as a legal entity that For anonymised data (when the data relates to a data subject who cannot
offers services related to crypto-assets transactions, including inter- be identified), considering the use of reasonable and available technical
mediation, negotiation and custody – accepting any payment means, means at the time of the processing, there is no restriction on the transfer
including crypto-assets. The definition is very broad and encompasses of the information.
different kinds of companies dealing with crypto-assets. Fintech companies licensed by the Central Bank of Brazil (BCB) must
comply with certain rules on the outsourcing of relevant data storage,
Initial coin offerings data processing and cloud computing services in Brazil or abroad when
31 Are there rules or regulations governing initial coin offerings those services are considered critical services within the institution. As a
(ICOs) or token generation events? general rule, they must guarantee the confidentiality, integrity and avail-
ability of the data and systems, and they must ensure that their partners
Currently, ICOs or other token generation events are not regulated in and third-party service providers also have policies, procedures and
Brazil. The CVM has issued statements and investor alerts advising that controls to prevent incidents related to the cyber environment as well as
unregistered public offerings of tokens that constitute a security under ensure the security of sensitive information. The outsourcing of critical
Brazilian laws are illegal when they involve securities, subjecting the services must be reported to the BCB, and, if services are contracted
offering and the parties to applicable sanctions. In other words, if the abroad, authorisation is required in the absence of agreement for the
underlying rights attributes a security nature to the relevant asset, the exchange of information between the BCB and the supervisory authority
transaction, the issuer and other parties involved must comply with of the country where the data storage and processing services will
applicable securities laws and regulations. When evaluating if a certain be provided.
coin offering is a security offering, the CVM has been applying a test
similar to the Howey test. Cybersecurity
33 What cybersecurity regulations or standards apply to fintech
businesses?
www.lexology.com/gtdt 33
© Law Business Research 2020
Brazil Machado Meyer Advogados
policies, procedures and controls to prevent incidents related to the cyber Certain specific provisions must be included in the relevant
environment; and ensure the security of sensitive information. outsourcing agreements. As a general rule, the regulated institution
To that end, licensed fintech companies must put in place a cyber- outsourcing the services must verify that the service provider is able
security policy that takes into consideration the entity’s size, risk profile to ensure:
and business model, as well as the nature of the operations and data • compliance with Brazilian laws and regulations;
sensitiveness. An action and response plan in respect of security inci- • access by the regulated institution to the data to be processed or
dents must be established as well. stored by the service provider;
The cybersecurity policy must, among other things, comprise: • confidentiality, integrity, reliability, availability and recovery of the
• procedures and controls adopted to reduce vulnerability to incidents; data to be processed or stored by the service provider;
• specific controls, including those directed at information traceability, • adherence to the certifications required by the institution for the
that aim to ensure the security of sensitive information; rendering of the services;
• procedures to record incidents relevant to the entity’s activities as • access by the institution to the reports prepared by an independent
well as the analysis of their cause and impact, and the control of audit company hired by the service provider in respect of the proce-
their effects; dures and controls used in the rendering of the services;
• guidelines on: • supply of information and management resources adequate to
• the development of scenarios that reflect incidents considered monitor the services;
in business continuity tests; • identification and segregation of the data of the clients of the institu-
• the definition of procedures and controls directed at the preven- tion through physical or logical means; and
tion and treatment of incidents to be adopted by third-party • the quality of the access controls aimed at protecting the data and
providers that handle sensitive data or information, or that are information in respect of the clients of the institution.
relevant for the institution’s operational activities;
• the classification of data and information according to its Data on Brazilian clients (personal, financial or otherwise) should be
relevance; and treated as confidential and should not be transferred to third parties
• the definition of parameters to be used in the assessment of the without the express prior consent of those concerned. Data location and
relevance of incidents; processing may take place inside or outside the Brazilian territory, but
• mechanisms for dissemination of a cybersecurity culture within the access to data stored abroad must be granted at all times to the BCB for
entity, including the implementation of programmes for the training inspection purposes.
and periodic evaluation of employees, the provision of information to
clients and users regarding precautions when using financial prod- Cloud computing
ucts and services and the commitment of senior management to the 35 Are there legal requirements or regulatory guidance with
continuous improvement of procedures related to cybersecurity; and respect to the use of cloud computing in the financial services
• initiatives for sharing information with other entities regarding the industry?
relevant incidents.
The contracting of critical cloud computing services by licensed enti-
The procedures and controls adopted to reduce the institutions’ vulner- ties must follow the requirements imposed by applicable regulations.
ability to incidents and to meet other cybersecurity objectives should Cloud computing services encompass the availability of at least one of
include, at least, authentication, encryption, intrusion prevention and the following services:
detection, information leakage prevention, periodic testing and scanning • data processing, data storage, infrastructure of computer networks
for vulnerabilities, protection against malicious software, establishment and other computer services that allow the implementation or
of traceability mechanisms, computer network access and segmentation execution of software by a financial institution, including operational
controls, and maintenance of data and information backups. systems and applications developed by a financial institution or
acquired by it from third parties;
OUTSOURCING AND CLOUD COMPUTING • implementation or execution of applications developed by a finan-
cial institution or acquired by it from third parties, using computer
Outsourcing resources of a third-party service provider; or
34 Are there legal requirements or regulatory guidance with • execution, through the internet, of applications implemented or
respect to the outsourcing by a financial services company of a developed by the third-party service provider, using computer
material aspect of its business? resources of the third party.
Yes. Licensed institutions must comply with specific rules for contracting INTELLECTUAL PROPERTY RIGHTS
data storage, data processing and cloud computing services with third
parties in Brazil or abroad when those services are considered critical IP protection for software
services within the institution. There are no express guidelines for 36 Which intellectual property rights are available to protect
institutions to determine when a service should be qualified as critical; software, and how do you obtain those rights?
applicable regulations simply state that the financial institution must
take into account the importance of the service and the sensitiveness Intellectual property rights for software in Brazil are regulated by Law
of the data and information to be processed, stored or managed by the No. 9,609 of 19 February 1998. Typically, software will be protected under
services provider. the Copyright Law and will not be patentable. However, it is possible to
The outsourcing of critical services must be reported to the Central require the patent of software related to an invention that meets the
Bank of Brazil (BCB), and, if those services are contracted abroad, patent requirements set forth by the Industrial Property Law (Law No.
authorisation is required in the absence of agreement for the exchange 9,279 of 14 May 1996).
of information between the BCB and the supervisory authority of the The copyright on software provides the holder with all related
country where the data storage and processing services will be provided. economic rights, independently of any previous registration. In respect of
34 Fintech 2021
© Law Business Research 2020
Machado Meyer Advogados Brazil
moral rights, except for the right to claim the authorship of the software, Joint ownership
no other moral rights are applicable. 38 Are there any restrictions on a joint owner of intellectual
The owner is also assured the exclusive commercial licensing rights property’s right to use, license, charge or assign its right in
of the software and technology transference. In the latter case, the tech- intellectual property?
nology transfer agreements must be registered with the National Institute
of Industrial Property (INPI) to have effect in relation to third parties. Brazilian copyright law provides for the possibility for co-authorship of
When software is protected by copyright, the protection is inde- works. The co-authors (or joint owners) receive legal protection both for
pendent of any form of registration, extending for 50 years from its their individual contributions and for the entire work. They must exer-
creation, after which the work enters the public domain. However, cise their rights by common agreement (unless otherwise agreed).
the owner has the option to register the source code before the INPI If the contributions of each author are not divisible (identifiable), no
under Federal Decree No. 2,556 of 20 April 1998. The registration will co-author may publish or authorise the publication of the work without
not put forth any differences in the protection of the specific rights over the consent of the others. However, it should be noted that each author
the software, but is instead an alternative to publicise the ownership of may defend his or her rights over the work without the consent of the
the software. others. The intellectual property produced by them will be an undivided
During the 50 years in which the computer programs are protected, part, assuming that each author will have equal and proportional partic-
only the owner can authorise its use by third parties by means of a ipation in the software, unless otherwise stipulated in writing.
licensing agreement. In the absence of a written licensing agreement, When the work is made through an institution, organisation or legal
the tax invoice relating to the acquisition or licensing of a copy of the entity, which is formed by the participation of different authors, whose
program will evidence the regularity of its use. contributions merge into an autonomous creation, it is called a collec-
tive work, as per section 17 of the Federal Law No. 9,610/98. Article 5,
IP developed by employees and contractors item XXVIII, item ‘a’ of the Federal Constitution also ensures individual
37 Who owns new intellectual property developed by an participation in a collective work.
employee during the course of employment? Do the same The legislation guarantees to the joint owner of collective work his
rules apply to new intellectual property developed by or her due remuneration and establishes the property rights over the
contractors or consultants? collective work as a single right of the organisation. The contract with
the organisation shall indicate the contribution of each of the partici-
Law No. 9,609 of 19 February 1998, which provides the rights and obliga- pants, the remuneration and other conditions for its execution, such as
tions for the protection of software’s intellectual property, states that the licensing, charging and the assignment.
software ownership developed as a result of services provided within Unlike the co-authorship, the collective work, despite being elabo-
a specific contract will belong to the contracting party (an employer, a rated by several people, becomes a unique work, and for this reason,
company or a public agency) unless it can be proven that the software the agreement shall establish the participation of each author, and the
was created without connection to the performance of the contract and conditions for the economic exploitation of it.
without the use of resources, technological information, industrial or
commercial secrets, materials, installations or equipment belonging to Trade secrets
the contracting party. 39 How are trade secrets protected? Are trade secrets kept
The same provisions are applicable in the case of an employment confidential during court proceedings?
agreement. Violations of those intellectual property rights may result in
penalties. Trade secrets are protected by the Industrial Property Law, which
Brazilian copyright laws provide for the possibility for co-authorship characterises as a criminal offence the ‘disclosure, exploitation or use,
of works. The co-authors (or joint owners) receive legal protection both without authorisation, of confidential knowledge, information or data,
for their individual contributions and for the entire work. They must exer- usable in industry, commerce or the provision of services, excluding
cise their rights by common agreement (unless otherwise agreed). information which is publicly known or evident to a person skilled in the
If the contributions of each author are not divisible (identifiable), field, to which one has had access through a contractual or employment
none of the co-authors may publish or authorise the publication of the relationship’. Penalties may include imprisonment of the offender, from
work without the consent of the others. However, each author may three months to one year, or a fine. In addition, the company is liable for
defend his or her right over the work without the consent of the others. any proven damages as a civil violation.
The intellectual property produced by them will be an undivided part, The Industrial Property Law also assures injured parties ‘the right
assuming that each author will have equal and proportional participation to receive compensation for the loss caused by acts of infringement of
in the software unless otherwise stipulated in writing. industrial property rights and by acts of unfair competition’.
When the work is made through an institution, organisation or legal To prove that one is the lawful holder of the violated rights, it must
entity, which is formed by the participation of different authors, whose be evidenced that reasonable steps to maintain the confidentiality of
contributions merge into a single creation, it is called a collective work. the information were taken and that access to the information by the
The Constitution also ensures individual participation in a collective work. infringing party was fraudulent and unlawful, in breach of contractual
The legislation guarantees to the joint owner of a collective work or legal obligations.
his or her due remuneration and establishes the property rights over the The injured party can request judicial secrecy over the lawsuit.
collective work as a single right of the organisation. The contract with the Furthermore, if a trade secret is disclosed ‘in the course of a court
organisation indicates the contribution of each of the participants and the action in order to defend the interests of any of the parties, the judge
remuneration and other conditions for its execution, such as licensing, must determine that the case proceed in judicial secrecy’, which implies
charging and the assignment. restricted access to the case files and hearings only by the parties, their
Unlike co-authorship, the collective work, despite being created lawyers, the judge and his or her clerks.
from the collaboration of several people, becomes a unique work, and for
this reason, the agreement establishes the participation of each author,
and the conditions for the economic exploitation of it.
www.lexology.com/gtdt 35
© Law Business Research 2020
Brazil Machado Meyer Advogados
Branding COMPETITION
40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can Sector-specific issues
fintech businesses ensure they do not infringe existing 42 Are there any specific competition issues that exist with
brands? respect to fintech companies in your jurisdiction?
There are two ways of protecting branding rights in Brazil: the grant of Digital markets have been the focus of competition enforcers worldwide,
industrial design registration and the grant of trademark registration (or including Brazil. The banking market is dominated by a few players and
brand registration). Both are related to the registration before the INPI. fintech companies are viewed by the Brazilian antitrust authority – the
The industrial design registration protects the design of a product. Administrative Council for Economic Defence (CADE) – as disruptive
The product should have a new aesthetic or an ornamental aspect that companies, capable of offering more specific and profitable financial
differs from existing products. The requirements are that the design products and services and, consequently, of exerting competitive pres-
should be new (when it has not been made public in Brazil or abroad sure on banks and other financial institutions.
before the deposit of the request to the INPI) and original (when it In this sense, in the past couple of years, CADE has been conducting
results from a distinctive visual configuration in relation to other several investigations of alleged anticompetitive practices involving
previous objects, including those resulting from the combination of the abuse of dominant position, particularly by financial institutions to
known elements). The registration grants ownership to a specific brand. exclude or limit the operations of fintech companies, such as the refusal
The conditions for an application for registration can be found in articles to provide services or information that are essential for the operation of
101 to 106 of the Industrial Property Law. their business or providing the services on discriminatory basis.
The trademark registration is related to: As for merger cases, although CADE has yet to review a merger
• distinctive signs, such as company names or logos, products and filing solely affecting the fintech market, cases involving large banks
service marks, used to distinguish them from their competitors that may entail conglomerate or vertical integration issues are being
• certification marks, which are those used to certify that a product subject to close scrutiny by CADE to ensure that the acquisition is not
or service complies with certain technical specifications; and aimed at alleviating the threat of potential competition or preventing
• collective marks, which are used to identify products and services an increase of market power that could further lead to discrimination
of the members of a certain entity. or market foreclosure. Behavioural remedies, for instance, have been
adopted to ensure future competition in the acquisition by a major bank
The conditions for an application for trademark registration can be or stake in a platform for financial products (investments).
found in the Industrial Property Law. In October 2019, CADE published a comprehensive report on the
Foreign businesses, including in the fintech field, can ensure that payment industry, concluding that its technological developments
they do not infringe existing brands in Brazil by properly applying for – including the surge of fintech companies – require a dynamic assess-
the registration of its own brand and industrial property before the INPI. ment, with the introduction of more sophisticated and appropriate tools
The current legal protection of intellectual and industrial prop- to evaluate the effects of those constant changes on competition in
erty in Brazil derives from the Agreement on Trade-Related Aspects of digital markets. The concentration in the banking market, the verticali-
Intellectual Property Rights. sation of the players in the payment industry, and the introduction of
open banking in Brazil will continue to demand CADE’s attention and
Remedies for infringement of IP careful review to ensure competition, innovation and improved welfare.
41 What remedies are available to individuals or companies There is a memorandum of understanding between CADE and
whose intellectual property rights have been infringed? the Central Bank of Brazil (BCB) for joint cooperation, providing for
coordinated actions, the exchange of information, meetings and discus-
Under Law No. 9,609 of 19 February 1998, the violation of a piece of sions, for example, on the legal framework that may impact competition
software’s intellectual property is a criminal offence, punishable by the involving institutions regulated by the BCB, as well as collaboration in
imprisonment of the offender from six months to two years or a fine, and the review of merger filings or investigation of anticompetitive practices
a civil tort. The offender is also liable for all losses and harm suffered involving financial institutions.
by the claimant when the offender acts in bad faith or with the intention
of imitating the claimant, or commits a gross error by violating a third TAX
party’s intellectual property.
Crimes against brands and industrial designs may be found in the Incentives
Industrial Property Law, accompanied by their respective penalties. The 43 Are there any tax incentives available for fintech companies
penalties usually involve a period of incarceration from three months to and investors to encourage innovation and investment in the
one year or the application of a fine. fintech sector in your jurisdiction?
Crimes or illicit activity that violates copyright can be found in
Law No. 9,610 of 19 February 1998, which establishes the obligatory There are no specific tax incentives for fintech companies or investors
compensation for losses and damage as well as other applicable sanc- in Brazil.
tions, such as the suspension of transmissions or product sales and the Certain fintech companies that invest in research, development
destruction of illicit copies, according to the type of violation. and innovation projects and that have surpassed the break-even point
currently enjoy reductions from corporate income tax (IRPJ), social
contribution on net profits (CSLL), the tax on manufactured products
and withholding income tax under Law No. 11,196 of 21 November 2005.
These benefits are available to any Brazilian company assessing IRPJ or
CSLL under the real profit regime.
36 Fintech 2021
© Law Business Research 2020
Machado Meyer Advogados Brazil
Certain fintech entities in Brazil (eg, digital banks, direct lending compa-
nies and peer-to-peer lending companies) are qualified as financial
institutions under Brazilian law. Those entities are subject to taxes
imposed on net profits, namely IRPJ and CSLL, and taxes imposed on
gross revenues, namely the contribution to the employees’ profit partici- Nei Zelmanovits
pation programme (PIS) and the Contribution to the Financing of Social nsz@machadomeyer.com.br
Security (COFINS) under the financial institution regime.
Thais de Gobbi
This regime is more burdensome than the regimes applicable tgobbi@machadomeyer.com.br
to other companies in Brazil: the aggregate rate of corporate income
tax and the CSLL is 45 per cent, and the aggregate rate of the PIS and Pedro Nasi
pdn@machadomeyer.com.br
COFINS is 4.65 per cent (with no credit deductions), rather than the
respective rates (with credit deductions) of 34 per cent and 9.25 per Vicente Braga
cent applicable to companies assessing the IRPJ and the CSLL under vbraga@machadomeyer.com.br
the real profit regime. Érica Yamashita
Other tax regimes are applicable to small and medium-sized eyamashita@machadomeyer.com.br
companies in Brazil, which are not subject to the financial institutions’
Diego Gualda
regime. In those cases, the tax burden tends to be even lower.
dlgualda@machadomeyer.com.br
In relation to crypto-asset exchanges, the Federal Revenue Service
has created an ancillary obligation for exchanges incorporated in Brazil: Vinicius Costa
they must disclose a set of information regarding every transaction vcosta@machadomeyer.com.br
intermediated by them. Alina Miyake
At this stage, the digital taxes that have been created do not affect amiyake@machadomeyer.com.br
the fintech environment.
There are no specific immigration schemes available for fintech busi- In addition, the advent of regulatory sandbox initiatives promises to
nesses, nor for the technology and financial sectors in Brazil. The foster innovation, especially those related to the use of blockchain and
ordinary rules described in the Migration Law (Law No. 13,445 of 24 distributed ledger technology. The widespread use of tokenised assets
May 2017) and the Migration Decree (Decree No. 9,199 of 20 November is particularly expected, considering how the Securities and Exchange
2017) concerning work and residence permit requirements apply, which Commission (CVM) designed its regulatory sandbox initiative. Moreover,
includes the possibility of granting a permit for the provision of services alternatives for trading foreign exchange are expected, as some stable-
of technical assistance and technological transfer. coins make their way into the Brazilian market and the BCB welcomes
its first cohort of regulatory sandbox applicants.
UPDATE AND TRENDS News regarding the development of all these initiatives may be
found at the official websites of the BCB and the CVM.
Current developments
46 Are there any other current developments or emerging Coronavirus
trends to note? 47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
In 2020, the Central Bank of Brazil (BCB) started to implement the implemented to address the pandemic? Have any existing
instant payments system (PIX), which promises to foster competi- government programmes, laws or regulations been amended
tion in the retail payment industry – a sector in which fintech entities to address these concerns? What best practices are advisable
are overrepresented – and accelerate transactions through mobile for clients?
and QR codes.
The Brazilian open banking initiative is also scheduled to launch The government has enacted several pieces of emergency legislation
its first phase this year. The initiative was initially mostly aimed at insti- and other initiatives, aiming mostly to preserve jobs and to help small
tutions already regulated by the BCB, but the regulator was adamant and medium-sized enterprises.
about keeping an open door for the participation of non-regulated In the financial sector, the National Monetary Council (CMN) and
entities. Participation is designed to take place through partnership the BCB are considering the impacts of the pandemic in financial insti-
agreements with regulated entities in a provider capacity, focused on tutions and are openly aware of the challenges of maintaining their
enhancing the user’s experience. financial stability while ensuring that the economy has proper access
www.lexology.com/gtdt 37
© Law Business Research 2020
Brazil Machado Meyer Advogados
38 Fintech 2021
© Law Business Research 2020
China
Jingyuan Shi
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES incentives and special funds. Besides, some regions in China, such as
Beijing, Guangdong-Hong Kong-Macao Greater Bay Area, Chengdu,
General innovation climate Chongqing and Hangzhou, also issued incentive plans for the
1 What is the general state of fintech innovation in your fintech industry.
jurisdiction?
FINANCIAL REGULATION
China’s reputation as a global leader in fintech innovation continues
to grow, and fintech companies in China have particular expertise in Regulatory bodies
areas such as payments, AI, blockchain and digital currency. Going 3 Which bodies regulate the provision of fintech products and
forward, we expect fintech innovation in China to play a substantial services?
role in the development of the entire financial services industry. The
Chinese government actively encourages innovation by fintech compa- There is no single regulatory body responsible for the regulation of
nies. However, the fintech sector remains highly regulated and this fintech products and services. Different fintech services and products
seem unlikely to change. In fact, it is possible that fintech companies are regulated by different regulatory bodies. The main regulatory
may be subject to greater regulatory supervision in the future, espe- bodies include the People's Bank of China (PBOC), China Banking
cially where they carry out business related to peer-to-peer online and Insurance Regulatory Commission (CBIRC) and China Securities
lending, blockchain-based currency, online insurance, the central- Regulatory Commission (CSRC).
ised storage of deposits in payments sectors, cybersecurity and data
protection. Regulated activities
4 Which activities trigger a licensing requirement in your
Government and regulatory support jurisdiction?
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key The following activities are regulated and require a licence:
benefits of such support? • carrying on securities brokerage;
• carrying on securities investment consultancy;
In August 2019, the People's Bank of China (PBOC) issued the Fintech • financial advising relating to securities trading or investment;
Development Plan (2019–2021) (the Fintech Plan), which calls for • securities underwriting and sponsorship;
strengthening the strategic deployment of fintech and the rational • carrying on proprietary account transactions;
use of financial technology. The Fintech Plan outlines the principles, • carrying on securities asset management;
objectives, tasks and supporting measures of fintech development in • taking in deposits from the general public;
the three years from 2019 to 2021. It sets out 27 major tasks covering • handling domestic and foreign settlements;
six areas, including measures to remove the data barrier for different • handling, accepting and discounting of negotiable instruments;
financial businesses, to accelerate the integration of AI technology and • issuing financial bonds;
financial operations. • acting as an agent for the issue, honouring and underwriting of
Following the Fintech Plan, the PBOC and other five government government bonds;
ministries and commissions approved 10 fintech application pilot prov- • buying and selling government bonds and financial bonds;
inces and cities for the term of one year, which are Beijing, Shanghai, • offering and providing discretionary investment manage-
Jiangsu, Zhejiang, Fujian, Shandong, Guangdong, Chongqing, Sichuan ment services;
and Shanxi. A sandbox scheme was first introduced in Beijing in • buying and selling foreign exchange, and acting as an agent for the
December 2019 and expanded to five more cities and districts in late purchase and sale of foreign exchange;
April 2020, namely Shanghai, Chongqing, Shenzhen, Xiongan New Area • carrying on fund management services;
of Hebei, Hangzhou and Suzhou. • carrying on fund custodian services;
The pilot areas mentioned above have issued their own incen- • carrying on derivative products transactions;
tive plans. For example, in January 2020, the government of Shanghai • lending micro loans online or offline; and
issued the Implementation Plan for Accelerating the Construction of • providing consumer finance services.
Shanghai Fintech Centre, which calls for actively exploring financial
technology regulatory innovation and carrying out trials for fintech
innovations. In addition, the Shanghai government supports fintech
companies that meet certain qualifications to apply for relevant tax
www.lexology.com/gtdt 39
© Law Business Research 2020
China Simmons & Simmons LLP
Consumer lending are funds managed by fund managers, placed in the custody of fund
5 Is consumer lending regulated in your jurisdiction? custodians and used in the interest of the holders of the fund units
for investment in securities. Accordingly, peer-to-peer or marketplace
Consumer lending is a regulated activity and is governed by the General lenders or crowdfunding platforms do not fit the definition of collec-
Rules of Loans, the Administrative Measures for Pilot Consumer tive investment schemes and do not fall into the regulatory scope
Finance Companies (the Consumer Finance Measures) and the of the them.
Commercial Bank Law.
The General Rules of Loans require that lenders are approved by Alternative investment funds
the PBOC to engage in lending business, hold a financial legal person 8 Are managers of alternative investment funds regulated?
licence or a financial institution business licence issued by the PBOC,
and are approved and registered by the Administration for Industry Managers of alternative investment funds that raise capital from a
and Commerce. number of investors and invest it in accordance with a defined invest-
The Consumer Finance Measures regulates the operating activities ment policy for the benefit of those investors are regulated. These
of consumer finance companies that refer to non-bank financial institu- activities are broadly defined as asset management services, and
tions and do not receive public deposits but provide loans to resident may be conducted by securities companies, trust companies and fund
individuals within China for consumption purposes (excluding house management companies and their subsidiaries. Managers are subject
and vehicle purchases) under the principle of small sum and disper- to different regulatory regimes depending on the specific form of these
sion. The consumer finance companies must be approved by the CBIRC. alternative investment funds.
Trading loans between financial institutions in the secondary market The Interim Measures for the Administration of Business Activities on
are subject to regulatory supervision by the CBIRC and the following Online Lending Information Intermediary Agencies (the Online Lending
restrictions: Rules), issued on 17 August 2016 by the CBIRC, specifically target
• the financial institutions must report certain information to the activities of peer-to-peer lending between individuals through an
the CBIRC; internet-based platform. The Online Lending Rules require that the peer-
• the transfer of loans is subject to the consent of the borrower and to-peer lending platforms register with the local branch of the CBIRC,
the guarantor (if any); apply for the applicable telecommunication service operation licence
• all outstanding principal and interest must be transferred and include serving as an internet lending information intermediary
as a whole; in its business scope, and shall only act as information intermediaries
• parties are prohibited from making any direct or indirect repur- between parties. Peer-to-peer lending platforms must not conduct
chase arrangements; and credit enhancement services, cash concentration or fundraising activi-
• if the lender is from a consortium, other members of the consor- ties for themselves, or provide security or guarantee arrangements for
tium shall have the right of first refusal for such a transfer. lenders. The Online Lending Rules also set out detailed requirements
for information disclosure, protection of lenders and borrowers and risk
Trading loans between non-financial institutions are generally not control measures.
subject to mandatory regulatory restrictions. In the years 2017 to 2019, the Chinese government and relevant
regulatory authorities issued various regulations and guidelines
Collective investment schemes governing the peer-to-peer online lending industry. The main purpose
7 Describe the regulatory regime for collective investment was to regulate peer-to-peer industry behaviour and enhance supervi-
schemes and whether fintech companies providing sion of the industry.
alternative finance products or services would fall within its
scope. Crowdfunding
10 Describe any specific regulation of crowdfunding in your
The establishment and operation of securities investment funds within jurisdiction.
China via public and non-public raising of funds is regulated by the
Securities Investment Fund Law. The primary regulatory body for The Guideline Opinion on Promoting the Healthy Development of
funds in China is the CSRC. Generally, the regulation on public raising Internet Finance has defined equity-based crowdfunding as public equity
funds (retail funds) is more detailed and restrictive than for private financing in small amounts through an internet-based platform. The
funds. Retail funds and retail fund managers must be registered with Opinion provides that equity crowdfunding must be conducted through
the CSRC. Fundraising, fund custodian and investment activities are an agency platform such as a website or other digital medium, and
strictly regulated by the CSRC. Agencies that engage in sales, sales that the CSRC will be the regulatory authority for equity crowdfunding
payment, unit registration, valuation services, investment consulting, business. In 2016, the CSRC issued an action plan for risk control of
rating, information technology system services and other fund services equity-based crowdfunding, prohibiting the establishment of private
related to publicly raised funds are subject to registration or record equity funds or public offering of securities through crowdfunding.
filing in accordance with the requirements of the CSRC. Private funds In 2014, the Securities Association of China was entrusted by the
and private fund managers must register with the Asset Management CSRC to draft a Management Measures for Private Equity Crowdfunding
Association of China, an industry self-disciplinary body under the super- (Trial). The Measures were released for public comment in December
vision of the CSRC. 2014. However, the final version of the Measures has not yet been offi-
Pursuant to article 2 of Securities Investment Fund Law, the defi- cially released.
nition of collective investment schemes (securities investment funds)
40 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP China
www.lexology.com/gtdt 41
© Law Business Research 2020
China Simmons & Simmons LLP
42 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP China
If the assignment is not perfected, it may still constitute an equitable On 10 January 2019, the Cyberspace Administration of China (CAC)
assignment (in contrast to a legal assignment), which is still recognised issued the Administrative Provisions on Blockchain Information
by Chinese courts. However, the disadvantage of an undisclosed assign- Services (the Blockchain Provisions), which came into effect on 15
ment is that, in the event of taking any legal action against the borrower February 2019. The Blockchain Provisions apply to blockchain infor-
for payment, the assignee would have to join the assignor in any such mation services in China, which are defined as information services
legal action against the borrower (in contrast to being able to sue in its delivered to the public by way of the internet or application programs
own name in the case of legal assignment) and the assignee may be based on blockchain technology or systems. The Blockchain Provisions
vulnerable to, among other things, certain competing claims and other do not require blockchain service providers to obtain special operating
set-off rights that may otherwise have been halted by the serving of permits from regulators. However, if the blockchain services fall within
notice on the borrower. the application scope of other Chinese rules, such as telecom business-
It is not possible to transfer loans to the purchaser without related regulations, the blockchain service will still be subject to the
informing the borrower. Unless the borrower is notified, the assign- operating permits under those rules. Although there is no operating
ment shall not be binding on the borrower. This notice by the assignor permits requirement on providing blockchain services, the Blockchain
to assign its rights must not be revoked, unless such revocation is Provisions require blockchain service providers to file a record with the
consented to by the assignee. CAC within 10 working days from the commencement of the blockchain
services. In addition, the Blockchain Provisions set out certain security
requirements for blockchain service providers. For example, blockchain
www.lexology.com/gtdt 43
© Law Business Research 2020
China Simmons & Simmons LLP
service providers should certify the real identity of blockchain service mainland China) had to stop. For completed ICOs (launched within main-
users by checking relevant information and keeping the login records of land China), exit arrangements were made for the investors that would
the users for at least six months. reasonably protect the investors’ interest. All financial institutions and
In October 2019, the Central Committee of the Communist Party of third-party payment institutions must not provide services in connec-
China organised a special study on blockchain technology chaired by tion with ICOs or virtual currency.
Chinese President Xi Jinping, who promoted the use of the technology
and its industrial innovation and development. This top-level endorse- DATA PROTECTION AND CYBERSECURITY
ment was viewed as an encouragement to those in the sector, which
has been dampened since the ban on initial coin offerings (ICOs) in 2017 Data protection
(however, there has been no relaxation of this ban). 32 What rules and regulations govern the processing and
In the Fintech Development Plan (2019–2021) issued by the PBOC, transfer (domestic and cross-border) of data relating to
the regulator proposed to improve China’s internet identity authentica- fintech products and services?
tion system by steadily advancing the testing, R&D and application of
distributed ledger technology. The key regulation governing the processing and transfer of data is the
Chinese Cybersecurity Law (the Cybersecurity Law) promulgated by
Crypto-assets the Standing Committee that was effective in 2017. It sets out the main
29 Are there rules or regulations governing the use of crypto- requirements and principles related to cybersecurity and data privacy.
assets, including digital currencies, digital wallets and The Cybersecurity Law is not specifically aimed at fintech companies.
e-money? Instead, it applies generally to a ‘network operator’, which is broadly
defined as ‘the owner or manager of a network, or a network service
The PBOC, together with six ministries, issued the Notice on Preventing provider’.
Financial Risks relating to Initial Coin Offerings on 7 September 2017, Under the Cybersecurity Law, the general principles of use and
which remains the primary regulation on ICOs. The Notice states that processing of personal data in China include that:
all financial institutions and non-banking payment institutions in China • the collection, use and processing of personal data shall be legiti-
must not directly or indirectly provide products or services for ICO mate, reasonable and necessary;
financing and cryptocurrency activities, including account opening, • data subjects shall be informed of the purpose, scope, method and
registration, trading, clearing and settlement services, and must not rules of data collection and processing, rights to access and correct
provide insurance services for ICOs and cryptocurrency activities or personal data, and the implications for refusal of data collection or
include any of them in insurance coverage. processing;
In light of above, virtual currency is generally not recognised and • the consent of data subjects shall be obtained prior to any collec-
virtual currency issuance and trading is generally prohibited in China. tion, use, processing or transfer of his or her personal data;
The PBOC recently announced that it has made some break- • the data collected shall be kept strictly confidential and shall not
throughs on its Digital Currency Electronic Payment (DCEP) project. The be leaked, tampered with, sold or otherwise illegally provided to
DCEP is the digital version of the renminbi and has the same legal status third parties;
and functionality as paper currency. The value of DCEP is also backed • the data processor shall take reasonable technical and other
by state credit. The DCEP will be distributed to the market through measures to ensure the safety of collected data and shall promptly
the PBOC and other commercial banks and banking institutions. It is notify and make remedies in case of data breach incidents; and
reported that the DCEP will first be pilot tested in Suzhou, Shenzhen, • telecoms service providers shall establish a compliant mechanism
Xiongan New Area and Chengdu in May 2020. However, the DCEP is fiat for data collection and processing, and shall provide data subjects
money, and its development does not in any way suggest a change in the access to their collected data and the right to correct such data.
regulator’s attitude towards cryptocurrencies.
In addition, the Cybersecurity Law requires that personal information
Digital currency exchanges and important data collected or gathered by the Critical Information
30 Are there rules or regulations governing the operation of Infrastructure (CII) operators during their operations is stored within the
digital currency exchanges or brokerages? territory of China. Where it is necessary to provide this information and
data to overseas entities owing to business demands, a security assess-
Virtual currency trading is generally prohibited in China, and digital ment must be conducted. The draft Measures for Security Assessment
currency exchanges and brokerages are also banned. of Data Exportation and the draft Measures for Security Assessment of
Cross-Border Transfer of Personal Information were published, which
Initial coin offerings further extend the security assessment requirements on cross-border
31 Are there rules or regulations governing initial coin offerings transfer from CII to all network operators. However, these two meas-
(ICOs) or token generation events? ures have not been finalised and adopted.
In addition to the Cybersecurity Law, certain industrial-specific
The PBOC, together with six ministries, issued the Notice on Preventing laws (including regulations in the financial sector) prohibit or restrict
Financial Risks relating to Initial Coin Offerings on 7 September 2017 the cross-border transfer of certain types of sensitive data. For example,
confirming that initial coin offerings (ICOs) are considered a type of financial institutions must not provide the personal financial information
unauthorised public financing activity, and, therefore, these activities of citizens in China to any entity overseas, subject to exceptions made by
must (within mainland China) stop immediately. The Notice reaffirmed the law. A credit rating entity must not collect sensitive personal infor-
the official position that virtual currency is not legitimate in mainland mation relating to, for example, religion, gene information, fingerprints,
China and must not be traded. The Notice states that ICOs are deemed blood type, diseases and other medical history, or other information
a significant risk to the financial stability of society and may allow prohibited by law.
various crimes (such as illegal offering of securities, illegal fund raising The Cybersecurity Law allows network operators to provide
and financial fraud). Effective immediately, all ICOs (launched within personal data to a third party without consent under exceptional
44 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP China
circumstances where the personal data has been anonymised so that it • avoidance of a high concentration level of suppliers;
cannot be used or recovered to identify a specific individual. • stricter due diligence on suppliers by the banking institutions and
Besides the mandatory laws and regulations, two new specifica- third parties when necessary, on their technology and industrial
tions that came into effect in 2020 are notable to fintech companies. experiences, internal control and management capability and conti-
One is the Personal Information Security Specification issued by the nuity of operation;
Standardisation Administration of China, which sets out a much higher • a specific chapter on cross-border and off-site IT outsourcing,
standard for personal data protection than the mandatory laws and which may involve international compliance; and
introduces many concepts and rules for data protection derived from • any outsourcing involving client information must be authorised by
EU data protection laws. The other is the Personal Financial Information the clients and comply with regulations and policies.
Protection Technology Specification issued by the People's Bank of China,
which classifies personal financial data into three categories according The banking institutions are required to report their important
to the level of sensitivity and requires personal financial data be trans- outsourcing activities to CBIRC or its local branches beforehand.
ferred via safe channels or in the form of encrypted data. The Personal Important outsourcing activities include, among others:
Financial Information Protection Technology Specification requires that, • outsourcing of the entire IT service;
under certain circumstances, (such as sharing and transfer, disclosure • outsourcing of the entire data centre or disaster recovery centre;
and aggregation of personal financial information) a security impact • outsourcing of the analysis or processing of client information or
assessment be conducted. transaction data;
Although the above two specifications are not binding, they are • off-site outsourcing of operation systems with client data storage;
recommended as best practice for personal data protection in China. • affiliated outsourcing; and
• cross-border IT outsourcing.
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech In addition, banking institutions must report to the CBIRC or its local
businesses? branches within two working days in cases of leaks of sensitive data,
data damage or suspension of important operations, possible suspen-
There are no cybersecurity regulations specific to fintech business. sion of outsourcing services caused by force majeure or the operational
The general cyber security obligations of network operators under the or financial problems of the suppliers, violation of laws and regulations
Cybersecurity Law include requirements to: by the suppliers, and other significant events.
• establish internal cybersecurity policies and procedures; The Asset Management Association of China (AMAC) issued the
• implement proper technical measures to prevent hacking and Interim Administrative Measures for Private Funds Services Business
viruses as well as to monitor network operations; on 1 March 2017. The Measures require that service providers providing
• retain network operation records and logs for at least six months; fundraising, investment consulting, fund unit registration, valuation
• formulate and implement contingency plans; and audit and information technology system services to private fund
• address cyber risks known to the operators; and managers register with the AMAC. The service providers must not sub-
• report any cybersecurity incident to the government and the contract any such outsourcing business to third parties.
customers affected by the incident.
Cloud computing
OUTSOURCING AND CLOUD COMPUTING 35 Are there legal requirements or regulatory guidance with
respect to the use of cloud computing in the financial services
Outsourcing industry?
34 Are there legal requirements or regulatory guidance with
respect to the outsourcing by a financial services company of Cloud computing is deemed a type of value-added telecommunication
a material aspect of its business? service and requires a telecoms service licence. There are no specific
legal rules relating to the use of cloud computing in the financial sector,
The China Banking and Insurance Regulatory Commission (CBIRC) but the State Council has issued several related policy documents, such
issued the Guidelines of Risk Management for Outsourcing by Banking as the Guiding Opinions on Actively Promoting the ‘Internet Plus’ Action
Financial Institutions on 4 June 2010. The Guidelines define outsourcing Plan (2015), the Opinions on Promoting the Innovation and Development
activities as entrusting service providers to continually process certain of Cloud Computing and Fostering New Business models of Information
business for and on behalf of the banking institutions themselves. The Industry (2015) and the Development Plan of Promoting Inclusive
board of directors and senior management of the banking institutions Finance (2015), where the use of cloud computing in the financial sector
shall be ultimately responsible for the outsourcing activities. The banking and the use of online financial cloud service platforms is encouraged.
institutions must conduct a risk assessment prior to engaging any
outsourcing service providers. The banking institutions must enter into INTELLECTUAL PROPERTY RIGHTS
written agreements with service providers and establish a client infor-
mation confidentiality mechanism. Additionally, the service providers IP protection for software
must not sub-contract any outsourcing business to third parties. 36 Which intellectual property rights are available to protect
In 2013, the CBIRC issued the Guidelines on the Risk Supervision software, and how do you obtain those rights?
of Information Technology Outsourcing of Banking Financial Institutions,
which provide more detailed requirements on outsourcing in terms of Computer software is protected by copyright as an independent cate-
risk evaluation, due diligence, contracting, security management, super- gory of works. The subject of copyright is the code script of the software
vision and assessment, and services suspension and termination. Key and not the operating process or results of the software.
issues covered in the Guidelines and requirements include: Software copyright arises automatically upon completion of the
• major risks in the IT outsourcing of banking institutions; code script. Although registration is not a mandatory requirement for
• thorough assessment of outsourcing risks at least once a year; granting copyright, there is a specific procedure of software copyright
www.lexology.com/gtdt 45
© Law Business Research 2020
China Simmons & Simmons LLP
registration under Chinese law. Copyright issuers may apply to the Trade secrets
China Copyright Protection Centre for the registration of software copy- 39 How are trade secrets protected? Are trade secrets kept
right, licence agreement and assignment agreement of the software confidential during court proceedings?
copyright.
If the software code has been kept confidential it may also be Trade secrets are protected against unauthorised disclosure, misuse
protected as confidential information. No registration is required. and appropriation under competition laws in China. It is also provided
Although it is not common, software can also be protected by in employment contract law that employees are responsible for keeping
patents as long as the software demonstrates novelty, creativity and the trade secrets of their employer confidential. Trade secrets are
applicability as required by patent laws. Patents must be applied for, defined as any technology information or business operation informa-
granted and registered before the competent patent office. tion that: is unknown to the public; can bring about economic benefits
to the owner; has practical utility; and the owner has adopted security
IP developed by employees and contractors measures on. Serious infringement of trade secrets can be deemed a
37 Who owns new intellectual property developed by an criminal offence in China.
employee during the course of employment? Do the same Trade secrets are kept confidential during court proceedings. Cases
rules apply to new intellectual property developed by involving trade secrets can be heard in private if a party so requests.
contractors or consultants?
Branding
The copyright of works created mainly by using the materials and 40 What intellectual property rights are available to protect
technical resources of the employer (and that were the employer’s branding and how do you obtain those rights? How can
responsibility) shall belong to the employer. Otherwise, any works fintech businesses ensure they do not infringe existing
created during the course of employment shall belong to the employee brands?
who develops it. However, the employer has the priority right to exploit
the work within the scope of its normal business operation. Furthermore, Brands can be protected as registered trademarks in China. Other
the author may not authorise a third party to use the work in the same branding factors, such as trade names, commercial appearance,
manner in which his or her employer uses it, without the employer’s product packaging and decoration, can be protected from plagiarism
consent, within two years of the work’s completion. under competition laws in China.
The patent right of an invention accomplished in the course of Certain branding, such as logos and stylised marks, can also be
performing normal employee duties or mainly by using the material and protected by design rights and may also be protected by copyright as
technical resources of the employer shall be owned by the employer. artistic works.
However, in practice, most employers, especially technology All registered trademarks are publicly announced upon registra-
companies, will specify in the employment contract that all intellectual tion and recorded in the trademark database of the State Intellectual
property rights of works and inventions developed during the course Property Office of China, and can be publicly searched. It is highly advis-
of employment or for the purpose of fulfilling a work assignment are able for fintech businesses to conduct trademark searches to check
owned by the employer. whether earlier registrations exist that are identical or similar to their
The rules do not apply to new intellectual property developed by proposed brand names. It may also be advisable to conduct internet
contractors or consultants unless otherwise agreed, the intellectual searches for any unregistered trademark rights that are also recognised
property rights of inventions or works developed by contractors or and protected in China, which may prevent use of the proposed mark.
consultants shall be owned by the contractors or consultants.
In practice, it is often provided in the commissioning contract that Remedies for infringement of IP
the commissioner owns the intellectual property rights of the work, or 41 What remedies are available to individuals or companies
that the author owns the rights but shall grant the commissioner an whose intellectual property rights have been infringed?
exclusive and royalty-free licence to use the commissioned work for the
purposes contemplated at the time of the commissioning. Remedies include preliminary and final injunctions, damages or an
account of profits, destruction of infringing products, and costs.
Joint ownership
38 Are there any restrictions on a joint owner of intellectual COMPETITION
property’s right to use, license, charge or assign its right in
intellectual property? Sector-specific issues
42 Are there any specific competition issues that exist with
The joint owners of intellectual property rights must negotiate and respect to fintech companies in your jurisdiction?
reach agreement on the use, licensing and assignment of these intel-
lectual property rights. If no such agreement exists, any joint owner has There is a competition regime in China that applies to all entities
the right to use or grant a non-exclusive licence to third parties, and the carrying out business in China. However, there are no particular aspects
licence fees collected shall be distributed among all joint owners. The of this regime that would affect fintech businesses disproportionately to
granting of a sole or exclusive licence, and the charge, assignment or other businesses.
other disposal of the intellectual property rights shall be subject to the
consent of all joint owners.
The joint owners of a trademark are not subject to the above restric-
tions. This is because, usually, the joint owners register the trademark
under different classes and will not create confusion for customers.
Each joint owner is entitled to use, license, charge or assign its right in
the trademark without the consent of the other joint owners.
46 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP China
TAX
Incentives
43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
fintech sector in your jurisdiction?
One area of particular note in the People's Bank of China's (PBOC) Fintech In addition, the State Council announced in February that social secu-
Development Plan (2019–2021) is the proposal for a new standard for rity contributions will be exempted for medium-sized, small and micro
domestic payments, an area in which Chinese fintech players are heavily companies and large companies in Hubei province for five months, and
focused. The PBOC aims to propel the interoperability of different reduced by half for large businesses in other areas for three months.
payment barcode systems by setting out a single set of coding rules At the provincial level, most local governments also introduced
for barcode payments. This unified barcode system is hoped to enable similar financial support policies for fighting against covid-19. To
every scanning terminal in China to recognise any domestic payment boost consumption, some local governments are working closely
barcode (regardless of the payment service provider) and will greatly with e-payment service providers to provide citizens with consump-
enhance payment efficiency. tion coupons.
www.lexology.com/gtdt 47
© Law Business Research 2020
Denmark
Rasmus Mandøe Jensen and Christian Scott Uhlig
Plesner Advokatpartnerselskab
In recent years, the fintech sector has experienced significant growth in The main financial regulator is the Financial Supervisory Authority,
Denmark. This has been facilitated by: which also oversees compliance with anti-money laundering
• a highly educated and digitally literate population; regulation.
• a high degree of digitisation of public sector systems; Compliance with certain business conduct rules and other
• the support of specific government policies aimed at promoting consumer and competition-oriented rules is overseen by the
fintech innovation; and Competition and Consumer Authority.
• the development of Copenhagen as an international fintech hub. The Data Protection Agency oversees compliance with data
protection rules.
Under the auspices of Copenhagen Fintech (https://copenhagenfintech. The Central Bank has limited oversight over systemically impor-
dk/), a dedicated fintech lab opened in Copenhagen in 2016 (https:// tant payment and securities clearing and settlement infrastructures
copenhagenfintech.dk/startups/copenhagen-fintech-lab/) and has and similar systems.
become a central hub for fintech activity in Denmark.
In recent few years, a number of partnerships between fintech Regulated activities
start-ups and banks have been announced, which reflects the current 4 Which activities trigger a licensing requirement in your
trend of fintech companies seeking to partner and cooperate with jurisdiction?
existing financial sector bodies rather than attempting to be in competi-
tion with and opposition to them. Banking
While there has been significant activity in traditional fintech core Deposit-taking activities generally require a banking licence under
areas such as payments and investment services, ancillary areas such the Financial Business Act (https://www.retsinformation.dk/eli/
as regtech and insurtech remain less developed, but are expected to lta/2019/937) to legally operate in Denmark. There are no de minimis
grow in the future. or similar exemption available.
Lending does not require a licence in Denmark, although a regis-
Government and regulatory support tration under the Act on Measures to Prevent Money Laundering
2 Do government bodies or regulators provide any support and Financing of Terrorism may be required (as described below).
specific to financial innovation? If so, what are the key However, under the Financial Supervisory Authority's current guid-
benefits of such support? ance, EU banking institutions may have to passport their licence into
Denmark if they wish to perform lending activities there.
The government has specific policies aimed at promoting fintech busi- A new Act on Consumer Loan Undertakings entered into force on
ness and investments and to support Copenhagen as an international 1 July 2019, creating an exception to the licence-free lending require-
fintech hub. Recently, this has resulted in increased funding for the ment in Denmark.
Financial Supervisory Authority, enabling it to dedicate resources to a
specialised fintech office and create a regulatory sandbox. The Financial Payment services or e-money issuance
Supervisory Authority opened applications for its regulatory sandbox The performance of payment services, as defined in the Annex to
in 2018 and opened for applications for its second cohort during 2019. the Payments Act implementing Annex I to the revised EU Payment
In terms of purpose and eligibility criteria, the sandbox is similar to the Services Directive (2015/2366/EU) (PSD2), requires a licence under the
existing one operated by the UK Financial Conduct Authority. Payments Act (https://www.retsinformation.dk/eli/lta/2019/1024).
The Payments Act generally reflects the catalogue of exemptions
to the licence requirement in article 3 of the PSD2 and article 1 of the
Second EU Electronic Money Directive (2009/110/EU) (EMD2), except
that technical services covered by the exemption in article 3(j) of the
PSD2 are subject to certain fee regulations in the Payments Act.
Specifically, regarding the limited network exemption (article 3(k)
of the PSD2 and article 1(4) of the EMD2), although limited network
48 Fintech 2021
© Law Business Research 2020
Plesner Advokatpartnerselskab Denmark
products are exempted from the licence requirement, they must still The licensing exemptions set out in article 2 of the EU Markets in
comply with the disclosure, business conduct and fee rules of the Financial Instruments II Directive have generally been implemented
Payments Act, as well as the regulation on issuance and redemption without material changes.
of e-money (corresponding mainly to Titles III and IV of the PSD2 and
article 11 of the EMD2). However, the disclosure, business conduct and Investment advice
fee rules do not apply to e-money issued within a limited network if: Undertakings that provide investment advice must be licensed as an
• the instrument cannot load a value of more than 3,000 investment adviser if they do not hold another licence that permits them
Danish kroner; to provide investment advice. Investment advisers may also receive and
• the instrument cannot be reloaded; and transmit orders.
• the issuer's aggregate outstanding e-money liabilities do not
exceed an amount equivalent to €5 million, in which case only the Financial advice
rules on redemption of e-money apply. Undertakings that provide advice on financial products to consumers
must be licensed as financial advisers. For this purpose, ‘financial prod-
Denmark has not elected to use the options in article 32 of the PSD2 ucts’ are credit agreements, excluding residential credit agreements,
and article 9 of the EMD2 to exempt low-volume and low-value payment deposits, insurances, pension and investment products. ‘Investment
services or e-money from the licensing requirement; however, the products’ are transferable securities, units or shares in collective
Payments Act provides for a less burdensome licensing process for investment schemes, deposits in banks where the return depends on
such providers and issuers, which are also exempt from the own funds the performance of one or more underlying assets, guarantee certifi-
requirements. cates, cooperative certificates and mortgage deeds.
www.lexology.com/gtdt 49
© Law Business Research 2020
Denmark Plesner Advokatpartnerselskab
50 Fintech 2021
© Law Business Research 2020
Plesner Advokatpartnerselskab Denmark
No, except the rules implementing articles 65 to 68 of the PSD2. The The laws and regulations that govern and restrict the sale and marketing
Payments Act contains rules that severely restrict the processing and of financial services and products in Denmark include:
use of payment data. • the Act on Alternative Investment Fund Managers (implementing the
EU Alternative Investment Fund Managers Directive (2011/61/EU));
Robo-advice • the Markets in Financial Instruments Directive (2014/65/EU);
14 Describe any specific regulation of robo-advisers or other • the Consumer Contracts Act (implementing parts of the EU
companies that provide retail customers with automated Directive on Consumer Rights (2011/83/EU) and the EU Directive
access to investment products in your jurisdiction. on Distance Marketing of Consumer Financial Services (2002/65/
EU)), which contains rules on pre-contractual information require-
Robo-advice is not subject to specific regulation in Denmark. In July ments, right of withdrawal, termination and binding periods;
2019, the Financial Supervisory Authority published a regulatory note • the Marketing Practices Act (implementing the EU Directive on
regarding best practice when using supervised machine learning. Unfair Commercial Practices (2005/29/EU)), which – in addition
to the rules implementing the EU Unfair Commercial Practices
Insurance products Directive – contains rules on, among other things:
15 Do fintech companies that sell or market insurance products • unsolicited marketing;
in your jurisdiction need to be regulated? • comparative advertisements;
• the marketing of consumer credit;
Insurance activities generally trigger a licensing requirement. The • Consumer Ombudsman activities; and
Financial Business Act provides certain specific exemptions to the • how businesses must comply with good marketing practices;
licensing requirement, none of which are considered relevant for fintech • the Payments Act (implementing the Payment Services Directive
businesses. (2015/2366/EU)), which contains rules implementing the disclo-
If the activity is not of a scale for the provider to be considered an sure, business conduct and fee rules set out in Titles III and IV of the
insurer but involves insurance distribution, the activity will require a directive and corresponding provisions of the Second EU Electronic
licence if it constitutes insurance or reinsurance mediation. There are no Money Directive (2009/110/EU));
exemptions to this requirement. On the other hand, intermediaries that • the Credit Contracts Act (implementing parts of the EU Consumer
perform only ancillary insurance intermediation must be registered. Credit Directive (2008/48/EU)), which applies to credit arrange-
ments with consumers and that contains, among other things:
Credit references • mandatory disclosure requirements;
16 Are there any restrictions on providing credit references or • rules on changes to interest rates;
credit information services in your jurisdiction? • walk-away rights; and
• rules on term and termination;
Credit information services and credit information bureaus must gener- • the Act on Consumer Loan Undertakings, which applies to certain
ally adhere to the rules set out in the EU General Data Protection forms of loan and credit to consumers provided by lenders that are
Regulation and the Danish Data Protection Act. Credit information not banks or other forms of licensed financial business;
bureaus must seek a licence from the Danish Data Protection Agency • the Executive Order on Good Business Practices for Financial
prior to the commencement of any data processing. Businesses (implementing parts of the EU Directive on Consumer
Rights), which contains rules on duty of care to customers,
disclosure requirements, advising customers and restrictions
on amending or terminating customer contracts and applies to,
among others:
www.lexology.com/gtdt 51
© Law Business Research 2020
Denmark Plesner Advokatpartnerselskab
• banks; platforms are not subject to bespoke regulation, there is no specific risk
• mortgage banks; and that the agreements in question would not be enforceable.
• investment firms; and However, new legislation has been adopted by the Danish parlia-
• the Executive Order on Good Business Conduct for Insurance ment on 4 June 2020, which entered into effect on 1 July 2020, and
Distributors (implementing parts of the EU Insurance Distribution amended the Act on Consumer Loan Undertakings. The amendments
Directive (2016/97/EU)), if the activity involves insurance distribution. include a 35 per cent cap on the annual percentage rate (APR) on
consumer loans, including on peer-to-peer loans to consumers. To the
As of 1 July 2020, the Marketing Practices Act also (subject to limited extent that a consumer loan agreement has APR higher than the 35 per
exceptions, including marketing on the credit provider’s own website) cent cap and the lender does not hold a licence as a consumer loan
prohibits the on-marketing of consumer loans with an annual percentage provider or is licensed as a financial institution, the lender will only be
rate of more than 25 per cent and all marketing of consumer loans in entitled to demand repayment of the principal (ie, repayment without
connection with gambling or betting, or both. any interest). To the extent that the lender holds a license as a consumer
loan provider or is licensed as a financial institution, the lender would in
CHANGE OF CONTROL this case only be entitled to demand repayment of the principal together
with costs (the interest and fees, etc) up to an APR of 35 per cent.
Notification and consent
20 Describe any rules relating to notification or consent Assignment of loans
requirements if a regulated business changes control. 24 What steps are required to perfect an assignment of
loans originated on a peer-to-peer or marketplace lending
In general, if a regulated business changes control, this triggers a notifi- platform? What are the implications for the purchaser if the
cation or a consent requirement from the Financial Supervisory Authority. assignment is not perfected? Is it possible to assign these
This includes businesses and undertakings subject to the regulations set loans without informing the borrower?
out in the Financial Business Act. Further, to the extent that a company
must register with the Financial Supervisory Authority pursuant to the In the relationship between an assignor and assignee, the transfer of the
Anti-money Laundering Act, there would be a de facto consent require- assignment will be effective once an assignment agreement has been
ment from the Financial Supervisory Authority in the event of a change entered into. However, for the sale to be effective against any creditors
of control, as the Financial Supervisory Authority can revoke a registra- of the assignor and the bankruptcy estate of the assignor, the assignee
tion if it considers that the company or the management of the company (or the assignor, or both) must notify the relevant borrower of the sale
no longer meets the requirements under the Anti-money Laundering Act. and inform it to redirect payments under the loan to the assignee.
If an assignment has not been duly perfected, it may be voided
FINANCIAL CRIME subject to a hardening period, pursuant to which it may become void-
able and unenforceable. In the case of unaffiliated parties, the normal
Anti-bribery and anti-money laundering procedures hardening period under Danish law is three months.
21 Are fintech companies required by law or regulation to have Therefore, it is impossible to complete the perfection requirements
procedures to combat bribery or money laundering? without informing the borrower. However, in the relationship between
the assignor and assignee, the borrower need not be notified to validate
Fintech businesses that require a licence under the Financial Business the assignment.
Act, the Payments Act, the Alternative Fund Managers Act or the Act
on Financial Advisers, Investment Advisers and Residential Credit Securitisation risk retention requirements
Intermediaries or require a licence to carry out insurance activities, 25 Are securitisation transactions subject to risk retention
investment services or the provision of investment or financial advice are requirements?
subject to the rules set out in the Act on Measures to Prevent Money
Laundering and the Financing of Terrorism. This also applies to fintech There are no specific Danish law risk retention requirements; however,
businesses carrying out activities as a foreign exchange (and not other- the rules on risk retention requirements set out in the Capital
wise subject to regulatory requirements under the Financial Business Act). Requirements Regulation may apply.
PEER-TO-PEER AND MARKETPLACE LENDING Such special purpose vehicles are subject to both the EU General Data
Protection Regulation and the Danish Data Protection Act.
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or
security agreements? Is there a risk that loan agreements
or security agreements entered into on a peer-to-peer or
marketplace lending platform will not be enforceable?
52 Fintech 2021
© Law Business Research 2020
Plesner Advokatpartnerselskab Denmark
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER Danish rules, including special rules on the processing of national iden-
TECHNOLOGY AND CRYPTO-ASSETS tification numbers (ie, CPR number).
Fintech products and services that involve the processing of
Artificial intelligence personal data on behalf of another company (ie, the customer or data
27 Are there rules or regulations governing the use of artificial controller) require that a written data processing agreement is entered
intelligence, including in relation to robo-advice? into. Further, if data is transferred outside the European Union, a legal
basis for the transfer must be in place.
AI is not subject to bespoke regulation in Denmark. In July 2019, the
Financial Supervisory Authority published a regulatory note regarding Cybersecurity
best practice when using supervised machine learning. 33 What cybersecurity regulations or standards apply to fintech
businesses?
Distributed ledger technology
28 Are there rules or regulations governing the use of Financial businesses (eg, banks, investment firms and insurers),
distributed ledger technology or blockchains? payment institutions and e-money institutions must generally have
prudent IT and cybersecurity systems, procedures and policies.
Distributed ledger technology and blockchain are not subject to bespoke However, apart from these general regulatory requirements, there
regulation in Denmark. are no generally applicable statutory cybersecurity regulations or
standards.
Crypto-assets Further, particularly within payment services, there are a number
29 Are there rules or regulations governing the use of crypto- of important IT and cybersecurity standards, including:
assets, including digital currencies, digital wallets and • the Regulatory Technical Standards on Strong Customer
e-money? Authentication and Common and Secure Open Standards of
Communication (Commission Delegated Regulation (EU) 2018/389);
Crypto-assets and digital currencies are not subject to bespoke regula- • the Guidelines on the Security Measures for Operational and
tion. Digital wallets and e-money are subject to the EU rules pursuant Security Risks of Payment Services (promulgated under the
to the revised EU Payment Services Directive (2015/2366/EU). revised EU Payment Services Directive); and
Furthermore, as of 10 January 2020, custodian wallet providers and • the payment card industry (PCI) IT industry security standards,
providers of exchange services between virtual and fiat currencies are particularly the PCI Data Security Standard and the PCI Payment
subject to regulation under the Act. Application Data Security Standard. Although these are widely
accepted industry standards, they do not constitute public law
Digital currency exchanges regulations and as such are not directly enforced by the Financial
30 Are there rules or regulations governing the operation of Supervisory Authority.
digital currency exchanges or brokerages?
OUTSOURCING AND CLOUD COMPUTING
There are no specific rules regulating the operation of digital currency
exchanges or brokerages; however, custodian wallet providers and Outsourcing
providers of exchange services between virtual and fiat currencies 34 Are there legal requirements or regulatory guidance with
fall under the Act on Measures to Prevent Money Laundering and the respect to the outsourcing by a financial services company of
Financing of Terrorism. a material aspect of its business?
Initial coin offerings The Executive Order on Outsourcing of Material Areas of Activity (the
31 Are there rules or regulations governing initial coin offerings Outsourcing Order) sets out the legal requirements relating to the
(ICOs) or token generation events? outsourcing by a financial services company of a material aspect of its
business. In addition to the Outsourcing Order, the Financial Supervisory
There are no specific rules regulating initial coin offerings (ICOs) or Authority has published regulatory guidance on its requirements.
token generation events. However, to the extent that coins or tokens A new draft Outsourcing Order has been put forward that will
offered in an ICO constitute financial instruments, the general capital significantly amend the existing Outsourcing Order.
market rules, including the EU Regulation 596/2014 on market abuse The purpose of the new legislative proposal is to, inter alia, align
and the Danish Capital Markets Act, apply. the Danish outsourcing rules with the outsourcing guidelines of the
European Banking Authority. As one of the key changes to the existing
DATA PROTECTION AND CYBERSECURITY Outsourcing Order, it is the intention that electronic money institutions
and payment institutions be subject to the rules set out therein. The new
Data protection Outsourcing Order contains some national gold plating provisions (eg,
32 What rules and regulations govern the processing and regarding outsourcing to cloud service providers) that goes beyond the
transfer (domestic and cross-border) of data relating to outsourcing guidelines of the European Banking Authority.
fintech products and services? The new Outsourcing Order will regulate all outsourcing and will
entail further requirements for ‘critical or important’ outsourcing, which
The EU General Data Protection Regulation (GDPR) and the Danish Data includes, inter alia, outsourcing of capital and liquidity-risk manage-
Protection Act (DDPA) apply to fintech products and services if personal ment, outsourcing of IT and security and outsourcing of key functions.
data is processed. The regulations apply to all data processing relating The new Outsourcing Order sets out specific requirement for the
to an identified or identifiable natural person (eg, name, account and outsourcing of ‘critical or important’ areas, including detailed require-
credit card information, other customer identification data and internet ments for the outsourcing agreement between the company and the
protocol address). The DDPA supplements the GDPR with national outsourcing provider; for example, requirements for the description of
www.lexology.com/gtdt 53
© Law Business Research 2020
Denmark Plesner Advokatpartnerselskab
the outsourced activity and whether the outsourcing provider may sub- Inventions (patents and utility models)
outsource the activity to a third party. If a person (eg, an employee or a consultant) has made a technical
Furthermore, the new Outsourcing Order will require businesses invention that can be patented or registered as a utility model, the
to keep a register of information on all of the relevant company's starting point is that the employee or the consultant is entitled to this
outsourcing and outsourcing providers. invention.
The new Outsourcing Order entered into force on 1 July 2020. Pursuant to the Danish Employees’ Inventions Act, if the invention
has been made as part of the employment, the employer is entitled to
Cloud computing claim that the right to the invention be transferred to them if the use
35 Are there legal requirements or regulatory guidance with of the invention falls within the scope of the activities of the company.
respect to the use of cloud computing in the financial services The same applies if the employee’s invention relates to a specific
industry? task assigned to him or her by the employer. Even if the invention was
made during off-duty hours, the employer could still be entitled to claim
In addition to the Outsourcing Order and the related Financial Supervisory the right to the invention. The Danish Employees' Inventions Act does
Authority regulatory guidance on the Outsourcing Order, Danish finan- not apply to consultants.
cial services companies use the European Banking Authority guidelines The Act on inventions at public research institutions regulates the
on outsourcing as guidance. right to inventions made by teachers and other scientific employees at
universities. The Act stipulates that the employee is entitled to an inven-
INTELLECTUAL PROPERTY RIGHTS tion that he or she has made him or herself; however, the Act also states
that the institution has a right to claim that this invention be transferred
IP protection for software to it, if the employee made the invention as part of his or her work.
36 Which intellectual property rights are available to protect
software, and how do you obtain those rights? Designs
The right to a design depends on whether it is a Danish design or a
Fintech innovations may be protected as inventions under patent law community design. The Danish Designs Act stipulates that the person
if they are patentable. This includes filing for a patent and meeting the who created the Danish design or the person to whom the designer's
requirements under Danish patent laws (eg, patentable subject matter, right has been transferred has the right to acquire the exclusive right
novelty and inventive step). Fintech innovations may also be protected as to the design.
utility models where the bar for protection is lower than that of a patent. The Danish Designs Act does not regulate the relationship between
Further, if the innovation is embodied in software coding, copyright employer and employee. It is, however, assumed that under the Danish
protection may be available to the author (in this case, the programmer) Designs Act the design rights belong to the employer, unless the design
if the software coding has a sufficient degree of originality. In addition, is also protected by copyright. In the latter case, the design right follows
fintech innovations may be protected as sui generis database rights if the copyright and is determined based on an analogy of the rules on
the conditions for protection set out in section 71 of the Copyright Act copyright for employees (see above).
(incorporating the EU directive on the Legal Protection of Databases According to article 14(3) of the Regulation on Community designs,
(96/9/EU)) are met. any rights to a community design shall vest in the employer unless
Although not intellectual property in the traditional sense, a fintech otherwise agreed or specified under national law. This only applies
innovation may be protected as a trade secret under the Trade Secrets to traditional employment relationships (employer–employee). For
Act (incorporating the EU directive on the Protection of Undisclosed commissioned designs, the question of whom the rights belong to must
Know-How and Business Information (Trade Secrets) (2016/943/EU)) if be decided specifically.
the innovation is kept secret.
Trademarks
IP developed by employees and contractors The trader, and not the person who created the sign, owns the rights
37 Who owns new intellectual property developed by an to the sign. If an employee owns the copyright or design rights to the
employee during the course of employment? Do the same sign, the employer can only use it if they have agreed on this or if it is
rules apply to new intellectual property developed by otherwise justified under the copyright and design rules. Accordingly, it
contractors or consultants? is important to determine whether the employee created the trademark
as a part of his or her work or whether the exploitation of the trademark
Copyright falls within the scope of the usual activities of the employer.
The Danish Copyright Act stipulates that the person who creates a work If a consultant owns the copyright to the sign, the trader will have
owns the copyright to that work. This applies regardless of whether the a right of use only unless otherwise agreed.
person is an employee or a contractor or consultant.
In relation to copyright created during the term of employment, the Joint ownership
general rule is that there is an automatic transfer of copyright from the 38 Are there any restrictions on a joint owner of intellectual
employee to the employer by virtue of the employment provided certain property’s right to use, license, charge or assign its right in
criteria are met. The employer shall only be entitled to the parts of the intellectual property?
employee's copyright that were necessary for the employer’s usual
activities at the time when the employee created the work. Further, it As the joint ownership of IP rights is commonly regulated on a contrac-
is a condition that the employment is of a permanent nature and that tual basis between the joint owners, restrictions on a joint owner follow
creating the work was part of the employee's tasks. from the contractual regulation thereof.
Further, the copyright to computer programs developed by an If an invention is made jointly, each person will own a propor-
employee within the scope of his or her employment or as a result of tionate share of the invention in the absence of a prior agreement. The
the employer's directions, automatically transfer in full to the employer. joint ownership entails some restrictions in each person's right to use,
license, charge or assign the invention, even without an agreement.
54 Fintech 2021
© Law Business Research 2020
Plesner Advokatpartnerselskab Denmark
In general, all joint owners of an invention must agree on substantial Remedies for infringement of IP
decisions regarding the jointly owned invention, including agreements 41 What remedies are available to individuals or companies
on licensing. Each owner may individually sell or assign its own share in whose intellectual property rights have been infringed?
the invention unless otherwise agreed.
With regard to copyright, co-authors to a copyrighted work, where A number of remedies are available to individuals or companies whose
each contribution cannot be separated as independent works, enjoy IP rights have been infringed, including:
joint co-ownership in the copyright of the work. • financial compensation (eg, damages and reasonable
remuneration);
Trade secrets • injunctions (eg, preliminary injunctions);
39 How are trade secrets protected? Are trade secrets kept • corrective measures;
confidential during court proceedings? • the publication of judicial decisions;
• reasonable compensation for legal costs; and
Confidential information and trade secrets are covered by the new • criminal penalties.
Trade Secrets Act (incorporating the EU Directive on the Protection
of Undisclosed Know-How and Business Information (Trade Secrets) COMPETITION
(2016/943/EU)) and the Danish Penal Code.
With regard to the confidentiality of trade secrets (including confi- Sector-specific issues
dential information) during court proceedings, the Trade Secrets Act 42 Are there any specific competition issues that exist with
stipulates that the duty of confidentiality to which the court's staff (eg, respect to fintech companies in your jurisdiction?
the judge), lawyers and others employed by the law firm are subject,
implies that the unlawful use or disclosure of trade secrets that the The fintech nature of a product or service does not in itself give rise to
person in question has learned about through involvement in or access particular competition law issues.
to the legal proceedings is a punishable offence. This also applies to However, aspects of the fintech business model mean that certain
other persons involved in the legal proceedings, such as witnesses. competition law considerations – of general application – often become
relevant in the context of fintech businesses.
Branding One example of this is the widespread use of partnerships between
40 What intellectual property rights are available to protect fintech businesses and incumbent financial institutions that, depending
branding and how do you obtain those rights? How can on the nature of the partnership, may raise competition law questions
fintech businesses ensure they do not infringe existing about horizontal or vertical cooperation.
brands? At the other end of the spectrum, where a fintech product or
service requires the fintech business to access a financial institution's
The most relevant IP rights protecting branding are set out in the systems or customer data and the financial institution is reluctant to
Trademarks Act, the Marketing Practices Act and the Copyright Act. provide this access, questions of anticompetitive behaviour may arise in
The Trademarks Act protects signs used in branding, such as brand certain circumstances.
names, mottos or catchphrases and logos. The Marketing Practices Act
protects certain commercial signs that have the necessary degree of TAX
distinctiveness. Copyright protection may in principle be afforded under
the Copyright Act for user interfaces in software and website designs, Incentives
which may enjoy copyright protection with regard to branding; however, 43 Are there any tax incentives available for fintech companies
in practice, this protection is difficult to obtain. and investors to encourage innovation and investment in the
Trademark protection in Denmark may be obtained by way of both fintech sector in your jurisdiction?
a community (EU) trademark and on the national level in Denmark as a
Danish trademark. In Denmark, trademark protection may be obtained Danish tax law provides no specific fintech incentives. However, Danish
by way of both registration and use-based rights. To be registered as a tax law contains general tax incentives in the form of tax-favourable
trademark, the trademark owner must be able reproduce the trademark treatment on granting shares, options and warrants, where a company
in an appropriate manner by using technology that is generally avail- can grant up to 10 per cent (or 20 per cent if certain requirements are
able in order to determine the content of the trademark right clearly and met) of an employee's remuneration through such instruments. These
precisely. Protection under the Marketing Practices Act is obtained by favourable tax incentives have in part been introduced to promote start-
use, when necessary degree of distinctiveness exists. up businesses in Denmark.
To avoid trademark infringement of existing brands, fintech busi-
nesses should perform appropriate freedom-to-operate analysis prior Increased tax burden
to launching brands, including checking both national and EU registers 44 Are there any new or proposed tax laws or guidance that
for potentially conflicting registered rights. As protection in some cases could significantly increase tax or administrative costs for
can be established by use, a market check is also necessary. Similarly, fintech companies in your jurisdiction?
as regards the Marketing Practices Act, where protection is also estab-
lished formlessly, a market check is necessary. There are no such proposed tax laws currently implemented or
The Danish Patent and Trademark Office will, in connection with underway.
a trademark application, produce a search report showing rights with
which the applicant may come into conflict. However, the owners of
these prior rights are not automatically notified of this and, thus, it is up
to each owner to stay informed and assess whether they believe their
rights are infringed.
www.lexology.com/gtdt 55
© Law Business Research 2020
Denmark Plesner Advokatpartnerselskab
IMMIGRATION
Sector-specific schemes
45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there
any special regimes specific to the technology or financial
sectors?
Citizens from other EU and EEA countries or Switzerland may work Rasmus Mandøe Jensen
rmj@plesner.com
in Denmark under the EU rules on the free movement of persons and
services. As a clear starting point, these citizens must have a work Christian Scott Uhlig
permit to work in Denmark. csu@plesner.com
There are several immigration schemes aimed at the recruitment
of skilled staff. However, none are specific to the technology or financial Amerika Plads 37
sector. The most relevant schemes for a fintech business are: DK-2100 Copenhagen
• the Pay Limit Scheme, which ensures that an employee is granted Denmark
a work permit if their annual salary is over a certain amount Tel: +45 33 12 11 33
(436,000 kroner) and the employment terms correspond to Danish www.plesner.com
standards;
• the Positive List scheme, under which residence and work permits
are granted to employees who have been offered jobs that are listed
on the Positive List covering certain professions and fields that are and ‘covid-19 investor loans’, which both are aimed at seed-stage start-
currently experiencing a shortage of qualified professionals. The ups, and ‘covid-19 syndicated loans’, which are aimed at late-stage
list contains more than 100 professions and is available on the start-ups.
Danish Immigration Service website; and These covid-19 financing schemes are set to expire on 30
• the fast-track scheme, which makes it faster and easier for certified September 2020.
companies to recruit foreign employees with special qualifications
to work in Denmark
Current developments
46 Are there any other current developments or emerging
trends to note?
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
In the area of banking and finance, the Danish authorities have put in
place several schemes as a result of the covid-19 outbreak, however
none specifically targeted fintech companies.
These schemes include, inter alia, a guarantee scheme from the
Danish Growth Fund covering up to 70 per cent of loans issued for the
purpose of funding losses resulting from the covid-19 outbreak as well
as a similar guarantee scheme from the Danish Export Credit Agency
directed at Danish export businesses (ie, businesses where a minimum
of 10 per cent of the revenue stream from the last financial year related
to exports), which also covers up to 70 per cent of losses incurred by
lenders on new credit lines offered for liquidity purposes.
Furthermore, the Danish Growth Fund has initiated certain lending
schemes directed at Danish start-ups. These schemes include ‘covid-19
start loans’, which are aimed at pre-seed start-ups, as well as certain
match-rate financing schemes, including ‘covid-19 business angel loans
56 Fintech 2021
© Law Business Research 2020
Egypt
Mohamed Hashish
Soliman, Hashish & Partners
FINTECH LANDSCAPE AND INITIATIVES After an almost five-month review, the House of Representatives intro-
duced a number of amendments to the Law, which were approved, in
General innovation climate principle, by the House of Representatives on 5 May 2020.
1 What is the general state of fintech innovation in your The Draft Banking Law was referred to the State Council for review,
jurisdiction? which approved and referred it to the President for issuance.
Fintech is governed by several Egyptian laws and regulations, including Government and regulatory support
the following main laws and regulations (as amended): 2 Do government bodies or regulators provide any support
• the Non-cash Payment Methods Law No. 18 of 2019; specific to financial innovation? If so, what are the key
• Law No. 88 of 2003 on the Central Bank of Egypt and the Banking benefits of such support?
Sector (the Banking Law) and its executive regulation;
• the E-signature Law No. 15 of 2004 and its executive regulation; In May 2019, the CBE launched a regulatory sandbox for the purpose of
• the Non-Financial Markets and Instruments Law No. 10 of 2009; providing fintech players with is a virtual space within which, subject
• the Microfinance Law No. 141 of 2014; to a specific framework, applicants can experiment with their solutions
• the Trade Code No. 17 of 1999; for a limited period of time on a small scale and under a well-defined
• the Consumer Finance Law No. 18 of 2020; parameter.
• the Cybercrime Law No. 175 of 2018; Furthermore, a number of funds initiatives are available to fintech
• the Investment Law No. 72 of 2017 and its executive regulation; start-ups in Egypt. For example, in March 2019, the CBE launched the
• the Consumer Protection Law No. 181 of 2018 and its executive Fintech Innovation Fund with a value of 1 billion Egyptian pounds. In
regulation; April 2019, the International Finance Corporation launched, in collabora-
• the Small and Microenterprises Law No. 141 of 2004 and its execu- tion with two local partners in Egypt, a two-year programme to support
tive regulation; the fintech space in Egypt, and the World Bank Group set aside US$200
• the Telecoms Law No. 10 of 2003; million for small and medium-sized enterprises in Egypt, which can be
• the Media Law No. 180 of 2018; used also by small and medium-sized fintech players.
• the Capital Market Law No. 95 of 1992 and its executive regulation;
• the Movable Securities Law No. 115 of 2015 and its executive FINANCIAL REGULATION
regulation;
• the Anti-Money Laundering Law No. 80 of 2002 and its executive Regulatory bodies
regulation; 3 Which bodies regulate the provision of fintech products and
• the Public Entities Contracts Law No. 182 of 2018 and its executive services?
regulation; and
• Presidential Decree No. 89 of 2017, founding the National Several bodies are responsible for enforcing fintech-related laws and
Payments Council. regulations, including:
• the Central Bank of Egypt (CBE), which is empowered by Law No.
There has been rapid global change in the banking and finance sector, 88 of 2003 on the Central Bank of Egypt and the Banking Sector
particularly in the fintech space. The banking sector in Egypt, being a (the Banking Law) to, among other things, regulate bank accounts
country that witnessed two revolutions in 2011 and 2013, was certainly and banking transactions;
affected by this change as well as the local political challenges. • the Information Technology Industry Development Agency, which is
As a result, the Egyptian government, upon a request by the Central empowered by the E-signature Law No. 15 of 2004 to, among other
Bank of Egypt (CBE), proposed a new Draft Banking Law. This Law things, promote and develop the information technology and commu-
was prepared based on, among other things, several pieces of advice nications industry, support small and medium-sized enterprises in
provided by international consultancy firms, a comparative study on the using e-transactions and regulate e-signature services activities;
laws of other countries, international standards, the Basel Framework, • the Financial Regulatory Authority (FRA), which is empowered by
recommendations of the Organisation for Economic Co-operation and the Non-Financial Markets and Instruments Law No. 10 of 2009
Development, the World Bank Group and the International Monetary to, among other things, license the carrying out of non-banking
Fund, as well as recommendations made by the banks that are regis- financial activities and the protection of stakeholders within the
tered with the CBE. non-banking financial market;
In accordance with the Constitution, the Draft Banking Law was • the National Payments Council, which is empowered by Presidential
submitted to the House of Representatives for review and approval. Decree No. 89 of 2017 to, among other things, reduce the use of
www.lexology.com/gtdt 57
© Law Business Research 2020
Egypt Soliman, Hashish & Partners
cash outside the banking sector, support and encourage the use of Secondary market loan trading
electronic methods and channels instead of cash, and protect the 6 Are there restrictions on trading loans in the secondary
consumers of any payment systems and services; and market in your jurisdiction?
• the National Telecommunications Regulatory Authority, which is
generally empowered by the Telecoms Law No. 10 of 2003 to regu- In general, there are no restrictions on trading loans in Egypt. However,
late and enhance telecommunication services. if the trading is being carried out on a regular basis, then it may be
deemed as the carrying out of banking activities, in which case licensing
Regulated activities by and registration with the CBE is required.
4 Which activities trigger a licensing requirement in your The assignment of debts in Egypt is subject to a specific legal
jurisdiction? framework to be effective in respect of debtor and surety (if any).
In general, according to the Banking Law and several judgments issued Collective investment schemes
by the economic courts, neither natural nor juristic persons may practise 7 Describe the regulatory regime for collective investment
any banking activity in Egypt without being licensed by and registered schemes and whether fintech companies providing
with the CBE. alternative finance products or services would fall within its
‘Banking activities’ are defined under the Banking Law as any activ- scope.
ities regarding the receipt of deposits, the provision of refinancing, loans,
facilities, contributions to share capital in local companies and any other As a general rule, no activity relating to investment funds can be carried
activities that are considered as banking activities according to banking out unless a licence is obtained from the FRA. Banks registered with the
customs that are carried out on a regular basis and as the main business CBE may carry out the activity, provided that an approval is obtained
activities of any person carrying out those activities. This definition is from the CBE.
also found in the Trade Code No. 17 of 1999. Investment funds may, in general, be established in the form of a
Any person that violates those provisions is subject to imprison- joint-stock company with a minimum issued capital of 5 million Egyptian
ment of between 24 hours and three years or a fine of between 5,000 pounds or any equivalent currency.
Egyptian pounds and 50,000 Egyptian pounds, or both, in accordance Licensed investment funds must deposit any securities that
with the Banking Law. There are two main prerequisites that must be they are investing in with one of the banks that is registered with the
satisfied to apply those penalties in respect of any banking activity, CBE, providing that the bank (and its related parties) does not control
namely carrying out the banking activity on a regular basis and having or hold more than 10 per cent of the total shares in the investment
the banking activity as the main activities of any person, including indi- fund company.
viduals and juristic persons. One of the licensing requirements to be qualified for the invest-
Other than the general rule above, each of the following activities is ment fund underwriting is to have the minimum required infrastructure
also regulated and subject to licensing requirements in Egypt: and technology to do so.
• microfinancing; Investment funds may take the form of an open-end fund, closed-
• investment banking; end fund, private equity fund, exchange-traded fund, money market
• brokerage; fund, debt fund, real estate fund, donor-advised fund or related fund.
• factoring; Promoting investment funds is generally not allowed before estab-
• foreign exchange trading; lishing them except for in the case of private equity funds and providing,
• payment services; among other things, that a notification is sent to the FRA and that no
• e-commerce; underwriting is made as a part of the promotion.
• financial leasing; Most of the alternative financial products and services that are
• mortgage finance; and provided by fintech companies generally fall within the scope of either
• consumer lending. collective investment schemes or banking activities.
The Consumer Finance Law No. 18 of 2020 was issued on 16 March 2020, Yes, managers of alternative investment funds are regulated, including
governing any activity aiming at financing the purchase of products or board members.
services for consumption purposes as long as the activity will be carried
out on a regular basis. Among the activities covered is financing through Peer-to-peer and marketplace lending
payment cards or any other means decided by the CBE. 9 Describe any specific regulation of peer-to-peer or
The consumer finance-related activities above may not be carried out marketplace lending in your jurisdiction.
in Egypt unless a licence is obtained from the FRA. The licence requires,
among other things, the carrying out of the activities by a joint-stock Peer-to-peer and marketplace lending can be deemed as banking
company with an issued capital of at least 10 million Egyptian pounds. activities, in which case licensing by and registration with the CBE is
The Consumer Finance Law (including the licensing requirement) required.
does not apply to all banks registered with the CBE nor any entity licensed
to carry out mortgage financing, financial leasing, factoring, microfi- Crowdfunding
nancing or the purchasing of properties from real estate developers. 10 Describe any specific regulation of crowdfunding in your
The Consumer Finance Law applies only to vehicles, durable jurisdiction.
products, educational services, medical services, travel and leisure
services as well as any other products and services that are determined Crowdfunding falls within the meaning of banking activities; however, it
by the FRA. may also be a form of donor-advised fund.
58 Fintech 2021
© Law Business Research 2020
Soliman, Hashish & Partners Egypt
The subject may also be fully depreciated, provided that points (2) and CROSS-BORDER REGULATION
(3) are satisfied.
The provisions of Law No. 88 of 2003 on the Central Bank of Egypt Passporting
and the Banking Sector and several judgments issued by the economic 17 Can regulated activities be passported into your jurisdiction?
courts also apply to factoring.
Not applicable.
Payment services
12 Are payment services regulated in your jurisdiction? Requirement for a local presence
18 Can fintech companies obtain a licence to provide financial
There is a specific regulation governing payment services that are services in your jurisdiction without establishing a local
provided by technical payment aggregators or payment facilitators. presence?
Services agreements are subject to specific know-your-customer and
anti-money laundering checks and must include specific terms and No,
conditions for those services, including a restriction on sub-contracting
unless certain conditions are being met. SALES AND MARKETING
Under the Draft Banking Law, no activity concerning the opera-
tion of a payment system or the provision of a payment system may be Restrictions
carried out unless a licence is obtained by the CBE. This new restric- 19 What restrictions apply to the sales and marketing of
tion applies to all persons, whether natural or juristic, carrying out the financial services and products in your jurisdiction?
activity in Egypt or providing the services from abroad to any residents
in Egypt, with the exceptions of stock exchanges, futures exchanges, In general, the sales and marketing of financial services and products in
securities settlement systems, licensed central clearing, depository and Egypt are regulated and subject to a prior licence and approval.
registry systems, custodian banks and internal systems of the Egyptian
Ministry of Finance that do not include payment, collection, setting-off CHANGE OF CONTROL
or clearance of payment.
Notification and consent
Open banking 20 Describe any rules relating to notification or consent
13 Are there any laws or regulations introduced to promote requirements if a regulated business changes control.
competition that require financial institutions to make
customer or product data available to third parties? It depends on several elements, such as the type and location of busi-
ness that is the subject of the change of control. For example, no one
No. is allowed to acquire between 5 and 10 per cent of the issued capital
of any bank registered with the Central Bank of Egypt (CBE) unless a
www.lexology.com/gtdt 59
© Law Business Research 2020
Egypt Soliman, Hashish & Partners
notification is sent to the CBE. Prior approval from the CBE is required Securitisation risk retention requirements
to acquire more than 10 per cent of the issued capital. A similar restric- 25 Are securitisation transactions subject to risk retention
tion applies to insurance companies. requirements?
Yes, all available guides can be found on the anti-money laundering Artificial intelligence
page of the Central Bank of Egypt’s website. 27 Are there rules or regulations governing the use of artificial
intelligence, including in relation to robo-advice?
PEER-TO-PEER AND MARKETPLACE LENDING
There is no special regulation in Egypt governing artificial intelligence.
Execution and enforceability of loan agreements However, according to Prime Ministerial Decree No. 2889 of 2019, a new
23 What are the requirements for executing loan agreements or national council was established: the Artificial Intelligence National
security agreements? Is there a risk that loan agreements Council (AINC). The AINC is empowered to determine, supervise and
or security agreements entered into on a peer-to-peer or follow up on Egypt’s national strategy for artificial intelligence in light of
marketplace lending platform will not be enforceable? international developments.
In addition, since 2019, the Minister of High Education has started
In general, loan agreements do not require any execution formali- to add special artificial intelligence departments to several engineering
ties, whereas almost all types of securities, such as mortgages, liens, universities in Egypt.
pledges, assignments of rights and movable collateral, have specific
execution formalities to be enforceable and effective in respect of Distributed ledger technology
third parties. 28 Are there rules or regulations governing the use of
Peer-to-peer and marketplace lending platforms may be deemed distributed ledger technology or blockchains?
as banking activities; therefore, there is an invalidity risk associated
with any loan granted within the peer-to-peer and marketplace lending There are no specific regulations or rules applied to distributed ledger
platform without compliance with the relevant licensing framework. technology or blockchain. However, the Draft Banking Law includes a
Chapter regulating fintech, including, among other things, the possibility
Assignment of loans of issuing cryptocurrencies for the first time in Egypt.
24 What steps are required to perfect an assignment of
loans originated on a peer-to-peer or marketplace lending Crypto-assets
platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto-
assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and
loans without informing the borrower? e-money?
In general, there are no restrictions on trading loans in Egypt. However, There is no specific regulation governing crypto-assets in Egypt.
if the trading is being carried out on a regular basis, then it may be However, the Draft Banking Law includes a Chapter regulating fintech,
deemed as the carrying out of banking activities, in which case licensing including, among other things, the possibility of issuing cryptocurren-
by and registration with the Central Bank of Egypt is required. cies for the first time in Egypt.
The assignment of debts in Egypt is subject to a specific legal The Mobile Payment Regulation was issued by the Central Bank
framework to be effective in respect of debtor and surety (if any). of Egypt (CBE) in November 2016. The Regulation governs mobile
payments and provides the minimum requirements that banks must
meet to authorise mobile payments, including risk management, super-
visory requirements, customers’ security, mobile cash, partnership with
services providers, interoperability, authentication, confidentiality and
licensing framework.
60 Fintech 2021
© Law Business Research 2020
Soliman, Hashish & Partners Egypt
The Mobile Payment Regulation does not apply to mobile banking, Cybersecurity
which is governed separately. 33 What cybersecurity regulations or standards apply to fintech
Each bank is allowed to issue mobile cash of up to 5 per cent of its businesses?
paid-in capital or 50 million Egyptian pounds, whichever is less. Mobile
cash may only be issued in Egyptian pounds, not in any other currency. According to the Cybercrime Law No. 175 of 2018, all providers of infor-
Local transactions in mobile cash within Egypt are allowed within mation technology and telecommunications services, including the
specific daily and monthly thresholds adopted by the CBE. However, processing or storing of data, must retain and store users’ data for at
these thresholds may be exceeded if a positive outcome for the know- least 180 continuous days, including identification, the content of the
your-customer and authentication process is made. services’ system, communication traffic, terminals and any other data
The Mobile Payment Regulation allows the receipt of mobile cash required by the National Telecommunications Regulatory Authority.
transfers from abroad, subject to satisfying a number of conditions, The providers must also keep all stored and archived data
including that the transfers must be converted into Egyptian pounds (including personal data) confidential and not disclose the data unless
and be limited to natural persons. there is court order to do so.
www.lexology.com/gtdt 61
© Law Business Research 2020
Egypt Soliman, Hashish & Partners
INTELLECTUAL PROPERTY RIGHTS claim damages that cover all the losses incurred to the owner as well
as all the profits of which the owner has been deprived as a result of
IP protection for software the infringement.
36 Which intellectual property rights are available to protect
software, and how do you obtain those rights? COMPETITION
Software is protected in Egypt in the form of copyright. This protection Sector-specific issues
requires the registration of the software, including, among other things, 42 Are there any specific competition issues that exist with
the first and final 10 pages of the source code, with the Information respect to fintech companies in your jurisdiction?
Technology Industry Development Agency.
To assess whether there is an antitrust-related risk, it must first be deter-
IP developed by employees and contractors mined whether the relevant fintech player is deemed to be in a dominant
37 Who owns new intellectual property developed by an position in accordance with the meaning given under the Antitrust Law
employee during the course of employment? Do the same No. 3 of 2005 (the Antitrust Law) and its executive regulations.
rules apply to new intellectual property developed by For a fintech player and its controlled affiliates in Egypt to be
contractors or consultants? deemed to be in a dominant position under the Antitrust Law, the
player must:
According to the Intellectual Property Rights Law No. 82 of 2002 (the 1 hold a market share exceeding 25 per cent of the market that is
IPRs Law), only the person who provides the direction to create a joint relevant to each service provided by the player (the relevant
work is entitled to exercise the author rights of the work. This rule market), the percentage being calculated based on two elements,
applies to copyright created by employees during the course of their namely the relevant products (the relevant market products) and
employment. the geographic area during a certain period;
For contractors and consultants, it depends on the specific terms 2 be able to make an impact on changing the prices or the quantity of
and conditions of the relevant development or services agreement. the market products (the dominant ability); and
3 not be in a position to limit the dominant ability, noting that the
Joint ownership competitors have the ability to carry out the same business as the
38 Are there any restrictions on a joint owner of intellectual fintech player in Egypt whether in the present or in the future.
property’s right to use, license, charge or assign its right in
intellectual property? Points (2) and (3) are reviewed and assessed by the Egyptian Competition
Authority (ECA) based on specific criteria.
According to the IPRs Law, if there is more than one author of any work, If the fintech player is in a dominant position in the relevant market,
all participants in the work are considered joint authors, and none of then that player must be in a position to conduct certain practices,
them can individually use any right over the work unless otherwise including entering into any agreement with any of its suppliers or its
agreed between the authors in writing. customers that results in limiting competition.
The assessment of any violation under the Antitrust Law is made
Trade secrets by ECA on a case-by-case basis according to specific criteria, including,
39 How are trade secrets protected? Are trade secrets kept among other things, the benefits of customers and commercial customs.
confidential during court proceedings? The assessment is subject to a judicial review by the economic courts.
According to the IPRs Law, the court will maintain the confidentially of The Investment Law No. 72 of 2017 provides fintech companies, subject
trade secrets. to the satisfaction of specific criteria, with several key guarantees and
incentives, including:
Branding • exemption from stamp duty and the notarisation fee imposed on
40 What intellectual property rights are available to protect articles of incorporation, facilities and loans agreements, security
branding and how do you obtain those rights? How can documents or plot of land purchase agreements for five years,
fintech businesses ensure they do not infringe existing starting from the date of registration with the Commercial Registry;
brands? • application of a unified custom duty at a flat rate of 2 per cent of the
value of any equipment, machinery and device that is necessary for
Branding is generally protected as both copyright and trademarks. establishment of the investment projects; and
• tax reduction for seven years, counting from the date of starting the
Remedies for infringement of IP investment projects in Egypt, subject to a specific formula.
41 What remedies are available to individuals or companies
whose intellectual property rights have been infringed?
There are several remedies under Egyptian law for owners of intel-
lectual property rights, including specific performance and the right to
62 Fintech 2021
© Law Business Research 2020
Soliman, Hashish & Partners Egypt
IMMIGRATION
10th Floor, Degla Plaza Building (75/77)
Sector-specific schemes 199 St, Degla
45 What immigration schemes are available for fintech New Maadi, Cairo
businesses to recruit skilled staff from abroad? Are there Egypt
any special regimes specific to the technology or financial Tel: +201 00047 0077
www.shandpartners.com
sectors?
Current developments
46 Are there any other current developments or emerging
trends to note?
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
www.lexology.com/gtdt 63
© Law Business Research 2020
Germany
Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Felix Biedermann, Janine Marinello,
Jochen Kindermann, Martin Gramsch and Sascha Kuhn
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES be subject to reduced requirements provided it limits its activities
to, broadly:
General innovation climate • the distribution of open or closed-end funds registered for public
1 What is the general state of fintech innovation in your distribution in Germany; or
jurisdiction? • the distribution of participation rights, subordinated loans or profit
participation rights.
According to latest statistics, the fintech market has reached a level
of saturation. Recent statistics show that after a peak of new compa- In these cases, the local trade office would be the competent supervi-
nies in 2017 the number of new fintech start-ups in Germany reduced to sory authority.
eight in 2019. As a result of strong competition with non-German fintech
companies, several big tech companies and long-established market Regulated activities
participants, a substantial increase in new fintech companies in the 4 Which activities trigger a licensing requirement in your
German market is not expected. There is a trend towards established jurisdiction?
business models that have proven to be reliable. Established companies
benefit from higher funding compared to smaller or new companies for Pursuant to section 32(1), sentence 1 of the German Banking Act
whom access to funding seems to have become more difficult. (KWG), anyone wishing to conduct banking business or to provide
financial services in Germany commercially or on a scale that requires
Government and regulatory support a commercially organised business undertaking requires a written
2 Do government bodies or regulators provide any support licence from BaFin. What constitutes banking business or financial
specific to financial innovation? If so, what are the key services is set out in section 1(1) and (1a) KWG and includes, among
benefits of such support? other things:
• the acceptance of monies from the public (deposit business);
The German government and municipalities support fintech companies • the provision of money loans (lending business);
in various ways. The Federal Financial Supervisory Authority (BaFin) is • the brokering of business involving the purchase and sale of finan-
the financial regulatory authority in Germany. BaFin set up a dedicated cial instruments (investment broking);
team to support fintech companies in relation to their market entry, • providing customers or their representatives with personal recom-
and it also organises events (eg, the annual BaFin-Tech conference) to mendations in respect of transactions relating to certain financial
discuss regulatory developments with market participants. Although instruments where the recommendation is based on an evalua-
fintech companies do not benefit from special treatment, BaFin supports tion of the investor’s personal circumstances or is presented as
fintech companies in relation to evaluating licensing requirements and being suitable for the investor and is not provided exclusively via
clarifying ongoing regulatory aspects. The German FinTechRat includes information distribution channels or for the general public (invest-
experts appointed by the German Ministry of Finance who support the ment advice);
legislature in developing a suitable regulatory framework. All German • the purchase and sale of financial instruments on behalf of and for
cities that are hubs for fintech (Berlin, Frankfurt, Munich and Hamburg) the account of others (contract broking);
offer additional support through fintech centres. In addition, universities • the management of individual portfolios of financial instruments
in or around fintech centres tend support and dedicate resources to the for others on a discretionary basis (portfolio management);
development of an effective fintech ecosystem. • dealing in foreign notes and coins (foreign currency dealing);
• the ongoing purchase of receivables on the basis of standard
FINANCIAL REGULATION agreements, with or without recourse (factoring);
• the conclusion of financial lease agreements in the capacity of the
Regulatory bodies lessor and the management of asset-leasing special purpose vehi-
3 Which bodies regulate the provision of fintech products and cles (financial leasing); and
services? • the purchase and sale of financial instruments separately from the
management of a collective investment scheme for a community of
The Federal Financial Supervisory Authority (BaFin) is responsible for investors, who are natural persons, on a discretionary basis with
regulating fintech products and services in Germany if they fall under regard to the choice of financial instruments (asset management).
the scope of regulated activities or products. A fintech company may
64 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
Since the beginning of 2020, crypto-custody business has been added Alternative investment funds
to the list of licensable activities. Crypto-custody business is defined as 8 Are managers of alternative investment funds regulated?
the safekeeping, administration and storage of crypto-assets or private
cryptographic keys used to hold, store and transfer crypto-assets for Managers of alternative investment funds located in Germany are
others (crypto assets custody services). regulated under the KAGB. The same also applies to a certain extent to
In general, a licence is required for any investment services and German branches of non-German managers of alternative investment
activities listed in section A of Annex I of the Directive 2014/65/EU funds. Alternative investment funds may only be marketed in Germany
on markets in financial instruments or Annex I of Directive 2013/36/ once they are registered or passported for distribution to investors in
EU on access to the activity of credit institutions and the prudential Germany. Germany has implemented the Alternative Investment Fund
supervision of credit institutions and investment firms. The provision of Managers Directive 2011/61/EU.
payment services is licensable based on the provisions of the German Depending on the nature of their actual activities, fintech companies
Act on the Supervision of Payment Services (ZAG). could fall outside the scope of the KAGB if their activities do not consti-
The trading of claims deriving from fully drawn loan agreements tute an investment fund. An investment fund is, pursuant to section 1(1),
does not trigger a licence requirement, provided that the claim is not sentence 1 of the KAGB, any collective investment scheme that raises
amended. However, amendments requiring a new credit decision (eg, capital from a number of investors, with a view to investing in accord-
prolongation) can constitute licensable lending business. ance with a defined investment policy for the benefit of those investors
and that does not constitute an undertaking operating outside of the
Consumer lending financial sector. Such a number of investors will be deemed to exist if
5 Is consumer lending regulated in your jurisdiction? the fund rules or the articles of association of the collective investment
fund do not limit the number of potential investors to a single investor.
The contractual basis for consumer lending contracts can be found in
the German Civil Law Code. The civil law provisions contain an elabo- Peer-to-peer and marketplace lending
rate protection regime and require the borrower to comply with, among 9 Describe any specific regulation of peer-to-peer or
other things, certain disclosure obligations and walk-away rights for marketplace lending in your jurisdiction.
the borrowers. In particular, the licence requirement is triggered if
the repayment obligation is in cash. Where the repayment obligation Lenders and borrowers
takes the form of financial instruments or other goods or rights, other BaFin has published guidance on the question of when the participants
licensing requirements may apply (eg, investment services). of a P2P marketplace typically conduct lending or deposit business on a
scale that triggers a licensing requirement. According to this guidance,
Secondary market loan trading BaFin assesses potential licence requirements on a case-by-case basis,
6 Are there restrictions on trading loans in the secondary taking into account the activities of each single investor. It is particularly
market in your jurisdiction? important that investors do not invest on a commercial scale or in a
manner that would require a commercially organised business under-
In general, the trading of fully drawn loans does not trigger a licensing taking, because otherwise a banking licence requirement is triggered.
requirement in Germany. Restrictions on the trading of loans may apply BaFin suggests that a commercially organised business undertaking is
under the terms of the respective contract or as a result of data protec- required if more than €500,000 is invested or more than 100 loans are
tion rules. granted. An investor invests on a commercial scale if he or she under-
takes the investments for a certain time and with a view to making a
Collective investment schemes profit. In addition, under certain circumstances crowd-lending models
7 Describe the regulatory regime for collective investment are subject to the Act on Capital Investments, so that several investor
schemes and whether fintech companies providing protection rules apply, such as the requirement to produce a sales
alternative finance products or services would fall within its prospectus, which must be approved by BaFin. However, exemptions
scope. may apply.
The German Capital Investment Code (KAGB) provides the licensing and Peer-to-peer or platform operators
supervision regime for investment management companies and invest- Whether the operation of a crowd-lending platform requires a licence
ment funds in Germany. In addition, the marketing of investment funds (and which kind of licence) depends on the actual services that are
to investors in Germany is also regulated under the KAGB. The KAGB provided. Generally, it depends on the way the contracting is designed
takes a holistic approach and provides the legal regime for all collective on the platform. In cases where the operator of the platform merely
investment schemes (eg, alternative investment funds and undertak- provides the infrastructure, the licensable activities are more likely to
ings for collective investments in transferable securities). The aim of the be conducted by the users of the platform. If, on the other hand, the
KAGB is to ensure an adequate supervision of collective investments, operator of the platform steps into each transaction and takes on its
including the administration, marketing and compliance with investment own credit risk, it is likely that the licensable activity will be conducted
rules. However, crowdfunding platforms and peer-to-peer (P2P) lending by the platform operator. However, the pure brokerage of loans would
platforms are generally not viewed as collective investment schemes generally not be considered as banking, financial or payment services,
by BaFin. BaFin focuses on the lending aspect and indicates in several so ‘only’ an authorisation under the GewO may be required.
guidance notes that, depending on the actual nature of the services
provided, licensable lending business may be conducted. Further, the
brokerage of loans requires a licence under the German Industrial Code
(GewO) and, therefore, the operation of a P2P lending platform could
trigger the requirement for a loan broker licence.
www.lexology.com/gtdt 65
© Law Business Research 2020
Germany Simmons & Simmons LLP
66 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
SALES AND MARKETING under the Money Laundering Act. For this reason, the corresponding
sanctions also result directly from the law itself.
Restrictions There have been some important changes to the Money Laundering
19 What restrictions apply to the sales and marketing of Act in the past: on 1 January 2020, the Act was amended to implement
financial services and products in your jurisdiction? the requirements of EU’s Fifth Anti-money Laundering Directive. The
changes imposed additional obligations, especially for regulated finan-
There are various restrictions regarding the sales and marketing of cial services businesses, including fintech companies. Since this date,
financial services and products in Germany. The marketing of a regu- institutions in the field of crypto-assets (eg, virtual currency exchange
lated activity in Germany constitutes a licensable activity and providing platforms and custodian wallet providers) are explicitly included in the
those services without the necessary licence constitutes a criminal group of obliged entities.
offence. The marketing of financial instruments is subject to a detailed Generally, entities subject to German AML laws are, or will be
regulatory framework set out in Directive 2014/65/EU on markets required to, among other things:
in financial instruments. Providing false or misleading information is • implement preventive policies, controls and procedures;
generally prohibited. Further rules apply for specific types of financial • identify and assess the firm’s exposure to money laundering risk
instruments like investment funds. by, for example, undertaking a risk assessment;
• perform customer due diligence to an adequate standard
CHANGE OF CONTROL depending on the risk profile of that client;
• keep appropriate records;
Notification and consent • monitor compliance with the anti-money laundering regulations,
20 Describe any rules relating to notification or consent including internal communication of policies and procedures; and
requirements if a regulated business changes control. • report suspicious transactions.
Investors that intend to acquire 10 per cent or more of the capital or the Furthermore, the abovementioned amendment of the Money
voting rights of a regulated entity are required to file a disclosure as Laundering Act includes unified, enhanced due diligence requirements
holders of a significant holding. These investors must provide detailed for transactions with high-risk countries and extended data access
information regarding their background, the origin of their funding, the competencies for the Federal Financial Intelligence Unit and law
CVs of relevant persons and the details of their group structure. The enforcement agencies. In addition, digital companies will be required
Federal Financial Supervisory Authority then generally has 60 days to to provide payment service providers with access to infrastructure
approve or oppose the acquisition and may make approval subject to services. These include, for example, interfaces for near field commu-
certain actions being taken. nication, which is required for cashless payments by mobile phone at
In addition, notification requirements under securities trading or physical points of sale.
stock corporation laws may apply, depending on the legal nature of Violations of anti-money laundering regulations are administra-
the target. tive offences and will result in fines of up to €5 million or 10 per cent of
the institution’s total revenue.
FINANCIAL CRIME According to recent federal jurisdiction plans, fines of up to 10 per
cent of a corporation's annual turnover for regulatory offences may be
Anti-bribery and anti-money laundering procedures imposed. Furthermore, corporations are to be excluded from public
21 Are fintech companies required by law or regulation to have tenders for a term of five years if they have been fined for bribery or if
procedures to combat bribery or money laundering? a member of the executive board has been convicted for bribery. At a
state level, some German federal states already have adopted an act
Firstly, a distinction must be made between anti-corruption and bribery that allows their authorities to exclude companies from public tenders
(ABC) regulations and rules for combating money laundering (AML). if the company or its employees are associated with ABC-related
As taking and giving bribes are criminal offences under the behaviour.
German Criminal Code, only individuals can be held criminally liable. In addition, Germany has been debating for years whether compa-
Corporations and legal entities as such can solely be subject to regu- nies should be held liable under a kind of criminal law (ie, corporate
latory investigations and sanctions. However, if the individual acts on sanctions law) if its responsible persons commit crimes or regulatory
behalf of a corporate body, the corporation may be subject to additional offences. The current federal government is working on such an act
fines and confiscation of assets gained because of the criminal conduct and has recently published a first draft. However, this draft will likely
or forfeiture of other assets. All relevant administrative offences be revised a few times before it enters into force.
committed in Germany are mainly covered under the provisions of the In summary, despite some differences in the material scope, it is
Act on Regulatory Offences. important for fintech companies to adhere to the legal requirements of
Thus, German regulatory offences law allows legal entities to be ABC and AML regulations and to create a corresponding compliance
fined for bribery offences that have been committed by their legal repre- structure. After all, the risk for the company is always the same in the
sentatives or by any other senior management employee, the conduct of event of infringement as very high fines are threatened.
whom can be associated to the legal entity. Fines of up to €600 million
have been imposed for bribery offences in the past. Guidance
In contrast to this, all companies in Germany must generally 22 Is there regulatory or industry anti-financial crime guidance
comply with national AML regulations. In addition, where an institu- for fintech companies?
tion is an obliged entity under the German Money Laundering Act (see
section 2), it is under numerous additional obligations (eg, to set up a There is no specific anti-financial crime guidance for fintech compa-
specific AML compliance system). This means that it is not – as with the nies apart from the general advice that companies should always be
ABC regulations – a matter of breach of criminal provisions by natural compliant with relevant regulations. Therefore, it is essential to have
persons (eg, employees), but that the entity itself may violate the rules an adequate compliance system in place.
www.lexology.com/gtdt 67
© Law Business Research 2020
Germany Simmons & Simmons LLP
The design of the compliance system and the compliance organi- to damage claims by the borrower; if the form requirements are not
sation is fundamentally subject to the business judgement rule as an complied with, the loan agreement can be void; or if the consumer has
entrepreneurial decision. The management has to make decisions not been instructed correctly on his or her revocation rights, the loan
based on appropriate information, acting for the benefit of the entity. can become revocable for an indefinite period. With regard to formal
Above all, in terms of compliance, this means analysing the risks to requirements for the execution of the loan and security agreements,
which the company is exposed as part of its business activities and to written form is required; electronic form is permitted as well, except
repeat that continuously and regularly. Based on the risk analysis, the for in the case of certain security documents where a notarisation by
management must make appropriate organisational arrangements for a German notary is required (eg, land charge deeds, which include an
compliance in the company, such as: immediate enforcement clause or share pledge agreements, which
• use of increased compliance resources in countries with a high risk relate to the pledge of shares in a German limited liability company).
of corruption;
• stricter compliance checks on public contracts; Assignment of loans
• ongoing due diligence and monitoring; 24 What steps are required to perfect an assignment of
• ongoing internal training; loans originated on a peer-to-peer or marketplace lending
• separate rules for dealing with certain occupational groups; platform? What are the implications for the purchaser if the
• clear rules; and assignment is not perfected? Is it possible to assign these
• where appropriate, controls for contacts with competitors. loans without informing the borrower?
However, institutions that are regulated by the Federal Financial An assignment agreement would need to be concluded in relation to the
Supervisory Authority, in addition, should comply with all applicable assignment of the loan claims; there are no further perfection require-
anti-financial crime guidance for the financial sector. ments and the borrower’s consent is not required. The assignment is
also valid if it is not being disclosed to the borrowers. In the case of a
PEER-TO-PEER AND MARKETPLACE LENDING transfer of rights and obligations under a loan agreement (ie, transfer
of the whole contractual relationship) to a new lender of record, the
Execution and enforceability of loan agreements borrower (as both debtor and creditor of the transferred rights and
23 What are the requirements for executing loan agreements or obligations) would need to consent to the transfer. Usually, the loan
security agreements? Is there a risk that loan agreements documentation would include provisions requiring the prior consent of
or security agreements entered into on a peer-to-peer or the borrower to such a transfer. In the case of an assignment of rights
marketplace lending platform will not be enforceable? under a loan agreement, an assignment is generally possible without
the consent of the borrower. If an assignment of the rights under a
There is no special legislation applicable in Germany in relation to peer- loan agreement was explicitly excluded by a borrower in the loan docu-
to-peer (P2P) lending (ie, the general regulatory and civil law provisions mentation, the assignment would be void. However, in the case of the
are applicable). A distinction needs to be made between direct and indi- indirect P2P lending structure, the loan documentation should already
rect P2P lending. include the prior consent of the borrower to transfer the rights and obli-
• In relation to direct P2P lending, the agreement is concluded gations under the loan agreement to the investor (or intermediary, as
directly between the investor and the borrower. However, owing to the case may be).
regulatory limitations (ie, licence requirements for lending activity),
this structure is not popular in Germany. Securitisation risk retention requirements
• In relation to indirect P2P lending (which is more common in 25 Are securitisation transactions subject to risk retention
Germany), a cooperating licensed bank is involved. The licensed requirements?
bank enters into a loan agreement with the borrower. Once the
loan agreement between the bank and the borrower has been Regulation (EU) 2017/2402 provides for the general securitisation
entered into, the bank assigns under a purchase and assignment framework, including rules regarding risk retention. Under this frame-
agreement its claims under the loan agreement pro rata to the work, the originator, sponsor or original lender of a securitisation must
respective investor whereby often an affiliated company (inter- retain a material net economic interest in the securitisation of not less
mediary) of the platform provider is interposed. Thus, there is no than 5 per cent. However, if securitisation is achieved via an interme-
direct agreement between the borrower and the investor. The bank diary single purpose company, this entity will no longer be allowed
cooperates with the platform provider under a cooperation agree- to retain risk as the originator. Rather, this may only be done by an
ment and the platform provider serves as loan broker under a loan originator with a broader business purpose, the sponsor or the original
brokerage agreement with the borrower. For the loan brokerage, lender. The required entity must possess sufficient substance to hold
the platform provider needs permission according to the German the assets for a minimum period of time before they are securitised.
Industrial Code. Further, the platform provider must not receive Furthermore, assets to be securitised must not be selected with the aim
monies that are determined to have been forwarded, otherwise a of rendering the losses on such assets higher than the losses on compa-
payment services licence could be required. Generally, care should rable assets remaining on the balance sheet of the originator without
be taken in the documentation that the purchase of claims does not disclosing this accordingly to investors.
qualify as factoring, that the money laundering requirements have
been complied with and that the borrower consents to the transfer
of the borrower’s personal data to the investors.
68 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
Securitisation confidentiality and data protection requirements could fall under a number of regulated services, including investment
26 Is a special purpose company used to purchase and securitise advice and contract broking. Additionally, providers often offer portfolio
peer-to-peer or marketplace loans subject to a duty of management services under the label of robo-advice. Depending on the
confidentiality or data protection laws regarding information actual structure of the business, additional conduct of business rules
relating to the borrowers? may apply. For example, where the provider uses an advisory model
and gives personalised recommendations to its investors, certain
Yes, the special purpose company would be subject to data protection documentation obligations apply. In addition, the provider may need to
laws regarding information relating to the borrowers. However, in the determine the suitability and appropriateness of the financial products
case of the indirect P2P lending structure, the loan documentation that it recommends.
should already include the consent of the borrower to share its informa-
tion with the special purpose company. Distributed ledger technology
28 Are there rules or regulations governing the use of
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER distributed ledger technology or blockchains?
TECHNOLOGY AND CRYPTO-ASSETS
No, there is no single regulation specifically addressing distributed
Artificial intelligence ledger technology (DLT). However, use cases deploying DLT or block-
27 Are there rules or regulations governing the use of artificial chain technology in regulated markets (eg, securities markets) must
intelligence, including in relation to robo-advice? comply with the existing legal framework applicable to the specific
service and its providers. European requirements such as the European
In Germany, the Federal Financial Supervisory Authority (BaFin) has Market Infrastructure Regulation (EU) No 648/2012 (EMIR), the
actively addressed these regulatory aspects in the past; however, Markets in Financial Instruments Regulation (EU) No 600/2014 (MiFIR),
currently this is an ongoing process. Starting in 2018, BaFin conducted the Central Securities Depositaries Regulation (EU) No 909/2014,
a comprehensive study on the challenges and implications for supervi- the Markets in Financial Instruments Directive II 2014/65/ EU, the
sion and regulation of AI-based and big data-based services, concluding Alternative Investment Fund Managers Directive 2011/61/EU and the
that proliferation of these technologies will increasingly challenge Securities Financing Transactions Regulation (EU) 2015/2365 as well as
current regulatory frameworks. Besides ascertaining the need to adapt the national implementation thereto must be regarded. For instance, a
the supervisory framework accordingly, regulated companies remain use case involving the clearing of assets by deploying DLT would have
accountable for regulatory compliance in AI-based and big data-based to fulfil the requirements of EMIR and MiFIR regarding authorisation
products. While management boards remain fully accountable for any and regulated entities. BaFin has the power to prohibit unauthorised
results automatically produced or used within their company (section businesses. In addition, smart contracts and initial coin offerings (ICOs)
25a German Banking Act (KWG)), these results must also remain trans- are currently under close scrutiny by the supervisory authorities.
parent and explainable to ensure persisting human control. Thus, BaFin BaFin issued a consumer warning with regards to risks associated
considers the use of ‘black-box’ algorithms an indicator of dysfunctional with ICOs on 15 November 2017. Specific risks identified by BaFin include
(unlawful) business organisation. In addition, the accurateness and reli- the significant price fluctuations of tokens and, in many cases, a lack of
ability of AI-based and big data-based products must be ensured. This, information regarding ICO providers making ICO businesses prone to
again, requires robust data quality, thorough testing and continuous the risk of fraud, money laundering and the financing of terrorism. BaFin
supervision of algorithmic decision models, as well as technical safe- also published an advisory letter to the classification of tokens on 20
guards against maldevelopment (eg, automated shutdown procedures). February 2018. The key aspect of this letter is that BaFin will assess
Since late 2019, there has been increasing demand by various on a case-by-case basis whether a token constitutes a financial instru-
stakeholders in the German financial market for BaFin to engage in ment, a security or a capital investment. The supervisory classification
authorising the use of algorithms for automated decision-making. To of a token determines the applicability of the existing legal framework,
date, this request remains unheard. BaFin announced that, apart from the services and products associated with the tokens. Depending on the
existing authorisation of individual scenarios (eg, article 142 et seqq classification of tokens, several legislative acts apply including, among
and 362 et seqq EU Capital Requirements Regulation; high-frequency others, the WpHG, the German Securities Prospectus Act, the German
trading), there is no legal basis for requiring or granting such authorisa- Capital Investment Act, the German Capital Investment Code and the
tion on a general basis. KWG. Further, at the beginning of 2020 crypto-custody business was
Robo-advice is any form of customer support on investment deci- added to the list of licensable activities.
sions by making use of partially or fully automated IT systems. There
are several different kinds of automated investment advice platforms Crypto-assets
that are active in Germany. BaFin has issued guidance on robo-advice, 29 Are there rules or regulations governing the use of crypto-
indicating that these services can be qualified as (and regulated assets, including digital currencies, digital wallets and
as) investment advice, financial portfolio management, acquisition e-money?
brokerage and investment brokerage (each depending on its individual
features), and, thus, offering respective services regularly requires Yes. BaFin treats bitcoin and other crypto-tokens as a financial instru-
licensing under German banking (eg, KWG and the German Securities ment in the form of ‘units of account’. These units of account are similar
Trading Act) and commercial law (eg, the German Industrial Code). Most to foreign currencies and are not legal tender. Bitcoin is neither central
offerings currently available on the German market constitute invest- bank money nor e-money under German law: it is not central money
ment advice or financial portfolio management. because it is not issued by the central bank, and it is not e-money because
In terms of their supervision and regulation, robo-advising busi- it is not issued by an issuer against whom a claim can be established. The
nesses are generally subject to the same rules as if such service was distribution of bitcoin requires authorisation by BaFin if the distribution
rendered ‘manually’. Thus, automated investment advice will need to is performed on a commercial basis or requires a commercially organ-
comply with the applicable licensing requirements and conduct of busi- ised business operation. If virtual currencies are bought and sold for
ness rules. BaFin’s guidance sets out that the provision of robo-advice third parties, this could be classified as ‘proprietary trading’ under the
www.lexology.com/gtdt 69
© Law Business Research 2020
Germany Simmons & Simmons LLP
German Banking Act, depending on the specific arrangements deployed, The GDPR requires that any processing of personal data be done
which requires a BaFin authorisation as well. In addition, e-money insti- pursuant to one of six lawful bases for processing. The most commonly
tutions must be authorised and subject to supervision by BaFin. Offering used lawful basis for processing is to obtain the consent of the data
digital wallets online may require BaFin authorisation depending on the subject to that processing – in relying on this lawful basis, the busi-
tokens and the wallet services being provided. BaFin has the power to ness must ensure that the consent is freely given, specific, informed
prohibit any unauthorised business activities with immediate effect. and unambiguous, and capable of being withdrawn as easily as it is
At the beginning of 2020, crypto-custody business was added to given. This places a significant burden on businesses to ensure that
the list of licensable activities. Crypto-custody business is defined as their customers are fully informed as to what their personal data is
the safekeeping, administration and storage of crypto-assets or private being used for, which is a crucial change to the previous regime under
cryptographic keys used to hold, store and transfer crypto-assets for which disclosure did not need to be so transparent. Other lawful bases
others (crypto-assets custody services). for processing data include where that processing is necessary for the
business to perform a contract it has with the data subject, or where
Digital currency exchanges required to comply with an obligation the business has at law (not a
30 Are there rules or regulations governing the operation of contractual obligation).
digital currency exchanges or brokerages? The GDPR further differs from the previous regime in that it places a
significantly increased compliance burden on businesses, including, for
There is no special legal regime for digital currency exchanges or example, mandatory requirements to notify regulators of data breaches,
brokerages in Germany. The German regulator assesses activities in obligations to keep detailed records on processing, and requirements
the context of cryptocurrencies or tokens on a case-by-case basis. It for most entities to appoint a data protection officer.
has been BaFin’s administrative practice for several years now to view The GDPR does not apply to personal data that has been truly
bitcoin and similar cryptocurrencies as financial instruments in the form anonymised – as anonymised data cannot, by definition, be personal
of units of account. Consequently, the rules for dealings with financial data. However, to ensure that GDPR does not apply to a certain data set,
instruments apply. In a guidance note dated 20 February 2018, BaFin that data set must be truly anonymised. The GDPR itself gives limited
states that the mining of cryptocurrencies and the sale of the mined guidance on anonymisation in Recital 26, requiring data controllers to
tokens are, in principle, licence-free in Germany. However, persons who, consider a number of factors in deciding if personal data has been truly
for example, buy and sell cryptocurrencies in their own name and for anonymised, including the costs and time required to de-anonymise,
the account of others on a commercial scale are likely to conduct the the technology available at the time to attempt de-anonymisation and
licensable business of financial brokerage. Further, operating a digital further developments in technology.
currency exchange could qualify as operating a multilateral trading When it comes to international data transfers, a two-step test must
facility. Additionally, operators of mining pools may be carrying on be carried out. First, the legitimacy of an international data transfer has
licensable activities. the same requirements as a national data transfer. An international data
transfer can only be legitimate if an analogous transfer within Germany
Initial coin offerings was legitimate. Second, an international data transfer is only legitimate
31 Are there rules or regulations governing initial coin offerings if the country to which data is to be transferred provides for reasonable
(ICOs) or token generation events? data protection legislation. The transfer of data to other members of the
EEA is permitted because those countries provide for an adequate level
BaFin is of the view that each initial coin offering has to be judged of data protection. In the case of a data transfer to a country outside the
on a case-by-case basis, applying the existing legal framework. First, EEA, it must be ensured that the country of destination also provides
BaFin categorises the token to be issued and then, depending on the for an adequate level of protection. With regard to certain jurisdictions,
legal nature of the token (security token, utility token, payment token, the European Commission has provided decisions on the adequacy of
etc), applies the applicable legal framework. The consequence of this data protection. Another way of ensuring that adequate safeguards
approach is that, for example, a securities prospectus would be required are provided is the use of one of the model contracts approved by the
for the issuance of securities tokens and a payment services licence European Commission (standard contractual clauses (SCCs)). To date,
would be required for the issuance of payment tokens. the European Commission has already approved different types of
There is, however, no special legal regime for token-generating model contracts. In addition, there is theoretically another solution that
events yet. Discussions between the legislature and the respective renders an assessment of the second step (legality of a data transfer
stakeholders, including the Federal Ministry of Finance and BaFin, are to an entity in a country without an adequate level of data protection)
ongoing with a view to evaluating the need for special legislation and its unnecessary, namely corporate binding rules (CBRs). CBRs are codes
potential scope. of conduct and a set of rules a company can draft to allow data transfer
outside the EEA and to overcome some practical problems with SCCs.
DATA PROTECTION AND CYBERSECURITY From an EU perspective, the United States does not provide for adequate
protection of personal data. For this reason, the European Commission
Data protection has adopted a special decision in respect of the US: an adequate level
32 What rules and regulations govern the processing and of protection will be deemed to apply for those organisations that have
transfer (domestic and cross-border) of data relating to registered under the EU–US Privacy Shield. However, financial institu-
fintech products and services? tions cannot register under the Privacy Shield.
Businesses that infringe the GDPR may be subject to administra-
On 25 May 2018, the EU General Data Regulation (GDPR) came into force tive fines of an amount up to €20 million or 4 per cent of global turnover,
with direct effect across the EU. The GDPR governs the storage, viewing, whichever is higher.
use of, manipulation and other processing by businesses of data that In Germany, a new Federal Data Protection Act (BDSG) came into
relates to a living individual. In summary, the GDPR requires that busi- force at the same time as the GDPR. The BDSG makes use of opening
nesses only process personal data where that processing is done in a clauses, such as for the processing of personal data in the context of
lawful, fair and transparent manner, as further described in the GDPR. employment and for the appointment of data protection officers. The
70 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
oversight of GDPR, including compliance and enforcement, is carried OUTSOURCING AND CLOUD COMPUTING
out in Germany by 16 data protection supervisory authorities (one
supervisory authority based in each federal state). Outsourcing
German data protection authorities have not issued any specific 34 Are there legal requirements or regulatory guidance with
guidance for fintech companies. respect to the outsourcing by a financial services company of
a material aspect of its business?
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech There is a legal regime for outsourcing by financial services compa-
businesses? nies. Section 25b of the German Banking Act (KWG) sets the framework
and the Federal Financial Supervisory Authority's (BaFin) publication
‘Fintech’ here is understood as technology-enabled innovation in finan- ‘Minimum Requirements for Risk Management’ (MaRisk) further details
cial services often resulting in new business models, applications, the requirements for outsourcing in chapter AT9. Further, BaFin indi-
processes or products each materially affecting the traditional provi- cates that the ‘Guidelines on Outsourcing’ published by the Committee
sion of financial services. Owing to the technology-neutral regulation of European Banking Supervisors and European Banking Authority are
of financial markets in Germany, there are no cybersecurity standards also relevant for BaFin’s administrative practice.
specifically addressing fintech companies. In broad terms, it can be said that the outsourcer needs to ensure
The Federal Financial Supervisory Authority's (BaFin) standards on that its risk profile does not change owing to the outsourcing and that
cybersecurity reflect the traditional demarcations of regulatory frame- the outsourced services must be in compliance with the applicable legal
works in Germany: the German Banking Act (ie, BaFin Circular 10/2017 requirements. The outsourcing of services must not lead to outsourcing
on Banking Supervisory Requirements for IT), the Insurance Supervision of the management’s responsibilities and the regulator must not be
Act (ie, BaFin Circular 10/2018 on Insurance Supervisory Requirements hindered in its supervisory activities owing to the outsourcing. Further,
for IT) and German Capital Investment Code (ie, BaFin Circular 11/2019 the outsourcing agreement must meet certain criteria, if material parts
on Capital Management Supervisory Requirements for IT). of the business are outsourced. Controlling and audit functions may
According to BaFin, compliance with its sector-specific stand- only be outsourced to an extent that it does not bias the capability of
ards on IT security and cybersecurity does not relieve any regulated the outsourcing entity to monitor, understand and manage the risks it
entity from complying with other (general) standards in this field. incurs during its business operations.
For Germany, this namely refers to standards issued by the Federal
Office for Information Security (BSI), including the IT-Basic Protection Cloud computing
Compendium, the Standards 200-1 to 200-3 (security and risk manage- 35 Are there legal requirements or regulatory guidance with
ment), the Technical Guidelines and, particularly relevant, the standards respect to the use of cloud computing in the financial services
on certain aspects of cybersecurity. Fintech businesses must also industry?
comply with IT and data security requirements stipulated in other appli-
cable laws (such as the GDPR). Sections 25a paragraph 1 and 25b KWG stipulate specific legal require-
Certain stakeholders on the financial markets are, thus, also ments relating to IT outsourcing and, as such, cloud computing in the
regulated as operators of a critical infrastructure or digital service, or financial services industry. Regulatory guidance is given in this context
both, under the German IT Security Act (IT-SiG). Briefly, any facility or by MaRisk. According to MaRisk, any material outsourcing requires an
installation (or parts thereof) in the finance and insurance sectors is outsourcing agreement in writing that fulfils minimum requirements,
considered a critical infrastructure if their failure or impairment would such as stipulating audit rights (in favour of the financial services
lead to considerable supply bottlenecks or threats to public safety. provider as well as the supervisory authority), data protection and exit
Digital services are electronically provided services relating to online management. New guidance on the ‘Bank regulatory requirements
marketplaces, search engines and cloud-computing applications; these relating to IT’ was published by BaFin. This guidance specifies MaRisk
are likewise regulated if they qualify as ‘critical’ in the aforesaid meaning requirements relating to IT risk and information security management
and provide the public with finance or insurance products. Specific guid- as well as the concrete IT operation, and, therefore, is also relevant to
ance on identifying critical infrastructure and services in practice is cloud computing in the financial services industry.
provided in form of legislative decrees of the German Federal Ministry
of the Interior. Operators of critical infrastructure are, inter alia, obliged INTELLECTUAL PROPERTY RIGHTS
to take appropriate organisational and technical precautions to avoid
disruptions to the availability, integrity, authenticity and confidentiality IP protection for software
of their IT systems, components or processes, as far as these are essen- 36 Which intellectual property rights are available to protect
tial for the functionality of their critical infrastructure (see section 8a, software, and how do you obtain those rights?
paragraph 1 BSI Act). The same accounts for critical service providers
in terms of IT security and network security (see section 8c BSI Act). As According to German copyright law, computer programs shall be
detailed by the BSI, both obligations require regulated entities to imple- protected if they represent individual works in the sense that they are
ment various measures to ensure network security. the result of the author’s own intellectual creation. No other criteria,
BaFin is conducting regular checks relating to the IT infrastruc- especially qualitative or aesthetic criteria, shall be applied. The protec-
ture of regulated entities. These aspects are likewise covered in audits tion granted shall apply to the expression in any form of a computer
performed by data protection supervisory authorities. Resulting from program. Ideas and principles underlying any element of a computer
latest amendments of the IT-SiG, BSI is furnished with information and program, including the ideas and principles underlying its interfaces,
audit rights. Furthermore, fintech businesses must comply with the IT shall not be protected. A copyrightable work is protected as of the
security requirements that are stipulated in any other applicable law, moment of creation, so no further administrative measures are needed.
such as the GDPR. The German Act on Copyright and Related Rights comprises specific
stipulations concerning various uses of software, including decompi-
lation and rearrangement of software. While software as such is not
www.lexology.com/gtdt 71
© Law Business Research 2020
Germany Simmons & Simmons LLP
patent-protectable, computer-implemented inventions may be if they • it is secret in the sense that it is not, as a body or in the precise
show a technical effect. configuration and assembly of its components, generally known
Business methods and software as such are not patent-eligible; among or readily accessible to persons within the circles that
both the German Patent Act and the European Patent Convention say so normally deal with the kind of information in question;
explicitly. However, for practical purposes the patent eligibility of soft- • it has commercial value because it is secret; and
ware very much depends on the claim drafting: if the invention can be • it has been subject to reasonable steps under the circumstances, by
presented as having a technical effect, patent protection may be avail- the person lawfully in control of the information, to keep it secret.
able. The case law of both the Federal Court of Justice and the EPO
Boards of Appeal provide useful guidance in this respect. The most important requirement for the applicability of the German
Trade Secrets Act is that the confidential information needs to be subject
IP developed by employees and contractors to adequate and traceable trade secret measures implemented by the
37 Who owns new intellectual property developed by an trade secret owner. The adequacy of the measures depends on the
employee during the course of employment? Do the same company and the usual confidentiality measures, the value and nature
rules apply to new intellectual property developed by of the trade secret in detail as well as the specific circumstances of its
contractors or consultants? use. Physical access restrictions and precautions as well as contractual
security mechanisms should be considered.
In Germany, intellectual property generated by an employee will not The still fairly new law protects trade secrets against direct
automatically become the gratuitous property of the employer as in most unlawful attainment, use and disclosure, as well as against indirect
other jurisdictions. Rather, the German Act on Employees’ Inventions infringements when third parties acquire trade secrets from a party and
provides a complex system according to which the employer merely has knew or should have known that a trade secret was used or disclosed
a right to claim an employee invention. In this case, the employer must in an unlawful way. In the event of an unlawful action, the holder of a
pay a certain amount, which is calculated in a complex manner based on trade secret can claim for cease and desist, destruction, surrender and
a number of factors and parameters. recall, disclosure, and, in the case of intentional or negligent violation,
These rules do not apply to independent contractors or consult- damages. A special feature of the German Trade Secrets Act is the legal
ants. If the intellectual property is based on true cooperation, this can basis for a right to information about infringing products. Thus, it can
lead to complex legal situations, including the factual foundation of a prove a powerful tool to protect confidential information when other
private partnership. Accordingly, any such potential issues should be intellectual property rights might not be applicable.
dealt with in a contract, clearly allocating the rights and obligations of However, the German Trade Secrets Act does not provide protec-
all parties arising under such a cooperation or R&D project. tion against reverse engineering. Rather, it is generally permitted if the
product or article has been made publicly available or if it is in the lawful
Joint ownership possession of the party who observes, tests, examines or dismantles it
38 Are there any restrictions on a joint owner of intellectual and is not subject to any (contractual) prohibition from obtaining the
property’s right to use, license, charge or assign its right in trade secret.
intellectual property? As for the protection of trade secrets in court proceedings, the
German Trade Secrets Act stipulates special regulations that apply to
Subject to contractual stipulations, co-ownership of inventions and trade secret litigation proceedings only and prevails through execution
patents are considered a simple company-like structure (Gemeinschaft). proceedings. At the request of a party, contentious information can be
This legal form is dealt with in the German Civil Code, though only in fully or partly classified as a trade secret. Parties to the proceedings
rudimentary form. Each owner may use the invention (as a rule, without and individuals with access to procedural documents can neither use
having to pay a licence fee to the others) or may sell its share in the nor disclose trade secrets. There is no in-camera proceeding, but the
invention. However, a licence may only be granted with the consent number of individuals gaining access to procedural documents can be
of all co-owners. Each co-owner can request that the Gemeinschaft limited to one natural person from each party and their respective liti-
be dissolved, which typically happens by way of selling the intellec- gant or legal representative. The court may, at the request of one of the
tual property asset. This is one reason why co-owners should devise a parties, impose a fine of up to €100,000 or imprisonment for up to six
contract early on rather than relying on statutory rights. months for failure to comply with the obligations; however, this might
In addition, the German trade secret law, unlike patent and copy- not be considered a very high fine compared to the value some trade
right law, does not regulate the legal relationship between joint owners secrets hold. The German Courts Constitution Act can also be applied
and can, therefore, cause difficulties if no contractual provisions are as it contains, inter alia, a confidentiality obligation subject to criminal
established. prosecution for the hearing itself.
After the proceedings it is relevant to know that the prevailing party
Trade secrets can request to (partly) publish the decision when it is legally binding and
39 How are trade secrets protected? Are trade secrets kept cannot be subject to appeals anymore.
confidential during court proceedings? As it is at the discretion of the court to decide which orders are
necessary for adequate protection during legal proceedings, it remains
Germany implemented the Trade Secrets Directive (EU) 2016/943 on to be seen how the still relatively new German Trade Secrets Act is
26 April 2019 with the civil law on the protection of trade secrets (ie, enforced in practice. In any event, care must be taken to ensure that
the German Trade Secrets Act), which first and foremost protects trade trade secrets are, firstly, categorised and documented as such and,
secrets. Trade secrets are also protected under criminal law as well as secondly, kept secret by adequate trade secret measures so that confi-
through general civil law, civil procedure law and unfair competition dential treatment is ensured and accidental disclosure is avoided.
law (against general passing-off). Contracting parties are also free to
protect individually defined trade secrets.
The German Trade Secrets Act protects information that meets all
the following requirements:
72 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
www.lexology.com/gtdt 73
© Law Business Research 2020
Germany Simmons & Simmons LLP
74 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Germany
www.lexology.com/gtdt 75
© Law Business Research 2020
Germany Simmons & Simmons LLP
Where it is sufficient that two of these three criteria are met, finan-
cial sector enterprises and credit institutions are excluded from these
measures.
76 Fintech 2021
© Law Business Research 2020
Gibraltar
David Borge, Kunal Budhrani and Peter Howitt
Ince
www.lexology.com/gtdt 77
© Law Business Research 2020
Gibraltar Ince
• acting as a bureau de change; and • Financial Services (Alternative Investment Fund Managers)
• providing distributed ledger technology services. Regulations 2020;
• Financial Services (Investment Services) Regulations 2020;
Consumer lending • Financial Services (UCITS) Regulations 2020;
5 Is consumer lending regulated in your jurisdiction? • Financial Services (Distance Marketing) Regulations 2006; and
• Financial Services (Experienced Investor Funds) Regulations 2020.
Consumer lending is a regulated activity in Gibraltar.
Directive 2014/17/EU (the Mortgage Credit Directive) created Fintech companies providing alternative finance products would fall
harmonised EU rules in the mortgage-credit market in respect of within the scope of the regulatory regime of collective investment
the provision of credit for residential properties. It is transposed schemes if the product or service being offered falls within the defini-
into Gibraltar law by way of the Financial Services (Mortgage Credit) tion of a collective investment scheme.
Regulations 2020 and does the following:
• sets out the requirement to provide precontractual information Alternative investment funds
through the European Standardised Information Sheet – a stand- 8 Are managers of alternative investment funds regulated?
ardised format – and the calculation of the Annual Percentage Rate
of Charge; Managers of alternative investment funds are regulated in Gibraltar.
• sets out principles for marketing and advertising; Gibraltar has implemented the EU regime applicable under the
• encourages the concept of responsible lending practices; Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD)
• includes provisions requiring the lender to assess the creditworthi- in respect of the regulation of investment advisers, arrangers and
ness of the consumer, and imposes disclosure obligations on the managers, as well as managers of collective investment schemes. It
part of the consumer; also has national legislation that covers a number of other areas outside
• requires the application of appropriate standards to valuations, the scope of EU law, which can largely be found in the Financial Services
where these are carried out; Act 2019 and the Financial Services (Collective Investment Schemes)
• provides standards for the provision of advisory services; Regulations 2020.
• provides minimum knowledge and competence requirements for The AIFMD has been implemented by way of several legislative
staff as well as remuneration requirements; changes, including those made to the following:
• establishes a regulatory regime for creditors and credit intermedi- • Financial Services (Alternative Investment Fund Managers)
aries, as well as containing provisions that allow for the regulation Regulations 2020;
and supervision of non-credit institutions; and • Financial Services (Alternative Investment Fund Managers) (Fees)
• permits tied credit intermediaries and appointed representatives. Regulations 2015;
• Financial Services (Alternative Investment Fund Managers
The lending of amounts between €200 and €75,000 (which are not (European Long-Term Investment Funds) Regulations 2020;
secured by way of mortgage) is governed by two distinct regimes: the • Financial Services (Alternative Investment Fund Managers)
Financial Services (Consumer Credit) Act 2011 and by the Financial (European Venture Capital Funds) Regulations 2020;
Services (Moneylending) Act 1917. • Financial Services (Alternative Investment Fund Managers)
Licences granted under the Financial Services (Consumer Credit) (European Social Entrepreneurship Funds) Regulations 2020; and
Act 2011 are issued and regulated by the GFSC, while licences granted • Financial Services (Experienced Investor Funds) Regulations 2020.
under the Financial Services (Moneylending) Act 1917 are issued by the
Gibraltar Finance Minister. The regime under the AIFMD applies to fund managers that manage
within the scope of alternative investment funds.
Secondary market loan trading Most funds in Gibraltar are either experienced investor funds (EIFs)
6 Are there restrictions on trading loans in the secondary (not available to retail investors) or private funds (limited to 50 inves-
market in your jurisdiction? tors and not capable of being publicly promoted).
Some investors take advantage of the private funds regime in
There are no restrictions on trading loans in the secondary market in Gibraltar, which is intended to be a vehicle to enable friends, family and
Gibraltar. close associates of a person to invest using a pooling structure without
the need for full authorisation of the fund. Private funds are limited to 50
Collective investment schemes investors and do not require licensed fund administrators (unlike EIFs).
7 Describe the regulatory regime for collective investment
schemes and whether fintech companies providing alternative Peer-to-peer and marketplace lending
finance products or services would fall within its scope. 9 Describe any specific regulation of peer-to-peer or
marketplace lending in your jurisdiction.
The regulatory framework for collective investment schemes is set out
in the Financial Services (Collective Investment Schemes) Act 2011, There is no specific regulation governing peer-to-peer lending in
which, among other things, transposes Directive 2009/65/EC on under- Gibraltar; however, any person or entity wishing to offer lending
takings for collective investment in transferable securities into national platform services must ensure that they comply with the Markets in
law. The Financial Services Act 2019, the Financial Services (Collective Financial Instruments Directive (MiFID) (if applicable) and with local
Investment Schemes) Regulations 2011 and Financial Services financial services and securities legislation, such as the Financial
(Collective Investment Scheme Administrators) Regulations 2020 are Services (Investment Services) Regulations 2020, which regulates
the main pieces of legislation governing all retail collective investment offering securities and investment services.
schemes in Gibraltar.
In relation to undertakings in collective investment schemes in
transferable securities, the following regulations are applicable:
78 Fintech 2021
© Law Business Research 2020
Ince Gibraltar
Gibraltar does not have a specific crowdfunding regime. At present, No, but the EU General Data Protection Regulation is in effect in Gibraltar
MiFID does not provide a unified crowdfunding landscape in the EU and so European data protection laws apply.
and largely relies on specific local regimes. Operators in Gibraltar
also need to consider the applicability of local regulatory regimes of CROSS-BORDER REGULATION
the jurisdiction of the investor when seeking to raise finance by way of
crowdfunding. Passporting
17 Can regulated activities be passported into your jurisdiction?
Invoice trading
11 Describe any specific regulation of invoice trading in your Certain regulated activities that are subject to European harmonised
jurisdiction. financial services regulatory regimes, such as the Markets in Financial
Instruments Directive, the Alternative Investment Fund Managers
There is no specific regulation relating to invoice trading in Gibraltar. Directive, credit institutions, insurance and reinsurance intermediaries,
payments and e-money services can be passported into Gibraltar from
Payment services other EU member states.
12 Are payment services regulated in your jurisdiction?
Requirement for a local presence
The second Payment Services Directive (PSD2) applies in Gibraltar 18 Can fintech companies obtain a licence to provide financial
and has been transposed into national law by virtue of the Financial services in your jurisdiction without establishing a local
Services (Payment Services) Regulations 2020. presence?
There is no specific regulation of robo-advisers or other companies that The marketing of financial services and products is governed by the
provide retail customers with automated access to investment products Financial Services Act 2019. It requires that where financial products
in Gibraltar. and services are advertised the contents and the presentation are fair
and not misleading and the risks involved in that service or investment
Insurance products are disclosed and understood. It further provides that the issuer of the
15 Do fintech companies that sell or market insurance products advertisement has the appropriate expertise in relation to the invest-
in your jurisdiction need to be regulated? ment or service.
Distance sales are also covered by the Financial Services (Distance
Fintech companies that sell or market insurance products are regulated Marketing) Act 2006.
by the same national legislation that regulates traditional insurance
products. This includes the following: CHANGE OF CONTROL
• Financial Services Act 2019;
• Financial Services (Insurance Distribution) Regulations 2020; Notification and consent
• Financial Services (Insurance Management) Regulations 2020; 20 Describe any rules relating to notification or consent
• Financial Services (Insurance Companies) Regulations 2020; requirements if a regulated business changes control.
• Financial Services (Insurance Companies: Accounts Directive)
Regulations 2020; Changes in the control of a regulated business requires the Gibraltar
• Financial Services (Insurance Distribution) Regulations 2020; Financial Services Commission consent and approval.
• Financial Services (Insurance Business Transfer) (Saving)
Regulations 2020; and
• Insurance (Marine) Act 1960.
www.lexology.com/gtdt 79
© Law Business Research 2020
Gibraltar Ince
FINANCIAL CRIME In a novation, the transferee transfers both rights and obligations
to a third party: this is usually executed by way of deed, which requires
Anti-bribery and anti-money laundering procedures execution by all the parties involved.
21 Are fintech companies required by law or regulation to have Without a perfected deed of assignment or deed of novation, rights
procedures to combat bribery or money laundering? or obligations under a loan agreement will not be assigned. This would
prevent the new lender from enforcing its rights against the borrower
Fintech companies are subject to the same laws relating to money laun- and the borrower enforcing its rights against the new lender.
dering and bribery as any other financial services provider in the EU.
This derives from the fifth Anti-Money Laundering Directive and is trans- Securitisation risk retention requirements
posed into national law by way of the Proceeds of Crime Act 2015 (POCA). 25 Are securitisation transactions subject to risk retention
POCA requires fintech companies to have measures in place to requirements?
prevent the financial system from being used for money laundering or
terrorist financing purposes. Yes, securitisation transactions are subject to risk retention
The Crimes Act 2011 details rules related to anti-bribery require- requirements.
ments. In addition, Gibraltar is a British Overseas Territory and so various EU Regulation 2017/2404/EU (the Securitisation Regulation)
elements of the UK anti-bribery regime (Bribery Act 2010) are applicable. applies directly in EU member states, including Gibraltar, as of 1
January 2019.
Guidance The Securitisation Regulation applies to relevant securitisation
22 Is there regulatory or industry anti-financial crime guidance transactions, the securities of which are issued on or after 1 January 2019
for fintech companies? and to any securitisation in which a new securitisation position is created
on or after 1 January 2019, subject to certain transitional arrangements.
The Gibraltar Financial Services Commission has issued anti- Under the Securitisation Regulation, originators, sponsors and
money laundering guidance notes on its website (www.gfsc.gi/fsc/ original lenders (including corporates) are under a positive obligation to
financialcrime). retain a 5 per cent net economic interest in securitisation transactions.
The Gibraltar Association of Compliance Officers is among the
organisations that issue anti-financial crime guidance for fintech Securitisation confidentiality and data protection requirements
companies. 26 Is a special purpose company used to purchase and securitise
peer-to-peer or marketplace loans subject to a duty of
PEER-TO-PEER AND MARKETPLACE LENDING confidentiality or data protection laws regarding information
relating to the borrowers?
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or Peer-to-peer and marketplace lending is not a specific regulated activity
security agreements? Is there a risk that loan agreements in Gibraltar.
or security agreements entered into on a peer-to-peer or
marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
TECHNOLOGY AND CRYPTO-ASSETS
Loan agreements must be executed in writing in accordance with the
same formalities that govern regular contracts. Artificial intelligence
Security agreements must also be in writing. Mortgages and 27 Are there rules or regulations governing the use of artificial
charges that contain a power of attorney should be executed as deeds. intelligence, including in relation to robo-advice?
Executed documents and their corresponding charge should be regis-
tered at Companies House within 30 days. No.
Where mortgage or security relates to real estate, there is a further
requirement to register it at the Gibraltar Land Titles Registry (Land Distributed ledger technology
Property Services Limited). 28 Are there rules or regulations governing the use of
Peer-to-peer and marketplace lending is not a regulated activity distributed ledger technology or blockchains?
in Gibraltar.
Yes, the Financial Services (Distributed Ledger Technology Providers)
Assignment of loans Regulations 2020 (the DLT Regulations).
24 What steps are required to perfect an assignment of
loans originated on a peer-to-peer or marketplace lending Crypto-assets
platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto-
assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and
loans without informing the borrower? e-money?
Ordinarily, rights or obligations under a loan can be assigned by way of E-money and payment services are governed by the Financial Services
assignment and by novation. (Electronic Money) Regulations 2020 and Financial Services (Payment
Under an assignment, a lender assigns its rights under a loan to a Services) Regulations 2020 respectively.
new lender. The original lender only transfers its rights, for example, to Subject to the below, the use of crypto-assets is regulated by
receive loan repayment and interest payments. The lender is still liable the DLT Regulations in relation to DLT. Entities that handle or store
for any obligations under the loan. Unless the original loan provides crypto-assets (specifically, such as collective investment schemes
otherwise, the borrower may need to be notified of the assignment or that are investing in crypto-assets) but that are not licensed under the
consent to it. An assignment is usually executed by deed. DLT Regulations are still expected to adhere to the Gibraltar Financial
80 Fintech 2021
© Law Business Research 2020
Ince Gibraltar
Services Commission guidance to DLT providers in relation to safe- In the case of automated processing, each data controller and data
keeping of customer assets, cybersecurity and resilience. processor must, following an evaluation of the risks, implement meas-
Where an alternative financial services licence is applicable, alter- ures designed to:
native legislation would take precedence over the DLT Regulations. • prevent unauthorised processing or unauthorised interference
By way of example, under Gibraltar law an experienced investor fund with the systems used in connection with it;
(EIF) can contain crypto-assets and so might fall within EIF regulations. • ensure that it is possible to establish the precise details of any
Equally, a crypto-asset that represents a security may fall within the processing that takes place;
ambit of legislation governing securities. • ensure that any systems used in connection with the processing
function are used properly and may, in the case of interruption, be
Digital currency exchanges restored; and
30 Are there rules or regulations governing the operation of • ensure that stored personal data cannot be corrupted if a system
digital currency exchanges or brokerages? used in connection with the processing malfunctions.
The operation of digital currency exchanges or brokerages is governed Fintech businesses are also expected to adhere to Gibraltar Financial
by the DLT Regulations. The exception to this is when the exchange Services Commission guidance issued in relation to the safekeeping of
or brokerage offers a service that requires an alternative financial customer assets, cybersecurity and resilience that apply to distributed
services licence. ledger technology providers.
www.lexology.com/gtdt 81
© Law Business Research 2020
Gibraltar Ince
• there is no specific requirement for a DLT Provider to have their • it was made in the course of the employee’s duties and the employee
technology or servers physically located in Gibraltar; and similarly, has, because of the nature of the duties and the particular respon-
a DLT provider will not ordinarily be required to have their intel- sibilities arising from them, a special obligation to further the
lectual property held in Gibraltar as this may be held by an affiliate employer’s interests.
company outside Gibraltar;
• a DLT provider will be able to use cloud services to host their busi- Joint ownership
ness platforms and this can be outsourced to reputable and secure 38 Are there any restrictions on a joint owner of intellectual
cloud service providers locally or outside Gibraltar so long as the property’s right to use, license, charge or assign its right in
DLT provider can demonstrate it has access to and adequate over- intellectual property?
sight over cloud storage and processing; and
• a DLT provider should ensure that it has access to all relevant In Gibraltar, in the absence of some other agreement between them,
records, and can provide access to the GFSC on demand, at all co-owners will be able to exploit the jointly held rights themselves
times and have arrangements in place in the event of failure of but will not will not be able to assign or license them to third parties,
primary record storage systems. without the consent of the other co-owner.
While the guidance is specific to DLT providers, it is deemed to apply to Trade secrets
all financial service companies in Gibraltar. 39 How are trade secrets protected? Are trade secrets kept
confidential during court proceedings?
INTELLECTUAL PROPERTY RIGHTS
As with the ownership of IP rights, the confidentiality of trade secrets is
IP protection for software usually governed by confidentiality clauses in the employment contract
36 Which intellectual property rights are available to protect or service contract.
software, and how do you obtain those rights? In respect of court proceedings, upon application by one of the
parties, the courts will often embargo the reporting of such trade secrets.
Gibraltar follows English law in relation to the registration of IP rights
and the protection of registered and unregistered IP rights. Branding
The UK Patents Act 1977 operates in Gibraltar by virtue of the 40 What intellectual property rights are available to protect
Gibraltar Patents Act 1924. It is not possible to make an original applica- branding and how do you obtain those rights? How can
tion to register a patent in Gibraltar. The application must be made to fintech businesses ensure they do not infringe existing
the UK Intellectual Property Office and extended to include Gibraltar brands?
within three years of the UK patent’s date of issue and protection will
run for as long as the UK patent is valid. As with other IP, branding can be protected by way of trademark or
European trademarks may be registered from Gibraltar and a UK design registration. Further, there are instances in which even without
registration can be extended to cover Gibraltar. formal registration, the brand or trademark may have developed suffi-
Designs registered in the UK are automatically protected in cient goodwill to enable the brand owner to take action against another
Gibraltar by virtue of the Gibraltar Designs Act 1928. There is no Gibraltar person or entity for infringement or passing-off.
design registry and no need for an application to be made in Gibraltar. To avoid infringement, fintech companies should carry out the
Designs registered in the EU (by way of a registered community design) appropriate online searches and searches of IP registers when devel-
are also automatically protected in Gibraltar under the Treaty on the oping a brand or product to ensure that it does not infringe pre-existing
Functioning of the European Union. Further international protection is intellectual property rights of third parties.
available under the World Intellectual Property Office Hague Agreement
Concerning the International Deposit of Industrial Designs 1925. Remedies for infringement of IP
With regard to unregistered designs, protection arises automati- 41 What remedies are available to individuals or companies
cally when the design is recorded in a design document or an article whose intellectual property rights have been infringed?
is made to the design. Designs made in Gibraltar qualify for reciprocal
protection in UK (Design Right (Reciprocal Protection) Order 1989 (No. Remedies for IP infringement include the following:
2) 1989 (SI 1989/1294)). • interlocutory relief;
In Gibraltar, copyright protects the authors of works by preventing • order for delivering up;
others from copying or reproducing the work, with protection arising auto- • seizure of infringing copies and other articles;
matically on creation of the qualifying work: registration is not required. • forfeiture;
• injunctions;
IP developed by employees and contractors • damages; or
37 Who owns new intellectual property developed by an • an account of profits.
employee during the course of employment? Do the same
rules apply to new intellectual property developed by COMPETITION
contractors or consultants?
Sector-specific issues
This is governed by the employment or service contract between the 42 Are there any specific competition issues that exist with
company and its employee or the contractor or consultant. Where respect to fintech companies in your jurisdiction?
there is no such contractual provision, the IP rights will belong to the
employer if: Fintech is viewed as generally pro-competitive in the financial services
• it was made in the course of the employee’s normal or specifically market. However, the EU competition regime applies to Gibraltar and
assigned duties; or is enshrined in articles 101 and 102 of the Treaty on the Functioning of
82 Fintech 2021
© Law Business Research 2020
Ince Gibraltar
the European Union, which sets out the rules relating to anticompetitive
agreements and the abuse of dominance.
TAX
Incentives
43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
fintech sector in your jurisdiction? David Borge
davidborge@incegd.com
Gibraltar has an attractive tax regime both for individuals and business, Kunal Budhrani
with businesses enjoying a 10 per cent corporate tax rate. There are, kunalbudhrani@incegd.com
however, no incentives specific to fintech companies. Peter Howitt
peterhowitt@incegd.com
Increased tax burden
44 Are there any new or proposed tax laws or guidance that
Unit 6.20, World Trade Center
could significantly increase tax or administrative costs for
6 Bayside Road
fintech companies in your jurisdiction?
Gibraltar GX11 1AA
Gibraltar
No. Tel: +350 200 68 450
www.incegd.com
IMMIGRATION
Sector-specific schemes
45 What immigration schemes are available for fintech Coronavirus
businesses to recruit skilled staff from abroad? Are there 47 What emergency legislation, relief programmes and other
any special regimes specific to the technology or financial initiatives specific to your practice area has your state
sectors? implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
A company can apply to the Gibraltar Government’s Finance Centre to address these concerns? What best practices are advisable
Department (the Finance Centre) director to have employees designated for clients?
as a high executives possessing specialist skills (HEPSS individual).
HEPSS individuals must: While the Gibraltar government was quick to implement measures
• possess specialist skills of exceptional economic value to Gibraltar; across the board to alleviate the general financial strain on employers
• have skills that are not available in Gibraltar; and and business tenants and has been extremely proactive in monitoring
• earn more than £100,000 a year. and modifying these measures on a daily basis.
No measures were introduced that were specific to the financial
Income tax liability is capped at the first £120,000 of taxable earnings. services and legal services industries.
The cap primarily applies to income from the designated employment, The Gibraltar Financial Services Commission is allowing finan-
but can extend to certain dividends, interest, pensions income and cial services licence fees to be paid over the course of 12 months as
foreign income. A HEPSS individual will be required to have residential opposed to upfront in advance as is usually required.
accommodation in Gibraltar that is suitable for HEPSS requirements.
The Finance Centre director must confirm suitability before a HEPSS
individual can enter into any residential property agreements.
Current developments
46 Are there any other current developments or emerging
trends to note?
www.lexology.com/gtdt 83
© Law Business Research 2020
Hong Kong
Ian Wood
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES to these agreements, the SFC will cooperate to share information on
emerging fintech trends, developments and related regulatory issues, as
General innovation climate well as on organisations that promote innovation in financial services.
1 What is the general state of fintech innovation in your In September 2017, the Insurance Authority launched a fast-track
jurisdiction? scheme to expedite applications by insurance companies using solely
digital distribution channels as a means to promote the development of
Hong Kong is home to more than 600 fintech companies and start-ups, insurtech in Hong Kong.
covering services in the areas of payment, AI, wealthtech, blockchain The government also supports tech start-ups through the HK$2
and insurtech. As is fitting for an international financial centre, more billion Innovation and Technology Venture Fund.
than one-third of fintech founders are from other countries. Nearly half
of the established fintech companies have been in operation for more FINANCIAL REGULATION
than three years, and the market has begun to mature. Hong Kong has a
67 per cent consumer fintech adoption rate according to a recent Trade Regulatory bodies
Development Council report, which demonstrates consumer desire 3 Which bodies regulate the provision of fintech products and
for innovative approaches to serving their financial needs; although, services?
business-to-business services remain the biggest drivers of fintech
development in Hong Kong. The government supports the sector and The main regulatory bodies are the Hong Kong Monetary Authority
has strengthened cooperation with regulators in other jurisdictions to (HKMA), Securities and Futures Commission (SFC) and the Insurance
encourage cross-border fintech development. Authority.
In 2019, the Hong Kong Monetary Authority (HKMA) granted eight
new ‘virtual bank’ licences. A number of new virtual banking licence Regulated activities
holders are operating in joint ventures, bringing together strengths 4 Which activities trigger a licensing requirement in your
from traditional banking and online platforms to facilitate innovation. jurisdiction?
Government and regulatory support Pursuant to the Securities and Futures Ordinance, the following activi-
2 Do government bodies or regulators provide any support ties are regulated and trigger a licence requirement:
specific to financial innovation? If so, what are the key • Type 1: dealing in securities;
benefits of such support? • Type 2: dealing in futures contracts;
• Type 3: leveraged foreign exchange trading;
Fintech is identified by the government as a priority investment area. • Type 4: advising on securities;
In 2019, the Hong Kong Monetary Authority (HKMA) granted • Type 5: advising on futures contracts;
eight virtual bank licences. These licences were granted as part of the • Type 6: advising on corporate finance;
government’s Smart Banking Initiative and recipients included tech- • Type 7: providing automated trading services;
nology companies as well as more traditional banks. • Type 8: securities margin financing;
The Securities and Futures Commission (SFC) operates a Fintech • Type 9: asset management; and
Contact Point and the HKMA established a Fintech Facilitation Office • Type 10: providing credit rating services.
which, in each case, are intended to facilitate the fintech community’s
understanding of the current regulatory regime and for the regulators to For the purposes of the above categories, ‘securities’ are very widely
work with market participants to support the sustainable development defined and include stocks, shares, loan stock, bonds, debentures, all
of the fintech industry. Linked with the Fintech Supervisory Sandbox rights and interests in such securities, interests in collective investment
established by the HKMA, in 2017 the SFC launched a Regulatory schemes and structured products. However, shares and debentures of
Sandbox that permits new and existing licensed entities to carry out a private Hong Kong company do not constitute securities. Hong Kong
regulated activities within a confined regulatory environment prior to private companies are companies incorporated in Hong Kong that
launching on a wider scale. restrict members’ rights to transfer shares, limit the maximum number
The HKMA is one of the founding contributors of, and the SFC has of shareholders to 50 and prohibit the making of an invitation to the
joined as a coordination group member of, the Global Financial Innovation public to subscribe for shares or debentures.
Network. The SFC has also signed cooperation agreements with a number The licensing regime applies irrespective of whether the specified
of overseas regulators, including the UK’s Financial Conduct Authority activities take place in Hong Kong or, if a person is actively marketing
and the Australian Securities and Investments Commission. Pursuant these activities to the public in Hong Kong, from outside Hong Kong.
84 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Hong Kong
The activities that are most relevant to fintech businesses are likely Collective investment schemes
to be dealing in securities and advising on securities. Dealing in securi- 7 Describe the regulatory regime for collective investment
ties includes making or offering to make an agreement with a person, or schemes and whether fintech companies providing alternative
inducing or attempting to induce another person to enter into an agree- finance products or services would fall within its scope.
ment to acquire, dispose, subscribe or underwrite securities. Advising
on securities includes giving advice on whether, and the terms on which, Broadly, a scheme is a collective investment scheme under Hong Kong
securities should be acquired or disposed of and issuing analyses or law if it has the following four elements:
reports for the purpose of facilitating decisions on whether to acquire • it is an arrangement in respect of property;
or dispose of securities. It is also possible that some fintech platforms • participants do not have day-to-day control over the management
could constitute automated trading services, the operation of which of the property even if they have the right to be consulted or to give
requires a licence. directions about the management of the property;
In addition to the above licensing requirements, if a business is • the property is managed as a whole by or on behalf of the person
undertaking banking activities, such as receiving money on a current, operating the arrangements or the contributions of the partici-
deposit, savings or similar account or paying or collecting cheques, pants, or both, and the profits or income from which payments are
such a business is required to be licensed as a bank by the HKMA. made to them are pooled; and
Certain other activities, such as moneylending, money exchange • the purpose of the arrangement is for participants to participate in
services, money remittance services and money broking services, or receive profits, income or other returns from the acquisition or
also require licences from the HKMA or the Commissioner of Customs management of the property.
and Excise.
The operation of stored value facilities (such as prepay cards or A collective investment scheme can cover any property and that prop-
prepay mobile apps) or designated retail payment systems is subject to erty does not need to be located in Hong Kong for the scheme to be a
a new licensing regime under the Payment Systems and Stored Value collective investment scheme. ‘Property’ in this context is not limited to
Facilities Ordinance. Operators of these facilities now require a licence real property.
from the HKMA. It is an offence in Hong Kong to issue any marketing material
that contains an offer to the Hong Kong public to acquire an interest
Consumer lending or participate in a collective investment scheme unless it has been
5 Is consumer lending regulated in your jurisdiction? authorised by the SFC or an exemption applies. Promoting a collective
investment scheme may also constitute a regulated activity for which a
Under Hong Kong law, the offering and provision of consumer lending is licence is required. It is possible that certain fintech activity could consti-
not distinguished from primary lending. tute a collective investment scheme where the business concerned is
Lending (consumer lending and primary lending) is a regulated managing assets on behalf of participants who have invested through a
activity in the jurisdiction and is governed by the Money Lenders fintech platform (eg, investing in real estate or debt securities). Careful
Ordinance. The Money Lenders Ordinance requires that all loans made analysis of the specific circumstances and the way in which the platform
available in Hong Kong are by licensed moneylenders or authorised permits investors to participate will be required to determine whether it
institutions (eg, licensed banks, restricted-licence banks and deposit- constitutes a collective investment scheme.
taking companies under the Banking Ordinance).
There are a number of exemptions that, if applicable, mean no formal Alternative investment funds
licence is required. The loan and lending entity would need to satisfy 8 Are managers of alternative investment funds regulated?
one of the specified categories of exempted lenders and exempted loans
in Schedule 1 of the Money Lenders Ordinance. Examples of exempted Management of securities or futures contracts or real estate investment
loans are: schemes constitutes a regulated activity as it falls under Type 9: asset
• a loan made bona fide for the purchase of immovable property on management of the Securities and Futures Ordinance. Accordingly,
the security of a mortgage of that property and a loan made bona managers of alternative investment funds that invest in real estate
fide to refinance such a mortgage; or securities (which are widely defined) or futures contracts require a
• a loan made by a company, firm or individual whose ordinary busi- licence to do so.
ness does not primarily or mainly involve the lending of money in The SFC confirmed in November 2018 that companies engaged in
the ordinary course of that business; the distribution to the Hong Kong public of funds that invest in virtual
• an intra-group loan; and assets are required to be licensed for Type 1 activity whether or not
• a loan made to a company that has a paid-up share capital of such virtual assets amount to ‘securities’. In addition, the SFC will now
not less than HK$1 million or an equivalent amount in any other apply additional conditions on licensed corporations that manage or
approved currency. distribute funds that invest, solely or partially, (more than 10 per cent
of the gross asset value) in, or that have a stated investment objective
Secondary market loan trading to invest in, virtual assets. These conditions include a restriction that
6 Are there restrictions on trading loans in the secondary such funds can only be invested in, or offered to, professional investors.
market in your jurisdiction?
Peer-to-peer and marketplace lending
Secondary market loan trading is not a regulated activity in itself but it 9 Describe any specific regulation of peer-to-peer or
constitutes primary lending regardless of whether the loan has been marketplace lending in your jurisdiction.
fully drawn and, therefore, the loan and lender are subject to the restric-
tions of the Money Lenders Ordinance. There are no specific regulations applicable to peer-to-peer (P2P)
However, secondary market loan intermediation is not a regulated or marketplace lending in Hong Kong. The SFC has issued a notice
activity, provided that it does not involve any lending or deposit-taking reminding potential P2P businesses that activity such as P2P lending
and provided that loans are not in the form of securities. might constitute a regulated activity, but much will depend on the
www.lexology.com/gtdt 85
© Law Business Research 2020
Hong Kong Simmons & Simmons LLP
precise structure of the platform. For example, it is likely that a platform Robo-advice
offering debentures or loan stocks would constitute a regulated activity 14 Describe any specific regulation of robo-advisers or other
of dealing in securities. companies that provide retail customers with automated
Additionally, it is an offence in Hong Kong to issue any marketing access to investment products in your jurisdiction.
material that contains an offer to the Hong Kong public to enter into
an agreement to acquire or dispose of securities, unless an exemp- Robo-advisers will usually need to be licensed by the SFC as they
tion applies. provide investment advice and services for dealing in securities.
In addition, the SFC has issued Guidelines on Online Distribution
Crowdfunding and Advisory Platforms that took effect on 6 July 2019 (the Guidelines).
10 Describe any specific regulation of crowdfunding in your The Guidelines set out requirements through the application of core
jurisdiction. principles concerning the proper design of the platform, clear disclo-
sure of information, risk management, governance, capabilities and
There are no specific regulations concerning crowdfunding. However, resources, review and monitoring of activities on the platform and
certain crowdfunding activity is likely to constitute a regulated activity. record-keeping. Specific guidance is also given concerning robo-advi-
For example, equity crowdfunding is likely to constitute dealing in secu- soes in respect of client profiling, system design and development,
rities and possibly advising on securities, both of which are regulated supervision and testing of algorithms and technology and staff resource
activities in Hong Kong. As such, the operator of these platforms would requirements.
need to be licensed by the SFC.
Additionally, it is an offence in Hong Kong to issue any marketing Insurance products
material that contains an offer to the Hong Kong public to enter into 15 Do fintech companies that sell or market insurance products
an agreement to acquire or dispose of securities unless an exemp- in your jurisdiction need to be regulated?
tion applies.
Yes, both insurance companies and insurance intermediaries (such as
Invoice trading agents) need to be authorised or registered, or both, with the Insurance
11 Describe any specific regulation of invoice trading in your Authority in Hong Kong.
jurisdiction.
Credit references
To the extent that an invoice is purchased, without risk of being re-char- 16 Are there any restrictions on providing credit references or
acterised as a loan for the purposes of the Money Lenders Ordinance, credit information services in your jurisdiction?
with true sale there is no specific regulation on the buying and selling
of invoices. This is common in factoring and invoice discounting The provision of credit ratings (opinions regarding the creditworthiness
arrangements. of entities other than an individual, securities and agreements to provide
However, if invoices are opened to the public and crowdfunded credit) is regulated, but the gathering, collating, dissemination or distri-
then the operator of the trading platform needs to follow certain regu- bution of information concerning the indebtedness or credit history of
lations. It is usually the case that if a platform investor is classed as a any person is not regulated (except under data protection law).
professional investor, then much of the regulation around crowdfunded
invoicing might not apply, depending on the platform structure. CROSS-BORDER REGULATION
Payment services include a wide range of activities such as taking cash No.
deposits, making cash withdrawals, executing payment transactions,
issuing or acquiring of payment instruments, issuing and administering Requirement for a local presence
means of payment, making payments sent through the intermediary of a 18 Can fintech companies obtain a licence to provide financial
telecoms, IT system or network operator, or even providing stored value services in your jurisdiction without establishing a local
cards or devices. presence?
Payment services are regulated activities in Hong Kong and are
subject to the Banking Ordinance, the Anti-Money Laundering and It is unlikely that the SFC would grant a licence for regulated activities
Counter-Terrorist Financing Ordinance and the Payment Systems and to an entity that did not have a local presence. Equally, the Hong Kong
Stored Value Facilities Ordinance (as applicable). Monetary Authority is unlikely to provide a banking licence to an entity
that does not have a presence in Hong Kong as it would be difficult to
Open banking see how such an entity could comply with the obligations to which it
13 Are there any laws or regulations introduced to promote would be subject as a bank.
competition that require financial institutions to make
customer or product data available to third parties? SALES AND MARKETING
No. However, the HKMA published the Open Application Programming Restrictions
Interface (API) Framework for the Hong Kong Banking Sector in July 19 What restrictions apply to the sales and marketing of
2018. This is intended to encourage financial institutions to make financial services and products in your jurisdiction?
information available through open APIs within a staged time frame
depending on the type of information but this is not a regulatory The issuance of any marketing materials that contain an offer to the
requirement. Hong Kong public to enter into an agreement to acquire or dispose of
86 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Hong Kong
securities must be authorised by the Securities and Futures Commission, (eg, the persons authorised in the board resolutions to sign) is required
unless an exemption applies. (under section 121 of the Companies Ordinance).
A security agreement would typically be required to be executed as
CHANGE OF CONTROL a deed. As such, in respect of the execution by a Hong Kong company,
the deed should be executed either with the common seal affixed in
Notification and consent accordance with the requirements in the articles of association of the
20 Describe any rules relating to notification or consent company or, in accordance with the Companies Ordinance, without the
requirements if a regulated business changes control. common seal affixed but signed by, in the case of a Hong Kong company
with two or more directors, any two directors or any director and the
Different consent requirements apply to the acquisition of different company secretary or, in the case of a Hong Kong company with sole
types of regulated businesses. In general, where a person is to become director, its sole director.
a holder of a specified percentage of a regulated entity or will control a The key risk in respect of a peer-to-peer (P2P) marketplace lending
specified percentage of voting rights of that entity, prior consent must platform is that in respect of pure P2P lending involving companies or
be obtained from the relevant regulatory authority. For banks or enti- individuals lending via the lending platform, each such lending company
ties that hold a licence for regulated activity, before a person acquires a and individual may be regarded as carrying on a business as a money-
holding of more than 10 per cent of the issued shares, or prior to them lender and, thus, is subject to licensing and regulatory restrictions,
controlling, alone or with other associates, more than 10 per cent of the including the restrictions on the form of loan agreement, early payment,
voting rights in the bank or regulated entity, consent must be sought interest rate, moneylending advertisements and duty to provide infor-
from the Hong Kong Monetary Authority or Securities and Futures mation and so on under the Money Lenders Ordinance.
Commission respectively. Additional rules apply to persons becoming
majority holders of banks and to the acquisition of indirect sharehold- Assignment of loans
ings in regulated entities. Failure to obtain consent is a criminal offence. 24 What steps are required to perfect an assignment of
In all cases, advice should be sought as to the applicable requirements loans originated on a peer-to-peer or marketplace lending
and the process for obtaining consent. platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these
FINANCIAL CRIME loans without informing the borrower?
Anti-bribery and anti-money laundering procedures According to the Hong Kong Law Amendment and Reform (Consolidation)
21 Are fintech companies required by law or regulation to have Ordinance, the legal assignment of a loan by the assignor (ie, the lender)
procedures to combat bribery or money laundering? to the assignee (ie, the purchaser) will be perfected if:
• the assignor absolutely assigns the receivable to the assignee;
If the relevant entity is licensed for regulated activities, is licensed as • the assignment is in writing and signed by the assignor in favour
a bank, operates a money service or provides trust or company incor- of the assignee; and
poration services, it needs to comply with the Hong Kong legislation • a written notice of assignment is delivered to and received by the
in relation to anti-money laundering and counter-terrorist financing, party liable to pay the loan (the underlying debtor, in other words,
including establishing policies and procedures to identify clients and the borrower).
combat money laundering and terrorist financing. Whether these
requirements apply to companies that receive digital currencies or Regarding the written notice of assignment above, although there is no
launching ICOs will depend on whether they are carrying out a regu- time limit within which this notice of assignment has to be given, the
lated activity and are required to be licensed to do so. notice should be given as soon as possible to complete the perfection
The Hong Kong legislation in relation to the prevention of bribery of the assignment.
would also apply, and licensed companies should have in place policies If the assignment is not perfected, the assignment concerned may
and procedures to prevent bribery. still constitute an equitable assignment (in contrast to a legal assign-
ment), which is still recognised by the Hong Kong courts, although there
Guidance are some practical disadvantages that may affect enforcement.
22 Is there regulatory or industry anti-financial crime guidance The lender (as assignor) need not obtain the consent of the
for fintech companies? borrower unless the loan agreement between the lender and the
borrower contains a prohibition on the lender assigning certain or all of
There is no specific guidance for fintech companies, but there is guid- its rights under the loan agreement to a third party.
ance for licensed corporations and banks that would apply to fintech Notification to the borrower of the assignment is not mandatory
businesses that are licensed accordingly. for the assignment to be effective. However, there are a number of
practical and legal difficulties that arise from an assignment without
PEER-TO-PEER AND MARKETPLACE LENDING notice to the debtor (that is, an equitable assignment rather than a legal
assignment).
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or Securitisation risk retention requirements
security agreements? Is there a risk that loan agreements 25 Are securitisation transactions subject to risk retention
or security agreements entered into on a peer-to-peer or requirements?
marketplace lending platform will not be enforceable?
In June 2016, the Hong Kong Monetary Authority (HKMA) published the
A loan agreement does not need to be executed as a deed and, accord- Credit Risk Transfer Activities Module (the CRTA Module) for inclusion
ingly, in respect of a Hong Kong company entering into a loan agreement, in the HKMA Supervisory Policy Manual. The CRTA Module defines an
only the signature of the persons acting upon the company’s authority ‘originator’ as:
www.lexology.com/gtdt 87
© Law Business Research 2020
Hong Kong Simmons & Simmons LLP
Distributed ledger technology The regulation of tokens offered in ICOs depends on the nature of the
28 Are there rules or regulations governing the use of tokens offered. Utility tokens that only provide membership or access to
distributed ledger technology or blockchains? a service or payment tokens that are only used as a means of payment
for goods or services (such as bitcoin) are not regulated. However,
There are no specific regulations or guidelines regarding the use of tokens that comprise securities under Hong Kong regulations are regu-
distributed ledger technologies. lated. For example, tokens that represent an asset such as a debt or a
88 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Hong Kong
claim on the issuer’s assets (such as a share in future earnings) or that Cybersecurity
amount to a collective investment scheme are securities. 33 What cybersecurity regulations or standards apply to fintech
Where the tokens involved in an ICO fall under the definition of businesses?
securities, dealing in or advising on these tokens, or managing or
marketing a fund investing in them, may constitute a regulated activity. There are no cybersecurity regulations or standards specifically
Persons engaging in a regulated activity targeting the Hong Kong public addressing fintech businesses in Hong Kong. Cybersecurity is covered
are required to be licensed by or registered with the SFC, irrespective under various laws and regulations, such as the Personal Data Privacy
of where they are located. In addition, investment products linked to any Ordinance and the Crimes Ordinance.
tokens (whether securities or not), such as futures or derivatives, are The Hong Kong Monetary Authority's (HKMA) Supervisory Policy
considered to be securities and offering, trading or advising on these Manual sets out the key regulatory standards that the HKMA expects
products is a regulated activity. authorised institutions to follow in relation to technology security and has
issued a circular on Cybersecurity Risk Management, requiring industry
DATA PROTECTION AND CYBERSECURITY players to establish appropriate governance frameworks. Several
frameworks were launched by HKMA to strengthen cyber resilience in
Data protection the banking sector, including the Enhanced Competency Framework on
32 What rules and regulations govern the processing and Cybersecurity and the Cybersecurity Assessment Framework.
transfer (domestic and cross-border) of data relating to The Securities and Futures Commission has issued the Guidelines
fintech products and services? for Reducing and Mitigating Hacking Risks Associated with Internet
Trading, and the Circular to All Licensed Corporations on Cybersecurity,
There are no specific regulations governing the processing and transfer setting out areas that licensed corporations should pay close attention
of data relating to fintech products and services in Hong Kong, but to when reviewing and mitigating their cybersecurity risks, as well as
fintech companies are required to comply with the Personal Data certain controls that these corporations should consider implementing
(Privacy) Ordinance (PDPO) when collecting or using the personal where applicable.
data of individuals. Personal data is information that relates to a living
person and can be used to identify that person, where the data is in a OUTSOURCING AND CLOUD COMPUTING
form in which access or processing is practicable. Organisations that
collect and use personal data must comply with, among other things, six Outsourcing
data protection principles, which include the following. 34 Are there legal requirements or regulatory guidance with
• DPP1: personal data can only be collected for a purpose directly respect to the outsourcing by a financial services company of
related to a function and activity of the data user in a lawful and a material aspect of its business?
fair manner, and the amount of data to be collected must not be
excessive. Data subjects have to be informed of the purpose of the The Securities and Futures Commission (SFC) has endorsed the
collection of data and how it will be used. Principles on Outsourcing of Financial Services for Market Intermediaries
• DPP2: data users must take all practicable steps to ensure published by the International Organisation of Securities Commission
personal data remains accurate and is deleted after the purpose of (the IOSCO Principles) but there are no specific regulations or guidance
collecting this data is fulfilled. issued by the SFC on outsourcing. There are specific requirements that
• DPP3: unless the data subject has given prior consent, personal regulated entities must comply with, such as record-keeping require-
data can only be used for the purpose for which it was originally ments, which are relevant to decisions to outsource parts of the business.
collected or a directly related purpose. The Hong Kong Monetary Authority (HKMA), which regulates
• DPP4: data users must take all practicable steps to ensure that authorised institutions, such as banks, includes in its supervisory policy
personal data is protected against unauthorised or accidental manual a chapter on outsourcing. The HKMA expects authorised insti-
accessing, processing, loss or erasure. tutions to be aware of their legal obligations to meet the minimum
• DPP5: data users should stipulate, publish and implement poli- authorisation criteria under the Banking Ordinance in relation to
cies in relation to personal data that can generally be achieved by outsourcing plans. In particular, authorised institutions need to have
having a data privacy policy in place. adequate accounting systems and systems of control and to conduct
• DPP6: individuals have rights of access to and correction of their their business with integrity, competence and in a manner not detri-
personal data. Data users should comply with data access or data mental to the interests of depositors.
correction requests within the requisite time limit, unless reasons
for rejection prescribed in the PDPO are applicable. Cloud computing
35 Are there legal requirements or regulatory guidance with
The Hong Kong Privacy Commissioner issued an information leaflet respect to the use of cloud computing in the financial services
in March 2019 explaining the privacy implications and risks of fintech industry?
applications. The publication also recommends good practices in rela-
tion to data privacy for fintech operators. The Hong Kong Privacy Commissioner, the HKMA and the SFC have
The Hong Kong Privacy Commissioner has also published an infor- published guidelines on outsourcing and data privacy in connection with
mation leaflet – ‘Matching Procedure: Some Common Questions’ – that cloud computing.
emphasises the importance of obtaining consent from all individual data The Hong Kong Privacy Commissioner has published various guide-
subjects or the Privacy Commissioner if the process of aggregation of lines, circulars and information leaflets providing guidance on measures
personal data for commercial gain constitutes a matching procedure and best recommended practices that are pertinent to cloud services.
under the PDPO, to ensure that the risk of potential harm to the relevant These include having contractual arrangements between providers and
data subjects is minimised. It also issued the ‘Guidance on the Proper customers of cloud services, to address the Privacy Commissioner’s key
Handling of Customers’ Personal Data for the Banking Industry’. concerns relating to loss of control, and the use, retention or erasure
and security, of personal data when it is stored in the cloud.
www.lexology.com/gtdt 89
© Law Business Research 2020
Hong Kong Simmons & Simmons LLP
The HKMA’s Supervisory Policy Manual sets out the key regulatory IP developed by employees and contractors
standards that the HKMA expects authorised institutions to follow, or 37 Who owns new intellectual property developed by an
else be prepared to justify non-compliance, for managing technology employee during the course of employment? Do the same
risks and cybersecurity, covering topics such as: rules apply to new intellectual property developed by
• IT governance and oversight, system development and change contractors or consultants?
management;
• information processing; Copyright created by an employee in the course of his or her employ-
• communication network management; and ment is automatically owned by the employer unless otherwise agreed.
• management of technology service providers. An invention made by an employee belongs to the employer:
• if it was made in the course of the normal duties of the employee or
The SFC has endorsed the IOSCO Principles in relation to ‘licensed in the course of duties falling outside his or her normal duties, but
corporations’ outsourcing their activities. The SFC also issued guide- specifically assigned to him or her, and the circumstances in either
lines that require licensed corporations to establish policies and case were such that an invention might reasonably be expected to
procedures to ensure the integrity, security, availability, reliability and result from the carrying out of his or her duties; or
thoroughness of all information relevant to the licensed corporation’s • if the invention was made in the course of the duties of the employee
business, which extends to situations where data is stored in the cloud. and, at the time of making the invention, because of the nature of
Other best recommended practices relevant to cloud computing include: his or her duties and the particular responsibilities arising from
• reviewing policies and procedures to manage, identify and assess the nature of his or her duties, he or she had a special obligation to
cybersecurity threats and IT security controls; further the interests of the employer’s undertaking.
• considering the cybersecurity controls of third-party service
providers; and Copyright or inventions created by contractors or consultants in the
• ensuring continuity of critical activities and systems. course of their duties are owned by the contractor or consultant unless
otherwise agreed in writing. However, the person who commissions a
On 31 October 2019, the SFC issued a circular on the use of external copyrighted work has an exclusive licence to exploit the commissioned
electronic data storage by licensed corporations. The circular sets out work for all purposes that could reasonably have been contemplated by
various requirements in relation to licensed corporations' use of external the author and the person who commissioned the work at the time the
data storage providers (EDSPs). These include requirements to obtain work was commissioned, and the power to restrain any exploitation of
undertakings from EDSPs in favour of the SFC in certain circumstances the commissioned work for any purpose against which he or she could
and requirements regarding the management of risks and security with reasonably take objection.
regard to the use of EDSPs.
Joint ownership
INTELLECTUAL PROPERTY RIGHTS 38 Are there any restrictions on a joint owner of intellectual
property’s right to use, license, charge or assign its right in
IP protection for software intellectual property?
36 Which intellectual property rights are available to protect
software, and how do you obtain those rights? If copyright is jointly owned (eg, copyright in respect of a computer
program that has been co-written by two people) then all joint owners
Computer programs (and preparatory design materials for computer must consent to any act restricted by copyright (such as its use, licensing
programs) are protected by copyright as literary works under the and assignment). As a result, the commercialisation of jointly owned
Copyright Ordinance. Copyright arises automatically as soon as the copyright can be a challenge unless all owners consent to its use. It is
computer program is recorded. Registration of copyright is not required advisable for the joint owners to enter into an agreement setting out
and is not possible in Hong Kong. how these rights should be exercised.
If the software code has been kept confidential, it may also be In respect of patents, each co-owner is entitled to an equal share in
protected as confidential information. No registration is required. the patent and can do anything in respect of the invention for his or her
Programs for computers, and schemes, rules or methods of doing own benefit without the consent or need to account to the other (in each
business ‘as such’, are expressly excluded from patentability under the case, subject to any other agreement reached between the co-owners).
Patents Ordinance.
Notwithstanding these exclusions, it is possible to obtain patents Trade secrets
for computer programs and business methods if it can be shown that 39 How are trade secrets protected? Are trade secrets kept
the underlying invention makes a ‘technical contribution’ over and confidential during court proceedings?
above that provided by the program or business method itself, such
as an improvement in the working of the computer. Accordingly, a Confidential information can be protected against misuse, provided
well-drafted patent may be able to bring a computer-based software the information in question has the necessary quality of confidence, is
or business method invention within this requirement, but this may be subject to an express or implied duty of confidence, and that no registra-
difficult to do and will not always be possible. Registration formalities tion is necessary (or possible).
must be followed to obtain protection. Confidential information can be kept confidential during civil
In particular, ‘standard’ patents are based on patents applied for proceedings with the permission of the court.
and granted by one of three designated patent offices, namely, in China,
the UK and the European Patent Office (where the UK is designated).
They have a maximum period of protection of 20 years from the filing
date of the designated application.
90 Fintech 2021
© Law Business Research 2020
Simmons & Simmons LLP Hong Kong
Branding
40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can
fintech businesses ensure they do not infringe existing
brands?
There are no specific tax incentives applicable to fintech companies. Current developments
46 Are there any other current developments or emerging
Increased tax burden trends to note?
44 Are there any new or proposed tax laws or guidance that
could significantly increase tax or administrative costs for There is a particular focus on opening up banking and payment infra-
fintech companies in your jurisdiction? structure and services in Hong Kong and the roll-out of services by the
holders of the newly granted virtual bank licences. The industry is also
No. watching the effect of the recent developments regarding the regulation
of virtual assets platforms.
www.lexology.com/gtdt 91
© Law Business Research 2020
Hong Kong Simmons & Simmons LLP
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
While there have not been any Hong Kong government support meas-
ures specifically targeted at the fintech sector, there are a number of
market-wide and industry programmes under which fintech business
may obtain support. These include low interest loans for small and
medium-sized enterprises (SMEs) and an SME financing guarantee
scheme, pre-approved loan principal payment holidays, employee wage
support, subsidies for Securities and Futures Commission-licensed indi-
viduals and waivers of business registration and annual return fees.
92 Fintech 2021
© Law Business Research 2020
India
Anuj Kaila and Stephen Mathias
Kochhar & Co
FINTECH LANDSCAPE AND INITIATIVES banks, financial institutions and any other company partnering with or
providing support to financial services businesses, is eligible to qualify
General innovation climate under the regulatory sandbox. The relaxations extend to applicants
1 What is the general state of fintech innovation in your dealing with liquidity requirements, board composition, management
jurisdiction? experience, financial soundness and track record.
The Securities and Exchange Board of India, in May 2020, also
India has been the hub of fintech innovation over the past few years, released its own regulations on a regulatory sandbox for fintech compa-
and reports suggest there are over 2,000 fintech start-ups at present nies in relation to securities markets. This sandbox deals primarily with
in the country. seeking innovation in securities market-related data, which includes
India is the world’s second most populous country, but a large data from depositories (holding and KYC data), stock exchange data
percentage of the population has yet to take the benefit of true financial (transaction data, such as order logs and trade logs) and mutual
inclusiveness. Fintech companies have a unique opportunity to combine fund data.
finance and technology to offer more effective financial solutions than This regulatory acknowledgement of innovation comes as a boost
traditional institutions. for the industry, which has always been a few steps ahead of the regu-
Fintech innovation is taking place across various industry verti- latory framework. Many entities have already started testing their
cals, which include banking, payments, insurance, asset management, innovative products within these sandboxes.
brokerage, etc. Fintech companies also focus on machine learning The government has also, over the past few years, opened no-frills
that analyses customer expectations and matches them with appro- bank accounts for the majority of people without access to formal
priate services. banking. This has given direct access to millions of Indians to formal
With the advent of Aadhaar, a biometric-based identification project, banking solutions.
the government can directly transfer subsidy-based payments to the
bank accounts of holders without any third-party intervention. Aadhaar FINANCIAL REGULATION
is also being used to meet know-your-customer (KYC) requirements in a
cost-effective manner. However, a Supreme Court ruling in recent years Regulatory bodies
over fears of privacy breaches of data with Aadhaar has derailed many 3 Which bodies regulate the provision of fintech products and
fintech companies relying on the Aadhaar database for their businesses, services?
and the law is in the process of being amended to resolve this issue.
There is no universal regulatory body for fintech entities in India.
Government and regulatory support Depending on the product or service offered by the entity, the regula-
2 Do government bodies or regulators provide any support tory body governing the vertical would regulate those specific entities.
specific to financial innovation? If so, what are the key By and large, fintech products and services can be considered to fall
benefits of such support? under the purview of these regulators: the Reserve Bank of India (RBI);
the Securities Exchange Board of India (SEBI); the Ministry of Electronics
The Reserve Bank of India (RBI) set up an inter-regulatory working and Information Technology; the Ministry of Corporate Affairs; and the
group to look into the granular aspects of fintech and its implications so Insurance Regulatory and the Development Authority of India (IRDAI).
as to review the regulatory framework and to respond to the dynamics However, the RBI currently regulates the majority of fintech companies
of the rapidly evolving scenario of the market concerned. The working dealing with payment aggregation and gateways, account aggregation,
group recommended the introduction of an appropriate framework for peer-to-peer (P2P) lending, cryptocurrencies, payments, etc.
a regulatory sandbox and to provide an environment for developing
fintech innovations and testing applications and application program- Regulated activities
ming interfaces developed by banks and fintech companies. 4 Which activities trigger a licensing requirement in your
Accordingly, the RBI, in August 2019, released regulations on jurisdiction?
a regulatory sandbox for fintech entities to enable and encourage
innovation in the industry with minimum regulatory supervision. The Indian law regulates various types of financial services. Advisory
innovative products permitted to be tested within the sandbox include work relating to investments in Indian securities requires a licence
retail payments, money transfer services, digital KYC, smart contracts, as an investment adviser. Certain types of investment banking, such
marketplace lending, financial advisory services, wealth management as assisting private companies in obtaining funding, are considered to
services, digital identification services, financial inclusion products be outside the scope of the licence. There are also licensed merchant
and cybersecurity products. Any fintech company, including start-ups, bankers; for example, making a public issue on the stock exchanges or
www.lexology.com/gtdt 93
© Law Business Research 2020
India Kochhar & Co
a public offer under the Takeover Code would need the support of a Asset reconstruction companies or securitisation companies are
registered merchant banker. There are different categories of merchant permitted to securitise the acquired debt and sell the securitised debt
bankers, and the functions of each level of category vary. There are only to qualified institutional buyers, which include banks, insurance
other categories of agencies that require a licence, such as custodians, companies and foreign institutional investors.
stockbrokers, underwriters, portfolio managers, credit rating agencies, Risk participation, either funded or unfunded, is unregulated in
foreign institutional investors, venture capital funds, depositories and India, and banks and NBFCs rarely enter into domestic risk participation
stock exchanges. transactions.
There are various categories of institutions that can engage in In June 2020, the RBI released draft guidelines easing securitisa-
lending. These are banks that include scheduled commercial banks tion and loan sale guidelines.
and non-scheduled commercial banks, cooperative society banks,
small finance banks, non-banking financial companies (NBFCs) and Collective investment schemes
moneylenders. In respect of deposits, there are various categories of 7 Describe the regulatory regime for collective investment
institutions that can receive deposits. These are banks that include schemes and whether fintech companies providing alternative
scheduled commercial banks and non-scheduled commercial banks, finance products or services would fall within its scope.
cooperative society banks, small finance banks, NBFCs that are author-
ised to receive deposits and payment banks. There is also the concept There are several categories of collective investment schemes. These are,
of a chit fund, which receives contributions from members and periodi- broadly, mutual funds, alternative investment funds (AIFs) and collective
cally conducts a lottery to pay the winner. Post offices can also receive investment schemes, all of which must be registered with SEBI. Mutual
deposits. There is a provident fund that is a pension scheme operated funds are primarily focused on listed equity and debt instruments, and
by the government. Mutual funds are also regulated. anyone can participate in a mutual fund. AIFs are primarily focused on
Factoring can be undertaken by banks, NBFCs registered as factors unlisted instruments, and primarily institutional investors invest in AIFs
with the RBI and certain other government entities. owing to a significant minimum investment by an investor.
Invoice discounting can be undertaken by banks, NBFCs and The regulations on collective investment schemes cover all other
corporates. forms of collective investment schemes. The regulations are extremely
Bonds and debentures can be listed on stock exchanges as public stringent on collective investment management companies; for example,
offerings. Syndications of loans are generally not regulated unless they there are requirements for rating, insurance, appraisal, schemes to be
are converted into securitised instruments. closed-ended, no guaranteed returns and restrictions on advertise-
Payment services are also regulated and are particularly relevant ment materials. Units subscribed to collective investment schemes
to fintech. are freely transferable. A fintech company must be registered as a
Entities in India can deal in foreign exchange trading only with collective investment management company to deal with collective
permitted stock exchanges and banks in India. Other entities, such as investment schemes. However, alternative financial services, such as
fully fledged money changers, are also permitted to deal with foreign P2P or marketplace lenders, would not fall under the ambit of collective
exchange. Indian residents are not permitted to trade in foreign investment schemes. There are separate regulations governing these
exchange through overseas trading platforms. services, which a fintech company must comply with.
Yes, consumer lending is regulated. There are various types of insti- Yes, managers of AIFs are regulated. There are requirements regarding
tutions that are entitled to engage in consumer lending. These are their qualifications and minimum years of experience. The manager or
banks that include scheduled commercial banks and non-scheduled sponsor of an AIF is also required to have a minimum investment in the
commercial banks, NBFCs, cooperative society banks, small finance fund of not less than 2.5 per cent or 50 million rupees, whichever is lower.
banks, microfinance institutions and moneylenders. Regulations require There are requirements relating to disclosure of their investments.
lending agencies to maintain standards relating to capital adequacy,
prudential norms, cash reserve ratio, statutory liquidity ratio, credit Peer-to-peer and marketplace lending
ceiling, know-your-customer guidelines, etc, although each of these 9 Describe any specific regulation of peer-to-peer or
norms would apply to each category of lending agency in a different marketplace lending in your jurisdiction.
manner. Each agency plays a different role in terms of the type of
lending and the kind of borrower. For example, infrastructure NBFCs The RBI is the authority that regulates P2P lending in India. All P2P
can extend credit facilities to entities in the transport, energy, water and lending platforms must be registered with the RBI as an NBFC. The eligi-
sanitation, and communications sectors. Loans and advances of up to bility requirements for a company to register as a P2P lending platform
2.5 million rupees are required to constitute at least 50 per cent of the include, among other things:
loan portfolio of small finance banks. • a minimum capital of 20 million rupees;
• that the company applying for registration is incorporated in India;
Secondary market loan trading • that a robust and secure information technology system is in place;
6 Are there restrictions on trading loans in the secondary • that there is a viable business plan; and
market in your jurisdiction? • that the promoters and directors fulfil the fit and proper criteria laid
down by the RBI.
Issuance and listing of debt securities and public offer and listing of
securitised debt instruments are regulated in India. Trading of debt Although many analysts have cheered the steps taken by the RBI to
securities and securitised debt instruments in the secondary market is regulate the P2P industry, the regulations themselves are extremely
permitted after the debt securities or securitised debt instruments are stringent in respect of the scope of activities that can be undertaken by
listed on a recognised stock exchange. these entities. For example:
94 Fintech 2021
© Law Business Research 2020
Kochhar & Co India
• P2P lending can only be done on an unsecured basis; The RBI, in March 2020, released regulations dealing with payment
• loan maturity is capped at 36 months; aggregators and payment gateways. Payment aggregators are enti-
• there is a limit of 50,000 rupees regarding exposure between the ties that facilitate the process for e-commerce sites and merchants to
same lender and borrower; accept various payment instruments from customers for the completion
• there is a limit of 1 million rupees in respect of exposure of a of their payment obligations, without the requirement for merchants to
borrower across all P2P lending platforms and 5 million rupees for create a separate payment integration system of their own. Payment
lenders across all P2P lending platforms; and aggregators make it easier for merchants to connect with acquirers,
• there must be quarterly reporting to the RBI. and, in the process, they receive payments from customers, and pool
and transfer them to the merchants.
Crowdfunding A payment aggregator must obtain a licence to carry on its busi-
10 Describe any specific regulation of crowdfunding in your ness, and it must strictly adhere to the technology specifications laid
jurisdiction. down in the regulations. Some of the conditions to be met by payment
aggregators are:
To the extent that crowdfunding involves investments in equity or debt • it must have a minimum net worth of 150 million rupees;
instruments, these would be regulated by company or securities law. • e-commerce entities engaging in payment aggregation should hive
A private company cannot access capital from the public and cannot off the payment aggregation business into a separate entity and
have more than 200 shareholders. It also cannot accept deposits from apply for a license;
the public. A public company must follow primary market processes for • it must follow stringent settlement timelines with merchants;
equity or debt funding. There are no regulations that deal directly with • it must adhere to know-your-customer and anti-money laundering
crowdfunding. guidelines prescribed by the government;
For other types of funding, that is, those that are not debt or equity • it must maintain an escrow account parking all merchant
based, the law is not settled at the moment as all kinds of crowdfunding proceeds; and
could be considered as ‘deposits’. We believe that crowdfunding that • it must do authenticity checks on merchants.
can be justified as an advance against purchase of a product would be
permitted in India. The regulations are only advisory in nature for payment gateways.
After the overnight demonetisation of the 500-rupee and 1,000-
Invoice trading rupee notes in circulation on 8 November 2016, digital payments have
11 Describe any specific regulation of invoice trading in your seen huge traction in the country. At the forefront of this traction are
jurisdiction. e-wallets; it is believed that e-wallet transactions have increased 40
times in the past five years. E-wallets are frequently used for online
To enhance the ease of financing micro, small and medium-sized enter- purchase of goods and services. They have also gained popularity
prises in India, the RBI has given approval to three companies to set because of the requirement of a second authentication (such as Visa
up invoice discounting platforms. The Trade Receivables Discounting Verify or MasterCard Secure Code) for ‘card not present’ credit card
System (TReDS) is a fintech platform where financers discount invoices and debit card transactions. This is difficult for services such as Uber.
due by corporates, government entities, etc. TReDS requires a minimum Accordingly, customers use payment wallets that allow for automatic
paid-up capital of 250 million rupees, and entities, other than the debit without the need for a second authentication.
promoters, are not permitted to maintain shareholding in excess of 10
per cent in TReDS. Open banking
13 Are there any laws or regulations introduced to promote
Payment services competition that require financial institutions to make
12 Are payment services regulated in your jurisdiction? customer or product data available to third parties?
Yes, payment services are regulated under the Payment and Settlement The laws regarding disclosure of customer data to third parties are
Systems Act 2007. A payment system is defined as ‘a system that enables not very well established in India. Banks are required to adhere to the
payment to be effected between a payer and a beneficiary, involving guidelines on information security, electronic banking, technology risk
clearing, payment or settlement service or all of them, but does not management and cyber fraud issued by the RBI to ensure the data
include a stock exchange’. These include credit cards, debit cards, smart protection of customers.
cards and money transfers. Any entity interested in commencing a Under normal circumstances, disclosure of customer data requires
payment system is required to obtain authorisation from RBI. prior written approval from the customer. This is usually obtained in
The categories of payment providers are payment aggregators and the account opening forms or provided for in the terms and condi-
payment gateways, prepaid payment instruments, financial market infra- tions. Under the current legal framework, financial institutions are only
structure (clearing houses), retail payment organisations, card payment obliged to share this information where the disclosure is required by a
networks (Visa, MasterCard, etc), cross-border money transfers, ATM court of law or where the disclosure is necessary for government agen-
networks, white-label ATM operators and instant money transfer. cies mandated under law to procure the information.
There are three types of prepaid payment instruments: open
payment instruments, which are payment instruments that can be used Robo-advice
to make a payment to any merchant; semi-closed, which are payment 14 Describe any specific regulation of robo-advisers or other
instruments that can be used to make payment to a defined set of companies that provide retail customers with automated
merchants; and closed, which are payment instruments of a merchant access to investment products in your jurisdiction.
for payment only to that merchant. Open payment instruments can be
issued only by banks. Cash withdrawal is permitted only in the case of SEBI, which regulates all public listed securities, has, in recent years,
open payment instruments. Only closed payment instruments do not directed all fund houses and asset management companies to report
require registration under the regulations. with SEBI all artificial intelligence and machine learning applications
www.lexology.com/gtdt 95
© Law Business Research 2020
India Kochhar & Co
and systems offered and used by mutual funds. SEBI intends to conduct SALES AND MARKETING
a survey and create an inventory of the robo-advisory landscape in the
Indian financial markets to gain an in-depth understanding of the adop- Restrictions
tion of those technologies in the markets and to ensure preparedness 19 What restrictions apply to the sales and marketing of
for any robo-advisory policies that may arise in the future. SEBI also financial services and products in your jurisdiction?
wants to ensure that any advertised financial benefit owing to these
technologies in investor facing financial products do not constitute Rules on marketing materials for financial services are fairly limited.
misrepresentation. Information in prospectus and letters of offer for public and public offers
respectively are regulated. The Reserve Bank of India also requires
Insurance products financial companies to use only registered telemarketers for telemar-
15 Do fintech companies that sell or market insurance products keting activity.
in your jurisdiction need to be regulated?
CHANGE OF CONTROL
Selling and marketing of insurance products is regulated in India. The
statutory authority regulating insurance products in India is IRDAI. An Notification and consent
insurer must justify the premium amount and terms and conditions 20 Describe any rules relating to notification or consent
of the insurance policy to be offered to customers to IRDAI. A fintech requirements if a regulated business changes control.
company cannot offer any insurance product for sale unless the fintech
company is duly certified by IRDAI. Most regulated entities require prior notification or consent for changes
IRDAI has also issued guidelines on the advertisement, promotion in control. For non-banking financial companies, including peer-to-peer
and publicity of insurance companies and insurance intermediaries. entities and account aggregators, prior approval from the Reserve Bank
Fintech companies must comply with these guidelines in respect of of India (RBI) is required for a change beyond 26 per cent shareholding.
marketing insurance products. For banks, RBI approval is required for foreign investment beyond 49
per cent shareholding. Foreign investment in banks is capped at 74 per
Credit references cent. For insurance companies, prior RBI approval is required when the
16 Are there any restrictions on providing credit references or transferee’s shareholding is likely to exceed 5 per cent shareholding of
credit information services in your jurisdiction? the insurance company, and if a transferor intends to transfer more than
1 per cent of its shareholding of the insurance company. For prepaid
Companies carrying on the business of credit information services are payment instrument entities and payment aggregators, any takeover,
regulated under the Credit Information Companies (Regulation) Act acquisition or change in management should be communicated to the
2005. Under the provisions of the Act, those companies must obtain a RBI within 15 days.
certificate of registration from the RBI. Credit information companies
are required to have a minimum issued capital of 200 million rupees. FINANCIAL CRIME
The RBI has set up a Central Repository of Information on Large Credits
to collect, store and disseminate credit data to lenders. Under the Anti-bribery and anti-money laundering procedures
Insolvency and Bankruptcy Code 2016, information utilities have been 21 Are fintech companies required by law or regulation to have
set up where all credit information is required to be reported by lenders procedures to combat bribery or money laundering?
and borrowers.
India has a law on the prevention of corruption that penalises
CROSS-BORDER REGULATION corrupt practices. There are no requirements on framing policies or
conducting training.
Passporting The Prevention of Money Laundering Act 2002 prescribes strict
17 Can regulated activities be passported into your jurisdiction? criminal penalties on entities indulging in money laundering. It covers
involvement with or concealment, possession, acquisition or use
No, India does not allow passporting of regulated activities; that is, a of proceeds of a claim or projecting or claiming such proceeds as
financial services provider registered in one country is not entitled to untainted property.
engage in regulated financial services in India purely based on regis- The Reserve Bank of India has also prescribed stringent know-
tration in a foreign jurisdiction and would need to obtain registration your-customer (KYC) norms, anti-money laundering standards and
separately in India. guidelines on combating the financing of terrorism to be adhered to by
all banks, non-banking financial companies, payment system operators,
Requirement for a local presence e-wallet companies, etc.
18 Can fintech companies obtain a licence to provide financial Companies or exchanges dealing with digital currencies are gener-
services in your jurisdiction without establishing a local ally not regulated in India.
presence?
Guidance
By and large, this would be difficult as obtaining a licence for a regu- 22 Is there regulatory or industry anti-financial crime guidance
lated financial service is available only to agencies incorporated in India for fintech companies?
or, in the case of banks, that have a presence in India. It is possible for a
fintech company outside India to provide services outside India to Indian India has fairly detailed laws with regard to the prevention of money
nationals, especially for investments outside India. However, the scope laundering, KYC requirements, insider trading and combating the
for this is limited because exchange control restrictions may come in the financing of terrorism. Depending on the services provided by the
way of making payments outside India for services rendered. fintech companies, they may be governed by some of or all these regu-
lations. There is also a heightened awareness of identity fraud, and most
96 Fintech 2021
© Law Business Research 2020
Kochhar & Co India
financial institutions require a much higher level of identity proof from necessary to make the assignment binding against the borrower. For
customers than is the case in many developing countries. example, A owes money to B, who transfers the right to receive the
Given the slow court process and inefficiencies of the investigative dues to C. B then demands the debt from A, who, having not received
agencies, financial institutions also resort to a high level of protection notice of the transfer, pays B. The payment is valid, and C cannot sue A
compared with developed countries, such as through higher security for the debt.
cover, undated cheques, bank guarantees, personal guarantees and the In June 2020, the Reserve Bank of India released draft guidelines
appointment of nominee directors. Fintech companies must consider easing securitisation and loan sale guidelines.
the optimal mix of these options to balance obtaining sufficient protec-
tion with ensuring business efficiency. Securitisation risk retention requirements
25 Are securitisation transactions subject to risk retention
PEER-TO-PEER AND MARKETPLACE LENDING requirements?
Execution and enforceability of loan agreements The transferor transfers the risk of the underlying asset to the trans-
23 What are the requirements for executing loan agreements or feree. It is not necessary for the transferor to retain the risk from the
security agreements? Is there a risk that loan agreements underlying asset. This is usually negotiated and specifically agreed to
or security agreements entered into on a peer-to-peer or during the transfer.
marketplace lending platform will not be enforceable?
Securitisation confidentiality and data protection requirements
Loan agreements and security agreements must be executed in accord- 26 Is a special purpose company used to purchase and securitise
ance with the constitutional documents of the entity and the corporate peer-to-peer or marketplace loans subject to a duty of
authorisations executed by the entity. Under Indian law, a mortgage confidentiality or data protection laws regarding information
deed – that is, relating to immovable property – is executed by the relating to the borrowers?
mortgagor, attested by two witnesses and registered with the relevant
land registry. Most security arrangements involving immovable prop- Under Indian banking laws, there is a central register maintained by the
erty relate to mortgage by deposit of title deeds. A mortgage by deposit regulator relating to security being provided by borrowers. This register
of title deeds or an equitable mortgage encompasses a declaration is accessible by any person upon payment of the prescribed fees.
provided by the mortgagor and a memorandum of entry in the records Outside this law, general laws on data protection and privacy apply,
of the mortgagee that records the deposit of title deeds. There are other and a duty of confidentiality also applies. The law provides for payment
various formalities to ensure perfection of the security documents. This of compensation on failure to exercise reasonable security practices
includes filing a form with the company registry and registration of the and procedures to protect sensitive personal data or information (which
charge with a central registry for security interest. includes financial information) that results in wrongful loss or gain, and
As long as the peer-to-peer (P2P) lending contracts are prop- a criminal penalty for disclosure of personal information in breach of
erly executed, they would be enforceable. While Indian law broadly contract or without consent of the data subject where the breach is done
allows electronic contracts, a key issue relates to stamp duty. Indian with the intention of or knowing that it is likely to result in wrongful loss
state governments are yet to introduce digital stamping of documents. or wrongful gain.
There is, therefore, likely to be a need for contracts to be printed and
stamped to comply with laws on stamp duty and for those contracts to ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
be admitted as evidence in court. TECHNOLOGY AND CRYPTO-ASSETS
www.lexology.com/gtdt 97
© Law Business Research 2020
India Kochhar & Co
In 2015, the RBI released a Financial Stability Report, detailing the Initial coin offerings
possible impact of blockchain technology. The report recognises the 31 Are there rules or regulations governing initial coin offerings
need for the regulators and authorities to keep pace with developments (ICOs) or token generation events?
as many of the world’s largest banks are said to be supporting a joint
effort to set up a ‘private blockchain’ and build an industry-wide plat- ICOs are not regulated in India. The regulatory sandbox set up by the RBI
form for standardising the use of the technology. specifically restricts ICOs from being tested in it.
The importance of blockchain and distributed ledger technologies
also finds specific mention in the report published by the working group DATA PROTECTION AND CYBERSECURITY
set up by the RBI on fintech and digital banking. The working group
recognises the importance of adopting these technologies in the finan- Data protection
cial sector. On numerous occasions, the government has also made 32 What rules and regulations govern the processing and
public statements in support of vast adoption of these technologies in transfer (domestic and cross-border) of data relating to
various government sectors. A prime example of where the technology fintech products and services?
could be extremely useful in India is for maintaining land records, which
the government recognises and hopes to implement in the near future. India does not have a specific law on data protection. Certain provi-
Certain Indian banks have successfully used blockchain technology sions of the Information Technology Act 2000 (the IT Act) deal with data
in trade finance transactions with foreign banks. There are also reports protection.
on Indian banks looking to use blockchain technology to share know- There are two provisions, civil and criminal, on the use of personal
your-customer information through a private blockchain. data. A body corporate that has access to sensitive personal data or
information (SPDI) will be liable to compensation if it is negligent in using
Crypto-assets reasonable security practices and procedures (RSPP) in protecting such
29 Are there rules or regulations governing the use of crypto- SPDI and it results in wrongful loss or wrongful gain. SPDI includes:
assets, including digital currencies, digital wallets and • passwords;
e-money? • financial information, such as bank account, credit or debit card or
other payment instrument details;
On 6 April 2018, the RBI issued a circular prohibiting any entity regu- • information on physical, physiological and mental health conditions;
lated by the RBI (including banks, financial institutions, payment • sexual orientation;
gateways and digital wallets) from dealing with digital currencies or • medical records and history; and
providing services that facilitate any person or entity in dealing with or • biometric information.
settling digital currencies. The prohibition on services included main-
taining accounts, registering, trading, settling, clearing, giving loans RSPP refers to procedures determined by any law in force (at present,
against virtual tokens, accepting them as collateral, opening accounts none) or as agreed between the parties and, in the absence of those, the
of exchanges dealing with them and transferring or receiving money rules of the central government. Accordingly, it is open to an organisa-
in accounts relating to the purchase or sale of digital currencies. tion to agree privacy policies and security standards with its customers,
Regulated entities were given until 6 July 2018 to discontinue providing service providers, employees, etc. The central government rules are
those services. more in the nature of cursory privacy rules on collection, storage,
This circular essentially crippled the digital currency market transfer, etc, of SPDI. They prescribe no specific security standard.
in India. Users were only able to trade in digital currencies and not Indian law also imposes criminal penalties on an organisation
exchange or redeem them for Indian rupees as the mode of payment of providing a service that is in possession of personal information if it
Indian rupees is usually through banking channels. discloses the information in breach of contract or without the consent
This notification was appealed in the Supreme Court, which struck of the data subject and does so with the intention of or knowing that it is
down this order of the RBI. Entities have only recently resumed offering likely to result in wrongful gain or wrongful loss.
virtual currencies in India. However, banks in India are still cautious in There are some general data protection and security require-
dealing with any virtual currency operators. The government has, on ments applicable to the financial sector. For example, credit information
various occasions, displayed its displeasure on any cryptocurrencies companies are governed by certain norms concerning protection and
or virtual currencies being traded in India. Any entity dealing in those disclosure of personal information. The card-issuing entity should not
currencies in India should be extremely cautious in doing so. reveal any information relating to customers obtained at the time of
opening the account or issuing the credit card to any other person or
Digital currency exchanges organisation without obtaining their specific consent. The purpose for
30 Are there rules or regulations governing the operation of which the information would be used and the organisations with which
digital currency exchanges or brokerages? the information would be shared must also be disclosed.
The Reserve Bank of India (RBI) has frowned upon credit companies
There are no rules or guidelines relating to the operation of digital that obtain the consent of the customer for sharing their information,
currency exchanges or brokerages in India. That being said, on 6 furnished while applying for the credit card with other agencies, as part
April 2018, the RBI issued a circular prohibiting any entity regulated of the terms and conditions. Credit companies must provide the customer
by the RBI (including banks, financial institutions, payment gateways with the option to decide whether he or she is in agreement with the
and digital wallets) from dealing with digital currencies or providing credit company sharing the information with other agencies. Credit
services that facilitate any person or entity in dealing with or settling companies are also required to explicitly state and explain clearly to the
digital currencies. This notification was appealed in the Supreme Court, customer the full meaning and implications of the disclosure clause.
which struck down this order of the RBI. Entities have only recently Separately, the regulations governing account aggregators
resumed offering virtual currencies in India. prescribe a consent architecture to be followed by aggregators while
Specific advice should be sought for the nature of the exchange. collecting personal and sensitive personal information from the data
subject. They also impose restrictions on the sharing of financial
98 Fintech 2021
© Law Business Research 2020
Kochhar & Co India
information without the consent of the data subject and a use limitation, Cloud computing
and they require the conducting of periodical information security audits. 35 Are there legal requirements or regulatory guidance with
The RBI has instructed all payment systems operators to store respect to the use of cloud computing in the financial services
the entirety of the data relating to payment systems, including the full industry?
end-to-end transaction details and the information collected, carried or
processed as part of the message or payment instruction, on servers At present there are no legal requirements or statutory guidance for use
located in India. The data storage norms also apply to system partici- of cloud computing.
pants, service providers, intermediaries, payment aggregators and The Institute for Development and Research in Banking Technology,
gateways, third-party vendors and other entities (whatever they are established by the RBI, has a centre for cloud computing. The centre
called) in the payments ecosystem who are retained or engaged by the focuses on providing suitable cloud platforms to banks for testing,
authorised or approved entities for providing payment services. If the undertaking studies on security, scalability and building secure cloud
processing of the payment transaction is done abroad, the data should storage, among other things.
be deleted from the systems abroad and brought back to India not A working committee formed by the RBI published a report on the
later than the one business day or 24 hours from payment processing, use of cloud computing by urban cooperative banks in 2012. The report
whichever is earlier. The data must be stored only in India, other than in tried to lay down the existing issues and the way forward for urban
cross-border payment transactions in which case a copy of the domestic cooperative banks to establish a robust IT network that includes cloud
component of the payment data may be stored abroad. computing.
India proposes to enact a Personal Data Protection Bill. It is There are various private players in the market offering their cloud
currently being reviewed by a joint committee of Parliament. Thereafter, computing services to banks and non-banking financial companies
it will be revised if required and then introduced in Parliament. The Bill (NBFCs). Banks and NBFCs in India are slowly accepting and moving
is expected to come into force before the end of 2020. towards those services.
www.lexology.com/gtdt 99
© Law Business Research 2020
India Kochhar & Co
Trade secrets A unique aspect of Indian law is that individuals can file a case of
39 How are trade secrets protected? Are trade secrets kept copyright or trademark infringement not just where the cause of action
confidential during court proceedings? arose or where the defendant resides or does business, but also where
the plaintiff resides and does business. Individuals can obtain Anton
India does not have a specific law dealing with trade secrets. Trade Piller orders for appointment of a court commissioner to conduct an
secrets are protected under the common law remedy of breach of confi- inspection, and it is possible to obtain injunctions.
dentiality. Confidentiality may be protected under contract or implied,
depending on the nature of the service. COMPETITION
Trade secrets are to be kept secret unless it is an inherent part
of the court proceedings; in that case, disclosure for the purpose of Sector-specific issues
providing evidence is required. This has sometimes acted as a deterrent 42 Are there any specific competition issues that exist with
to many from enforcing their trade secrets through the judicial process. respect to fintech companies in your jurisdiction?
Branding There are none. Indian competition law in general relates to anticompet-
40 What intellectual property rights are available to protect itive practices, monopolistic practices and merger control requirements,
branding and how do you obtain those rights? How can which are across all industries.
fintech businesses ensure they do not infringe existing
brands? TAX
Branding is largely protected under trademark law, whereby the indi- Incentives
vidual would need to register a trademark. The individual can file an 43 Are there any tax incentives available for fintech companies
action for infringement in the case of a registered trademark or a and investors to encourage innovation and investment in the
passing-off action in the case of unregistered marks. Indian law also fintech sector in your jurisdiction?
recognises the concept of transnational reputation of international
trademarks. There are no tax incentives specifically aimed at fintech companies.
Trademark owners can also register their brands with customs However, the fintech companies that qualify as start-ups may avail
authorities that could enable authorities to intercept goods they believe themselves of various benefits under the Startup India initiative
are counterfeits. The trademark owner can also claim prior use and launched by the Indian government. Tax benefits are also extended to
strike down a registered owner’s right, by seeking cancellation of the units in a special economic zone.
mark. The trademark owner can also keep watch and seek to oppose
any new marks that are the same or similar to the one owned by it. It Increased tax burden
can also obtain a copyright registration over the copyright in a mark. 44 Are there any new or proposed tax laws or guidance that
However, registration is not mandatory for ownership of copyright. could significantly increase tax or administrative costs for
A new business can undertake a trademark search to determine fintech companies in your jurisdiction?
whether a similar trademark has been registered. The trademark
registry is online, and the business can search via the trademark There are no specific additional taxes or exemptions for fintech compa-
registry website. The business can also undertake market studies or nies. However, under the Startup India initiative, certain companies
test marketing to see if similar unregistered marks are in use. It can falling under the ambit of the start-up definition are provided with tax
also search domain name registries to determine if websites with breaks to encourage innovation.
similar domain names have been registered.
IMMIGRATION
Remedies for infringement of IP
41 What remedies are available to individuals or companies Sector-specific schemes
whose intellectual property rights have been infringed? 45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there
If a trademark, copyright or patent has been infringed, the individual any special regimes specific to the technology or financial
would file a suit for infringement. In the case of a trademark, the indi- sectors?
vidual can also file a passing-off action. In the case of copyright and a
trademark, the individual can also pursue criminal remedies in the case There are no specific limits applicable for immigrants seeking employ-
of infringement. ment in India. There are certain criteria that the applicant must meet;
The Copyright Act deals with offences of infringement of copy- for example, a minimum salary of US$25,000 per year, subject to certain
right or other rights conferred under it. It provides for imprisonment exemptions given only to individuals with skills that are unavailable in
that ranges from six months to three years and a fine that ranges from India (such as highly qualified technical experts, senior executives in a
50,000 to 200,000 rupees. The Trademarks Act 1999 also deals with managerial position, etc). Labour and employment law in India dealing
criminal remedies against infringement and passing-off actions. Search- with immigration is complex and specific advice should be sought.
and-seizure procedures can also be invoked to deal with infringement.
Individuals can also engage in opposition proceedings in respect
of trademarks and patents that are sought to be registered. There is
a procedure for the cancellation of marks. In addition, individuals can
file actions with the company authorities in respect of companies regis-
tered with names that are similar to trademarks or other company
name; however, a trade name registration in no way confers trademark
protection.
Current developments
46 Are there any other current developments or emerging
trends to note?
There has been a large amount of activity in the fintech regulatory space
during the past year. The government has formally recognised the
importance of this niche industry by setting up committees to study the Anuj Kaila
anuj.kaila@bgl.kochhar.com
development and future of the industry. It has also passed regulations
on peer-to-peer lending platforms and account aggregators directly in Stephen Mathias
relation to fintech entities. stephen.mathias@bgl.kochhar.com
Although the Supreme Court struck down the notification of the
Reserve Bank of India (RBI) restricting cryptocurrencies, banks are 201 Prestige Sigma
reluctant to deal with any money arising from the proceeds of crypto- 3 Vittal Mallya Road
currencies. The financial industry will likely wait for an official go-ahead Bangalore 560001
from the government to commence full-fledged operations dealing with India
cryptocurrencies, which is extremely unlikely to happen. Tel: +91 80 4030 8000
On 6 April 2018, the RBI issued directives to all payment system Fax: +91 80 4112 4998
providers to store all data relating to payment systems operated by www.kochhar.com
them only in India no later than 15 October 2018. The data includes the
full end-to-end transaction details – the information collected, carried
and processed as part of the message or payment instruction. For the
foreign leg of the transaction, if any, the data can also be stored in the
foreign country, if required. This has given rise to India–US tensions,
with the US government threatening retaliatory measures affecting
Indian businesses.
In March 2020, the RBI issued regulations regulating payment
aggregators and payment gateways. The regulations are extremely
broad and vague in nature, and they may end up including entities within
the ambit of a regulated payment aggregator without the regulator
intending to do so; for example, educational institutions or companies
running cafeterias permitting third-party stalls to sell food from time to
time (through an e-commerce site) and where the educational institute
or company collects the proceeds of the sale of the third-party vendor
and settles the payment with the third-party vendor within mutually
agreed timelines.
India proposes to enact a Personal Data Protection Bill. It is
currently being reviewed by a joint committee of Parliament. Thereafter,
it will be revised if required and then introduced in Parliament. The Bill
is expected to come into force before the end of 2020. The Bill is India’s
first attempt towards a specific data protection and privacy statute in
India. A large portion of the Bill seems to have been adopted from the
recent global data protection regulations of the European Union, and it
includes concepts such as the right to be forgotten, privacy by design,
consent-based approach, data localisation requirements, data protec-
tion offices and data protection authorities, etc.
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
www.lexology.com/gtdt 101
© Law Business Research 2020
Indonesia
Winnie Rolindrawan and Harry Kuswara
SSEK Legal Consultants
FINTECH LANDSCAPE AND INITIATIVES fintech activities that require licensing or registration in relation to mone-
tary stability, financial system stability and payment systems, as follows:
General innovation climate • payment system activities, including authorisation, clearing, final
1 What is the general state of fintech innovation in your settlement and implementation of payment; for example, block-
jurisdiction? chain or distributed ledgers for the provision of fund transfers,
electronic money, electronic wallet and mobile payments;
Fintech innovation is developing rapidly in Indonesia and the government • market support (ie, activities that use information or electronic
has issued several regulations relevant to fintech in recent years and technology, or both, to facilitate the faster and more cost-efficient
has endeavoured to register new fintech activities to ensure they do not provision of information to the public on financial products and
cause losses to the public. New innovations and solutions are surfacing services; for example, the provision of information comparing avail-
that are boosting the business activities they support, with more roles able products or services in the financial services area);
available as, for example, aggregators, e-know your customer support, • investment management and risk management for the provision of
financing agents, financial planners, equity crowdfunding support, online investment and online insurance, among others; and
payment system support and market support. Among fintech busi- • lending, financing or funding and capital raising including peer-
nesses, peer-to-peer lending appears to have had the largest impact on to-peer lending or information technology-based fundraising
the market to date and has received the most media coverage. (crowdfunding).
Government and regulatory support Digital financial innovation, commonly referred to as fintech, is regu-
2 Do government bodies or regulators provide any support lated from a financial services perspective under OJK Regulation No.
specific to financial innovation? If so, what are the key 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial
benefits of such support? Innovation in the Financial Services Sector. This regulation covers:
• transaction settlement: this focuses on, among other things, invest-
The government is continuously trying to monitor and supervise fintech ment settlement;
activities and developments in the sector. To keep abreast of recent • capital raising, such as equity crowdfunding, virtual exchange,
developments in the market, support the players and at the same time smart contracts and alternative due diligence;
ensure Indonesian consumers are well protected, the Indonesian central • investment management; for example, advance algorithms, cloud
bank, Bank Indonesia, and the Financial Services Authority (OJK) each computing, capability sharing, open source information technology,
provide sandboxes for new innovations with the potential to have a long automated advice and management, social trading and retail algo-
reach and an impact on Indonesian consumers. Bank Indonesia focuses rithmic trading;
on the aspects of the fintech sector related to payment systems and • fundraising and fund disbursement: this includes activities such as
the OJK focuses on the aspects of the fintech sector related to financial peer-to-peer lending, alternative adjudication and third-party appli-
services, such as banking, investment and insurance. cation programming interface;
• provision of insurance; for example, sharing economy, autonomous
FINANCIAL REGULATION vehicles, digital distribution and securitisation and hedge funds;
• market support; for example, artificial intelligence or machine
Regulatory bodies learning, machine readable news, big data, social sentiment, market
3 Which bodies regulate the provision of fintech products and information platforms and automated data collection and analysis;
services? • other digital finance supporting activities, such as social and
eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo-
Fintech products and services in Indonesia are mainly regulated by advisers and credit scoring; and
two government bodies, Bank Indonesia and the Financial Services • other financial services activities; for example, invoice trading,
Authority (OJK). vouchers and products using blockchain-based applications.
an implementing regulation for GR 80/2019. These regulations impose Alternative investment funds
new obligations for organisers of trade through electronic systems 8 Are managers of alternative investment funds regulated?
(PPMSE), which is any business practitioner that provides electronic
communication facilities used in trade transactions. A PPMSE operating Collective investment in the form of an equity crowdfunding platform
from outside Indonesia and that fulfils certain criteria is now required is described as the provision of share offering services whereby the
to appoint a representative in Indonesia and, consequently, must have a issuers sell shares directly to investors through an open electronic
foreign trade company representative office in the country. PPMSE that system network, as governed by OJK Regulation No. 37/POJK.04/2018
have completed transactions with more than 1,000 consumers in a year regarding Equity Crowdfunding, dated 31 December 2018. Collective
or have delivered more than 1,000 packages to consumers in a year, or investment undertakings through the internet, whereby capital is raised
both, are required to appoint a representative in Indonesia. from a number of investors and invested in accordance with a defined
investment policy for the benefit of those investors, are not specifically
Consumer lending regulated.
5 Is consumer lending regulated in your jurisdiction?
Peer-to-peer and marketplace lending
Consumer lending is regulated in Indonesia, with a particular focus on 9 Describe any specific regulation of peer-to-peer or
information technology-based money lending services (peer-to-peer marketplace lending in your jurisdiction.
lending), as regulated under OJK Regulation No. 77/POJK.01/2016
regarding Information Technology-Based Money Lending Services, Marketplace lending is not specifically regulated in Indonesia. Peer-
dated 29 December 2016. The OJK has the authority to regulate, register to-peer lending is specifically regulated under OJK Regulation No. 77/
and issue licences, as well as supervise the fintech consumer lending POJK.01/2016 regarding Information Technology-Based Money Lending
industry. A company engaging in the provision of peer-to-peer lending Services, dated 29 December 2016. It provides the OJK the right to regu-
activities can have a maximum foreign ownership of 85 per cent, which late and supervise peer-to-peer lending activities, including handling the
means at least 15 per cent of the ownership must be in the hands of registration and licensing of peer-to-peer lending platform providers.
Indonesian parties. A company that wishes to register with the OJK Peer-to-peer lending in Indonesia is described as the provision of finan-
is required to have a minimum issued and paid-up capital of 1 billion cial services whereby the lender meets the borrower in the framework
Indonesian rupiahs. Once an applicant is registered, it will have one of entering into a lending agreement in rupiahs directly through an elec-
year to apply for a licence from the OJK, and the company’s minimum tronic system by using the internet.
issued and paid-up capital must then be 2.5 billion rupiahs. A company
engaging in the provision of peer-to-peer lending is not allowed to Crowdfunding
engage in any other business activities. The regulation refers to infor- 10 Describe any specific regulation of crowdfunding in your
mation technology-based money lending services (peer-to-peer lending) jurisdiction.
as the provision of financial services that allow the lender to meet the
borrower in the framework of entering into a lending agreement in To date there is no specific regulation that deals with donation-based
rupiahs directly through an electronic system by using the internet. crowdfunding in Indonesia. Equity crowdfunding covers the provision
of share offering services conducted by issuers to sell shares directly
Secondary market loan trading to investors through an open electronic system network. Equity crowd-
6 Are there restrictions on trading loans in the secondary funding is regulated under OJK Regulation No. 37/POJK.04/2018
market in your jurisdiction? regarding Equity Crowdfunding, dated 31 December 2018. Under this
regulation, a licensed equity crowdfunding platform provider or organ-
Currently, the trading of loans in the secondary market in Indonesia iser is able to provide access for issuers (Indonesian limited liability
is not specifically regulated and there is no specific restriction on companies) to sell their shares to investors that are also using the plat-
this activity. form. An equity crowdfunding platform company is required to be an
Indonesian limited liability company or an Indonesian cooperative with
Collective investment schemes a minimum issued and paid-up capital of 2.5 billion rupiahs and to have
7 Describe the regulatory regime for collective investment registered with and received a licence from the OJK to provide, manage
schemes and whether fintech companies providing and operate the equity crowdfunding platform.
alternative finance products or services would fall within its
scope. Invoice trading
11 Describe any specific regulation of invoice trading in your
The prevailing regulations do not categorise activities into collective jurisdiction.
investment schemes. They only specifically regulate alternative finance
products in the form of equity crowdfunding platforms. Peer-to-peer The prevailing regulations do not specifically address invoice trading
lending is described as an information technology-based money lending in Indonesia.
service, which is specifically regulated under a different regulation.
Equity crowdfunding is regulated under the auspices of the OJK, through Payment services
OJK Regulation No. 37/POJK.04/2018 regarding Equity Crowdfunding, 12 Are payment services regulated in your jurisdiction?
dated 31 December 2018. The OJK has the authority to regulate, register
and issue licences, as well as supervise equity crowdfunding activities. Payment services in Indonesia are regulated mainly by Indonesia’s
central bank, Bank Indonesia, which is in charge of regulating payment
system activities in Indonesia.
www.lexology.com/gtdt 103
© Law Business Research 2020
Indonesia SSEK Legal Consultants
Open banking The Credit Bureau Regulation also specifically mentions that a credit
13 Are there any laws or regulations introduced to promote bureau must be in the form of an Indonesian limited liability company
competition that require financial institutions to make and is subject to applicable foreign shareholding restrictions. In addition,
customer or product data available to third parties? a credit bureau must obtain a business licence from the OJK to conduct
its business activities. While the total ownership of one or more foreign
To date there is no law or regulation that requires financial institutions parties in a credit bureau is limited to 20 per cent, if one foreign party
to make customer or product data available to third parties, unless to owns more than one credit bureau that foreign party’s total ownership in
the relevant government agency or for law enforcement purposes. all the credit bureaus combined is limited to 20 per cent.
In collecting and processing credit information, a licensed Indonesian
Robo-advice credit bureau obtains credit data from the OJK. The credit data from the
14 Describe any specific regulation of robo-advisers or other OJK consists of data submitted to it by financial institutions. A licensed
companies that provide retail customers with automated Indonesian credit bureau may also cooperate with financial institutions
access to investment products in your jurisdiction. to obtain credit data or financial institutions and non-financial institutions
for other data, or both. A credit bureau must make an effort to ensure
To date there is no specific law or regulation that addresses robo- that the source of the data informs the relevant debtor or customer of
advisers or other companies that provide retail customers with how the credit data and other data will be utilised. Credit data is defined
automated access to investment products. as data regarding the condition of funding facility, funding from non-
bank institutions and other facilities that can be deemed similar to the
Insurance products foregoing.
15 Do fintech companies that sell or market insurance products Other data in relation to a credit bureau is defined as data other than
in your jurisdiction need to be regulated? credit data that can be used to describe the capability of a certain party
in fulfilling the party’s financial obligations.
In principle, the selling and marketing of insurance products in
Indonesia is regulated and licensed by the OJK, although there seems CROSS-BORDER REGULATION
to be no differentiation yet between fintech companies and companies
that engage in the conventional selling and marketing of insurance Passporting
products. In practice, licensed insurance companies in Indonesia have 17 Can regulated activities be passported into your jurisdiction?
been selling their products over the internet, through their own plat-
forms or by cooperating with other parties (eg, e-commerce platforms The prevailing laws and regulations in Indonesia do not recognise the
or e-money platforms) to assist in facilitating the selling and marketing concept of passporting, and regulated activities cannot be passported
of their insurance products. The OJK is still in discussions over whether into Indonesia.
unit-linked products can continue to be sold without a face-to-face
meeting with the potential insured party. The prevailing regulations Requirement for a local presence
require unit-linked products to be sold with a face-to-face meeting that 18 Can fintech companies obtain a licence to provide financial
is used to explain the product to the potential insured party. services in your jurisdiction without establishing a local
presence?
Credit references
16 Are there any restrictions on providing credit references or No. To obtain a licence from the Indonesian government to provide finan-
credit information services in your jurisdiction? cial services in Indonesia, a party must establish a local presence.
There are restrictions on providing credit information services. SALES AND MARKETING
In Indonesia, credit reports can only be issued by a credit bureau
licensed by the Financial Services Authority (OJK). A credit report is Restrictions
defined under OJK Regulation 42/POJK.03/2019 regarding Credit 19 What restrictions apply to the sales and marketing of financial
Information Management Agencies dated 31 December 2019 and Bank services and products in your jurisdiction?
Indonesia Circular Letter No. 15/49/DPKL regarding Credit Information
Management Agencies dated 5 December 2013 (together, the Credit There are regulations for the sale and marketing of financial services and
Bureau Regulation) as a product or service generated by a credit bureau products in the traditional sense, such as conventional banking, invest-
in writing, verbally or by some other method, sourced from credit data ment and insurance. There is far less clarity regarding the organisation of
and other data owned by the credit bureau. The credit report generated the sale and marketing of unconventional financial services, for example,
by the credit bureau, among other things, contains information on: investments related to cryptocurrency and initial coin offerings. The main
• the feasibility of the debtor or customer to obtain funds; principle of sales and marketing by financial and fintech businesses is a
• the track record of the debtor or customer in fulfilling its fund prohibition on misleading information and causing loss for consumers.
provision obligations;
• the ability of the debtor or customer to fulfil its fund provision CHANGE OF CONTROL
obligations;
• the character of the debtor or customer; and Notification and consent
• other information that may be utilised to assess the abilities of the 20 Describe any rules relating to notification or consent
debtor or customer. requirements if a regulated business changes control.
Pursuant to the Credit Bureau Regulation, a credit bureau engages The rules relating to notification or consent requirements in a change
in the business activities of collecting credit data and other data, and of control depend on the specific licence held by the entity. As a matter
processing credit data and other data to generate a credit report. of general principle, entities holding a licence in the financial services
sector and the payment system services sector need to obtain prior • mechanism of dispute settlement; and
approval from the Indonesian central bank or the Financial Services • settlement mechanism if the provider is unable to continue its
Authority. operational activities.
FINANCIAL CRIME The provider is required to provide the lender with access to informa-
tion on the appropriation of funds. This information does not include
Anti-bribery and anti-money laundering procedures information related to the identity of the borrower. The information will
21 Are fintech companies required by law or regulation to have include, at least, the:
procedures to combat bribery or money laundering? • amount of loaned funds to the borrower;
• purpose of the use of the funds by the borrower;
In general, fintech companies are required to implement anti-money • amount of the loan interest; and
laundering procedures and also need to conform to anti-bribery regu- • tenor of the loan.
lations in Indonesia. Initial coin offering activities are not yet clearly
regulated in Indonesia. Commodity Futures Trading Regulatory Agency The lending agreement between the lender and borrower is made in
(Bappebti) Regulation No. 5 of 2019 (as amended by Bappebti Regulation electronic document format and must contain, at least, the:
No. 9 of 2019 regarding the Amendment of Bappebti Regulation 5/2019 • agreement number;
dated 26 July 2019; Bappebti Regulation No. 2 of 2020 regarding the • date of agreement;
Second Amendment of Bappebti Regulation 5/2019 dated 7 February • identities of the parties;
2020; and Bappebti Regulation No. 3 of 2020 regarding the Third • provisions on the rights and obligations of the parties;
Amendment of Bappebti Regulation 5/2019 dated 31 March 2020) • amount of the loan;
only deals specifically with the administration of the implementation • nterest rate of the loan;
of crypto-asset exchanges within Indonesia and does not address or • instalment value;
cover the implementation and operation of crypto-asset exchange plat- • tenor;
forms outside Indonesia offering products and services to customers in • object of guarantee (if any);
Indonesia on a cross-border basis. • breakdown of relevant expenses;
• provisions on fines (if any); and
Guidance • mechanism of dispute settlement.
22 Is there regulatory or industry anti-financial crime guidance
for fintech companies? The provider is required to provide the borrower with access to infor-
mation on the position of the received loan. This information will not
Currently, there is no specific regulatory or industry anti-financial crime include information related to the identity of the lender. The agreements
guidance for fintech companies. above are made by using electronic signatures in accordance with the
prevailing laws and regulations on electronic signatures. If the provider
PEER-TO-PEER AND MARKETPLACE LENDING uses a standard agreement (for any agreement between the provider
and the users of the platform, be it lenders or borrowers, the standard
Execution and enforceability of loan agreements agreement must not:
23 What are the requirements for executing loan agreements or • transfer the responsibilities or obligations of the provider to
security agreements? Is there a risk that loan agreements the user; or
or security agreements entered into on a peer-to-peer or • state that the user is subject to new regulations, addendums,
marketplace lending platform will not be enforceable? supplementary or amendments drawn up unilaterally by the
provider within the period during which the user uses the service.
Loan agreements in a peer-to-peer lending platform are acknowledged
and regulated. Based on Financial Services Authority Regulation No. 77/ A standard agreement or standard clause is described as a written
POJK.01/2016 regarding Information Technology-Based Money Lending agreement as set forth unilaterally by the provider and that contains
Services, dated 29 December 2016, there are two agreements in a peer- standard clauses regarding content, format, as well as method of
to-peer lending scheme: production, and is used to make a mass offer of service to users.
• an agreement between the provider of the peer-to-peer lending
service (the provider of the platform) and the lender; and Assignment of loans
• an agreement between the lender and the borrower. 24 What steps are required to perfect an assignment of
loans originated on a peer-to-peer or marketplace lending
The agreement on the provision of peer-to-peer lending between a platform? What are the implications for the purchaser if the
provider and a lender is made in electronic document format and must assignment is not perfected? Is it possible to assign these
contain, at least, the: loans without informing the borrower?
• agreement number;
• date of agreement; Presently there is no specific fintech law or regulation that addresses
• identities of the parties; the assignment of loans on a peer-to-peer lending platform. Given this
• provisions on the rights and obligations of the parties; absence, the assignment of loans should be allowed under the freedom
• amount of the loan; of contract principle contained in the Indonesian civil law code. Any
• interest rate of the loan; assignment of a loan will need notification to the borrower.
• amount of commission;
• tenor;
• breakdown of relevant expenses;
• provisions on fines (if any);
www.lexology.com/gtdt 105
© Law Business Research 2020
Indonesia SSEK Legal Consultants
Securitisation risk retention requirements ledgers are referred to as examples of other financial service activities,
25 Are securitisation transactions subject to risk retention which include such examples as invoice trading, vouchers and products
requirements? using blockchain-based applications.
This is not specifically regulated under the prevailing laws and regulations. Crypto-assets
29 Are there rules or regulations governing the use of crypto-
Securitisation confidentiality and data protection requirements assets, including digital currencies, digital wallets and
26 Is a special purpose company used to purchase and securitise e-money?
peer-to-peer or marketplace loans subject to a duty of
confidentiality or data protection laws regarding information Crypto-assets trade is specifically regulated in Indonesia by Bappebti,
relating to the borrowers? an agency under the Ministry of Trade, under the following regulations:
• Bappebti Regulation No. 5 of 2019 regarding the Technical Provisions
This is not specifically regulated under the prevailing laws and regula- for the Implementation of the Crypto Asset Physical Market in Futures
tions. However, to date, there is no exemption for business practitioners Exchange dated 8 February 2019 (Bappebti Regulation 5/2019);
for the implementation of data protection principles apart from for law • Bappebti Regulation No. 9 of 2019 regarding the Amendment of
enforcement and public interest purposes. Bappebti Regulation 5/2019, dated 26 July 2019;
• Bappebti Regulation No. 2 of 2020 regarding the Second Amendment
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER of Bappebti Regulation 5/2019, dated 7 February 2020; and
TECHNOLOGY AND CRYPTO-ASSETS • Bappebti Regulation No. 3 of 2020 regarding the Third Amendment
of Bappebti Regulation 5/2019, dated 31 March 2020.
Artificial intelligence
27 Are there rules or regulations governing the use of artificial nder the regulations listed above, crypto-assets are deemed commodi-
intelligence, including in relation to robo-advice? ties that can be traded in a crypto-asset exchange. The regulations
describe crypto-assets as intangible commodities in the form of
Presently, there is no specific law or regulation that addresses the use digital assets, using cryptography, peer-to-peer network and distrib-
of artificial intelligence, including robo-advice. However, artificial intel- uted ledger to manage the creation of new units, verify transactions
ligence is mentioned in Financial Services Authority (OJK) Regulation and secure transactions without any intervention by other parties. In
No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial Indonesia, crypto-assets or cryptocurrencies are not recognised as a
Innovation in the Financial Services Sector as one of the examples of payment instrument and, therefore, are prohibited from being used as
digital financial innovation in the category of market support. Other a payment instrument.
examples of market support include artificial intelligence or machine Digital wallets in Indonesia are commonly viewed as part of the
learning, machine-readable news, big data, social sentiment, market payment system environment and, therefore, are regulated under the
information platform, and automated data collection and analysis. Robo- regulations of Bank Indonesia, which oversees payment system activi-
advice is also referred to in this OJK Regulation as a type of other digital ties in Indonesia. Digital wallets or electronic wallets as referred to
finance supporting activity. Other examples activities include social and in regulations in Indonesia are mainly regulated by Bank Indonesia
eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo-advice Regulation No. 18/40/PBI/2016 regarding the Provision of Payment
and credit scoring. The regulation is silent on any specific provisions Transaction Processing, dated 9 November 2016. This regulation
for artificial intelligence and robo-advice. Therefore, the principles and defines an electronic wallet (e-wallet) as an electronic service to store
provisions under OJK Regulation No. 13/POJK.02/2018 is generally all payment instrument data (among others, payment instruments
applicable to artificial intelligence and robo-advice used in the fintech using cards and electronic money) and an e-wallet is also able to store
sector in Indonesia. credits (funds) to conduct payments.
E-money in Indonesia is also viewed as part of the payment system
Distributed ledger technology environment and is, therefore, regulated under regulations of Bank
28 Are there rules or regulations governing the use of Indonesia. E-money is mainly regulated by Bank Indonesia Regulation
distributed ledger technology or blockchains? No. 20/6/PBI/2018 regarding Electronic Money, dated 4 May 2018. This
regulation defines e-money as a payment instrument:
There is no specific rule or regulation governing the use of distributed • that is issued based on the value of money that has been first
ledger technology or blockchains. Blockchain and distributed ledger tech- deposited to the
nology is referred to in Bank Indonesia Regulation No. 19/12/PBI/2017 • issuer;
regarding the Organisation of Financial Technology, dated 30 November • where the value of money is deposited electronically in a server
2017. The regulation refers to blockchain and distributed ledgers as one of or chip; and
the recognised examples of fintech activities within the payment system • where the value of electronic money managed by the issuer does
category. Payment system activities include authorisation, clearing, final not constitute savings as intended in banking laws.
settlement and implementation of payments, with examples such as
blockchain or distributed ledgers for the provision of fund transfers, elec- E-money issued in Indonesia is required to be issued in Indonesian rupiahs.
tronic money, electronic wallets and mobile payments. The regulation is
silent on any specific provisions for artificial intelligence and robo-advice; Digital currency exchanges
therefore, the principles and provisions under Bank Indonesia Regulation 30 Are there rules or regulations governing the operation of
No. 19/12/PBI/2017 is generally applicable to blockchain and distributed digital currency exchanges or brokerages?
ledgers used in the fintech industry in Indonesia.
From the perspective of financial services, under OJK Regulation There is a regulation in Indonesia that specifically deals with the
No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial trading of crypto-assets. The operation of a digital currency exchange
Innovation in the Financial Services Sector, blockchain and distributed is governed by Bappebti Regulation No. 5 of 2019 and its amendments.
There is no specific legal requirement or regulatory guidance with Under Law No. 20 of 2016 regarding Marks and Geographical
respect to the use of cloud computing in the financial services industry. Indications, a brand (mark) is protected once it is registered with the
relevant government IP office in Indonesia. As a precautionary action
a fintech business can check with the government IP office to see if
there are similar brands or trademarks already registered in Indonesia.
It can also conduct market monitoring of known brands in its industry
in Indonesia.
www.lexology.com/gtdt 107
© Law Business Research 2020
Indonesia SSEK Legal Consultants
COMPETITION
Winnie Rolindrawan
Sector-specific issues winnierolindrawan@ssek.com
42 Are there any specific competition issues that exist with Harry Kuswara
respect to fintech companies in your jurisdiction? harrykuswara@ssek.com
There are no specific tax incentives available for fintech companies and Sector-specific schemes
investors. 45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there
Increased tax burden any special regimes specific to the technology or financial
44 Are there any new or proposed tax laws or guidance that sectors?
could significantly increase tax or administrative costs for
fintech companies in your jurisdiction? There is no specific immigration scheme for fintech businesses, and,
therefore, the general immigration scheme is applicable. An Indonesian
The Indonesian Minister of Finance (MOF) recently issued a regulation on entity must act as the sponsor for any foreign national who will work in
VAT for digital goods and services: MOF Regulation No. 48/PMK.03/2020 Indonesia, and foreign workers can only fill positions that are allowed
regarding Procedures for the Appointment of Collectors and for the for foreign workers, as set out by the Ministry of Manpower.
Collection, Deposit and Reporting of VAT for the Use Inside the Customs
Area of Intangible Taxable Goods and/or Taxable Services from Outside UPDATE AND TRENDS
the Customs Area through Electronic System Trade Activities. This is an
implementing regulation for Government Regulation in Lieu of Law No. Current developments
1 of 2020 regarding State Financial Policy and Financial System Stability 46 Are there any other current developments or emerging
for the Management of the Coronavirus or COVID-19 Pandemic and/ trends to note?
or in Facing Threats to the National Economy and/or Financial System
Stability (GR 1/2020). GR 1/2020 has since been adopted into law, as We understand that the Financial Services Authority has introduced a
Law No. 2 of 2020. Starting 1 July 2020, a 10 per cent VAT will be appli- moratorium on the registration and licensing of peer-to-peer lending
cable to intangible taxable goods and services from outside Indonesia companies in Indonesia. The Financial Services Authority will no longer
that are utilised in Indonesia through electronic system trade activities receive applications for the registration of peer-to-peer lending compa-
(PMSE). These goods and services include digital goods and services. If nies. There has been no confirmation on how long the moratorium
the utilisation of goods and services from outside Indonesia is the result will last. There are also ongoing discussions of a draft Personal Data
of a transaction between foreign traders or foreign service providers Protection Law, but it is not clear when the law might be passed by the
and the Indonesian purchasers, the VAT will be directly collected, paid House of Representatives and issued by the government.
and reported by these foreign parties. The foreign traders or foreign
service providers will be appointed by the Directorate General on Coronavirus
Taxation (DGT) as the PMSE VAT Collector. 47 What emergency legislation, relief programmes and other
To qualify as a PMSE VAT Collector a party must have a transac- initiatives specific to your practice area has your state
tion value with Indonesian purchasers that exceeds a certain threshold implemented to address the pandemic? Have any existing
within 12 months; a traffic volume or number of persons who accessed government programmes, laws or regulations been amended
the party’s platform that exceeds a certain threshold within 12 months; to address these concerns? What best practices are advisable
or both. These thresholds will be further set out by the DGT. Indonesian for clients?
government officials have been quoted in various media reports saying
that they are targeting providers such as Spotify and Netflix that operate The Indonesian government has not issued any specific emergency
outside of Indonesia with a significant number of users in the country. legislation or relief programme for fintech businesses.
FINTECH LANDSCAPE AND INITIATIVES The main state business and employment promotion agencies, IDA
Ireland and Enterprise Ireland, provide a range of support for fintech
General innovation climate operations at all levels of development, and the state investment fund
1 What is the general state of fintech innovation in your has made multiple venture capital or equity investments in promising
jurisdiction? fintech start-ups.
On 20 April 2018, the Central Bank launched its Innovation Hub.
Ireland has a very active fintech scene and is one of the leading juris- This is a direct and dedicated point of contact for firms developing or
dictions for fintech start-ups and corporate innovation in Europe. In implementing innovations in financial services based on new technolo-
addition, with the impact of Brexit still to be determined, many payments gies. This was to accommodate greater interaction with the growing
and e-money firms that previously provided services across the EU via a number of fintech businesses looking to set up operations in Dublin, or
UK payments or e-money licence have sought to obtain authorisation by expand their existing operations both in the regulated and unregulated
the Central Bank of Ireland (the Central Bank) so as to ensure continuity space. According to the Innovation Hub: 2019 Update, the innovation hub
of operations. This has led to a very significant increase in the number has facilitated 166 engagements.
of licensed payments and e-money firms, to 18 and 12 respectively, and
there are multiple further licence applications in the pipeline. Examples FINANCIAL REGULATION
of some of these companies that have chosen Ireland as their EU hub
are Stripe, Google Payments, Western Union, Currency Fair, Paysafe, Regulatory bodies
Coinbase and Facebook International Payments Limited. 3 Which bodies regulate the provision of fintech products and
Ireland has won an outsized share of European investment in services?
corporate innovation labs, with many global financial services groups
establishing their innovation labs in Ireland. Accelerator programmes There is only one financial services regulator in Ireland, the Central
are also expanding their activities in Ireland, with Dublin being added Bank of Ireland (the Central Bank), which is responsible for author-
as one of two accelerator locations by the NadiFin FinTech accelerator ising and supervising all providers of regulated financial services. The
programme and the National Digital Research Centre expanding its Central Bank is responsible for both prudential supervision and conduct
activities outside Dublin to Waterford and Galway. Dublin remains the of business supervision of regulated entities that it has authorised.
hub for fintech activities in Ireland, but other regional centres are also Where a regulated firm has been authorised by a supervisory authority
seeing growth. in another EU or EEA jurisdiction, the home state regulator will be
Notwithstanding the burgeoning start-up scene, digital challenger responsible for prudential supervision, but the Central Bank will be
banks are only now penetrating the Irish market to any significant extent responsible for conduct of business supervision in Ireland. The Single
and there are currently no home-grown challenger banks. European Supervisory Mechanism at the European Central Bank also directly
digital operators have passported their services into Ireland but do not supervises significant credit institutions and has exclusive competence
yet pose an existential threat to traditional Irish banking houses. Robo- for the authorisation of credit institutions (other than branches of third-
advice has yet to make an appearance in the mainstream investments country credit institutions).
market. Many life and health insurers are now investigating the poten-
tial incorporation of wearable devices into insurance underwriting, and Regulated activities
some of the main motor insurers have launched safe driving apps that 4 Which activities trigger a licensing requirement in your
provide telematics-based discounts for drivers. jurisdiction?
Government and regulatory support Whether a fintech business needs to hold a financial services authori-
2 Do government bodies or regulators provide any support sation will depend on the nature of the activities that the firm engages
specific to financial innovation? If so, what are the key in. As far as investment-related activities are concerned, Directive
benefits of such support? 2014/65/EU (MiFID II) was transposed into Irish law by the European
Union (Markets in Financial Instruments) Regulations 2017 (the Irish
The government of Ireland is strongly supportive of fintech and in its MiFID II Regulations). Engaging in any of the investment services and
recently revised Strategy for the International Financial Services Sector activities listed in MiFID II, such as providing investment advice or
(‘Ireland for Finance 2025’) has stated its commitment to developing executing client orders, is a regulated activity requiring authorisation.
Ireland as a global leader in the financial services sector, creating an Other parts of the MiFID II package also have direct effect in Ireland.
environment in which both indigenous and multinational firms can draw Engaging in banking business requires authorisation under the
on key government incentives and supports to grow their businesses. Central Bank Act 1971. The European Union (Capital Requirements)
www.lexology.com/gtdt 109
© Law Business Research 2020
Ireland Matheson
Regulations 2014 transposed the Capital Requirements Directive Collective investment schemes
2013/36/EU (CRD IV) into Irish law, and the requirements for obtaining 7 Describe the regulatory regime for collective investment
an Irish banking licence are based on the transposition of the CRD IV schemes and whether fintech companies providing
package. Other parts of the CRD IV package also have direct effect in alternative finance products or services would fall within its
Ireland. Banking business means taking deposits or other repayable scope.
funds from members of the public and granting credit for own account.
There is a restriction in the 1971 Act, in the absence of an exemption Investment funds are authorised and regulated by the Central Bank, and
from the Central Bank, which prohibits anyone from using the term may be regulated as:
‘bank’ in their name or holding themselves out as a bank without • undertakings for collective investment in transferable securi-
holding the necessary authorisation. Ireland also has a regime for ties (UCITS) in accordance with the European Communities
authorising branches of credit institutions established in third countries (Undertakings for Collective Investment in Transferable Securities)
(third country branches) under section 9A of the Central Bank Act 1971. Regulations 2011, which implement the UCITS Directives into Irish
law, and the Central Bank (Supervision and Enforcement) Act
Consumer lending 2013 (Section 48(1)) (Undertakings for Collective Investment in
5 Is consumer lending regulated in your jurisdiction? Transferable Securities) Regulations 2019 (collectively the UCITS
Regulations); or
Subject to very limited exceptions, providing cash loans to individuals • retail investor alternative investment funds (RIAIFs) or qualifying
(not just consumers) in Ireland is a regulated activity requiring authori- investor alternative investment funds (QIAIFs) in accordance with
sation as a retail credit firm under the Central Bank Act 1997, unless the requirements of the Central Bank and of the European Union
the lender is otherwise authorised to provide such credit, for example, (Alternative Investment Fund Managers) Regulations 2013 (as
a bank. This is an Irish domestic licensing regime and does not derive amended) (the AIFM Regulations), which implement the Alternative
from an EU law obligation. Investment Fund Managers Directive 2011/61/EU (AIFMD) into
Multiple aspects of consumer lending are also regulated (at a Irish law.
conduct-of-business level) under the Consumer Credit Act 1995 and
the European Communities (Consumer Credit Agreement) Regulations UCITS, RIAIFs and QIAIFs may be organised through a number of legal
2010, which regulate the form and content of credit agreements. The structures, the most popular of which are the Irish collective asset-
1995 Act and the 2010 Regulations implement the provisions of Directive management vehicle (ICAV), the investment public limited company
87/102/EEC as amended, and Directive 2008/48/EC. (investment company) and authorised unit trusts. It is an offence to
The Central Bank’s Consumer Protection Code 2012 and asso- carry on business as an ICAV, investment company or authorised unit
ciated addenda (the CPC) are also relevant. The CPC applies to all trust unless authorised by the Central Bank.
financial services providers who are authorised, registered or licensed Fintech companies, whether providing alternative finance prod-
by the Central Bank, as well as financial services providers author- ucts or otherwise, would not typically fall to be regulated as investment
ised, registered or licensed in another EU or EEA member state when funds. However, fintech firms that fall within the definition of alterna-
providing services in Ireland on a branch or cross-border basis. The tive investment funds would require authorisation. Fintech companies
CPC essentially requires regulated entities to adhere to a set of general that provide services to investment funds may require authorisation
requirements such as to provide terms of business to consumers, if they are providing regulated depositary or administration services.
conduct know-your-customer, to establish the suitability of the product Depositaries and administrators to investment funds may also engage
and adhere to lending and advertisement requirements. fintech firms, in which case applicable Central Bank outsourcing require-
There are also separate requirements for mortgage lending ments may apply, although in general, the fintech service providers
to consumers, including the housing loan requirements under the would not themselves require authorisation.
Consumer Credit Act 1995, European Union (Consumer Mortgage
Credit Agreements) Regulations 2016, implementing the provisions Alternative investment funds
of Directive 2014/17/EU and the Central Bank’s Code of Conduct on 8 Are managers of alternative investment funds regulated?
Mortgage Arrears.
The Central Bank authorises and regulates Irish alternative investment
Secondary market loan trading fund managers (AIFMs) under the AIFM Regulations, as well as regu-
6 Are there restrictions on trading loans in the secondary lating UCITS management companies in accordance with the UCITS
market in your jurisdiction? Regulations, and non-UCITS management companies (a residual cate-
gory post-AIFMD). Most fintech companies would be expected to fall
Part V of the Central Bank Act 1997 regulates credit servicing, which outside the scope of the AIFM Regulations and the UCITS Regulations.
includes holding the legal title to loans made by regulated financial
services providers to individuals and small to medium-sized enterprises Peer-to-peer and marketplace lending
(SMEs). Credit servicing is a regulated activity requiring authorisation 9 Describe any specific regulation of peer-to-peer or
by the Central Bank of Ireland. Acquiring the beneficial interest in such marketplace lending in your jurisdiction.
loans is not, however, a regulated activity, although there are associated
licensing requirements applicable to entities that provide administra- There is currently no distinct regulatory regime for peer-to-peer or
tion or servicing in respect of such loans. Trading in non-SME corporate marketplace lending in Ireland. Some of the regimes described in this
loans is not, generally, a regulated activity in Ireland. chapter (eg, retail credit) may, however, be relevant depending on the
There may also be data protection issues and general contractual nature of the specific activities engaged in and a regulatory analysis of
issues that need to be addressed, irrespective of the nature of the loans the proposed process flow is therefore always advisable.
being traded.
www.lexology.com/gtdt 111
© Law Business Research 2020
Ireland Matheson
Guidance to a third party. This obligation only applies to a regulated entity, which
22 Is there regulatory or industry anti-financial crime guidance would include regulated lenders and also regulated credit servicing
for fintech companies? firms appointed to hold the legal title to, or service, the loans. Assuming
there is no prohibition on assignment without the consent of the
There is nothing specific to fintech companies. In line with other regula- borrower under the terms of the loan, Irish law would not otherwise
tors, the Central Bank has generally increased its focus on AML/CFT require the borrower to be informed of the assignment. However, any
and cyber risks across all regulated financial services. The Central Bank such assignment without notice would take effect as an equitable
issued best practice guidance on cybersecurity within the investment assignment.
firm and fund services industry in September 2015, followed by cross-
industry guidance on information technology and cybersecurity risks in Securitisation risk retention requirements
September 2016. The Central Bank will also expect relevant firms to 25 Are securitisation transactions subject to risk retention
apply European Banking Authority guidelines and technical standards requirements?
published under Directive 2015/2366/EU and other specific regimes,
as applicable. There are also AML/CFT guidelines applicable to fintech The Securitisation Regulation (Regulation EU 2017/2402), which
business that are ‘designated persons’ for the purposes of the CJA. became directly applicable across the EU on 1 January 2019, applies in
Ireland. It requires institutional investors to ensure that the originator,
PEER-TO-PEER AND MARKETPLACE LENDING sponsor or original lender of a securitisation retains at least a 5 per cent
net economic interest in the securitisation.
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements
security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise
or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of
marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information
relating to the borrowers?
For a loan agreement or security agreement to be binding, there has to
be an offer, acceptance, consideration, intention to create legal relations Where the special purpose vehicle is established in Ireland and
and certainty as to terms. The application of these principles does not controls personal data, it will be subject to the full scope of Ireland’s
depend on the particular technology that is being used so that accept- data processing laws. Irish incorporated companies, partnerships or
ance can be evidenced by clicking in a designated box on a peer-to-peer other unincorporated associations formed under the law of Ireland, and
or marketplace lending platform website. persons not falling within the foregoing but who maintain in Ireland
There are additional requirements for specific types of loan an office, branch or agency, or a regular practice will be established in
agreement, for example under the European Communities (Consumer Ireland for these purposes. Data controllers that make use of equipment
Credit Agreements) Regulations 2010, the Consumer Credit Act 1995 in Ireland for processing data can also fall within the scope of Ireland’s
and the European Union (Consumer Mortgage Credit Agreements) data processing laws in certain circumstances. Broader confidentiality
Regulations 2016. provisions applicable to a special purpose vehicle would typically arise
A deed is necessary for certain types of transactions, including as a matter of contract, and the implied banker’s duty of confidentiality
property-related transactions. Deeds made by individuals must be at common law is unlikely to apply.
signed, and Irish law recognises electronic contracts and signatures in
accordance with the requirements of the Electronic Commerce Act 2000 ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
and Regulation 910/2014 on electronic identification and trust services TECHNOLOGY AND CRYPTO-ASSETS
for electronic transactions.
Artificial intelligence
Assignment of loans 27 Are there rules or regulations governing the use of artificial
24 What steps are required to perfect an assignment of intelligence, including in relation to robo-advice?
loans originated on a peer-to-peer or marketplace lending
platform? What are the implications for the purchaser if the There are no specific rules governing the use of artificial intelligence,
assignment is not perfected? Is it possible to assign these including in relation to robo-advice, in Ireland. However, a regulated
loans without informing the borrower? financial service provider would need to comply with applicable conduct
and regulatory requirements in applying artificial intelligence (and robo-
There are two main types of assignments of legal rights under Irish law: advice) to its regulated activities and would also need to ensure that
a legal assignment and an equitable assignment. Irish law is similar it complies with Irish equality legislation (the Equal Status Acts 2000–
to English law in this regard. The distinction can be important at point 2015) when using such technology to determine access to services.
of enforcement and in general terms, a legal assignment is prefer-
able. To create a legal assignment of a debt, the assignment must be in Distributed ledger technology
writing and signed by the assignor; the assignment must be absolute (ie, 28 Are there rules or regulations governing the use of
unconditional and not merely by way of security); and express notice in distributed ledger technology or blockchains?
writing must be given to the borrower from whom the assignor would
have been entitled to receive the debt. Part of a debt, or other legal There are no specific rules governing the use of distributed ledger
chose in action, may not be legally assigned; only the whole debt may technology or blockchain in Ireland, but a regulated financial service
be legally assigned. provider would need to comply with applicable conduct and regulatory
The Central Bank’s Consumer Protection Code 2012 and associ- requirements in applying such technologies to its regulated activities.
ated addenda requires a regulated entity to provide two months’ notice
before transferring any part of its regulated activities (including loans)
www.lexology.com/gtdt 113
© Law Business Research 2020
Ireland Matheson
Crypto-assets Cybersecurity
29 Are there rules or regulations governing the use of crypto- 33 What cybersecurity regulations or standards apply to fintech
assets, including digital currencies, digital wallets and businesses?
e-money?
The Central Bank of Ireland (the Central Bank) issued best practice
Assuming the crypto-assets are not financial instruments or other guidance on cybersecurity within the investment firm and fund services
forms of collective investment, there is no regulatory framework industry in September 2015, followed by cross-industry guidance on
governing crypto-assets in Ireland. When Fifth Money Laundering information technology and cybersecurity risks in September 2016. The
Directive (EU) 2018/843 (MLD5) is transposed into Irish law, this will Central Bank will also expect relevant firms to apply relevant European
impose anti-money laundering and counter-terrorist financing (AML/ Supervisory Authority guidelines, whether issued by the European
CFT) requirements on crypto-asset exchanges and wallet providers. In Banking Authority or the European Securities and Markets Authority
April 2020, the Central Bank of Ireland published a response to the EU (such as the Guidelines on security measures for operational and secu-
consultation on an EU framework for markets in crypto-assets. rity risks under Directive 2015/2366/EU and other specific regimes, as
applicable).
Digital currency exchanges
30 Are there rules or regulations governing the operation of OUTSOURCING AND CLOUD COMPUTING
digital currency exchanges or brokerages?
Outsourcing
Assuming the digital currency is not linked to any financial instruments 34 Are there legal requirements or regulatory guidance with
and the exchange is not engaging in any other regulated activity, there respect to the outsourcing by a financial services company of
is no regulatory framework governing the operation of digital currency a material aspect of its business?
exchanges or brokerages. When MLD5 is transposed into Irish law, this
will impose AML/CFT requirements on digital currency exchanges and There are multiple sector-specific requirements governing outsourcing,
providers who exchange fiat currencies for digital currencies. for example, under the Directive 2014/65/EU and Directive 2009/138/
EC regimes. For credit institutions, payments and e-money firms, the
Initial coin offerings European Banking Authority (EBA) has issued extensive Guidelines as
31 Are there rules or regulations governing initial coin offerings of February 2019. The Central Bank of Ireland takes an active interest
(ICOs) or token generation events? in compliance by regulated firms with outsourcing requirements and in
November 2018, published a paper ‘Outsourcing – Findings and Issues
There are no laws specific to ICOs and offerings of digital assets in for Discussion’, highlighting the most obvious and minimum super-
Ireland, and it is possible, depending on the nature of the digital assets, visory expectations for regulated firms around the management of
that the offering, holding or trading of these assets may fall outside outsourcing risks.
current securities or prospectus law, financial services regulation and
other laws. Cloud computing
35 Are there legal requirements or regulatory guidance with
DATA PROTECTION AND CYBERSECURITY respect to the use of cloud computing in the financial services
industry?
Data protection
32 What rules and regulations govern the processing and The EBA published its ‘Guidelines on Outsourcing Arrangements’ in
transfer (domestic and cross-border) of data relating to February 2019 (the Outsourcing Guidelines). When the Outsourcing
fintech products and services? Guidelines entered into force on 30 September 2019, the EBA’s
‘Recommendations on outsourcing to cloud service providers’, which
The General Data Protection Directive (Regulation 2016/679) (GDPR) had been published in December 2017, were repealed.
has had effect in Ireland since 25 May 2018, and is supplemented by the
Data Protection Act 2018. The GDPR is intended to harmonise further the INTELLECTUAL PROPERTY RIGHTS
data protection regimes within the EU and a full account of its impact
is outside the scope of this chapter. For fintech operators, anonymisa- IP protection for software
tion and aggregation of data for commercial gain may be important. 36 Which intellectual property rights are available to protect
Aggregation of data for commercial gain will only be permissible where software, and how do you obtain those rights?
the collection, aggregation and commercial use of the data meets GDPR
requirements. There may be somewhat greater flexibility in the use of The principal intellectual property right that protects software is copy-
anonymised data for commercial gain. However, it is generally accepted right (the right to prevent others from, among other things, copying the
that the standard required for data to be truly anonymised (and therefore software). Under the Copyright Act 2000 (as amended), copyright vests
not be personal data) is a high one, and that anonymisation techniques in the author on creation. Organisations should ensure that they have
can only provide privacy guarantees if appropriate techniques are used appropriate copyright assignment provisions in place in all agreements
and the application of those techniques is engineered appropriately. they have with employees or contractors to ensure that they obtain
This is a complex area and any fintech operator considering engaging in these rights.
such techniques should seek appropriate specialist advice.
The default position under Irish law is that the employer owns intel- The main intellectual property rights available to protect branding are
lectual property developed by an employee during the course of registered and unregistered trade and service marks.
employment, unless it is otherwise stated in an agreement with the Registered trade and service mark rights only arise through regis-
employee. However, this default position does not extend to intellectual tration, and can be applied for either in Ireland (in respect of Ireland
property generated by an employee outside their employment (such as only) or more broadly in the EU (as an EU trademark) or internationally.
out of hours or off premises). Trade and service mark rights give registered owners certain rights to
Contractors and consultants (who are not employees) are gener- prevent others using identical or confusingly similar trademarks to their
ally not subject to the default position described above and, unless registered mark.
the agreement between the contractor or consultant includes an Brand owners can also rely on unregistered trademark rights
assignment or other transfer of intellectual property to the customer, through the common law tort of passing-off. This allows the owner to
the contractor or consultant will own any intellectual property rights prevent others from damaging their goodwill with customers by using
generated during the course of the work. Ownership of such intellec- branding or get up that is identical or confusingly similar to their own.
tual property, if related to the subject matter of employment, should be For certain branding (particularly complex branding with artistic
addressed through the relevant contract. elements), copyright protection may also be available.
Trade secrets There are no competition issues that are specific to fintech companies
39 How are trade secrets protected? Are trade secrets kept in Ireland.
confidential during court proceedings?
TAX
Trade secrets are not a standalone right and are not protected sepa-
rately from confidential information under Irish law. Confidential Incentives
information is protected either through a contractual agreement to 43 Are there any tax incentives available for fintech companies
keep certain information confidential, or through the common law obli- and investors to encourage innovation and investment in the
gation to keep information confidential (because of the nature of the fintech sector in your jurisdiction?
relationship between the discloser and disclosee, the nature of the
communication or the nature of the information itself). In addition to Irish corporation tax rate of 12.5 per cent, there are a
There is no general rule that requires confidential information that number of further Irish tax provisions that encourage innovation and
is revealed during court proceedings to be kept secret. It is possible investment in fintech in Ireland, including:
to obtain an order from a court limiting access to such confidential • a 25 per cent tax credit for qualifying R&D expenditure carried on
information, but such orders are given on a case-by-case basis and are within the EEA. This tax credit is in addition to the normal business
typically considered difficult to obtain. deduction for such R&D expenditure (at the 12.5 per cent rate), thus
providing relief for expenditure on R&D at an effective rate of 37.5
per cent. These credits may also be surrendered by the company to
key employees actively involved in R&D activities, thereby reducing
the effective rate of Irish income tax for such employees;
• a best-in-class ‘knowledge development box’ that complies with
the OECD’s ‘modified nexus’ standard. This can reduce the rate
of Irish corporation tax to 6.25 per cent for profits derived from
certain IP assets, where qualifying R&D activity is carried on in
www.lexology.com/gtdt 115
© Law Business Research 2020
Ireland Matheson
Ireland. This relief can also be claimed in conjunction with the R&D
tax credit;
• tax depreciation for certain intangible assets. Such assets can be
amortised for Irish corporation tax purposes either in line with
their accounting treatment or on a straight basis over 15 years;
• the Employment and Investment Incentive (EII) and Start-up
Refunds for Entrepreneurs schemes, which allow individual inves-
tors in fintech companies to obtain Irish income tax relief (of up to
41 per cent) on investments made, in each tax year, into certified
Liam Flynn
qualifying companies. Relief under the EII is available in respect of
liam.flynn@matheson.com
funding of up to €15 million and is available until 2020;
• entrepreneur relief, which allows for a capital gains tax rate of 10 Lorna Smith
per cent on the disposal of certain qualifying business assets up to lorna.smith@matheson.com
a lifetime amount of €1 million;
• an extensive double tax treaty network, totalling 74 treaties, that 70 Sir John Rogerson’s Quay
prevents the taxation of the same portion of a company’s income Dublin 2
by multiple jurisdictions; Ireland
• start-up relief, which provides for a reduction in corporation tax Tel: +353 1 232 2000
liability for the first three years of trading for companies of a Fax: +353 1 232 3333
certain size provided the company was incorporated on or after www.matheson.com
14 October 2008 and began trading between 1 January 2009 and
31 December 2021. This relief can be claimed on both profits from
trading and on capital gains; and
• a stamp duty exemption for transfers of intellectual property. Coronavirus
47 What emergency legislation, relief programmes and other
Increased tax burden initiatives specific to your practice area has your state
44 Are there any new or proposed tax laws or guidance that implemented to address the pandemic? Have any existing
could significantly increase tax or administrative costs for government programmes, laws or regulations been amended
fintech companies in your jurisdiction? to address these concerns? What best practices are advisable
for clients?
There are currently no proposals at Irish national level to significantly
increase tax or administrative costs for fintech companies in Ireland. The Irish Government announced a €5 billion stimulus package for busi-
The OECD has launched a new project on the tax challenges of digi- ness in July 2020, which is to be implemented in legislation shortly. The
talisation. Proposals in respect of this project should be made by the package will include enterprise supports to employers and enterprise-
end of 2020. focused tax reliefs.
The Central Bank has introduced certain initiatives in regulated
IMMIGRATION sectors more generally including the following.
• Countercyclical capital buffer (CCYB): the Central Bank has
Sector-specific schemes released the CCYB from 0 to 1 per cent to assist banks and support
45 What immigration schemes are available for fintech lending to households and businesses.
businesses to recruit skilled staff from abroad? Are there • Mortgage payment breaks: the Central Bank in conjunction with the
any special regimes specific to the technology or financial retail banks implemented a six-month payment break for mortgage
sectors? holders in difficulty as a result of covid-19.
• The Central Bank has established a COVID-19 Crisis Response
There are no specific immigration schemes available for fintech busi- Task Force, with a series of work streams covering subjects such
ness, or the technology and financial sectors, in Ireland. The ordinary as financial and operational resilience, funds and bank liquidity,
rules in relation to employment permit requirements apply. forbearance, and consumer-related issues.
• The Central Bank has announced a series of regulatory flexibility
UPDATE AND TRENDS measures for credit institutions, credit unions, insurers and rein-
surers, securities markets, investment management, investment
Current developments firms and fund service providers to assist with the pressures of the
46 Are there any other current developments or emerging covid-19 pandemic.
trends to note?
In terms of best practices, we are currently advising fintech clients to
We expect Ireland to continue to develop as a leading domicile in this ensure that operational risks continue to be managed, including busi-
area. We also expect the Central Bank of Ireland (the Central Bank) to ness continuity arrangements, and that they continue to ensure robust
follow best EU practice in its regulation of the sector and to adopt a governance and oversight remains in place over any outsourced func-
relatively accommodating approach to fintech innovation, but we do tions in the current environment, and that any changes to business
not necessarily expect the Central Bank to introduce a specific sandbox models and engagement models with customers as a result of covid-19
regime in Ireland. do not create any risks from a consumer protection perspective in terms
of transparency and disclosure, and treating customers fairly.
In Japan, fintech innovation has been quite active in almost every area The Financial Services Agency (FSA) is the main regulatory body of
of finance. In particular cryptocurrency-based businesses, cashless fintech products and services that are regulated under the various
payment or mobile payment services, financial account aggregation financial regulations. The Ministry of Economy, Trade and Industry is
services, robo-advisers and crowdfunding are well known to the public. also the regulatory body for certain payment services (eg, credit cards
In 2018 and 2019, an increasing number of companies entered or other advanced payment services).
into or expanded their businesses in the mobile payment market, and
several companies have launched QR code payment services. As a Regulated activities
result, this market sector has become highly competitive. 4 Which activities trigger a licensing requirement in your
In 2020, security tokens, or digital securities, have become a focus. jurisdiction?
Because of amendments to the relevant laws and regulations, a number
of financial institutions are entering into this new market. The arrangement of investment deals for an investment fund that
Additionally, on 6 March 2020, the Financial Services Agency invests mainly in securities or derivative transactions, constitutes a
submitted a bill to the Diet for: ‘financial instruments business’ under the Financial Instruments and
• the establishment of a financial services intermediary business that Exchange Act (FIEA), and registration under the FIEA is required.
is capable of intermediating the cross-sectoral financial services of To arrange transactions for investments that mainly comprise
banking, securities and insurance under a single license; and securities or derivatives, registration under the FIEA is also required.
• the classification of funds transfer services into three categories, Dealing in investments as principal or agent, under which invest-
based on staggered maximum limits on remittance amounts. ments are made mainly in securities or derivative transactions, may also
The bill was passed by the Diet on 5 June 2020. constitute a financial instruments business under the FIEA (in certain
circumstances); thus, registration under the FIEA may also be required.
Government and regulatory support Giving advice on investments in relation to the value of securities
2 Do government bodies or regulators provide any support or investment decisions on financial instruments under a contract for
specific to financial innovation? If so, what are the key a fee may constitute an ‘investment advisory business’ under the FIEA,
benefits of such support? and registration is required.
Lending money is regarded as a ‘moneylending business’,
Yes. Financial regulators and policymakers in Japan are supportive of which generally requires registration as a moneylender under the
fintech innovation and new technology-focused entrants in the regu- Moneylending Business Act.
lated financial services markets. For instance, the Ministry of Economy, There is no specific licensing requirement for factoring transac-
Trade and Industry has been supportive of the blockchain industry, tions and invoice discounting.
and it hosted the Blockchain Hackathon in February 2019 as part of a Secondary market loan trading does not trigger a licensing
broader effort for the social implementation of blockchain technologies. requirement.
In June 2018, the Japan Economic Revitalisation Bureau, under Acceptance of deposits is generally prohibited without a banking
the auspices of the Cabinet Secretariat, opened a cross-government licence under the Banking Act.
one-stop desk for the regulatory sandbox in Japan (the Regulatory There is no licensing requirement for foreign exchange transactions.
Sandbox). The Regulatory Sandbox can be used by both Japanese and A bank licensed under the Banking Act may conduct funds transfer
overseas companies, enabling them to apply and receive approval for services (which will generally include payment services). Other than
projects, not yet covered by present laws and regulations, to conduct banks, registration under the Payment Services Act as a funds transfer
demonstrations under certain conditions without the need for a legal service provider is required before conducting payment services. If the
amendment to cover the project. payment service is provided as a later payment option using a credit
card, then registration under the Instalment Sales Act is required for
the issuers.
www.lexology.com/gtdt 117
© Law Business Research 2020
Japan Anderson Mori & Tomotsune
Consumer lending individuals and distributes the funds as dividends and returns to inves-
5 Is consumer lending regulated in your jurisdiction? tors. In this structure, the operator is required to be registered both as
a moneylender under the Moneylending Business Act (to provide the
A lender conducting consumer lending activities must register as a loans) and as a financial services provider under the FIEA to solicit the
moneylender under the Moneylending Business Act. The total permis- purchase of interests in TK partnerships to investors.
sible lending amount is generally limited to one-third of the borrower’s
annual income if the borrower is an individual. The cap of the interest Crowdfunding
falls between 15 and 20 per cent per annum depending on the principal 10 Describe any specific regulation of crowdfunding in your
amount of the loan pursuant to the Interest Rate Restriction Act. jurisdiction.
www.lexology.com/gtdt 119
© Law Business Research 2020
Japan Anderson Mori & Tomotsune
PEER-TO-PEER AND MARKETPLACE LENDING Securitisation confidentiality and data protection requirements
26 Is a special purpose company used to purchase and securitise
Execution and enforceability of loan agreements peer-to-peer or marketplace loans subject to a duty of
23 What are the requirements for executing loan agreements or confidentiality or data protection laws regarding information
security agreements? Is there a risk that loan agreements relating to the borrowers?
or security agreements entered into on a peer-to-peer or
marketplace lending platform will not be enforceable? While it is less likely that a special purpose company is used to
purchase and securitise peer-to-peer or marketplace loans, a lending
In terms of a peer-to-peer or marketplace lending platform in Japan, platform operator extending loans to the borrowing participants must
it had been construed that each lending participant would be required comply with the Personal Information Protection Act, which is one of the
to be registered as a moneylender under the Moneylending Business primary data protection laws in Japan.
Act unless there were multiple anonymised borrowing participants.
However, the Financial Services Agency published its interpretation that ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
each lending participant is not required to be so registered if: TECHNOLOGY AND CRYPTO-ASSETS
• all the borrowing participants are corporations;
• the platform is formed as a tokumei kumiai, which is an agree- Artificial intelligence
ment under the Commercial Code to be entered between the 27 Are there rules or regulations governing the use of artificial
platform operator registered as a moneylender and each lending intelligence, including in relation to robo-advice?
participant; and
• the agreement prohibits each lending participant from contacting No. A robo-adviser using artificial intelligence is regulated under the
any borrowing participants for the purpose of collecting money. Financial Instruments and Exchange Act (FIEA), generally in the same
way as an ordinary investment adviser or manager.
In terms of enforceability of loans, the portion of any interests (including
lending-related fees) exceeding 15 per cent or higher (or up to 20 per Distributed ledger technology
cent) of the loan principal amount shall be null and void under the 28 Are there rules or regulations governing the use of
Interest Rate Restriction Act. distributed ledger technology or blockchains?
No.
Crypto-assets On the other hand, tokens that do not fall under the definition of
29 Are there rules or regulations governing the use of crypto- ERTRs but are used as payment instruments are likely to constitute
assets, including digital currencies, digital wallets and crypto-assets or prepaid payment instruments governed by the PSA.
e-money?
DATA PROTECTION AND CYBERSECURITY
While the use of crypto-assets is not directly regulated, a service
provider who deals with digital currencies, digital wallets or e-money Data protection
may be regulated as a crypto-asset exchange service provider, a prepaid 32 What rules and regulations govern the processing and
payment instruments issuer or, as the case may be, a fund transfer transfer (domestic and cross-border) of data relating to
service provider under the Payment Services Act (PSA). fintech products and services?
A crypto-asset exchange service provider is defined as an entity
that, as a business: The Personal Information Protection Act (PIPA) applies to a person who
1 purchases, sells and exchanges crypto-assets; processes and transfers personal data. The general and industry-specific
2 acts as a broker, intermediary or agent with regard to the transac- (including the financial services industry) guidelines regarding protec-
tions listed in (1); tion of personal information are issued by the Personal Information
3 maintains users’ money or crypto-assets in relation to the transac Protection Committee and the relevant government authority (including
tions listed in (1) or (2); or the Financial Services Agency (FSA)), although they do not particularly
4 holds crypto-assets in custody for and on behalf of another person, focus on the fintech industry.
unless otherwise licensed to do so under the applicable laws. The PIPA requires a person who handles a personal information
database in the business (a personal information handling business
A prepaid payment instruments issuer is a person who issues prepaid operator (PIHBO)), as a general rule:
payment instruments for its own or a third party’s business. • not to handle any personal information beyond the scope neces
A fund transfer service provider is an entity that transfers users’ sary for achieving the purpose of use;
funds (not exceeding ¥1 million per transaction) as a business. • not to transfer any personal data to a third party without obtaining
The amended PSA is expected to be implemented in the first prior consent of the relevant data subject;
half of 2021. The amended PSA has refined the regulatory framework • to keep the personal data accurate and updated;
surrounding fund transfer service providers to categorise them into the • to put in place necessary and appropriate measures to maintain
three categories to take into account the amount of funds contemplated the personal data in a safe manner;
in their fund transfer businesses. • to disclose the personal data in hand to the relevant data subject
whenever requested; and
Digital currency exchanges • to correct and delete or cease to use the personal data in hand
30 Are there rules or regulations governing the operation of if the relevant data subject so requests with reasonable grounds.
digital currency exchanges or brokerages?
In the case of the transfer of personal data within Japan, as an excep
Yes. It is regulated as a crypto-asset exchange service. tion to the general rule, a PIHBO may transfer personal data (excluding
sensitive personal information) to a third party without obtaining prior
Initial coin offerings consent of the relevant data subject, if the PIHBO notifies the matters
31 Are there rules or regulations governing initial coin offerings prescribed by the PIPA to the relevant data subject and the Personal
(ICOs) or token generation events? Information Protection Committee.
In the case of the transfer of personal data to a third party
It had not been clear whether initial coin offerings or any other methods located overseas, as a special rule, a PIHBO may not transfer personal
of token generation were governed by the PSA or the FIEA, or both. data unless:
The amended FIEA, which came into effect in May 2020, introduces the • the PIHBO obtains the relevant data subject’s prior consent to the
concept of electronically recorded transferable rights (ERTRs) to clarify transfer of personal data to a third party located overseas;
the scope of tokens governed by the FIEA. The amended PSA clarifies • the relevant third party is located in a jurisdiction having an equiva
that ERTRs do not fall under the category of ‘crypto-assets’ governed lent personal information protection framework to the PIPA; or
by the PSA. • the relevant third party puts in place equivalent personal infor
Tokens generated in security token offerings will constitute ERTRs mation protection measures to those required of a PIHBO
if they meet the three requirements of ‘collective investment scheme under the PIPA.
interests’ under the FIEA (mentioned below) and are represented
by proprietary value transferable by means of an electronic data The aforementioned general rules do not apply in respect of anonymised
processing system. Collective investment scheme interests are deemed data. Instead, the PIPA requires a PIHBO to comply with the standard
to be formed if: prescribed by the PIPA and the relevant government guidelines when
• investors contribute cash or other assets (including crypto-assets) creating and handling anonymised data to ensure that nobody can iden-
to a business; tify any specific individual or recover personal information from such
• the cash or other assets so contributed are invested in the data. A person who handles anonymised data in its business shall, when
business; and transferring it to a third party, publish the items of information relating
• investors have the right to receive dividends of profits generated to individuals contained in it and clearly state that the information to be
from investments in the business. transferred is anonymised.
ERTRs may be subject to the disclosure rules under the FIEA. Offering
of ERTRs will need to be handled by a Type I financial instruments busi-
ness operator registered under the FIEA.
www.lexology.com/gtdt 121
© Law Business Research 2020
Japan Anderson Mori & Tomotsune
IP protection for software Brands may be protected by a trademark. A trademark must be regis-
36 Which intellectual property rights are available to protect tered as a result of successful application with the JPO. Also, protection
software, and how do you obtain those rights? under the Unfair Competition Act may be available for brands, regard-
less of whether they are registered. It must be proven that the product,
Patent or copyright may be available to protect software. Software may or indications, is well known or famous.
be registered as a patent under the Patent Act if it can be deemed as a For fintech businesses to ensure that they do not infringe existing
‘computer program, etc’. Business methods themselves are not patent- brands, they must conduct research of existing trademarks. They can
able; however, a patent may be granted for business methods that are utilise J-PlatPat, the database operated by the National Centre for
combined with computer systems or other devices. Productions in Industrial Property Information and Trading, for initial screening.
which thoughts or ideas are expressed in creative ways (and that fall
within the literary, scientific, artistic or musical domain) are protected Remedies for infringement of IP
by copyright. 41 What remedies are available to individuals or companies
Patent protection must be registered as a result of successful whose intellectual property rights have been infringed?
application with the Japan Patent Office (JPO).
A patent holder or the exclusive licensee or copyright holder can claim
IP developed by employees and contractors for actual damages for losses incurred as a consequence of the infringe-
37 Who owns new intellectual property developed by an ment, and the Patent Act and the Copyright Act provide presumptive
employee during the course of employment? Do the same provisions for the damages. The holder can also seek injunctions
rules apply to new intellectual property developed by against infringing third parties, as well as actions required to prevent
contractors or consultants? the infringement. In addition, it can make claims for unjust enrichment
and licence fee equivalents, and it can seek to restore honour or credit,
Under the Patent Act, a patent for an invention is owned by the inventor. for example, by publication of an apology. Infringing third parties may be
If the inventor is an employee, he or she will own the patent. The right to subject to criminal penalties under the Patent Act and the Copyright Act.
COMPETITION
Sector-specific issues
42 Are there any specific competition issues that exist with
respect to fintech companies in your jurisdiction?
Following recent tax reforms, a tax incentive to promote open innova- UPDATE AND TRENDS
tion is available from April 2020 to the end of March 2022. Under this
new system, a 25 per cent income deduction will apply to investments of Current developments
at least ¥100 million by domestic entities and corporate venture capital 46 Are there any other current developments or emerging
in unlisted venture companies that are less than 10 years old. trends to note?
In addition, the research and development tax incentive system
has been adopted and is often revised with the aim of maintaining and At present, Japanese labour laws do not allow wages and salaries
strengthening initiatives that support Japan’s global competitiveness. to be wire transferred to any account other than bank accounts. The
Japanese government is now considering lifting the limitation so that
Increased tax burden wages and salaries can be paid to users’ accounts held in fund transfer
44 Are there any new or proposed tax laws or guidance that service providers.
could significantly increase tax or administrative costs for
fintech companies in your jurisdiction?
No.
www.lexology.com/gtdt 123
© Law Business Research 2020
Japan Anderson Mori & Tomotsune
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
FINTECH LANDSCAPE AND INITIATIVES a position to support innovators to develop capital market-related inno-
vative ideas to a level of maturity that can be admitted to the sandbox.
General innovation climate The Insurance Regulatory Authority has set up a regulatory
1 What is the general state of fintech innovation in your sandbox to facilitate the testing of new ideas and innovations in the
jurisdiction? insurance sector. The Insurance Regulatory Authority is currently
receiving applications for the first cohort of applicants.
The fintech space in Kenya is vibrant. Investment in the sector has The Central Bank of Kenya has signed a fintech cooperation
been focused on digital-based lenders, peer-to-peer payment providers, agreement with the Monetary Authority of Singapore to support digital
crowdfunding platforms, initial coin offerings and the spread of the use infrastructure development in Kenya and has agreed to collaborate in
of cryptocurrency. Across the globe, Kenya is gaining a reputation as developing basic digital infrastructure services in Kenya, based on a
a leading fintech hub and was recently ranked as number 63 in the set of common standards. The two authorities also launched the Global
global top 100 rankings in the 2020 report of the Findexable Global Fintech Hackcelerator, a platform for start-ups to showcase sustainable
Fintech Rankings. financial services innovations. In addition, they organised the Afro-
The steady growth of fintech in Kenya can be largely attributed to Asia Fintech Festival, a first of its kind in the region, which seeks to
not only market forces but also the interaction and cooperation between explore sustainable financial services innovations from emerging Afro-
industry players, end users and an enabling regulatory framework. Asian markets.
There has also been an increase in the use of fintech in the delivery The Central Bank of Kenya partnered with five commercial banks
of public services; for instance, the Kenyan government has issued to facilitate the launch of a mobile application dubbed Stawi, which is a
mobile-based treasury bonds and has set up a taskforce to explore how lending platform targeted towards small and medium-sized enterprises.
Kenya can leverage blockchain and internet of things technology. It will offer loans of up to 250,000 Kenyan shillings at a preferential
lending rate.
Government and regulatory support
2 Do government bodies or regulators provide any support FINANCIAL REGULATION
specific to financial innovation? If so, what are the key
benefits of such support? Regulatory bodies
3 Which bodies regulate the provision of fintech products and
Regulators and government bodies provide support to financial innova- services?
tion balanced against consumer protection. For example, the Ministry
of Information Communication and Technology set up the Distributed They include the following:
Ledgers Technology and Artificial Intelligence Taskforce, which deliv- • the Ministry of ICT is generally responsible for setting policy to
ered a report on how the emerging technological revolution could be govern the fintech landscape;
leveraged to enhance ICT adoption and development in Kenya. The • the Central Bank of Kenya, established under the Central Bank of
government also collaborates with other governments and mone- Kenya Act 1984 (revised edition 2019), is primarily responsible for
tary agencies. formulating and implementing monetary policy and regulates the
The Capital Markets Authority has signed a cooperation agree- banking and payments sectors;
ment with the Abu Dhabi Global Market and the Australian Securities • the Capital Markets Authority, established under the Capital
and Investments Commission, which provides a framework for coop- Markets Act 2012 is responsible regulating and maintaining capital
eration to support financial innovation between Kenya and the United markets in Kenya;
Arab Emirates and between Kenya and Australia. The Capital Markets • the Communications Authority of Kenya, established under the
Authority is also a member of the Global Financial Innovation Network, Kenya Information and Communication Act 1998 is in charge
an international network of 29 financial services regulators and related of overseeing and developing the information and communica-
organisations that is committed to supporting financial innovation. tion sectors;
The Capital Markets Authority has also set up a regulatory sandbox • the Competition Authority, established under the Competition Act
to test innovative products and services relevant to capital markets in 2010, is purposed with promoting and maintaining fair competition
Kenya in a controlled and monitored environment under a more flex- in markets within Kenya; and
ible regulatory regime. The Authority is currently receiving applications • other regulators, such as the Insurance Regulatory Authority, regu-
for admission to the sandbox from innovators whose ideas have been late fintech products to the extent they are used in connection with
developed to a level of operational testing. Moreover, the Authority is the activities regulated by those regulators.
also working with existing innovation or incubation centres that are in
www.lexology.com/gtdt 125
© Law Business Research 2020
Kenya Coulson Harney Advocates
Regulated activities • the platform or marketplace collects and pools funds from
4 Which activities trigger a licensing requirement in your the public or a section of the public in Kenya for the purpose of
jurisdiction? investment; and
• the funds collected are managed by or on behalf of the scheme by
The following activities trigger a requirement to be licensed by the the promoter.
Capital Markets Authority if the investments in question relate to securi-
ties issued to the public: Considering the above definition, there is a greater likelihood of a
• arranging (bringing about) deals in investments; crowdfunding platform being deemed a collective investment scheme
• making arrangements with a view to transact in investments; than a peer-to-peer or marketplace lending platform. To the extent
• dealing in investments as principal or agent; and that the fintech innovation will be regarded as a collective investment
• advising on investments. scheme, it must be registered with the Capital Markets Authority, which
will regulate the activities of the scheme if approved.
Foreign exchange trading also requires a licence issued by the Capital The Capital Markets Authority, on 28 May 2020, published a note
Markets Authority. titled ‘Guidance for Collective Investment Schemes on Valuation,
Deposit-taking business and provision of payment services require Investment Performance Measurement Reporting and other Related
licensing and authorisation by the Central Bank of Kenya. Lending, Matters’ in recognition of the need to standardise practices in the
factoring and invoice discounting do not require licensing. sector. The Guidance is in draft form and is awaiting public participation.
It seeks to ensure that fund managers of collective investment schemes
Consumer lending have developed comprehensive investment policies and procedures to
5 Is consumer lending regulated in your jurisdiction? govern the valuation of assets. In addition, the fund manager would be
required to prepare and submit to the Authority a performance measure-
Consumer lending constitutes a financial service that does not require ment report quarterly in addition to the existing reporting obligations.
licensing in Kenya. However:
• if the funds used for lending constitute deposits held from Alternative investment funds
members of the public, a license issued by the Central Bank of 8 Are managers of alternative investment funds regulated?
Kenya is required;
• persons undertaking consumer lending must comply with the Yes. If the alternative investment fund is a collective investment scheme
business set-up requirements in Kenya, including the obligation to as defined in the Capital Markets Act 2012, it may only appoint a person
obtain a business permit from the applicable county government who is licensed by the Capital Markets Authority as a fund manager to
where their business premises are located; and manage it.
• persons undertaking consumer lending must comply with the If the alternative investment fund does not constitute a collec-
requirements of the Consumer Protection Act 2012, which include tive investment scheme and is, therefore, not regulated by the Capital
disclosure requirements and restrictions against imposition of Markets Authority, the manager may still have to be regulated as a
penalty charges and prepayment penalties licensed investment adviser or fund manager, depending on the amount
of the portfolio managed on behalf of the fund. An investment adviser
There have been a number of statements by the Central Bank of Kenya may manage a portfolio of up to 10 million Kenyan shillings, whereas
on the issue of regulating consumer lending by digital platforms. The a fund manager’s licence would be required to manage a portfolio
first attempt to do this was through the Financial Markets Conduct Bill exceeding 10 million Kenyan shillings.
2018, which sought to introduce a new prudential regulator in the finan-
cial services sector. The Bill went through public participation but is yet Peer-to-peer and marketplace lending
to be introduced to Parliament. 9 Describe any specific regulation of peer-to-peer or
marketplace lending in your jurisdiction.
Secondary market loan trading
6 Are there restrictions on trading loans in the secondary Except to the extent that peer-to-peer or marketplace lending constitute
market in your jurisdiction? collective investment schemes, these are not generally regulated activi-
ties in Kenya.
There are no regulatory restrictions on trading loans in the secondary If these activities are provided in conjunction with a regulated entity
market. If the loans constitute debt securities issued to the public, (such as banks, financial institutions or payment service providers), the
however, the requirements of the capital markets legislation with product may be subject to approval by the relevant regulator (being
regard to issuance of securities to the public apply. These include the the Central Bank of Kenya), as well as compliance with regulations or
need to obtain the approval of the Capital Markets Authority. guidelines issued by the regulator.
issued thereunder; thus, equity crowdfunding and, depending on The Act requires persons carrying out insurance or reinsurance
the nature of the rewards, reward-based crowdfunding would be business to be licensed by the Commissioner of Insurance. Insurance
regulated; and intermediaries, such as agents, motor assessors, insurance investiga-
• by virtue of the fact that crowdfunding facilitates the transfer of tors and loss adjusters, must also be registered under the Act. There is
value, it may fall within the regulatory ambit of the anti-money no distinction or exemption in place for fintech companies that carry on
laundering and countering the financing of terrorism regulator, the any of these regulated activities.
Financial Reporting Centre, and would be subject to the Proceeds
of Crime and Anti-Money Laundering Act 2009 and the Prevention Credit references
of Terrorism Act 2012. 16 Are there any restrictions on providing credit references or
credit information services in your jurisdiction?
Invoice trading
11 Describe any specific regulation of invoice trading in your Yes, only entities that are licensed by the Central Bank of Kenya under
jurisdiction. the Banking Act (Credit Reference Bureau) Regulations 2020 to conduct
credit reference business may provide credit reference checks.
There is no specific regulation that governs invoice trading in Kenya.
CROSS-BORDER REGULATION
Payment services
12 Are payment services regulated in your jurisdiction? Passporting
17 Can regulated activities be passported into your jurisdiction?
Yes. Payment services are regulated by the Central Bank of Kenya
under the National Payment System Act 2011 and the regulations issued No, regulated activities cannot be passported into Kenya.
thereunder.
These laws require individuals to obtain the authorisation of the Requirement for a local presence
Central Bank of Kenya to carry on a payment services provider business 18 Can fintech companies obtain a licence to provide financial
in Kenya. The laws also empower the Central Bank of Kenya to desig- services in your jurisdiction without establishing a local
nate a payment system, which will be subject to regulation. presence?
Open banking No. To provide regulated financial services in Kenya, a fintech company
13 Are there any laws or regulations introduced to promote must establish a local presence in Kenya. In addition, as part of the
competition that require financial institutions to make licensing process and ongoing compliance requirements, they
customer or product data available to third parties? often require a confirmation of the physical address of the applicant
or licensee.
No. Local laws do not require the mandatory sharing of information by Additionally, the Companies Act 2015 prohibits a company from
financial institutions to make customer or product data available to third carrying out business in Kenya unless it has been registered as a
parties. However, there is a credit referencing framework set up under foreign company.
the Central Bank of Kenya Act 1984 (revised edition 2019).
Kenya passed the Data Protection Act 2019, which requires data SALES AND MARKETING
controllers and processors (in this case, financial institutions), as far as
practicable before collecting personal data, to inform the data subject Restrictions
of, among other things, the third parties with whom their personal 19 What restrictions apply to the sales and marketing of
data may be shared. Customers should be notified of any anticipated financial services and products in your jurisdiction?
sharing of their data, including for purposes of open banking or credit
referencing. The marketing of financial services in Kenya is generally restricted to
licensed entities. Various prudential regulators have sector-specific
Robo-advice restrictions on marketing. For instance, the Central Bank of Kenya
14 Describe any specific regulation of robo-advisers or other requires marketing communication issued by its licensees to indicate
companies that provide retail customers with automated that they are regulated by the Central Bank of Kenya. On the other hand,
access to investment products in your jurisdiction. the Capital Markets Authority grants prior approval of public communi-
cation by its licensees and issuers of securities.
There is no specific regulation pertaining to robo-advisers or other The Consumer Protection Act 2012 also sets out criteria for the
companies that provide retail customers with automated access to marketing of products and services, which require that communication
investment products in Kenya. be clear and true.
However, where the investments in question relate to securities
issued to the public, the company must comply with the capital market CHANGE OF CONTROL
legislation and must obtain a licence.
Notification and consent
Insurance products 20 Describe any rules relating to notification or consent
15 Do fintech companies that sell or market insurance products requirements if a regulated business changes control.
in your jurisdiction need to be regulated?
The consent of the Competition Authority is required if the acquisition of
Yes. The Insurance Act (revised edition 2020) and the subsidiary legisla- shares, business or other assets results in a change of control of a busi-
tion issued thereunder regulates all persons carrying out insurance or ness under the Competition Act 2010. The Rules of the Determination
reinsurance business. of Merger Notification Thresholds and Method of Calculation provide
www.lexology.com/gtdt 127
© Law Business Research 2020
Kenya Coulson Harney Advocates
guidelines on the transactional limits that require a merger notifica- • National Payment System (Anti-money Laundering Guidelines for
tion and an application for the exclusion or approval of the Competition the Provision of Mobile Payment Services) Guidelines 2013, which
Authority. provide guidance to mobile payment services on the monitoring
In addition to the approval of the Competition Authority, if certain and reporting of suspected money laundering activities on their
regulated entities change control, they must obtain approval or notify platforms; and
the relevant regulator. For example: • Guidelines on the Prevention of Money Laundering and Terrorism
• a regulated telecommunications entity must notify the Financing in the Capital Markets (Gazette Notice 1421), which
Communications Authority of any change of control, and where the emphasise the need for due diligence, record-keeping, the estab-
change of control affects at least 15 per cent of the shareholding, lishment of policies and procedures to address specific risks
the approval of the Communications Authority must be sought; associated with the use of new technology and business rela-
• a person who intends to acquire at least 5 per cent of the share tions or transactions conducted at a distance, and reporting to the
capital of any licenced bank must obtain the approval of the Central Financial Reporting Centre.
Bank of Kenya;
• any amalgamation of a bank or financial institution, or arrange- Fintech businesses that fall within the definition of reporting institutions
ment to transfer any part of the assets or liabilities, must obtain under the Proceeds of Crime and Anti-Money Laundering Act 2009 and
the written approval of the Cabinet Secretary of National Treasury the Prevention of Terrorism Act, 2012 should register with the Financial
and Planning; Reporting Centre, actively exercise due diligence and conduct legal
• a transfer of more than 10 per cent of a deposit-taking micro compliance audits to avoid violating the law.
finance institution requires the prior approval of the Central Bank
of Kenya; PEER-TO-PEER AND MARKETPLACE LENDING
• a person who intends to acquire or dispose of 10 per cent or more
of the share capital of an insurance company must obtain the Execution and enforceability of loan agreements
approval of the Insurance Regulatory Authority; 23 What are the requirements for executing loan agreements or
• for listed entities, the takeover regime requires the purchaser to security agreements? Is there a risk that loan agreements
notify the Capital Markets Authority, the target and the Nairobi or security agreements entered into on a peer-to-peer or
Securities Exchange if it intends to acquire effective control of the marketplace lending platform will not be enforceable?
target entity; and
• every company carrying out business in Kenya must inform the Under the general Contract Law, it is advisable for parties to execute an
Kenya Revenue Authority of any changes in the case of persons with agreement that is valid, certain and provable. Execution formalities in
a shareholding of 10 per cent or more of the issued share capital. relation to corporate entities largely depend on the constitutive docu-
ments and applicable laws. For instance, the Companies Act provides
FINANCIAL CRIME that in respect of companies and for any agreement to be validly
executed, it must be either signed by a director in the presence of a
Anti-bribery and anti-money laundering procedures witness or by any two authorised signatories.
21 Are fintech companies required by law or regulation to have Additional execution requirements, such as attestation, may apply,
procedures to combat bribery or money laundering? particularly for security documents. Pursuant to recent changes under
the law, electronic signatures are acceptable as valid signatures to
Yes. Fintech companies, as is the case of all other companies offering the extent that they meet the requirements regarding the reliability of
regulated financial services in Kenya, must have procedures to combat advanced electronic signatures. These requirements are set out under
bribery or money laundering, including procedures to maintain robust the Kenya Information and Communications Act 2010.
know-your-customer procedures and to report any suspicious activity An internet agreement should comply with the provisions of the
by customers that may be indicative of money laundering activities. Consumer Protection Act 2012. An internet agreement is defined as an
agreement that is formed by text-based internet communications. The
Guidance Act requires full disclosure of all prescribed information to a customer.
22 Is there regulatory or industry anti-financial crime guidance However, it is not clear what prescribed information is to be provided as
for fintech companies? this has not been provided under the Act. An online loan agreement will
be enforceable if a customer is given an opportunity to accept, decline
Kenya does not have an industry anti-financial crime guidance. or correct any errors before concluding the agreement. Moreover, the
Nonetheless, all entities operating in Kenya and their officers fall internet agreement will be validly executed by the use of an electronic
under the purview of laws relating to anti-financial crime, including signature.
fintech companies. The anti-financial crime laws require entities to In addition, unless exempted from payment of stamp duty, agree-
comply with the: ments must be stamped with the relevant stamp duty to be enforceable.
• Bribery Act 2016, which requires private entities to put in place Stamp duty payment and assessment may be done using the online
procedures appropriate to their size and nature of their operations Kenya Revenue Authority platform. Failure to stamp the agreements
for the purposes of preventing bribery and corruption; does not render them invalid, but the lack of stamping means that
• Proceeds of Crime and Anti-Money Laundering Act 2009 and the they may not be admissible before the Kenyan courts as evidential
Prevention of Terrorism Act 2012, which prohibit the use of prop- documents. Further, security agreements should be registered at the
erty for money laundering purposes. They specifically target money relevant registries in accordance with applicable laws.
laundering, tax evasion, theft, fraud, terrorist financing, drug traf-
ficking, piracy, bribery and corruption;
• Anti-Corruption and Economic Crimes Act 2003, which provides
for the prevention, investigation and punishment of corruption,
economic crime and related offences;
Assignment of loans solely on automated processing, including profiling, that produces legal
24 What steps are required to perfect an assignment of effects concerning or significantly affecting the data subject.
loans originated on a peer-to-peer or marketplace lending
platform? What are the implications for the purchaser if the Distributed ledger technology
assignment is not perfected? Is it possible to assign these 28 Are there rules or regulations governing the use of distributed
loans without informing the borrower? ledger technology or blockchains?
The assignment of loans that originated on a peer-to-peer or marketplace There are no rules or regulations governing the use of distributed ledger
lending platform should be registered on the online collateral registry, technology or blockchains.
in accordance with the Movable Property Security Rights Act 2017, for
the assignment to be effective against third parties. The registration is Crypto-assets
done online on the eCitizen online platform. It is fairly straightforward, 29 Are there rules or regulations governing the use of crypto-
and it requires the registrant to have a user account, that is, an eCitizen assets, including digital currencies, digital wallets and
account that allows access to the eCitizen online platform. e-money?
Where registration is not undertaken, the assignment may
not be enforceable against a receiver or creditors of the assignor or There are currently no regulations that regulate the use of crypto-assets
other parties. in Kenya. However, the Central Bank of Kenya has warned the Kenyan
It is also necessary to inform or notify the borrowers or debtors public against dealing in virtual currencies, and the Capital Markets
about the assignment to ensure that they are bound to channel repay- Authority has cautioned that it has not approved any initial coin offerings
ments in accordance with the assignee’s instructions. Borrowers or because of the perceived volatility and the lack of specific regulation.
debtors who have been notified can only be discharged by making The notice by the Central Bank of Kenya stated that virtual currencies
payment as instructed in the notification. are not acceptable since they are not legal tender in Kenya. However, it is
unclear what the legal position is in respect of virtual currencies that have
Securitisation risk retention requirements been designated as legal tender in foreign jurisdictions as they would fall
25 Are securitisation transactions subject to risk retention within the definition of foreign currency, which is acceptable in Kenya.
requirements? Digital wallets and e-money constitute payment instruments under
the National Payment System Act 2011, which defines a payment instru-
The regulation governing securitisation transactions requires that, as ment as an instrument that enables a person to obtain money, goods or
key features of asset-backed securities, the special purpose vehicle services or to otherwise make payments. Accordingly, the use of digital
used in the securitisation be bankruptcy or insolvency-remote, and that wallets and e-money is regulated and governed by the Act and would
there should be a true sale of the assets to the special purpose vehicle need to comply with the conditions contained within it, including the
or a direct origination of assets into the special purpose vehicle. Other requirement of the digital wallet or e-money provider to register with
than those, there are no risk retention requirements. the Central Bank of Kenya.
www.lexology.com/gtdt 129
© Law Business Research 2020
Kenya Coulson Harney Advocates
The Data Protection Act 2019 is the overarching legislation in Kenya instance, the National Payment System Act 2011 requires prior approval
that regulates collection, processing and related actions governing of the Central Bank of Kenya for material outsourcing and prior notifica-
the handling, use and storage of personal data. The Act applies to the tion where the outsourcing is not material. The Banking Act (revised
processing of personal data by resident and non-resident data control- edition 2019) also requires that licensees apply for the prior approval of
lers and processors where the data subjects are located in Kenya. the Central Bank of Kenya for any material outsourcing.
There are certain restrictions related to the processing of sensitive
personal data. Cloud computing
Fundamentally, all processing of personal data should only be 35 Are there legal requirements or regulatory guidance with
carried out in accordance with the data protection principles under the respect to the use of cloud computing in the financial services
Data Protection Act 2019. A data controller or processor is not permitted industry?
to process personal data unless it has a lawful basis for the processing,
such as consent or necessity, or the processing is for the performance The ICT Authority of Kenya published the Cloud Computing Standard
of a contract. However, where the data constitutes sensitive personal 2019 (the Standard), which outlines various considerations for minis-
data, it should only be processed if the processing is necessary for the tries, counties or agencies in the selection of services and models for
purpose of carrying out the obligations and exercising specific rights of online storage services, applications and data, such as software as a
the controller or the data subject. A data controller or processor must service, infrastructure as a service, public cloud, private cloud, commu-
obtain the personal data directly from the data subject and may only nity cloud and hybrid cloud. It is recommended that fintech service
collect the data from a third party in accordance with the provisions of providers model their products in accordance with the Standard to
the Data Protection Act 2019. allow for the use of the products and solutions by government agencies.
A data controller or processor that transfers personal data outside In addition, where cloud computing involves the transfer of personal
Kenya should ensure that it obtains the data subject’s consent or have data to data servers located outside Kenya, fintech companies should
in place appropriate safeguards for the protection of the data that is ensure compliance with the Data Protection Act 2019.
subject to the transfer. Where the personal data being transferred
constitutes sensitive personal data, the consent of the data subject INTELLECTUAL PROPERTY RIGHTS
must be obtained, and adequate data protection safeguards must be
put in place. IP protection for software
36 Which intellectual property rights are available to protect
Cybersecurity software, and how do you obtain those rights?
33 What cybersecurity regulations or standards apply to fintech
businesses? Copyright
The ownership of copyright to a computer program belongs to the
All companies in Kenya, including fintech businesses, are subjected to creator of the software. Subject to the provisions of the Copyright
the Computer Misuse and Cybercrimes Act 2018, which aims to protect Act 2001, the copyright holder enjoys the right to copy the software,
the confidentiality, integrity and availability of computer systems, create derivative or modified versions of it and distribute copies to the
programs and data, as well as facilitate the prevention, detection, inves- public for sale or licence. The rights come into existence immediately
tigation, prosecution and punishment of cybercrimes. The Act provides upon the production of the work in a tangible medium of expression.
for various offences including, inter alia, system interference; unlawful However, it is recommended to register the copyright with the Kenya
interception of computer data, traffic data or signals; unlawful intercep- Copyright Board.
tion of electronic messages or money transfers; and wilful misdirection
of electronic messages. Patent
In addition, the Central Bank of Kenya issued the Guideline on Patent protection is available for inventions of novel software that,
Cybersecurity for Payment for Service Providers 2019. The Guideline beyond being novel, also disclose an inventive step that is machine
sets out the minimum requirements that payment service providers linked and is industrially applicable. Patent protection is not available
should build on in the development and implementation of strategies, for software that comprises business methods or results in a score. A
frameworks, policies and procedures to mitigate cyber risk and enhance patent holder will enjoy the right to exclusive use, sale and distribution
cybersecurity governance and risk management. This Guideline builds of the software.
on a 2017 guidance note issued by the Central Bank of Kenya in August An eligible applicant should submit their claims and the prescribed
2017, which set the minimum requirements that regulated institutions Form IP3 to the Registrar of Patents at the Kenya Industrial Property
must factor into their standards, policies and procedures. Institute, requesting the Registrar to grant a patent under the Industrial
For fintech businesses that are also telecommunications licensees, Property Act 2001. Kenya operates a substantive examination process
they are mandated, at all times, to ensure the integrity of their commu- that includes a worldwide novelty search. Patent holders’ rights may be
nications infrastructure and to desist from unlawful interception of any subject to compulsory licensing where certain conditions under the Act
messages or correspondence between users. are met for reasons of public interest or are based on the interdepend-
ence of patents.
OUTSOURCING AND CLOUD COMPUTING Patent holders are prohibited from including unjustified restrictions
in licences on the licensee where the restrictions are harmful to the
Outsourcing economic interests of Kenya. The restrictions are put in place to ensure
34 Are there legal requirements or regulatory guidance with that the terms of licensing are fair, reasonable and non-discriminatory.
respect to the outsourcing by a financial services company of
a material aspect of its business? Trademarks
Although trademarks do not protect the software or technology itself,
Yes, where financial services companies are regulated, various pruden- they can be used to protect the names or symbols used to distinguish a
tial statutes have legal requirements in respect of outsourcing. For particular software or product in the marketplace.
IP developed by employees and contractors of the right, the proprietor can institute a claim for damages and may
37 Who owns new intellectual property developed by an obtain an injunction preventing future use of the infringing mark.
employee during the course of employment? Do the same A fintech business seeking to avoid infringing on any existing
rules apply to new intellectual property developed by brands should conduct a search of the particular mark they propose to
contractors or consultants? use at the trademarks registry to determine whether a brand is avail-
able for use or registration prior to use in Kenya.
The Industrial Property Act 2001 and the Copyright Act 2001 provide
that intellectual property developed by an employee during the course Remedies for infringement of IP
of employment belongs to the employer. This notwithstanding, where an 41 What remedies are available to individuals or companies
invention is exceptionally important, an employee is entitled to equitable whose intellectual property rights have been infringed?
remuneration.
Intellectual property developed by a contractor or consultant while In terms of copyright infringement under the Copyright Act 2001, an
executing a commission belongs to the person who commissioned the aggrieved party should alert the Kenya Copyright Board to seize the
work unless otherwise agreed between the parties in writing infringing materials and initiate appropriate criminal proceedings. Civil
proceedings may also be initiated by aggrieved parties, and some of the
Joint ownership remedies that may be sought include injunctions and damages.
38 Are there any restrictions on a joint owner of intellectual In respect of trademarks, enforcement proceedings should be
property’s right to use, license, charge or assign its right in filed against any infringing action before the High Court of Kenya.
intellectual property? If successful, the aggrieved party may be entitled to an injunction to
prevent the future use of the trademark, damages, an account for profits
Yes, a joint owner must obtain the consent of the other joint owner of by the infringer, delivery up and destruction of goods, products or mate-
the intellectual property right to use, license, charge or assign its right rial bearing the infringing marks.
in the intellectual property. Patent infringement proceedings are instituted before the
It is recommended that joint owners set out each party’s rights and Industrial Property Tribunal, which sits within the Kenya Industrial
obligations in an agreement. Property Institute. The aggrieved party may be entitled to an injunction
to prevent the future use of the patent and damages.
Trade secrets
39 How are trade secrets protected? Are trade secrets kept COMPETITION
confidential during court proceedings?
Sector-specific issues
In Kenya, protection of trade secrets is mostly by way of common law 42 Are there any specific competition issues that exist with
and equity (and there are a few judicial decisions on this topic). Some respect to fintech companies in your jurisdiction?
form of protection of trade secrets can also be found in various pieces of
legislation, such as those relating to employment and contracts. The Competition Act 2010 provides the statutory framework governing
Kenya does not have a statute dedicated to the protection of trade competition within Kenya. Specific to fintech companies, the Act
secrets. However, Kenya is a signatory to the Agreement on Trade- provides that in the provision of banking, microfinance, insurance and
Related Aspects of Intellectual Property Rights, which regulates the other services, the services provider is not permitted to impose unilat-
unauthorised use and disclosure of trade secrets. eral charges and fees if these have not been brought to the attention
To protect trade secrets, non-disclosure agreements may be used, of the consumer prior to their imposition or prior to the provision of
and information that is confidential should be marked as such and kept the service.
confidential, and its circulation should be limited to restricted persons. In addition, fintech companies must ensure not to engage in restric-
tive trade practices that are prohibited by the Competition Act, including
Branding entering into any agreements or undertakings, the effect of which
40 What intellectual property rights are available to protect prevent or weaken competition in the trade of any goods and services.
branding and how do you obtain those rights? How can
fintech businesses ensure they do not infringe existing TAX
brands?
Incentives
Branding is protected in Kenya by registration of a brand as a trademark 43 Are there any tax incentives available for fintech companies
under the Trade Marks Act 1982 (revised edition 2012). A trademark and investors to encourage innovation and investment in the
is defined as a mark, which includes a guise, slogan, device, brand, fintech sector in your jurisdiction?
heading, label, ticket, signature, word, letter or numeral or any combi-
nation of these, that is used to distinguish a product or service. There are currently no tax incentives specifically available to fintech
To be afforded protection under the Act, an applicant is required companies in Kenya.
to register the trademark with the Registrar of Trademarks at the
Kenya Industrial Property Institute, using the prescribed Form TM2 and Increased tax burden
providing a specimen of the trademark. Trademark protection is avail- 44 Are there any new or proposed tax laws or guidance that
able for product names, logos, dress, certification marks and collective could significantly increase tax or administrative costs for
marks. Trademarks must be distinctive for them to be registrable fintech companies in your jurisdiction?
and enforceable against third parties unless acquired distinctiveness
through use can be proven. Under the Income Tax Act (revised edition 2019), income that is derived
Upon registration of a trademark, the proprietor of the trademark from or that accrues in Kenya through a digital marketplace is subject
will enjoy the right to exclusive use of the trademark. Upon infringement to income tax at the prescribed rates, namely 25 per cent for Kenya
www.lexology.com/gtdt 131
© Law Business Research 2020
Kenya Coulson Harney Advocates
tax residents and 37.5 per cent for permanent establishments for non-
resident persons. A digital marketplace has been defined as a platform
that enables the direct interaction of buyers and sellers though elec-
tronic means.
The Finance Bill, 2020 (the Bill) proposes to amend the Income Tax
Act (revised edition 2019) by introducing a digital services tax (DST) that
will be payable by a person whose income is derived from or that is
accrued in Kenya through a digital marketplace. The DST will be payable
at the time of transfer of the payment for the services to the services John Syekei
john.syekei@bowmanslaw.com
provider. The rate of DST is 1.5 per cent of the gross transactional
value. For residents and permanent establishments of a non-resident Dominic Indokhomi
person (foreign companies), the DST is proposed to be an advance tax dominic.indokhomi@bowmanslaw.com
that can be utilised towards offsetting a taxable person’s tax liability Irene Muthoni
for that year of income. The Bill also provides for the appointment of a irene.muthoni@bowmanslaw.com
digital services agent by the Kenya Revenue Authority for purposes of
Mercy Mwaniki
collecting the DST.
mercy.mwaniki@bowmanslaw.com
Under the Value Added Tax Act 2013, services in relation to the
issue, transfer, receipt and any other dealing with money, including
money transfer services and telegraphic money transfer services, are 5th Floor, West Wing
exempt from value added tax (VAT). ICEA Lion Centre Riverside Park
For the supply of electronic services, these are subject VAT at the Chiromo Road Nairobi
standard rate, which is 14 per cent. Electronic services comprise the Kenya
Tel: +254 20 289 9000
following services when offered through a telecommunications network:
Fax: +254 20 289 9100
• websites, web-hosting, or remote maintenance of programs and
www.bowmanslaw.com
equipment;
• software and the updating of software;
• images, text and information;
• access to databases; UPDATE AND TRENDS
• self-education packages;
• music, films and games, including games of chance; and Current developments
• political, cultural, artistic, sporting, scientific and other broadcasts 46 Are there any other current developments or emerging
and events, including broadcast television. trends to note?
Additionally, VAT is chargeable on supplies made through a digital The mainstream use of fintech is gaining traction in Kenya, and both
marketplace. The implementation of the provision is subject to the issu- commercial enterprises and government entities are exploring the
ance of regulations by the Cabinet Secretary in charge of the National adoption of fintech to improve service delivery; for instance, blockchain
Treasury and Planning. The Cabinet Secretary recently issued the VAT solutions are being explored to streamline and update the land registra-
(Digital Market Supply) Regulation (the Draft Regulations) for public tion process.
comment. The Draft Regulations provide for a number of matters, At the same time, fintech innovation has led to the development
including taxable services chargeable to VAT when supplied through of various platforms, such as Kopa Link, that aim to bridge the finan-
a digital marketplace and registration of non-resident digital services cial gap by making financial products more accessible to a larger
providers under a simplified registration regime or appointment of a tax population.
representative where necessary. An emerging trend is the taxation of the digital economy with the
The proposed taxes target both the parties transacting in a digital introduction and proposal of digital taxes on supplies of digital services
marketplace as well as the operator of the digital marketplace platform. and the revenues of digital services providers.
The growth of the fintech industry is likely to be accelerated by the
IMMIGRATION covid-19 pandemic as the Kenyan government has discouraged cash
transactions, leading to an increase in use of other payment services,
Sector-specific schemes especially mobile-based payment solutions.
45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there Coronavirus
any special regimes specific to the technology or financial 47 What emergency legislation, relief programmes and other
sectors? initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
There are no immigration schemes available for fintech businesses to government programmes, laws or regulations been amended
recruit skilled staff from abroad. There is also no special regime specific to address these concerns? What best practices are advisable
to the technology or financial sectors. Any person can apply under the for clients?
Kenya Citizenship and Immigration Act 2011 for a work permit. However,
ICT experts require clearance from the ICT Ministry to support their Some of the measures implemented by the government to contain the
application for a work permit from the Immigration Department. spread of the coronavirus and cushion the economy against the adverse
effects of the pandemic include those listed below.
• The government has discouraged the use of physical cash. Through
the Central Bank of Kenya in partnership with licensed banks, the
www.lexology.com/gtdt 133
© Law Business Research 2020
Liechtenstein
Thomas Nägele and Thomas Feldkircher
NÄGELE Attorneys at Law
FINANCIAL REGULATION assignment price paid for the purchased receivables without the possi-
bility of a redemption. The retailer is only liable for the legal existence of
Regulatory bodies its assigned customer claim.
3 Which bodies regulate the provision of fintech products and However, if loans (in the sense of a lending business) are traded (ie,
services? a new creditor is entering the agreement), then this will likely constitute
a banking business. This must be differentiated on a case-by-case basis.
The Financial Market Authority (FMA) is the supervisory authority in the
fintech sector, as well as the Liechtenstein financial market in general. Collective investment schemes
The FMA has an entire department solely dedicated to the fielding of 7 Describe the regulatory regime for collective investment
fintech-related inquiries. schemes and whether fintech companies providing
alternative finance products or services would fall within its
Regulated activities scope.
4 Which activities trigger a licensing requirement in your
jurisdiction? The Liechtenstein Collective Investment Scheme Regulation is mainly
based on the Undertakings for the Collective Investment in Transferable
As Liechtenstein is a member of the EEA, general EU regulations and Securities (UCITS) Directive (2009/65/EC) and the Alternative
directives apply (with an EEA Joint Committee decision required). All Investment Fund Managers Directive (2011/61/EU) (AIFMD) and is
banking activities (deposit and loan business), as well as investment therefore harmonised within the European Union and the EEA.
services pursuant to Annex I of Markets in Financial Instruments An ‘alternative investment fund’ (AIF) is broadly defined as an
Directive II are regulated. In addition, payment services pursuant to the undertaking collecting capital to invest it pursuant to a defined invest-
Payment Services Directive (2015/2366/EC) (PSD2) and the E-money ment strategy on behalf of the investors.
Directive (2009/110/EC) are regulated. This represents an advantage A ‘UCITS’ refers to an undertaking that raises capital from the
for start-ups based in Liechtenstein that benefit from the EU passport, public and invests this capital collectively in specific transferable secu-
a system allowing providers of financial services already licensed in the rities on the principle of risk spreading.
EEA to offer their services in other EEA countries (and, thus, including
the EU) without additional approval requirements. Alternative investment funds
Since 1 January 2020, legal and natural persons with headquar- 8 Are managers of alternative investment funds regulated?
ters (registered office) or a place of residence in Liechtenstein who wish
to professionally act as trustworthy technologies service providers (TT With funds, it is crucial to distinguish between the investment portfolio
service providers) must apply to be entered into the TT Service Provider and the shares of the fund. Since a fund pursuant to the UCITS Directive
Register in writing with the FMA before beginning their activity. This may invest only in specific types of financial product, a true crypto-fund
also applies to token issuers that issue tokens in their own name or is not feasible and only the shares of the fund may be tokenised. In that
in the name of a client in a non-professional capacity if tokens in the sense, a true crypto-fund can only be achieved under the AIFMD, as this
amount of 5 million Swiss francs or more are issued within a 12-month is primarily a fund-manager regulation, rather than an investment-fund
period. According to the transitional provisions of the Law on Tokens regulation. An AIF mainly targets professional investors.
and TT Service Providers (the Blockchain Act), however, persons who, Hence, a fund pursuant to the AIFMD may invest in a crypto-port-
on the date the Act entered into force, had already provided TT services, folio and its shares may be tokenised. A central aspect of an AIF is the
were required to register within a 12-month period of the Blockchain Act pooling of capital or assets. These criteria must be broadly construed to
entering into force. mean any assets. Thus, a fund may hold yachts in its portfolio or other
commodities, such as tokens.
Consumer lending
5 Is consumer lending regulated in your jurisdiction? Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or
Regulation of consumer lending depends on the concrete business marketplace lending in your jurisdiction.
model. Taking deposits (in legal tender) and lending this money to
others (deposit and lending business) are considered to be banking No specific regulation applies to peer-to-peer lending. EU legislation
activities, which are both reserved to licensed banking institutions. If a applies and it should be analysed if banking business is conducted.
platform is operated that enables users to provide these kinds of activi-
ties to other participants, then this could be an illegal business model. Crowdfunding
However, it depends on the exact use case. In addition, if loans are given 10 Describe any specific regulation of crowdfunding in your
in the form of tokens (which neither represent e-money nor financial jurisdiction.
instruments), then the Banking Act is not applicable, as it deals with
legal tender (fiat) only. An EU directive on crowdfunding is due to be enacted in the future, which
will affect Liechtenstein jurisprudence owing to the country’s harmoni-
Secondary market loan trading sation with the European Union as an EEA member state. At present, an
6 Are there restrictions on trading loans in the secondary initial coin offering (ICO) or a token generation event may be regulated
market in your jurisdiction? in Liechtenstein if security tokens are being issued. In general, there is
no singular act specific to ICOs that regulates crowdfunding, but several
If obligations from a debtor to a creditor are purchased (eg, if the retail- laws may apply.
er's receivables are purchased by a company) and the risk of insolvency Moreover, the Blockchain Act directly applies to token generating
(eg, of the customer as debtor) is assumed by the buyer upon conclu- events, ICOs and security token offerings.
sion of the assignment agreement (credit risk function), there is no
requirement for special financial licences. The retailer may retain the
www.lexology.com/gtdt 135
© Law Business Research 2020
Liechtenstein NÄGELE Attorneys at Law
Factoring is not regulated as a financial market activity if the risk of The Liechtenstein Insurance Act is based on the Insurance Distribution
insolvency is assumed by the buyer. Only a commercial business licence Directive (2016/97/EC) and the distribution of insurance products is a
is required from the Office of Economic Affairs. If a TT service is offered, regulated activity.
registering under the Blockchain Act is required. Depending on the
use case, the registration under the Blockchain Act may supersede the Credit references
requirement for a business licence. 16 Are there any restrictions on providing credit references or
credit information services in your jurisdiction?
Payment services
12 Are payment services regulated in your jurisdiction? Credit references and information services may constitute account
information services pursuant to PSD2.
The revised Liechtenstein Payment Service Act, which is based on PSD2,
entered into force on 1 October 2019. The E-money Act, which is based CROSS-BORDER REGULATION
on the EU E-money Directive, is also relevant to payment services.
For a variety of business models, the application of PSD2 could Passporting
trigger the need for a payment services licence. 17 Can regulated activities be passported into your jurisdiction?
Open banking Since Liechtenstein is a member of the EEA, the financial market –
13 Are there any laws or regulations introduced to promote along with the licensed financial intermediaries – is generally fully
competition that require financial institutions to make harmonised. This allows passporting (notification) throughout the
customer or product data available to third parties? European Union and the EEA, which enables companies to make use
of the freedom of services and the freedom of establishment within the
PSD2 introduces the new roles of a payment initiation service provider European single market.
and an account information provider. In this regard, banking institutions
must, to a certain extent, make customer or product data available to Requirement for a local presence
third parties. 18 Can fintech companies obtain a licence to provide financial
services in your jurisdiction without establishing a local
Robo-advice presence?
14 Describe any specific regulation of robo-advisers or other
companies that provide retail customers with automated Companies can make use of the freedom of services to provide financial
access to investment products in your jurisdiction. services without establishing a local presence. In contrast to services
provided under the freedom of services, when establishing a branch,
The automated distribution of financial instruments (robo-advice) can, supervision may be split between the home and target jurisdiction
depending on the business model, meet the definition of investment supervisory authority.
advice and may require a banking or investment firm licence or a licence
under the Asset Management Act – provided, however, that financial SALES AND MARKETING
instruments are issued or services in relation to them are offered.
Article 4 (1) (1) of the AIFMD provides that an AIF is any collective Restrictions
investment undertaking, including the sub-funds thereof, that raises 19 What restrictions apply to the sales and marketing of
capital from a number of investors with the intention of investing it financial services and products in your jurisdiction?
to benefit of these investors in accordance with a defined investment
strategy, and is not a UCITS as defined in the UCITS Directive nor an The provision of financial services (investment or ancillary services)
investment undertaking as defined in the Investment Undertakings is regulated under the Markets in Financial Instruments Directive II.
Act. In this context, the term ‘capital’ is very broad, including not only Likewise, the marketing of financial services may be deemed to be an
traditional assets (such as equity or real estate) but also assets such investment service.
as ships, forests and wine. Thus, conventional commodities are also
included, which include cryptocurrencies, unless they are already CHANGE OF CONTROL
covered in another manner by financial market regulations. A collective
investment is a necessary characteristic of an AIF. Collective investment Notification and consent
means that capital raised from investors is pooled together and invested 20 Describe any rules relating to notification or consent
for the benefit of the investors, in line with the predefined investment requirements if a regulated business changes control.
strategy. However, if capital is raised to be invested according to an
unchangeable algorithm, which could be the case with a robo-advice, it Licensed intermediaries and institutions must notify the Financial
can be argued that the fund regulations do not apply as long as there is Market Authority of any qualified holdings (10 per cent or more).
no discretion in the investment of the collected capital.
www.lexology.com/gtdt 137
© Law Business Research 2020
Liechtenstein NÄGELE Attorneys at Law
in the act serve to combat money laundering, organised crime and Digital currency exchanges
terrorist financing, and apply to providers of exchange services, among 30 Are there rules or regulations governing the operation of
others. An ‘exchange office’ is defined as any natural or legal person digital currency exchanges or brokerages?
whose activities consist of the exchange of legal tender at the official
exchange rate or of virtual currencies against legal tender and vice As there are various forms of crypto-exchanges, varying regulations
versa. ‘Virtual currencies’ are defined as ‘digital monetary units, which apply in certain cases. Exchanges that match the buying and selling
can be exchanged for legal tender, used to purchase goods or services interests (matched principal trading; multilateral) with regard to utility
or to preserve value and thus assume the function of legal tender’. tokens against fiat and cryptocurrencies are deemed to be unregulated
Pursuant to the Report and Motion 2016/159, 31, the most famous and may only require a trade licence from the Office of Economic Affairs
example of such a virtual currency is bitcoin. to conduct an operating business or a registration under the Blockchain
‘E-money’ is defined as any electronically or magnetically stored Act (eg, if providing services as trustworthy technologies (TT) service
monetary value in the form of a claim against the issuer of electronic provider). In both cases, the exchange is required to comply with the
money issued against the payment of a sum of money to effect payment obligations under the DDA. However, the settlement in fiat is considered
transactions within the meaning of the Payment Service Act, and that to be a regulated payment service (especially as the commercial broker
is accepted by natural or legal persons other than the issuer of elec- exemption is no longer applicable under PSD2 when acting both on the
tronic money. In that sense, there are five characteristics or attributes buyer and seller side).
of e-money: However, if these tokens are traded against the own book for fiat
• having electronic or magnetic monetary value; payments, it may be deemed to be a ‘TT exchange service provider’
• involving a claim against the issuer (central issuance); pursuant to the Blockchain Act. This type of exchange must be regis-
• being obtained by money (legal tender and e-money itself); tered with the FMA.
• being suitable to conduct payments; and There are also security token exchanges. These kinds of exchange
• being accepting by third parties. are fully regulated pursuant to the Markets in Financial Instruments
Directive II and require an investment firm with a multilateral trading
Cryptocurrencies such as bitcoin are mined; therefore, they cannot be facility (MTF) or an organised trading facility (OTF). The main differ-
classified as e-money, because there is no claim against the issuer. In ences between an MTF and an OTF are that all financial instruments
addition, if tokens (eg, in an ICO) can only be obtained through the use may be traded on an MTF, whereas only certain debt instruments may
of other cryptocurrencies (non-regulated tokens), then the E-Money Act be traded on an OTF (the OTF may also act on a bilateral basis regarding
is not applicable. With regard to the payment function and acceptance government bonds). Therefore, an MTF has participants while an OTF
by third parties, two major exemptions may be relevant. If only a limited has customers (also owing to the discretionary execution). Another
product range or range of services can be obtained with a newly gener- difference between the two trading facilities is that an OTF allows
ated and issued token, then an exemption from the e-money regime discretionary trading and matching rules, compared to the non-discre-
applies. The same applies if only a restricted service provider network tionary nature of an MTF.
accepts the tokens as a means of payment (this is especially relevant Lastly, it is possible to set up fully decentralised peer-to-peer
for franchises). security exchanges without any regulation requirements. With a
However, the e-money regime is generally not suitable for block- decentralised network operating an exchange, there is no entity to be
chain and crypto-technology. Most of the stablecoins (coins pegged to regulated and the exchange itself does not fall under the definition of
fiat) should probably be deemed e-money, which has been implemented an MTF or OTF (trading venues). Depending on the services rendered in
incorrectly, as certain restrictions apply to e-money and its distribution connection with such a peer-to-peer exchange, certain licence require-
(although the territorial scope of the E-Money Directive may not apply ments may apply. In any event, prospectus requirements must be
to jurisdictions outside the European Union and the European Economic adhered to. Both matching and settlement are usually carried out in a
Area). For example, e-money must be exchanged back to fiat at all times decentralised manner on these exchanges and associated aspects, such
at par value (Cp EFTA Court Decision in Case E-9/17 Falkenhahn AG as the order book and custodial or escrow services (smart contracts),
v Liechtenstein FMA) and no or only minimal fees may apply for this are also decentralised.
service (this is not a criterion for e-money to come into existence, but the
re-exchange is merely the logical and legal consequence of e-money). Initial coin offerings
E-money also cannot be used for savings purposes and no interest may 31 Are there rules or regulations governing initial coin offerings
be granted. In addition, problems may arise with token holders storing (ICOs) or token generation events?
their e-money token on a wallet to which they have access to the private
key. Lastly, the money collected in exchange for e-money must be placed The rules and regulations governing ICOs or token generation events
in deposit-protected accounts, which means that – contrary to popular depend on the token being offered. If the token offered constitutes a
belief – these funds may not be used by the entity that collected them financial instrument or e-money, the respective regulation applies (eg,
for their operating business. it is necessary to apply for an e-money licence or to prepare a securi-
However, even if a token was deemed ‘electronic money’ as ties prospectus). Under the Blockchain Act, the issuer of tokens needs
defined in article 2(2) of the E-Money Directive, it would be exempt from to register with the FMA and publish the ‘basic Information’ defined in
the applicability of the E-Money Directive if it was issued outside the article 30 seq of the Blockchain Act.
European Economic Area, namely in a country that is not subject to the
E-Money Directive.
With regard to the variety of business models in the sector, the
Payment Services Directive (2015/2366/EC) (PSD2) may also apply;
therefore, it may be necessary to apply for a payment service licence.
www.lexology.com/gtdt 139
© Law Business Research 2020
Liechtenstein NÄGELE Attorneys at Law
the infringement; however, the claim for remedy must be paid to all TAX
joint owners (paragraph 4, article 7 of the Copyright Act).
Incentives
Trade secrets 43 Are there any tax incentives available for fintech companies
39 How are trade secrets protected? Are trade secrets kept and investors to encourage innovation and investment in the
confidential during court proceedings? fintech sector in your jurisdiction?
Employees are prohibited from sharing or exploiting trade secrets of As a member of the European Economic Area, Liechtenstein is also
which they acquire knowledge while being employed. If it is necessary subject to the prohibition of state aid. For this reason, specific tax
to protect the employer’s legitimate interests, the employee remains concessions for the fintech sector are prohibited.
bound to secrecy even after the employment contract is terminated. Overall, Liechtenstein is attractive for innovative business models
The confidentiality of other information is subject to the employment because of its liberal tax law and the direct exchange with the tax
agreement. administration.
Trade secrets can be kept confidential in civil court proceedings.
If the presentation of a document would lead to a breach of a trade Increased tax burden
secret, the document does not have to be presented. Likewise, if, during 44 Are there any new or proposed tax laws or guidance that
a witness statement, answering a question would reveal a trade secret, could significantly increase tax or administrative costs for
the witness can refuse to answer the question. fintech companies in your jurisdiction?
In addition, the Directive 2016/943/EU on the protection of undis-
closed know-how and business information (trade secrets) against their No.
unlawful acquisition, use and disclosure (Directive on the Protection of
Trade Secrets) is relevant for Liechtenstein as a member of the EEA. IMMIGRATION
According to Liechtenstein law, branding and trademarks must be regis- Immigration to Liechtenstein is generally restricted. However, members
tered for the corresponding rights to emerge. The rights include the of the European Union or European Economic Area can locate near
exclusive right to use the branding or trademark to denote the holder’s the Liechtenstein border in Switzerland, Austria or Germany. In addi-
goods or services and the right to dispose of it. Thus, others can be tion, a short-term permit can generally be granted for up to 12 months.
prohibited from using the branding or trademark for their own goods or Further, there are exceptions from this restrictive regime for highly
services. The registration of a brand or trademark is valid for 10 years skilled individuals.
and can be extended by filing a corresponding application. Further, As the fintech area generally requires specialist knowledge, there
branding and trademarks can also be registered on an EU level; regis- is potential to have these work permits granted to promote the growth
trations in the EU trademark registry are valid in all EU member states. of fintech businesses within the country.
There is no method that is specifically designed for fintech compa- In addition, if a person is unable to achieve residency in Liechtenstein,
nies to ensure that existing brands are not infringed. The most reliable they can seek residency in Switzerland, Austria or Germany and then be
way to avoid infringement is to check the national and EU trademark granted a cross-border commuter card for the purposes of employment
registries regularly during the initiation process to determine whether within the country.
the envisioned brand has already been registered.
UPDATE AND TRENDS
Remedies for infringement of IP
41 What remedies are available to individuals or companies Current developments
whose intellectual property rights have been infringed? 46 Are there any other current developments or emerging
trends to note?
Available remedies include:
• a declaratory action regarding the breach of IP rights; In the past year, the market has shifted from a focus on initial coin offer-
• an injunction regarding an imminent breach; ings for utility tokens to a focus on security token offerings and the goal
• a claim for remedying a present breach; and of creating crypto-exchanges with the ability to support the secondary
• a claim for damages and reparation; if applicable, compensation market for security tokens.
for pain and suffering, as well as compensation for lost profits, can
also be asserted.
COMPETITION
Sector-specific issues
42 Are there any specific competition issues that exist with
respect to fintech companies in your jurisdiction?
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
The 2nd Covid-19 Act was passed by the Liechtenstein Parliament in Thomas Nägele
tn@naegele.law
April 2020. As a result of a financial ordinance by the Liechtenstein
government, financial support is available to those individual and micro- Thomas Feldkircher
enterprises that have been able to maintain their business activities tf@naegele.law
but are affected by a loss of earnings owing to regulations concerning
the covid-19 pandemic and are not entitled to receive compensa- Dr. Grass Strasse 12
tion for short-time work or other support measures. This applies, in FL-9490 Vaduz
particular, to companies whose customers or suppliers have been shut Principality of Liechtenstein
down by the authorities or that are experiencing a decreasing number Tel: +423 237 60 70
of customers. Eligible for support are self-employed persons whose Fax: +423 237 60 71
main occupation is that of sole proprietor or manager or shareholder www.naegele.law
of a microenterprise. Also eligible for support are persons who are not
entitled to short-time work compensation and who are employed by a
company, such as co-directors or spouses.
Employers that have made wage payments to employees who are
prevented from working for a long and unforeseeable period of time
owing to official measures in connection with the covid-19 pandemic are
compensated for continued wage payments through the covid-19 daily
allowance.
Additionally, the possibility of taking out an emergency loan from
the National Bank of Liechtenstein, for which the Liechtenstein govern-
ment grants a 100 per cent default-in-payment guarantee, is very
popular. The loans will be granted interest-free until 30 June 2022.
Financial intermediaries must continue to comply with their regula-
tory obligations. However, there may be eased requirements or special
obligations as a result of the pandemic. These are based on the integra-
tion of the Financial Market Authority (FMA) in the European System of
Financial Supervision. The FMA supports the recommendations of the
European supervisory authorities and intends to implement them.
www.lexology.com/gtdt 141
© Law Business Research 2020
Malta
Leonard Bonello and James Debono
Ganado Advocates
FINTECH LANDSCAPE AND INITIATIVES The Malta Digital Innovation Authority (MDIA) is a relatively new
regulator established to act as:
General innovation climate • a fintech promoter that incentivises ‘investment’ in ‘innovative
1 What is the general state of fintech innovation in your technology arrangements’, as such terms are defined under the
jurisdiction? MDIAA; and
• a supervisory authority that ensures the reliability of these tech-
Malta’s reputation as the ‘blockchain island’ is a testament to its positive nologies and the integrity of the market.
approach to the fintech industry. Malta was a pioneer in regulating distrib-
uted ledger technologies and cryptocurrencies through the enactment of: FINANCIAL REGULATION
• the Virtual Financial Assets Act (Chapter 590 of the Laws of Malta);
• the Malta Digital Innovation Authority Act (Chapter 591 of the Laws Regulatory bodies
of Malta) (MDIAA); and 3 Which bodies regulate the provision of fintech products and
• the Innovative Technology Arrangements and Services Act (Chapter services?
592 of the Laws of Malta).
The Malta Financial Services Authority (MFSA) and the Malta Digital
Other prominent fintech areas attracting investment in Malta relate to Innovation Authority are the main competent authorities regulating the
e-payment services and insurtech. Furthermore, the Malta Financial provision of fintech products and services.
Services Authority (MFSA) is also buttressing this technology revolution
by setting up a dedicated FinTech and Innovation function. The MFSA is Regulated activities
also driving the long-term fintech strategy targeting both start-ups and 4 Which activities trigger a licensing requirement in your
industry scale-ups with the aim of establishing Malta as an international jurisdiction?
fintech hub while promoting the infusion of technology solutions in the
financial world. The local financial services regulatory framework comprises:
• the Investment Services Act (Chapter 370 of the Laws of Malta) (ISA),
Government and regulatory support which outlines the regulatory requirements of operators wishing
2 Do government bodies or regulators provide any support to set up investment services undertakings and collective invest-
specific to financial innovation? If so, what are the key benefits ment schemes. It transposes the Markets in Financial Instruments
of such support? Directive (2014/65/EU) (MiFID II) into Maltese law and regulates
services outlined therein when they are carried out in or from Malta
The Maltese government has always given the fintech industry priority in and in relation to one or more ‘instruments’, as defined therein;
policy formation. The MFSA has launched a standalone FinTech Strategy • the Banking Act, Chapter 371 of the Laws of Malta, which is the
aimed at providing legal and regulatory certainty and ensuring market law regulating credit institutions that carry out the ‘business of
integrity and financial soundness while safeguarding investor rights in banking’, defined as:
the fintech sphere. This strategy is based on six main pillars, namely: • accepting deposits of money from the public that are with-
• a suite of regulations to support regulatory efficiency; drawable or repayable on demand, after a fixed period or
• a holistic all-encompassing ecosystem to enhance access to finance after notice;
and foster innovation; • borrowing or raising money from the public with the purpose
• implementing an open architecture to support the use of application of using all or some of such money to lend to others; or
programme interfaces in financial services; • otherwise investing for the account and at the risk of the
• fostering international links to enhance bilateral cooperation and person accepting this money; and
cross-border fintech knowledge, adoption and investment; • the Financial Institutions Act, Chapter 376 of the Laws of Malta, (FIA),
• cultivating knowledge by the attracting and retaining talent and which sets out the licensing and ongoing obligations of non-banking
carrying out extensive research; and institutions. These can be classified in two categories – namely,
• security through implementing robust systems, plans and tech- institutions that carry out:
niques to counteract threats and exposure. • payment services or the issuance of electronic money; and
• activities such as lending, financial leasing, the provision of
The strategy also features a regulatory sandbox that enables financial guarantees and commitments, foreign exchange services and
service providers to test the viability of their products within the regula- money brokering.
tory framework, while keeping in direct contact with the regulators.
The FIA, the subsidiary legislation and the regulations promulgated A de minimis AIFM will be exempt from complying with certain provisions
under the FIA transpose the Payment Services Directive (2015/2366/EU) of the AIFMD but does not enjoy the use of the EU passporting rights.
(PSD2) and the second EU Electronic Money Directive (2009/110/EC).
Peer-to-peer and marketplace lending
Consumer lending 9 Describe any specific regulation of peer-to-peer or
5 Is consumer lending regulated in your jurisdiction? marketplace lending in your jurisdiction.
Lending is a regulated activity under the FIA, irrespective of whether it is The FIA stipulates that any person that, as a lender, regularly lends
provided to consumers. Article 5 of the FIA outlines the requirements for money in or from Malta is carrying out a regulated activity and requires
the authorisation of an institution to carry out lending activities, including: an MFSA licence prior to commencing operations. However, there is no
• an initial capital in the amount established by the MFSA; specific regulation on P2P platforms or marketplaces lending under the
• at least two individuals effectively directing the business of the insti- local financial services framework.
tution in Malta;
• all qualifying shareholders, controllers and all persons effectively Crowdfunding
directing the institution’s business are suitable persons to ensure 10 Describe any specific regulation of crowdfunding in your
its prudent management; and jurisdiction.
• sound and prudent management and robust governance
arrangements. While reward-based and donation-based crowdfunding platforms
remain unregulated, the MFSA has introduced a framework under the
Secondary market loan trading ISA applicable to investment-based crowdfunding services. Measures
6 Are there restrictions on trading loans in the secondary under this regime include a licensing requirement under the ISA, which,
market in your jurisdiction? in addition to capital requirements, encompasses mandatory disclosure
obligations. In the case of offers of securities that fall within the scope
There are no particular restrictions applicable to trading loans in the of the EU Regulation 2017/1129 (in which case, the EU regime would
secondary market in Malta. apply), the issuer must provide an information document, which will,
however, not be approved or verified by the MFSA.
Collective investment schemes
7 Describe the regulatory regime for collective investment Invoice trading
schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your
finance products or services would fall within its scope. jurisdiction.
Collective investment schemes (CIS) are regulated under the ISA. CIS Invoice trading falls within the scope of the FIA. Factoring and invoice
which fall within the scope of the local regulations are: discounting are listed as two types of lending activity that in turn trigger
• retail collective investment schemes, primarily undertaking in a licensing obligation under the FIA if and when they are carried out in
collective investment transferable securities; or from Malta on a regular basis.
• professional investor funds;
• alternative investment funds (AIFs); and Payment services
• notified alternative investment funds. 12 Are payment services regulated in your jurisdiction?
Investment-based crowdfunding is regulated under a separate regime. The FIA includes a list of the payment services that are regulated in Malta
With respect to peer-to-peer (P2P) or marketplace lenders, it is and reflects the services outlined in the PSD2. Institutions engaging in
pertinent to refer to the FIA, which regulates ‘money broking’, defined these payment activities must obtain authorisation from the MFSA prior
as the activity of introducing counterparties that wish to deal at mutually to the provision of these services in or from Malta on a regular basis.
agreed terms with respect to wholesale and retail financial products.
This regulation may have implications for both marketplace lenders and Open banking
P2P platforms. 13 Are there any laws or regulations introduced to promote
competition that require financial institutions to make
Alternative investment funds customer or product data available to third parties?
8 Are managers of alternative investment funds regulated?
There are no laws or regulations promoting competition among finan-
Managers of alternative investments funds (AIFMs) that operate in or cial institutions through the use of available data. However, the concept
from Malta fall within the scope of the ISA and the Alternative Investment of open banking has been locally introduced under the FIA through the
Fund Managers Regulations (Subsidiary Legislation 370.23 of the laws regulation of third-party payment service providers, namely, payment
of Malta), which transpose the Alternative Investment Fund Managers initiation service providers and account information service providers.
Directive (2011/61/EU) (AIFMD) into Maltese law. An AIFM may be
subject to a lite regime akin to the regime under the MiFID II if it quali- Robo-advice
fies as a de minimis AIFM. This will be the case where the assets under 14 Describe any specific regulation of robo-advisers or other
management are worth less than: companies that provide retail customers with automated
• €100 million; or access to investment products in your jurisdiction.
• €500 million and the portfolio consists of AIFs that are unleveraged
and have no redemption rights in the first five years following the No laws or regulations specific to robo-advisers or the automated
date of initial investment. access to investment products have been issued in Malta.
www.lexology.com/gtdt 143
© Law Business Research 2020
Malta Ganado Advocates
Credit references The Malta Financial Services Authority (MFSA) has the discretional
16 Are there any restrictions on providing credit references or authority to issue marketing guidelines and restrictions that apply to
credit information services in your jurisdiction? various financial services sectors and to prohibit or alter any kind of
promotional activity carried out by any financial services institution.
‘Credit reference agency’ is defined under the Trading Licence Act, Specific restrictions apply to licence holders that market their services
Chapter 441 of the laws of Malta, as any undertaking licensed by the and products to ensure that all information including marketing
Trade Licensing Unit, whose main business is to prepare, assemble communications addressed to retail investors or potential retail inves-
and evaluate credit information and related credit and risk manage- tors is fair, clear and not misleading. The Investment Services Act states
ment services concerning legal and natural persons for the purpose that no collective investment schemes, licensed or otherwise, can
of issuing credit scores to be furnished to third parties, provided that issue or cause to be issued a prospectus in or from Malta unless it has
the agency is not precluded from carrying out other related tasks. been approved by the MFSA. The marketing of retail financial services
The definition of ‘credit reference agencies’ pursuant to the draft law in Malta also falls within the scope of the EU Distance Selling (Retail
falls outside the scope of EU Regulation 1060/2009 and, therefore, the Financial Services) Regulation (Subsidiary Legislation 330.07), which
European Securities and Markets Authority would not have supervisory implements EU Directive 2002/65/EC.
powers over these entities. Further, credit reference services are listed
under the Banking Act as one of the additional activities exercisable by CHANGE OF CONTROL
credit institutions.
On 7 November 2018, the European Central Bank received a Notification and consent
request from the Central Bank of Malta (CBM) for an opinion on a draft 20 Describe any rules relating to notification or consent
law amending the Central Bank of Malta Act and on Draft Directive 15 on requirements if a regulated business changes control.
the supervision of credit reference agencies, which:
• gives the CBM new supervisory powers with respect to credit The Investment Services Act imposes a notification requirement for
reference agencies; and persons who, directly or indirectly, acquire a ‘qualifying shareholding’
• designates the CBM as the supervisory authority of credit refer- (as defined therein) in an investment services licence holder or increase
ence agencies solely for the purpose of overseeing and regulating their qualifying shareholding to an extent that the proportion of the
the issuance of credit scores. voting rights or the capital held would reach or exceed 20 per cent, 30
per cent or 50 per cent or so that the investment services licence holder
CROSS-BORDER REGULATION would become its subsidiary. The Malta Financial Services Authority
(MFSA) can object to such an acquisition. A notification obligation is
Passporting also triggered in the case of disposal or reduction of such qualifying
17 Can regulated activities be passported into your jurisdiction? shareholding. Licence holders must obtain written consent from the
MFSA before acquiring 10 per cent or more of the voting share capital
Regulated activities emanating from EU directives transposed into of another company before agreeing to sell or merge all or any part of
Maltese law can, subject to regulatory and procedural formalities, its undertaking.
be passported into Malta. Credit and financial institutions, invest- In the context of credit institutions, Banking Rule 13/2009,
ment services providers, collective investment schemes and issuers ‘Prudential assessment of acquisitions and increase of qualifying
that are legally established in one member state may passport their shareholdings in credit institutions authorised under the Banking Act’,
services through the establishment of a branch or otherwise, as may provides a blueprint of the procedural rules and evaluation criteria for
be applicable. Conversely, ‘homegrown’ services that are regulated by a the prudent assessment of acquisitions and holdings increases in the
standalone legislative framework in EU member states cannot be pass- financial sector and determines the criteria to be applied by the MFSA
ported into Malta. in the assessment process of a proposed acquirer. These rules reflect
the Joint Guidelines JC/GL/2016/01, which were issued by the Joint
Committee of the European Supervisory Authorities in 2016.
FINANCIAL CRIME pledge of shares, special rules contained in the Companies Act Chapter
386 of the laws of Malta, will also apply, which requires the pledge to
Anti-bribery and anti-money laundering procedures be constituted by an instrument in writing and notified to the Malta
21 Are fintech companies required by law or regulation to have Business Registry.
procedures to combat bribery or money laundering? Given that loan and security agreements are determined by
contract between the parties, enforcement depends on the provisions
The regulatory framework that governs anti-money laundering (AML) of the respective contracts; however, parties are not precluded from
procedures in Malta falls under the Prevention of Money Laundering Act, enforcing an agreement before the Maltese courts or by instituting arbi-
Chapter 373 of the laws of Malta (PMLA) and the Prevention of Money tration proceedings in Malta.
Laundering and Funding of Terrorism Regulations, which implements
EU Directive 2015/849/EU. The European Union extended the scope of Assignment of loans
its AML regime to digital currencies through EU Directive 2018/8432/ 24 What steps are required to perfect an assignment of
EU. Entities that must abide by the AML regulations include those that: loans originated on a peer-to-peer or marketplace lending
• provide services to safeguard private cryptographic keys on platform? What are the implications for the purchaser if the
behalf of its customers, or to hold, store and transfer virtual assignment is not perfected? Is it possible to assign these
currencies; and loans without informing the borrower?
• engage in exchange services between virtual currencies and fiat
currencies. The assignment of loans and other rights is generally dealt with in the
Civil Code, Chapter 16 of the laws of Malta. The Civil Code provides
Malta has acknowledged the risks associated with digital currencies that an assignment is complete and the ownership of the thing being
and has taken the initiative to anticipate this framework. The new assigned is acquired by the assignee as soon as the thing is transferred,
Implementing Procedures issued by the Financial Intelligence Analysis the price has been agreed and when the deed of assignment (which
Unit (FIAU) now also cover issuers of virtual financial assets (VFAs), must be in writing) is made. The assignee may not exercise the rights
VFA service providers and the activities of safe custody services, even assigned to them, except against third parties after due notice of the
when provided by any person or institution other than those licensed assignment (by judicial act) has been given to the debtor; however,
or authorised under the Banking Act or the Investment Services Act. notice is not necessary if the debtor has acknowledged the assignment.
Digital currency exchanges and issuers of VFAs are deemed to be However, Malta’s securitisation framework, based on the
subject persons and must have measures, policies and procedures in Securitisation Act, Chapter 484 of the laws of Malta, operates as an
place to address the identified risks. These measures, policies, controls opt-in regime whereby legal entities entering into securitisation trans-
and procedures must include, inter alia: actions may style themselves as securitisation vehicles subject to the
• customer due diligence, record-keeping procedures and reporting Securitisation Act, which aims to facilitate securitisation transactions by,
procedures; and among other things, relaxing some of the requirements regarding the
• risk management measures. assignment of rights as set out in the Civil Code. An assignment of rights
(to a securitisation vehicle) made pursuant to the Securitisation Act:
Guidance • does not require the assignment to have a price;
22 Is there regulatory or industry anti-financial crime guidance • is complete as soon as the assignment is written; and
for fintech companies? • allows notice to be given to debtors by a simple written notice (ie,
not a judicial act) or by publication of a notice in a daily newspaper.
The FIAU has issued a specific rulebook applicable to VFA agents,
issuers and licence holders with sector-specific guidance on how these An assignment made properly under the Securitisation Act is considered
issuers and operators can meet their AML obligations under the PMLA. a true sale as the Act provides that such an assignment will be treated
These procedures complement the Implementing Procedures that are as final, absolute and binding on the assignor (the originator), the
applicable across all other sectors, and apply to VFA service providers, assignee (securitisation vehicle) and all third parties and is not subject
VFA agents and issuers of initial VFA offerings, as well as to unlicensed to clawback. This implies that an assignment that is not perfected under
subject persons operating within the VFA space. the Securitisation Act may not be considered a true sale and may be
subject to annulment, rescission, revocation or termination.
PEER-TO-PEER AND MARKETPLACE LENDING
Securitisation risk retention requirements
Execution and enforceability of loan agreements 25 Are securitisation transactions subject to risk retention
23 What are the requirements for executing loan agreements or requirements?
security agreements? Is there a risk that loan agreements
or security agreements entered into on a peer-to-peer or The Securitisation Regulation (Regulation 2017/2402/EU) became
marketplace lending platform will not be enforceable? directly applicable to all EU member states as of 1 January 2019.
Article 6 of the Securitisation Regulation directly tackles risk retention,
Loan and security agreements are contracts that are generally providing that, subject to any exceptions set out therein, the originator,
governed by Maltese contract law. In this respect, the parties entering sponsor or original lender of a securitisation must retain, on an ongoing
into such an agreement must have the capacity to do so, which, in the basis, a material net economic interest in the securitisation of no less
case of companies, means that the agreement is signed by a director than 5 per cent. In the circumstance that the retainer of this risk was not
after having obtained proper authorisation from the board. In the case of agreed, the originator must by law retain the risk.
natural persons, contracts can generally be entered into by anyone over
the age of 18, provided that they have not previously been interdicted
or incapacitated. Depending on the type of loan or security agreement
that is being entered into, special laws may apply. In the context of a
www.lexology.com/gtdt 145
© Law Business Research 2020
Malta Ganado Advocates
Securitisation confidentiality and data protection requirements • a virtual financial asset (VFA); or
26 Is a special purpose company used to purchase and securitise • a virtual token.
peer-to-peer or marketplace loans subject to a duty of
confidentiality or data protection laws regarding information If a person provides any of the services listed in the VFAA in relation
relating to the borrowers? to a DLT asset that qualifies as a VFA, licensing obligations apply. The
issuance of e-money also mandates a Malta Financial Services Authority
The Securitisation Act provides that the transfer of any data or informa- (MFSA) authorisation pursuant to the Financial Institutions Act.
tion made in the context of a securitisation transaction must remain
subject to professional secrecy, confidentiality and data protection laws. Digital currency exchanges
However, transfers of personal data made in the context of a securitisa- 30 Are there rules or regulations governing the operation of
tion are deemed to have been made for the legitimate interest of the digital currency exchanges or brokerages?
transferee and transferor unless it is shown that this interest is over-
ridden by the interest to protect the fundamental rights and freedoms of The VFAA imposes a licensing requirement on service providers in the
the data subject. Transfers of personal data made to a third country that VFA space, including VFA exchanges, custodians of VFAs (including
does not ensure an adequate level of protection within the meaning of wallet providers) and VFA advisers and brokers that are operating in or
the Data Protection Act, Chapter 586 of the laws of Malta, will not require from Malta. The MFSA has issued a Virtual Financial Assets Rulebook,
the authorisation of the data protection commissioner, provided that the which is divided into three main chapters. The requirements for a VFA
controller of this data can provide adequate safeguards for the protec- service provider licence include:
tion of the data subjects’ privacy and fundamental rights and freedoms. • the setting up of a Maltese entity;
• the holding of minimum capital;
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER • the appointment of various functionaries; and
TECHNOLOGY AND CRYPTO-ASSETS • undergoing assessments by the MFSA into (among other things)
the entity’s ultimate beneficial owners and board of administration.
Artificial intelligence
27 Are there rules or regulations governing the use of artificial Initial coin offerings
intelligence, including in relation to robo-advice? 31 Are there rules or regulations governing initial coin offerings
(ICOs) or token generation events?
AI is not yet a regulated area. A Malta AI task force, commissioned
by the government launched the Strategy and Vision for Artificial The VFAA states that no issuer can:
Intelligence in Malta 2030, to put the island among the foremost juris- • offer a VFA to the public in or from Malta; or
dictions with the highest-impact national AI programme. The strategy • apply for a VFA’s admission to listing on a DLT exchange unless the
rests on three vertical pillars that direct efforts towards investment, issuer draws up a white paper that:
innovation and private and public sector adoption; and three horizontal • is dated;
enablers, namely education and workforce, the legal framework and • states the matters specified in the first schedule to the VFAA;
infrastructure. • includes a statement by the board of administration confirming
that the white paper complies with the Act; and
Distributed ledger technology • is registered with the MFSA.
28 Are there rules or regulations governing the use of
distributed ledger technology or blockchains? The white paper must enable investors to make an informed assessment
of the prospects of the issuer, the proposed project and the features of
The Innovative Technology Arrangements and Services Act (ITAS) the VFA. Issuers must appoint a number of functionaries, including a
outlines the framework of designated innovative technology arrange- VFA agent, a custodian and a systems auditor, and must ensure that an
ments (including blockchain platforms and smart contracts) while investor does not invest more than €5,000 in its initial VFA offerings over
catering for the Malta Digital Innovation Authority (MDIA) and its regula- a 12-month period.
tory functions with regards thereto. Under the ITAS, any person may on
a voluntary basis request the MDIA to certify eligible arrangements or DATA PROTECTION AND CYBERSECURITY
services on the basis of a number of conditions, including that, among
other things, the arrangement is fit and proper for the purposes for Data protection
which it was set up and its underlying software has been reviewed by a 32 What rules and regulations govern the processing and
registered systems auditor. transfer (domestic and cross-border) of data relating to
fintech products and services?
Crypto-assets
29 Are there rules or regulations governing the use of crypto- There is no specific law or guidance regulating fintech companies’ use
assets, including digital currencies, digital wallets and of personal data. The processing and transfer of data is regulated by
e-money? the Data Protection Act (DPA), which implements the EU General Data
Protection Regulation, alongside any subsidiary legislation that supple-
Crypto-assets in Malta are regulated by the Virtual Financial Assets Act ments the DPA, and regulates the processing of personal data with
(VFAA), which spearheads the implementation of a bespoke financial regards to the e-communications sector, thereby implementing EU
instrument test, applicable to issuers, agents and licence holders, for Directive 2002/58/EC.
the purpose of determining whether a distributed ledger technology The European Commission has issued draft proposals for an
(DTL) asset qualifies as: e-privacy regulation to supersede the current Directive (2002/58/EC),
• electronic money; which would be directly applicable in all member states, harmonising
• a financial instrument; data protection laws. On the 21 February 2020, the revised test of the
Proposal for a Regulation of the European Parliament and of the Council INTELLECTUAL PROPERTY RIGHTS
concerning the respect for private life and the protection of personal
data in electronic communications and repealing Directive 2002/58/EC IP protection for software
(Regulation on Privacy and Electronic Communications) was published. 36 Which intellectual property rights are available to protect
software, and how do you obtain those rights?
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech Software constitutes literary work, which enjoys automatic copyright
businesses? protection under the Copyright Act, Chapter 415 of the laws of Malta,.
A copyright is a non-registrable right that arises as soon as a work
Different cybersecurity standards apply across different business considered eligible for copyright protection (which under Maltese law,
sectors within the financial industry. In the digital assets space, which includes artistic works, audiovisual works, databases, literary works
is regulated by the Virtual Financial Assets Act, licence holders must and musical works) is created. No formal registration of copyright
establish various management policies within their cybersecurity (voluntary or otherwise) in Malta is required. Further, in accordance
framework. Further, acknowledging that the financial services industry with the Patents and Designs Act, Chapter 417 of the laws of Malta
is experiencing a digital and technological transformation, the Malta (PDA), schemes, rules and methods for doing business and computer
Financial Services Authority has proposed a new set of guidance notes programs are not considered to constitute inventions that are capable
on cybersecurity, which will apply to key players in this industry, setting of patent protection.
out a minimum set of best practices and risk management procedures
to be followed in order to effectively mitigate cyber risks. IP developed by employees and contractors
37 Who owns new intellectual property developed by an
OUTSOURCING AND CLOUD COMPUTING employee during the course of employment? Do the same
rules apply to new intellectual property developed by
Outsourcing contractors or consultants?
34 Are there legal requirements or regulatory guidance with
respect to the outsourcing by a financial services company of In terms of works that are eligible for copyright protection, the Copyright
a material aspect of its business? Act dictates that such protection shall vest initially in the author or joint
authors of the particular work. Particularly in the case of computer
In general, the outsourcing of material activities of a financial services programs and databases, however, where a work is made in the course
company would lead to the regulatory intervention and oversight of the of the author’s employment, the economic rights arising therefrom will
Malta Financial Services Authority (MFSA). For example, the Banking Act be deemed to be transferred to the author’s employer – subject to an
provides that no credit institution shall outsource its material services agreement between the parties to the contrary. Other works eligible for
or activities, unless the outsourcing service provider is granted recog- copyright (ie, barring computer programs and databases) shall always
nition by the MFSA. To obtain this recognition, the outsourcing service vest in the author or joint authors of the particular work, provided that
provider must make a written request providing information on: an agreement to the contrary has not been entered into.
• its name and address; With reference to patentable inventions, the PDA holds that any
• the material services or activities to be outsourced; invention occurring under a contract of employment belongs to the
• the reasons for outsourcing the service or activities; and employer; however, the creator of that work (ie, in this context, the
• the regulatory status, if any, if it is authorised or licensed in a employee) would have a right to equitable remuneration for their inven-
foreign jurisdiction. tion. In the absence of an agreement between the parties as to the
remuneration due, this must be ascertained by the Maltese courts.
Cloud computing In view of the various nuances highlighted above, it is always advis-
35 Are there legal requirements or regulatory guidance with able to incorporate a clause regulating the ownership, or otherwise, of
respect to the use of cloud computing in the financial services intellectual property into a company’s standard contract of employment
industry? and service agreements with its contractors or consultants. However,
when developing or making use of intellectual property in the course of
Various initiatives at both a local and European level seek to govern employment or engagement, there is an argument to be made that the
the evolution of cloud computing. However, these are not neces- employee or the contractor or consultant engaged to render a particular
sarily specific to the financial services sector. Locally, the Malta service must be considered a fiduciary in accordance with article 1124
Communications Authority has issued a guidance document enti- et seq of the Civil Code, and must therefore abide by the various obliga-
tled ‘Cloud Computing Guidelines for SMEs & Microenterprises’ that tions specified therein.
highlights considerations to be taken by small and medium-sized enter-
prises and microenterprises when assessing the suitability of the use of Joint ownership
cloud computing in their firm. This guidance document provides further 38 Are there any restrictions on a joint owner of intellectual
details as to the contractual implications that may arise between small property’s right to use, license, charge or assign its right in
and medium-sized enterprises, microenterprises and cloud computing intellectual property?
service providers. Transposing EU Directive 2016/1148/EU, Subsidiary
Legislation 460.35 sets out cybersecurity standards and establishes The Trademarks Act, Chapter 597 of the laws of Malta, states that where
a Critical Information Infrastructure Protection Unit (CIIP Unit). In a registered trademark is subject to co-ownership, each joint owner is
Malta the CIIP Unit falls under the remit of the Critical Infrastructure entitled, subject to an agreement stating the contrary, to an equal undi-
Protection Directorate, which also oversees the National Computer vided share in the registered trademark. Each co-owner is also entitled,
Security Incidence Response Team. personally or otherwise, to perform for their own benefit, without the
other co-owner’s consent, any act that would otherwise amount to an
infringement of the registered trademark. A co-owner may not grant a
www.lexology.com/gtdt 147
© Law Business Research 2020
Malta Ganado Advocates
licence over the registered trademark or assign or cede control of their This liability attaches to any person who, with a view to gain for them-
share in the trademark without the other co-owner’s consent. selves or another, or with intent to cause loss to another, uses or applies
The aforementioned is also applicable in the case of co-ownership without the consent of the trademark owner an infringing sign or else
of a registered design under the Patents and Designs Act. Conversely, has in their possession or control or offers for sale, hire or distribu-
in the case of joint proprietors of a patent, the law specifies that either tion goods that bear infringing marks. The Enforcement of Intellectual
party may separately assign or transfer by succession their share of the Property Rights (Regulation) Act, Chapter 488 of the laws of Malta,
patent with or without the other patent owner’s agreement. However, provides for measures that may be requested by IP rights holders to
to surrender the patent or conclude a licensing agreement with third enforce their IP rights or to preserve evidence and request information
parties, the co-owners must act jointly. from alleged infringers.
In terms of copyright, a joint author can assign or license copyright
unilaterally, provided that where any other joint author is not satisfied COMPETITION
with the manner in which this assignment or licence has been granted,
they can resort to the Copyright Board within three months from the Sector-specific issues
day on which the terms of the assignment or licence have been commu- 42 Are there any specific competition issues that exist with
nicated to them in writing. respect to fintech companies in your jurisdiction?
Trade secrets There are no competition issues that specifically affect fintech compa-
39 How are trade secrets protected? Are trade secrets kept nies in Malta. However, in 2019 the European Commission published
confidential during court proceedings? its Competition Policy for the Digital Era, which tackles competition
issues that arise from the digital industries and states how regulations
The Trade Secrets Act, Chapter 589 of the laws of Malta, (TSA) provides should be tailor-made to cater for the specific issues that might arise.
for measures to be taken against the unlawful acquisition, use and The report identified the following characteristics of the industry that
disclosure of trade secrets. The TSA allows the competent court to might give rise to incentives for dominant digital firms to act in an anti-
issue precautionary acts against the alleged infringer for the cessation competitive manner:
or prohibition of the use or disclosure of the trade secret on a provi- • the extreme returns to scale that the industry brings with it;
sional basis. The court may also issue precautionary acts to prohibit the • the convenience of the product being dependant on a large
production, offering, placing on the market or use of infringing goods user base; and
or the seizure of these infringing goods to prevent their entry into or • the pivotal role of data.
circulation on the market. Once the court has determined that there
has been unlawful acquisition, use or disclosure of a trade secret, it TAX
can order the cessation of the unlawful behaviour, apply injunctive and
corrective measures or impose damages that are appropriate to the Incentives
actual prejudice suffered as a result of the unlawful acquisition, use or 43 Are there any tax incentives available for fintech companies
disclosure of the trade secret. The TSA also states that should an appli- and investors to encourage innovation and investment in the
cation be submitted by an interested party, it shall be unlawful for any fintech sector in your jurisdiction?
of the parties participating within the legal proceedings to disclose the
nature or any details relating to the trade secret in question. This obli- While the Maltese corporate tax environment is very attractive to
gation shall remain in force even after legal proceedings have ended. businesses establishing a local presence, there do not seem to be tax
incentives specifically available for fintech companies. Malta offers
Branding several fiscal schemes and incentives in the form of tax credits to
40 What intellectual property rights are available to protect companies deemed as being innovative enterprises according to the
branding and how do you obtain those rights? How can fintech rules and regulations set out by the Malta Enterprise.
businesses ensure they do not infringe existing brands?
Increased tax burden
Trademarks create a distinctive brand and can be obtained by lodging 44 Are there any new or proposed tax laws or guidance that
an application with the Malta IP rights directorate outlining the trade- could significantly increase tax or administrative costs for
mark name or image (or combination thereof), as well as the goods and fintech companies in your jurisdiction?
service that this trademark will protect. It is also possible to apply for
an EU trademark, which will grant pan-European protection over the Without prejudice to the regulatory fees payable to the competent
trademark. On an international level, it is also possible to lodge an appli- authorities in relation to any new licensing obligations imposed on
cation with the World Intellectual Property Organisation, designating the fintech companies, there are no new or proposed tax laws or guidance
countries in which trademark protection is sought. specific to fintech business that will amplify tax and administrative costs.
businesses are no different from the schemes that are available to other
business sectors. There are two regimes available, distinguishing EU,
EEA and Swiss nationals from non-EU nationals. EU, EEA and Swiss
nationals aspiring to work in Malta’s fintech business must apply for
residence via CEA Form A submitted on the basis of employment or self-
employment pursuant to the Free Movement of EU Nationals and their
Family Members Order (LN 191/2007) and the Immigration Regulations
(LN 205/2004). The non-EU, EEA and Swiss regime grants two appli-
cations to third-country nationals – namely, CEA Form B and the key Leonard Bonello
lbonello@ganadoadvocates.com
employee initiative, which is a single work permit for managerial or
highly technical posts. James Debono
jdebono@ganadoadvocates.com
UPDATE AND TRENDS
171, Old Bakery Street
Current developments
Valletta VLT1455
46 Are there any other current developments or emerging Malta
trends to note? Tel: +356 21 23 54 06
Fax: +356 21 22 59 08
The main current development in Malta is the drive and effort with www.ganadoadvocates.com
which the Malta Financial Services Authority, as a proactive financial
services regulator, is promoting the idea of Malta becoming a global
fintech hub. Throughout its long-term fintech strategy, the regulator is
not only supporting the financial services industry to harness the oppor- Guarantee Scheme), which mainly provides guarantees to commer-
tunities presented by innovation and technology, but is also geared up to cial banks that facilitate access to bank financing for businesses
harness as much legal and regulatory certainty as possible for industry established and operating in Malta (both small and meduim-sized
players to operate in an environment with effective investor protection, enterprises with up to 250 employees and large enterprises with
market integrity and financial soundness. more than 250 employees) that are facing liquidity and cash flow
problems because of the pandemic.
Coronavirus • To complement the Guarantee Scheme, the government also
47 What emergency legislation, relief programmes and other announced a second measure to further alleviate the terms
initiatives specific to your practice area has your state relating to working capital loans extended by banks under the
implemented to address the pandemic? Have any existing Scheme. Through the Interest Rate Subsidy Scheme, which is also
government programmes, laws or regulations been amended targeted towards businesses facing unprecedented disruptions
to address these concerns? What best practices are advisable owing to the covid-19 outbreak, businesses may avail themselves
for clients? of a subsidy of up to 2.5 per cent on the interest rate charged by
banks during the first two years of working capital loans guaran-
The covid-19 pandemic has triggered a number of legislative and regu- teed by the Guarantee Scheme.
latory initiatives within the financial services world that the Maltese
government, regulators and competent authorities have implemented
to lessen and mitigate the negative impacts to the relevant institutions
and the general public. Among other measures relating to borrower-
based measures or the timing of supervisory reporting, some of the
initiatives launched to counteract the risks posed by the pandemic
include the following.
• Eurozone institutions have been granted a one-month extension
by the Malta Financial Services Authority for the submission of
specific supervisory reporting modules with remittance dates
between March 2020 and May 2020. A further extension may be
granted, but this will only be given on a case-by-case basis and
provided that exceptional circumstances exist.
• The government of Malta issued the Moratorium on Credit Facilities
in Exceptional Circumstances Regulations to mandate credit and
financial institutions licensed under the laws of Malta to grant
a six-month moratorium on capital and interest for borrowers
with respect to credit facilities satisfying the eligibility criteria
established under Directive No. 18 issued by the Central Bank of
Malta. Foreign banks do not fall within the scope of the Directive
unless they have a branch, agency or office in Malta. The mora-
torium has been extended by a further six months in an effort to
continue providing assistance for borrowers negatively affected by
the pandemic.
• The Malta Development Bank (MDB) has launched the EU
Commission-approved MDB Covid-19 Guarantee Scheme (the
www.lexology.com/gtdt 149
© Law Business Research 2020
Netherlands
Aron Berket, Jeroen Bos and Marline Hillen
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES the DNB to adopt a more data-driven approach and focus on the use of
digital technologies in its supervision.
General innovation climate Furthermore, in April 2020, the DNB stated that it has a favourable
1 What is the general state of fintech innovation in your attitude towards central bank digital currency (CBDC). CBDC is money
jurisdiction? issued by a central bank and is generally accessible to households and
businesses. Therefore, DNB does not only support financial innovation,
Fintech innovation in the Netherlands continues to develop. There has but also intends to play a leading role in certain financial innovation,
been a high level of activity in the fields of artificial intelligence, machine such as the development of CBDC.
learning, blockchain, mobile and advanced analytics. The Dutch market There are no formal arrangements with foreign regulators that
is also adopting other innovations, such as open banking (as a result relate specifically to fintech companies. However, the AFM and DNB
of the Revised Payment Services Directive). Generally, diversification maintain contact with other regulators in the Netherlands (such as the
in the Dutch financial services sector is increasing as new companies ACM and the Dutch Data Protection Authority), the EU and globally (such
enter the market and incumbents (such as large Dutch banks) progress as the International Organization of Securities Commissions).
their own fintech initiatives. However, some market participants are
concerned that the new registration regime for certain crypto-service FINANCIAL REGULATION
providers that entered into force on 21 May 2020 will deter potential
new entrants from entering the market owing to additional administra- Regulatory bodies
tive and compliance costs. 3 Which bodies regulate the provision of fintech products and
services?
Government and regulatory support
2 Do government bodies or regulators provide any support There is no specific regulatory framework applicable to the provision of
specific to financial innovation? If so, what are the key fintech products and services.
benefits of such support? Furthermore, it is unlikely that such a specific Dutch regulatory
framework will be established now that the Dutch Authority for the
In 2016, the Dutch Authority for the Financial Markets (AFM) and the Financial Markets (AFM) and Dutch Central Bank (DNB) have issued the
Dutch Central Bank (DNB) set up the InnovationHub to provide new recommendation to regulate cryptos at an international level. As such,
and existing firms with support in answering queries related to the depending on the nature and scope of products and services offered,
regulation of innovative financial products and services. Within the the AFM and DNB supervise compliance with conducts of business rules
InnovationHub, the AFM and DNB cooperate with the Dutch Authority and prudential requirements respectively.
for Consumers and Markets. The InnovationHub aims to offer easy
access to supervisors and regulators for companies that provide inno- Regulated activities
vative services or products, remove any unnecessary barriers to entry, 4 Which activities trigger a licensing requirement in your
gain more insight into the rapidly developing technological innova- jurisdiction?
tion within the financial sector, and improve knowledge, sharing and
dialogue with all relevant stakeholders. The InnovationHub enables Depending on the nature and scope of services offered, licensing
fintech companies to obtain a temporary banking licence, among requirements under the Dutch Financial Supervision Act (FSA) and
other things. secondary legislation may apply.
The AFM and DNB have also set up a ‘regulatory sandbox’ for The following activities are regulated under the FSA.
fintech companies to test and develop new products. If certain criteria • Deposit-taking and granting credits for one's own account: credit
are met, the regulatory sandbox can provide bespoke solutions for institutions (ie, institutions that attract repayable funds from the
financial services companies that cannot reasonably meet specific poli- public in the Netherlands and that extend credit for own account)
cies, rules or regulations when marketing an innovative product, service require a banking licence.
or business model, and that do meet the underlying rationale of these • Consumer lending: the extension of credit to consumers requires
policies, rules or regulations. a licence.
Furthermore, the DNB periodically organises a seminar, ‘Fintech • Factoring, to the extent this would constitute consumer lending.
meets the Regulators’, during which relevant market participants and • Invoice discounting, to the extent this would constitute consumer
DNB share thoughts on current developments. lending.
Additionally, in November 2019, the DNB launched a joint partner- • Payment services: all institutions carrying out payment services as
ship of banks, insurers and partnerships, the iForum, which enables described in the Annex to the Revised Payment Services Directive
(PSD2), require a licence. A licence to act as a credit institution may investment scheme can be an undertaking for collective investment in
also cover carrying out payment services. transferable securities, as defined in the Undertakings for Collective
• Investment services: a financial institution is required to have a Investment in Transferable Securities Directive.
licence if it intends to provide investment services. These can be Whether a fintech company would qualify as a collective invest-
split into the following services, carried out in pursuit of a business ment scheme will depend on the exact nature of its business. For
or profession: example, fintech companies that manage assets on a pooled basis on
• receiving and transmitting client orders relating to financial behalf of investors should give particular consideration as to whether
instruments (which includes bringing about deals in financial they qualify as a collective investment scheme. On the other hand,
instruments); fintech companies that provide advice or payment services may be
• executing client orders relating to financial instruments; less likely to constitute a collective investment scheme. Peer-to-peer
• managing an individual’s assets; lenders, marketplace lenders or crowdfunding platforms could poten-
• providing advice regarding financial instruments; tially fall within the scope of the AIFMD, to the extent they would qualify
• underwriting or placement with a firm commitment basis of as (managers of) collective investment schemes. Currently, the AFM’s
financial instruments; and register ‘Crowdfunding platforms’ indicates that no crowdfunding
• placement without a firm commitment basis of financial platform holds a licence for managing or offering units in collective
instruments. investment schemes.
• Investment activities: a financial institution is required to have a
licence if it intends to perform an investment activity. Investment Alternative investment funds
activities can be split into three activities: 8 Are managers of alternative investment funds regulated?
• dealing on one's own account (including foreign exchange
trading); Managers of alternative investment funds are regulated under the
• operating an organised trading facility; and AIFMD, which has been implemented in the FSA.
• operating a multilateral trading facility.
• Clearing and settlement: acting as a clearing and settlement insti- Peer-to-peer and marketplace lending
tution requires a licence. 9 Describe any specific regulation of peer-to-peer or
• Secondary market loan trading. marketplace lending in your jurisdiction.
www.lexology.com/gtdt 151
© Law Business Research 2020
Netherlands Simmons & Simmons LLP
There is no specific regulatory framework for robo-advisers in the To obtain a licence for any of the activities regulated pursuant to the
Netherlands. FSA, in general, a local presence must be established, unless a firm can
Furthermore, there is no legal distinction between robo-advice benefit from a European passport.
and traditional investment advice in the Netherlands. As such, compa-
nies providing robo-advice must fulfil the same legal requirements as
Depending on the regulatory status of the financial institution, different There is no general framework under which fintech companies are
marketing rules may apply, including clientele restrictions. Advice required to have in place procedures to combat bribery or money laun-
should be sought on the specific circumstances of any particular case. dering. However, as of 21 May 2020, certain crypto-service providers
The Dutch Financial Supervision Act (FSA) states that, in general, fall with scope of the Money Laundering and Terrorist Financing
relevant marketing activities: (Prevention) Act. This concerns companies, legal entities or natural
• must be correct, clear and not misleading; persons that provide:
• must be recognisable as being of a commercial nature (where • services for the exchange between virtual and fiat currencies; and
applicable); and • services offering custodian wallets (ie, services to safeguard
• may not contradict the information that is required to be made private cryptographic keys on behalf of customers; consequently,
available pursuant to the FSA. ‘soft wallets’ do not fall within the scope).
In addition, specific rules apply depending on the type of product These crypto service providers are also required to register with the
offered or service provided and, in some cases, also on the type of client Dutch Central Bank (DNB). Requirements for registration include having
targeted. Some of these are summarised below. in place an adequate integrity policy to ensure ethical operation manage-
Marketing materials for complex products (eg, participation rights ment. In this policy, an analysis of integrity risks, compliance with the
in an open-ended collective investment scheme and investment objects) Sanctions Act 1977, transaction monitoring, reporting of unusual trans-
should include a risk indicator as prescribed by the Further Regulation actions to the Financial Intelligence Unit-Netherlands and customer
on Conduct of Business Supervision of Financial Undertakings (the due digilence must be discussed. Other requirements for registration
Further Regulation). include, among others, that:
Marketing materials for credit offerings to consumers that refer to • the policymakers of crypto-service providers are trustworthy; and
debit interest rates or other information regarding costs should include • the (directors of) holders of a qualifying holding (at least 10 per
(at a minimum) information regarding floating or fixed interest rates cent of the shares or voting rights, or both) in crypto-service
and other costs that form part of the total costs of the credit for the providers are trustworthy.
consumer, the total credit amount, the yearly cost percentage, identity
and address of the provider or intermediary, and certain other informa- Guidance
tion depending on the type of credit, all as prescribed in the Decree 22 Is there regulatory or industry anti-financial crime guidance
on Conduct of Business Supervision of Financial Undertakings. In addi- for fintech companies?
tion, certain risk warnings are prescribed and certain prohibitions apply,
such as the prohibition on including any references to the speed or ease There is no regulatory or industry anti-financial crime guidance specifi-
with which the credit may be obtained. cally for fintech companies. However, the Dutch Authority for the
For products other than complex products, the more general Financial Markets and DNB have set up the InnovationHub to support
marketing rules included in the Further Regulation apply, including the market operators, such as fintech companies. Furthermore, the DNB
obligation to include a warning that the value of an investment may has published a brochure entitled ‘Good practices fighting corruption’
fluctuate and that historical returns offer no guarantee for the future. and the DNB website provides answers to questions about DNB’s integ-
Depending on the medium used for marketing (print, TV, radio or rity supervision of crypto-companies. As regards anti-money laundering
internet) further rules apply, such as the relevant information to be and combating financing of terrorism, DNB issued a comprehensive
included at a minimum (ie, the name of the provider, the regulatory guidance that also relates to trade sanctions on 18 December 2019.
status of provider, and where and how further information relating to
the product or service can be obtained). Specific marketing rules have PEER-TO-PEER AND MARKETPLACE LENDING
been introduced to facilitate marketing on social media.
Execution and enforceability of loan agreements
CHANGE OF CONTROL 23 What are the requirements for executing loan agreements or
security agreements? Is there a risk that loan agreements
Notification and consent or security agreements entered into on a peer-to-peer or
20 Describe any rules relating to notification or consent marketplace lending platform will not be enforceable?
requirements if a regulated business changes control.
Loan agreements are not restricted to a certain form and can there-
If a qualifying holding (at least 10 per cent of the shares or voting rights, fore be entered into and executed electronically. To create a security
or both) is obtained in certain Dutch financial firms (such as settlement right (ie, a right of pledge or mortgage) a deed is required, which has to
institutions, banks, managers of UCITS, investment firms, entities for be in writing. Dutch law distinguishes between authentic deeds, which
risk acceptance, premium pension institutions and insurers and rein- require the involvement of a civil-law notary (and can therefore not be
surers), prior approval by the Dutch Central Bank (DNB) is required. executed in electronic form), and private deeds.
The DNB grants approval by way of a ‘Declaration of No Objection’. In A private deed can be executed electronically provided its contents
specific cases, increases of qualifying holdings above certain thresholds are stored for future reference during a minimum relevant period
are also notifiable to or subject to approval from DNB. (depending on the nature of the deed) in such a way that they can be
reproduced without alteration. For example, a deed of pledge can be
executed electronically provided that the pledgee can store the deed
www.lexology.com/gtdt 153
© Law Business Research 2020
Netherlands Simmons & Simmons LLP
during the duration of the loan agreement for which the pledge was firms and alternative investment fund managers) will be subject to higher
issued. In addition, the deed still needs to be printed as the tax authori- regulatory capital charges where they invest in securitisation positions
ties do not accept electronic copies of a deed. that do not comply with the risk retention rules. Those rules require that
An electronic deed will require an electronic signature. An electronic either the sponsor, originator or original lender in respect of the securiti-
signature can constitute proof of the intention of the signatory to agree sation explicitly discloses to the investor that it will retain, on an ongoing
with the contents of a certain document in the same way a written signa- basis, a material net economic interest in the securitisation (which in any
ture does if the method used to authenticate the electronic signature is event is not less than 5 per cent) using one of five prescribed retention
sufficiently reliable. The Dutch courts asses the reliability of this method methods. Those methods include (among others) retention of:
in view of all the circumstances of the relevant case. There is no specific • the most subordinated tranche or tranches, so that the retention
risk that loan agreements or security agreements will not be enforce- equals no less than 5 per cent of the nominal value of the securi-
able when entered into on a P2P or marketplace lending platform. tised exposures;
• 5 per cent of the nominal value of each of the tranches sold to
Assignment of loans investors; or
24 What steps are required to perfect an assignment of loans • randomly selected exposures equivalent to no less than 5 per cent
originated on a peer-to-peer or marketplace lending platform? of the nominal value of the securitised exposures.
What are the implications for the purchaser if the assignment
is not perfected? Is it possible to assign these loans without Definitions of ‘sponsor’, ‘originator’ and ‘original lender’ are set out in
informing the borrower? the EU Securitisation Regulation. Furthermore, there is a direct require-
ment on the sponsor, originator and original lender to agree on an
Under Dutch law, there is a distinction between the transfer of loans entity that will act as retention holder and to ensure compliance with
(ie, the receivables and the liabilities under a loan) and the sole assign- the retention requirement. In the absence of agreement as to who will
ment of receivables under the loans. As securitisations require that be the retention holder, the originator shall be the retention holder.
only the receivable is assigned, only the assignment of receivables is The EU Securitisation Regulation does not explicitly set out the juris-
discussed here. dictional scope of the ‘direct’ retention obligation, but there is a helpful
Assignment always requires that: (1) the receivable is transferable; note in the Explanatory Memorandum to the European Commission’s
(2) the seller holds legal title to the receivable; (3) there is a valid title for original proposal for the EU Securitisation Regulation that the intention
the assignment (an agreement usually); and (4) the receivable is deliv- is that the ‘direct’ approach would not apply to securitisations (including
ered. Delivery can be perfected by way of an undisclosed assignment or P2P securitisations) where none of the originator, sponsor or original
disclosed assignment. lender is ‘established in the EU’. The European Banking Authority (EBA)
An undisclosed assignment requires an executed deed, either in has stated in the Draft Regulatory Standards to the EU Securitisation
notarial form or in private form, to be registered with the Dutch Tax Regulation (dated 31 July 2018) that the ‘direct’ obligation should apply
Authority. Perfection takes place the moment the deed is executed by the only to originators, sponsors and original lenders established in the EU
notary or at the time of registration with the Tax Authority. Receivables as suggested by the Commission in the explanatory memorandum.
may only be transferred by way of undisclosed assignment if they: (1) ‘Establishment’ is typically described by reference to the jurisdic-
exist at the date of registration or execution of the deed of assignment; tion in which the legal entity is incorporated or has its registered office.
or (2) are future receivables directly resulting from a legal relationship Therefore, the non-EU subsidiary of an EU entity may not be subject
existing at the date of assignment. to the ‘direct’ retention obligation because a subsidiary is typically a
A disclosed assignment requires that notification of the assignment separate legal entity, whereas a non-EU branch of an EU entity may be
is given to the debtor. caught within this provision because a branch is typically not a separate
If the (delivery of the) assignment is not perfected, the receiv- legal entity. Market participants are still seeking clarity on this and it is
able has not been successfully assigned to the assignee. If the seller expected that this point will be raised as part of the ongoing EBA consul-
becomes insolvent before all conditions for the assignment have been tation on risk retention.
perfected, the receivables can no longer be assigned and the insolvent
seller remains the owner. Securitisation confidentiality and data protection requirements
Until notification of the assignment, borrowers can only validly pay 26 Is a special purpose company used to purchase and securitise
to the assignor in order to validly discharge their payment obligations, peer-to-peer or marketplace loans subject to a duty of
and payments made prior to notification of the assignment but after the confidentiality or data protection laws regarding information
assignor has been declared insolvent will fall in the estate of the assignor. relating to the borrowers?
Assignment of receivables does not require the consent of the
borrower or informing the borrower. Assignment of receivables only Yes, a special purpose vehicle that is based in the Netherlands will fall
requires notification to the borrower in the case of a disclosed assign- under the scope of these laws if it processes personal data in relation to
ment. A contractual non-assignment clause may prevent the transfer of activities in the Netherlands.
receivables, depending on the exact wording of the clause.
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
Securitisation risk retention requirements TECHNOLOGY AND CRYPTO-ASSETS
25 Are securitisation transactions subject to risk retention
requirements? Artificial intelligence
27 Are there rules or regulations governing the use of artificial
As of 1 January 2019, the risk retention rules as set out in the EU intelligence, including in relation to robo-advice?
Securitisation Regulation will apply to P2P securitisations that are offered
to European banks, investment firms, alternative investment funds or There is no specific regulatory framework for the use of artificial
insurers. Under these risk retention rules, certain investors (such as intelligence. Furthermore, there is no legal distinction between robo-
credit institutions, Markets in Financial Instruments Directive-regulated advice and traditional investment advice in the Netherlands. As such,
companies providing robo-advice must fulfil the same legal require- Initial coin offerings
ments as companies providing traditional investment advice. 31 Are there rules or regulations governing initial coin offerings
There is no specific regulation on automated investment advice. (ICOs) or token generation events?
However, the Dutch Authority for the Financial Markets (AFM) has issued
guidelines regarding the duty of care of asset managers who offer semi- The tokens that are used with an initial coin offering (ICO) are typically
automatic investment advice. These guidelines are not legally binding drawn up in a way so as not to qualify as securities or units in an alter-
but they do bring clarity for asset managers. The guidelines are aligned native investment funds. Therefore, they fall outside the scope of the
with Dutch law, the Markets in Financial Instruments Directive II and FSA. This means that ICOs are not regulated by the FSA or supervised
suitability guidelines published by the European Securities and Markets by the AFM or DNB. Theoretically, the ICO tokens could be drawn up in
Authority and set out, among other things, guidance on safety and the a way that qualifies them as securities or units in an alternative invest-
provision of information. ment fund. If that is the case, the FSA applies to the ICOs and there is
The AFM has published its views on robo-advice more generally, supervision by the AFM and DNB.
stating that while robo-advice could be an opportunity to improve both The AFM and DNB have issued multiple warnings about the risks
access and the quality of investment advice, there are also specific of investing in ICOs and digital tokens. The AFM considers investing in
points of attention to consider. ICOs as not suitable for retail investors.
www.lexology.com/gtdt 155
© Law Business Research 2020
Netherlands Simmons & Simmons LLP
The Revised Payment Services Directive (PSD2) includes provisions If a financial institution wants to make use of cloud computing, it must
relating to measures that should be implemented by payment institu- notify the Dutch Central Bank (DNB) of its intention to do so. Before
tions, such as securing the payment service user’s personal security using cloud computing, the financial institution is required to develop
data and agreeing on how to manage operational and security risks. a risk analysis, which must be presented to the DNB. Because the DNB
In addition to the PSD2, there are cybersecurity related provisions qualifies cloud computing as a specific type of outsourcing, the rules
in the following regulations. on outsourcing apply. Outsourcing is not allowed in cases where it
The GDPR includes a few provisions relating to the security of would obstruct the supervision of the outsourced activities or where the
processing, such as the requirement for the controller to, both at the time internal audit function would be negatively affected by the outsourcing
of the determination of the means for processing and at the time of the of the activities. Furthermore, the financial institution is required to have
processing itself, implement appropriate technical and organisational adequate policies and proper procedures to manage outsourcing risks.
measures that are designed to implement data protection principles in
an effective manner and to integrate the necessary safeguards into the INTELLECTUAL PROPERTY RIGHTS
processing to meet the requirements of the GDPR and protect the rights
of data subjects. The controller and the processor must also implement IP protection for software
these measures to ensure a level of security appropriate to the risk, 36 Which intellectual property rights are available to protect
which may include, among other things: software, and how do you obtain those rights?
• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, avail- Computer programs (and preparatory materials) are protected by copy-
ability and resilience of processing systems and services; right. Copyright arises automatically as soon as the computer program
• the ability to restore the availability and access to personal data in is created, registration is not required. Copyrighted works are protected
a timely manner in the event of a physical or technical incident; and until 70 years after the death of the creator.
• a process for regularly testing, assessing and evaluating the effec- Databases underlying software programs may also be protected by
tiveness of technical and organisational measures for ensuring the copyright and, in certain circumstances, by database right. A database
security of the processing. right is a stand-alone right that protects databases that have involved
a substantial investment in obtaining, verifying or presenting their
Furthermore, the Network and Information Security Act (NIS) applies contents. The right automatically comes into existence upon creation
to so-called ‘vital’ providers. The vital providers are designated by the and expires after 15 years.
Network and Information Security Decree. Fintech companies might fall Software may also be protected as confidential information or as a
under the definition of vital providers and, if so, they might be subject to trade secret by keeping the software code secret. There are no formal
certain requirements. For instance, vital providers are – in short – obliged (registration) requirements other than that a trade secret holder needs
to report a breach of the security or loss of integrity of their information to take reasonable measures to protect its secret and it needs to have
systems. Moreover, the NIS includes obligations relating to taking meas- commercial value.
ures to control the security of network and information systems. Programs for computers and schemes, rules or methods of doing
Finally, not having implemented any organisational and technical business as such are expressly excluded from patentability under the
security measures could possibly lead to criminal liability. Any person Dutch Patent Act 1995 and the European Patent Convention. However,
who by negligence or carelessness is responsible for, among other patent protection for software may be possible if the inventor is able to
things, wrongful changes or losses of data that lead to serious damage demonstrate that the software makes a novel and inventive technical
to that data, may be punished with a maximum prison sentence of one contribution over and above that provided by the program or business
month or a fine. method itself. To obtain patent protection, registration is required with
the relevant Dutch and European patent offices and the registration hand down decisions in which confidential information is redacted. The
requirements must be followed. Patent protection is limited to 20 years current Trade Secrets Act proposal includes a new rule introducing the
starting from the date of filing the application. option for the court to impose a confidentiality club, limiting the access
to trade secrets.
IP developed by employees and contractors
37 Who owns new intellectual property developed by an Branding
employee during the course of employment? Do the same 40 What intellectual property rights are available to protect
rules apply to new intellectual property developed by branding and how do you obtain those rights? How can
contractors or consultants? fintech businesses ensure they do not infringe existing
brands?
Copyrights and databases created by an employee during the course of
his or her employment are automatically owned by the employer unless Brands can be protected as registered trademarks either in the Benelux
the parties have agreed otherwise. Patents protecting inventions made alone (as a Benelux trademark) or across the EU (as an EU trade-
by an employee in the course of his or her normal duties are owned mark). Certain branding, such as logos and stylised marks, can also
by the employer. Any other patented inventions will be owned by the be protected by design rights and may also be protected by copyright.
employee unless agreed otherwise. Design rights and trademarks are obtained by registering the design
Inventions or copyrights created by contractors or consultants in or trademark with the relevant authority (eg, the Benelux Office for
the course of their duties are owned by the contractor or consultant Intellectual Property, World Intellectual Property Organization or
unless otherwise agreed. By contrast, database rights are owned by the European Union Intellectual Property Office).
person who takes the initiative and assumes the risk of investing in The Benelux and EU trademark databases can be searched to iden-
obtaining, verifying and presenting the data in question. Depending on tify registered trademarks or applications for a trademark with effect in
the circumstances, this is likely to be the business that has retained the the Netherlands. It is highly advisable for new businesses to conduct
contractor or consultant. trademark searches to check whether earlier registrations exist that are
identical or similar to their proposed brand names.
Joint ownership
38 Are there any restrictions on a joint owner of intellectual Remedies for infringement of IP
property’s right to use, license, charge or assign its right in 41 What remedies are available to individuals or companies
intellectual property? whose intellectual property rights have been infringed?
Where two or more persons jointly own an intellectual property right, Remedies include:
any one of them may use and enforce the right, unless otherwise • preliminary and final injunctions (preliminary injunctions are avail-
agreed. Each joint owner may assign or charge its share of the intel- able cross-border);
lectual property right without the other owners’ consent. Exploitation • damages or surrender of profits;
of the intellectual property right, including the granting of licences and • delivery up or destruction of infringing products;
charging or assigning the intellectual property right, can only be done • orders to disclose certain information that relates to the
by the joint owners of the intellectual property right. infringement;
• publication orders; and
Trade secrets • reimbursement of costs, including court fees and costs of (patent)
39 How are trade secrets protected? Are trade secrets kept attorneys and experts (cost orders in Dutch intellectual property
confidential during court proceedings? litigation are typically between 80 per cent and 100 per cent of
actual costs).
In the Netherlands, trade secrets are protected by the general law of
tort (such as breach of the rules of fair competition) and by the Dutch COMPETITION
Trade Secrets Act, which entered into force on 23 October 2018 and
implements the EU Trade Secrets Directive (Directive 2016/943/EU). Sector-specific issues
The Trade Secrets Act provides more specific rules for the protection 42 Are there any specific competition issues that exist with
for trade secrets. The Trade Secrets Act defines a trade secret as infor- respect to fintech companies in your jurisdiction?
mation that:
• is secret, in the sense that it is not generally known among, or The Dutch Authority for Consumers and Markets (ACM) continuously
readily accessible to, persons within the circles that normally deal monitors compliance with competition law by companies active in the
with the kind of information in question; financial sector. It has established a specifically designated research
• has commercial value because it is secret; and body, the Financial Sector Monitor (FSM). The FSM carries out economic
• has been subject to reasonable steps by the holder of the informa- research into the operation of the financial markets and analyses the
tion to keep it secret. risks to competition. Furthermore, the ACM has specific regulatory by
payment system providers and interchange fees.
The Trade Secrets Act contains measures and remedies to enforce trade In 2016, the ACM called for public input on how it can help to boost
secrets. The secret holder can claim an injunction against further use or fintech companies’ contribution to competition in the financial sector,
disclosure of a trade secret. The Trade Secrets Act includes the possi- whereby it indicated it would pay special attention:
bility for the court to grant the winning party a full cost award of all • to barriers to entry that prevent the fintech sector from reaching
reasonable and equitable legal and other costs. its full potential; and
Measures are available in the Netherlands to prevent public • to risks involved with rapid technological change that may have
disclosure of trade secrets during court procedures. For example, the adverse effects on competition and innovation.
court may order oral hearings be conducted ‘behind closed doors’ and In addition, the ACM considered:
www.lexology.com/gtdt 157
© Law Business Research 2020
Netherlands Simmons & Simmons LLP
• being more actively involved in the national implementation of • Innovation box: it allows companies to have profits derived from
European regulation, such as the Revised Payment Services qualifying IP taxed at an effective corporate income tax rate of 7
Directive (PSD2), whereby it would try to make sure that the per cent instead of the regular corporate income tax rate of 16.5
competition perspective stays in focus; and per cent to 25 per cent.
• conducting a market study. • Costs incurred in connection with the development of intangible
assets may immediately be fully depreciated, instead of capitalised
In this context, the ACM mentioned various competitive risks it identified and depreciated over a number of years.
in the form of:
• anticompetitive behaviour; In general, directors or majority shareholders of a company are deemed
• high concentration and entry barriers; and to receive an annual salary from their company of at least €46,000 (in
• consumer inertia. respect of which payroll taxes are payable) unless it can be demon-
strated that others performing similar activities earn less. For directors
Following this communication, the ACM has, to date, looked into the or majority shareholders of a start-up company, the deemed salary may
following two specific issues. be lowered to the minimum wage in the Netherlands (€1,680.00 a month
• Whether regulatory costs constitute barriers to entry for fintech as of 1 July 2020) as a result of which less payroll taxes are payable. A
companies. The ACM ordered a study from EY that concluded that number of conditions must be met to qualify for each incentive.
such regulatory costs do not constitute obstacles for new providers
in the financial sector. Increased tax burden
• Whether banks are limiting access of fintech companies – fron- 44 Are there any new or proposed tax laws or guidance that
tend providers and end-to-end providers – to bank accounts and could significantly increase tax or administrative costs for
thereby hinder competition in the payment market. fintech companies in your jurisdiction?
The ACM conducted a study and identified a risk of foreclosure of front- No.
end providers. As a result, the ACM announced that it will actively
monitor the behaviour of banks and how they deal with requests for IMMIGRATION
access. In addition, the ACM:
• proposed that, where possible in light of the PSD2 and the Sector-specific schemes
European Commission’s Regulatory Technical Standards, further 45 What immigration schemes are available for fintech
national implementation of EU law regarding access to bank businesses to recruit skilled staff from abroad? Are there any
accounts should enable this access; special regimes specific to the technology or financial sectors?
• indicated that a system of free access could result in the banks
refusing access (which implies that the ACM proposes to allow the The following are the most common corporate immigration schemes
banks to ask for compensation for the costs related to providing in and to the Netherlands (which are only relevant for those who are
access); and not EU, EEA or Swiss nationals – third-country nationals – as all EU,
• proposed that a light version of the banking licence could be EEA and Swiss nationals are free to reside and perform any activities in
created for fintech companies so that they can offer payment the Netherlands for as long as they wish owing to the rules on the free
accounts. movement of workers within the EU, which is expanded to the EEA and
Switzerland).
As regards end-to-end providers, the ACM considered that the risks of • Knowledge migrant scheme: this relates to the gross monthly
foreclosure were limited. Nevertheless, it proposed to cut the red tape – salary (exclusive of holiday allowance, normally 8 per cent of the
in addition to the above-mentioned light banking licence: salary) that is consistent with Dutch salary standards and with
• by defining objective permit criteria that are related to the actual thresholds that vary from €2,423 to €4,612, depending on age and
risks posed by end-to-end providers; and specific education (for the lowest threshold). Additionally, the formal
• by making sure that, in the development of instant payments employer in most cases needs to be recognised as a sponsor. If the
infrastructures in Europe, fintech companies are able to directly employer is not a sponsor, one can apply to become one or can make
participate in the systems and arrangements for clearing and use of a recognised payroll company to fill up that gap, or both.
settlement of payments under non-discriminatory and objective • Intra-corporate transfer scheme (Directive 2016/66/EU): if the
conditions. employee is a specialist, manager or trainee and remains on the
payroll of his or her employer outside the EU, he or she may be
TAX transferred to the Netherlands under that scheme for up to three
years (after which he or she can return to his or her home country
Incentives or the residence permit can be prolonged, for example, under the
43 Are there any tax incentives available for fintech companies knowledge migrant scheme). No salary thresholds and no recog-
and investors to encourage innovation and investment in the nised sponsorship is required, but, nevertheless, it is advisable for
fintech sector in your jurisdiction? a faster procedure. Some form of intra-EU mobility is possible. This
scheme is compulsory unlike other schemes if the application or
There are no specific tax incentives applicable to fintech companies. situation falls within the scope of the Directive.
However, there are some tax incentives available to ‘innovative’ compa- • Blue card scheme (Directive 2009/50/EC): the EU version of the
nies. The key incentives are: US Green Card, but much more limited. Specific education require-
• WBSO (R&D payroll tax credit): it allows an employer a payroll tax ments apply. The salary threshold in the Netherlands is now
refund of 16 per cent to 40 per cent of the salary costs for the part €5.403,00 gross per month exclusive of holiday allowance. No
of the salary costs that an employer has paid to its employees who recognised sponsorship is necessary but, nevertheless, is advis-
conduct R&D activities. able. It is unpopular in the Netherlands owing to the much more
www.lexology.com/gtdt 159
© Law Business Research 2020
Netherlands Simmons & Simmons LLP
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
Fintech in New Zealand is in a very healthy state, driven largely by the There are several regulators, depending on the type of products and
country’s strong start-up ecosystem, a broad base of industry partici- services being offered. The Financial Markets Authority (FMA) is the
pants and a push from both the government and industry to develop a securities regulator, which supervises offers of financial products in New
stronger technology export sector. The industry association FinTechNZ Zealand and is responsible for licensing the provision of certain financial
acts as a focal point for the fintech community in New Zealand, services and the enforcement of certain prudential and fair dealing stand-
connecting banks, insurers and managers with investors, innovators ards. The Reserve Bank of New Zealand is responsible for the supervision
and regulators and promoting NZ fintech to the world. This promotion and prudential regulation of banks, non-bank deposit takers and insurers,
is made easier because of New Zealand’s excellent international reputa- as well as generally maintaining the robustness of New Zealand’s finan-
tion for being a good place to do business and for having: cial system. Other regulators include the Department of Internal Affairs
• a strong financial system; (anti-money laundering) and the Commerce Commission (competition).
• low corruption; and
• open and approachable regulators. Regulated activities
4 Which activities trigger a licensing requirement in your
Government and regulatory support jurisdiction?
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key Under the Financial Markets Conduct Act 2013 (FMCA) and subsidiary
benefits of such support? regulations, if a person provides to retail investors any financial advice,
crowdfunding services, ‘robo advice’, discretionary investment manage-
Government departments (eg, the Ministry of Business and Innovation) ment services or peer-to-peer (P2P) lending services, or if they operate
and regulators (eg, the Financial Markets Authority) have demonstrated a managed investment scheme for, issue derivatives (eg, a contract for
their strong support for NZ fintech through proactively engaging with difference or forex futures) to or take deposits from retail investors, they
industry participants and associations, such as FinTechNZ and its must be licensed by the FMA. Further, any person who carries on insur-
FinTech Regulatory Roundtable. ance business in New Zealand must be licensed by the Reserve Bank of
New Zealand's Innovation Fund, an initiative set up as a joint New Zealand. Any business that provides financial services (whether in
programme by the New Zealand government and Westpac bank, New Zealand or from New Zealand to other countries) is also required
provides funding to participants in the fintech sector to support initia- by the Financial Service Providers (Registration and Dispute Resolution)
tives with a focus on the fund's themes, being digital identity, digital Act 2008 (FSP(RDR)A) to be registered on the Financial Services
inclusion, optimising payment systems, and processes and data. Provider Register (FSPR). With registration comes certain obligations,
Otherwise, the Reserve Bank of New Zealand, while striking a note including joining a dispute resolution scheme (if the business has retail
of caution about fintech, has nevertheless recognised the efficiencies clients) and filing an annual confirmation of its details and services.
that it might bring to NZ banking and payments systems. However,
government regulators have stopped short of creating a sandbox, and Consumer lending
fintech companies are encouraged to engage with them early on to 5 Is consumer lending regulated in your jurisdiction?
inform their thinking about potential routes through the regulatory
environment. Consumer lending is regulated primarily under the Credit Contracts and
Consumer Finance Act 2003 (CCCFA), which applies to a range of trans-
actions where money is loaned for personal use, such as consumer
credit contracts, consumer leases and buy-back transactions. Among
other things, the CCCFA:
• requires those to whom it applies to act responsibly and disclose
certain information to borrowers; and
• provides general rules for credit contracts.
www.lexology.com/gtdt 161
© Law Business Research 2020
New Zealand Anderson Lloyd Lawyers
P2P lending markets such as Harmoney and Squirrel must be licensed Invoice trading
providers of a P2P lending service. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
Collective investment schemes
7 Describe the regulatory regime for collective investment There is no specific regulation of invoice trading; however, under the
schemes and whether fintech companies providing FSP(RDR)A, invoice trading will likely constitute a financial service
alternative finance products or services would fall within its (being a creditor under a credit contract) and invoice traders will be
scope. required to register on the FSPR as financial services providers. With
registration comes certain obligations, including joining a dispute reso-
Collective investment schemes, in which money from several investors lution scheme (if the business has retail clients) and filing an annual
is pooled together and those investors are reliant on the investment confirmation of its details and services.
expertise of a scheme manager, are regulated chiefly as managed
investment schemes. The FMCA’s definition of these schemes is broad Payment services
enough to capture most open and closed-ended collective investment 12 Are payment services regulated in your jurisdiction?
schemes and those involving participatory securities. Fintech compa-
nies providing P2P lending or crowdfunding platforms are not regulated There is no specific regulation of payment services along the lines of
as managed investment schemes, but instead are regulated under the the revised EU Payment Services Directive (2015/2366/EU); however,
relevant licensing regimes for those platforms. under the FSP(RDR)A, such services will constitute financial services (as
they involve issuing and managing a means of payment) and payment
Alternative investment funds services providers will be required to register on the FSPR as finan-
8 Are managers of alternative investment funds regulated? cial services providers. With registration comes certain obligations,
including joining a dispute resolution scheme (if the business has retail
Yes, managed investment scheme managers must register on the FSPR clients) and filing an annual confirmation of its details and services.
as a provider of financial services and (where they will make a regu-
lated offer to retail investors) be licensed by the FMA. Managers must Open banking
also meet and maintain certain minimum standards (including fitness 13 Are there any laws or regulations introduced to promote
and propriety of directors and senior managers) and have obligations competition that require financial institutions to make
relating to financial reporting, fair dealing and anti-money laundering. customer or product data available to third parties?
Peer-to-peer and marketplace lending Not yet, as the government has preferred to allow the industry to take
9 Describe any specific regulation of peer-to-peer or the lead. The implementation of open banking is being spearheaded by
marketplace lending in your jurisdiction. Payments NZ (a company formed in 2010 by ANZ, ASB, BNZ, Citibank,
HSBC, Kiwibank, TSB Bank and Westpac with the support of the
P2P lending is regulated by the FMA as a financial market service under Reserve Bank of New Zealand), which launched its API Centre in May
the FMCA. Anyone wishing to operate in such a market must be licensed 2019. This is a suite of industry-standardised application program inter-
as a provider of P2P lending services. Borrowers that use a licensed faces (APIs) for payment-related services, which is designed to manage
service are exempt from the requirement to issue a product disclosure a move to greater openness in banking and payments and to create an
statement (which they would otherwise be required to do, as it would be API-enabled ecosystem in New Zealand. Payments NZ is responsible
seen as the issue of a debt security to the public). In addition to meeting for the governance of the API Centre but has delegated it to an API
certain minimum standards and conditions for their licence, licensed Council comprising banks, non-bank third parties and independent
P2P platforms have several ongoing obligations, including notifying members. The API Council gets recommendations from a business and
the FMA of certain events (as well as providing an annual regulatory a technical group, and has an independent subcommittee to handle
return) and relating to financial reporting, fair dealing and anti-money sensitive issues.
laundering. Payments NZ published version 2.0 of their API standards for
Payment Initiation and Account Information in May 2020, and these
standards were added to their API Centre sandbox in July 2020. This • entitling individuals to a free credit score (if the credit reporter has
will allow users and community contributors to first test their fintech a practice of releasing such scores to subscribers);
innovations against the API standards to ensure that their solutions • reducing the time limit for access to credit information from 20 to
function as expected without having to first negotiate terms of access 10 working days; and
with a bank. Payments NZ continues to work on a broader develop- • giving reporters the right to charge for expedited access requests
ment pipeline of other API standards and iterations, including customer (ie, within three working days).
experience guidelines to support the use of the standardised APIs in
the market. CROSS-BORDER REGULATION
Robo-advice Passporting
14 Describe any specific regulation of robo-advisers or other 17 Can regulated activities be passported into your jurisdiction?
companies that provide retail customers with automated
access to investment products in your jurisdiction. Overseas issuers of financial products wishing to extend offers to New
Zealand must do so under an official recognition scheme or an exemp-
Robo-advice is expressly permitted under the Financial Advisers tion from the Financial Markets Authority (FMA). There are two such
(Personalised Digital Advice) Exemption Notice 2018. Robo-advisers schemes in place:
must apply to the FMA for approval under that exemption – currently • the Trans-Tasman Mutual Recognition Arrangement with Australia,
there are nine approved, including NZ fintech company Sharesies. The which allows an Australian issuer to extend its offers into New
application process typically involves an assessment of the applicant's Zealand, provided that they comply with Australian laws and
adherence to certain minimum standards, including the good character certain reporting and filing obligations in New Zealand; and
of the directors and senior managers of the applicant, their skills and • with effect from July 2019, the Asia Region Funds Passport, under
experience, and the applicant's risk management processes and IT which a managed fund in the participating countries (ie, Australia,
systems. For some of these criteria the standards might be relaxed for Japan, South Korea and Thailand) may extend the offer to New
smaller applicants. The exemption notice will be revoked when the new Zealand provided that they:
financial advice regime, which will be brought into effect in April 2021 • register in their home jurisdiction as a passport fund;
by the Financial Services Legislation Amendment Act 2019, comes into • apply to the FMA for authorisation; and
force. Therefore, there may be additional requirements relating to the • comply with certain initial and ongoing requirements
provision of robo-advice under the new regime. (including registering on the Financial Services Provider
Register (FSPR), joining a dispute resolution scheme and
Insurance products appointing an agent for service in New Zealand).
15 Do fintech companies that sell or market insurance products
in your jurisdiction need to be regulated? As of the date of writing, no foreign passport funds have been approved
for NZ entry.
Fintech companies that carry on insurance business in New Zealand
are subject to the supervision of the Reserve Bank of New Zealand Requirement for a local presence
and must be licensed. Whether this applies to an insurtech entity will 18 Can fintech companies obtain a licence to provide financial
depend on its business activities – under Section 8(1) of the Insurance services in your jurisdiction without establishing a local
(Prudential Supervision) Act 2010 (IPSA) it will be held to be carrying presence?
on insurance business if it acts as an insurer either in or outside New
Zealand or is otherwise liable as an insurer under a contract of insur- Any fintech company that provides financial services to New Zealand
ance to a NZ policy holder. Regulation takes the form of a risk-based from overseas is required to register on the FSPR. If its activities in New
supervisory regime established under the IPSA, requiring the licensee Zealand constitute ‘carrying on business’ within the meaning of section
to meet certain criteria relating to: 332 of the Companies Act 1993, it must register with New Zealand’s
• governance; Registrar of Companies as an overseas company (effectively a NZ branch
• the fitness and propriety of their officers and managers; of the foreign company). Registration imposes obligations on the company
• capital adequacy; and to submit annual financial statements to the Companies Office and may
• liquidity. bring it within the remit of New Zealand’s anti-money laundering laws.
www.lexology.com/gtdt 163
© Law Business Research 2020
New Zealand Anderson Lloyd Lawyers
Other general consumer laws that prohibit fraudulent conduct (eg, • to assess and mitigate money laundering and terrorism financing
obtaining money by deception) may apply. risks.
CHANGE OF CONTROL The other two supervisors (ie, the Financial Markets Authority and the
Reserve Bank of New Zealand) to whom the AMLCFTA gives respon-
Notification and consent sibility for providing industry guidance have also given more general
20 Describe any rules relating to notification or consent guidance on several other anti-money laundering topics, including:
requirements if a regulated business changes control. • risk assessment;
• enhanced customer due diligence;
Persons or entities that wish to provide a financial market service in New • beneficial ownership; and
Zealand (ie, peer-to-peer lending or crowdfunding) must be licensed as • suspicious activity reporting.
providers of such services under the Financial Markets Conduct Act
2013 (FMCA). Each regulated business holding a market service licence Other guidelines published by the Police Financial Intelligence Unit may
issued under the FMCA must notify and report to the Financial Markets also be relevant.
Authority (FMA) on the occurrence of ‘a material change in circum-
stances’. This is defined under the FMCA as including any change in PEER-TO-PEER AND MARKETPLACE LENDING
the licensee’s directors and senior managers or the fulfilment of the
eligibility criteria in respect of which the licence was originally granted. Execution and enforceability of loan agreements
Holders of a market service licence must report to the FMA as soon as 23 What are the requirements for executing loan agreements or
is practical if the relevant licensee proposes to (among other things): security agreements? Is there a risk that loan agreements
• change its legal structure; or security agreements entered into on a peer-to-peer or
• enter into any major transaction; or marketplace lending platform will not be enforceable?
• enter into a transaction that has the effect of a person obtaining or
losing control of the licensee. Simple loan agreements require only the signature of the parties, while
security documents such as a general or specific security agreement are
On receipt of such reporting, the FMA may suspend, vary or revoke the executed as deeds and require individuals‘ signatures to be witnessed.
licensee’s market services licence if it considers that, in light of the Secured parties should register a financing statement for their security
relevant change, the licensee can no longer meet its licence conditions interests on the Personal Property Securities Register to maximise the
or any of the minimum criteria in respect of which the original licence priority to be given to that security, as the order of registration determines
was granted. priority. Provided that these basic criteria are met, the NZ courts will
generally give effect to and enforce such loan and security documents.
FINANCIAL CRIME
Assignment of loans
Anti-bribery and anti-money laundering procedures 24 What steps are required to perfect an assignment of
21 Are fintech companies required by law or regulation to have loans originated on a peer-to-peer or marketplace lending
procedures to combat bribery or money laundering? platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these
Yes, if fintech companies carry on one of the many specified activities loans without informing the borrower?
(including issuing or managing means of payment, such as electronic
money) that would bring them within the definition of a ‘financial insti- Under the Property Law Act 2007, notice to a borrower is not required
tution’ under the Anti-money Laundering and Countering Financing of for an absolute assignment to be effective as a true sale; however, notice
Terrorism Act 2009 (AMLCFTA), they must have procedures to combat must be given to the borrower to perfect such assignment. If there is any
bribery or money laundering. If it is a financial institution, a fintech underlying security assigned, further steps might be required to perfect
company has certain obligations under the AMLCFTA, including: that security. If the assignment is not perfected, it will be subject to any
• conducting a review and assessment of the risk of money laun- further equities that may have arisen in priority to the purchaser’s claim.
dering specific to its business;
• implementing a compliance programme; Securitisation risk retention requirements
• undertaking due diligence on its customers (which could be simpli- 25 Are securitisation transactions subject to risk retention
fied, standard or enhanced); requirements?
• monitoring transactions; and
• filing suspicious activity reports. Non-bank issuers are not subject to any specific NZ laws or regulations
relating to credit risk retention.
Guidance
22 Is there regulatory or industry anti-financial crime guidance Securitisation confidentiality and data protection requirements
for fintech companies? 26 Is a special purpose company used to purchase and securitise
peer-to-peer or marketplace loans subject to a duty of
The Department of Internal Affairs, which is the lead AMLCFTA contact confidentiality or data protection laws regarding information
for virtual asset service providers (VASPs), published guidance in relating to the borrowers?
November 2019 stating that financial services provided by VASPs fall
within the existing definition of a ‘financial institution’ in the AMLCFTA. Any person that processes personally identifiable information (PII) will
As a result, VASPs have AMLCFTA responsibilities, including: be an agency under the Privacy Act 1993 and must therefore comply
• to report suspicious activities and certain transactions; with the 12 information privacy principles set out in the Act. There are
• to verify the identity of customers in certain circumstances; and no specific restrictions under the Privacy Act on an agency’s ability to
disclose PII, beyond a general restriction against disclosure for any apply to international transfers of digital assets. BlockchainNZ
purpose that is not one of the purposes in connection with which the understands that the DIA will nevertheless take a pragmatic
information was obtained. The current Privacy Act will be replaced by approach to VASP’s implementation of this rule, particularly in light
the Privacy Act 2020 in December 2020, which will introduce further of current business disruptions that many are facing; and
restrictions against the disclosure of PII to overseas persons (other • an international delegation from the Financial Action Task Force
than cloud storage providers or other overseas processors). visited New Zealand in March 2020 to undertake a review of New
Zealand’s approach to preventing money laundering and terrorist
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER financing. The delegation met with representatives of BlockchainNZ
TECHNOLOGY AND CRYPTO-ASSETS to discuss the approaches taken in New Zealand. The outcome of
the evaluation is expected to result in changes to New Zealand’s
Artificial intelligence anti-money laundering regulations.
27 Are there rules or regulations governing the use of artificial
intelligence, including in relation to robo-advice? Further developments in this area are expected as blockchain and DLT
become more widespread.
There are no specific rules or regulations governing the use of artifi-
cial intelligence. In relation to robo-advice, however, applicants must Crypto-assets
describe their digital advice service as part of the application – including 29 Are there rules or regulations governing the use of crypto-
any use of artificial intelligence – and the Financial Markets Authority assets, including digital currencies, digital wallets and
(FMA) will assess the service against certain minimum standards e-money?
around functionality and cyber resilience.
Robo-advice is expressly permitted under the Financial Advisers In October 2017 the FMA issued guidance on cryptocurrencies, initial
(Personalised Digital Advice) Exemption Notice 2018. Robo-advisers coin offerings (ICOs) and related services. The FMA’s view is that any
must apply to the FMA for approval under that exemption – currently provision of a financial service relating to cryptocurrencies in New
there are nine approved, including NZ fintech company Sharesies. The Zealand will require compliance with the fair dealing requirements
application process typically involves an assessment of the applicant's under the Financial Markets Conduct Act 2013 (FMCA) and (potentially)
adherence to certain minimum standards, including the good character with obligations under the Financial Service Providers (Registration
of the directors and senior managers of the applicant, their skills and and Dispute Resolution) Act 2008 (FSP(RDR)A). The guidance states that
experience, and the applicant's risk management processes and IT wallet providers that store cryptocurrency or money on behalf of others,
systems. For some of these criteria the standards might be relaxed for or that facilitate exchanges between cryptocurrencies or between fiat
smaller applicants. The exemption notice will be revoked when the new and crypto, will be operating a value transfer service. This is a type
financial advice regime, which will be brought into effect in April 2021 of financial service within the meaning of the FSP(RDR)A and requires
by the Financial Services Legislation Amendment Act 2019, comes into providers to register under that Act. Further, if a person holds money
force. Therefore, there may be additional requirements relating to the for depositors, they may be offering debt securities (which are financial
provision of robo-advice under the new regime. products regulated under the FMCA). Although, if those funds are held
in trust, the wallets may not be debt securities.
Distributed ledger technology The DIA confirmed in November 2019 that the Anti-money
28 Are there rules or regulations governing the use of Laundering and Countering Financing of Terrorism Act 2009 (AMLCFTA)
distributed ledger technology or blockchains? imposes certain anti-money laundering checks and obligations on VASPs.
These responsibilities include:
Not as yet. However, it is on the regulatory radar – for example, the • to report suspicious activities and certain transactions;
Reserve Bank of New Zealand (which has responsibility for providing • to verify the identity of customers in certain circumstances; and
critical payment system infrastructure and maintaining the soundness • to assess and mitigate money laundering and terrorism financing
of New Zealand’s financial system) has considered the role of distributed risks.
ledger technology (DLT) in improving payments processes and how the
use of DLT could affect the stability of payment systems. Furthermore, Digital currency exchanges
Crown innovation entity Callaghan Innovation published a report in 30 Are there rules or regulations governing the operation of
December 2018 (funded in part by Ministry of Business and Innovation) digital currency exchanges or brokerages?
exploring the opportunities for DLT and blockchain in New Zealand.
The industry association, BlockchainNZ, has been engaging with Under the FMA’s guidance, if a person arranges cryptocurrency transac-
NZ government agencies such as the Financial Markets Authority, the tions, they are also operating a value transfer service and are regulated
Department of Internal Affairs and the Reserve Bank, to discuss regula- under the FSP(RDR)A. Further, if a person provides transaction services
tory approaches to blockchain. It is clear there is much interest from the relating to cryptocurrencies or tokens that also qualify as financial prod-
regulators and a desire to work together to ensure New Zealand has the ucts under the FMCA, they may have obligations as a broker under the
right structures in place. For example: Financial Advisers Act 2008.
• the Inland Revenue Department issued a consultation paper in early Exchanges or brokerages would be considered to be VASPs,
2020 to seek input on a proposal to exclude cryptocurrencies (crypto- which the DIA confirmed in November 2019 are covered by the anti-
assets) from goods and services tax and the financial arrangement money laundering checks and obligations on VASPs required under
rules to ensure these rules do not impose barriers to developing the AMLCFTA.
new products, raising capital or investing through crypto-assets; These responsibilities include:
• the Department of Internal Affairs (DIA) has published guidance for • to report suspicious activities and certain transactions;
the virtual asset service provider (VASP) sector (including cryptocur- • to verify the identity of customers in certain circumstances; and
rency exchanges, brokers and token issuers). Under the guidance, • to assess and mitigate money laundering and terrorism
the existing rules applying to international wire transfers will also financing risks.
www.lexology.com/gtdt 165
© Law Business Research 2020
New Zealand Anderson Lloyd Lawyers
Initial coin offerings Further, the Financial Markets Authority conducted a thematic review
31 Are there rules or regulations governing initial coin offerings of cyber resilience in New Zealand’s financial services, culminating
(ICOs) or token generation events? in a report issued in July 2019 containing guidance for regulated
entities where they identified the need for improvement. The report
There are no specific rules or regulations relating to ICOs, as the FMA recommended that market participants make use of a recognised cyber-
has instead preferred to analyse offers of tokens under the current security framework to assist in planning, prioritising and managing their
FMCA regulation of financial products. How an ICO will be regulated will cyber resilience.
depend on whether:
• the token on offer is a financial product (which will depend on the OUTSOURCING AND CLOUD COMPUTING
characteristics and economic substance of the token);
• the entity is providing a financial service (which will depend on the Outsourcing
structure and features of the ICO); and 34 Are there legal requirements or regulatory guidance with
• the investor is retail or wholesale and based in New Zealand respect to the outsourcing by a financial services company of
or overseas. a material aspect of its business?
Tokens cannot be offered through crowdfunding platforms. The FMA’s The Reserve Bank of New Zealand has published an outsourcing policy
guidance on cryptocurrencies specifically addresses both ICOs and how (last revised in April 2020), to which large banks (ie, those incorporated
the fair dealing obligations apply to them. as a company in New Zealand with net liabilities exceeding NZ$10 billion)
ICO providers are considered to be VASPs, which the DIA confirmed must comply as a condition of their registration. The policy aims to:
in November 2019 are covered by the anti-money laundering checks and • ensure that the outsourcing does not compromise a bank’s ability
obligations on VASPs required under the AMLCFTA. to be effectively administered and operated;
These responsibilities include: • facilitate the carrying on of basic banking services by any new
• to report suspicious activities and certain transactions; owner of all or part of a bank; and
• to verify the identity of customers in certain circumstances; and • address the impact that the failure of an outsourced service
• to assess and mitigate money laundering and terrorism provider may have on a bank’s ability to carry on all or part of
financing risks. its business.
DATA PROTECTION AND CYBERSECURITY The Financial Markets Authority (FMA) also has certain rules relating
to outsourcing (eg, by requiring certain licensees to ensure that their
Data protection outsourced functions are adequate, effective and comply with their
32 What rules and regulations govern the processing and licence obligations).
transfer (domestic and cross-border) of data relating to
fintech products and services? Cloud computing
35 Are there legal requirements or regulatory guidance with
There are no specific restrictions under the Privacy Act 1993 on an agen- respect to the use of cloud computing in the financial services
cy’s ability to transfer personally identifiable information (PII) outside industry?
New Zealand. However, the Privacy Act will be replaced in December
2020 by the new Privacy Act 2020, which introduces further restrictions There are no legal requirements or regulatory guidance with respect to
against the disclosure of PII to overseas persons. Under the Privacy Act cloud computing, although any outsourcing arrangements that imple-
2020, agencies would be able to disclose PII to an overseas person only if: ment cloud computing must comply with the Reserve Bank of New
• the individual concerned authorised the disclosure; Zealand’s policy and any requirements imposed by the FMA.
• the overseas person was a prescribed country; or Cyber risk (eg, that arises from the use of cloud computing) was
• the agency believed on reasonable grounds that the overseas one of the issues stemming from fintech that was identified in 2017 by
person was required to protect the PII in a manner comparable to the Financial Stability Board as meriting closer attention. In July 2019
that required by the agency under NZ law. the FMA published guidance on cyber resilience in FMA-regulated finan-
cial services, which, among other things, strongly encouraged market
The new Act will also provide that the proposed restrictions against the participants to use a recognised cybersecurity framework to assist with
disclosure of PII to overseas persons should not apply to transfers to planning, prioritising and managing their cyber resilience.
cloud storage providers or other overseas processors. Furthermore, in light of the move to remote working for much of the
New Zealand workforce caused by covid-19, the New Zealand National
Cybersecurity Cyber Security Centre published a cybersecurity guide in March 2020 to
33 What cybersecurity regulations or standards apply to fintech help organisations consider the specific risks around staff working from
businesses? remote locations, including the deployment at pace and use of cloud-
computing as part of a remote working solution.
The Crimes Act 1961 provides for several cybersecurity regulations that Further developments in this area are expected.
apply to all business operating in New Zealand. These include:
• the criminal offences of accessing a computer system for a
dishonest purpose or without authorisation;
• damaging or interfering with a computer system;
• making, selling, distributing or possessing software for committing
a crime; and
• using an interception device.
INTELLECTUAL PROPERTY RIGHTS infringement of the trade secret constituted a breach of that contract)
or for the tort of breach of confidence. The courts recognise an obliga-
IP protection for software tion on a person that unlawfully receives confidential information not
36 Which intellectual property rights are available to protect to take unfair advantage of it and can grant injunctions to give effect to
software, and how do you obtain those rights? these obligations.
Under Section 21(2) of the Copyright Act, if an employee creates protect- Remedies for infringement of IP
able work in the course of their employment, their employer is the first 41 What remedies are available to individuals or companies
owner of the copyright in that work. A similar but narrower provision whose intellectual property rights have been infringed?
is contained in Section 21(3) in relation to contractors and consult-
ants. This section provides that if a person commissions and pays or The usual civil remedies are available, including:
agrees to pay for one of the artistic works specified in that section (ie, • monetary damages;
a computer program, photograph, painting, drawing, diagram, map, • summary judgment;
chart, plan, engraving, model, sculpture, film or sound recording) and • injunctive relief (including ex parte);
the work is made in pursuance of that commission, the commissioner is • specific performance (eg, delivery up of infringing articles and
the first owner of the copyright in that work. For any other kind of work corrective advertising); and
capable of copyright protection, provision regarding IP ownership must • civil search and seizure orders.
be made in the applicable consulting agreement.
Rights holders may also plead misleading and deceptive conduct in
Joint ownership trade in breach of the Fair Trading Act 1986. The Copyright Act also
38 Are there any restrictions on a joint owner of intellectual provides for criminal liability for the infringement of copyright works for
property’s right to use, license, charge or assign its right in commercial gain.
intellectual property?
COMPETITION
This will depend on the type of intellectual property in question. For
example, under the Copyright Act, an exclusive licence of a copyrighted Sector-specific issues
work is required to be in writing signed by or on behalf of all of the joint 42 Are there any specific competition issues that exist with
owners, but otherwise the joint owners are free to use, licence, charge respect to fintech companies in your jurisdiction?
or assign their rights in that work. Under Section 24 of the Patents Act,
without any agreement to the contrary, co-owners of patents are each There is no fintech-specific competition regulation in New Zealand.
entitled to exercise the exclusive rights given by the patent for their own However, if fintech and open banking take off in New Zealand it will have
benefit without accounting to the others, but cannot assign or grant a competition law implications, which will be of interest to New Zealand’s
patent licence without the consent of all of the co-owners. competition regulator, the Commerce Commission. Competition law in
New Zealand is governed by the Commerce Act 1986 and its subsid-
Trade secrets iary regulations and is already applied by the commission to regulate
39 How are trade secrets protected? Are trade secrets kept behaviour in the sector. In early July 2019 the commission indicated
confidential during court proceedings? that it would commence High Court proceedings against payday
lender NZ Fintech Limited (trading as Moola), alleging breaches of the
Trade secrets are not protected by statute but by common law prin- lender responsibility principles in the Credit Contracts and Consumer
ciples of breach of confidence and the laws of contract (including Finance Act 2003.
under contracts of employment). Trade secret owners do not need to
– and cannot – register their trade secrets for them to be protected.
Instead, they must bring an action for breach of contract (where the
www.lexology.com/gtdt 167
© Law Business Research 2020
New Zealand Anderson Lloyd Lawyers
TAX
Incentives
43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
fintech sector in your jurisdiction?
Starting with the 2019/20 tax year, fintech and other businesses can
take advantage of the research and development (R&D) tax incen- Derek Roth-Biester
tive, which was brought in by the coalition government to grow New derek.roth-biester@al.nz
Zealand’s investment in R&D. This is a tax credit equal to 15 per cent of Megan Pearce
eligible R&D spending up to NZ$120 million. To be eligible, businesses megan.pearce@al.nz
must spend more than NZ$50,000 per year on ‘eligible R&D’, although
spending under this level may still be eligible if the R&D is done through
Level 3
an approved research provider on a business’s behalf. The eligible R&D
Australis Nathan Building
must be carried out in New Zealand, subject to a 10 per cent cap on the 37 Galway Street
total eligible R&D spending being carried out outside New Zealand. Britomart
Auckland 1010
Increased tax burden New Zealand
44 Are there any new or proposed tax laws or guidance that Tel: +64 9 338 8300
could significantly increase tax or administrative costs for www.al.nz
fintech companies in your jurisdiction?
www.lexology.com/gtdt 169
© Law Business Research 2020
Singapore
Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo, Ng Aik Kai, Sun Zixiang, Low Si Rong
and Seah Ern Xu
Simmons & Simmons JWS
FINTECH LANDSCAPE AND INITIATIVES firms to embark on experiments more quickly without needing to go
through the existing bespoke sandbox application and approval process,
General innovation climate if the intended activities entail risks that are generally low or could be
1 What is the general state of fintech innovation in your reasonably contained within the specific predefined sandbox with its
jurisdiction? predetermined boundaries, expectations and regulatory reliefs.
MAS has encouraged engagement with the industry and has been
Singapore provides a conducive fintech ecosystem with supporting open to discuss the support it can provide in forms such as financial
regulations, customer demand, strong investments and the potential support, training and mentorship. In 2016, MAS opened a fintech inno-
for high returns. The government considers a vibrant fintech sub-sector vation lab, Looking Glass@MAS, to provide a platform for the fintech
key to Singapore’s vision for a Smart Financial Center – a subset of the community to connect, collaborate, and co-create with one another, and
Smart Nation initiative. MAS also regularly publishes sets of data as application programming
According to a study by Accenture, fintech investments in Singapore interfaces (APIs) on its website to encourage and facilitate development
more than doubled to hit US$861 million in 2019 from US$365 million of innovative solutions.
in 2018, placing it among the top five fintech markets by funds raised MAS has also launched the Financial Sector Technology and
in the Asia-Pacific in 2019. About 40 per cent of the total funds raised in Innovation scheme to support innovation initiatives in the finance
Singapore in 2019 went to payments start-ups, while insurtechs took 25 industry. Under the scheme, MAS set aside S$225 million over five years
per cent and those in lending took 13 per cent. for the development of fintech, to attract financial institutions to estab-
Based on the Innovation page of the Monetary Authority of lish their research and development and innovation hubs in Singapore,
Singapore (MAS), there are currently more than 1,100 fintech start-ups to support the construction of industry-wide technological infrastruc-
operating in Singapore, and there are more than 50 innovation labs in ture to deliver innovative integrated services and to catalyse financial
Singapore. The Singapore FinTech Association, the industry association, institutions to develop creative solutions promoting growth, efficiency
has enabled the development of the ecosystem by facilitating collabora- and competitiveness.
tion between market participants and stakeholders.
FINANCIAL REGULATION
Government and regulatory support
2 Do government bodies or regulators provide any support Regulatory bodies
specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and
benefits of such support? services?
MAS is a member of the Global Financial Innovation Network (GFIN), Generally, the provision of fintech products and services is predominantly
which was formally launched in January 2019 by an international group regulated by the Monetary Authority of Singapore (MAS), Singapore’s
of financial regulators and related organisations. The GFIN is committed central bank and financial regulatory authority. Particular aspects
to supporting financial innovation in the interests of consumers and relating to competition and data privacy issues may be specifically regu-
helping innovative firms navigate between countries as they look to lated by the Competition and Consumer Commission of Singapore and
scale new ideas. A cross-border testing pilot programme was launched the Personal Data Protection Commissioner. The Intellectual Property
in 2019 to allow firms to simultaneously trial and scale new technologies Office of Singapore has also launched a fintech fast-track initiative to
in multiple jurisdictions, gaining real-time insight into how a product or expedite the file-to-grant process for fintech patent applications.
service might operate in the market. MAS has launched various initiatives pertaining specifically
As of November 2019, MAS had signed 33 fintech cooperation to fintech, such as the FinTech and Innovation Group and FinTech
agreements with other countries, including Abu Dhabi, Australia, China, Regulatory Sandbox. MAS has also promulgated regulations relating to
Canada, France and the United Kingdom, to foster closer cooperation on aspects of fintech.
fintech and to promote innovation in financial services in their respec-
tive markets.
MAS released a consultation paper on 14 November 2018 to
propose the creation of predefined sandboxes, known as Sandbox
Express, to complement the existing FinTech Regulatory Sandbox
launched in 2016. The proposed predefined sandboxes would enable
Regulated activities business carries on a business of providing any type of payment service
4 Which activities trigger a licensing requirement in your in Singapore, it must have a licence that entitles it to do so in respect of
jurisdiction? that type of payment service or be an exempt payment service provider
with respect to that type of payment service. Each of the following
Depending on the nature and scope of services or products offered, services is a payment service for the purposes of the PS Act:
licensing requirements under the Securities and Futures Act (Chapter • account issuance;
289) (SFA) or the Financial Advisers Act (Chapter 110) (FAA), or both, • domestic money transfer;
may apply. • cross‑border money transfer;
The following activities are regulated under the SFA: • merchant acquisition;
• dealing in capital markets products; • e-money issuance;
• advising on corporate finance; • digital payment token; and
• fund management; • money‑changing.
• real estate investment trust management;
• product financing; In general, licensing requirements may differ depending on the nature
• providing credit rating services; and and scope of activities contemplated, and advice should be sought on
• providing custodial services. the specific circumstances of any particular case.
The following activities are regulated under the FAA: Consumer lending
1 advising others, either directly or through publications or writ- 5 Is consumer lending regulated in your jurisdiction?
ings, and whether in electronic, print or other form, concerning any
investment product, other than: Under Singapore law, the offering and provision of consumer lending
• in the manner set out in (2); or is not distinguished from primary lending. Lending (consumer lending
• advising on corporate finance within the meaning of the SFA; and primary lending) is a regulated activity in the jurisdiction and is
2 advising others by issuing or promulgating research analyses governed by the Moneylenders Act (Chapter 188) of Singapore.
or research reports, whether in electronic, print or other form, The Moneylenders Act requires that all loans made available in
concerning any investment product; and Singapore are by licensed moneylenders or excluded moneylenders.
3 arranging any contract of insurance in respect of life policies, other Examples of excluded moneylenders are:
than a contract of reinsurance. • any person regulated by MAS under any other written law who is
permitted or authorised to lend money or is not prohibited from
The licensing requirements under the SFA and the FAA have extrater- lending money under that other written law;
ritorial effect. Section 339 of the SFA and section 90 of the FAA provide • any person who lends money solely to his or her employees as a
that where a person does an act partly in and partly outside Singapore, benefit of employment;
which, if done wholly in Singapore, would constitute an offence against • any person who lends money solely to accredited investors within
any provision of the SFA or the FAA (as the case may be), that person the meaning of section 4A of the SFA of Singapore; and
shall be guilty of that offence as if the act were carried out by that • any person carrying on any business not having as its primary
person wholly in Singapore, and may be dealt with as if the offence was object the lending of money in the course of which and for the
committed wholly in Singapore. In addition, section 339 of the SFA also purposes whereof he or she lends money.
provides that where a person does an act outside Singapore that has
a substantial and reasonably foreseeable effect in Singapore and that Secondary market loan trading
act would, if carried out in Singapore, constitute an offence under the 6 Are there restrictions on trading loans in the secondary
relevant provisions of the SFA, that person shall be guilty of that offence market in your jurisdiction?
as if the act were carried out by that person in Singapore, and may be
dealt with as if the offence were committed in Singapore. The acquisition of a (funded) loan receivable and the holding of that
The activity most relevant to fintech businesses is likely to be loan receivable does not constitute moneylending unless, following the
‘dealing in capital markets products’ under the SFA. ‘Dealing in capital acquisition, additional loans are extended.
markets products’ means (whether as principal or agent) making or Secondary market loan intermediation is not a regulated activity,
offering to make with any person, or inducing or attempting to induce provided that it does not involve any lending or deposit taking and
any person to enter into or to offer to enter into any agreement for or provided that loans are not in the form of securities.
with a view to acquiring, disposing of, entering into, effecting, arranging,
subscribing for, or underwriting any capital markets products. ‘Capital Collective investment schemes
markets products’ means any securities, units in a collective investment 7 Describe the regulatory regime for collective investment
scheme, derivatives contracts, spot foreign exchange contracts for the schemes and whether fintech companies providing
purposes of leveraged foreign exchange trading, and such other prod- alternative finance products or services would fall within its
ucts as MAS may prescribe as capital markets products. scope.
In addition to the above licensing requirements, where a fintech busi-
ness undertakes banking business, such as receiving money on current Broadly, ‘collective investment schemes’ are arrangements in respect of
or deposit accounts, this business is required to be licensed as a bank any property that exhibit the following features:
by MAS pursuant to the Banking Act (Chapter 19). Similarly, if the fintech • the participants do not have day-to-day control over the manage-
business undertakes the business of moneylending or promotes doing ment of the property (Control Limb);
so, it will require a licence pursuant to the Moneylenders Act (Chapter • the property is managed as a whole by or on behalf of a manager
188), unless it is an excluded moneylender or an exempt moneylender. (Management Limb) or the contributions of the participants, or
Since 29 January 2020, the Payment Services Act (No. 2 of 2019) both, and the profits or income out of which payments are to be
(the PS Act) has come into force. Under the PS Act, where a fintech made to the participants are pooled (Pooling Limb); and
www.lexology.com/gtdt 171
© Law Business Research 2020
Singapore Simmons & Simmons JWS
• the purpose or effect (or purported purpose or effect) of the Generally, securities-based fundraising from the public through
arrangement is to enable participants to participate in or receive equity-based crowdfunding is regulated by MAS under the SFA and the
profits, income, or other payments or returns arising from the FAA. Therefore, such activity might constitute a regulated activity that
acquisition, holding, management, disposal, exercise, redemption requires a licence, but much will depend on the precise model.
or expiry of, any right, interest, title, or benefit in the property or Such a licensed crowdfunding operator must comply with the
any part of the property or to receive sums paid out of such profits, controls and disclosures required of it under the MAS Circular No. CMI
income, or other payments or returns (Purpose Limb). 27/2018 (issued 23 August 2018) (the Securities-Based Crowdfunding
Circular). Under the Securities-Based Crowdfunding Circular, an
Previously, it was a requirement that both the Management Limb and operator must:
the Pooling Limb be satisfied. However, following certain amendments • disclose to investors the scope of due diligence that it has
to the laws in October 2018, arrangements can now qualify as a ‘collec- performed on issuers;
tive investment scheme’ if they fulfil either the Management Limb or the • institute policies and procedures to handle issuer defaults (particu-
Pooling Limb, or both, in addition to the Control Limb and Purpose Limb. larly lending-based operators);
Generally, unless an exemption applies, it is an offence to make an • put in place a proper business cessation plan; and
offer of units in a collective investment scheme to the Singapore public • if offering auto-allocation tools, have a proper governance and
unless the scheme is authorised or recognised by MAS and the offer is management framework over the design, monitoring, testing and
made in or accompanied by an SFA-compliant prospectus. operation of the tools.
It is possible that certain fintech activity could involve a collective
investment scheme where the business concerned is managing assets As for lending-based crowdfunding in particular, it is specifically regu-
on behalf of participants who have invested through a fintech platform. lated by the MAS’s FAQ on Lending-Based Crowdfunding (issued 8
Careful analysis of the specific circumstances and the way in which the October 2018). While the FAQs do not introduce new rules, the FAQs
platform permits investors to participate will be required to determine do clarify the applicability of the SFA or the FAA to lending-based
whether it constitutes a collective investment scheme. crowdfunding.
If applicable, the SFA would require a lending-based crowdfunder
Alternative investment funds to register a prospectus with MAS, unless exempted. It would only be
8 Are managers of alternative investment funds regulated? exempted if the crowdfunding offer is:
• a personal offer (made only to pre-identified entities) below S$5
Managing the property of or operating a collective investment scheme million per 12-month period;
or undertaking on behalf of a customer (whether on a discretionary • a private placement to 50 or fewer investors within a 12-month
authority granted by the customer or otherwise) is regulated as ‘fund period; or
management’ under the SFA if it involves: • an offer made only to institutional or accredited investors.
• the management of a portfolio of capital markets products; or
• the entry into spot foreign exchange contracts for the purpose The SFA would also require the operator to obtain a capital markets
of managing the customer’s funds, but not including real estate services licence. Separately, if the operator provides financial advice to
investment trust management. interested investors, the operator would also need to comply with the
requirements of the FAA.
Accordingly, unless an exemption applies, managers of alternative The FAQs also clarify that crowdfunding with promissory notes are
investment funds generally require a licence to conduct business not exempted from the requirements under the SFA. Some of the peer-
involving these activities. to-peer lending companies in Singapore engage with MAS-regulated
trustees to hold escrow funds.
Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or Invoice trading
marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
There are no specific regulations applicable to peer-to-peer or market-
place lending in Singapore. Fundraising from the public through To the extent that an invoice is purchased, without risk of being rechar-
lending-based crowdfunding, or peer-to-peer lending, is regulated by acterised as a loan for the purposes of the Moneylenders Act, with true
MAS under the SFA and the FAA. Therefore, such activity might consti- sale there is no specific regulation on the buying and selling of invoices.
tute a regulated activity that requires a licence, but much will depend This is common in factoring and invoice discounting arrangements.
on the precise model. However, if invoices are opened to the public and crowdfunded, the
Furthermore, in Singapore, any invitation to lend money to an operator of the trading platform will need to follow certain regulations,
entity is deemed to be an offer of debentures, which is a type of security. including the SFA, FAA, the Securities-Based Crowdfunding Circular and
The entity offering the debentures is required to prepare and register the MAS’s FAQ on Lending-Based Crowdfunding. The extent to which
an SFA-compliant prospectus with MAS unless an exemption applies. each of these regulations apply will depend on the precise nature of the
crowdfunding scheme and the manner in which it is carried out.
Crowdfunding
10 Describe any specific regulation of crowdfunding in your Payment services
jurisdiction. 12 Are payment services regulated in your jurisdiction?
There are specific regulations applicable to crowdfunding in Singapore. Payment services include a wide range of activities, such as taking cash
These regulations apply to securities-based crowdfunding operators deposits, making cash withdrawals, executing payment transactions,
and lending-based crowdfunding. issuing or acquiring payment instruments, issuing and administering
means of payment, money remittance, making payments sent through
the intermediary of a telecoms, IT system or network operator, or even MAS has also implemented the Financial Industry API Register,
providing stored value facilities. which is updated semi-annually and designed to serve as the initial
Since 29 January 2020, certain payment services are now regu- landing site for Open APIs in the Singaporean finance industry. These
lated in Singapore under, inter alia, the PS Act. These regulated payment APIs fall under the following functional categories:
service activities are: • product APIs that provide information on financial product details,
• account issuance; rates and branch or ATM locations;
• domestic money transfer; • sales and marketing APIs for product sign-ups, sales or cross-
• cross‑border money transfer; sales and leads generation;
• merchant acquisition; • servicing APIs for managing customer profiles or account details
• e-money issuance; and customer queries or feedback;
• digital payment token; and • transaction APIs that support customer instructions for payments,
• money‑changing funds transfers, settlements, clearing, trade confirmations
and trading;
To carry on the business of providing any of the above-mentioned • other APIs for common services, such as authentication, authorisa-
payment services, the entity will require one of three types of licence: tion, reporting, market data and compliance; and
money-changing, standard payment institution or major payment • regulatory APIs that enable extraction of data sets related to the
institution. financial industry as a whole.
Different regulatory conditions apply to each type of licence, with
the extent of regulatory conditions increasing from standard payment On 14 May 2020, the Personal Data Protection Commission and the
institutions to major payment institutions. For instance, major payment Ministry of Communications and Information launched a public consul-
institutions must safeguard customer money with an undertaking by tation paper where it proposed to introduce a new Data Portability
a bank or prescribed financial institution, a guarantee by a bank or Obligation to give individuals greater choice and control over their
prescribed financial institution or segregate customer money in a trust personal data, prevent consumer lock-in and enable switching to new
account maintained by a bank or prescribed financial institution. On the services. Data portability allows individuals to request an organisation
other hand, standard payment institutions are not subjected to these to transmit a copy of their personal data to another organisation.
safeguarding measures, although they must alert customers so they
can make informed decisions. Robo-advice
Correspondingly, each type of licence authorises the licensee to 14 Describe any specific regulation of robo-advisers or other
conduct different types and different quantums of each type of payment companies that provide retail customers with automated
service. For example, licensees holding a money-changing licence may access to investment products in your jurisdiction.
only conduct money-changing services. By contrast, standard payment
institutions may conduct any type of payment service, so long as the Robo-advisoes and other companies that provide retail customers
monthly transactions for any activity type do not exceed S$3 million, with automated access to investment products in Singapore are regu-
the monthly transactions for two or more activity types do not exceed lated under the SFA or the FAA, or both, and must adhere to the MAS’s
S$6 million and, where relevant, the total amount of daily outstanding Guidelines on Provision of Digital Advisory Services (CMG-G02) (the
e-money does not exceed S$5 million. By extension, major payment Advisory Guidelines), including the requirement to be appropriately
institutions may conduct any type of payment services, and the quantum licensed unless they qualify for relevant exemptions.
limits applicable to standard payment institutions do not apply. However, as MAS is keen not to stifle digital innovation, the
The PS Act includes provisions to mitigate the risks of loss of Advisory Guidelines provide for a lower bar for licensing in certain
customer monies, money laundering and terrorism financing risks, frag- circumstances. For example, digital advisers that seek to offer fund
mentation and lack of interoperability across payment solutions, and management services to retail investors will be eligible for licensing
technology risks including cyber risks. MAS has also proposed tech- even if they do not meet the SFA corporate track record requirements,
nology risk management requirements, including cybersecurity risk provided they meet other specified safeguards.
management guidelines. Under the Advisory Guidelines, digital advisers will be exempted
from the FAA requirement to collect the full suite of information on
Open banking the financial circumstances of a client, such as income and financial
13 Are there any laws or regulations introduced to promote commitments. This is on the condition that they put in place measures to
competition that require financial institutions to make mitigate the risks of providing unsuitable investment recommendations
customer or product data available to third parties? owing to limited client information.
While MAS is making it easier for digital advisers to set up in
MAS has published a comprehensive application programming interface Singapore, the business model carries unique risks, such as faulty
(API) playbook in its bid to encourage more banks to participate in open algorithms and cyber threats. To mitigate these risks, the Advisory
banking. This document outlines and standards framework for: Guidelines set out MAS’s expectations for digital advisers to establish
• API governance; robust frameworks to govern and supervise their algorithms, as well as
• API lifecycle governance; to manage technology and cyber risks.
• governance of API risk; and
• regulatory considerations for partner API operating models. Insurance products
15 Do fintech companies that sell or market insurance products
The result of MAS’s push towards open banking can be clearly seen in your jurisdiction need to be regulated?
with businesses such as Citibank, DBS, OCBC, Standard Chartered and
payments service provider NETS running their own Open API portals The marketing and sale of insurance products are regulated under the
comprising over 272 API sets. Insurance Act (Chapter 142) of Singapore and the FAA.
www.lexology.com/gtdt 173
© Law Business Research 2020
Singapore Simmons & Simmons JWS
Different consent requirements apply to the acquisition of different Loan agreements governed by Singapore law and evidencing appropriate
types of regulated businesses. In general, where a person is to become consideration for the loan can be executed in the form of agreements by
a holder of a specified percentage of a regulated entity or will control a signatories of the respective parties having due authority.
specified percentage of voting rights of that entity, prior consent must Moneylending in Singapore is a regulated activity under the
be obtained from the relevant regulatory authority. Moneylenders Act of Singapore and, accordingly, any person or entity
In all cases, advice should be sought as to the applicable require- lending money to a person or entity in Singapore must either be licensed
ments and the process for obtaining consent. in Singapore, exempted or excluded. Any lending to individuals resident
in Singapore would customarily require a licence.
The execution requirements for a Singapore law security agree-
ment will depend on the form of security agreement. However, most
Singapore law security agreements will be executed in the form of a enforcement action being taken and held, by the purchaser, pending
deed to ensure that no challenge can be made on the grounds of consid- any enforcement event occurring, at which time the notice of assign-
eration or owing to the form of property being secured. The execution ment could be delivered to the borrower, giving rise to a legal security
requirements for deeds allow for three options: assignment.
• signing by a director of the company and a secretary of the company; Any assignment, by way of security or otherwise, will be subject
• signing by at least two directors of the company; or to the general provisions of the loan agreement, including, without
• signing by a director of the company in the presence of a witness limitation, confidentiality restrictions, restrictions on the granting of
who attests the signature. security or transfers to third parties. As such, loan agreements for P2P
or marketplace lending platforms that contemplate ease of assignment
The enforceability of peer-to-peer (P2P) loan agreements and security or transfer must be drafted to ensure that any such restrictions are kept
agreements will depend on the precise model being applied. However, as to a minimum or excluded to the extent possible and subject to regula-
a general observation, provided that any P2P model complies with any tory constraints applicable to lending to specific classes of borrowers.
regulatory requirements as outlined above in Singapore (and in any other
relevant jurisdiction), there should be no specific issues regarding the Securitisation risk retention requirements
enforceability of the loan agreement or security agreement in Singapore. 25 Are securitisation transactions subject to risk retention
requirements?
Assignment of loans
24 What steps are required to perfect an assignment of The Monetary Authority of Singapore Notice 637 (the MAS Notice) (last
loans originated on a peer-to-peer or marketplace lending revised on 31 March 2020) requires a reporting bank (being a bank
platform? What are the implications for the purchaser if the incorporated in Singapore) to ensure that the originator of the credit
assignment is not perfected? Is it possible to assign these claims or receivables being securitised retains a material net economic
loans without informing the borrower? exposure and demonstrates a financial incentive in the performance of
these assets following their securitisation. As such, the reporting bank
A legal assignment by way of security of the rights of the lender of a is required to ensure that this originator does retain such applicable risk
loan under a P2P or marketplace lending platform, under which the in the exposures.
purchaser of that loan would be entitled to directly sue the borrower for Pursuant to MAS Notice 637, reporting banks are also subject to
repayment of the debt under the loan, requires notice of this assignment maximum retention thresholds in respect of securitisation exposures to
by way of security to be given by the assigning lender to the borrower the extent that this reporting bank is looking to apply regulatory capital
under the loan agreement. relief in respect of these exposures, as set out in more detail in MAS
The ability to transfer rights and obligations in a loan under Notice 637.
Singapore law (whether in respect of a P2P or marketplace lending
platform or otherwise) will depend on the terms of the loan. Securitisation confidentiality and data protection requirements
In the absence of any specific provisions regarding transfer of both 26 Is a special purpose company used to purchase and securitise
rights and obligations of a lender’s position in a loan in the loan agree- peer-to-peer or marketplace loans subject to a duty of
ment, the borrower’s consent would be required to transfer the lender’s confidentiality or data protection laws regarding information
rights and obligations under a loan (although, in the absence of any relating to the borrowers?
express provisions to the contrary, an assignment of a lender’s rights
only (and not the lender’s obligations) would not require the giving of Possibly. In addition, loan agreements may contain confidentiality provi-
notice to, or the receipt of consent from, the borrower although any lack sions that any purchaser, including any special purpose company, is
of notice may affect the nature of any assignment by way of security of bound by. These would need to be carefully reviewed or drafted as part
these rights). of any securitisation structure.
It is quite common, however, for specific transfer provisions to be
included in loan agreements to allow a lender to transfer its rights and ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
obligations in their position in a loan to a third party without borrower TECHNOLOGY AND CRYPTO-ASSETS
consent. Customarily, criteria will be specified as to what constitutes an
eligible transferee. Except in certain structures, it would be necessary Artificial intelligence
to notify the borrower of the transfer in order for the transfer to take 27 Are there rules or regulations governing the use of artificial
effect even in circumstances where borrower consent was not required. intelligence, including in relation to robo-advice?
Any transfer would also need to comply with any related restric-
tions imposed under the terms of the loan agreement and under The Monetary Authority of Singapore (MAS) has issued a set of principles
regulations applicable to particular classes of borrower. to promote fairness, ethics, accountability and transparency (FEAT) in
In connection to any assignment of a lender’s rights under a loan the use of AI and data analytics in finance. Known as the FEAT Principles,
by way of security, where notice of the assignment by way of security the document provides guidance to firms offering financial products and
is not given by the assigning lender to the borrower under the loan services on the responsible use of AI and data analytics, to strengthen
agreement, the security assignment would, in ordinary circumstances internal governance around data management and use.
(and subject to due execution and other formalities), be characterised as MAS has said that this is intended to foster greater confidence and
an equitable assignment. An equitable assignment is still characterised trust in the use of AI and data analytics, as firms increasingly adopt tech-
as a security interest. However, any action by the purchaser to enforce nology tools and solutions to support business strategies and in risk
rights under the loan agreement needs to be taken by the lender on management.
behalf of the purchaser. This may delay the taking of action and have an With regard to robo-advice, MAS has issued the Guidelines on
impact on recoveries. Provision of Digital Advisory Services (the Advisory Guidelines) to facili-
In the case of an equitable assignment, it may be possible to have tate the provision of robo-advice in Singapore. Digital advisers that seek
a notice of security assignment executed by the lender prior to any to offer fund management services to retail investors will be eligible for
www.lexology.com/gtdt 175
© Law Business Research 2020
Singapore Simmons & Simmons JWS
licensing even if they do not meet the Securities and Futures Act (SFA) Digital currency exchanges
corporate track record requirements, provided they meet other specified 30 Are there rules or regulations governing the operation of
safeguards. digital currency exchanges or brokerages?
Under the Advisory Guidelines, digital advisers will be exempted
from the Financial Advisers Act (FAA) requirement to collect the full suite Yes, digital currency exchanges or brokerages that allow token trading
of information on the financial circumstances of a client, such as income constituting capital markets products will need to seek MAS’s approval,
and financial commitments. This is on the condition that they put in recognition or exemption under the SFA.
place measures to mitigate the risks of providing unsuitable investment Additionally, under the PS Act, digital payment token service
recommendations owing to limited client information. providers that facilitate the exchange of or that deal in digital payment
While MAS is making it easier for digital advisers to set up in tokens, commonly known as digital currencies or cryptocurrencies, will
Singapore, the business model carries unique risks, such as faulty algo- have to be licensed.
rithms and cyber threats. To mitigate these risks, the Advisory Guidelines
set out MAS’s expectations for digital advisers to establish robust frame- Initial coin offerings
works to govern and supervise their algorithms, as well as to manage 31 Are there rules or regulations governing initial coin offerings
technology and cyber risks. (ICOs) or token generation events?
In May 2020, MAS announced the first phase of its Veritas initiative.
Veritas outlines a framework for the responsible adoption of AI and data The regulation in Singapore of tokens offered in initial coin offerings
analytics by financial institutions. MAS will commence with the develop- (ICOs) depends on the nature of the tokens offered. Utility tokens that
ment of metrics to measure the fairness of deployment of this technology. only provide membership or access to a service or payment tokens that
MAS has identified credit risk scoring and customer marketing as the are only used as a means of payment for goods or services (such as
first two workstreams in which it would like to introduce the metric. bitcoin) are not at present regulated. Digital payment tokens are regu-
lated under the PS Act. However, if a digital token constitutes a capital
Distributed ledger technology markets product (eg, securities, futures contracts and contracts or
28 Are there rules or regulations governing the use of distributed arrangements for purposes of leveraged foreign exchange trading), the
ledger technology or blockchains? offer or issue of these digital tokens will be regulated under the SFA and
(in certain cases) the FAA. For example, digital tokens may represent
There are no specific regulations or guidelines in relation to the use of ownership or a security interest over an issuer’s assets or property.
distributed ledger technology (DLT) in Singapore. MAS has been encour- These tokens may, therefore, be considered an offer of shares or units
aging the industry to look at DLT in relation to the financial system in in a collective investment scheme (as defined in the SFA). Digital tokens
Singapore. For example, in early 2017, MAS announced the successful may also represent a debt owed by an issuer and be considered a
conclusion of the proof-of-concept project to conduct domestic interbank debenture under the SFA.
payments using DLT, and in late 2017 an industry consortium led by In this regard, MAS has issued ‘A Guide to Digital Token Offerings’
MAS and the Association of Banks in Singapore released source-codes (updated May 2020), which provides general guidance on the applica-
of successful DLT prototypes publicly to encourage innovation in inter- tion of the securities laws administered by MAS in relation to offers or
bank payments. issues of digital tokens in Singapore. MAS recommends that all issuers
of digital tokens, intermediaries facilitating or advising on an offer of
Crypto-assets digital tokens and platforms facilitating trading in digital tokens should
29 Are there rules or regulations governing the use of crypto- seek independent legal advice to ensure they comply with all applicable
assets, including digital currencies, digital wallets and laws, and consult MAS where appropriate.
e-money? On 24 May 2018, MAS warned eight digital token exchanges in
Singapore not to facilitate trading in digital tokens that are securities
Singapore’s parliament has passed the new Payment Services Act (the or futures contracts without MAS’s authorisation. It also warned an
PS Act) to regulate the following activities in relation to digital curren- ICO issuer to discontinue the proposed offering of its digital tokens in
cies, digital wallets and e-money: Singapore (the tokens in question would be considered as securities
• account issuance; under the SFA and the offer had been made without a MAS-registered
• electronic money issuance; and prospectus). While it is unclear how much was raised from inves-
• digital payment tokens. tors in Singapore, the ICO issuer has since ceased the offer and is
taking remedial actions to comply with the local laws and regulations,
The PS Act repeals the Payment Systems (Oversight) Act. A multipur- including returning all funds received from Singapore-based investors.
pose stored value facility (ie, one that is or is intended to be used for the Ultimately, MAS’s position in respect of digital token exchanges and
payment of goods or services provided by a service provider apart from ICOs is indicated clearly in the following statement: ‘We do not see a
the holder of that stored value facility) is now subject to the licensing need to restrict them if they are bona fide businesses. But if any digital
requirements under the PS Act. token exchange, issuer or intermediary breaches our securities laws,
Singapore does not otherwise have any specific regulatory meas- MAS will take firm action.’
ures in respect of digital currencies or digital wallets, but the existing Under the new PS Act, entities will require licences to provide
laws provide for protection against unlawful activities in general, for payment services, including the issuance of electronic money and
example, anti-money laundering, fraud and terrorism financing. digital payment tokens. Based on the definition of digital payment token
as well as e-money found in the PS Act, many tokens in the market
today can be viewed as either e-money or digital payment tokens, and
any service provider who issues tokens falling within these categories
through an ICO can be deemed as providing a digital payment token
service or e-money issuance by the PS Act.
There is an exception applicable for tokens that have a limited financial institutions must put in place to manage cyber threats, which
purpose (ie, non-monetary consumer loyalty or reward points, in-game could include:
assets or similar digital representations of value that cannot be returned • addressing system security flaws in a timely manner;
to the issuer or sold, transferred or exchanged for money). • establishing and implementing robust security for systems; and
• deploying security devices to secure system connections.
DATA PROTECTION AND CYBERSECURITY
OUTSOURCING AND CLOUD COMPUTING
Data protection
32 What rules and regulations govern the processing and Outsourcing
transfer (domestic and cross-border) of data relating to 34 Are there legal requirements or regulatory guidance with
fintech products and services? respect to the outsourcing by a financial services company of
a material aspect of its business?
There are no legal requirements or regulatory guidance relating to
personal data that are specifically aimed at fintech businesses. However, On 5 October 2018, the Monetary Authority of Singapore (MAS) issued
fintech companies must have regard to Chapter 6 on Online Activities revised Guidelines on Outsourcing. Various industry guidelines on
of the Personal Data Protection Commissioner's (PDPC) Advisory outsourcing have also been issued by the Investment Management
Guidelines on the PDPA for Selected Topics. Association of Singapore and the Association of Banks in Singapore.
The PDPC has recently announced new initiatives to facilitate The MAS Guidelines on Outsourcing set out risk management
the movement and use of data to support innovation, and strengthen practices to be complied with when a regulated entity has entered into
accountability among organisations. The first is the PDPC’s response any outsourcing or is planning to outsource its business services to a
note to the public consultation on proposed data portability and data service provider (whether this outsourcing is done on an intra-group
innovation provisions, as part of the review of the PDPA. The proposed or a third-party basis, or a material or non-material basis). Certain key
data portability provision will provide individuals with greater control requirements in the Outsourcing Guidelines include maintaining an
over their personal data and enable greater access to more data by Outsourcing Register and ensuring that all outsourcing contracts are
organisations to facilitate data flows and increase innovation, while the written agreements containing the minimum prescribed clauses. The
proposed data innovation provision makes it clear that organisations can Outsourcing Guidelines also detail the responsibilities of the board
use data for appropriate business purposes without individuals’ consent. and senior management in this regard (eg, approving a risk evalua-
The second is the PDPC’s introduction of new guides, such as: the tion framework, setting a suitable risk appetite statement, laying down
Guide on Active Enforcement, as part of its drive for organisations to appropriate approval authorities, assessing management competencies
shift from compliance to accountability; an updated Guide to Managing to develop sound and responsive outsourcing risk management poli-
Data Breaches 2.0, to help organisations manage and respond to data cies and procedures that are commensurate with the nature, scope and
breaches more effectively; and a new Guide to Notification, which illus- complexity of the outsourcing arrangements).
trates good notification practices for organisations to comply with their Moving forward, in a consultation paper issued 7 February 2019,
Notification Obligations under the PDPA . MAS has proposed to issue Outsourcing Notices that set out require-
ments for banks and merchant banks in relation to material outsourcing
Cybersecurity arrangements. These changes include:
33 What cybersecurity regulations or standards apply to fintech • introducing a new section in the Banking Act (Chapter 19)
businesses? to empower MAS to impose requirements relating to banks’
outsourcing arrangements; and
While there is a new cybersecurity law, the Cybersecurity Act 2018, that • introducing identical powers to impose requirements relating to
came into force in August 2018, it is unlikely to directly affect unregu- merchant banks’ outsourcing arrangements.
lated fintech start-ups as it is intended to regulate systems involved in
the provision of essential services within Singapore. The Cybersecurity As for the proposed new Outsourcing Notices, they will impose
Act provides an overarching legislative framework for the regulation of requirements on banks and merchant banks relating to their material
owners of critical information infrastructure and cybersecurity service outsourcing arrangements in the areas of:
providers. • management of these arrangements;
With regard to regulated fintech companies, the Monetary Authority • assessment of service providers;
of Singapore (MAS) issued a consultation in March 2019 seeking feed- • accessing information by MAS and the bank or merchant bank;
back to expand the Technology Risk Management Guidelines to include • protection of customer information;
guidance for the following: • audit; and
• technology risk governance and oversight; • termination of these arrangements.
• best practices for software development;
• additional guidance for new technologies (ie, application program- MAS published its response to the consultation paper on 5 November
ming interfaces, smart electronic devices and virtualisation); and 2019 and intends to seek feedback on the draft Outsourcing Notices in
• effective cyber surveillance, secure software development, adver- due course.
sarial attack simulation and management of cyber risks posed by
the internet of things. Cloud computing
35 Are there legal requirements or regulatory guidance with
In September 2018, MAS also sought to strengthen the rules on cyber respect to the use of cloud computing in the financial services
security through its Notice on Cyber Hygiene in view of the deep- industry?
ening cyber threat landscape and to further strengthen the overall
cyber resilience of financial institutions. It intends to eventually Yes, financial institutions regulated by MAS should have regard mainly
prescribe a set of legally binding essential cyber security practices that to the MAS Guidelines on Outsourcing. MAS considers cloud services
www.lexology.com/gtdt 177
© Law Business Research 2020
Singapore Simmons & Simmons JWS
www.lexology.com/gtdt 179
© Law Business Research 2020
Singapore Simmons & Simmons JWS
FINTECH LANDSCAPE AND INITIATIVES industry. The IFWG Innovation Hub was launched in April 2020. At this
stage, it is too early to assess and comment on its efficacy.
General innovation climate In January 2019, the CARWG published a consultation paper
1 What is the general state of fintech innovation in your containing policy proposals for the development of regulatory
jurisdiction? responses, proposing its intended regulatory approach in respect of
priority areas and heralding an initial focus on anti-money laundering,
South Africa has a vibrant fintech environment, including: token-based transacting, capital raising, cryptographic derivative prod-
• fintech start-ups as well as product development teams at tradi- ucts and market provisioning.
tional, established financial institutions, primarily in remittances, In January 2020, the IFWG published its first fintech landscaping
microfinance, personal and commercial insurance, investment, report (‘Fintech Scoping in South Africa'), the object of which was to
mobile payments, peer-to-peer lending offerings and virtual token obtain a ‘clearer understanding of the Fintech market to enable policy-
exchanges; makers and regulators to better manage risk and enable innovation’.
• funders servicing the spectrum from venture capital through to In April 2020, the IFWG issued a policy position paper on crypto-
more traditional equity and debt funding arrangements; assets that aimed to provide recommendations for the development of a
• a range of incubation and acceleration facilities, some independent regulatory framework for crypto-assets.
(including commercial and academic providers) and some hosted
by established financial institutions; and FINANCIAL REGULATION
• relatively transparent efforts at developing a coherent regulatory
framework involving most of the relevant regulatory authorities. Regulatory bodies
3 Which bodies regulate the provision of fintech products and
Government and regulatory support services?
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key There are currently no fintech product and services-specific laws or
benefits of such support? regulatory bodies.
However, certain fintech products and services may fall within the
In 2016, the Intergovernmental FinTech Working Group (IFWG) was scope and ambit of general financial services regulatory frameworks
established (comprising members from the South African Reserve and, thus, will be subject to the supervision of regulatory bodies charged
Bank, the National Treasury, the Financial Sector Conduct Authority, the with the monitoring of those frameworks. As such, the Financial Sector
Financial Intelligence Centre and the South African Revenue Service) Conduct Authority (FSCA), the Prudential Authority (PA), the National
with the purpose of developing a common understanding among Credit Regulator (NCR), the South African Reserve Bank (SARB) and
regulators and policymakers of financial technology developments the Financial Intelligence Centre may each have regulatory over-
as well as policy and regulatory implications for the financial sector sight in respect of various aspects of the offering of fintech products
and economy. and services.
In early 2018, a joint working group was formed under the auspices
of the IFWG to specifically review the position on cryptocurrencies. Regulated activities
The working group is called the Crypto Assets Regulatory Working 4 Which activities trigger a licensing requirement in your
Group (CARWG). jurisdiction?
The IFWG Innovation Hub comprises a regulatory guidance unit,
a regulatory sandbox unit and an innovation accelerator. The regula- Financial services
tory guidance unit helps market innovators resolve specific questions The Financial Advisory and Intermediary Services Act 2002 (FAIS)
regarding the policy landscape and regulatory requirements and requires any person who seeks to market or provide financial services
provides a central point of entry for market innovators to submit to clients or investors, whether from within South Africa or on a cross-
enquiries related to fintech and innovation-oriented policies and regu- border basis from offshore, as a regular feature of its business, to be
lations. The regulatory sandbox unit provides market innovators with appropriately authorised under FAIS (as a financial services provider or,
an opportunity to test new products and services that challenge the under certain circumstances, as a representative). The term ‘financial
formulation or application of existing regulation under the supervision services’, for the purposes of FAIS, comprises ‘advice’ and ‘intermediary
of relevant regulators. The innovation accelerator exists to provide a services’ in relation to ‘financial products’. In turn, the term ‘financial
collaborative, exploratory environment for financial sector regulators products’ is broadly defined to include, among other things, shares,
to learn from and work with each other on emerging innovations in the derivatives, money market instruments, bonds, participatory interests
www.lexology.com/gtdt 181
© Law Business Research 2020
South Africa Bowmans
in collective investment schemes, certain investment instruments, includes in its definition of a credit provider a person who acquires the
deposits as well as ‘any other product similar’. Therefore, depending on rights of a credit provider under an NCA-regulated credit agreement
its specific characteristics and function, it is possible for a virtual token after that agreement has been entered into. Secondary market loan
to meet one or more of the criteria for a financial product, accordingly trading will be subject to the NCA under circumstances where the orig-
triggering the relevant regulation and supervision. inal loan being traded was subject to the NCA (in other words, where an
FAIS falls under the purview of the FSCA. Services that are currently exemption from the NCA applied to the original loan, secondary market
subject to licensing by the FSCA under FAIS (as intermediary services) trading in respect of that loan will also be exempt from the NCA). The
include (but are not limited to) arranging investment deals, making NCA falls under the purview of the NCR.
arrangements with a view to investment transactions and dealing in
investments as an agent. Acting as an agent or intermediary in rela- Banking and deposit-taking activities
tion to forex investments by local clients or investors is also licensable The Banks Act 1990 (the Banks Act) requires any person seeking to
under FAIS. At present, dealing in investments or financial products as conduct ‘the business of a bank’ in South Africa to be registered as a
principal is not licensable under FAIS, although an amendment to the local bank or to be licensed as a local branch of a foreign banking insti-
definition of an intermediary service, brought about in 2018 (but which is tution. Two of the key activities included in the concept of the business of
not yet in force), will subject principal dealing in investments with local a bank are the marketing or solicitation of deposits (which would include
clients to FAIS licensing requirements in future. the promotion of bank deposit accounts) and the acceptance of deposits,
Services that are subject to licensing under FAIS (as ‘advice’) among other things. The Banks Act falls under the purview of the PA,
include (but are not limited to) advising on investments and advising from a prudential perspective, and the FSCA, from a market conduct
on forex trades. In terms of FAIS, a FAIS-unlicensed financial services perspective. Licensing under the Banks Act is considered by the PA.
provider may not promote or market its business or capabilities to any
South African-resident person, whether onshore in South Africa or from Payment services
offshore on a cross-border basis. The National Payment System Act 1998 (NPSA) provides for the manage-
ment, administration, operation, regulation and supervision of payment,
OTC derivatives clearing and settlement systems in South Africa. It also provides for the
Regarding over-the-counter (OTC) derivatives as investment instru- establishment of the Payments Association of South Africa (PASA) as
ments, Regulations under the Financial Markets Act 2012 (the FMA the body mandated by the SARB to organise, manage and regulate the
Regulations) provide that a person who, as a regular feature of business participation of its members in the payment system. The NPSA makes
and transacting as principal, originates, issues, sells or makes a market provision for various role players (both bank and non-bank) in the
in an OTC derivative must be registered as an OTC derivative provider. payment system and requires the role players seeking to participate in
The FMA Regulations fall under the purview of the FSCA. the payment system to be formally authorised to do so. The NPSA falls
under the purview of the SARB and PASA.
Credit and lending activities
The provision of loans or any form of credit is regulated under South Trading in currencies
African law by the provisions of the National Credit Act 2005 (NCA), Where forex trading involves the buying and selling of foreign currency,
which requires lenders in respect of whose credit agreements the NCA those activities can be performed only by authorised dealers in South
applies, to formally register as ‘credit providers’ with South Africa’s Africa (generally, commercial banks in South Africa that have been
NCR. The NCA generally applies to every credit agreement between appointed as such by the SARB) or, to a limited extent, by authorised
parties dealing at arm’s length and made within, or having an effect in, dealers with limited authority. This falls under the purview of the SARB
South Africa. in terms of South Africa’s legislated exchange control regime.
The NCA provides for certain general exemptions from its applica-
tion (the NCA Exemptions). In this regard, the NCA will not apply to: Consumer lending
• a credit agreement in respect of which the credit receiver (borrower) 5 Is consumer lending regulated in your jurisdiction?
is a juristic or legal person (as opposed to a natural person or indi-
vidual) whose net asset value or annual turnover, together with the Credit and lending activities
combined net asset value or annual turnover of all persons related The provision of loans or any form of credit is regulated under South
to the juristic person credit receiver, equals or exceeds 1 million African law by the NCA, which requires lenders in respect of whose
rand at the time of conclusion of the credit agreement; credit agreements the NCA applies, to formally register as ‘credit
• a ‘large’ credit agreement (eg, a credit transaction, in respect of providers’ with South Africa’s NCR. The NCA generally applies to every
which the principal debt under that transaction falls at or exceeds credit agreement between parties dealing at arm’s length and made
250,000 rand, where the consumer for the purposes of the NCA is a within, or having an effect in, South Africa.
juristic person having a net asset value or annual turnover falling The NCA does provide for certain general exemptions from its
below 1 million rand); and application. In this regard, the NCA will not apply to:
• a local applicant credit receiver can formally apply to the Ministry • a credit agreement in respect of which the credit receiver (borrower)
of Trade and Industry for a credit agreement that the credit receiver is a juristic or legal person (as opposed to a natural person or indi-
seeks to enter into with an offshore (foreign) credit provider to be vidual) whose net asset value or annual turnover, together with the
formally exempt from the application of the NCA. combined net asset value or annual turnover of all persons related
to the juristic person credit receiver, equals or exceeds 1 million
Lending will be subject to the NCA unless an exemption from the NCA rand at the time of conclusion of the credit agreement;
applies. While there is no specific licensing regime for factoring or • a ‘large’ credit agreement (eg, a credit transaction, in respect of
invoice discounting, where the NCA applies to the underlying agree- which the principal debt under that transaction falls at or exceeds
ments in respect of which the factoring or discounting takes place, the 250,000 rand, where the consumer for the purposes of the NCA is a
person acquiring the rights to the debts under those underlying agree- juristic person having a net asset value or annual turnover falling
ments must also be licensed under the NCA. This is because the NCA below 1 million rand); and
• a local applicant credit receiver can formally apply to the Ministry established as companies, bewind trusts (in which the trust founder
of Trade and Industry for a credit agreement that the credit receiver transfers ownership of the trust assets to the beneficiaries with control
seeks to enter into with an offshore (foreign) credit provider to be vested in the trustees) or en commandite partnerships (a form of limited
formally exempt from the application of the NCA. partnership) and are, therefore, subject to the laws that govern those
arrangements. AIFs could trigger the application of CISCA; however, as
Lending will be subject to the NCA unless an exemption from the NCA no express carve-out for them is provided for in CISCA, AIFs should be
applies. While there is no specific licensing regime for factoring or carefully structured and marketed discriminatively to selected (sophis-
invoice discounting, where the NCA applies to the underlying agree- ticated) local investors. The application (or non-application) of CISCA to
ments in respect of which the factoring or discounting takes place, the an AIF must be considered on a case-by-case basis.
person acquiring the rights to the debts under those underlying agree- Where CISCA is triggered, the manager or operator of a foreign CIS
ments must also be licensed under the NCA. This is because the NCA will be indirectly regulated by the FSCA. Where CISCA does not apply
includes in its definition of a credit provider a person who acquires the to an AIF, the manager of the AIF is likely to be caught by the licensing
rights of a credit provider under an NCA-regulated credit agreement provisions of FAIS, in that investments in AIFs constitute financial prod-
after that agreement has been entered into. Secondary market loan ucts for the purposes of FAIS.
trading will be subject to the NCA under circumstances where the orig- In its policy position paper on crypto-assets (the Crypto Position
inal loan being traded was subject to the NCA (in other words, where an Paper), the Intergovernmental FinTech Working Group made a recom-
exemption from the NCA applied to the original loan, secondary market mendation that the pooling of crypto-assets be regarded as constituting
trading in respect of that loan will also be exempt from the NCA). The an AIF, which should, therefore, become a licensable activity in terms of,
NCA falls under the purview of the NCR. and following the enactment of, the Conduct of Financial Institutions Bill.
The Crypto Position Paper indicates, however, that a CIS should not be
Secondary market loan trading allowed to include crypto-assets in its portfolios.
6 Are there restrictions on trading loans in the secondary
market in your jurisdiction? Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or
Secondary market loan trading will be subject to the NCA under circum- marketplace lending in your jurisdiction.
stances where the original loan being traded was subject to the NCA
(in other words, where an exemption from the NCA applied to the orig- There is no specific regulation of peer-to-peer or marketplace lending
inal loan, secondary market trading in respect of that loan will also be in South Africa. Activities in relation to peer-to-peer lending, however,
exempt from the NCA). are likely to trigger licensing or regulatory requirements under South
Africa’s general financial services regulatory frameworks (eg, the NCA,
Collective investment schemes the Banks Act, CISCA or the NPSA), where the offering entails engage-
7 Describe the regulatory regime for collective investment ment in regulated activities or regulated ancillary activities.
schemes and whether fintech companies providing In the main, peer-to-peer or marketplace lending will be regu-
alternative finance products or services would fall within its lated under the NCA unless an exemption from the NCA applies. The
scope. NCA requires lenders in respect of whose credit agreements the NCA
applies, to formally register as ‘credit providers’ with South Africa’s
The solicitation of investments in foreign collective investment schemes NCR. The NCA generally applies to every credit agreement between
(CISs) from local investors (including institutional investors) is governed parties dealing at arm’s length and made within, or having an effect in,
by the Collective Investment Schemes Control Act 2002 (CISCA), South Africa. The NCA provides for the following general exemptions:
together with the regulations and notices promulgated under CISCA. • a credit agreement in respect of which the credit receiver (borrower)
In terms of CISCA, no person may market, or solicit investments in, is a juristic or legal person (as opposed to a natural person or indi-
a foreign CIS unless the foreign CIS has itself been formally approved in vidual) whose net asset value or annual turnover, together with the
accordance with CISCA’s requirements by the FSCA. This prohibition is combined net asset value or annual turnover of all persons related
strictly enforced (such that even the naming of an unapproved foreign to the juristic person credit receiver, equals or exceeds 1 million
CIS to a South African prospect of any classification is strictly prohib- rand at the time of conclusion of the credit agreement;
ited). Breach of the prohibition constitutes a criminal offence. • a ‘large’ credit agreement (eg, a credit transaction, in respect of
The definition of a CIS includes an open-ended investment company, which the principal debt under that transaction falls at or exceeds
and it provides for a scheme where members of the public are invited to 250,000 rand, where the consumer for the purposes of the NCA is a
invest money or other assets in a portfolio where investors hold partici- juristic person having a net asset value or annual turnover falling
patory interests (any interest, shares, units, etc) and share pro rata in below 1 million rand); and
terms of their investment in the risks and benefits of the scheme. • a local applicant credit receiver can formally apply to the Ministry
The applicability (or non-applicability) of CISCA depends entirely of Trade and Industry for a credit agreement that the credit receiver
on whether the definition of a CIS under CISCA is met. As such, certain seeks to enter into with an offshore (foreign) credit provider to be
fintech product offerings could trigger the application of CISCA (eg, formally exempt from the application of the NCA.
crowdfunding offerings could trigger CISCA in circumstances where
investments are pooled in a portfolio as defined under CISCA). The offering and structure of the service would also generally need to
be assessed for compliance with the Banks Act, CISCA or the NPSA to
Alternative investment funds ensure that those frameworks are not inadvertently breached (ie, to
8 Are managers of alternative investment funds regulated? ensure that the offering does not involve the business of a bank, the
pooling of investments or the processing of payments in the regu-
Alternative investment funds (AIFs) themselves, including private equity lated space).
funds (but excluding hedge funds, which have been declared to be CISs),
are not currently specifically regulated in South Africa. AIFs are usually
www.lexology.com/gtdt 183
© Law Business Research 2020
South Africa Bowmans
Requirement for a local presence • holds more than 15 per cent of the shares in the company;
18 Can fintech companies obtain a licence to provide financial • is able to exercise or control the exercise of more than 15 per cent
services in your jurisdiction without establishing a local of the voting rights associated with securities of the company; or
presence? • has the right to appoint or elect, or control the appointment or elec-
tion of, directors of that company who control more than 15 per
The Collective Investment Schemes Control Act 2002, the Financial cent of the votes at a meeting of the board.
Advisory and Intermediary Services Act 2002 and the National Payment
System Act 1998 allow the acquisition of licences by foreign entities Acquisition of shares or any other interest in excess of 49 per cent in
without having a physical, staffed presence in South Africa. a market infrastructure requires the prior approval of the Minister
of Finance.
SALES AND MARKETING A CIS manager requires the prior approval of the FSCA where there
is a change in its shareholding, irrespective of the extent or materiality
Restrictions of the change.
19 What restrictions apply to the sales and marketing of Changes to the direct shareholding of a financial services provider
financial services and products in your jurisdiction? requires formal, post-notification to the FSCA, within 15 business days
after the change has occurred.
The marketing or offering of financial products (including collective A registered credit provider must notify the National Credit
investment schemes, insurance and deposit-taking, among other things) Regulator of a change to its shareholding post-registration, in accord-
requires the appropriate licences from the Financial Sector Conduct ance with the conditions attached to its registration.
Authority to be held. The marketing of lending products regulated by
the National Credit Act 2005 (NCA) is also prohibited unless a person FINANCIAL CRIME
is registered as a credit provider by the National Credit Regulator. The
marketing of payment services is not regulated or restricted per se, Anti-bribery and anti-money laundering procedures
but a person will not be permitted to provide the relevant regulated 21 Are fintech companies required by law or regulation to have
services in the absence of the required licence or registration with the procedures to combat bribery or money laundering?
Payments Association of South Africa.
No anti-corruption, anti-money laundering or other financial crime regu-
CHANGE OF CONTROL lations specifically govern fintech products and services in South Africa.
The Prevention and Combating of Corrupt Activities Act 2004 is the
Notification and consent primary law governing bribery and corruption prevention and enforce-
20 Describe any rules relating to notification or consent ment in South Africa. The Act criminalises public and private corruption
requirements if a regulated business changes control. (ie, corruption committed between private parties) and criminalises both
the payment and receipt of a bribe (referred to as ‘gratification’ under
In relation to banks, a person who seeks to acquire 15 to 49 per cent South African legislation). The Act may also apply extraterritorially where
of shares in a bank requires prior approval of the Prudential Authority there is a sufficiently close connection. The Act does not prescribe any
(PA), and seeking to acquire 49 per cent or more of shares in a bank specific anti-bribery procedures that would apply to fintech companies.
requires prior approval of the Minister of Finance. The two most significant pieces of anti-money laundering legisla-
Prior approval must be obtained by a person who seeks to be a tion in South Africa are the Prevention of Organised Crime Act 1998
‘significant owner’ of a bank, an insurer, a collective investment scheme (POCA) and the Financial Intelligence Centre Act 2001 (FICA). In broad
(CIS) manager or a market infrastructure (such as a stock exchange terms, POCA creates statutory money laundering offences, and FICA
or central securities depository). In respect of insurers and banks, establishes the broad legal and administrative framework for combating
approval must be obtained from the PA, and in respect of CIS managers anti-money laundering in South Africa.
and market infrastructures approval, approval must be obtained from FICA’s anti-money laundering provisions are more stringent for
the Financial Sector Conduct Authority (FSCA). A person is regarded as companies that are ‘accountable institutions’ in terms of the Act. A
a significant owner if the person, directly or indirectly, alone or together fintech company may have to register as an accountable institution
with a related or interrelated person, has the ability to control or influ- under FICA and would be subject to the anti-money laundering (AML)
ence materially the business or strategy of the institution. In turn, a regime set up by that Act, for example, where a particular fintech-based
person has the ability to control or influence materially the business or product meets the definition of a financial product under the Financial
strategy of an institution if: Advisory and Intermediary Services Act 2002.
• the person, directly or indirectly, alone or together with a related Fintech businesses that fall under the definition of accountable
or interrelated person, has the power to appoint 15 per cent of the institutions in FICA are subject to demanding compliance obligations,
members of the board of directors; including:
• the consent of the person, alone or together with a related or inter- • ensuring that there are measures being taken to identify and verify
related person, is required for the appointment of 15 per cent of the their clients;
board members; or • conducting due diligence on clients;
• the person, directly or indirectly, alone or together with a related • filing suspicious transactions reports; and
or interrelated person, holds a qualifying stake in the institution. • conducting enhanced ongoing monitoring procedures on clients
that fall under the definition of ‘foreign prominent public official’ or
Any acquisition of shares or any other instrument in a market infra- ‘domestic prominent influential person’.
structure that will entitle that person to exercise direct or indirect
control over the institution requires the prior approval of the FSCA. For South Africa also belongs to the Financial Action Task Force (FATF) and
this purpose, a person exercises control if that person, alone or with the Eastern and Southern Africa Anti-money Laundering Group. In 2019,
associates: the FATF amended FATF Recommendation 15 (on new technologies). The
www.lexology.com/gtdt 185
© Law Business Research 2020
South Africa Bowmans
amendment requires jurisdictions to regulate crypto-assets and crypto- quotation, pre-agreement statement and loan agreement, and adhere to
asset service providers (CASPs) for anti-money laundering and combating several pre- and post-agreement rules and restrictions).
the financing of terrorism (AML/CFT). Jurisdictions must ensure that A credit agreement regulated by the NCA entered into on a peer-
CASPs are licensed or registered and subject to AML/CFT systems. to-peer or marketplace lending platform may be declared void and
In addition to the above, the Intergovernmental FinTech Working unenforceable in certain instances (eg, where a lender who is required to
Group’s policy position paper on crypto-assets (the Crypto Position be registered as a credit provider in terms of the NCA is not registered).
Paper) recommends that Schedule 1 of the Financial Intelligence Centre It is probably unlikely that peer-to-peer and marketplace lending
Act 2001 (FICA) be amended to include CASPs to the list of accountable arrangements will fall under any of the general NCA exemptions, but the
institutions (that is, for CASPs to be listed as their own category). This NCA will not apply in those cases. The exemptions are:
would encompass CASPs becoming accountable institutions in respect • a credit agreement in respect of which the credit receiver (borrower)
of those CASPs that are not already accountable institutions (by virtue is a juristic or legal person (as opposed to a natural person or indi-
of being, for example, an FSP). vidual) whose net asset value or annual turnover, together with the
No single law enforcement agency is charged with the investigation combined net asset value or annual turnover of all persons related
of corruption and money laundering offences in South Africa. Agencies to the juristic person credit receiver, equals or exceeds 1 million
with investigation powers include the South African Police Service, the rand at the time of conclusion of the credit agreement;
National Prosecuting Authority and Asset Forfeiture Unit, the Public • a ‘large’ credit agreement (eg, a credit transaction, in respect of
Protector and the Special Investigations Unit. The circumstances of which the principal debt under that transaction falls at or exceeds
each case determine who investigates it. 250,000 rand, where the consumer for the purposes of the NCA is a
juristic person having a net asset value or annual turnover falling
Guidance below 1 million rand); and
22 Is there regulatory or industry anti-financial crime guidance • a local applicant credit receiver can formally apply to the Ministry
for fintech companies? of Trade and Industry for a credit agreement that the credit receiver
seeks to enter into with an offshore (foreign) credit provider to be
There is currently no specific regulatory or industry anti-financial formally exempt from the application of the NCA.
crime guidance for fintech companies in South Africa. In January 2019,
however, the Crypto Assets Regulatory Working Group, in a consultation Assignment of loans
paper containing policy proposals for the development of regulatory 24 What steps are required to perfect an assignment of
responses, proposed that crypto-asset service providers be required to: loans originated on a peer-to-peer or marketplace lending
• register as accountable institutions with the Financial platform? What are the implications for the purchaser if the
Intelligence Centre; assignment is not perfected? Is it possible to assign these
• conduct customer due diligence; loans without informing the borrower?
• file reports on suspicious and unusual transactions; and
• implement appropriate record keeping. Where the loan agreement is regulated under the NCA (ie, where an
The Crypto Position Paper recommends, among other things: exemption from the NCA does not apply), the assignee must be regis-
• the implementation of an anti-money laundering and counterter- tered as a credit provider in terms of the NCA for the assignment to
rorism financing regime; and be lawful. This is because the NCA includes in its definition of a ‘credit
• a regulatory regime for the monitoring of cross-border finan- provider’ any person who acquires the rights of a credit provider under
cial flows. an NCA-regulated agreement after the agreement has been entered into.
Fintech companies should also be aware of how the compliance provi- Securitisation risk retention requirements
sions of the Cybercrimes and Cybersecurity Bill may affect them in 25 Are securitisation transactions subject to risk retention
future. The Bill has not yet been promulgated and, at present, has no requirements?
legal effect, but it is currently before the relevant South African legisla-
tive authority. The Bill aims to create a number of new offences relating Currently, no risk retention requirements are applicable in the South
to cybercrime and to assist in the prosecution and investigation of African market. However, given that South Africa has implemented the
those offences. For example, the present draft of the Bill would oblige Basel III requirements via regulations to the Banks Act 1990 (the Banks
financial institutions and electronic communications service providers Act), it is likely that securitisation transactions in South Africa may soon
to report offences implicating its computer system within 72 hours of be subject to similar risk retention requirements as those promulgated
the commission of the offence, taking steps to preserve any evidence across the European Union, including the Securitisation Regulation
related to the offence. (Regulation (EU) 2017/2402) and the Counterparty Credit Risk Amending
Regulation (Regulation (EU) 2017/2401), requiring, among other things,
PEER-TO-PEER AND MARKETPLACE LENDING securitising entities to have a new direct obligation to retain risk and the
implementation of the revised Basel securitisation framework.
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements
security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise
or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of
marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information
relating to the borrowers?
Loan agreements (and, indirectly, related security agreements) regu-
lated under the National Credit Act 2005 (NCA) as credit agreements must In South Africa, a special purpose vehicle that is set up to issue
comply with the onerous prescripts of the NCA to be valid (eg, a regis- commercial paper, as well as to acquire, own and deal in the under-
tered credit provider must provide a borrower with an NCA-compliant lying receivables acquired by the originator (the issuer SPV), may only
issue commercial paper if it complies with certain conditions set out in Crypto-assets
the Securitisation Regulations issued in terms of the Banks Act 1990, 29 Are there rules or regulations governing the use of crypto-
which exempts a securitisation structure from falling under the regula- assets, including digital currencies, digital wallets and
tory framework for banks. The issuer SPV can be formed in South Africa e-money?
or another jurisdiction, depending on the location of the securitisation
originator and other applicable commercial factors. It is well established (and confirmed by the relevant regulators) that
In cases where the SPV is set up in South Africa and is subject crypto-assets are currently not regulated. Accordingly (in very broad
to South Africa laws and regulations, there are no specific rules and terms), any activities in respect of those types of assets are not regu-
regulations governing confidentiality and data protection as it relates lated in South Africa. However, crypto-assets may have a different
to issuer SPVs in relation to the borrower in the context of securiti- regulatory treatment if they have characteristics similar to those of
sation (peer-to-peer or marketplace loans). However, the Protection existing regulated financial instruments or products in the South African
of Personal Information Act 2013 (POPIA) governs the processing and landscape. Whether crypto-assets have characteristics similar to those
transfer of personal data relating to securitisation transactions. The of existing regulated financial instruments or products in South Africa is
operative provisions and related regulations of POPIA were due to come a factual question and can be determined only on a case-by-case basis.
into effect on 1 April 2020, but this was delayed owing to the covid-19 In our experience, some crypto-assets constitute collective invest-
pandemic. The operative provisions and related regulations of POPIA ment schemes (CISs) under the Collective Investment Schemes Control
came into effect on 1 July 2020. Act 2002 (CISCA). In light of this, the key considerations in determining
In South Africa, there are also common law and constitutional whether a crypto-asset is a regulated instrument under CISCA are as
rights to privacy, including privacy of personal information. In practice, follows: whether the crypto-asset involves the pooling of investors’
South African institutions (including financial institutions and Issuer funds for investment in crypto-assets; whether the investors hold partic-
SPVs) already comply with POPIA in the treatment of personal data and ipatory interests (howsoever called); and whether the investors share
confidentiality because POPIA enshrines the common law and constitu- the risk and the benefit of investment in proportion to their participatory
tional rights to privacy already in place. interests. The Intergovernmental FinTech Working Group’s policy posi-
tion paper on crypto-assets (the Crypto Position Paper) recommends
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER that the pooling of crypto-assets be regarded as constituting an alterna-
TECHNOLOGY AND CRYPTO-ASSETS tive investment fund, which should become a licensable activity in terms
of the Conduct of Financial Institutions Bill. The Crypto Position Paper
Artificial intelligence indicates that a CIS should not be allowed to include crypto-assets in
27 Are there rules or regulations governing the use of artificial its portfolios.
intelligence, including in relation to robo-advice? Some crypto-assets, such as stablecoins, have the potential to be
seen as derivative instruments (forex derivatives), which are regulated
Yes, in respect of certain products. The National Payment System Act by both the Financial Markets Act 2012 (FMA) (regulating securities
1998 (NPSA) regulates system operators whose business is to assist traded on a stock exchange) and the Financial Advisory and Intermediary
participants in the South African payment system with the sending or Services Act 2002 (FAIS) (regulating the provision of financial services
receiving of instructions in respect of payment transactions, mainly in respect of listed and unlisted financial products). Similarly, owner-
through the provision of technical infrastructure. The NPSA regulates ship tokens that meet the functional definition of securities could be
such technical infrastructure. regulated under the FMA and FAIS.
The Determination of Fit and Proper Requirements for Financial E-money is not dealt with in any legislation, including the Banks Act
Services Providers 2017 (the Fit and Proper Requirements), published 1990 (the Banks Act), but it has been addressed in the E-Money Position
under the Financial Advisory and Intermediary Services Act 2002 Paper, issued by the South African Reserve Bank (SARB). According to
(FAIS), specifically regulates ‘automated advice’, which is defined as the E-Money Position Paper, the SARB will allow only registered South
‘the furnishing of advice through an electronic medium that uses algo- African banks to issue e-money, subject to section 52 of the Banks Act,
rithms and technology, without the direct involvement of a natural which allows for non-banks to enter into arrangements with banks
person’. A person that provides robo-advice is expected to be licensed that may permit those non-banks to offer payment-related services in
under FAIS as a financial services provider (FSP) to do so and to meet relation to e-money, in conjunction with the bank. Some digital wallets
certain criteria. qualify as e-money, and the activities surrounding those wallets are
In addition to the standard governance requirements applicable to subject to the E-Money Position Paper.
an FSP in the Fit and Proper Requirements, an FSP that provides auto-
mated advice must meet additional requirements relating to, among Digital currency exchanges
other things, human resources, policies and procedures relating to the 30 Are there rules or regulations governing the operation of
monitoring and reviewing of algorithms, the testing of algorithms and digital currency exchanges or brokerages?
technological resources.
Virtual currencies are not specifically regulated in South Africa. South
Distributed ledger technology Africa is, however, a common law-based jurisdiction that follows a princi-
28 Are there rules or regulations governing the use of ples-based, conduct-centric approach to financial regulation; therefore,
distributed ledger technology or blockchains? some of the activities relating to virtual currencies may be subject to
regulation if they have characteristics similar to the vanilla instru-
No. ments that are currently regulated in South Africa. The FMA applies
to all exchanges that facilitate transactions in ‘securities’ as defined;
therefore, the functional characteristics of each of the digital currencies
traded on an exchange must be considered to determine whether the
exchange should be licensed under the FMA.
www.lexology.com/gtdt 187
© Law Business Research 2020
South Africa Bowmans
Initial coin offerings including the unlawful accessing of data using software or hardware
31 Are there rules or regulations governing initial coin offerings tools. The intention is that new cybersecurity legislation will also be
(ICOs) or token generation events? made, although there is no firm timing on this and draft legislation has
not yet been released for comment.
There are no such rules specifically referring to ICO’s or other token The Intergovernmental FinTech Working Group’s policy position
generation events. However, to the extent that the tokens issued, gener- paper on crypto-assets (the Crypto Position Paper) notes the increased
ated or sold meet the functional definition of equity securities or debt cybersecurity risk in relation to crypto-assets and recommends that
securities under the Companies Act 2008, their issuance and sale may crypto-asset service providers (CASPs) ensure they meet the interna-
be subject to the existing (and complex and onerous) rules for initial tional cybersecurity standards for the safeguarding of crypto-assets.
public offerings, or for primary or secondary offerings of equity or debt. The Crypto Position Paper recommends implementing a regulatory
framework with guidelines to ensure that proper cybersecurity controls
DATA PROTECTION AND CYBERSECURITY are adopted by CASPs.
classification of data, the materiality of the activity outsourced, the level • the intention of the parties to conclude a contract of employment;
of risk, the mode and form of cloud computing and the offshoring of data. • the existence of a relationship of authority (whether the employer
No such similar directives or guidance notes have been issued in exercises control and supervision over the employee);
respect of any other financial services providers in South Africa at present. • the remuneration of the employee (including an assessment of
economic dependence on the alleged employer);
INTELLECTUAL PROPERTY RIGHTS • the period of the contract of employment; and
• the rendering of personal services by the employee. An agreement
IP protection for software to the contrary can, however, be concluded between the employer
36 Which intellectual property rights are available to protect and the employee.
software, and how do you obtain those rights?
Importantly, the above exception does not apply to independent contrac-
If it complies with the relevant requirements, software (or a computer tors (ie, contractors or consultants). Independent contractors retain
program) is afforded protection in South Africa as a ‘work’ eligible for ownership of all intellectual property rights attaching to their work,
copyright under the Copyright Act 1978 (the Copyright Act). unless agreed otherwise. Therefore, where an independent contractor
Copyrights cannot be registered, but their protection arises auto- is creating software for payment, it is important to confirm that the
matically in law. As soon as a work comes into existence and meets the contract makes provision for the assignment of the copyright to the
requirements set out in the Copyright Act, it is protected in terms of person commissioning the work. For the assignment to be valid, it must
South African common law as a copyright work. be in writing and must show the necessary animus to transfer and
Copyright protects the product of an idea, or the ‘work’, rather receive ownership of the copyright on both sides of the transaction.
than an idea itself and entitles the copyright holder to prevent any All other forms of intellectual property do not automatically vest
other person from doing, directly or indirectly, any act in relation to the in the employer and must be assigned. Therefore, employment agree-
relevant work that the copyright owner has the exclusive right to do or ments (and independent contractor agreements) must include an
authorise. assignment of all intellectual property rights developed in the course
There are a number of types of works that are eligible for copyright and scope of employment.
under the Copyright Act, including, but not limited to, literary works and
computer programs. A program only constitutes a computer program Joint ownership
in terms of the Copyright Act if it is a finished product that is capable of 38 Are there any restrictions on a joint owner of intellectual
directing the operation of a computer to bring about an intended result. property’s right to use, license, charge or assign its right in
It is commonly understood that, until the time the program is capable of intellectual property?
doing so, it constitutes a literary work. As a result, software is afforded
protection under the Copyright Act. The protection of intellectual property software is only dealt with in
An important consideration for copyright protection is the identity terms of the Copyright Act. According to the Copyright Act, a ‘work
of the author. As a general rule, copyright automatically vests in the of joint ownership’ means a work produced by two or more authors
author of a work (although there are exceptions). In addition, to qualify in which the contribution of each author is not separable from the
for protection under the Copyright Act, the author must be an ‘eligible contribution of the other author or authors. The inseparability of the
person’, which means either a South African citizen or an entity incor- authors’ contributions gives rise to joint authorship (ie, co-ownership).
porated according to South African laws, and the work must be original Co-ownership may also arise where the copyright is assigned to more
and reduced to material form. than one assignee. In South African law, each co-owner obtains an indi-
Certain forms of copyright are subject to ‘moral rights’, which belong visible share in the copyright and may not use or dispose of such share
to the author. These are rights of paternity (ie, the right to claim owner- without the consent of the other co-owner.
ship) and integrity (ie, the right to object to any distortion, mutilation
or other modification of the work). However, the author of a computer Trade secrets
program or a work associated with a computer program may not prevent 39 How are trade secrets protected? Are trade secrets kept
or object to modifications that are absolutely necessary on technical confidential during court proceedings?
grounds or for the purpose of commercial exploitation of the work.
The Patents Act 1978 expressly excludes a program for a computer Confidential information
from being a patentable invention in South Africa. Confidential information is information that has the necessary quality of
confidentiality to justify legal protection, where confidentiality is more
IP developed by employees and contractors than value or usefulness of the information. To be treated as confidential
37 Who owns new intellectual property developed by an information, information must be:
employee during the course of employment? Do the same • capable of application in trade and industry;
rules apply to new intellectual property developed by • secret or confidential, that is, it must be known only to certain people
contractors or consultants? or be something that is not public property or public knowledge; and
• the information must have economic value to the person trying to
The protection of intellectual property software is only dealt with in protect it. Whether information is confidential is a question of fact,
terms of the Copyright Act. Generally, copyright automatically vests and information may lose its confidential nature over time.
in the author of the work. One of the exceptions in the Copyright Act
is in the case of an employment relationship, in which case the copy- Legal framework
right in any work made during the course of the author’s employment There is no specific legislation or regulation that deals directly with
under a contract of service or apprenticeship will vest in the employer. confidential information in South Africa. Confidential information is,
‘Employment’ is not specifically defined in the Copyright Act, so it is accordingly, regulated under the common law. In certain instances,
generally understood to have the meaning given to it under applicable confidential information may be protected under the Copyright Act where
law. In this regard, the following criteria are generally taken into account: the information constitutes a literary work and is reduced to writing.
www.lexology.com/gtdt 189
© Law Business Research 2020
South Africa Bowmans
Protections and remedies • marks that exclusively comprise a sign or indication that designates
The common law provides various mechanisms that can be used to various characteristics of goods or services; or
protect confidential information, trade secrets and know-how, including: • marks that exclusively comprise a sign or an indication that has
• contractual protection (this may either be express or implied); become customary in the current language or bona fide established
• delictual protection, comparable to tort under English law (specifi- practices in the trade.
cally protection from unlawful competition);
• interdict (equivalent to an injunction under English law); and The process of registering a trademark involves making an application,
• protection arising from a fiduciary relationship (eg, an agent, which is then examined.
mandatory or director). Examination first considers the formal requirements (ie, that the
mark is distinctive and capable of registration), and second considers
Most importantly, the person wishing to protect confidential information whether any conflict or third-party rights based on prior applications
must take practical steps to keep the information confidential. or registrations would be contravened using the trademark. The regis-
trar may accept the application unconditionally, or the registrar may
Trade secret accept the application subject to conditions, amendment or modification.
A trade secret is essentially a sub-category of confidential information Conversely, the registrar may also refuse the application provisionally,
in that it is a formula, practice, process, design, instrument, pattern, or the registrar may refuse the application altogether.
commercial method or compilation of information not generally known If the application is accepted, the acceptance must be advertised
or reasonably ascertainable by others by which a business can obtain in the Patent Journal. Any interested person may, within three months
an economic advantage or competitive edge over competitors or following the advertisement of the trademark application in the Patent
customers. Usually, only a strategic and limited number of persons hold Journal, lodge an opposition to the registration of the trademark. An
such information. opposition can be lodged on any of the grounds that the trademark is
not capable of registration under the Trade Marks Act.
Legal framework If the application is advertised and no objection is raised, the regis-
There is no specific legislation or regulation that deals directly with trar will register the trademark and issue a certificate of registration.
trade secrets in South Africa. Trade secrets are, accordingly, regulated Trademark registration is effective for an initial period of 10 years
under the common law. from the date of filing the application and, thereafter, is renewable
for similar periods in perpetuity. A trademark that has lapsed may be
Protection and remedies restored upon payment of a fine or additional fee and provided that the
The protection and remedies for trade secrets are the same as those registrar is satisfied that it is just to do so.
discussed above for confidential information. The general rule is that A trademark may be infringed in the following circumstances:
confidential information will be disclosed during court proceedings. The 1 the unauthorised use in the course of trade in relation to the same
exception would be that the information would not be disclosed if it falls goods or services in respect of which the mark is registered, of an
within the ambit of legal privilege. In addition, a witness can be subpoe- identical mark or a mark so nearly resembling the registered mark
naed to provide confidential information. The only ground for refusing as to be likely to deceive or cause confusion;
to provide documents or information in terms of a subpoena is legal 2 the unauthorised use in the course of trade of a mark that is iden-
privilege. tical or similar to the registered trademark, in relation to goods or
services so similar to the goods or services in respect of which the
Branding mark is registered that such use has a likelihood of deception or
40 What intellectual property rights are available to protect confusion;
branding and how do you obtain those rights? How can fintech 3 the unauthorised use in the course of trade in relation to any goods
businesses ensure they do not infringe existing brands? or services of a mark that is identical or similar to the registered
trademark if the registered trademark is well known in South Africa
Branding may be protected through the use of trademarks, which are and the use of the mark is likely to take unfair advantage of, or be
regulated in terms of the Trade Marks Act 1993 (the Trade Marks Act). A detrimental to, the distinctive character or repute of the well-known
trademark provides the owner thereof with the exclusive rights to use registered trademark, notwithstanding the absence of confusion or
the mark. Trademarks are registerable; however, registration is not a deception; and
requirement for the holder to have a remedy in the event of infringe- 4 the unauthorised use of a trademark that constitutes, or the
ment. The registration of a trademark, nevertheless, provides a clear and essential part of which constitutes, a reproduction, imitation or
enforceable right to that trademark. Accordingly, it is recommended that translation of a trademark that is entitled to protection under the
trademarks be registered as the remedies in respect of infringement of Paris Convention as a well-known mark (even though not registered
a registered trademark are more comprehensive and easily enforceable in South Africa), if the use is in relation to goods or services that are
than those under common law in respect of an unregistered trademark. identical or similar or to goods or services for which the mark is
In terms of the Trade Marks Act, a trademark can be registered if: well known, and the use is likely to cause deception or confusion.
• the trademark is capable of distinguishing between goods and
services of one person from those of another; and The Trade Marks Act sets out the following defences to an infringement
• a mark is capable of making a distinction as it is either inherently claim (with an exception to point (4) above):
capable of distinguishing between goods and services of one trader • any bona fide use by a person of his or her own name, the name of
from another, or capable of making a distinction through prior use. his or her place of business, the name of any of his or her prede-
cessors in business, or the name of any such predecessor’s place
The Trade Marks Act excludes certain trademarks from registration, of business;
including without limitation: • the use by any person of any bona fide description or indication of
• marks that do not constitute a trademark; the kind, quality, quantity, intended purpose, value, geographical
• marks that lack the general or inherent ability to make a distinction; origin or other characteristics of his or her goods or services, or
The protection of confidential information, trade secrets and know-how Foreign nationals require work permits to work in South Africa. The
is almost exclusively governed by common law; hence, there are protec- Immigration Act 2002 provides for various permits. The most commonly
tive mechanisms that provide for common law remedies. In addition to used permits are general work permits and intra-company transfer
the common law protective mechanisms that are available, legislation permits. General work permits are typically only granted if no suitable
also provides protection of intellectual property rights. South African is available to perform the work concerned.
In terms of the Copyright Act and the Trade Marks Act, the infringe-
ment of certain provisions is a criminal offence, the penalty for which UPDATE AND TRENDS
is a fine or imprisonment. In addition, both the Copyright Act and the
Trade Marks Act provide for civil proceedings to be instituted where Current developments
intellectual property rights have been infringed, affording the following 46 Are there any other current developments or emerging
possible relief: trends to note?
• in the case of copyright:
• damages (but only where the defendant was aware or had Financial regulatory
reasonable grounds for suspecting that copyright subsisted In January 2019, the Crypto Assets Regulatory Working Group (CARWG)
in the work); published a consultation paper containing policy proposals for the
• an interdict; development of regulatory responses. The paper points out that a
• delivery of infringing copies or plates used for making useful starting point for regulatory intervention is through registration.
infringing copies; The objective of the registration process is specifically to gain further
• in lieu of damages, at the option of the plaintiff, a reasonable insights from market participants. According to the proposals, the
royalty; or crypto-asset service providers that will require registration are:
• additional damages as the court may deem fit, in certain • crypto-asset trading platforms or any other entity facilitating
exceptional circumstances; and crypto-asset transactions;
• in the case of trademarks: • crypto-asset digital wallet providers (custodial wallets);
• an interdict; • crypto-asset safe custody service providers (custodial services);
• an order for the removal of the infringing mark from all mate- • crypto-asset payment service providers; and
rial and where inseparable or incapable of being removed • merchants and service providers accepting payments in
from the material, an order that all such material be delivered crypto-assets.
to the proprietor;
• damages; or The policy position paper of the Intergovernmental FinTech Working
• in lieu of damages and at the option of the proprietor, a Group (IFWG) on crypto-assets (the Crypto Position Paper) recommends
reasonable royalty. the development of a regulatory framework for crypto-assets, including
recommending that crypto-assets remain without legal tender status
COMPETITION and not be recognised as electronic money.
The Crypto Position Paper recommends that the Financial Sector
Sector-specific issues Conduct Authority (FSCA) should become the responsible authority for
42 Are there any specific competition issues that exist with the licensing of ‘services related to the buying and selling of crypto-
respect to fintech companies in your jurisdiction? assets’ and that Schedule 1 of the Financial Intelligence Centre Act 2001
(FICA) be amended to include crypto-asset service providers (CASPs) to
No. the list of accountable institutions.
www.lexology.com/gtdt 191
© Law Business Research 2020
South Africa Bowmans
The Crypto Position Paper also outlines the principle-based approach Kirsten Kern
that should be adopted by South Africa’s regulatory response, which kirsten.kern@bowmanslaw.com
includes: Livia Dyer
• adopting a risk-based approach; livia.dyer@bowmanslaw.com
• adopting a unified regulatory approach:
Claire Franklyn
• adopting a phased approach;
claire.franklyn@bowmanslaw.com
• being technology-neutral and primarily principles-based; and
• being resilient and adaptive. Bright Tibane
bright.tibane@bowmanslaw.com
The implementation plan provided in the Crypto Position Paper provides
estimated timelines ranging from six to twelve months to implement the 11 Alice Lane
theme outlined in the recommendations. Most notable is the implemen- Sandton
tation of a regulatory regime for anti-money laundering and combating Johannesburg 2146
the financing of terrorism, which the IFWG and CARWG estimate will South Africa
take six to nine month, noting, however, the possibilities of delays in the Tel: +27 11 669 9000
administrative process. www.bowmanslaw.com
The Conduct of Financial Institutions Bill provides (following its
enactment) for the requirements for the granting of a financial product
or service licence to be adapted to ‘facilitate financial inclusion’ or to
promote ‘innovative technology, processes and practices’. specific frameworks. The PA has also provided relief to the banking
sector in the form of minimum capital requirements for banks relating
Intellectual property to credit risk and temporary capital relief to alleviate risks posed by
The Copyright Amendment Bill was tabled in Parliament in May 2017 the pandemic.
and aims to provide greater protection to South African performers
and authors by ensuring that they receive fair remuneration. The Bill Competition law
has been criticised for not achieving this desired purpose, particu- The Minister of Trade, Industry and Competition (the Minister) published,
larly because it introduces a ‘fair use’ clause that is critiqued as being among other things, the Covid-19 Block Exemption for the Banking
too broad, thereby weakening the protection afforded to authors and Sector 2020 Regulations on 23 March 2020 (the Banking Exemption).
publishers. The Banking Exemption was published in terms of sections 10(10) and
78(1) of the Competition Act 1998 (the Competition Act), which permit
Coronavirus the Minister to issue regulations exempting a category of agreements
47 What emergency legislation, relief programmes and other or practices from the application of Chapter 2 of the Competition Act.
initiatives specific to your practice area has your state Chapter 2 of the Competition Act deals with prohibited conduct
implemented to address the pandemic? Have any existing (ie, horizontal and vertical restraints and abuse of dominance). The
government programmes, laws or regulations been amended Banking Exemption exempts, in coordination with or at the request of
to address these concerns? What best practices are advisable the Minister or, if applicable, the Minister of Finance, certain agreements
for clients? or practices between banks (as registered in terms of the Banks Act)
that would otherwise constitute contraventions of section 4 (horizontal
Financial regulatory prohibited conduct) and section 5 (vertical prohibited conduct) of the
As at the time of writing, no emergency legislation has been promul- Competition Act for the duration of the declaration of a state of national
gated to address the pandemic; however, the FSCA and the Prudential disaster in terms of the Disaster Management Act, and only for the
Authority (PA) have published a number of communications and notices purpose of responding to the disaster (eg, providing payment holidays
to mitigate the strain on resources and the financial and operational to debtors or maintaining the functioning and integrity of the national
capacity of financial institutions owing to the pandemic. These commu- payment system). The scope of the Banking Exemption was extended
nications and notices have provided relief in a number of ways, such as on 5 May 2020 to include all financial institutions registered as such in
providing relaxations and extensions to regulatory and filing deadlines terms of the FSRA.
in terms of the FSRA, the Financial Advisory and Intermediary Services
Act 2002, the Financial Markets Act 2012 and FICA. Tax law
The FSCA and PA have also provided relief by communicating Various tax measures have been introduced to provide relief to
expectations of regulated entities, such as insurers and collective taxpayers, including the measures set out below. These measures are
investment schemes, as well as publishing implementation dates for only applicable for a specific time period:
specific regulatory frameworks in advance to provide certainty and • qualifying employers may defer a percentage of their employees’
allow financial institutions to prepare for the implementation of the tax payments in respect of remuneration paid to employees during
April to July 2020. The deferred portion must be settled in six equal
instalments, with repayment commencing with the August payroll;
• qualifying taxpayers may defer a percentage of their provisional
tax payments. The deferred portion must be settled by way of a
top-up payment within six months after year end;
• payment of excise taxes on alcoholic beverages and tobacco prod-
ucts for May and June 2020 were deferred by 90 days;
• the first carbon tax payments would have been due by 31 July
2020, but were postponed until 31 October 2020;
• various tax administrative time periods were extended during the
initial lockdown period;
• covid-19 disaster relief organisations qualify for exemptions in
respect of income tax and donations tax, and donations to those
organisations are tax deductible subject to certain limits;
• the normal limits applicable to the deductibility of donations to
approved non-profit organisations were relaxed in respect of dona-
tions to the government’s solidarity fund;
• from April to July 2020, employers may claim an employment tax
incentive in respect of all employees earning less than 6,500 rand
per month;
• employers do not have to pay skills development levies for the
period from May to August 2020, although there was subsequently
a request by the Department of Higher Education for this to be a
deferral rather than an exemption;
• smaller businesses that normally file value added tax (VAT) returns
on a bimonthly basis, could submit VAT returns on a monthly basis
to accelerate VAT refunds;
• various anti tax-avoidance measures, which were announced in
February 2020, will be deferred until at least January 2021; and
• individuals who receive annuity income from living annuities can
generally only increase or decrease their annuity income once
a year, on the anniversary date of the annuities; however, these
rules were relaxed to allow for increases or decreases from May
to August 2020.
Securitisation
With regard to securitisation structures in particular, there has been
no new legislation or relief programme specifically enacted to address
the covid-19 pandemic. However, as the South African economy suffers
from the effects of the pandemic, some types of assets underlying South
African securitisation structures (ie, auto and equipment lease and
debtor books) will similarly be affected. As such, some types of secu-
ritisations will suffer some degree of credit weakening. Advisable best
practice for clients is to re-examine covenant headroom in the trans
action documentation as well as material adverse change provisions.
www.lexology.com/gtdt 193
© Law Business Research 2020
Spain
Alfredo De Lorenzo, Álvaro Muñoz, Carlos Jiménez de Laiglesia, Ignacio González, Juan Sosa and
María Tomillo
Simmons & Simmons LLP
The Spanish fintech community is one of the biggest in Europe. In The regulator in charge of supervision of fintech products and services
this regard, Spain continues to promote this type of business, and the is the Spanish Securities Market Commission (CNMV) together with the
number of companies that use innovation and technology in the financial Bank of Spain and the General Directorate for Insurance and Pension
industry increases each year. Recent studies show that 70 per cent of Funds, depending on the type of entity intending to provide services in
the total number of fintech companies provide services linked to credit Spain and the exact nature of those services.
activities. The number of companies focused on electronic payments is
increasing as well as those dedicated to investment solutions. Regulated activities
4 Which activities trigger a licensing requirement in your
Government and regulatory support jurisdiction?
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key There are a large number of activities that, when carried out in Spain on
benefits of such support? a professional and ongoing basis in respect of specified financial instru-
ments, trigger licensing requirements. These are set out in a number
The Spanish Securities Market Commission (CNMV) has set up a of different regulations, including those implementing the second
point of contact for business initiatives related to financial innovations Markets in Financial Instruments Directive in Spain as well as legisla-
currently available on the online portal of the CNMV (the CNMV Fintech tion that governs activities carried out by financial institutions, such as
Portal). This site gives online support to promote fintech initiatives that credit entities.
deliver better outcomes for consumers and that improve the efficiency The most common activities that may require a licence with respect
and competitiveness of the Spanish financial markets. Through this site, to specified financial instruments include:
the CNMV collaborates with fintech businesses and financial institu- • the reception and transmission of orders;
tions, providing guidance regarding the interpretation and application of • the execution of orders on behalf of clients;
rules and regulations where appropriate. In February 2020, the draft act • portfolio management;
that regulates a fintech sandbox in Spain, following the models already • providing investment advice (which requires that specific recom-
established in other jurisdictions, was approved. Under this draft act, mendations are made as opposed to providing generic advice only);
among others, the following objectives are met: financial sustainability • the underwriting or placing of financial instruments, or both;
control and risk minimisation, mitigation and adaptation of the regu- • dealing in investments as the principal or agent;
latory burden, creation of an space to boost the development of open • arranging or bringing about deals in investments; and
financial innovation and attraction of international investment. The final • making arrangements with a view to transactions in investments.
implementation will create opportunities for this country and important
advantages to better the position of the Spanish fintech sector. The To carry on any of these activities in relation to specified financial instru-
Spanish Association of Fintech and Insurtech actively participated in the ments on a professional and ongoing basis in Spain, the relevant entity or
creation of this fintech sandbox. The sandbox is designed to position natural person must obtain the appropriate authorisation or passport. In
Spain as a leader in financial innovation. addition to this authorisation, registration is a requirement to operate in
Spain. Authorisation is also required to carry out marketing or canvassing
of clients on a professional basis, as well as prior or preliminary activities
related to investment services and offering of financial instruments.
A similar regime applies to the provision of services that are typical
activities carried out by credit entities. The Spanish implementing text of
the Capital Requirements Directive expressly states that the activity of
taking repayable funds from the public (whether in the form of deposits,
loans or temporary transfers of financial assets or other analogous
actions) is a licensable activity that can only be carried out by credit CISs are a regulated product in Spain and must be locally regis-
entities that are authorised to operate in Spain and duly registered with tered. Management and distribution of CISs (ie, marketing, promotion
the Bank of Spain. Taking repayable funds from the public using capital and advertising) may only be carried out by licensed entities in Spain
markets through the issuance and placement of instruments with the as these activities trigger licensing requirements. Marketing of CISs is
aim of giving credit is a reserved activity. defined as those activities aimed at raising funds from clients by way
Notably, the provision of loans does not trigger licensing require- of any advertising activity for their investment into the CIS. Advertising
ments, even though it is a typical activity of credit entities. However, activity consists of targeting the public through telephone calls initi-
while the activity of extending credit is not a reserved activity, it is ated by the CIS or its management company, home visits, personalised
usually connected to other regulated activities that trigger licensing letters, emails or any other electronic media forming part of a dissemi-
requirements. nation, promotional or marketing campaign.
Regarding payment services, it is prohibited for entities or natural Whether a fintech company falls within the scope of this regulatory
persons who are not payment service providers (apart from certain regime will depend on the exact nature of its business and the type of
exceptions derived from the second Payment Services Directive (PSD2)) activities being carried out.
to provide payment services in Spain on a professional basis.
Alternative investment funds
Consumer lending 8 Are managers of alternative investment funds regulated?
5 Is consumer lending regulated in your jurisdiction?
Managers of alternative investment funds are regulated in Spain
Although it has traditionally been an activity carried out in Spain by under the AIFMD, which was implemented in Spain by Act 22/2014,
credit institutions and financial credit establishments, in the case of a of 12 November, governing private equity entities, other closed-ended
non-financial institution (ie, neither a credit institution nor a financial collective investment undertakings, and the management companies of
credit establishment) that is dedicated solely to the activity of granting closed-ended collective investment undertakings, which amended Act
consumer loans, this non-credit institution (formed as a company) may 35/2003, of 4 November, on Collective Investment Schemes.
carry out this activity without a licence. The number of persons who tend
to get credit from non-financial institutions offering personal loans rather Peer-to-peer and marketplace lending
than other traditional means (eg, banking credit cards and banking loans) 9 Describe any specific regulation of peer-to-peer or
is increasing. marketplace lending in your jurisdiction.
The regulatory regime for consumer credit is governed by Act
16/2011, of 24 June, on Credit Agreements for Consumers. This regula- Peer-to-peer lending is considered a crowd-lending activity under
tory regime applies to all contracts where entities or natural persons in Spanish legislation and is regulated by Act 5/2015, of 27 April, on the
the course of their business activity, profession or craft, grant or promise Promotion of Business Financing.
to grant a consumer credit in the form of a deferred payment, loan,
opening credit or any other equivalent means of financing, with the aim Crowdfunding
of covering personal needs outside of his or her professional or busi- 10 Describe any specific regulation of crowdfunding in your
ness activity and amounting to at least €200. This regulation broadly sets jurisdiction.
out the requirements that lenders need to comply with in relation to the
provision of information, documents and statements, and the detailed Crowdfunding is regulated by Act 5/2015, of 27 April, on the Promotion
requirements as to the form and content of the credit agreement itself, of Business Financing. This law affects reward-based crowdfunding,
including advertising, information to consumers, content, form of the equity crowdfunding and crowd lending, and governs, among other
contracts, cases of null-and-void contracts, right of withdrawal and costs. things, the normal operating model and regime of the platforms, the
In addition, Spanish Legislative Decree 1/2007, of 16 November, accreditation of the investor and the limits established for the amount
for the Protection of Consumers and Users also applies to consumer of the investment. These limits, which are some of the most restrictive
lending. Depending on the circumstances, other Spanish supplementary elements established in the law, include limitations on:
regulations may also be relevant. • raising funds for start-ups that amount to €5 million for accredited
investors (ie, professional investors) and to €2 million for non-
Secondary market loan trading accredited investors;
6 Are there restrictions on trading loans in the secondary • equity crowdfunding projects, which cannot exceed 125 per cent of
market in your jurisdiction? the project’s projected target; and
• platforms and projects to be invested in by non-accredited inves-
Provided that the loan itself is being traded, and not the loan instrument tors, which are capped at €10,000 and €3,000 respectively.
(the financial instrument creating or acknowledging indebtedness), there
are no restrictions on trading loans in the secondary market. It is expressly established that these types of investments are not
covered by the guarantee fund.
Collective investment schemes
7 Describe the regulatory regime for collective investment Invoice trading
schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your
finance products or services would fall within its scope. jurisdiction.
The general regulatory regime for collective investment schemes (CISs) There is no specific regulation of invoice trading in Spain. As a general
in Spain consists of the transposition of the Undertakings for Collective rule, there are no restrictions on invoice trading; however, the activities
Investment in Transferable Securities Directive and the Alternative and structure of a firm engaged in invoice trading should be analysed
Investment Fund Managers Directive (AIFMD), in addition to the regime to determine whether a regulated activity that requires permission or
that applies specifically to Spanish CISs. authorisation is taking place.
www.lexology.com/gtdt 195
© Law Business Research 2020
Spain Simmons & Simmons LLP
Open banking An EEA firm may exercise passport rights to provide services in Spain
13 Are there any laws or regulations introduced to promote and may provide services through a local branch, agent or on a cross-
competition that require financial institutions to make border basis without presence in the territory. A non-EEA firm or an
customer or product data available to third parties? EEA firm that is not undertaking an activity that can be passported into
Spain, must establish a local presence, obtain an appropriate licence
No. or, in some cases, receive authorisation from the relevant regulator to
operate on a cross-border basis
Requirement for a local presence legal provision is complemented by Circular 6/2010, of 28 September,
18 Can fintech companies obtain a licence to provide financial for Credit and Payment Entities, on Advertising of Banking Services
services in your jurisdiction without establishing a local and Products.
presence? This Circular determines general principles and criteria to be
followed when preparing marketing materials and procedures and
An EEA firm may exercise passport rights to provide services in Spain. controls that entities must have in place in connection with banking
A non-EEA firm or an EEA firm that is not undertaking an activity that services and products. Other rules such as Order EHA/2899/2011, of 28
can be passported into Spain, must establish a local presence, obtain October, on Transparency and Protection of Clients of Banking Services
an appropriate licence or, in some cases, receive authorisation from the may also apply.
relevant regulator to operate on a cross-border basis. Although this regime is still in place (this regime basically follows
ex post control of advertising material), it is clear that a review of this
SALES AND MARKETING system is needed to adapt it to digital technology and guarantee compli-
ance. In this regard, on 1 July 2019, a draft of a new Circular of the Bank
Restrictions of Spain was published in respect of advertising of banking services
19 What restrictions apply to the sales and marketing of and products, which will give clarity to the advertising of these type
financial services and products in your jurisdiction? of services and products and will enhance client protection. This new
regulation, if finally enacted, may lead to significant changes in adver-
Investments tising as it would be the first time that social networks and audiovisual
Although general rules on marketing and advertising shall apply to the media are regulated in Spain.
investment business, there are specific regulations covering the sales The CNMV has supervisory functions in respect of the marketing
and marketing of investment services and products in Spain. In accord- and advertising of investment services and products.
ance with the Spanish Securities Market Act (which transposes the
second Markets in Financial Instruments Directive (MiFID II) in Spain), CHANGE OF CONTROL
this activity must be only carried out by entities that are authorised or
passported to provide the relevant investment service. Notification and consent
Although the sales and marketing of financial services is not an 20 Describe any rules relating to notification or consent
investment service itself, the activity consisting of marketing as well as requirements if a regulated business changes control.
the canvassing of clients triggers licensing requirements in Spain.
Advertising and marketing of investment services and prod- There are specific rules relating to change of control of regulated enti-
ucts are covered under sectorial regulations, in particular the Order ties. Where a person (whether acting separately or with others) decides
EHA/1717/2010, of 11 June, of Regulation and Control of Advertising to acquire, directly or indirectly, shares in a credit institution, insurance
of Investment Services and Products covers this type of advertising in company or investment firm that imply acquiring a significant holding
Spain and includes a definition of advertising activity. In this regard, or taking control of the entity, the relevant regulators (the Bank of
advertising activity includes a communication to the general public Spain, Spanish Securities Market Commission or General Directorate
aimed to promote, directly or indirectly through third parties, the for Insurance and Pension Funds) must first be notified and provide
contracting of a specific investment service or product (covering finan- their consent. The notification must be accompanied by documents and
cial instruments under MiFID), as well as those communications made information that will enable the relevant regulator to analyse the suit-
in the course of a public offer with the aim of impacting its result. It is ability of the potential acquirer. Once the relevant regulator expressly
expressly contemplated that advertising activity shall exist in respect states that there are no grounds to prevent the acquisition, the acquisi-
of communications to the general public on management or marketing tion may take place.
of collective investment schemes, private equity schemes or securitisa- A prior request must always be sent to the relevant supervisory
tion vehicles, although these communications do not refer to a specific authority and the acquisition may not take place before receiving rele-
product. This legal provision determines those procedures and controls vant authorisations. There are specific procedures and standardised
that entities must have in place when producing advertising materials forms that must be used in these circumstances.
in connection with investment services and products.
The content of the advertising material in no case may contradict FINANCIAL CRIME
or play down the importance contained in the prospectus and the key
investor information document. Advertising materials must be clearly Anti-bribery and anti-money laundering procedures
recognisable as such and the promotional character of the message 21 Are fintech companies required by law or regulation to have
must be explicit and evident. All information included in the materials procedures to combat bribery or money laundering?
must be fair, clear and not misleading, with the ultimate goal of abiding
by the general obligation to act in an honest, loyal and professional There is no specific legal or regulatory requirement for fintech
manner and in the best interests of clients while rendering invest- companies to have anti-money laundering procedures. The Spanish
ment services. Anti-Money Laundering Act applies to a number of regulated entities
The Spanish Securities Market Commission (CNMV) has supervi- and persons carrying out certain activities. Compliance with the Anti-
sory functions in respect of marketing and advertising of investment Money Laundering Act is compulsory and includes an obligation to have
services and products. appropriate policies and procedures in place to combat money laun-
dering and terrorism financing.
Banking Spanish legislation does not regulate anti-bribery and corruption
In respect of banking activities, Order EHA/1718/2010, of 11 June, on separately. The relevant regulation establishes monitoring mechanisms
the Regulation and Control of Advertising of Banking Services and to avoid illicit activity in organisations while also providing a range of
Products regulates this type of advertising in Spain. In addition, this sanctions, including the suspension of the activities and the dissolu-
tion of the company engaged in illegal activities. Regardless of whether
www.lexology.com/gtdt 197
© Law Business Research 2020
Spain Simmons & Simmons LLP
they are regulated, fintech companies should adopt a proactive position Assignment of loans
to establish preventive criminal monitoring measures and appropriate 24 What steps are required to perfect an assignment of
policies and procedures as a matter of good governance and risk loans originated on a peer-to-peer or marketplace lending
management. platform? What are the implications for the purchaser if the
Where initial coin offerings (ICOs) fall under the classification of a assignment is not perfected? Is it possible to assign these
public offer, procedures to combat bribery or money laundering should loans without informing the borrower?
be in place.
In May 2018, the EU approved new anti-money laundering legisla- Under Spanish law, the transfer of a loan originated on a peer-to-peer
tion targeting anonymity in the cryptocurrency market. (P2P) marketplace lending platform requires only the agreement of the
In September 2018, Spanish Royal Decree Act 11/2018 was transferor and the transferee. The loan agreement could impose addi-
published to partially implement the EU’s fourth Anti-Money Laundering tional requirements that would then be required for the effectiveness
Directive and this new text is now in force, although further regulations of the assignment in relation to the borrower, but this is not customary
are still pending approval. except in large loans. The transfer is valid even if no notice is given
to the borrower. However, until this notice is given, or the borrower is
Guidance aware of the transfer, the transfer is not effective against the borrower
22 Is there regulatory or industry anti-financial crime guidance and he or she may discharge his or her obligations by payment to the
for fintech companies? transferor, without any liability to the transferee. In addition, the transfer
will not be fully effective against third parties (including the transferor’s
There is no anti-financial crime guidance specifically for fintech firms. creditors) unless the transfer agreement is executed and notarised with
However, firms that are subject to the Anti-Money Laundering Act for the intervention of a public notary. As a result, transfer agreements are
carrying out certain types of activities subject to anti-money laundering usually notarised, and the parties notify the transfer to the borrower as
checks should comply with it. In addition, these entities should follow soon as it is effective.
the general recommendations for internal monitoring to prevent money Any security interest that secures the loan will transfer auto-
laundering and terrorism financing issued by the Spanish Executive matically with the loan and will secure the new creditor. In practice,
Service of the Commission for the Prevention of Money Laundering. however, it is necessary to carry out certain additional acts to put the
Regulatory and financial crime rules apply as far as the entities security under the name of the new lender. In the case of mortgages, it
are subject to these regulations considering the type of activity or the is necessary to register the transfer in the land registry and in the case
type of entity (banks, insurance companies, asset managers, investment of pledges over shares, claims or bank accounts, notice should be given
firms, etc). In this regard, there is an initiative proposing the creation of to the company, the debtor or the account bank respectively.
a specific regulatory framework for the fintech sector.
Securitisation risk retention requirements
PEER-TO-PEER AND MARKETPLACE LENDING 25 Are securitisation transactions subject to risk retention
requirements?
Execution and enforceability of loan agreements
23 What are the requirements for executing loan agreements or Application of the EU risk retention rules to securitisations
security agreements? Is there a risk that loan agreements of loans originated on a peer-to-peer or marketplace lending
or security agreements entered into on a peer-to-peer or platform (P2P securitisations)
marketplace lending platform will not be enforceable? The risk retention requirements set out in the sectoral EU legislation will
apply to P2P securitisations that are offered to European banks, invest-
Spanish law does not generally impose any formal requirements for ment firms, alternative investment funds or insurers. Under the current
executing loans. An exception to this is in respect of consumer loans for sectoral EU risk retention rules, certain investors (such as credit insti-
which there is a requirement that the agreement has to be drawn up tutions, Markets in Financial Instruments Directive-regulated firms and
on paper or another durable medium. Electronically signed documents alternative investment fund managers) will be subject to higher regula-
are recognised and are enforceable. The market practice, however, is tory capital charges where they invest in securitisation positions that do
that loan agreements are generally made in writing and are notarised not comply with the risk retention rules. Those rules require that either
by a Spanish public notary for the lenders to be able to enforce the loan the sponsor, originator or original lender in respect of the securitisa-
through certain special summary foreclosure procedures for notarised tion explicitly discloses to the investor that it will retain, on an ongoing
agreements. Only loans of small amounts are not executed in this way. basis, a material net economic interest in the securitisation (which in
Security agreements, on the other hand, are subject to strict any event is not less than 5 per cent) using one of five prescribed reten-
formalities and they will not be enforceable if these formalities are not tion methods. Those methods include (among other things) retention of:
met. All security agreements (with the exception of financial collateral • the most subordinated tranche or tranches, so that the retention
arrangements) have to be notarised and certain other formalities are equals no less than 5 per cent of the nominal value of the securi-
required depending on the type of security. Real estate mortgages have tised exposures;
to be registered with the land registry. In the case of ordinary pledges, • 5 per cent of the nominal value of each of the tranches sold to
the possession of the charged asset has to be delivered to the creditor investors; or
or to someone acting on its behalf. Pledges over shares, claims or bank • randomly selected exposures equivalent to no less than 5 per cent
accounts have to be notified to the company, the debtor or the account of the nominal value of the securitised exposures. The definitions
bank, respectively. of ‘sponsor’ and ‘originator’ as used in the sectoral EU legislation
are set out in the legislation. The term ‘original lender’ is undefined.
The risk retention rules set out in the sectoral EU legislation have been
replaced as of 2 January 2019 with the risk retention rules set out in
the EU Securitisation Regulation. The retention requirement and the
methods of retention remain the same under the EU Securitisation want to ensure that there are no restrictions in the loan documents that
Regulation. However, there is now a direct requirement on the sponsor, would prevent it from complying with its disclosure obligations under
originator and original lender to agree on an entity that will act as reten- Spanish and EU law (such as those set out in the Credit Rating Agency
tion holder and to ensure compliance with the retention requirement. Regulation). Again, if these restrictions are included in the underlying
In the absence of agreement among the originator, sponsor or original loan documents, the SPV would be required to obtain the relevant
lender as to who will be the retention holder, the originator will be borrower’s consent to this disclosure. In addition, if the borrowers
the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original are individuals, the SPV, its agents and the P2P platform will each be
lender’ are set out in the EU Securitisation Regulation. required to comply with the statutory data protection requirements
The EU Securitisation Regulation does not explicitly set out the juris- under Spanish law.
dictional scope of the ‘direct’ retention obligation, but there is a helpful
note in the Explanatory Memorandum to the European Commission’s ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
original proposal for the EU Securitisation Regulation that the intention TECHNOLOGY AND CRYPTO-ASSETS
is that the direct approach would not apply to securitisations (including
P2P securitisations) where none of the originator, sponsor or original Artificial intelligence
lender is ‘established in the EU’. ‘Establishment’ is typically described 27 Are there rules or regulations governing the use of artificial
by reference to the jurisdiction in which the legal entity is incorporated intelligence, including in relation to robo-advice?
or has its registered office. Therefore, the non-EU subsidiary of an EU
entity may not be subject to the direct retention obligation because a The Spanish Securities Market Commission (CNMV) has stated that the
subsidiary is typically a separate legal entity, whereas a non-EU branch fact that the investment advice or portfolio management is automated
of an EU entity may be caught within this provision because a branch is does not make a difference in the way that the service is regulated and
typically not a separate legal entity. Market participants are still seeking that the relevant conduct of business rules, suitability assessments and
clarity on this and it is expected that this point will be raised as part other rules apply in the normal way. In this regard, there are no specific
of the ongoing European Banking Authority (EBA) consultation on risk rules or regulations governing the use of artificial intelligence.
retention.
Distributed ledger technology
Possible retaining entities in respect of P2P securitisations 28 Are there rules or regulations governing the use of
Typically, a P2P lending platform will not qualify as the sponsor, origi- distributed ledger technology or blockchains?
nator or original lender of a P2P securitisation, and another entity with
the capacity to retain will therefore need to be identified. The range of No.
entities with capacity to retain is broader under the EU Securitisation
Regulation than under the current EU sectoral legislation and, there- Crypto-assets
fore, the ability of an entity to retain will depend on the rules that apply 29 Are there rules or regulations governing the use of crypto-
at the time the securitised notes are issued. Any entity that retains in assets, including digital currencies, digital wallets and
the capacity of originator is expected to be an entity of substance, and e-money?
the EU Securitisation Regulation expressly provides that an entity shall
not be considered to be an originator where it has been established Although not a regulation, the CNMV has published a joint warning with
or operates for the sole purpose of securitising exposures. The EU the Bank of Spain regarding the risks of investing in cryptocurrencies
Securitisation Regulation does not specify in what circumstances an and initial coin offerings (ICOs).
entity will be considered to have been established for the sole purpose
of securitising exposures but, in December 2017, the EBA published a Digital currency exchanges
consultation paper that proposed that an originator will not be consid- 30 Are there rules or regulations governing the operation of
ered to have been established with the ‘sole purpose’ of securitising digital currency exchanges or brokerages?
exposures if it satisfies certain conditions, including that:
• it has a broader business enterprise and strategy; No.
• it has sufficient decision makers with the required experience; and
• its ability to make payment obligations depends neither on the Initial coin offerings
exposures to be securitised nor on any exposures retained for the 31 Are there rules or regulations governing initial coin offerings
purposes of the risk retention regulations. (ICOs) or token generation events?
Securitisation confidentiality and data protection requirements Given the complexity of the phenomenon, criteria in this regard
26 Is a special purpose company used to purchase and securitise are subject to review in light of the experience accumulated and the
peer-to-peer or marketplace loans subject to a duty of debate that is currently taking place at an international level and, in
confidentiality or data protection laws regarding information particular, within the European Securities and Markets Authority. The
relating to the borrowers? CNMV and Bank of Spain are jointly working on this topic, setting out
criteria applying in relation to ICOs. There is an official document that
The entity assigning loans to the special purpose vehicle (SPV) must provides guidance on, mainly, the consideration of tokens as transfer-
ensure that there are no confidentiality requirements in the loan docu- able securities, the need and scope of intervention of entities authorised
ments that would prevent it from disclosing information about the loans to provide investment services, as well as representation of tokens and
and the relevant borrowers to the SPV and the other securitisation the consequence of their trading on trading platforms, and, finally, the
parties. If there are these restrictions in the underlying loan documen- requirement for a prospectus.
tation, the assignor will require the consent of the relevant borrower
to disclose to the SPV and other securitisation parties the information
they require before agreeing to the asset sale. In addition, the SPV will
www.lexology.com/gtdt 199
© Law Business Research 2020
Spain Simmons & Simmons LLP
On 25 May 2018, the EU General Data Protection Regulation (GDPR) There are no regulations specific to the outsourcing of IT systems,
came into force with direct effect across the entire EU. The GDPR including in relation to cloud computing and the internet of things.
governs the storage, viewing, use of, manipulation and other However, depending on the activities contemplated, consideration
processing by businesses of data that relates to a living individual. In will need to be given to restrictions on the processing of personal
summary, the GDPR requires that businesses only process personal data under the General Data Protection Regulation, aspects of the
data where that processing is done in a lawful, fair and transparent Intellectual Property Act approved by Royal Legislative Decree
manner, as further described in the GDPR. 1/1996, of 12 April, and parts of the General Telecommunications Act
The GDPR requires that any processing of personal data be 9/2014, of 9 May.
done pursuant to one of six lawful bases for processing. The most Financial services companies planning to outsource certain
commonly used lawful basis for processing is to obtain the consent services or activities may be subject to specific regulations. In general,
of the data subject to that processing – in relying on this lawful basis, credit institutions may delegate the provision of certain services and
the business must ensure that the consent is freely given, specific, the carrying on of certain functions to a third party provided that:
informed and unambiguous, and capable of being withdrawn as easily • there is no resulting void in the credit institution’s functions or
as it is given. This places a significant burden on businesses to ensure reduction in its internal control capacities; and
that their customers are fully informed as to what their personal data • supervisory authorities can continue to perform their supervisory
is being used for, which is a crucial change to the previous regime responsibilities.
under which disclosure did not need to be so transparent. Other lawful
bases for processing data include where that processing is necessary Importantly, outsourcing does not reduce a credit institution’s liability
for the business to perform a contract it has with the data subject, or for its legal obligations.
where required to comply with an obligation the business has at law Additional restrictions apply to the delegation by a credit institu-
(not a contractual obligation). tion of essential services or essential functions. Generally, a service or
The GDPR further differs from the previous regime in that it function is considered essential if it could affect compliance with the
places a significantly increased compliance burden on businesses, terms of a credit institution’s authorisation, financial results, solvency
including, for example, mandatory requirements to notify regulators or the continuity of banking activity. Financial institutions must notify
of data breaches, obligations to keep detailed records on processing any agreements delegating essential services or functions to the
and requirements for most entities to appoint a data protection officer. Bank of Spain, the Spanish Securities Market Commission or both one
Businesses that infringe the GDPR may be subject to adminis- month in advance.
trative fines of an amount up to €20 million or 4 per cent of global Bank of Spain Circular 2/2016 sets out further details regarding
turnover, whichever is higher. the extent to which outsourcing is permitted.
The Spanish parliament approved the Organic Act 3/2018, of 5 Credit institutions providing investment services must comply
December, to implement the measures and sanctions developing the with additional requirements set out in Royal Legislative Decree
GDPR. The main topics included in the new law are: 4/2015, of 23 October.
• data inspection and the appointment of an agency with responsi-
bility for inspections; Cloud computing
• penalties, including some exemptions from fines under the GDPR; 35 Are there legal requirements or regulatory guidance with
• proceedings in the case of a breach with different conditions respect to the use of cloud computing in the financial
depending on whether the breach is solely within Spain or services industry?
whether other jurisdictions are involved; and
• setting new digital rights as net neutrality, universal access to Not at the national level.
the internet, rights to security and digital education, right of The EU Agency for Network and Information Security (ENISA)
digital disconnection, digital last will, portability and right to be guidance entitled ‘Secure Use of Cloud Computing in the Finance
forgotten. Sector’ contains analysis of the security of cloud computing systems
in the finance sector and provides recommendations. Cooperation
Likewise, Organic Act 3/2018, of 5 December, also covers the rights of between financial institutions, national financial supervisory authori-
freedom of speech on the internet and the right to reply or clarify in ties and cloud service providers is encouraged. ENISA advocates a
relation to online news. risk-based approach to developing cloud computing systems in the
Oversight of compliance with the GDPR and related legislation is finance sector.
carried out by the Spanish Data Protection Agency.
INTELLECTUAL PROPERTY RIGHTS
Cybersecurity
33 What cybersecurity regulations or standards apply to IP protection for software
fintech businesses? 36 Which intellectual property rights are available to protect
software, and how do you obtain those rights?
There are no local rules on cybersecurity for fintech companies,
although Directive (EU) 2016/1148 on cybersecurity has been trans- Computer programs are protected by copyright as literary works.
posed by means of Royal Decree Act 12/2018, of 7 September. Registration is recommended.
Spanish law differentiates between works made in a collaborative way Increased tax burden
and collective works. The first is made by the collaboration of different 44 Are there any new or proposed tax laws or guidance that
authors and its division must be agreed by all the authors, although no could significantly increase tax or administrative costs for
author can unreasonably hold his or her consent for any exploitation fintech companies in your jurisdiction?
once division has been agreed. Each author is able to exploit his or her
part of the work unless it prejudices the common work. The collective Yes; the new government proposed in the last budget bill some tax
work is made by different authors but under the initiative and coordina- measures that were not finally approved. However, it is expected that in
tion of another person, who has the rights over it. the coming year these measures will be introduced. Among others we
can highlight the following.
Trade secrets
39 How are trade secrets protected? Are trade secrets kept Digital services tax
confidential during court proceedings? A digital services tax was pre-drafted as an indirect tax assessed on
a quarterly basis. The taxable event would be the provision of certain
Confidentiality is mainly protected under the agreements or contracts digital services in Spain such as the sale of online advertising space,
that pertain to it, although its breach can be construed in certain cases online intermediary services and the transfer of user-related data
as a criminal offence. The Trade Secrets Directive has been implemented gathered from digital platforms. The tax rate would be 3 per cent of
in Spain by means of Act 1/2019, of 20 February, on trade secrets. gross revenue.
No.
www.lexology.com/gtdt 201
© Law Business Research 2020
Spain Simmons & Simmons LLP
IMMIGRATION
Sector-specific schemes
45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there
any special regimes specific to the technology or financial
sectors?
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
In view of the covid-19 pandemic, from 14 March 2020 (the date of the
declaration of the state of alarm in Spain), the Spanish government
and the majority of regional and local authorities approved several
sets of legal measures to mitigate the adverse effects that this situ-
ation is having on the Spanish economy. Emergency legislation and
relief programmes have been published that impact the financial sector;
however, no specific measures have been put in place for the fintech
sector. In addition, fintech associations at a global level are working
together to propose a series of measures in the regulatory, legislative
and political environment to improve the ability of clients to access
financial digital services and improve the financing of fintech compa-
nies. The objective is to offer solutions in view of covid-19 to boost
the digital market and harmonise the legislative measures, creating a
unique market for digital financial services. The main purpose of these
proposed measures, and, specifically, financing solutions, is to protect
fintech companies from collapse as they may greatly help the economy
to recover.
FINTECH LANDSCAPE AND INITIATIVES All marketing activities that have the purpose of furthering the
sale of any product in Sweden, including fintech products of various
General innovation climate nature, are subject to the Swedish Marketing Practices Act (2008:486
1 What is the general state of fintech innovation in your (MPA)), which requires, for example, that marketing is carried out in
jurisdiction? accordance with generally accepted marketing practices. The Swedish
Consumer Agency, which includes the Consumer Ombudsman, is the
During its long history of fintech innovation, Sweden has produced primary authority responsible for ensuring that marketing material is
companies such as Klarna, iZettle, Trustly, Lendify, BehavioSec and compliant with the MPA.
Safello, just to name a few. Innovation is diverse, and fintech products
span areas such as banking services, payment and payment settle- Regulated activities
ment services, lending, biometrics and cryptocurrency. The Swedish 4 Which activities trigger a licensing requirement in your
fintech industry is still growing rapidly, and multiple fintech companies jurisdiction?
have emerged in, inter alia, the Swedish housing credit market. This
phenomenon may indicate a structural change for housing loan origi- The following activities trigger a licensing requirement:
nation in Sweden and a reduced market share for Sweden’s largest • consumer lending;
banks. However, the Swedish Financial Supervisory Authority (SFSA) • mortgage lending;
has indicated plans to introduce additional regulations in this area, and • consumer credit mediation;
the longevity of the new market actors remains to be seen. • lending in combination with accepting repayable funds from
the public;
Government and regulatory support • factoring and invoice discounting (when combined with accepting
2 Do government bodies or regulators provide any support repayable funds from the public);
specific to financial innovation? If so, what are the key • deposit taking (for deposits over 50,000 kronor);
benefits of such support? • management of alternative investment funds (AIFs) or undertak-
ings for collective investment in transferable securities (UCITS);
The Minister for Financial Markets has expressed interest in setting up • foreign exchange trading;
regulatory sandboxes where fintech start-ups may develop in an unreg- • insurance mediation;
ulated environment or only comply with a regulation-light regime, but • provision of payment services; and
the SFSA disagreed in a report published on 1 December 2017. In the • activities under the Capital Requirements Regulation No. 575/2013
same report, the SFSA proposed the introduction of the SFSA Innovation (the Capital Requirements Regulation).
Centre. The Innovation Centre was opened on 16 March 2018 and serves
to act as a point of contact for fintech companies and to facilitate a A licence is, furthermore, required for offering the services and products
dialogue with the SFSA. Furthermore, the Innovation Centre is intended covered by the Markets in Financial Instruments Directive 2014/65/EU
to provide guidance on applicable regulations for new financial services (MiFID II), such as the reception and transmission of orders in relation
products and fintech start-ups. to one or more financial instruments, the execution of orders on behalf
of clients, dealing on own account, portfolio management, advising on
FINANCIAL REGULATION investments in financial instruments, underwriting of financial instru-
ments or placing of financial instruments on a firm commitment basis,
Regulatory bodies and placing of financial instruments without a firm commitment basis.
3 Which bodies regulate the provision of fintech products and The following activities trigger a registration requirement:
services? • currency exchange;
• management or trading in virtual currencies;
The Swedish Financial Supervisory Authority (SFSA) generally acts as • deposit taking (for deposits up to 50,000 kronor); and
the competent regulator responsible for ongoing supervision of fintech • lending and credit mediation to non-consumers (if not combined
products and services and for the issuance of supplementary regula- with deposit taking).
tions and formal guidance. The SFSA is responsible for ensuring that
the business of (regulated) fintech companies is carried out in accord-
ance with applicable laws and regulations.
www.lexology.com/gtdt 203
© Law Business Research 2020
Sweden Vinge
Consumer lending neutral and factual as possible and may not be intrusive (by way of,
5 Is consumer lending regulated in your jurisdiction? for example, targeting certain types of possible consumers via digital
means). The marketing should also be balanced in the sense that certain
Yes, consumer lending is regulated through, inter alia, the Swedish terms of the credit should not be disproportionately highlighted, thereby
Consumer Credit Act (2010:1846), which includes relevant provisions reducing the consumer’s ability to make a well-founded decision.
relating to, among other things, sound lending practices, marketing of
consumer loans, credit assessments, information prior to the conclu- Secondary market loan trading
sion of and in relation to documentation of loan agreements, interest, 6 Are there restrictions on trading loans in the secondary
fees and repayment of loans. market in your jurisdiction?
To offer or provide consumer loans, the relevant company
is required to be authorised by the SFSA under, for example, the There are no particular restrictions on trading loans in the secondary
Swedish Consumer Credit (Certain Operations) Act (2014:275 (CCCOA)) market in Sweden.
(should the company solely provide or act as intermediary in relation
to consumer loans), the Swedish Banking and Financing Business Collective investment schemes
Act (2004:297) (should the company instead, given the operations 7 Describe the regulatory regime for collective investment
carried out, be considered a credit institution (as defined in the Capital schemes and whether fintech companies providing
Requirements Regulation)) or the Swedish Housing Credit Operations alternative finance products or services would fall within its
Act (2016:2014 (HCOA)) (should the company solely provide, act as an scope.
intermediary in relation to or provide advice regarding consumer loans
in the form of mortgages). Collective investment undertakings are regulated through the Swedish
Since 1 September 2018, new rules regarding high-cost credits UCITS Act (2004:46), stipulating that the management of a Swedish
apply, defined as credits granted to consumers that have an interest UCITS, the sale and redemption of units in the fund and administra-
rate of 30 percentage points above the reference rate according to the tive measures relating thereto may only be conducted following
Swedish Interest Act (1975:635), as determined by the Swedish Central authorisation from the SFSA (with foreign EEA management companies
Bank, and that do not primarily relate to a credit purchase or residential authorised in their respective home state being able to rely on pass-
immovable property. porting regulations to carry out operations in Sweden).
Pursuant to the new rules, certain caps have been introduced Fintech companies would generally not fall within the scope of the
whereby: (1) the maximum amount of interest, as well as any default above-mentioned regulatory regime.
interest, that may be charged under a credit agreement may not exceed
40 percentage points above the aforementioned reference rate; and (2) Alternative investment funds
the maximum amount of fees under a credit agreement may not exceed 8 Are managers of alternative investment funds regulated?
the credit amount.
For the purposes of (2), fees are defined as costs for the credit Yes, managers of AIFs (AIFMs) are regulated through the Swedish
(comprising the aggregate amount of interest rate, credit fees and other Alternative Investment Fund Managers Act (2013:561 (AIFMA)), imple-
costs that the consumer is obliged to pay under the loan, inclusive of menting the Alternative Investment Fund Managers Directive 2011/61/
necessary costs for valuation but excluding notarisation fees), default EU (AIFMD). Small AIFMs (ie, AIFMs managing AIFs below the thresh-
interest and costs pursuant to the Swedish Compensation for Collection olds specified in article 3(2) of the AIFMD) may be exempted from the
Costs Act (1981:739), comprising costs that the creditor has incurred for licensing requirements but must register with the SFSA and may not
measures taken for the purposes of obtaining payment including, for passport the registration into any other EU member state.
example, payment reminders and collection demands. Similar to the case in relation to UCITS, fintech companies would
The marketing of consumer credits has previously been subject generally not fall within the scope of the AIFMA.
to certain requirements regarding moderation and restraint. The new
rules also include an explicit requirement for all such marketing to be Peer-to-peer and marketplace lending
moderate. The new requirement is applicable to all types of consumer 9 Describe any specific regulation of peer-to-peer or
credits and, thus, not solely to high-cost credits (as defined above). marketplace lending in your jurisdiction.
It is not entirely clear what the meaning of moderation entails, and it
remains to be seen how this requirement will be applied by Swedish Companies facilitating peer-to-peer or marketplace lending, comprising
courts and authorities in practice. loan intermediation or brokering, are regulated by and require authori-
The authorities have paid more attention to the moderation sation pursuant to the CCCOA (if the borrowers are consumers) or the
requirement recently, and it is clear that a comprehensive assessment HCOA (if the borrowers are consumers and the loans relate to purchases
of all relevant circumstances will be made. In particular, the authorities of residential immovable property). Both the CCCOA and the HCOA
and courts will assess: contains regulations on, for example, anti-money laundering measures,
• whether the credit is presented in a way that misleads the sound practices for loan intermediation operations, and ownership and
consumer about the financial consequences of the credit or brings management assessments.
the consumer to make an unfounded decision to enter into a credit Business operators providing those services to borrowers that are
agreement; not consumers are required to register its operations with the SFSA
• whether the credit is presented as a carefree solution to the (by way of notification to the SFSA) in accordance with the Swedish
consumer’s financial problems; and Certain Financial Operations (Reporting Duty) Act (1996:1006) and
• whether the credit is neutral in a way that enables the consumer to comply with provisions relating to, for example, anti-money laundering,
decide whether the credit is favourable or not. as well as undergo ownership and management assessments. Should
the relevant company also be responsible for the transactions of funds
Pursuant to the Swedish government preparatory works implementing between lenders and borrowers (including keeping funds on a client
the above changes, it is stipulated that the marketing should be as account, or similar), the operations would instead fall under and require
authorisation pursuant to the Swedish Payment Services Act (2010:751 Payment services
(PSA)), which imposes additional requirements relating to, for example, 12 Are payment services regulated in your jurisdiction?
own funds and information and technical processes relating to the
execution of payment transactions. Yes. Payment services are regulated under the Second Payment
Services Directive (EU) 2015/2366 (PSD2), which has been imple-
Crowdfunding mented into Swedish law through the PSA. Money remittance, execution
10 Describe any specific regulation of crowdfunding in your of payment transactions, acquisition of payment instruments, payment
jurisdiction. initiation and account information services are among the services
currently regulated under the PSA.
There is currently no specific regulation of crowdfunding under Swedish
law. Certain crowdfunding schemes may, however, fall within the scope Open banking
of the general financial services framework. In the case of equity-based 13 Are there any laws or regulations introduced to promote
crowdfunding, the Swedish Companies Act (2005:551) prohibits a private competition that require financial institutions to make
company or a shareholder thereof from attempting to sell shares or customer or product data available to third parties?
subscription rights in the company or debentures or warrants issued by
the company to the public. The obligation for financial institutions to make customer or product
In July 2016, the Swedish government appointed a special data available to third parties under PSD2 has been implemented
committee to analyse the need for further regulations with regard to, and without change in Sweden.
to improve the legal and regulatory opportunities for, peer-to-peer and
grassroots financing in Sweden. A legislative proposal was published Robo-advice
in February 2018 that proposes the introduction of a new Swedish 14 Describe any specific regulation of robo-advisers or other
Financing Mediation Act (SFA). The proposed SFA includes licensing companies that provide retail customers with automated
requirements for the activities that fall within the scope of the SFA and access to investment products in your jurisdiction.
provisions on operational requirements, supervision and sanctions. The
SFSA would be the authority responsible for licensing, registration and There is no specific regulation of automated investment advice in
supervision, and companies authorised under the proposed SFA would Sweden. The SFSA defines automated investment advice as personal
be subject to the provisions of the Money Laundering and Terrorist advice regarding financial instruments that is provided without, or with
Financing Prevention Act (2017:630), implementing the Fourth Anti- limited, human interaction. In Sweden, automated investment advice
Money Laundering Directive 2015/849/EU, as amended. The proposed (eg, robo-advice) constitutes regulated investment advice under the
SFA would apply to business activities where the purpose is to – in Swedish Securities Markets Act (2007:528), implementing MiFID II, and
exchange for payment – bring together natural or legal persons who is consequently subject to all the substantive provisions of the Swedish
intend to acquire financing from other natural or legal persons, where MiFID II implementation, including the SFSA’s regulations regarding
the financing is in the form of: investment services and activities (2017:2).
• loan-based crowdfunding (credit granted by companies in exchange
for payment, where the creditor is not licensed by the SFSA to Insurance products
conduct lending or loan mediation); 15 Do fintech companies that sell or market insurance products
• share-based crowdfunding (financing through the transfer of debt in your jurisdiction need to be regulated?
or ownership rights in the legal person seeking financing);
• reward-based crowdfunding (financing through the offer to provide Yes, if the selling and marketing is classified as ‘insurance distribu-
a service or commodity by the person seeking financing); or tion’. Insurance distribution is regulated under the Swedish Insurance
• donation-based crowdfunding (financing without an obliga- Distribution Act (2018:1219 (IDA)) implementing Directive (EU) 2016/97
tion for the person seeking financing to provide any payment or on Insurance Distribution (IDD). The IDA entered into force in Sweden on
performance). 1 October 2018. The IDD is a minimum harmonisation directive, enabling
member states to impose stricter regulation. The IDA includes the same
Licensing will mainly be required for share-based and loan-based definition of ‘insurance distribution’ and the same exemptions from
crowdfunding. Companies that receive authorisation to mediate share- regulation as the IDD. Sweden has, however, imposed stricter regula-
based or loan-based crowdfunding will be referred to as licensed capital tions regarding third-party remunerations, conditions for providing
mediators. The proposal has, however, not yet been adopted into law. advice on a fair and personal analysis, certain marketing prohibitions
and information to a customer on remuneration. The stricter regulatory
Invoice trading framework introduced by the IDD regarding insurance-based invest-
11 Describe any specific regulation of invoice trading in your ment products also applies to the distribution of pension insurance that
jurisdiction. is exposed to market volatility.
In accordance with the Certain Financial Operations (Reporting Duty) Credit references
Act, a company participating in financing, for example, by acquiring 16 Are there any restrictions on providing credit references or
claims (invoice trading), is required to register its operations with the credit information services in your jurisdiction?
SFSA (by way of notification to the SFSA), and it is further obliged to
comply with provisions relating to, for example, anti-money laundering, Yes. Credit references and credit information services are regulated
and to undergo ownership and management assessments. under the Swedish Credit Information Act (1973:1173) and the Swedish
Credit Information Regulation (1981:955). A licence from the Swedish
Data Protection Authority is required when carrying out credit-rating
operations in Sweden.
www.lexology.com/gtdt 205
© Law Business Research 2020
Sweden Vinge
Guidance Provided that the company processes personal data as part of its
22 Is there regulatory or industry anti-financial crime guidance operations, it would further, in respect of borrowers’ personal data, be
for fintech companies? subject to the EU General Data Protection Regulation and Swedish data
protection laws.
Yes. The SFSA has adopted regulations and guidelines in respect of AML,
setting out the detailed provisions applicable for relevant companies. ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
TECHNOLOGY AND CRYPTO-ASSETS
PEER-TO-PEER AND MARKETPLACE LENDING
Artificial intelligence
Execution and enforceability of loan agreements 27 Are there rules or regulations governing the use of artificial
23 What are the requirements for executing loan agreements or intelligence, including in relation to robo-advice?
security agreements? Is there a risk that loan agreements
or security agreements entered into on a peer-to-peer or There is no specific regulation of automated investment advice in Sweden.
marketplace lending platform will not be enforceable? The Swedish Financial Supervisory Authority (SFSA) defines automated
investment advice as personal advice regarding financial instruments
Loan origination is regulated under the Banking and Financing Business that is provided without, or with limited, human interaction. In Sweden,
Act as well as in subsequent regulations and guidelines issued by the automated investment advice (eg, robo-advice) constitutes regulated
Swedish Financial Supervisory Authority (SFSA) and the Swedish investment advice under the Securities Markets Act (SMA), implementing
Consumer Agency (SCA). The SFSA and the SCA have recently raised the EU Markets in Financial Instruments Directive (MiFID II), and is conse-
demands on lenders’ investigation of creditworthiness prior to entering quently subject to all the substantive provisions of the Swedish MiFID II
into loan agreements with consumers. Furthermore, the loan agree- implementation, including the SFSA’s regulations regarding investment
ments are subject to the Consumer Credit Act. services and activities (2017:2). If the use of artificial intelligence would
The risk that loan agreements entered into on a peer-to-peer or include decisions based solely on automated processing of personal
marketplace lending platform would not be enforceable under Swedish data, including profiling, this would be subject to the requirements in
law is minimal. article 22 of the EU General Data Protection Regulation (GDPR).
www.lexology.com/gtdt 207
© Law Business Research 2020
Sweden Vinge
Business operators conducting ICOs would be subject to the provisions Under the GDPR, controllers must have ‘appropriate technical and
of the Certain Financial Operations (Reporting Duty) Act to the extent organisational measures’ in place to ensure a level of security appro-
their operations constitute management or trading in virtual currencies. priate to the risk. There is, therefore, no prescribed level of security, but
Moreover, should the coins or tokens qualify as financial instruments an analysis must be carried out to ascertain what level of security is
under the SMA, the issuers may become subject to, inter alia, the SMA, appropriate to the type of processing of personal data being carried out.
the Alternative Investment Fund Managers Act, the Swedish imple- The EU Directive on security of network and information systems
mentation of the Prospectus Directive (2003/71/EC) and the Money (the NIS Directive) has been implemented into Swedish law (2018:1174)
Laundering and Terrorist Financing Prevention Act. and supplemented by a regulation (2018:1175). These Acts impose
cybersecurity requirements for digital services providers and opera-
DATA PROTECTION AND CYBERSECURITY tors of essential services. Companies in the financial industry that are
deemed as operators of essential services within the banking or finan-
Data protection cial market infrastructure are covered by the Acts and are, therefore,
32 What rules and regulations govern the processing and obliged, among other things, to:
transfer (domestic and cross-border) of data relating to • notify the Swedish Financial Supervisory Authority immediately;
fintech products and services? • demonstrate a systematic and risk-based approach to matters
regarding information security, and
The EU General Data Protection Regulation (GDPR) and the Swedish Act • report incidents to the Swedish Civil Contingencies Agency.
on Supplementary Provisions to the GDPR (2018:218) generally apply
to the processing of personal data by data controllers established in OUTSOURCING AND CLOUD COMPUTING
Sweden. The main requirements relating to the processing of personal
data include the following. Outsourcing
• Personal data may only be processed (ie, collected, used and 34 Are there legal requirements or regulatory guidance with
stored) if there are legal grounds (ie, consent) for the processing. respect to the outsourcing by a financial services company of
However, there are several exemptions from the requirement of a material aspect of its business?
consent (eg, where the processing is necessary to fulfil a contract
or a legal obligation or is necessary to pursue a legitimate interest There are multiple legal and regulatory requirements in respect of
of the data controller, unless this interest is overridden by the outsourcing by financial services companies, including, inter alia, the
interest of the registered person to be protected against undue Banking and Financing Business Act, the Consumer Credit (Certain
infringement of privacy). Operations) Act, the Securities Markets Act, the Electronic Money Act,
• Certain fundamental requirements must be met (eg, personal the Payment Services Act, the regulations of the Swedish Financial
data must be adequate, relevant and non-excessive in relation to Supervisory Authority (SFSA) (2010:3) and (2011:49), detailed provisions
the purpose of the processing and must not be kept longer than set out in the Markets in Financial Instruments Directive Commission
necessary). Delegated Regulation 600/2014/EU and the European Banking Authority
• Data subjects must, as a general rule, be informed of the processing (EBA) Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), as
of their personal data, and data subjects have certain rights (eg, well as questions and answers provided by the SFSA on the application
right of access, rectification, erasure and data portability). of the EBA Guidelines.
• Processing of sensitive personal data and criminal offence data The provisions are subject to some variation, but in general impose
may only be performed in limited circumstances. In general, that financial services companies are required to exercise the requisite
consent from the person concerned is required for sensitive data. skill, care and diligence when entering into, managing and terminating
As a general rule, it is prohibited to process criminal offence data outsourcing arrangements. Furthermore, the rights and obligations
(there are a few exemptions, for example, regarding whistle- of the financial services company and the services provider must be
blowing systems, where it is permitted to process criminal offence clearly documented in an outsourcing agreement. If the financial
data under certain conditions). services company intends to outsource a significant part of the licensed
• There are specific requirements that must be met in case of export operations, or activities that have a natural connection with financial
of personal data to countries outside the European Union or the operations or their support functions, the financial services company
European Economic Area (eg, consent or model clause agreements is required to notify the SFSA thereof in advance and also provide the
may justify such export). SFSA with a copy of the relevant outsourcing agreement.
• A data controller must take appropriate technical and organi- The SFSA requires outsourcing agreements to be in writing and
sational measures to protect personal data. Data processing to regulate clearly the rights and obligations of the financial services
agreements must be entered into with data processors. company and the third-party service provider. The SFSA further expects
• The GDPR also includes requirements regarding, inter alia, the financial services company to be able to assess and monitor how
appointment of data protection officers, personal data breaches, well the third-party service provider is carrying out its duties and to
data protection by design and by default, records of processing terminate the agreement should the third-party service provider lack
activities, data protection impact assessments, consultation and the skills, capacity and authorisations required by law to reliably and
cooperation with the data national protection authority. professionally perform the outsourced duties and manage risks related
• The GDPR applies to pseudonymised data but not to fully to these duties.
anonymised data (ie, where it is not possible to directly or indirectly
identify an individual by any means).
www.lexology.com/gtdt 209
© Law Business Research 2020
Sweden Vinge
Branding
40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can
fintech businesses ensure they do not infringe existing
brands?
There are numerous remedies available when suing an alleged infringer Malin Malm Waerme
malin.malmwaerme@vinge.se
in court. For example, preliminary injunctions and prohibitions under
penalty of fine as well as damages for infringement, loss of profit and
impaired goodwill are available in all Swedish intellectual property Stureplan 8
laws. Infringements committed intentionally or through gross negli- Box 1703
gence can also result in fines or imprisonment. 111 87 Stockholm
Sweden
COMPETITION Tel: +46 10 614 3000
Fax: +46 10 614 3190
Sector-specific issues www.vinge.se
There are no specific competition rules for fintech companies. The Increased tax burden
general Swedish competition rules, which are based on EU competition 44 Are there any new or proposed tax laws or guidance that
law, apply. The rapid growth of the Swedish fintech industry in recent could significantly increase tax or administrative costs for
years has given rise to many new payment solutions and increased fintech companies in your jurisdiction?
competition between the old and the new. Although we have seen
issues relating, inter alia, to the interoperability between the traditional No.
banking systems and the new digital solutions, case law regarding the
application of the competition rules in the fintech industry is still limited. IMMIGRATION
rule under Swedish law is that for a citizen of a non-EU country to be The Swedish government, the Swedish Financial Supervisory
able to work and reside in Sweden, a work permit and a residence permit Authority and the Swedish Central Bank have, furthermore, presented
is required. EU citizens are, however, entitled to work in Sweden without a number of initiatives to avoid credit supply problems and to support
any kind of permit. Swiss citizens are entitled to work in Sweden without business, including but not limited to the Central Bank making avail-
a work permit, but are still required to apply for a residence permit. able up to 500 billion kronor in loans for Swedish banks to be used
Certain other categories of employees may also temporarily for on-lending to Swedish non-financial companies, the Central Bank’s
work in Sweden without a specific work permit, provided that certain purchase of up to 300 billion kronor of securities (in government and
requirements are fulfilled. For example, a work permit is not required municipal bonds, covered bonds and securities issued by non-finan-
for individuals employed by a multinational corporate group where the cial companies) and state guarantees for 70 per cent of new bank
employees will undergo practical training, on-the-job training or other financing of up to 75 million kronor in each case to otherwise viable
in-service training at a company in Sweden that is part of the group (a small and medium-sized enterprises facing difficulties owing to the
maximum aggregate period of three months). In the absence of any of covid-19 pandemic.
the aforementioned exemptions, all non-EU citizens must obtain a work
permit to be entitled to work in Sweden.
The application procedure is generally the same for all applicants
regardless of occupation or industry. Applications are assessed by the
Swedish Migration Agency (MA), and the application processing time
varies. It currently takes up to four months for the MA to examine a
complete first-time application registered through the regular queue.
There are, however, particular certified firms (such as certain law
firms) with access to the MA’s fast-track system when applying for
work permits on behalf of a client company and its employees. Certified
firms are entitled to a significantly shorter turnaround time (10 days for
complete first-time applications). In cases where the employer is not
bound by a collective bargaining agreement and the concerned Swedish
trade union does not oppose the absence thereof, the official fast-track
turnaround time is 60 days.
Current developments
46 Are there any other current developments or emerging
trends to note?
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
www.lexology.com/gtdt 211
© Law Business Research 2020
Switzerland
Clara-Ann Gordon and Thomas A Frick
Niederer Kraft Frey
FINTECH LANDSCAPE AND INITIATIVES conclusion of such contracts). Various other changes to the relevant laws
were already made or initiated to further enhance the fintech ecosystem.
General innovation climate
1 What is the general state of fintech innovation in your FINANCIAL REGULATION
jurisdiction?
Regulatory bodies
Switzerland strongly supports innovation both at the government and 3 Which bodies regulate the provision of fintech products and
corporate level. This includes fintech innovation. The country has a services?
strong and mature financial market and strong service industries that
support such initiatives. Well-known internationally is the Crypto Valley, The provision of fintech products and services is governed by the general
a fintech hub focused on crypto offerings located in Zug, a small canton laws and regulations applicable to the financial market, which in general
close to the financial centre of Zurich. Google, IBM, Disney, Thomson is supervised by the Financial Market Supervisory Authority (FINMA).
Reuters and the Federal Institute of Technology ETH have all established FINMA regulates the provision of these products and services in more
research laboratories in and around Zurich, adding to the technical detail by issuing circulars and guidelines, such as the guideline for initial
innovation network. Zurich University is in the process of creating 18 coin offerings (ICOs). FINMA is the competent supervisory authority for
new chairs for digital innovation studies; Zurich University also intends banks, insurance companies and asset managers managing assets of
to further enhance its research on artificial intelligence. There are collective investment schemes.
numerous companies focusing on digital offerings, specialised ones such Financial intermediaries, which were not prudentially supervised
as Swissquote, Temenos and Avaloq, and others providing IT support prior to 1 January 2020, became subject to prudential supervision (in
and IT-focused financial services. In addition, major Swiss banks such as particular, asset managers). They must join a self-regulatory organisa-
UBS and Credit Suisse both have fintech innovation laboratories. Banks tion (SRO) for the purpose of anti-money laundering (AML) compliance
focused on crypto offerings (eg, SEBA and Sygnum) received a banking and one of the newly set up special supervisory bodies for asset
licence in summer 2019; other projects are currently aiming to set up managers. These in turn are supervised by FINMA but are privately run
trading platforms and exchanges (eg, SIX Swiss Exchange and its SDX organisations.
project) and to obtain a licence from the Financial Market Supervisory Finally, certain ICOs were made by foundations domiciled in
Authority (FINMA). FINMA also recently granted the first two of the new Switzerland and these foundations are supervised by separate supervi-
fintech licenses. sory authorities at the communal, cantonal and federal level; foundations
set up for the purpose of making an ICO are usually supervised by the
Government and regulatory support Federal Authority for Foundation Supervision.
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key benefits Regulated activities
of such support? 4 Which activities trigger a licensing requirement in your
jurisdiction?
There are numerous initiatives by government bodies and regulators
to provide support to financial innovation. The most comprehensive FINMA provides on its website (www.finma.ch) an overview of activi-
one is the Digital Switzerland initiative that coordinates various private ties that may trigger a licensing requirement. Fintech companies are
initiatives and provides government support to them. FINMA set up a particular likely to fall within the scope of the Banking Act, the Financial
special fintech desk as a competence centre for fintech applications and Institutions Act, the Financial Market Infrastructure Act (FMIA) and the
enquiries. Through this desk, FINMA issued, for instance, guidelines Anti-money Laundering Act (AMLA).
for initial coin offerings (ICOs) in 2018 and confirmed its willingness to Anyone who accepts deposits from the public on a commer-
review submissions for ICOs and provide clearance letters for these cial basis is subject to banking licence requirements. This is the case
offerings confirming that an ICO will not be in breach of Swiss regu- if either deposits of more than 20 investors are actually held or if the
lations. Through the state agency Innosuisse, the Swiss Federation entity publicly announces to a non-limited number of persons that it is
supports technology-based innovation in Swiss enterprises. Innosuisse willing to accept these deposits. Bond issues do not qualify as deposits
offers coaching, thereby helping start-ups to raise capital. and capital contributions that do not entail a repayment obligation also
Furthermore, the government initiated various changes to Swiss do not qualify as deposits. Since 1 August 2017, the holding of client
law. Among others, relevant rules for the on-boarding of clients or for funds no longer triggers banking licence requirements if the funds do
entering into asset management agreements were adapted to render not at any time exceed 1 million Swiss francs, the funds are neither rein-
them technology neutral (ie, to enable online on-boarding and online vested nor interest-bearing and the depositors have been informed in
writing prior to making the deposits that their funds are not covered by FINMA. Collective investment schemes are highly regulated in
by the Swiss depositor protection regime and that the institution is not Switzerland and subject to investment and borrowing restrictions as
supervised by FINMA. On 1 January 2019, a special licence was intro- well as to strict rules applicable to the sales of its units in or from
duced whereby undertakings accepting deposits from the public of up to Switzerland. No specific regulations apply for fintech companies.
100 million Swiss francs may qualify for a banking licence light, a licence There is a project pending for a change of law, which could intro-
that subject these undertakings to rules less stringent than the rules duce a non-licensed fund structure for professional investors only.
applicable to banks, providing no interest is paid on such deposits and
the funds are not reinvested (fintech licence). Alternative investment funds
An entity that commercially buys and sells securities on the primary 8 Are managers of alternative investment funds regulated?
market for its own account for short term resale or for the account of
third parties, which offers them publicly on the primary market or create Switzerland not being a member state of the European Union, the
or publicly offers derivatives, may require a securities house licence. Alternative Investment Fund Managers Directive is not applicable. As
The term ‘securities’ is now defined in the FMIA and is understood as a rule, an asset manager domiciled in Switzerland of a Swiss or foreign
meaning ‘standardised certified and uncertified securities, derivatives collective investment scheme requires a licence from FINMA. However,
and intermediated securities, which are suitable for mass trading’. if the investment fund is open to qualified investors only, the asset
Further clarification is provided by the ordinance on financial market manager may not fall under the licence requirement if the assets under
infrastructures and market conduct in securities and derivatives trading, management do not exceed 100 million Swiss francs, or if the assets do
which clarifies that only such securities that are publicly offered for sale not exceed 500 million Swiss francs, provided that the portfolio is not
in the same structure and denomination or are placed with more than leveraged and the investors do not have a redemption right for a period
20 clients, insofar as they have not been created especially for individual of five years, or if the investor is part of the same financial group as the
counterparties, will fall under the regulation. asset manager.
While advising on investments will not be subject to licence
requirements, asset management based on a power of attorney subjects Peer-to-peer and marketplace lending
the asset manager to the obligation to join a SRO, to comply with the 9 Describe any specific regulation of peer-to-peer or
relevant rules of the Swiss AMLA and to obtain a licence from FINMA. marketplace lending in your jurisdiction.
AMLA regulations also extend to persons who carry out credit trans-
actions, such as consumer loans or mortgages, factoring, commercial If the fintech company organising the marketplace is acting as a mere
financing or financial leasing, and persons who provide services relating marketplace and does not accept or forward any funds, it will not be
to payment transactions. subject to any specific regulation. However, if the fintech organising the
Payment systems may under certain conditions require a licence marketplace or the peer-to-peer lending accepts funds or controls the
under the FMIA. forwarding of these funds to another party of the marketplace, it will be
subject to AML regulations and will need to join an SRO to comply with
Consumer lending the AML regulations.
5 Is consumer lending regulated in your jurisdiction?
Crowdfunding
Consumer lending activities will require membership in a SRO and 10 Describe any specific regulation of crowdfunding in your
compliance with the applicable AML rules. Furthermore, consumer jurisdiction.
lending may fall under the Consumer Credit Act; a consumer lending
company must obtain a licence (from a cantonal authority, unless it Crowdfunding is not specifically regulated under Swiss law, but FINMA
holds a banking licence), must hold own assets in the amount of 8 per issued a fact sheet outlining the applicable rules. Therefore, the general
cent of the issued consumer loans and is subject to various rules on rules apply to crowdfunding systems. As a rule, crowdfunding platforms
providing transparency on the terms of the consumer loan and the obli- will not be subject to prudential supervision. If the crowdfunding plat-
gation to verify the creditworthiness of the counterparty. form only organises the funding but does not control the flow of funds,
it will not be subject to licensing requirements. If the crowdfunding
Secondary market loan trading platform accepts funds and forwards these funds to the recipient within
6 Are there restrictions on trading loans in the secondary a time period of up to a maximum of 60 days without paying interest
market in your jurisdiction? on the funds, the crowdfunding platform will be subject to AML regula-
tions and will need to become a member of an SRO. If a crowdfunding
There is no licence requirement for trading loans in the secondary platform holds funds for a period longer than 60 days, it may require a
market. However, if an investment company is buying and selling securi- fintech licence under the Banking Act, if the funds held do not exceed
ties for their own account with the intent of reselling them within a short the amount of 100 million Swiss francs. If the funds held exceed this
time period or for the account of third parties, these companies must amount or if interest is paid on the amount held, a banking licence will be
obtain a securities house licence from FINMA. required. Not only the platform may require a licence, but also the project
developer, if it accepts deposits or advertises that it will accept deposits.
Collective investment schemes
7 Describe the regulatory regime for collective investment Invoice trading
schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your
finance products or services would fall within its scope. jurisdiction.
As a rule, peer-to-peer lenders, marketplace lenders or crowdfunding Invoice trading and factoring is not specifically regulated in Switzerland
platforms will not fall under the rules applicable to collective investment and does not require a prudential licence. However, trading in invoices
schemes. Collective investment schemes and companies managing qualifies the fintech company as a financial intermediary and the fintech
collective investment schemes are subject to prudential supervision company will have to comply with AML regulations and join an SRO.
www.lexology.com/gtdt 213
© Law Business Research 2020
Switzerland Niederer Kraft Frey
Payment services basis, this activity may trigger reporting obligations to the Swiss
12 Are payment services regulated in your jurisdiction? Foreign Department under the Federal Act on private Security
Services Abroad.
Switzerland not being a member of the European Union, the European
Payment Services Directive 2 (PSD2) does not apply and Switzerland CROSS-BORDER REGULATION
does not have a corresponding regulation. Therefore, no prudential
licence is required for payment services. However, any provider of Passporting
payment services will need to comply with AML rules and will have 17 Can regulated activities be passported into your jurisdiction?
to join an SRO. If a payment system is deemed to be of systemic rele-
vance, or if FINMA is of the opinion that supervision is required for the No passporting of regulated activities into Switzerland is possible.
protection of the participants of a payment system, FINMA can at its
discretion require a payment system to obtain a licence under the FMIA Requirement for a local presence
and such systems will furthermore be subject to reporting obligations 18 Can fintech companies obtain a licence to provide financial
to the Swiss National Bank. The Swiss National Bank has the compe- services in your jurisdiction without establishing a local
tence to subject foreign payment systems that are of systemic relevance presence?
to Switzerland to its supervision. However, most payment systems are
not subject to prudential supervision or licence requirements. FINMA As a rule, a licence will only be granted to a company established in
declared that the LIBRA stablecoin, Facebook’s project, would be of Switzerland (ie, if it has local presence either in the form of a company
systemic relevance. or in the form of a branch of a foreign legal entity). Product offerings,
however, are possible on a cross-border basis provided that the prod-
Open banking ucts (such as investment funds) are approved in Switzerland. While
13 Are there any laws or regulations introduced to promote the distribution of insurance products, collective investment schemes,
competition that require financial institutions to make derivatives and securities is regulated, general banking services may
customer or product data available to third parties? be offered by foreign banks in Switzerland without licensing require-
ments; however, since 1 January 2020, client advisers working for
The PSD2 does not apply in Switzerland and no equivalent regulation foreign financial service providers need to register in a Swiss advisory
exists. Swiss banks are sceptical and, at the time of writing, do not open register. Exempt from this are client advisers working for banks, securi-
up interfaces to their client data. However, as banks are criticised for ties houses and asset managers and client advisers working for other
that approach and as banks usually also provide cross-border services, foreign prudentially supervised financial institutions if they only advice
it is expected that certain banks will in the future start to apply the PSD2 professional or institutional clients.
rules voluntarily by granting third parties access to certain data, subject When marketing financial products, such as investment funds and
to customer consent. structured products, the local Swiss rules on the marketing of such
products must be complied with (eg, prospectus requirements under
Robo-advice Swiss law).
14 Describe any specific regulation of robo-advisers or other
companies that provide retail customers with automated SALES AND MARKETING
access to investment products in your jurisdiction.
Restrictions
There are several robo-advisers active on the Swiss market. The 19 What restrictions apply to the sales and marketing of
rules applicable to them are the same as those that apply to normal financial services and products in your jurisdiction?
asset managers.
When marketing financial products, such as investment funds and struc-
Insurance products tured products, the local Swiss rules on the marketing of such products
15 Do fintech companies that sell or market insurance products must be complied with (eg, prospectus requirements under Swiss law).
in your jurisdiction need to be regulated?
CHANGE OF CONTROL
Insurance companies operating in Switzerland must obtain a licence
for their specific activities from FINMA. As the sale and marketing of Notification and consent
insurance products is highly regulated, any marketing of these products 20 Describe any rules relating to notification or consent
(including cross-border marketing into Switzerland) needs to be evalu- requirements if a regulated business changes control.
ated in detail prior to any marketing activities.
If a prudentially supervised legal entity changes control, the legal entity
Credit references and the new controlling shareholder must obtain an additional licence
16 Are there any restrictions on providing credit references or from the Financial Market Supervisory Authority. The same applies if
credit information services in your jurisdiction? 10 per cent or more of the capital or of the voting rights in a foreign-
controlled prudentially supervised legal entity are transferred. In the
There is no general licensing requirement for providing credit refer- application, full information must be provided on the new shareholder
ences or credit information services. However, any company providing and on the persons controlling this new shareholder up to the ultimate
this information must comply with the Swiss Federal Act on Data beneficial owner.
Protection, which applies not only to natural persons but also to legal
entities. Furthermore, the gathering of information from non-public
sources may qualify as activity of private detective, which is subject
to licensing requirements in certain cantons. If done on a cross-border
FINANCIAL CRIME A security assignment of rights will also only be valid if entered
into in writing by the assignee. Mortgages can only be entered into in
Anti-bribery and anti-money laundering procedures the form of a public deed.
21 Are fintech companies required by law or regulation to have
procedures to combat bribery or money laundering? Assignment of loans
24 What steps are required to perfect an assignment of
There are no specific rules applicable to fintech companies. All Swiss loans originated on a peer-to-peer or marketplace lending
legal entities and persons are subject to the anti-bribery rules of the platform? What are the implications for the purchaser if the
Swiss Criminal Code and need to comply with these provisions. For assignment is not perfected? Is it possible to assign these
prudentially supervised companies, compliance with such anti-bribery loans without informing the borrower?
rules is part of the supervisory concept and any breaching of these
rules may endanger the licence. An assignment of a claim can be done unilaterally without informing the
Anti-money laundering (AML) provisions apply as soon as a debtor under the loan. However, such assignment of a claim must be
company controls foreign assets or issues a currency. In the framework done in writing. An assignment of a contract is possible without such
of an initial coin offering (ICO), therefore, a company launching an ICO formal requirements (unless the contract itself requires a certain form,
and issuing currency tokens will have to comply with AML provisions. which is not the case for loan agreements) but needs the consent of the
A company issuing pure utility tokens or security tokens may not have counterparty (ie, of the debtor under the loan).
to comply with AML provisions, provided that the tokens are operative.
Even if a company issuing tokens may not be under strict obligations to Securitisation risk retention requirements
comply with AML provisions, it may find it difficult if not impossible to 25 Are securitisation transactions subject to risk retention
find a Swiss bank willing to provide a bank account unless it identifies its requirements?
investors (in the case of the issuing of security tokens) according to AML
standards compatible with the AML standards applied by Swiss banks. The EU Securitisation Regulation does not apply in Switzerland and its
Digital currency exchanges may be subject to AML requirements rules are not part of the Swiss regulatory framework.
as exchanges from one cryptocurrency to the other are deemed to be
monetary transactions. Securitisation confidentiality and data protection requirements
In a recent major legislative project, new rules on the application of 26 Is a special purpose company used to purchase and securitise
Swiss AML law to crypto-assets have been proposed. The new proposals peer-to-peer or marketplace loans subject to a duty of
are pending in Parliament but may not become effective until 2021. confidentiality or data protection laws regarding information
relating to the borrowers?
Guidance
22 Is there regulatory or industry anti-financial crime guidance Switzerland has strong confidentiality and data protection laws appli-
for fintech companies? cable to client relationships. However, the well-known banking secrecy
and similar secrecy obligations of financial intermediaries apply to rela-
There is no general regulatory or industry anti-financial crime guidance tionships with banks, securities traders and fund administrators only and
for fintech companies. However, the Swiss Bankers Association (www. not to each and every company. Therefore, the duty of confidentiality may
swissbanking.org) recently issued guidelines for banks on the applica- depend on the origin of the loans: if such loans originate from a bank,
tion of AML rules to crypto-assets and to accounts of bank customers the bank must ensure that the SPV complies with the relevant secrecy
dealing in crypto-assets (such as in the case of an ICO). Furthermore, obligations (unless the bank customers consented and gave a waiver of
private associations such as the Capital Markets and Technology their secrecy rights). However, a special purpose company domiciled in
Association are currently working on guidelines on how AML rules Switzerland will be subject to the Swiss Data Protection Act and will need
should be applied to crypto-assets, in particular tokenised shares and to treat the data received in accordance with these provisions, which do
non-voting shares. Finally, the Financial Market Supervisory Authority not only protect natural persons but also legal entities. Furthermore, a
issued interpretative guidelines relating to cryptocurrency transfers. transfer of data abroad may be subject to additional limitations.
www.lexology.com/gtdt 215
© Law Business Research 2020
Switzerland Niederer Kraft Frey
September 2018). On 13 December 2019, the report ‘Challenges of prudential licence requirement. However, if not only digital currencies
Artificial Intelligence’ was published, but without specific requests for but also security tokens will be traded on the exchange; the exchange
changes to Swiss law. may qualify as an organised or a multilateral trading facility under the
A company providing robo-advice may qualify as an asset manager Financial Market Infrastructure Act and must comply with the rules
if the company automatically implements the advice on a client portfolio, applicable to these institutions.
may be subject to anti-money laundering (AML) rules and may have to
become a member of a self-regulatory organisation. Initial coin offerings
31 Are there rules or regulations governing initial coin offerings
Distributed ledger technology (ICOs) or token generation events?
28 Are there rules or regulations governing the use of
distributed ledger technology or blockchains? Switzerland has a technology-neutral approach to digital assets.
Blockchain projects fall under the regulatory regimes of the industries
There are no special rules or regulations governing the use of such they apply to, such as the finance industry. On 16 February 2018, FINMA
technology and the general laws apply. published ‘Guidelines for enquiries regarding the regulatory framework
for initial coin offerings’ wherein it describes in detail how it deals with
Crypto-assets the supervisory and regulatory framework for ICOs under Swiss law. On
29 Are there rules or regulations governing the use of crypto- 26 August 2019, further specifications were given relating to payments
assets, including digital currencies, digital wallets and on the blockchain (Supervisory Notice 02/2019). FINMA will consider,
e-money? among other things, the investor categories and ICO targets, compliance
with AML regulations and the functionalities of the token generated but
Switzerland has a technology-neutral approach to digital assets. also the technologies used, the technical standards and wallets and
Blockchain projects fall under the regulatory regimes of the industries technical standards to transfer tokens. In its guidelines, FINMA distin-
they apply to, such as the finance industry. On 16 February 2018, the guishes three token categories, namely payment tokens, which are
Financial Market Supervisory Authority (FINMA) published ‘Guidelines intended to be used as a means of payment and do not grant any claims
for enquiries regarding the regulatory framework for initial coin offer- against the issuer of the token, utility tokens, which grant access to an
ings’ wherein it describes in detail how it deals with the supervisory application or service, and asset tokens, which represent assets such as
and regulatory framework for initial coin offerings (ICOs) under Swiss a debt or equity claim against the issuer or that enable physical assets
law. On 26 August 2019, further specifications were given relating to to be traded on the blockchain. If a token combines functions of more
payments on the blockchain (Supervisory Notice 02/2019). FINMA will than one of these categories, it is considered a hybrid token and has to
consider, among other things, the investor categories and ICO targets, comply with the requirements of all categories concerned.
compliance with AML regulations and the functionalities of the token
generated but also the technologies used, the technical standards and DATA PROTECTION AND CYBERSECURITY
wallets and technical standards to transfer tokens. In its guidelines,
FINMA distinguishes three token categories, namely payment tokens, Data protection
which are intended to be used as a means of payment and do not grant 32 What rules and regulations govern the processing and
any claims against the issuer of the token, utility tokens, which grant transfer (domestic and cross-border) of data relating to
access to an application or service, and asset tokens, which represent fintech products and services?
assets such as a debt or equity claim against the issuer or that enable
physical assets to be traded on the blockchain. If a token combines func- There are no specific rules and regulations that would apply to fintech
tions of more than one of these categories, it is considered a hybrid token products and services. Hence, the existing data protection law and the
and has to comply with the requirements of all categories concerned. guidelines from the Swiss Federal Data Protection and Information
The issuance of digital currencies will render the issuer subject Commissioner (FDPIC) apply. The Swiss Federal Data Protection Act is
to AML regulations. The offering of digital wallets, as a rule, will also currently being revised.
subject the provider to AML regulations. The safekeeping of digital
currencies in a wallet will, as a rule, not be considered as an activity Cybersecurity
requiring a banking licence by FINMA, provided that the private keys 33 What cybersecurity regulations or standards apply to fintech
do not fall into the bankrupt estate of the custodian. However, if the businesses?
custodian had control over the wallet (ie, is capable of disposing of the
currencies therein without interference of the beneficiary), the holding There are no specific cybersecurity regulations or standards that apply
of the wallet may render the custodian subject to banking licence to fintech businesses. Hence, the existing data protection law and the
requirements. In the recent proposals submitted by the Federal Council guidelines from the FDPIC apply. In particular the ‘Guide on Technical
for discussion, further clarifications regarding the treatment of digital and Organisational Measures’ (see file://srvzhfile02/users$/cgo/VDI/
wallets in the bankruptcy of the custodian are proposed. Downloads/guideTOM_en_2015%20(1).pdf).
www.lexology.com/gtdt 217
© Law Business Research 2020
Switzerland Niederer Kraft Frey
TAX
There are no tax incentives specifically designed for fintech companies Bahnhofstrasse 53
and investors. However, both companies and investors benefit from the 8001 Zurich
generally favourable Swiss tax environment. The corporate tax rate Switzerland
depends on the exact location of the company but may be as low as 12 Tel: +41 58 800 8000
per cent, the VAT rate is significantly lower than in most EU member Fax: +41 58 800 8080
states and individual investors resident in Switzerland do not pay taxes www.nkf.ch
on gains realised on the sale of equity investments. Very low taxes apply
to capital gains from the sale of equity investments by corporate share-
holders if the participation was held for at least one year and was 10 per
cent or more of the equity of the company. UPDATE AND TRENDS
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
www.lexology.com/gtdt 219
© Law Business Research 2020
Taiwan
Abe T S Sung and Eddie Hsiung
Lee and Li Attorneys at Law
FINTECH LANDSCAPE AND INITIATIVES and explore the possibility of amending the existing rules that pose
obstacles to the experimented financial innovation if put in the real
General innovation climate world. However, depending on the review result of the FSC, the sandbox
1 What is the general state of fintech innovation in your entity or individual might still be required to apply for a relevant licence
jurisdiction? or approval from the FSC to formally conduct the activities as previously
tested in the sandbox.
Taiwan’s law for the fintech regulatory sandbox, the FinTech
Development and Innovation and Experiment Act (the Sandbox Act), was FINANCIAL REGULATION
promulgated on 31 January 2018 and took effect on 30 April 2018. At the
time of writing, seven applications have been approved by the Financial Regulatory bodies
Supervisory Commission (FSC) to enter into the sandbox, as summa- 3 Which bodies regulate the provision of fintech products and
rised below: services?
• to facilitate digital banking business (eg, online credit (credit
card, credit facility)) by means of a mobile phone identity verifica- In Taiwan, the Financial Supervisory Commission (FSC) is the govern-
tion system; ment body regulating all financial products and services. There are
• the outbound remittance by foreign workers through local conveni- four bureaux established under the FSC: the Banking Bureau (BB), the
ence stores (two cases); Securities and Futures Bureau (SFB), the Insurance Bureau (IB) and the
• to use blockchain technology for the transmission of fund transfer Financial Examination Bureau (EB) (collectively the Bureaux). Each of
information between financial institutions; the BB, SFB and IB is separately responsible for regulating the banking,
• to enable customers to purchase travel insurance through the securities and insurance industries. The EB is in charge of financial
website of a travel agency by means of API connections; inspection and audits of financial institutions regulated by the FSC.
• to provide the ‘fund exchange’ service by means of blockchain tech- Currently, none of the four bureaux has been specifically designated to
nology; and regulate fintech products and services. Therefore, it should depend on
• to shorten the fund transmission gap by means of ‘T+0 contract the nature of such products and services to determine which bureau
mechanism’. would be the body regulating the relevant fintech products or services.
As to the mechanism of the regulatory sandbox, the FSC is the
In addition to the sandbox mechanism described above, in 2018, the competent authority; nonetheless, if the tested fintech product and
Taiwan government also supported fintech developments by, for service relates to the regulatory regime of other competent authorities
example, establishing a ‘FinTechSpace’, which is a physical location situ- (such as the Central Bank), the opinion of these relevant authority will
ated in the city of Taipei with an aim to provide relevant assistance to also be consulted by the FSC.
fintech start-ups, such as acting as an intermediary between fintech
start-ups and financial services entities (with respect to potential coop- Regulated activities
eration between the parties), a ‘regulatory clinic’ (ie, free preliminary 4 Which activities trigger a licensing requirement in your
advice provided by government officials regarding regulations), etc. jurisdiction?
Government and regulatory support In Taiwan, conducting finance-related activities generally requires a
2 Do government bodies or regulators provide any support licence from the FSC. These activities include the following, without
specific to financial innovation? If so, what are the key limitation.
benefits of such support? • Securities-related activities: securities underwriting, securities
brokerage, securities dealing (ie, proprietary trading), securities
The regulatory sandbox offers a platform to test new applications of investment trust (ie, asset management) and securities investment
fintech technologies. According to the Sandbox Act, an applicant (who consulting.
can be an entity or individual) needs to obtain an approval from the FSC • General consulting business, such as acting as financial advisers
before entering the sandbox and beginning the experiment. During the or agents to arrange investments or bring about merger or acqui-
experiment period, the experimental activities may enjoy exemptions sition deals, does not require any licence. In addition, acting as
from certain laws and regulations (such as FSC licensing requirements principal in an investment deal does not require any licence (except
and certain legal liability exemptions). After completion of the approved for if a foreign investor should need a foreign investment approval
experiments, the FSC will analyse the results of them. If the result is and investment in regulated industries needs special approvals).
positive, the FSC may review the existing financial laws and regulations • Bank-related activities:
• lending: lending activities do not fall within the business to Offshore funds
be exclusively conducted by a local licensed bank. However, Offshore funds with the nature of a securities investment trust fund
as no financing company may be registered in Taiwan, it is may also be publicly offered (subject to FSC prior approval) or privately
currently not possible for an entity to register as a financing placed (subject to post-filing with the FSC or its designated institution)
company to carry on lending activities in Taiwan; to Taiwan investors, subject to certain qualifications and conditions. An
• factoring and invoice, discounting and secondary market offshore fintech company, which does not have the nature of a securities
loan trading; investment trust fund, will not be allowed to be offered in Taiwan.
• deposit taking;
• foreign exchange trading; Alternative investment funds
• remittance; and 8 Are managers of alternative investment funds regulated?
• electronic payment, credit cards and electronic stored-value
cards. Currently, only securities investment funds, real property trust funds
and futures trust funds (which focus on investment in futures and deriv
Consumer lending atives) are permitted in Taiwan (except that SITEs and securities firms
5 Is consumer lending regulated in your jurisdiction? are now permitted to set up a subsidiary to act as the general partner of
a private equity fund under the structure of limited partnership). These
A local licensed bank may carry on consumer lending activities. funds may only be offered and managed by FSC-licensed entities, such
Although lending activities do not fall within the business to be exclu- as SITEs, banks or futures trust enterprises. A fintech company, which
sively conducted by a local licensed bank, carrying out lending activities is not a SITE, a bank or a future trust enterprise, will not be allowed to
as one of a company’s registered business activities is still not permitted manage these funds in Taiwan.
in Taiwan.
Peer-to-peer and marketplace lending
Secondary market loan trading 9 Describe any specific regulation of peer-to-peer or
6 Are there restrictions on trading loans in the secondary marketplace lending in your jurisdiction.
market in your jurisdiction?
While to date there are no laws or regulations specifically regulating or
The general principle under Taiwan’s Civil Code is that any receivable is governing peer-to-peer lending, the Bankers Association of the Republic
assignable unless (1) the nature of the receivable does not permit this of China (the Bankers Association), the self-disciplinary organisation of
transfer; (2) the parties to the loan have agreed that the receivable shall the banking industry, has promulgated the Self-Disciplinary Rules of
not be transferred; or (3) the receivable, in nature, is not legally attach- Business Cooperation between Member Banks of Bankers Association
able. The receivables under loan, subject to (2) above, are generally and Peer-to-Peer Lending Operators (the P2P Self-Disciplinary Rules)
transferable. However, a bank is subject to stricter rules that, gener- and such P2P Self-Disciplinary Rules have been filed with the FSC
ally, loans that remain performing cannot be transferred by a bank, for record.
with some limited exceptions (such as for the purpose of securitisation). According to the P2P Self-Disciplinary Rules, banks may work
For this reason, Taiwan does not currently have an active secondary together with the peer-to-peer lending operators on the following
loan market. matters:
• providing fund custodian services;
Collective investment schemes • providing cash-flow services;
7 Describe the regulatory regime for collective investment • providing credit review and rating services;
schemes and whether fintech companies providing • extending facility by a bank to the customer (ie, the people-to-busi-
alternative finance products or services would fall within its ness model);
scope. • advertising and marketing activities; and
• providing credit document custody services.
Local funds (securities investment trust funds)
The most common form of collective investment scheme in Taiwan is Crowdfunding
securities investment trust funds, which may be offered to the general 10 Describe any specific regulation of crowdfunding in your
public or privately placed to specified persons. Public offering of a jurisdiction.
securities investment trust fund needs prior approval or effective regis
tration with the FSC or the institution designated by the FSC. No prior Equity-based crowdfunding
approval is required for a private placement of a securities investment The following two ways of fundraising are generally known as the
trust fund; however, it can only be placed to eligible investors and within equity-based crowdfunding platforms in Taiwan. These ways of crowd
five days after the payment of the subscription price for initial invest funding are exempted from the prior approval or effective registration
ment offering, a report on the private placement shall be filed with normally required under the Securities and Exchange Act (SEA).
the FSC or the institution designated by the FSC. Generally, the total
number of qualified non-institutional investors under a private place The Go Incubation Board for Startup and Acceleration Firms of the
ment shall not exceed 99. Under current laws and regulations, public Taipei Exchange
offering and private placement of securities investment trust funds may The Taipei Exchange (TPEx), one of the two securities exchanges in
only be conducted by FSC-licensed securities investment trust enter Taiwan, established the Go Incubation Board for Startup and Acceleration
prises (SITEs). Currently, the paid-in capital of a SITE should not be Firms (GISA) in 2014 for the purpose of assisting innovative and creative
lower than NT$300 million, and there exist certain qualifications for the small non-public companies in capital raising.
shareholders of a SITE. A fintech company, which is not a SITE, will not A company with innovative or creative ideas with the potential for
be able to raise funds as a SITE does. development is qualified to apply for GISA registration with the TPEx.
After the TPEx approves the application, the company will first start
www.lexology.com/gtdt 221
© Law Business Research 2020
Taiwan Lee and Li Attorneys at Law
receiving counselling services from the TPEx regarding accounting, In 2015, the Act Governing Electronic Payment Institutions (the
internal control, marketing and legal affairs. After the counselling E-Payment Act) was enacted. This E-Payment Act regulates the activities
period, there is another TPEx review to examine, among other things, of an electronic payment institution, acting in the capacity of an interme-
the company’s management teams, the role of board of directors, diary between payers and recipients to engage, principally, in (1) collecting
accounting and internal control systems, and the reasonableness and and making payments for real transactions as an agent; (2) accepting
feasibility of the plan for raising capital, and if the TPEx deems appro- deposits of funds as stored value funds; and (3) transfer ring funds
priate, the company may raise capital on the GISA. The amount raised between e-payment accounts. According to the E-Payment Act, an elec-
by the company through the GISA may not exceed NT$30 million unless tronic payment institution should obtain approval from the FSC unless it
otherwise approved. In addition, an investor’s annual maximum amount engages only in (1) above and the total balance of funds collected, paid and
of investment through the GISA should not exceed NT$150,000, except for kept by it as an agent does not exceed the specific amount set by the FSC.
in the case of angel investors defined by the TPEx or wealthy individuals In July 2019, the FSC announced a proposed amendment to the
with assets exceeding an amount set by the TPEx and with professional E-Payment Act. The amendment will merge the E-Payment Act and
knowledge regarding financial products or trading experience. E-Card Act. In addition, according to the proposed amendment, if
approved by the FSC, an electronic payment institution or non-elec-
Equity-based crowdfunding on the platforms of securities firms tronic payment institution would be able to provide limited remittance
A securities firm may also establish a crowdfunding platform and services, which is currently a service exclusive to banks. With the expan-
conduct equity crowdfunding business. Currently, a company with sion of the services that electronic payment institutions can provide, it
paid-in capital of less than NT$50 million may enter into a contract with is anticipated that this amendment will promote the development of the
a qualified securities firm to raise funds through the crowdfunding plat electronic payment market in Taiwan. The amendment to the E-Payment
form maintained by the securities firm, provided that the total amount of Act is expected to be discussed in the Legislative Yuan of Taiwan and will
funds raised by the company through all securities firms’ crowdfunding hopefully be passed in 2020.
platforms in a year may not exceed NT$30 million. The amount of invest-
ment made by an investor on a securities firm’s platform may not exceed Open banking
NT$50,000 for each subscription, and may not exceed NT$100,000 in 13 Are there any laws or regulations introduced to promote
aggregate in a year, except for in the case of angel investors as defined competition that require financial institutions to make
in the relevant regulations. customer or product data available to third parties?
Non-equity-based crowdfunding While the FSC has the general power to request the provision of
In 2013, the TPEx established the ‘Gofunding Zone’ on its official website. customer or product data by financial institutions to the FSC, in practice,
This mechanism allows the non-equity-based crowdfunding platform the FSC's relevant regulations, directions or guidelines also require that
operators, once approved by the TPEx, to post information regarding financial institutions provide relevant customer and product data (such
their proposals and projects on the Gofunding Zone. However, in May as data relating to credit extensions, credit cards and derivatives) to the
2018, the TPEx announced that owing to the significant developments Joint Credit Information Center (JCIC) for banks' use of credit check in
in the crowdfunding business, the phased task of the TPEx to support terms of credit extension.
this business had been completed, and, thus, it decided to close the In addition, in response to support of 'open banking' from some
Gofunding Zone and annulled relevant rules. industry experts and market players, the FSC has demanded that the
Bankers Association set out relevant self-regulatory rules to implement
Invoice trading the concept of open banking in Taiwan. The FSC did not wish to set
11 Describe any specific regulation of invoice trading in your out mandatory disclosure rules for banks and, instead, asked the self-
jurisdiction. regulatory organisation (ie, the Bankers Association) and the Financial
Information Service Company to set out relevant rules and information
The general principle under Taiwan’s Civil Code is that any receivable is security standards for banks to follow. The first stage of open banking
assignable unless (1) the nature of the receivable does not permit this was launched in late 2019, which allowed public product information
transfer; (2) the parties to the loan have agreed that the receivable shall to be searchable by third parties (ie, third-party service providers).
not be transferred; or (3) the receivable, in nature, is not legally attach- According to relevant news reports, the newly appointed FSC chair-
able. The receivables under loan, subject to (2) above, are generally person, Mr Huang, announced that the second stage of open banking
transferable. However, a bank is subject to stricter rules that, gener- (which involves customer-related information) will be launched in 2020.
ally, loans that remain performing cannot be transferred by a bank, with
some limited exceptions (such as for the purpose of securitisation). Robo-advice
In general, no company may carry out the activities of receivable 14 Describe any specific regulation of robo-advisers or other
transfer for business. Purchase of accounts receivable may only be companies that provide retail customers with automated
conducted by a licensed bank. access to investment products in your jurisdiction.
Payment services In June 2017, the Securities Investment Trust and Consulting Association
12 Are payment services regulated in your jurisdiction? of Taiwan, the self-disciplinary organisation of the asset manage-
ment industry, issued the Operating Rules for Securities Investment
Yes. Traditionally, payments by wire transfer can only be made through Consulting Enterprises Using Automated Tools to Provide Consulting
a licensed bank. Payments via cheques and credit cards are also run Service (Robo-Adviser) (the Robo-Adviser Rules), which was approved
through banks. by the FSC. Pursuant to the Robo-Adviser Rules, securities invest-
Non-banks engaging in credit card-related business and issuance ment consulting enterprises may provide online securities investment
of electronic stored-value cards should also obtain approval from the consulting services by using automated tools through an algorithm
FSC, pursuant to the Act Governing Issuance of Electronic Stored Value (Robo-Advisor Services) and they must comply with certain rules, which
Cards (the E-Card Act). include, among others, the following:
There is no concept of passporting right in Taiwan. To engage in regu- Anti-bribery and anti-money laundering procedures
lated financial activities, a company needs to apply for the relevant 21 Are fintech companies required by law or regulation to have
licences to the Financial Supervisory Commission (FSC). Depending on procedures to combat bribery or money laundering?
the types of regulated activities, the applicant must meet certain qualifi-
cations as required under relevant laws and FSC regulations. Money laundering activities are mainly regulated by the Money
Laundering Control Act (MLCA) (last amended on 7 November 2018) and
Requirement for a local presence its related regulations. Under the MLCA, in order to prevent money laun-
18 Can fintech companies obtain a licence to provide financial dering activities, financial institutions are required to implement their
services in your jurisdiction without establishing a local own internal anti-money laundering guidelines and procedures and
presence? submit them to the Financial Supervisory Commission (FSC) for record.
With respect to digital currency platform operators or transac-
No. Foreign companies cannot carry on regulated business (which tions, it was reported that, according to Mr Koo, the ex-chairperson of
include financial services) without a licence, and the FSC licences the FSC, the FSC will regulate the anti-money laundering activities of
required for providing financial services are not issued to foreign cryptocurrency trading platforms or exchanges under the MLCA after
companies without establishing a subsidiary or a branch in Taiwan. the Executive Yuan officially authorises the FSC as the regulator. As at
the time of writing, the Executive Yuan has not granted this authorisa-
tion to the FSC. In addition, it is unclear at this stage what requirements
will be imposed by the FSC on anti-money laundering activities of cryp-
tocurrency trading platforms or exchanges.
www.lexology.com/gtdt 223
© Law Business Research 2020
Taiwan Lee and Li Attorneys at Law
PEER-TO-PEER AND MARKETPLACE LENDING Personal information is protected by the Personal Data Protection Act
(PDPA) and the collection and use of any personal data is subject to
Execution and enforceability of loan agreements notice and consent requirements. If a special-purpose company, when
23 What are the requirements for executing loan agreements or purchasing and securitising loans, acquires any personal data, it will be
security agreements? Is there a risk that loan agreements subject to the obligations under the PDPA.
or security agreements entered into on a peer-to-peer or
marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
TECHNOLOGY AND CRYPTO-ASSETS
There are no particular formality requirements for executing loan agree-
ments. As to security agreements, under Taiwan law, different types of Artificial intelligence
asset are subject to different formality requirements for perfection of a 27 Are there rules or regulations governing the use of artificial
security interest created over them. The formality requirements for the intelligence, including in relation to robo-advice?
most commonly seen security interests are as follows.
• Chattels: there must be a written agreement to create a chattel The Taiwan government announced the 5+2 Industrial Innovation Plan
mortgage. The mortgagor needs not deliver the possession thereof (the 5+2 Plan) in 2008, in which artificial intelligence played an impor-
to the mortgagee; however, a registration with the competent tant role. The 5+2 Plan mainly focuses on seven industries (ie, intelligent
authority will be necessary for the mortgagee to claim the chattel machinery, Asia Silicon Valley, green energy, biomedicine, national
mortgage against a bona fide third party. defence and aerospace, new agriculture and the circular economy),
• Real properties: security interest over real properties is taken by and is considered the core generator for Taiwan’s next generation of
way of a mortgage registered with the relevant land registration industrial development. To facilitate the 5+2 Plan, the government also
offices. The parties must enter into a written agreement to agree launched the AI Talent Programme, which aims to:
on the creation of the mortgage and apply for registration of the • cultivate 1,000 high-calibre talents in intelligent technologies;
mortgage before the mortgage can take effect. • train 5,000 talents in practical intelligent technologies; and
• Shares: to create a pledge over shares, the pledgor and pledgee • attract foreign professionals by the year 2021.
should enter into a written agreement. If the shares are repre-
sented by physical certificates, the pledged share certificates Nevertheless, the development of application of artificial intelligence in
should also be duly endorsed by the pledgor and physically deliv financial business in Taiwan is still at a preliminary stage. The main
ered into the pledgee’s possession. A notice of pledge to the issuing application involves correspondence with clients, such as through
company is also required. If the shares are listed and deposited to Chatbot and Robo-Adviser Services.
or registered with the local securities depository (ie, the Taiwan
Depositary and Clearing Corporation (TDCC)), the above endorse- Distributed ledger technology
ment, physical delivery of the shares and notification to the issuing 28 Are there rules or regulations governing the use of
company are not required; instead, a pledge registration of the distributed ledger technology or blockchains?
shares in the TDCC’s book-entry system in accordance with the
TDCC’s regulations will suffice. No.
No different rules apply to cases of peer-to-peer lending.
Crypto-assets
Assignment of loans 29 Are there rules or regulations governing the use of crypto-
24 What steps are required to perfect an assignment of assets, including digital currencies, digital wallets and
loans originated on a peer-to-peer or marketplace lending e-money?
platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these Digital currencies (such as virtual currencies or cryptocurrencies with
loans without informing the borrower? the applications of blockchain technology) that are not linked or tied to
the currency of any nation are currently not accepted by the Central
An assignment will not be effective against the borrower until the Bank of the Republic of China (Taiwan) (the Central Bank) as currencies.
borrower has been notified of this assignment. If the borrower is not In December 2013, both the Central Bank and the Financial Supervisory
notified of the assignment, the borrower may still make the repayment Commission (FSC) expressed the government’s position toward bitcoin
to the assignor and discharge its repayment obligation by doing so. by issuing a joint press release (the 2013 Release). According to the
2013 Release, the two authorities held that bitcoin should not be consid-
Securitisation risk retention requirements ered a currency, but a highly speculative digital virtual commodity. In
25 Are securitisation transactions subject to risk retention another FSC press release in 2014 (the 2014 Release), the FSC ordered
requirements? that local banks must not accept bitcoin or provide any other services
related to bitcoin (such as exchange bitcoin for fiat currency). The FSC
There are no mandatory risk retention requirements for securitisation further issued a press release on 19 December 2017 (the 2017 Release),
as prescribed for in the Financial Asset Securitisation Act of Taiwan. in which the FSC reiterated the government’s positions as specified in
the 2013 Release and 2014 Release. Other than the above, no laws, regu-
lations or rulings have been officially issued, promulgated or amended
to specifically deal with the rise of digital currencies, except for the Regulations on issuance (primary market):
regulations governing tokens with the nature of securities. • Qualifications of the issuer: the issuer must be a company limited by
Non-banks engaging in credit card-related business and issuance shares incorporated under the laws of Taiwan and not a company
of electronic stored-value cards should also obtain approval from the listed on the Taiwan Stock Exchange, the TPEx or traded on the
FSC, pursuant to the Act Governing Issuance of Electronic Stored Value Emerging Stock Market. This indicates that a foreign entity may not
Cards. Banks providing mobile payment services must comply with act as an issuer of an STO programme.
relevant FSC rules on, among others, security control. • Types of security tokens that can be issued: the issuer can only
issue profit-sharing or debt tokens without shareholders’ rights,
Digital currency exchanges meaning that shares, being a type of securities under SEA, with
30 Are there rules or regulations governing the operation of regular shareholders’ rights of an issuer cannot be issued in the
digital currency exchanges or brokerages? form of security tokens, while bonds can be issued as debt tokens.
• Eligible investors and amount limits: only professional inves-
So far no Taiwanese laws or regulations have been promulgated tors are eligible to participate in STOs; where the professional
or amended to formally regulate the operation of digital currency investor is a natural person, the maximum subscription amount is
exchanges or brokerages in Taiwan, except for the regulations governing NT$300,000 per STO.
ICO tokens with the nature of securities as well as the platform operator • Issuance process: issuers must conduct STOs on a single plat-
for these tokens. form, and the platform operator has the obligation to ensure
that the issuer meets the qualification requirements and that the
Initial coin offerings prospectus is well prepared. Where the platform operator itself is
31 Are there rules or regulations governing initial coin offerings an STO issuer, this issuer should not launch an STO without a prior
(ICOs) or token generation events? review by the TPEx.
Regulations on trading (secondary market):
In response to the rising amount of ICOs and other investment activi- • Trading mechanism for security tokens: the platform oper-
ties regarding digital currencies and cryptocurrencies, the FSC also ator should obtain a securities dealer licence and handle the
expressed the following views on ICOs through the 2017 Release. trading by way of price negotiation. The platform operator
• The classification of an ICO should be determined on a case-by-case should be the counterparty to every transaction and should
basis. If an ICO involves offering and the issuance of securities, it offer a reasonable reference quotation based on the market
should be subject to the Securities and Exchange Act (SEA). The conditions. In addition, each security token under an STO
issue of whether tokens in an ICO would be deemed securities programme may be traded only on a single platform.
under the SEA would depend on the facts of each individual case. • Maximum transaction amount: where the professional investor
• If any misrepresentations with respect to technologies or their is a natural person, the maximum amount of holding under
outcomes or promises of unreasonably high returns are used by an STO programme is NT$300,000. In addition, the maximum
the issuer of virtual currencies or an ICO to attract investors, the daily transaction limit for each STO is 50 per cent of the total
issuer would be deemed as committing fraud or illegal fundraising. issuance amount under such STO programme.
On 3 July 2019, the FSC issued a ruling that officially designated cryp- An STO platform operator:
tocurrencies the nature of securities, (ie, security tokens, described • Qualifications of the platform operator: the platform operator
as 'securities' under the SEA (the 2019 Ruling)). According to the 2019 should obtain a securities dealer licence, have minimum paid-in
Ruling, security tokens refer to those that: capital of NT$100 million and provide an operation bond in the
• utilise cryptography, distributed ledger technology or other similar amount of NT$10 million.
technology to represent the value that can be stored, exchanged or • Total offering amount capacity: the total offering amount of all STOs
transferred through digital mechanisms; on a single platform should not exceed NT$100 million. A platform
• are transferable; and can accept to process a second STO only one year after the security
• encompass all of the following attributes of an investment: tokens of the first STO have been traded on the platform.
• funding is provided by investors; • Transfer and record keeping: the platform operator should enter
• funding provides for a common enterprise or project; into an agreement with the Taiwan Depository and Clearing
• investors expect to receive profits; and Corporation (TDCC) and transmit the trading information, such as
• profits are generated primarily from the efforts of the issuer balance changes and the balance statement, to the TDCC for its
or third parties. record on a daily basis. The TDCC should provide an STO balance
inquiry service to investors.
In addition to the 2019 Ruling, the FSC issued a press release on 27 June
2019 to illustrate the key points of the FSC's policy on security token Subscription and trading
offerings (STOs). Since then, the FSC and the Taipei Exchange (TPEx) Subscription and trading of security tokens should be conducted on a
have set out the regulations governing STOs (the STO Rules), and the real-name basis and the transactions must be conducted in New Taiwan
STO Rules were finalised in January 2020. Specifically, the FSC differ- Dollar under the same name as the account name of the bank account.
entiates the regulation of different STOs using the threshold of NT$30
million. For an STO of NT$30 million or less, the STO may be conducted
in compliance with the STO Rules; an STO above NT$30 million must
first apply to be tested in the ‘financial regulatory sandbox’ pursuant to
the FinTech Development and Innovation and Experiment Act and, if the
experiment has a positive outcome, should be conducted pursuant to
SEA. Below is a summary of certain other major provisions of the STO
Rules (ie, for STOs of NT$30 million or less).
www.lexology.com/gtdt 225
© Law Business Research 2020
Taiwan Lee and Li Attorneys at Law
DATA PROTECTION AND CYBERSECURITY As for other financial services companies, there exists no single
regulation that governs their outsourcing activities, and, generally,
Data protection outsourcing is allowed only if the FSC has issued any ruling permitting
32 What rules and regulations govern the processing and it. For example, a securities investment trust enterprise is permitted to
transfer (domestic and cross-border) of data relating to outsource its operation of evaluating fund assets, calculation of a fund’s
fintech products and services? net worth and fund accounting to a professional institution, subject to
applicable requirements specified under the relevant FSC rulings.
In Taiwan, personal data is generally protected by the Personal Data When the use of cloud computing involves outsourcing the
Protection Act (PDPA). Under the PDPA, unless otherwise specified operations of a financial institution, relevant laws and regulations
under law, a company is generally required to give notice to (notice governing outsourcing activities should be complied with. In general,
requirement) and obtain consent from (consent requirement) an indi- an outsourcing activity should follow the internal rules and procedures
vidual before collecting, processing or using any of this individual’s of the financial institutions, and in certain circumstances, prior approval
personal information, subject to certain exemptions. To satisfy the from the FSC would be required. The use of cloud computing should
notice requirement, certain matters must be communicated to the indi- also comply with the Personal Data Protection Act.
vidual, such as the purposes for which his or her data is collected, the
type of the personal data and the term, area and persons authorised to Cloud computing
use the data. 35 Are there legal requirements or regulatory guidance with
respect to the use of cloud computing in the financial services
Cybersecurity industry?
33 What cybersecurity regulations or standards apply to fintech
businesses? When the use of cloud computing involves outsourcing the opera-
tions of a financial institution, relevant laws and regulations governing
Different cybersecurity regulations or standards may apply to different outsourcing activities should be complied with. In general, an
types of financial service entities or their products or services. For outsourcing activity should follow the internal rules and procedures of
example, if a type of fintech business is considered to fall within the the financial institutions, and, in certain circumstances, prior approval
scope of electronic banking business, in addition to the relevant licensing from the FSC would be required. The use of cloud computing should
requirements under certain financial regulations, it should also comply also comply with the Personal Data Protection Act.
with the rules governing the security control for this business. According to the Regulations Governing Internal Operating Systems
With respect to the 'regulatory sandbox' under the FinTech and Procedures for the Outsourcing of Financial Institution Operation as
Development and Innovation and Experiment Act, relevant description last amended on 30 September 2019, a prior approval from the FSC is
regarding the information system and security control is required for an required if an outsouring of operations by a financial institution involves
application for entering the sandbox. cloud-based services and the outsourcing of operations is consid-
The Cyber Security Management Act (CSMA) was enacted in June ered ‘material’ or the operation is outsourced to an overseas service
2018. According to the CSMA, financial services firms would be required provider. Further, when the outsourcing involves cloud-based services,
to comply with relevant obligations (including, among other things, the financial institution must, among other things: ensure appropriate
requirements for meeting a specific security level, setting up relevant diversification of cloud service providers; retain full ownership of the
internal rules for implementing plans for maintaining information data outsourced to cloud service providers; and ensure the location for
security and reporting to the government in case of any cyber security processing and storage is within Taiwan (with certain exceptions).
incident) under the CSMA if they are designated by the Taiwan govern-
ment as the ‘critical infrastructure provider’ (CIP) under the CSMA. INTELLECTUAL PROPERTY RIGHTS
While we think that no specific fintech business would be designated
as a CIP, the CSMA would still apply to fintech businesses if the types IP protection for software
of financial service entities carrying out these fintech business activities 36 Which intellectual property rights are available to protect
are considered Financial Supervisory Commission-regulated entities software, and how do you obtain those rights?
and are designated as CIPs by the Taiwan government.
Software can be protected by intellectual property rights such as patent,
OUTSOURCING AND CLOUD COMPUTING copyright or trade secret. As to patent, an inventor may file an applica
tion with Taiwan’s Intellectual Property Office, and the patent right will
Outsourcing be obtained once the application is approved. For copyrights and trade
34 Are there legal requirements or regulatory guidance with secrets, there are no registration or filing requirements for a copyright
respect to the outsourcing by a financial services company of or a trade secret to be protected by law. However, there are certain
a material aspect of its business? features that qualify a copyright or trade secret, such as ‘originality’
and ‘expression’ for copyrights, and ‘economic valuable’ and ‘adoption
The legal requirements with respect to the outsourcing by a financial of reasonable protection measures’ for trade secrets.
services company vary among the types of companies. For example, According to the Patent Act of Taiwan, the subject of a patent right
a bank’s outsourcing must comply with the Regulations Governing is ’invention’ and an invention means the creation of technical ideas,
Internal Operating Systems and Procedures for the Outsourcing of utilising the laws of nature. As a general rule, business methods are
Financial Institution Operation (the Banks Outsourcing Regulations), regarded as using social or business rules rather than laws of nature,
under which only the activities enumerated in the Banks Outsourcing and therefore may not be the subject of a patent right. As for software-
Regulations can be outsourced (subject to relevant requirements, implemented inventions, if it coordinates the software and hardware to
such as supervision of the outsourced party and the contract with the process the information, and there is a technical effect in its operation, it
outsourced party), and outsourcing of some activities would require might become patentable. For instance, a ‘method of conducting foreign
prior approval from the Financial Supervisory Commission (FSC). exchange transaction’ would be deemed as a business method and thus
unpatentable; however, a ‘method of using financial information system order should not use the trade secrets for purposes other than those
to process foreign exchange transactions’ might be patentable. related to the court trial or disclose the trade secrets to those who are
not subject to the order.
IP developed by employees and contractors
37 Who owns new intellectual property developed by an Branding
employee during the course of employment? Do the same 40 What intellectual property rights are available to protect
rules apply to new intellectual property developed by branding and how do you obtain those rights? How can fintech
contractors or consultants? businesses ensure they do not infringe existing brands?
Intellectual property developed by an employee during the course The Trademark Act in Taiwan provides for the protection of brands. The
of employment rights of trademarks can be obtained through registration with Taiwan’s
With regard to a patent, the right of an invention made by an employee Intellectual Property Office. The term of protection is 10 years from the
during the course of performing his or her duties under employment date of publication of the registration and may be renewed for another
will be vested in his or her employer and the employer should pay 10 years by filing a renewal application.
the employee reasonable remuneration unless otherwise agreed by Every registered trademark will be published on the official website
the parties. maintained by the Intellectual Property Office and the trademark search
A trade secret is the result of research or development by an system is accessible by the general public. On the search system, a
employee during the course of performing his or her duties under fintech business may check whether an identical or similar trademark
employment and it will belong to the employer unless otherwise agreed exists and who the proprietor of a registered trademark is.
by the parties.
For copyright, where a work is completed by an employee within Remedies for infringement of IP
the scope of employment, the employee is the author of the work but 41 What remedies are available to individuals or companies
the economic rights to this work will be enjoyed by the employer unless whose intellectual property rights have been infringed?
otherwise agreed by the parties.
Patent
Intellectual property developed by contractors or consultants With regard to infringement of an invention patent, the patentee may
In respect of patent rights and trade secrets, the agreement between claim for damage suffered because of the infringement. The amount
the parties will prevail, or these rights will be vested in the inventor or of damages may be calculated by the damage suffered and the loss of
developer in the absence of such agreement. However, if there is a fund profits as a result of the infringement; profit earned by the infringer as
provider, the funder may use this invention. a result of patent infringement; or the amount calculated on the basis
In respect of copyright, the contractor or the consultant who actu of reasonable royalties. If the infringement is found to be caused by the
ally makes the work is the author of the work unless otherwise agreed infringer’s wilful act of misconduct, the court may triple the damages to
by the parties; the enjoyment of the economic rights arising from the be awarded. Patent infringements have been decriminalised since 2003.
work should be agreed by the parties, or these rights will be enjoyed
by the contractor or the consultant in the absence of such agreement. Copyright
However, the commissioning party may use the work. The damage suffered because of copyright infringement may be claimed
in the process of civil procedure. As for criminal liabilities, there are
Joint ownership different levels depending on different types of infringement, ranging
38 Are there any restrictions on a joint owner of intellectual from imprisonment, of no more than three years, and detention to a fine
property’s right to use, license, charge or assign its right in of no more than NT$750,000.
intellectual property?
Trademark
In respect of patents and trademarks, each joint owner may use the The damage suffered because of trademark infringement may be
jointly owned rights at his, her or its discretion; however, a joint owner claimed in the process of civil procedure. As for criminal liabilities, any
may not license or assign the jointly owned rights without consent of all person shall be liable to imprisonment for a period not exceeding three
the other joint owners. In respect of copyrights and trade secrets, each years or a fine not exceeding NT$200,000, or both, if he or she:
joint owner may not use, license or assign the rights without unanimous • uses a trademark that is identical to the registered trademark in
consent of the other joint owners, while the other joint owners may not relation to identical goods or services;
withhold the consent without reasonable cause. • uses a trademark that is identical to the registered trademark in
relation to similar goods or services and hence there exists a likeli
Trade secrets hood of confusion for relevant consumers; or
39 How are trade secrets protected? Are trade secrets kept • uses a trademark that is similar to the registered trademark in
confidential during court proceedings? relation to identical or similar goods or services and there exists a
likelihood of confusion for relevant consumers.
Trade secrets are protected if they satisfy the following constituent
elements: information that may be used in the course of production, Trade secrets
sales or operations; having the nature of secrecy; economic value; and The damage suffered because of infringement of trade secrets may be
adoption of reasonable protection measures. claimed in the process of civil procedure. As for criminal liabilities, a
To keep the trade secrets confidential during court proceedings, person may be sentenced to a maximum of five years imprisonment and,
the court trial may be held in private if the court deems it appropriate in addition, a fine between NT$1 million and NT$10 million if he or she:
or it is otherwise agreed upon by the parties. The parties and a third 1 acquires a trade secret by an act of theft, embezzlement, fraud,
party may also apply to the court for issuing a ‘confidentiality preserva threat, unauthorised reproduction or other wrongful means, or
tion order’, and the person subject to this confidentiality preservation uses or discloses a trade secret that has been acquired;
www.lexology.com/gtdt 227
© Law Business Research 2020
Taiwan Lee and Li Attorneys at Law
Currently there are no such new tax laws or guidance and, to our under-
standing, currently there are no such proposals.
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
www.lexology.com/gtdt 229
© Law Business Research 2020
Turkey
Cigdem Ayozger Ongun and Begum Erturk
SRP-Legal Law Firm
FINTECH LANDSCAPE AND INITIATIVES Law No. 4691 and its implementing regulation. This law provides lower
corporate income tax, withholding tax, income tax exemptions, employer
General innovation climate social security contribution support payments and value-added tax
1 What is the general state of fintech innovation in your exemptions for fintech start-ups. Moreover, the Presidential Decree on
jurisdiction? State Incentives Provided to Investments, which entered into force on 7
August 2019, saw a recent amendment that scrapped large-scale infra-
There is a dynamic fintech climate in Turkey and all areas of the market structure project investments from the incentive regime and introduced
are ripe for investment. The fintech ecosystem in Turkey in 2019 was increased incentives for R&D activities and value-added technology
one of the most important areas, as eight fintech companies (ie, credit production.
scoring, payment and e-money institutions) were launched, and, accord- Besides this, government support may be seen in the 11th
ingly, they were partially or totally acquired by local and foreign fintech Development Plan of Turkey (the 11th Plan), which was published in
or technology companies. the Official Gazette on 23 July 2019. The 11th Plan includes objectives
In the Turkish fintech ecosystem there are services (ie, payment directly related to the Turkish financial technology ecosystem.
and e-money services, money transfer and remittance, bill payment Finally, the Amendment to the Law on Payment and Securities
and system operator services) that are regulated under Turkish law, Settlement Systems, Payment Services and Electronic Money
while others (ie, lending and credit scoring, digital wallet and applica- Institutions (the Amendment), in line with the requirements of the
tion programming interface providers) are not. However, in less than a Payment System Services Directive II (Directive 2015/2366), entered
year, new regulations with regard to open banking, equity and lending- into force on 1 January 2020. The Amendment set forth a provision
based crowdfunding entered into force. Therefore, the upcoming years of the establishment of the Turkish Payment Services and Electronic
are expected to contain more new developments in Turkish fintech law. Money Association (the Association), which entered into force on 22
May 2020. Accordingly, all payment and electronic money institutions
Government and regulatory support are required to become members of the Association. The duties of the
2 Do government bodies or regulators provide any support Association include, among other things, carrying out professional
specific to financial innovation? If so, what are the key training, research and advertising activities, establishing standards for
benefits of such support? the industry and helping ensure coordination among members and with
the regulator.
In Turkey, investments have been supported pursuant to the Decision
on State Aid in Investments brought into force with Decision of the FINANCIAL REGULATION
Council of Ministers No. 2012/3305 and its Implementing Communiqué
No. 2012/1; the Decision on Providing Project Based State Aid to Regulatory bodies
Investments brought into force with Decision of the Council of Ministers 3 Which bodies regulate the provision of fintech products and
No. 2016/9495; and Communiqué No. 30892 on the Code of Practice of services?
Technology-Oriented Industrial Movements Programme (Communiqué
No. 30892). Latest developments concern the Communiqué No. 30892: The Legislative Proposal to Amend the Law on Payment and Security
its amendments were published in the Official Gazette No. 30969 on, and Settlement Systems, Payment Services, and Electronic Money
were effective from, 5 December 2019. Institutions and Other Laws (the Amending Law) was published in
Investment incentives are provided to all entities that meet the the Official Gazette No. 30956 on 22 November 2019 and entered
requirements pursuant to the above-mentioned laws and regulations. into force on 1 January 2020. On the effective date of the Amending
One of the purposes of the incentives is supporting high and medium-high Law, the powers of the Banking Regulation and Supervision Agency
technology investments that will provide technological transformation. (BRSA) set forth under the Law on Payment and Securities Settlement
Unlike many other information technology or e-commerce projects, Systems, Payment Services and Electronic Money Institutions (Law No.
fintech projects are more likely to benefit from R&D incentives because 6493) were transferred to the Central Bank of the Republic of Turkey
of the nature of fintech and its requirements, such as security, payment (CBRT). Accordingly, the CBTR has the authority to monitor legal rela-
infrastructure, user experience and mobility. tions to which the payment service providers are a party owing to their
During the establishment phase of fintech start-ups, there are activities in order to determine issues and areas for development. The
alternatives, such as private incubation centres, techno-centres and Amending Law also grants the CBTR the authority to determine the
collaboration offices, that may allow fintech start-ups to benefit from tax rules and procedures of the legal relations therein and form working
advantages. In addition to these investment incentive-focused regula- committees if it deems the relevant activities harmful to the area of
tions, fintech start-ups may also benefit from Technology Development payments. Finally, the CBRT is entitled to issue payments, e-money and
system operator licences pursuant to the Law No. 6493, the Regulation There are no registration requirements with the authorities in Turkey
on Payment Services and Electronic Money Issuance and Payment for a transfer or assignment to be effective.
Institutions and the Communiqué on the Management and Supervision On the other hand, debt instruments, which can only be provided
for Information Systems of the Payment E-Money Institutions. by the above-mentioned institutions, can be purchased and sold in the
In addition to the CBRT, the Turkish Financial Crimes Investigation secondary market under the Capital Markets Law and regulations.
(MASAK), which acts as Turkey's financial intelligence unit, effectively As the secondary regulation regarding lending-based crowdfunding
fights money laundering and terrorist financing (AML). MASAK checks has not yet been prepared by the Turkish Capital Markets Board (CMB),
whether financial institutions meet the requirements of AML regula- the situation of the trading of the funds in the secondary market, which
tions and laws. Therefore, fintech companies, such as payment service will be provided through a lending-based crowdfunding platform, has
providers, cryptocurrency trading platforms and crowdfunding plat- not been determined yet.
forms, must fulfil their AML obligations.
Collective investment schemes
Regulated activities 7 Describe the regulatory regime for collective investment
4 Which activities trigger a licensing requirement in your schemes and whether fintech companies providing alternative
jurisdiction? finance products or services would fall within its scope.
A large number of financial services and activities are regulated in In Turkey, the general rules and principles regarding investment funds
Turkey. Some of these activities, which trigger licensing, authorisation are mainly regulated under the Capital Markets Law and regulations. In
or registration requirements in Turkey, include, and are regulated by, this respect, further details regarding the establishment and activities of
the following. investment funds are regulated under the Communiqué on the Principles
• The Central Bank of the Republic of Turkey authorises payment of Investment Funds (III.52.1). Accordingly, the Investment Funds Guide
services, invoicing services, e-money services and system oper- clarifies the rules and principles stipulated in this Communiqué.
ator services. The regulatory regime for collective investment schemes is new,
• The Banking Regulatory and Supervisory Agency issues licences and equity and lending-based crowdfunding platforms have been highly
for banking and finance activities, such as banking services, regulated under Turkish Capital Markets Law. The Communiqué on
factoring and financial leasing services. Equity Based Crowdfunding III-35/A.1 was issued by the CMB and was
• The Capital Market Authority is responsible for authorising equity published in the Official Gazette No. 30907 on 3 October 2019. As per
and lending-based crowdfunding platform services, trading and this Communiqué, only the platforms authorised and listed by the CMB
carrying out intermediation activities in securities and other capital may carry out equity-based crowdfunding activities. On the other hand,
markets instruments. a communiqué for lending-based crowdfunding platforms, has not yet
• The Ministry of Treasury and Finance authorises insurance been prepared and, accordingly, carrying out lending-based crowd-
activities. funding activities is not yet allowed.
• The Central Securities Depository of the Turkish Capital Markets
provides its members with registration (public offering, etc), settle- Alternative investment funds
ment and custody services. 8 Are managers of alternative investment funds regulated?
Consumer lending Alternative investment funds (AIFs) are operated and managed by port-
5 Is consumer lending regulated in your jurisdiction? folio management companies on behalf of their investors in exchange
for a consideration, namely ‘a participation share’. Managers of AIFs are
Consumer lending is regulated within the scope of the Banking Law, subject to the Communiqué on Portfolio Management Companies and
the Law on Bank Cards and Credit Cards, the Regulation on Credit Activities of Such Companies (III-55.1) issued by the CMB.
Operations of Banks and by the Ministry of Commerce through the Portfolio management companies are required to be established
Consumer Law, the Regulation on Consumer Loan Agreements and the as joint-stock companies with the main objective of operating and
Regulation on Housing Finance Agreements. managing investment funds. Compliance with certain conditions and
obtaining the CMB licence as set forth under the above Communiqué
Secondary market loan trading are required for establishing and operating a portfolio management
6 Are there restrictions on trading loans in the secondary company (PMC). The manager can either be the founder (founding a
market in your jurisdiction? PMC or real estate PMC (REPMC)) or hold another role in the PMC or
REPMC pursuant to a portfolio management contract. Fintech compa-
In Turkey, in principle, loans can only be provided by bank and credit nies do not fall under the scope of the legislation concerning alternative
institutions, which do not include payment service or e-money insti- investment fund managers.
tutions. These banks and credit institutions must be established
and authorised by the Banking Regulation and Supervision Agency. Peer-to-peer and marketplace lending
Additionally, loan-based transactions are subject to the Turkish Banking 9 Describe any specific regulation of peer-to-peer or
Law and regulations. Transferring a loan by way of novation (ie, marketplace lending in your jurisdiction.
discharging the original debt) will have the effect of extinguishing the
Turkish law-governed security. In these cases, there is a requirement Lending activities are highly regulated by the BRSA. For instance,
to re-establish the security for the new lender. A parallel debt struc- according to the Banking Law or the Financial Leasing Law, only the
ture may be a way of preventing the fall of the accessory security as a entities with a licence granted by the BRSA can legally conduct lending
result of novation. The transfer of debts is also possible and made by an activities. According to the Turkish Criminal Code No. 5237, money
agreement between the transferor, the transferee and the debtor. The lending and earning interest from that money without holding a licence
agreement does not have to be in writing. However, security providers is a crime, defined as usury, that is subject to imprisonment between two
for these debts should provide their consent in written form as well. to five years and a monetary fine of an amount up to 500,000 Turkish lira.
www.lexology.com/gtdt 231
© Law Business Research 2020
Turkey SRP-Legal Law Firm
2013. As of September 2014, KKB gathered its services aimed at indi- FINANCIAL CRIME
viduals and the real sector under the umbrella of Findeks, the consumer
service platform of KKB. Anti-bribery and anti-money laundering procedures
Providing credit references or credit information services in Turkey 21 Are fintech companies required by law or regulation to have
is a regulated activity under the Banking Law (Law No. 5411). The Risk procedures to combat bribery or money laundering?
Centre was established within the Banks Association of Turkey (TBB) for
the purpose of collecting the risk data and information of clients of credit Turkish money laundering and terrorist financing legislation, namely the
institutions and other financial institutions to be deemed eligible by the Law for Preventing Laundered Criminal Income (Law No. 5549) and its
Banking Regulatory and Supervisory Board and ensuring that this infor- supplementary regulation, requires that fintech companies implement
mation is shared with these institutions or with the relevant persons or procedures to combat bribery. The appointment of a compliance officer,
entities themselves or with real persons and 61 private law legal enti- identity verification of account holders and reporting of suspicious
ties if approved and consented to. The KKB was founded in accordance transactions are commonplace requirements the regulation imposes
with article 73/4 of the Banking Law and it conducts all operational and on fintech companies. The Turkish Financial Crimes Investigation Board
technical activities through its own organisation as an agency of the Risk (MASAK), also regulates fintech products and services in terms of
Centre of the TBB and provides data collection and sharing services to money laundering proceedings for crime and terrorist financing.
the 180 financial institutions that are members of the Risk Centre.
Guidance
CROSS-BORDER REGULATION 22 Is there regulatory or industry anti-financial crime guidance
for fintech companies?
Passporting
17 Can regulated activities be passported into your jurisdiction? Yes, both industry and regulatory authorities provide assistance to enti-
ties active in regulated industries. MASAK, mandated by Ministry of
Regulated activities cannot be passported into Turkey as regulated Treasury and Finance, provides guidance and education. MASAK has
in the Markets in Financial Instruments Directive II for the European issued Sectoral Guidance Notes addressing Financial Institutions and
Economic Area. Banks but not specifically addressing the fintech companies.
CHANGE OF CONTROL There are no registration requirements with the authorities in Turkey for
a transfer or assignment of loans to be effective. However, peer-to-peer
Notification and consent or marketplace lending platforms have not been allowed to run yet.
20 Describe any rules relating to notification or consent
requirements if a regulated business changes control. Securitisation risk retention requirements
25 Are securitisation transactions subject to risk retention
Some companies performing in the banking and finance sector, such as requirements?
payment service providers, crowdfunding platforms, banks and financial
institutions, that are supposed to be parties to business transactions The primary piece of legislation that governs asset-backed securities
(ie, mergers, acquisitions or share transfers) must notify the relevant and the risk retention system and requirements that must be put in
authorities (ie, the Banking Regulation and Supervision Agency, the place is the Communiqué on Asset Backed Securities No. III-59.1. The
Central Bank of the Republic of Turkey and the Capital Market Authority). originator must retain the risk.
www.lexology.com/gtdt 233
© Law Business Research 2020
Turkey SRP-Legal Law Firm
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER The Personal Data Protection Law, the Regulation on the Erasure,
TECHNOLOGY AND CRYPTO-ASSETS Destruction, or Anonymisation of Personal Data and the other secondary
regulations are the main laws that regulate personal data processing
Artificial intelligence activities (ie, collection, domestic and cross-border transfers, destruc-
27 Are there rules or regulations governing the use of artificial tion and protection) for all sector players, including fintech companies.
intelligence, including in relation to robo-advice? On the other hand, payment service providers must obtain a
Payment Card Industry Data Security Standard certificate and comply
There are neither rules nor regulations governing the use of artificial with its principles and procedures, which also include rules regarding
intelligence in Turkey. data erasure, transfer, destruction and processing. Moreover, they must
keep all data in Turkey under the Communiqué on the Administration
Distributed ledger technology and Auditing of Payment Institutions and Electronic Money Institutions’
28 Are there rules or regulations governing the use of distributed Information Systems.
ledger technology or blockchains? Finally, there are personal data protection and privacy-specific
provisions in other laws and regulations, such as the Turkish Banking
There are neither rules nor regulations governing the use of distributed Law and Turkish Capital Markets Law.
ledger technology or blockchains. However, distributed ledger technology
and blockchains have recently started to be used in various sectors, Cybersecurity
including banking and finance sector. Therefore, they are not forbidden. 33 What cybersecurity regulations or standards apply to fintech
businesses?
Crypto-assets
29 Are there rules or regulations governing the use of crypto- Article 31 of Law No. 6493 on Payment and Securities Settlement
assets, including digital currencies, digital wallets and Systems, Payment Services and Electronic Money Institutions levies
e-money? the duty to uphold a secure information technology system on the
licensed payment service provider. Additionally, the Communiqué on
There are neither rules nor regulations governing the use of crypto- the Administration and Auditing of Payment Institutions and Electronic
assets, cryptocurrencies or digital wallets. However, the Turkish Money Institutions’ Information Systems sets clear regulatory stand-
Financial Crimes Investigation Board published an updated guidebook ards applicable to fintech businesses.
that states that fund transfers made to intermediary institutions for the The Communiqué on Principles Applicable to Banking Information
purpose of purchasing crypto-assets (ie, bitcoin) will no longer automati- Systems Management published by the Banking Regulation and
cally be considered a suspicious movement of funds and will be analysed Supervision Agency also regulates the field of cybersecurity appli-
on a know your customer basis. This represents a more flexible approach cable to financial institutions, however, it does not govern payment
towards crypto-assets. In addition, the Turkish Banking Regulation and service providers and e-money institutions. Additionally, the Electronic
Supervision Agency explicitly states within its public announcement No. Communications Law also governs the issue of cybersecurity pertinent
2013/32 that crypto-assets are not to be considered as e-money. to businesses active in the fintech industry, namely with its supple-
The use of digital wallets is allowed, but there are no rules or regula- mental Regulation titled Network and Information Security in the
tions governing this tool. Electronic Communications Industry published in the Official Gazette
Finally, e-money, which is regulated under Law No. 6493 on No. 29059 on 13 July 2014.
Payment and Securities Settlement Systems, Payment Services and
Electronic Money Institutions, can only be issued by e-money institu-
tions authorised by the Central Bank of the Republic of Turkey.
www.lexology.com/gtdt 235
© Law Business Research 2020
Turkey SRP-Legal Law Firm
If the design application or design belongs to more than one Remedies for infringement of IP
person, the partnership claim on the right shall be determined pursuant 41 What remedies are available to individuals or companies
to the agreement concluded between the parties, and if there is no such whose intellectual property rights have been infringed?
agreement between the parties, it is determined in accordance with the
provisions related to joint ownership in the Turkish Civil Code No. 4721. According to Law No. 5846, authors whose intellectual property rights
For a patent licence to be granted to third parties in relation to have been violated may:
the use of an invention, each of the right owners must grant permis- • file a civil lawsuit regarding the prohibition of the infringement;
sion unanimously. Even in the case of joint ownership, the rights of the • file a civil lawsuit regarding the prevention of infringement;
owners may not be separated in relation to patent application or patent • request compensation; or
assignment. Additionally, in the case of joint ownership, the right owners • file a criminal lawsuit.
may assign a joint representative.
Finally, according to Law No. 5846, if a work is created by more than According to Law No. 6769, persons whose rights are being violated may:
one author and if the work is of an inseparable nature, joint ownership • file a civil lawsuit regarding probable infringement;
shall be assumed and the provisions regarding ordinary partnerships • file a civil lawsuit to cease infringement;
stipulated under Turkish Obligations Law No. 6098 shall apply. • file a civil lawsuit regarding the removal of infringement and
request compensation; or
Trade secrets • request for necessary precautions to be taken.
39 How are trade secrets protected? Are trade secrets kept
confidential during court proceedings? COMPETITION
Trade secrets are protected under several Turkish regulations, including Sector-specific issues
the Turkish Criminal Code. 42 Are there any specific competition issues that exist with
Duties of confidentiality are established for a variety of parties, respect to fintech companies in your jurisdiction?
including but not limited to, board members, shareholders, proxies,
auditors, employees and contractors. Trade secrets, such as technical Since 2018, Turkish Competition Authority (TCA) has rendered decisions
production secrets, production methods, and research and development in favour as well as against fintech companies. Recently, the TCA made
plans, are protected also under Law No. 6769. a series of decisions that may potentially affect the market structure
According to Turkish Commercial Law No. 6102, the protection of and the nature of competition in payment systems. Essentially, those
trade secrets is stipulated as unfair competition, and persons that act decisions are based on the re-evaluation of earlier granted exemptions
in violation of the confidentiality obligation regarding trade secrets and for certain services of the Interbank Card Centre (BKM). In brief, the TCA
disclose trade secrets in bad faith; and employees, representatives and found that the BKM’s digital wallet, BKM Express, is not qualified for
other contractors that deceive employers into providing trade secrets, exemption as its restrictive effects on competition outweigh the benefits
shall be subject to an administrative sanction or imprisonment of up to general welfare, and the TCA ordered the BKM to stop BKM Express
to two years. In addition, pursuant this Law, employers may request services no later than 30 June 2020.
pecuniary and non-pecuniary damages from persons that violate the
confidentiality obligation and non-competition obligation, causing unfair TAX
competition.
As for the protections offered during litigation processes where Incentives
court records become public knowledge, the Turkish Civil Procedure 43 Are there any tax incentives available for fintech companies
Code shall apply. Pursuant to Law No. 6100, parties that act in bad faith and investors to encourage innovation and investment in the
and unreasonably utilise litigation proceedings to have access to trade fintech sector in your jurisdiction?
secrets shall be subject to part of a or whole retainer fee in addition to
a disciplinary fine. There exists a variety of tax incentives that are applicable to entities
that are active in the technology industry, albeit these incentives are
Branding not exclusive to the fintech industry and under most circumstances an
40 What intellectual property rights are available to protect entity’s entitlement to these incentives requires that a sectoral analysis
branding and how do you obtain those rights? How can of the applicant be performed on a case-by-case review.
fintech businesses ensure they do not infringe existing According to Law No. 4691 on Technology Development Zones, the
brands? fintech companies located in technoparks can benefit from numerous
tax incentives, including exemption from corporate tax, income tax and
There are no specific regulations on intellectual property protection VAT. In addition, if fintech companies are essentially research and devel-
regarding fintech innovations. Intellectual and industrial property rights opment companies, these companies have the right to deduct 50 per
are generally protected by Law No. 5846 on Intellectual and Artistic Work cent of the social security premium exemption for its employees for a
and Law No. 6769. If fintech products or services are subject to indus- period of five years. Further, under the same law, a taxpayer whose
trial property rights (ie, a trademark or patent), a patent or trademark primary place of business is located within a designated tech zone shall
is required to be registered before the Turkish Patent and Trademark be excluded from the duty of paying corporate tax and income tax until
Office. However, there is no registration requirement in terms of intel- 31 December 2023.
lectual rights.
According to the Law No. 5846, ownership of a fintech innovation
will belong to its first creator and he or she will be deemed as an author.
If an employee creates an innovation during the employment contract,
the author will be his or her employer. The duration of the IP right is the
life of the author plus 70 years.
A new digital service tax was introduced with the Law on the Digital
Service Tax and Amendments on Certain Laws and Decree No. 375,
which was published in the Official Gazette on 7 December 2019 and
became effective after three months following its publication. Revenue Cigdem Ayozger Ongun
cigdem@srp-legal.com
gained from the activities that fall under the definition of digital services
and intermediary services provided in the digital environment shall be Begum Erturk
subject to digital service tax. Taxpayers exceeding a revenue threshold begum.erturk@srp-legal.com
of €750 million in global revenue and 20 million lira in local revenue will
be subject to a digital service tax at a rate of 7.5 per cent. 42 Maslak A27/8
The transactions carried out by the fintech companies that fall Maslak 34398
within the scope of the Law on Payment and Securities Settlement Istanbul
Systems, Payment Services and Electronic Money Institutions are Turkey
subject to banking insurance and transaction tax (BITT) at a rate of 5 per Tel: +90 212 4014401
cent in general (although some transactions are subject to 1 per cent or www.srp-legal.com
0 per cent BITT).
IMMIGRATION
in line with the Directive (EU) 2015/2366 on payment services. This
Sector-specific schemes Amendment is expected to enable the entry of new players to the fintech
45 What immigration schemes are available for fintech market, increase cooperation with the banking sector and facilitate the
businesses to recruit skilled staff from abroad? Are there development of fintech sector in Turkey.
any special regimes specific to the technology or financial
sectors? Coronavirus
47 What emergency legislation, relief programmes and other
There is no specific immigration scheme for fintech businesses to recruit initiatives specific to your practice area has your state
staff from abroad. However, in the Turkish legal framework, there are implemented to address the pandemic? Have any existing
several laws and regulations for immigration schemes to recruit skilled government programmes, laws or regulations been amended
staff from abroad. The main regulations are the Turkish Citizenship Law, to address these concerns? What best practices are advisable
the Law on Foreigners and International Protection, the International for clients?
Labour Law, the Law on Work Permits for Foreigners and the Law on
Residence and Travel of Foreigners in Turkey. During the covid-19 outbreak, certain relief regulations have been stipu-
Persons that provide significant investment and employment lated. These include changes to labour law, commercial law, tax law and
opportunities or are expected to provide significant improvements to finance law, such as amendments to working conditions, credit opportu-
the technology and sciences sector, can receive Turkish citizenship nities, supportive payments to be made to employees, profit distribution
under the Turkish Citizenship Law. regulations and the practicalities and delays relating to tax payments.
As for work permits, industries that require specific expert employ- Civil and criminal proceedings and enforcement proceedings have been
ment or a qualified executive candidate be appointed to director postponed and institutions have started to accept online applications
positions, auditor positions that require the supervision of technical only. However, this has not hindered the application of laws. Although
and administrative standards, or any other personnel that might be some sectors have been adversely affected, some companies within
classified as key personnel will be eligible to receive a residency and specific sectors have considerably profited during this period.
work permit. In Turkey, the online education, fitness application, mobile retail
and domestic grocery sectors have profited most during this period,
UPDATE AND TRENDS whereas the most negatively affected are airlines, entertainment busi-
nesses and transport services.
Current developments According to the regulations stipulated under tax and finance laws,
46 Are there any other current developments or emerging if a company’s activity decreases by one-third and the company is in a
trends to note? poor financial state, we advise that these companies take advantage of
the relevant regulations adopted following the covid-19 outbreak.]
A spirited and developing fintech industry exists in Turkey. Even though
there are no specific definitions of crypto-assets in key legislation, there
are no restrictions on engaging in these cryptocurrency transactions
in Turkey. There have been developments in the legal and regulatory
landscape for equity-based crowdfunding, payments, open banking and
the protection of personal data. The recent Amendment to the Law on
Payment and Securities Settlement Systems, Payment Services and
Electronic Money Institutions reorganised the regulatory framework in
the payment and electronic money services and introduced new defini-
tions of account information services and payment initiation services
www.lexology.com/gtdt 237
© Law Business Research 2020
United Arab Emirates
Muneer Khan, Jack Rossiter and Raza Rizvi
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES Beyond the DIFC and ADGM financial free zones, there are a number
of other initiatives to foster innovation in the UAE that cross over into
General innovation climate the UAE fintech sector. The UAE Blockchain Strategy 2021 aims to have
1 What is the general state of fintech innovation in your 50 per cent of all government transactions on the blockchain network
jurisdiction? by 2021. In October 2016, the UAE cabinet launched Government
Accelerators as a new mechanism to boost the achievement of the
There is a generally progressive and ambitious trend around fintech National Agenda to achieve Vision 2021. Additionally, the Smart Dubai
innovation in the UAE, with some fintech subsectors generating more initiative is the Emirate of Dubai government office charged with facili-
notable and scaled innovation than others. Government and public tating Dubai’s citywide smart transformation, to empower, deliver and
sector entities and regulators play a key role in the innovation strate- promote an efficient, seamless, safe and impactful city experience for
gies across most industry verticals and this is also the case for fintech. residents and visitors. Among its key initiatives are the development of
From a financial services regulatory perspective, the UAE comprises Dubai’s first Artificial Intelligence Smart lab and the Dubai Blockchain
three separate and independent jurisdictions: Strategy, which is a collaboration between the Smart Dubai Office and
• the Dubai International Financial Centre (DIFC); the Dubai Future Foundation to continually explore and evaluate the
• the Abu Dhabi Global Market (ADGM); and latest technology innovations. The UAE created the first Minister of AI
• the remainder of the UAE (often referred to as ‘onshore’ or with a mandate that will cross over into fintech innovation. In August
‘onshore UAE’). 2018, it was announced that the DIFC courts has partnered with Smart
Dubai to create the world’s first Court of Blockchain.
Federal-level financial services regulators have jurisdiction over
onshore UAE; however, the DIFC and the ADGM each has its own regula- Government and regulatory support
tory bodies, and all the various regulators across all three jurisdictions 2 Do government bodies or regulators provide any support
have identified fintech innovation (albeit with some differing flavours) specific to financial innovation? If so, what are the key
as a key priority. benefits of such support?
In the DIFC, the DIFC FinTech Hive runs a now well-established
accelerator programme that has focussed on fintech, insurtech, regtech The UAE’s financial services free zones (namely, the ADGM and the
and Islamic fintech start-ups. In tandem, the DIFC’s financial services DIFC) each has its own regulators that have launched initiatives to
regulator, the Dubai Financial Services Authority (DFSA) launched its enable fintech businesses to participate and test their solutions in envi-
Innovation Testing Licence (ITL), a regulatory sandbox in 2017. These initi- ronments with lighter-touch regulation.
atives are in line with the goals of the Dubai Plan 2021 strategy to develop In the ADGM, the FSRA has created a RegLab. Participants in the
Dubai’s economy. The DFSA has also signed a number of bilateral fintech RegLab are not subjected to the full suite of authorisation regulation
agreements with other regulators globally, such as with the Monetary and rules from the outset; rather, a customised set of rules will be
Authority of Singapore in August 2018 and Japan’s Financial Services applied, which will depend on the business model, technology deployed
Agency in September 2018, to cooperate in the development of fintech and risk profile of the fintech participant.
and to foster innovation in their respective jurisdictions. Other similar Under the RegLab framework, fintech participants are given
agreements that the DFSA has entered into include with the Australian two years to develop, test and launch their products and services in
Securities and Investment Commission, the Hong Kong Monetary a controlled environment, after which fintech participants with viable
Authority, the Hong Kong Securities and Futures Commission, the Hong business models will be transferred to the full authorisation and super-
Kong Insurance Authority and the Securities Commission Malaysia. visory regime (provided they meet the authorisation criteria). Firms that
Similarly, the ADGM’s financial services regulator, the Financial are not ready after the two-year period will exit the RegLab framework.
Services Regulatory Authority (FSRA) launched its regulatory sandbox, In the DIFC, the DFSA has created the ITL, which fintech companies
the Regulatory Laboratory (RegLab) following the implementation of its can apply for to test an innovative product or service for six to 12 months.
fintech legislative framework. The ADGM has also partnered with the In exceptional cases, the DFSA will consider extending that period. If an
Association of Southeast Asian Nations Financial Innovation Network, ITL licensee has met the outcomes detailed in its regulatory test plan, and
which launched a digital marketplace – the Application Programming it can meet the full DFSA authorisation requirements, it will migrate to
Interface Exchange (APIX) – for South-East Asia to support financial full authorisation. If it does not, the company will have to cease carrying
inclusion, to test the cross-border connectivity between the ADGM on activities in the DIFC that need regulation. The DIFC also launched a
Digital Sandbox and APIX. Both the DFSA and the FSRA joined the Global fintech fund of US$100 million fund with a stated objective to help prom-
Financial Innovation Network (GFIN), to, among other objectives, assist ising start-ups raise growth capital, while also supporting their outreach
with cross-border testing. and connections within the wider financial services industry.
To further the ambition of innovation of Dubai and the UAE in • dealing in products and investments (either as principal or agent);
the financial world, the DFSA and the FSRA are committed to cross- • underwriting and placing financial products;
border testing under the direction of the GFIN. The purpose of such a • offering and providing discretionary investment manage-
pilot scheme is to assist in providing efficient ways for fintech firms to ment services;
engage with regulators across multiple jurisdictions. • marketing or selling funds (including the provision of invest-
ment advice);
FINANCIAL REGULATION • accepting deposits;
• providing credit;
Regulatory bodies • providing money services;
3 Which bodies regulate the provision of fintech products and • arranging deals in investments;
services? • managing assets;
• managing a collective investment fund;
For banking and lending-related activities in onshore UAE, the financial • advising on financial products; and
services regulator is the UAE Central Bank, while for securities and • insurance intermediation.
capital markets-related matters, the UAE Securities and Commodities
Authority (SCA) is the relevant regulator. Onshore UAE also has an insur- Securities and financial products that are regulated by the respective
ance-sector regulator, which is the UAE Insurance Authority (IA). For all financial services regulators across onshore UAE, the DIFC and the
regulated financial activities in the Dubai International Financial Centre ADGM include, but are not limited to, equity securities, debt securi-
(DIFC), the regulator is the Dubai Financial Services Authority (DFSA). For ties, linked products, derivatives, structured products, deposits, notes
all regulated financial activities in the Abu Dhabi Global Market (ADGM), and warrants.
the regulator is the Financial Services Regulatory Authority (FSRA).
Consumer lending
Regulated activities 5 Is consumer lending regulated in your jurisdiction?
4 Which activities trigger a licensing requirement in your
jurisdiction? Yes. Article 65 of UAE Decretal Federal Law No. 14 of 2018 Regarding the
Central Bank and Organisation of Financial Institutions and Activities
The onshore UAE regulatory regime is separate and different from the provides that the UAE Central Bank will regulate, among other things,
regulatory regime found in the DIFC and the ADGM. So, when consid- the activities of ‘providing credit facilities of all types’, ‘providing stored
ering the UAE, it is important to first ask which specific jurisdiction and values services, electronic retail payments and digital money services’
financial regulatory regime is applicable. and ‘providing virtual banking services’.
As financial free zones, both the DIFC and the ADGM have their own With regard to the provision and booking of these services ‘in
common law-based commercial and civil legal and financial services or from’ either the DIFC or the ADGM, these activities are likely to be
regulatory frameworks, as well as their own dedicated courts. The DFSA considered as ‘providing credit’, which will require a licence from either
is the financial services regulator for activities conducted in or from the the DFSA or FSRA respectively. To the extent that these services are
DIFC and the FSRA regulates financial services activities in or from the only ‘advised’ on or ‘arranged’ from the same jurisdictions, an appro-
ADGM. The relevant federal onshore UAE (ie, in the UAE but outside priate licence would also be required from either the DFSA or FSRA. If
the DIFC and ADGM) financial regulators are the SCA, the UAE Central these services are merely promoted (with no ‘advising’ or ‘arranging’)
Bank and the IA. The UAE Central Bank is the prudential regulator for ‘in or from’ either financial free zone, unless an exemption applies, a
onshore UAE and mainly regulates activities relating to banking and Representative Office licence would be required from either the DFSA
lending activities such as: or the FSRA respectively.
• deposit taking (including sweep deposit accounts);
• foreign exchange trading; Secondary market loan trading
• guarantees and commitments; 6 Are there restrictions on trading loans in the secondary
• payment services (including the issuance of payment instruments market in your jurisdiction?
and other means of payments);
• primary lending; Secondary market loan trading is an activity regulated by the UAE
• factoring; Central Bank. It constitutes primary lending and is regulated whether or
• invoice discounting; not the loan has been fully drawn. The trading of loans would also consti-
• arranging primary loans; tute a regulated financial services activity in the DIFC and the ADGM.
• secondary market loan trading; and
• secondary market loan intermediation. Collective investment schemes
7 Describe the regulatory regime for collective investment
Outside the banking and lending context, the UAE Central Bank was schemes and whether fintech companies providing
historically the sole financial services regulator for onshore UAE prior alternative finance products or services would fall within its
to the establishment of the SCA (in 2001) and the IA (in 2007). There are scope.
therefore some other areas of financial activity that the UAE Central
Bank continues to regulate – such as, among other things, currency In onshore UAE, there is a general prohibition on marketing unregis-
brokerage, money exchange and some activities that would be typically tered collective investment schemes (ie, funds) unless they have been
associated with investment banking. registered with the SCA accordingly (either for private or public promo-
Generally, the types of regulated activities in onshore UAE, the tion). However, the onshore UAE marketing prohibition does not apply
DIFC and the ADGM include, among other things: to the promotion of foreign funds to a non-natural ‘qualified investor’. A
• the marketing and sale of securities; non-natural qualified investor is defined in the SCA rules and includes
• providing investment advice; the federal government, among others.
www.lexology.com/gtdt 239
© Law Business Research 2020
United Arab Emirates Simmons & Simmons LLP
There is a private placement regime under the SCA rules, where • benefit from a new financial activity and licence for operating such
if the potential investor is a natural person, foreign funds can be regis- a platform;
tered for private placement by an SCA-licensed promoter subject to • apply appropriate prudential and conduct of business require-
several conditions. ments for these platforms;
With regard to the DIFC, there is a prohibition on marketing unreg- • disseminate appropriate risk warnings and disclosures to lenders
istered funds in the DIFC except through a DFSA-licensed intermediary and borrowers;
with the appropriate type of licence, unless an exemption applies. The • conduct suitable due diligence on the borrowers as well as checks
prohibition on the offer or sale of a fund only applies where this activity on lenders;
is carried out ‘in or from’ the DIFC. It is not possible to register a foreign • deploy a business cessation plan in the event that it ceases oper-
fund for distribution in the DIFC. Funds need only be registered with the ations; and
DFSA if they are domiciled in the DIFC. There are currently relatively few • follow rules in relation to transfer of rights and obligations
funds domiciled in the DIFC and so most funds marketed in the DIFC are between lenders.
foreign (ie, non-DIFC-domiciled) and, therefore, unregistered. However,
all funds and collective investment schemes promoted ‘in or from’ the On 1 August 2017, changes to the DFSA rules came into force that intro-
DIFC need to meet a fund eligibility criteria. duced rules relevant to crowdfunding. Additional rules, which included
Once a marketing entity holds the appropriate licence it may investment limits and property valuation requirements in the context of
market foreign domiciled funds or DIFC-domiciled funds, provided it property crowdfunding, came into force on 1 July 2019.
markets only to investors within the scope of its licence, and in the case
of any foreign fund: Crowdfunding
• the fund qualifies as a ‘designated’ or ‘non-designated fund’; 10 Describe any specific regulation of crowdfunding in your
• the marketing entity has a reasonable basis for recommending a jurisdiction.
fund as suitable to a particular client; or
• the fund offered discreetly to persons who are professional clients Financial services in the UAE are regulated either by the UAE Central
and the minimum subscription per investor is US$50,000. Bank, the IA or the SCA depending on the nature of the activity. In
Similar provisions exist with regard to the ADGM. respect of financial free zones in the UAE, such activities are regu-
lated by the DFSA in the DIFC, and the FSRA in the ADGM. In particular,
Following public consultation, with effect from 31 August 2017, the DFSA issues of securities by UAE companies are regulated under the UAE
updated its rules to include ‘operating a crowdfunding platform’ as a Companies Law (Federal Law No. 2 of 2015) and regulations issued
regulated activity. by the SCA. As such, under the UAE Companies Law, only public joint-
With regard to onshore UAE, while the UAE Central Bank is stock companies may offer securities by way of a public subscription
reported to be in the process of drafting regulations relevant to crowd- through a prospectus. Other companies, whether incorporated in the
funding, no specific regulatory regime has been introduced. However, UAE (onshore or in a free zone) or in a foreign jurisdiction, are prohib-
depending on the specific activities undertaken (ie, where the platform ited from advertising including the invitation to a public subscription
merely introduces two independently contracting parties or if the plat- without the approval of the SCA. In practice, private joint-stock compa-
form is actively establishing a fund or offering securities), the activity nies are entitled to issue securities to sophisticated investors by way
may potentially fall under existing UAE Central Bank or SCA regulation. of a private placement. Accordingly, this regulatory limitation restricts
the ability of limited liability companies, the legal form adopted by
Alternative investment funds most SMEs in the UAE, from raising funds through equity-based
8 Are managers of alternative investment funds regulated? crowdfunding.
On 1 August 2017, changes to the DFSA rules came into force that
Yes, managers of alternative investment funds are regulated in onshore introduced rules relevant to crowdfunding. Additional rules, which
UAE, the DIFC and the ADGM. included investment limits and property valuation requirements in the
context of property crowdfunding, came into force on 1 July 2019.
Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or Invoice trading
marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
Lending is a regulated activity whereby intermediary platforms are
required to obtain approvals to operate from the UAE Central Bank, Invoice trading currently falls within the activity of ‘arranging credit’
which would trigger compliance requirements on the platform including within the DIFC and is regulated as such by the DFSA. Similar provi-
the proper vetting of borrowers and anti-money laundering checks. sions exist in the ADGM. With regard to onshore UAE, invoice trading will
While interest is prohibited under articles 409 to 412 of the Penal require a form of regulatory licence either from the UAE Central Bank
Code and is void under articles 204 and 714 of the Civil Code, interest is (if providing credit) or the SCA (if invoices were to be considered as
permitted under articles 77 and 90 of the Commercial Code, provided it a financial product falling within the SCA’s Promoting and Introducing
does not exceed 12 per cent. In any case, UAE Federal Supreme Court Regulations – Regulation 3/RM of 2017). To the extent that services
Decision No. 14/9 of 28 June 1981 permits the charging of simple are merely promoted within onshore UAE, the DIFC or the ADGM,
interest (presumably as opposed to compound interest) in connection a Representative Office licence in the respective jurisdiction would
with banking operations. be required.
The DFSA issued a consultation paper in early 2017 called
‘Crowdfunding: SME Financing through Lending’, which proposed a
regulatory framework to operate loan-based crowdfunding platforms in
the DIFC. In summary, the DFSA proposed a regime whereby loan-based
crowdfunding platforms in the DIFC:
Payment services criminal liability under article 379 of the UAE Penal Code. Further,
12 Are payment services regulated in your jurisdiction? article 106 of the Banking Law requires the UAE Central Bank to keep
confidential all banking data that it receives.
Yes. On 1 January 2017, the UAE Central Bank published its Regulatory
Framework for Stored Values and Electronic Payment Systems Robo-advice
(the Digital Payment Regulation), which covers the following digital 14 Describe any specific regulation of robo-advisers or other
payment services: companies that provide retail customers with automated
• cash-in services: enabling cash to be placed in a payment account; access to investment products in your jurisdiction.
• cash-out services: enabling cash withdrawals from a payment
account; The FSRA has issued a regulatory framework for digital investment
• retail credit and debit digital payment transactions; managers (robo-advisers) operating in the ADGM. To supplement this,
• government credit and debit digital payment transactions; the FSRA has also released guidance to illustrate how its regulatory
• peer-to-peer digital payment transactions; and framework applies to robo-advisers in the ADGM. In particular, the guid-
• money remittances. ance outlines:
• the regulatory permission that may be required to provide digital
The Digital Payment Regulation does not apply to the following payment investments services in or from the ADGM; and
services or providers, although it states that the list below may be • how the FSRA will apply its authorisation criteria in key existing
subject to other Central Bank laws and regulations: areas of technology governance, suitability and disclosure, and
• payment transactions in cash without any involvement from an newer areas such as algorithm governance.
intermediary;
• payment transactions using a credit or debit card; Insurance products
• payment transactions using paper cheques; 15 Do fintech companies that sell or market insurance products
• payment instruments accepted as a means of payment only to in your jurisdiction need to be regulated?
make purchases of goods or services provided from the issuer or
any of its subsidiaries (ie, closed-loop payment instruments); Nothing in current UAE legislation (whether onshore UAE, DIFC or
• payment transactions within a payment or settlement system ADGM) specifically regulates fintech companies that wish to sell or
between settlement institutions, clearinghouses, central banks and market insurance products, and, therefore, the general regulation
payment service providers (PSPs); around the sale and marketing of insurance products in the relevant
• payment transactions related to transfer of securities or assets jurisdictions applies.
(including dividends, income and investment services); The IA was established under Federal Law No. 6 of 2007 (the
• payment transactions carried out between PSPs (including their Insurance Law). The IA, through the powers given to it under the
agents and branches) for their own accounts; and Insurance Law, regulates insurance and reinsurance operations in
• technical services providers. onshore UAE. Insurance operations include insurance activities such as
life assurance and funds accumulation operations, properties insurance
The Digital Payment Regulation specifies four categories of PSPs: retail and life liability insurance.
PSPs, micropayment PSPs, government PSPs and non-issuing PSPs. Detailed financial regulations around insurance companies were
In November 2019, the DFSA published Consultation Paper No.125 published at the end of 2014. The IA has issued various guidance and
on Proposals for Money Services. circulars that affect the scope of regulation around the insurance
In the paper, the DFSA set out its proposal to allow certain activities industry in the UAE. Insurtech businesses looking at the UAE market
relating to money services that have emerged owing to rapid advance- will need to observe additional guidance from the IA.
ments in technology, with the DFSA recognising that these activities
could promote the growth of regulated financial services activities in Credit references
the DIFC and provide greater protection and choices to users of money 16 Are there any restrictions on providing credit references or
services. One of the activities it proposed to allow was the provision of credit information services in your jurisdiction?
money services (as defined in the DFSA Rulebook Conduct of Business
Module (COB)) in respect of electronic currency. The consultation has On 15 April 2018, the SCA issued Chairman of the SCA Board of Directors’
since closed and amendments to the DFSA Rulebook COB Module came Decision No. 18/RM of 2018 Concerning the Regulations as to Licensing
into force on 1 April 2020, introducing requirements for the provision of Credit Rating Agencies. Under these regulations, a credit rating is ‘a
money services in relation to electronic money in the DIFC. periodic measure to determine and assess the ability of the rated entity
to meet its financial liabilities, and potential risks that may affect it, and
Open banking to evaluate the financial products and potential risks of acquiring them
13 Are there any laws or regulations introduced to promote by the investor’ and credit rating activities are regulated. To be eligible
competition that require financial institutions to make for a licence to carry on credit rating activities, an entity must have,
customer or product data available to third parties? among other things, a minimum of 2 million UAE dirhams in capital and
consent from the UAE Central Bank or the IA (should the licence applica-
Other than in the context of a regulatory or official investigation, there tion be subject to their mandate).
is no specific obligation in UAE legislation requiring the disclosure of In the DIFC, ‘operating a credit rating agency’ is a regulated activity
data to third parties. However, the Digital Payment Regulation maintains that would require a DFSA licence. Similar provisions exist in the ADGM.
the UAE Central Bank’s rights to impose access regimes and interoper- However, individual credit reference and information services
ability obligations on PSPs. are possible in the UAE through the Al Etihad Credit Bureau (AECB),
The general position is that financial institutions that are in a posi- which is a public joint stock company wholly owned by the UAE federal
tion to collect and store data from the public are bound by a duty of government. According to UAE Federal Law No. 6 of 2010 concerning
confidentiality. A breach of this duty of confidentiality could attract Credit Information, the AECB is mandated to regularly collect credit
www.lexology.com/gtdt 241
© Law Business Research 2020
United Arab Emirates Simmons & Simmons LLP
information from financial and non-financial institutions in the UAE. SALES AND MARKETING
The AECB aggregates and analyses this data to calculate credit scores
and produce credit reports that are made available to individuals and Restrictions
companies in the UAE. The AECB collects information on individuals 19 What restrictions apply to the sales and marketing of
and companies from banks, finance companies and telecoms compa- financial services and products in your jurisdiction?
nies. Additional information from other sources such as utilities, real
estate, government and other entities are planned to be added in the There are a number of restrictions on the offering or promotion of finan-
future. Financial institutions in the UAE are mandated by law to supply cial services in onshore UAE, the Dubai International Financial Centre
the AECB with all credit information on a monthly basis. and the Abu Dhabi Global Market, and in many cases corresponding
exemptions relating to these promotions, all of which differ according to
CROSS-BORDER REGULATION the type of product or service offered.
responsibility for implementing and overseeing compliance; the officer Assignment of loans
must have an appropriate level of seniority and independence to act in 24 What steps are required to perfect an assignment of
the role and be resident in the UAE. loans originated on a peer-to-peer or marketplace lending
Similar to the DIFC, the federal legislation governing money laun- platform? What are the implications for the purchaser if the
dering and terrorist financing also applies within the Abu Dhabi Global assignment is not perfected? Is it possible to assign these
Market (ADGM). The ADGM’s AML rules are contained in the Anti-Money loans without informing the borrower?
Laundering and Sanctions Rules and Guidance Module to the Financial
Services Regulatory Authority Rulebook (the ADGM AML Module). In onshore UAE, an assignment of rights requires only notification from
According to the ADGM AML Module, an entity must have policies, proce- the assignor to the counterparty, confirming the assignment to the
dures, systems and controls that ensure compliance with the federal assignee. Where this is not possible, the bank may require this income
law, enable suspicious customers and transactions to be detected and to be deposited into a collection account, which will be covered by an
reported, ensure the entity is able to provide an appropriate audit of trail accounts pledge.
of a transaction, and ensure compliance with any other obligations as In the DIFC, an assignment is perfected when it attaches (ie, when
contained in the ADGM AML Module. it becomes enforceable against the debtor or third party). The position
in the ADGM is similar.
Guidance Assuming there are no contractual restrictions on transfers, the
22 Is there regulatory or industry anti-financial crime guidance position in each of the relevant jurisdictions is as follows.
for fintech companies?
Onshore UAE
There is no guidance specifically targeted at fintech companies. The Article 1109 of the UAE Civil Code (Federal Law No. 5 of 1985) provides
regulatory guidance on financial crime is contained in the DFSA AML that the assignor, the assignee and the borrower must consent for there
rules, the ADGM AML rules and the applicable federal laws. to be a valid assignment. There are Federal Supreme Court judgments
Further federal legislation in relation to financial crime regarding holding that, in commercial matters, the consent to the assignment by
corporate and business fraud is contained in articles 399 to 402 of the the borrower is not necessary, although evidence will be required that
UAE Penal Code (Federal Law No. 3 of 1987), provisions of the Dubai the borrower has been notified of the assignment.
Recovery of Public Funds (Dubai Law No. 37 of 2009) and other specific UAE law does not generally recognise the concept of beneficial
offences set out in legislation including the UAE Cyber Crimes Law ownership. Accordingly, an assignee of certain rights otherwise than in
(Federal Law No. 5 of 2012) and the UAE Commercial Transactions Law accordance with the UAE will not be recognised as having a beneficial
(Federal Law No. 18 of 1993). interest in the rights to be assigned.
www.lexology.com/gtdt 243
© Law Business Research 2020
United Arab Emirates Simmons & Simmons LLP
Securitisation risk retention requirements The UAE federal government and certain emirate-level govern-
25 Are securitisation transactions subject to risk retention ments have publicly committed to the creation of problem statements
requirements? and use cases to enable government services to benefit from DLT and,
in particular, blockchain. Examples of this include the government of
There are currently no risk retention requirements within the onshore Dubai’s public commitment to have all government services and trans-
UAE legislation or the legislation of the DIFC or ADGM. However, while actions on the blockchain by 2020.
not imposed by UAE law, securitisations originating in the UAE may still In some areas, UAE law is permissive as regards the use of DLT
be subject to risk retention rules depending on the relevant investor and distributed digital ledgers or databases in scenarios where parties
base that is being marketed to. intend to create legal relations; for example, article 12 of Federal Law
No. 1 of 2006 on Electronic Commerce and Transactions, which seems to
Securitisation confidentiality and data protection requirements have foreseen ‘smart contracts’ by confirming the validity and enforce-
26 Is a special purpose company used to purchase and securitise ability of contracts formed through computer programs that include two
peer-to-peer or marketplace loans subject to a duty of or more electronic information systems present and preprogrammed to
confidentiality or data protection laws regarding information carry out the transaction, even if no individual is directly involved.
relating to the borrowers?
Crypto-assets
There are likely to be contractual duties of confidentiality in the relevant 29 Are there rules or regulations governing the use of crypto-
local documentation that may require borrower consent prior to disclo- assets, including digital currencies, digital wallets and
sure concerning the loans or the borrowers. Further, if the borrowers e-money?
are data subjects for the purposes of the DIFC Data Protection Law or
the ADGM Data Protection Law, the special purpose vehicle may be Virtual currencies are defined in the Regulatory Framework for
treated as a processor for the purposes of those laws. Stored Values and Electronic Payment Systems (the Digital Payment
Regulation) as:
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
TECHNOLOGY AND CRYPTO-ASSETS Any type of digital unit used as a medium of exchange, a unit of
account, or a form of stored value. Virtual Currency is not recog-
Artificial intelligence nised by this Regulation. Exceptions are made to a digital unit that:
27 Are there rules or regulations governing the use of artificial (a) can be redeemed for goods, services, and discounts as part
intelligence, including in relation to robo-advice? of a user loyalty or rewards programme with the Issuer; and (b)
cannot be converted into a fiat/virtual currency.
The Financial Services Regulatory Authority (FSRA) has issued a regu-
latory framework for digital investment managers (robo-advisers) The Digital Payment Regulation contained a provision which that stated
operating in the Abu Dhabi Global Market (ADGM). To supplement this, that ‘all virtual currencies (and any transactions thereof) are prohib-
the FSRA has also released guidance to illustrate how its regulatory ited’. A month after the Digital Payment Regulation was published, the
framework applies to robo-advisers in the ADGM. In particular, the guid- Governor of the UAE Central Bank issued a statement to the state media
ance outlines: to say that the regulations ‘do not cover digital currency’ but are under
• the regulatory permissions that may be required to provide digital further review and likely to be subject to new regulations in due course.
investments services in or from the ADGM; and For now, there remains a grey area around the specific legal status
• how the FSRA will apply its authorisation criteria in key existing of virtual currencies (eg, bitcoin) in the UAE, which affects how they
areas of technology governance, suitability and disclosure, and are treated and any restrictions around specific use. However, while
newer areas such as algorithm governance. there are currently no laws in force that specifically regulate crypto-
assets in the UAE, in October 2019, the UAE Securities and Commodities
Otherwise, there are currently no rules or regulations governing the Authority (SCA) issued draft legislation – the Regulation for Issuing and
use of artificial intelligence or automated investment advice (ie, robo- Offering Crypto Assets – that, when implemented, will directly regulate
advisory services) in the Dubai International Financial Centre (DIFC) crypto-assets in the UAE. The draft regulations cover all aspects of the
or onshore UAE. Those conducting these automated investment activi- crypto-asset industry, such as safekeeping practices and compliance
ties will need to ensure that they are authorised to provide investment with financial crime prevention measures.
advice, irrespective of the method of delivery. The ADGM regulatory framework for virtual assets (first introduced
The Dubai Financial Services Authority's (DFSA) Innovation Testing on 25 June 2018 and amended in February 2020) features a number of
Licence regime has been used to issue licences relevant to automated guidance points related to virtual assets and digital wallets.
investment advisory services. In these cases, there are bespoke disclo- In November 2019, the DFSA published Consultation Paper No.125
sures, reporting conditions and monitored progress in line with an on Proposals for Money Services. In the paper, the DFSA set out its
agreed ‘regulatory test plan’. Firms intending to provide robo-advi- proposal to allow certain activities relating to money services that have
sory services have also been accepted into the ADGM’s Regulatory emerged owing to rapid advancements in technology, with the DFSA
Laboratory (which provides a controlled environment for fintech partici- recognising that these activities could promote the growth of regulated
pants to develop and test innovative fintech solutions). financial services activities in DIFC and provide greater protection and
choices to users of money services. One of the activities it proposed
Distributed ledger technology to allow was the provision of money services (as defined in the DFSA
28 Are there rules or regulations governing the use of Rulebook Conduct of Business Module (COB)) in respect of electronic
distributed ledger technology or blockchains? currency. Amendments to the DFSA Rulebook COB Module came into
force on 1 April 2020, introducing requirements for the provision of
There are currently no dedicated rules or guidelines regarding the use money services in relation to electronic money in the DIFC.
of distributed ledger technology (DLT) or blockchain.
Following a public consultation, on 25 June 2018 the ADGM FSRA issued Not specifically.
its framework for the regulation of spot crypto-asset activities, including On 13 September 2017, the DFSA issued a General Investor Statement
those undertaken by exchanges, custodians and other intermediaries in on Cryptocurrencies that warned that it considered initial coin offerings
the ADGM. Specifically, the FSRA introduced the new regulated activity (ICOs) to be high-risk investments owing, in part, to the complex systems
of ‘Operating a Crypto Asset Business’ that covers, among other things, and technology on which they are based. According to the DFSA General
the arranging, buying, selling, custody provision, marketing and advising Statement, cryptocurrencies and ICOs have their own unique risks, which
on the merits of the buying or selling of ‘Accepted Crypto Assets’. The may not be easy to identify or understand. The statement urged potential
regime also included a regulatory framework for the operation of a investors to conduct due diligence and exercise caution. This is a similar
‘Crypto Assets Exchange’ and a ‘Crypto Asset Custodian’. approach to that taken by the UK’s Financial Conduct Authority, which
On 14 May 2019, the FSRA issued its updated guidance addressing, released a consumer warning on the risks of ICOs on 12 September 2017.
among other things: In the ADGM, the FSRA is moving towards greater regulation of
• Stablecoins and fiat tokens: stablecoins that are fully backed by virtual currencies under its principal financial services legislation, the
fiat currencies (fiat tokens) will be treated as a form of digital ADGM FSMR, as amended. The FSRA issued its Supplementary Guidance
representation of money. Where used as a payment instrument – Regulation of Initial Coin/Token Offerings and Virtual Currencies under
for the purposes of money transmission as defined under the the FSMR on 9 October 2017, which is aimed at those wanting to use ICOs
ADGM’s Financial Services and Markets Regulations 2015 (FSMR), to raise funds, investors and generally anyone considering transacting
the activity will be licensed and regulated as ‘providing money in virtual currencies. It states that whether or not an ICO is regulated
services’. under the FSMR, it will be assessed by the FSRA on a case-by-case
• Custody: further clarity on the types of crypto-asset custody activi- basis. If the tokens in an ICO are assessed to exhibit the characteris-
ties that can be undertaken and setting out FSRA expectations in tics of a security (as defined in the FSMR, such as, among other things,
terms of custody governance and operations. ‘certificates representing certain financial instruments’ or ‘instruments
• Technology governance: further enhancements and clarifications giving entitlements to investments’), the FSRA may deem them to be a
are introduced, including in relation to changes in the underlying security under section 58(2)(b) of the FSMR, which empowers the FSRA
protocol of a crypto-asset that results in a fork (coding change), to deem any investment a security under ADGM regulation. The ADGM
and the associated governance and control expectations for crypto- Guidance also outlines that derivatives of virtual currencies or secu-
asset exchanges and licence-holders. rity tokens will be regulated as ‘specified investments’ under the FSMR.
• FSRA Anti-Money Laundering and Sanctions Rules and Guidance: However, the ADGM Guidance states that other virtual tokens that do
as the Anti-Money Laundering Rulebook applies in full to the regu- not exhibit the features and characteristics of a regulated investment
lated activity of crypto-asset operators or holders, the guidance or instrument under the FSMR will be treated as commodities and not
has been updated with the latest local and global changes and regulated as specified investments under the FSMR.
provides further clarity on the use of new regulatory and surveil- Outside the UAE’s financial free zones in onshore UAE, the UAE
lance technologies in this area. Central Bank issued a Regulatory Framework for Stored Values and
Electronic Payment Systems on 1 January 2017, under powers vested
As part of its ongoing commitment to regularly update and improve its in the UAE Central Bank under the UAE Decretal Federal Law No. 14
crypto-regulatory framework based on global developments, the FRSA of 2018 Regarding the Central Bank and Organisation of Financial
updated its virtual asset regulatory framework in February 2020. Institutions and Activities. The Regulatory Framework for Stored Values
Among other things, the key amendments included: and Electronic Payment Systems states that its purpose is to facilitate
• changing the definition of ‘crypto-asset’ to ‘virtual asset’ (to align the robust adoption of digital payments across the UAE in a secure
the terminology in the legalisation with that of the Financial Action manner. However, it then states that virtual currencies (and any trans-
Task Force); and actions thereof) are prohibited.
• moving the applicable regulations and rules from the bespoke A virtual currency is defined as ‘any type of digital unit used as
category of ‘Operating a Crypto Asset Business’ to the respective a medium of exchange, a unit of account, or a form of stored value,
underlying regulated activities (eg, providing custody, operating a although there are exceptions for digital units that can be redeemed
mulitlateral trading facility and dealing in investments). This is to for goods, services, and discounts as part of a user loyalty or rewards
be better reflect the nature of the underlying activities in relation programmes with the issuer, and which cannot be converted into a fiat
to virtual assets. or virtual currency’.
On the face of it, the Regulatory Framework for Stored Values and
Currently, there are no other rules in onshore UAE, the DIFC or the Electronic Payment Systems seemed to cover the major virtual or cryp-
ADGM specific to the operation of digital currency exchanges or broker- tocurrencies on the market. However, on 23 October 2017, the Governor
ages. However, in October 2019, the SCA issued draft legislation of the UAE Central Bank stated that the Regulatory Framework for
– the Regulation for Issuing and Offering Crypto Assets – that, when Stored Values and Electronic Payment Systems did not apply to all
implemented, will directly regulate cryptoassets in the UAE, including virtual currencies. The Governor then clarified the UAE Central Bank’s
crypto-exchanges. As of 21 May 2020, these regulations are yet to enter policy on virtual currencies on 23 October 2017 by warning against use
into force and so, for the time being, the existing regulations relevant of ‘digital coins’ saying it had not issued a licence to allow virtual curren-
to exchanges or authorised market institutions generally may apply if cies in the local UAE market. The Governor also warned of the risks of
a digital currency is deemed to be a security. However, with the draft using digital currencies as a medium for exchange, stating that because
crypto-asset regulations having been published, this is an area where virtual currencies do not go through official channels and cannot be
regulation is susceptible to change at short notice. monitored or controlled, they pose a risk of being used for money laun-
dering or terrorist financing purposes.
www.lexology.com/gtdt 245
© Law Business Research 2020
United Arab Emirates Simmons & Simmons LLP
Similarly, the SCA issued a public warning on ICOs in February • impose conditions concerning the disclosure of personal data to
2018, cautioning investors to be aware of some risks associated with third parties and the transfer of personal data outside the respec-
these investments, such as the potential for fraud, high volatility in tive free zone.
light of speculation, and the fact they are not specifically catered for
under existing SCA regulations. Whether the SCA will consider ICOs as a The DIFC law is enforced by the Commissioner of Data Protection, while
‘foreign security’ under existing legislation, such as the SCA Promoting the Registrar is responsible for enforcing the ADGM law.
and Introducing Regulations (SCA Decision No. 3/R of 2017), remains
to be seen. Fintech-specific rules and regulations
Of particular relevance to fintech products and services is the Regulatory
DATA PROTECTION AND CYBERSECURITY Framework for Stored Values and Electronic Payment Systems (the
Digital Payment Regulation), which requires payment service providers
Data protection (PSPs) to keep users’ identification and transaction data confidential
32 What rules and regulations govern the processing and and to only disclose this data to the relevant user, the Central Bank,
transfer (domestic and cross-border) of data relating to another regulatory authority approved by the Central Bank or by order
fintech products and services? of a UAE court. There is a separate requirement to ensure that personal
data is only processed and shared for the purposes of compliance with
The UAE does not yet have a specific, standalone data protection law. anti-money laundering and terrorist financing legislation. The Digital
Instead, various general and sector-specific laws and regulations govern Payment Regulation also provides for minimum retention periods for
aspects of the processing of personal data in the UAE. For example, the user and transaction data. There are no other legal requirements or
UAE Constitution provides for a right to freedom and secrecy of commu- regulatory guidance relating to personal data that are specifically aimed
nications; the Penal Code and Cybercrime Law provide for a range of at fintech companies.
criminal offences prohibiting the disclosure or publication of private
information and the interception of personal communications; the Civil Anonymisation and aggregation of personal data
Code and Labour Law set out certain obligations on employers when There are no specific legal requirements or regulatory guidance in the
dealing with employee information; another law governs the collection, UAE dealing with the anonymisation or aggregation of personal data
processing and disclosure of credit-related information; and telecoms used for commercial gain. This, and the absence of a specific data
operators are subject to special regulations regarding the protection of protection law in the UAE (outside the financial free zones), has the
subscriber information. result that there is a wider scope for the commercial exploitation of data
While there has been no formal confirmation or release, a draft for commercial purposes in the UAE.
data protection law is generally known to be under consideration by the The definitions of ‘personal data’ in the ADGM and DIFC data
UAE government. protection laws each require the individual to whom the data relates
The Abu Dhabi Global Market (ADGM) and Dubai International to be identifiable. The guidance published by the DIFC Commissioner
Financial Centre (DIFC) have each introduced standalone laws of Data Protection suggests that, as data that is stripped of all personal
governing the processing of personal data by organisations operating in identifiers will no longer relate to an identifiable individual, the DIFC
their respective zones. The DIFC’s much anticipated new and refreshed data protection law will no longer apply.
data protection law was enacted on 1 June 2020 and set to become The guidance cautions that complete anonymisation may be diffi-
enforceable after 1 October 2020. cult to achieve in practice, as data will still be protected if it is possible
Although the new DIFC data protection law sets a high benchmark to identify an individual indirectly using the data. The guidance also
and aligns more closely with the GDPR, it does share some common reminds organisations that the act of anonymisation is itself an activity
elements with the data protection law in the ADGM. For instance, each that must be conducted in compliance with the DIFC data protection law.
law requires that personal data is processed in a manner that is fair, The guidance published in respect of the ADGM data protection regime
lawful and secure. does not provide further comment on the anonymisation or aggregation
The most common methods used by businesses in each free zone of personal data.
to ensure that their processing of personal data is fair and lawful are: In light of the restrictions on the processing of user and transac-
• obtaining the consent of the relevant individual to the processing tion data introduced by the Digital Payment Regulation, PSPs seeking to
of their data; use personal data for commercial gain will need to consider employing
• processing the data based on the ‘legitimate interests’ of the anonymisation and aggregation techniques in respect of the data
company undertaking the processing (provided that these inter- they hold.
ests are not overridden by the interests of the individual);
• processing in order for the company undertaking the processing to Cybersecurity
comply with a legal requirement (not a contractual requirement); and 33 What cybersecurity regulations or standards apply to fintech
• processing in order to perform or enter into a contract with the businesses?
individual.
Fintech businesses must comply with the UAE Cyber Crimes Law
The ADGM and DIFC data protection laws also require organisations to: (Federal Law 5 of 2012 on Combatting Cybercrimes), the provisions of
• provide specific information to individuals before collecting their which broadly relate to IT security, state security and political stability,
personal data; morality and proper conduct and financial and commercial issues arising
• create various rights for individuals, including rights to obtain from the use of the internet or IT infrastructure. The Cyber Crimes Law
a copy of personal data, to require the correction or deletion of has extraterritorial effect.
personal data, and to object to the processing of personal data, that
a company holds about them;
• require organisations to implement appropriate security
measures; and
OUTSOURCING AND CLOUD COMPUTING As computer programs are not specifically excluded from patent-
ability under UAE legislation, so long as registration formalities are
Outsourcing followed, it is possible in principle to obtain patent protection for
34 Are there legal requirements or regulatory guidance with software-implemented inventions and business methods. It is likely to
respect to the outsourcing by a financial services company of be more difficult, however, for these inventions to meet the criteria of
a material aspect of its business? novelty, inventiveness and industrial applicability as required by UAE
legislation.
There is no regulatory guidance setting out notification or approval
requirements where a financial services company in the UAE intends IP developed by employees and contractors
to outsource a material aspect of its business. However, depending on 37 Who owns new intellectual property developed by an
the nature of the company and the functions being outsourced, there employee during the course of employment? Do the same
may be other restrictions. For example, the Regulatory Framework for rules apply to new intellectual property developed by
Stored Values and Electronic Payment Systems (the Digital Payment contractors or consultants?
Regulation) imposes restrictions upon certain payment service
providers (PSPs) looking to outsource operational functions where, Copyright in works created by an employee in the course of employ-
among other things, the functions being outsourced are deemed mate- ment will not automatically be owned by the employer. Such a work will
rially important or where a defect or failure in performance of the be owned by the individual employee or, if created alongside others,
outsourced functions would materially impact continued compliance may be protected as a joint work. It may be possible for the employer
with licensing requirements. to assert that a work created under the supervision or direction of the
employer meets the conditions for protection as a collective work under
Cloud computing UAE legislation.
35 Are there legal requirements or regulatory guidance with In most cases, however, employers seeking to take ownership of
respect to the use of cloud computing in the financial services copyright-protected works created by employees must do so by way of
industry? written assignment. Under the Copyright Law, a provision in a contract
that purports to assign the copyright in more than five future works
There are regulations that set parameters around the use of cloud will be void.
computing in the context of outsourcings, which includes those within In the context of patents, provided that an employee’s role includes
the financial services industry. inventive activities, inventions created by an employee in the course
Organisations carrying out functions that are regulated by the of an employment contract are automatically owned by the employer,
Dubai Financial Services Authority (in the Dubai International Financial unless otherwise agreed. Different rules apply if the employee’s role
Centre) or the Financial Services Regulatory Authority (in the Abu Dhabi does not include inventive activities. In these cases, the employer may
Global Market) have specific obligations in relation to material outsourc- exercise an option to take ownership of the invention within four months
ings, which in practice will include many cases of the use of cloud of becoming aware of the invention and the employee is entitled to
computing services. In respect of each material outsourcing, the organi- receive fair compensation.
sation must implement policies and risk management programmes, The same rules that apply to employee creators of copyright-
enter into an appropriate contract with the service provider incorpo- protected works apply in respect of works created by contractors and
rating certain minimum terms, and notify the relevant regulator of the consultants. These works will be owned by the individual creator or, if
outsourcing arrangement. created alongside others, may be protected as joint works.
The Digital Payment Regulation regulates how PSPs (other than non- As against employee creators, different rules apply in respect of
issuing PSPs) may outsource operational functions, which could include inventions created by a contractor or consultant during the course of a
outsourcings to cloud service providers. In respect of each outsourcing, contract. In these cases, the contractor or consultant will own the inven-
the PSP must obtain approval from the Central Bank. The outsourced tion, unless otherwise agreed.
services are required to be carried out in the UAE (outside the financial
free zones). Special rules apply when an outsourcing is considered to Joint ownership
relate to a material operational function, although no specific distinction 38 Are there any restrictions on a joint owner of intellectual
or guidance is given in relation to cloud computing solutions. property’s right to use, license, charge or assign its right in
intellectual property?
INTELLECTUAL PROPERTY RIGHTS
Joint owners of a copyright-protected work in which it is not possible
IP protection for software to separate the contributions of each owner cannot exercise their rights
36 Which intellectual property rights are available to protect to use, license or assign the work individually, unless otherwise agreed
software, and how do you obtain those rights? in writing.
Where multiple authors contribute different kinds of art to a single
Original computer programs and related software applications are work, they may each exploit their individual contributions provided that
protected by copyright as literary works. Databases underlying soft- this does not damage the exploitation of the joint work. The legal posi-
ware programs can also attract copyright protection. Copyright arises tion is less clear in relation to works that include contributions of the
automatically as soon as the relevant literary work is created, so when same kind of art from multiple contributors.
a computer program is recorded, software lines are coded or a database A joint owner of a patented invention may exploit or assign his or
is created. There is no requirement to register these rights to be able to her rights independently of the other patentees. However, joint paten-
have them recognised or enforce them against a third party in the UAE. tees may only license the exploitation of the patent jointly with the other
If the software code has been kept confidential, it may also be patentees.
protected as confidential information and unauthorised disclosure can
attract criminal sanctions. No registration is required.
www.lexology.com/gtdt 247
© Law Business Research 2020
United Arab Emirates Simmons & Simmons LLP
Trade secrets scope. One of these wholly excluded sectors is the financial sector. The
39 How are trade secrets protected? Are trade secrets kept list of excluded sectors and other important aspects of the competition
confidential during court proceedings? regime in the UAE are within the discretion of the Ministry of Economy,
and fintech businesses in the UAE will need to consider their specific
The UAE legislation dealing with patents and industrial designs also competition law issues to assess their exposure. Looking ahead, there
includes specific protection for trade secrets and know-how. Employees is expected to be increased consolidation in the banking sector and an
have specific statutory duties to keep the commercial and industrial expectation of greater collaboration, information-sharing and other
secrets of their employers confidential and may be criminally liable in horizontal arrangements, all of which could give rise to competition law
cases of unlawful use or disclosure of information. Trade secrets and risks in the UAE.
confidential information more broadly are commonly protected by way
of contractual obligations. TAX
Court proceedings in the UAE are not held in public and there is
thereore less of a concern around maintaining the confidentiality of Incentives
trade secrets in this context. 43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
Branding fintech sector in your jurisdiction?
40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can fintech There are no special incentives. However, onshore UAE, the Dubai
businesses ensure they do not infringe existing brands? International Financial Centre and Abu Dhabi Global Market are all
currently low or zero-tax jurisdictions.
Brands can be protected as registered trademarks in the UAE. An
application for registration and other formalities must be pursued to Increased tax burden
obtain protection. A law recognising a unified trademark regime for Gulf 44 Are there any new or proposed tax laws or guidance that
Cooperation Council countries has been decreed in the UAE but has not could significantly increase tax or administrative costs for
yet entered into force. fintech companies in your jurisdiction?
The UAE trademark database can be used to identify registered
trademark rights and, therefore, help ensure that a fintech business There are no relevant new or proposed tax laws or guidance.
does not infringe existing brands. The database is not available to the
public but the law provides for a right to obtain a certified extract of IMMIGRATION
the contents of a register upon payment of a fee. Applicants must pay a
separate fee to search each class for existing trademark rights. Sector-specific schemes
It is highly advisable for new businesses, perhaps using the 45 What immigration schemes are available for fintech
services of specialist trademark attorneys, to check whether the data- businesses to recruit skilled staff from abroad? Are there
base enquiry results indicate earlier registrations that are identical or any special regimes specific to the technology or financial
similar to their proposed brand names and marks. It may also be advis- sectors?
able to conduct internet searches for any unregistered trademark rights
that may prevent use of the proposed mark. Once an employee enters the UAE on an entry permit, the employer must
make an application for a residence visa to the immigration authorities.
Remedies for infringement of IP Before the visa is granted, the employee must pass a medical exami-
41 What remedies are available to individuals or companies nation. These requirements must be satisfied within 60 days of the
whose intellectual property rights have been infringed? employee’s entry into the UAE on the entry permit. Residence visas are
typically valid for two years outside the free zones and three years for
Remedies available to individuals or companies include: employees within a free zone. The total cost of the residence visa and
• precautionary measures, including requirements to cease the use the required permits depends on the nature of the company’s activity
of an infringing item; and whether the employee is hired within or outside the UAE. The cost
• confiscation or destruction of infringing items; outside the free zones ranges from US$400 to US$1,200. Free zone
• damages; and costs can differ.
• publication orders. Both financial free zones in the UAE offer start-up-specific licences
that, if obtained, provide for the recruitment of skilled staff from outside
The UAE legislation dealing with intellectual property rights, including of the UAE. In 2018, the Abu Dhabi Global Market (ADGM) introduced
in respect of patents, designs, trademarks and copyright, provides for the ADGM Tech Start-up Commercial Licence, under which it is possible
criminal liability in various cases of infringement. to secure up to four UAE residence visas. In the Dubai International
Financial Centre (DIFC), the DIFC FinTech Commercial Licence enables
COMPETITION fintech start-ups to apply for residence visas for their staff, the number
of which is dependent on office space (generally one visa per 80
Sector-specific issues square feet).
42 Are there any specific competition issues that exist with Investor visas are available to shareholders and proprietors.
respect to fintech companies in your jurisdiction?
Since the enactment of Federal Law No. 12 of 2012, the UAE has had a
standalone, federally applicable competition law that covers anticom-
petitive agreements, abuse of dominance and merger control; however,
the law also has a list of sectors that are entirely excluded from its
Current developments
46 Are there any other current developments or emerging
trends to note?
www.lexology.com/gtdt 249
© Law Business Research 2020
United Kingdom
Angus McLean, George Morris, Jo Crookshank, Kate Cofman-Nicoresti, Olly Jones, Penny Miller
and Peter Broadhurst
Simmons & Simmons LLP
FINTECH LANDSCAPE AND INITIATIVES • the Global Financial Innovation Network is an international group
of financial regulators and related organisations, including the FCA,
General innovation climate committed to supporting financial innovation internationally;
1 What is the general state of fintech innovation in your • supporting regtech by encouraging the development of new
jurisdiction? technologies to help overcome regulatory challenges in financial
services; and
The United Kingdom has been at the forefront of innovation in tech- • engaging with firms across the UK and internationally to maximise
nology and finance for many years. Despite the ongoing uncertainty the reach of the FCA’s Innovate initiatives.
over the terms of the UK’s departure from the EU and the effects of the
covid-19 pandemic, this remains the case today. As the worlds of tech- The Bank of England is also interested in fintech. Its FinTech Hub
nology and finance become increasingly linked, London, in particular, includes the FinTech Accelerator Project, which works with businesses
has the unique advantages of being the national centre of govern- on fintech proofs of concept.
ment and finance and having many world class universities nearby.
Fintech businesses also benefit from the UK’s time zone, language and FINANCIAL REGULATION
legal system.
Perhaps mindful of the potential effect of Brexit, the UK government Regulatory bodies
remains committed to attracting start-ups and scale-up entrepreneurs 3 Which bodies regulate the provision of fintech products and
and investors. The UK remains the leading jurisdiction within Europe for services?
fintech activity. According to data from the UK's fintech trade associa-
tion, Innovate Finance, in 2019 fintech companies in the UK attracted The Financial Conduct Authority (FCA) is the financial services regulator
more capital and completed more deals than the rest of the top 10 for most regulated activities and services that a fintech would provide.
European countries combined. Seven of the top 10 deals in Europe The Prudential Regulation Authority is the regulator for banks in the UK.
involved UK fintech companies. Overall, investment was up 38 per cent The FCA regulates conduct matters for banks.
to $4.9 billion. This moved the UK up to second in the global rankings for
fintech venture capital investment. Regulated activities
While the UK is home to fintech innovation across the water- 4 Which activities trigger a licensing requirement in your
front, there is particular strength and expertise in AI and automation, jurisdiction?
blockchain and distributed ledger technology, cloud computing, crypto-
assets, cybersecurity, big data, insurtech, open banking, payments, There are a large number of activities (‘specified activities’) that, when
peer-to-peer lending and crowdfunding, and regtech. carried on in the UK by way of business in respect of specified kinds of
investments, trigger licensing requirements in the UK. These are set
Government and regulatory support out in the Financial Services and Markets Act 2000 (Regulated Activities)
2 Do government bodies or regulators provide any support Order 2001 (RAO). While it is not practical to list them all, the most
specific to financial innovation? If so, what are the key common include the following.
benefits of such support? • Accepting deposits: this is mainly carried on by banks and building
societies. An institution will accept a deposit where it lends the
Fintech in the UK is promoted by a range of government and regula- money it receives to others or uses it to finance its business.
tory bodies. • Dealing in investments (as principal or agent): buying, selling,
The Financial Conduct Authority (FCA) started ‘Project Innovate’ subscribing for or underwriting particular types of investments. In
in 2014 to encourage innovation and promote competition. Currently, respect of dealing as principal, the specified investments are ‘secu-
Project Innovate includes six initiatives: rities’ and ‘contractually based investments’. In respect of dealing
• the Regulatory Sandbox allows businesses to test innovative prop- as agent, the specified kinds of investments are ‘securities’ and
ositions in the market with real consumers; ‘relevant investments’:
• the Innovation Hub provides tailored regulatory support for inno- • securities include shares, bonds, debentures, govern-
vative firms; ment securities, warrants, units in a collective investment
• the Advice Unit provides feedback to firms developing automated scheme (CIS) and rights under stakeholder and personal
advice and guidance models; pension schemes;
• contractually based investments include rights under statements and the detailed requirements as to the form and content of
certain insurance contracts (excluding contracts of general the credit agreement itself.
insurance), options, futures, contracts for differences and The CONC chapter in the FCA Handbook sets out detailed rules that
funeral plan contracts; and regulated consumer credit firms must comply with and covers areas
• relevant investments include the same investments as such as conduct of business, financial promotions, pre-contractual disclo-
contractually based investments but also include contracts of sure of information, responsible lending, post-contractual requirements,
general insurance. arrears, default and recovery, cancellation of credit agreements and
• Arranging deals in investments (this is split into two activities and agreements that are secured on land.
specified investments in respect of arranging include securities In addition to the CONC, authorised consumer credit firms must also
and relevant investments): comply with other applicable chapters of the FCA Handbook.
• arranging (bringing about) deals in investments, which applies Failing to comply with the requirements of the CCA may result in
to arrangements that have the direct effect of bringing about those agreements being unenforceable against borrowers and the FCA
a deal; and imposing financial penalties on the firm in question.
• making arrangements with a view to transactions in invest- Entering into a regulated mortgage contract is a regulated activity.
ments, which is much wider and includes arrangements that Such contracts are loans where:
facilitate others entering into transactions. • the contract is one under which a person (lender) provides credit to
• Advising on investments: advising a person in their capacity as an an individual or trustee (borrower);
investor on the merits of buying, selling, subscribing for or under- • the contract provides for the obligation of the borrower to repay to
writing a security or relevant investment or exercising any right be secured by a mortgage on land in the EEA (this will change to
conferred by that investment to buy, sell, subscribe for or under- land in the UK from 31 December 2020); and
write such an investment. • at least 40 per cent of that land is, or is intended to be, used:
• Managing investments: managing assets belonging to another • in the case of credit provided to an individual, as or in connec-
person, in circumstances involving the exercise of discretion, where tion with a dwelling by the borrower; or
the assets include any investment that is a security or contractu- • in the case of credit provided to a trustee that is not an indi-
ally based investment. vidual, as or in connection with a dwelling by an individual who
• Establishing, operating or winding up a CIS. is a beneficiary of the trust, or by a related person.
• Certain lending activities: entering into a regulated mortgage
contract or a regulated (consumer) credit agreement (or consumer Secondary market loan trading
hire agreement) as lender. 6 Are there restrictions on trading loans in the secondary
• Certain insurance activities: effecting a contract of insurance as market in your jurisdiction?
principal and carrying out a contract of insurance as principal.
• Payment services: providing payment services. Provided that the loan itself is being traded, and not the loan instrument
• Electronic money: issuing electronic money. (eg, an instrument creating or acknowledging indebtedness), then there
are no restrictions on trading loans in the secondary market.
Consumer lending
5 Is consumer lending regulated in your jurisdiction? Collective investment schemes
7 Describe the regulatory regime for collective investment
The general position is that lending by way of business to consumers is schemes and whether fintech companies providing alternative
regulated in the UK. The FCA is responsible for authorising and regu- finance products or services would fall within its scope.
lating consumer credit firms.
There are two categories of regulated lending: regulated credit Establishing, operating or winding up a CIS is a regulated activity in the
agreements and mortgages. UK for which firms must be authorised by the FCA.
Any person (A) who enters into an agreement with an individual (or The definition of a CIS is set out in section 235 of the Financial
a ‘relevant recipient of credit’, which includes a partnership consisting Services and Markets Act 2000 (FSMA). Broadly, a CIS is any arrange-
of two or three persons not all of whom are bodies corporate and an ment with respect to property of any description, the purpose or effect of
unincorporated body of persons that does not consist entirely of bodies which is to enable the persons taking part in the arrangements to partici-
corporate and is not a partnership) (B) under which A provides B with pate in or receive profits or income arising from the acquisition, holding,
credit of any amount must be authorised by the FCA – unless an appro- management or disposal of the property or sums paid out of such profits
priate exemption applies. or income. The persons participating in the arrangements must not have
Two of the most common exemptions are: where the amount of day-to-day control over the management of the property. The arrange-
credit exceeds £25,000 and the credit agreement is entered into wholly ments must also have either or both of the following characteristics:
or predominantly for business purposes; and where the borrower certi- • the contributions of the participants and the profits or income out of
fies that they are ‘high net worth’ and the credit is more than £60,260. which payments are to be made to them are pooled; or
Other complex exemptions are available that relate to, among other • the property is managed as a whole by, or on behalf of, the operator
things, the total charge for the credit, the number of repayments to be of the scheme.
made under the agreement and the nature of the lender.
If an exemption applies, the lender does not need to comply with Whether a fintech company falls within the scope of this regime will
the detailed legislative requirements that apply to regulated credit depend on the nature of its business. For example, fintech companies that
agreements contained in the Consumer Credit Act 1974 (CCA) (and manage assets on a pooled basis on behalf of investors should consider
secondary legislation made under it) and the FCA’s Consumer Credit carefully whether they may be operating a CIS. On the other hand, fintech
Sourcebook (CONC). companies that only provide advice or payment services may be less
Broadly, the CCA sets out the requirements lenders need to likely to operate a CIS. Fintech companies are advised to seek legal advice
comply with in relation to the provision of information, documents and on this subject and to have regard to their other regulatory obligations.
www.lexology.com/gtdt 251
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
The management of two forms of regulated collective investment • setting out the minimum information that a platform should provide
schemes, UCITS and AIFs, are also regulated activities. to investors; and
• introducing a requirement to monitor the investors that can use
Alternative investment funds a platform, including that platforms assess investors’ knowledge
8 Are managers of alternative investment funds regulated? and experience of platform lending where no advice has been given
to them. Firms are required to ensure that retail clients:
Managers of alternative investment funds are regulated in the UK under • are certified or self-certified as ‘sophisticated investors’ or
the Alternative Investment Fund Managers Directive, which has been ‘high net worth investors’; or
implemented in the UK by the Alternative Investment Fund Managers • confirm before a promotion is made that they will receive
Regulations 2013 and rules and guidance contained in the FCA Handbook. regulated investment advice or investment management
services from an authorised person; or
Peer-to-peer and marketplace lending • do not invest more than 10 per cent of their net investible
9 Describe any specific regulation of peer-to-peer or assets in P2P agreements in the 12 months following
marketplace lending in your jurisdiction. certification.
Payment services requires banks to allow third-party payment service providers to initiate
12 Are payment services regulated in your jurisdiction? payments from their customers’ accounts.
Payment services are regulated under the Payment Services Regulations Robo-advice
2017, which implement the second Payment Services Directive (PSD2) 14 Describe any specific regulation of robo-advisers or other
in the UK. Payment services include: companies that provide retail customers with automated
• services enabling cash to be placed on a payment account and all access to investment products in your jurisdiction.
the operations required for operating a payment account;
• services enabling cash withdrawals from a payment account and There are no specific regulations to cover robo-advisers. The rules
all the operations required for operating a payment account; applying to investment advisers or arrangers and discretionary invest-
• the execution of the following types of payment transaction: ment managers are technology-neutral and cover face-to-face as well
• direct debits, including one-off direct debits; as online or automated services. Therefore, a licence would generally
• payment transactions executed through a payment card or a be required, and robo-advisers would be subject to the usual conduct
similar device; and of business requirements, for example, around suitability assessments,
• credit transfers, including standing orders; disclosure of costs and charges, and marketing (which must be fair,
• the execution of the following types of payment transaction where clear and not misleading).
the funds are covered by a credit line for the payment service user:
• direct debits, including one-off direct debits; Insurance products
• payment transactions executed through a payment card or a 15 Do fintech companies that sell or market insurance products
similar device; and in your jurisdiction need to be regulated?
• credit transfers, including standing orders;
• issuing payment instruments or acquiring payment transactions; Effecting or carrying out a contract of insurance, arranging contracts
• money remittance; of insurance, or dealing in insurance as an agent are a regulated activi-
• payment initiation services (initiating a payment order at the ties and fintech companies that wish to do this must be regulated.
request of a payment service user with respect to an account held Companies that wish to market insurance products must either be
with another payment service provider); and regulated, have their marketing material approved by a regulated firm
• account information services (online service to provide consoli- or fall within an applicable exclusion. For example, exemptions may be
dated information on one or more payment accounts held by the available for communications to high net worth individuals, companies,
payment service user with another one (or more) payment service sophisticated individuals and other investment professionals.
provider).
Credit references
The PSD2 broadens the scope of transactions governed by its provi- 16 Are there any restrictions on providing credit references or
sions, narrows the scope of certain exclusions, amends the conduct of credit information services in your jurisdiction?
business requirements and introduces security requirements.
To provide payment services in the UK, a firm must fall within the Providing credit information services and providing credit references
definition of a ‘payment service provider’. Payment service providers are regulated activities for which firms must be regulated. A firm
include ‘authorised payment institutions’, ‘small payment institutions’, provides credit information services where it takes any of the following
credit institutions, electronic money institutions, the post office, the steps (or gives advice in relation to any of the following steps) on behalf
Bank of England and government departments and local authorities. of an individual or relevant recipient of credit:
A firm that provides payment services in or from the UK as a • ascertaining whether a credit information agency holds informa-
regular occupation or business activity (and is not exempt, or a bank) tion relevant to the financial standing of an individual or relevant
must apply for authorisation or registration as a payment institution. recipient of credit;
• ascertaining the contents of such information;
Open banking • securing the correction of, the omission of anything from, or the
13 Are there any laws or regulations introduced to promote making of any other kind of modification of, such information; and
competition that require financial institutions to make • securing that a credit information agency that holds such
customer or product data available to third parties? information:
• stops holding the information; or
Following its investigation into the retail and small and medium-sized • does not provide it to any other person.
enterprise (SME) banking sectors between 2013 and 2016, the UK’s
competition authority (the Competition and Markets Authority (CMA)) Providing credit references involves providing people with infor-
ordered a number of remedies to help promote greater competition in mation relevant to the financial standing of individuals or relevant
the retail and SME banking markets. recipients of credit where the person has collected the information
One of the core remedies ordered by the CMA requires the nine for that purpose.
largest retail banks in Great Britain and Northern Ireland to develop In addition, the Small and Medium-Sized Business (Credit
and implement an open banking standard application programming Information) Regulations 2015 (the SMB Regulations) require:
interface (API) to give third parties access to information about their • designated banks to share specified credit information about SMEs
services, prices and service quality in order to improve competition, effi- with designated credit reference agencies (with the permission of
ciency and stimulate innovation. The open APIs also allow retail and SME the relevant SME); and
customers to share their own transaction data with trusted intermedi- • designated credit reference agencies to provide this information
aries, which can then offer advice tailored to the individual customer. to finance providers at the request of the SME and to the Bank
These measures are intended to make it easier for customers of England.
to identify the best products for their needs. Additionally, the PSD2
www.lexology.com/gtdt 253
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
While the provision of this information is not a regulated activity under SALES AND MARKETING
the FSMA, the FCA does monitor and enforce compliance with the SMB
Regulations. Restrictions
19 What restrictions apply to the sales and marketing of
CROSS-BORDER REGULATION financial services and products in your jurisdiction?
• present any comparisons or contrasts in a fair, balanced and mean- • each exiting controller notifying the FCA of the change of
ingful way; control; and
• use plain and intelligible language; • the FCA-regulated firm notifying the FCA of these changes.
• are easily legible and audible (if given orally);
• specify the name of the person making the communication (or In practice, a joint notification is usually made, coordinated by the
whom they are communicating on behalf of, if applicable); and FCA-regulated firm with the new controllers and exiting controllers.
• do not state or imply that credit is available regardless of the Any potential controllers must provide detailed information, including in
customer’s financial circumstances or status. respect of its group structure, senior management, commercial activi-
ties, any criminal or civil proceedings against the company, and details
Various other detailed requirements apply depending on the type of of the acquisition.
credit (eg, peer-to-peer, secured, unsecured or ‘high-cost short-term’ The FCA has a statutory assessment period of 60 working days to
credit) and the type of agreement (eg, whether it is secured on land), determine change-of-control applications. This can be interrupted for a
which govern things such as: period of 30 days. In practice, determinations are made more quickly.
• the requirement to include particular risk warnings and how those There is no application fee.
warnings must be worded;
• when and how annual percentage rates and representative exam- FINANCIAL CRIME
ples must be included and displayed; and
• expressions that cannot be included in financial promotions. Anti-bribery and anti-money laundering procedures
21 Are fintech companies required by law or regulation to have
In relation to mortgages, chapter 3A of the Mortgages and Home Finance: procedures to combat bribery or money laundering?
COBS applies. In addition to being clear, fair and not misleading, finan-
cial promotions must: Generally, fintech companies are only required to have anti-money laun-
• be accurate; dering (AML) procedures if the company is authorised by the Financial
• be balanced (without emphasising any potential benefits without Conduct Authority (FCA) or carries out business that is subject to the
also giving a fair and prominent indication of any relevant risks); Money Laundering Regulations 2017 (MLRs 2017). The UK implemented
• be sufficient for, and presented in a way that is likely to be under- the Fifth Money Laundering Directive (5MLD) on 10 January 2020, by
stood by, the average member of the group to whom it is directed, way of updates to the MLRS 2017 effected by the Money Laundering
or by whom it is likely to be received; and Terrorist Financing (Amendment) Regulations 2019 (the 2019
• make it clear, where applicable, that the credit is secured on the Regulations). Under 5MLD, the 2019 Regulations (in line with the 5MLD),
customer’s home; the types of entities required to have money laundering procedures has
• be presented in a way that does not disguise, omit, diminish or been widened to include crypto-asset exchange providers and custo-
obscure important items, statements or warnings; and dian wallet providers. The 2019 Regulations also capture peer-to-peer
• where they contain a comparison or contrast, be designed in such exchange providers, crypto-asset automated teller machines and the
a way that the comparison or contrast is presented in a fair and issuing of new crypto-assets (eg, an initial coin offering (ICO) or initial
balanced way and ensures that it is meaningful. exchange offering (IEO)).
Entities subject to UK money laundering regulations are required
As with credit agreements, other provisions apply depending on the to, among other things:
particular type of mortgage, covering, among other things: • identify and assess the firm’s exposure to money laundering risk
• the inclusion and presentation of annual percentage rates and by, for example, undertaking a risk assessment;
other credit-related information; • perform customer due diligence to an adequate standard depending
• points of contact; and on the risk profile of the customer;
• when and how financial promotions can be made. • keep appropriate records;
• monitor compliance with the AML regulations, including internal
CHANGE OF CONTROL communication of policies and procedures; and
• report suspicious transactions.
Notification and consent
20 Describe any rules relating to notification or consent With respect to anti-bribery policies and procedures, all companies
requirements if a regulated business changes control. (including fintech companies) that are incorporated in or carry on busi-
ness, or a part of their business, in the UK are subject to the Bribery
Part 12 of the Financial Services and Markets Act 2000 sets out a strict Act 2010. While the Bribery Act does not require the implementation of
system concerning changes of control of regulated firms, and failure policies or procedures to combat bribery, it creates a de facto require-
to adhere to the appropriate statutory requirements can be a criminal ment to do so. This is because a company charged with ‘failing to
offence, depending on the nature of the breach. prevent bribery’ may rely on the statutory defence that the company had
Controllers or potential controllers of FCA-authorised firms are adequate policies and procedures in place designed to prevent bribery.
required to make notifications to and obtain approval from the Financial It is not just large companies that need to be concerned with this law.
Conduct Authority (FCA) when a change of control occurs. The notifica- The successful prosecution of Skansen Interiors Ltd (a company with
tion must be made before a change of control takes place. A person fewer than 30 employees) for failing to prevent bribery in 2018 indicates
who fails to obtain the appropriate FCA approval will be guilty of a crim- that UK prosecutors will target smaller companies for such an offence.
inal offence.
The notification process takes place under three parallel
processes:
• each new controller submitting the appropriate controller notifica-
tion form to seek the FCA’s pre-approval;
www.lexology.com/gtdt 255
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
If the assignment does not comply with the above criteria for a legal registered office. Therefore, the non-EU subsidiary of an EU entity may
assignment, it may nevertheless take effect as an equitable assignment. not be subject to the direct retention obligation because a subsidiary
One of the key distinctions between a legal and an equitable assignment is typically a separate legal entity, whereas a non-EU branch of an EU
is that, in the case of an equitable assignment, the person to whom the entity may be caught within this provision because a branch is typically
loan has been transferred would not be able to bring an action under not a separate legal entity.
the contract in their own name. Further, there was an unexpected and unintended consequence
of the drafting under article 1(11) in Regulation (EU) 2017/2401, which
Securitisation risk retention requirements amended article 14 of Regulation (EU) No. 575/2013 (CRR) effective
25 Are securitisation transactions subject to risk retention from 1 January 2019. The effect of such amendment was to require
requirements? non-EU subsidiaries to comply with the direct obligations under Chapter
2 of the EU Securitisation Regulation on a consolidated basis (ie, those
The risk retention requirements set out in Regulation (EU) 2017/2402, relating to due diligence, risk retention, transparency, banning re-secu-
which came into force on 1 January 2019 (the EU Securitisation ritisation and criteria for credit granting). This raised challenges for
Regulation) will apply directly to the ‘originators’, ‘sponsors’ and ‘original third-country entities that are consolidated into European groups (eg,
lenders’ of a ‘securitisation’ transaction (as each such term is defined in EU banks operating in third countries through their non-EU subsidi-
the EU Securitisation Regulation) where any of the originator, sponsor aries), as these non-EU subsidiaries may be required to comply with
or original lender is established in the EU, and indirectly to originators, potentially conflicting sets of requirements under the EU risk retention
sponsors and original lenders of securitisation transactions that are rules and the locally applicable rules.
offered to ‘institutional investors’ (as defined in the EU Securitisation Following concerns from market participants, the position on the
Regulation) regulated by a competent authority of an EU member jurisdictional scope is now clarified through article 1(9) of Regulation
state (in each case, including any P2P securitisation that falls within (EU) 2019/876 (the CRR II Regulation), which further amended article 14
the definition of ‘securitisation’ in the EU Securitisation Regulation), as of the CRR. CRR II Regulation entered into force on 27 June 2019 (except
described further below. for certain provisions) and limited the application article 14 of the CRR
to article 5 of the EU Securitisation Regulation such that only the due
What are the risk retention requirements? diligence requirements will continue to apply on a consolidated basis to
The EU Securitisation Regulation requires the originator, sponsor or non-EU subsidiaries.
original lender in respect of a securitisation to retain on an ongoing
basis a material net economic interest in such securitisation of not less Possible retaining entities in respect of P2P securitisations
than 5 per cent using one of five prescribed risk retention methods, Typically, a P2P lending platform will not qualify as the ‘sponsor’ or
including (among other things) retention of: ‘original lender’ of a P2P securitisation. However, it may qualify as an
• the most subordinated tranches, so that the retention equals no less ‘originator’ if it was (either itself or through related entities) directly or
than 5 per cent of the nominal value of the securitised exposures; indirectly involved in the original agreement that created the P2P loans
• 5 per cent of the nominal value of each of the tranches sold to being securitised. Whether or not the P2P lending platform comprises
investors; or an originator will ultimately be a question of fact, but it is likely that
• randomly selected exposures equivalent to no less than 5 per cent some P2P lending platforms in the market will (by virtue of their docu-
of the nominal value of the securitised exposures. mentation structure and role as operator of the platform) comprise
originators for the purposes of the EU Securitisation Regulation. If this
Direct and indirect approaches is the case, any such P2P lending platform will be required to retain a
The retention requirement applies on a direct basis, as originators, 5 per cent economic interest in any securitisation of loans originated
sponsors and original lenders are required to agree on an entity that on their platform unless the originator, sponsor or original lender have
will act as retention holder and to ensure compliance with the retention agreed between them that another entity will retain.
requirements, and on an indirect basis, as it is incumbent upon investors If a P2P lending platform does either not qualify as an originator
in securitisation transactions to ensure that the retention requirement or does qualify as an originator but does not wish to retain, another
has been complied with. In the absence of agreement among the origi- entity with the capacity to retain will need to be identified and this entity
nator, sponsor or original lender as to who will be the retention holder, will need to agree to retain in accordance with the terms of the EU
the originator shall be the retention holder. Originators, sponsors and Securitisation Regulation. Any entity that retains in the capacity of ‘origi-
original lenders may potentially be subject to a broad range of adminis- nator’ is expected to be an entity of substance, and the EU Securitisation
trative sanctions (including significant fines) or remedial measures, or Regulation expressly provides that an entity will not be considered an
even criminal sanctions, where the they have negligently or intentionally originator where it has been established or operates for the sole purpose
infringed the risk retention requirements under the EU Securitisation of securitising exposures. The EU Securitisation Regulation does not
Regulation. Investors in a securitisation that is non-compliant will be specify in what circumstances an entity will be considered to have been
subject to higher regulatory capital charges. established for the sole purpose of securitising exposures but, in the Final
Draft Regulatory Technical Standards relating to risk retention pursuant
Jurisdictional scope to article 6(7) of the EU Securitisation Regulation (published on 31 July
The EU Securitisation Regulation does not explicitly set out the juris- 2018), the European Banking Authority (EBA) proposed that an originator
dictional scope of the direct retention obligation (which is where the will not be considered to have been established with the ‘sole purpose’
originator, sponsor or original lender would be required to comply of securitising exposures if it satisfies certain conditions, including that:
with the risk retention requirements), but there is a helpful note in the • it has a broader business enterprise and strategy;
Explanatory Memorandum to the original Commission proposal for the • it has sufficient decision makers with the required experience; and
EU Securitisation Regulation that the intention is that the direct approach • its ability to make payment obligations does not depend on the
would not apply where none of the originator, sponsor or original lender exposures to be securitised or on any exposures retained for the
is ‘established in the EU’. ‘Establishment’ is typically described by refer- purposes of the risk retention regulations.
ence to the jurisdiction in which the legal entity is incorporated or has its
www.lexology.com/gtdt 257
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
given the technology's generally ‘immutable’ (ie, unchangeable) nature. Therefore, in broad terms, the approach in the UK to the regulation
Another example is the Centralised Securities Depositary Regulation of crypto-assets at present varies.
(an EU-level regulation applicable in the UK), which requires dema- • Unregulated tokens (classic exchange tokens such as bitcoin
terialised securities to be settled through a centralised securities and utility tokens) are unregulated, although to offer services
depositary, which is a hurdle to be overcome for those fintech busi- concerning them, a business may need to be registered
nesses seeking to settle securities via distributed ledger technologies with the FCA.
(security tokens). • E-money tokens (crypto-assets that have the characteristics of
e-money) are regulated as if they were e-money, and businesses
Crypto-assets dealing in them need to be properly authorised by the FCA as
29 Are there rules or regulations governing the use of crypto- appropriate under the Electronic Money Regulations and the
assets, including digital currencies, digital wallets and Payment Services Regulations.
e-money? • Security tokens (crypto-assets that have the characteristics of
regulated financial products) are regulated in the same way as the
In the UK, there are specific rules relating the operation of certain types type of security that the crypto-asset shares characteristics with,
of crypto-businesses in the UK, requiring the following businesses to be and any businesses dealing in them need to be properly authorised
registered with the FCA: by the FCA as appropriate.
• those that provide a facility to enable the exchange of one crypto-
asset for another or the exchange of fiat currency for crypto-assets Crypto-asset regulation in the UK continues to be a developing area.
(or vice versa), or any business that makes arrangements with a There are two outstanding regulatory consultations that have been
view to any such exchange; announced but not yet published – one on extending the FCA’s powers
• those that provide custodial crypto-asset wallet services; in respect of regulation of currently unregulated crypto-assets, and
• any business that issues new crypto-assets (eg, a business another on potentially applying certain rules to the promotion of crypto-
conducting an initial coin offering); and assets, both of which are likely to be relatively transformative if and
• businesses that operate crypto-asset automated teller machines. when they are published.
Prior to operating any such business, the business must first register Digital currency exchanges
with the FCA. The registration process is complex and requires the 30 Are there rules or regulations governing the operation of
submission of a number of different information requirements. Once a digital currency exchanges or brokerages?
complete application has been submitted, the FCA has three months
to consider the application and accept or reject it as it sees fit. At the Any digital currency exchange or brokerage operating in the UK needs
time of writing, there is currently a grace period for registration oper- to be registered with the FCA. The registration process is complex and
ating, whereby any in-scope business that was operating crypto-asset requires the submission of a number of different information require-
services as at 10 January 2020 has until 10 January 2021 to register. For ments. Once a complete application has been submitted, the FCA has
any business launching after 10 January 2020, they must be registered three months to consider the application and accept or reject it as it
with the FCA before they can begin providing crypto-asset services sees fit. At the time of writing, there is currently a grace period for regis-
in the UK. tration operating, whereby any in-scope business that was operating
Other regulatory processes regarding crypto-assets continue in crypto-asset services as at 10 January 2020 has until 10 January 2021
other areas. These follow on from the FCA, Bank of England and HM to register. For any business launching after 10 January 2020, they must
Treasury’s Crypto Assets Task Force report of 2018, which announced be registered with the FCA before they can begin providing crypto-asset
the intention to launch a series of consultations on regulation of the services in the UK.
crypto-assets industry, including on: Beyond the registration requirement noted above, there are no
• the transposition of the Fifth Anti-Money Laundering directive rules or regulations specifically governing the operation of digital
into UK law (which resulted in the registration requirements currency exchanges or brokerages where they deal in spot transac-
noted above); tions of unregulated crypto-assets. If a digital currency exchange or
• guidance around the application of existing financial services regu- brokerage deals in regulated crypto-assets or any other regulated
lation to the crypto assets market (see below); product (even if in tokenised form), FCA regulations will apply around
• the potential extension of the FCA’s regulatory perimeter to authorisation and compliance to the same extent that they would apply
encompass certain assets and activities within the crypto- to a traditional exchange or brokerage.
assets sector (which, as at the date of writing, has not yet been Regulation around crypto-assets in the UK is undergoing some
published); and change at the time of writing.
• a potential ban on the offering of derivative products to retail
customers, where those products reference crypto-assets (which Initial coin offerings
was published in 2019, but the results of which have not been 31 Are there rules or regulations governing initial coin offerings
released at the time of writing). (ICOs) or token generation events?
On the consultation for guidance on crypto-asset regulation, this was Any business intending on carrying out an initial coin offering (ICO) in
launched in January 2019, and finalised guidance was released in July the UK needs to be registered with the FCA. The registration process
2019. The guidance details the FCA’s taxonomy covering ‘exchange is complex and requires the submission of a number of different infor-
tokens’ (decentralised assets such as bitcoin), ‘security tokens’ (block- mation requirements. Once a complete application has been submitted,
chain-traded products that have similar characteristics to traditional the FCA has three months to consider the application and accept or
regulated securities), and ‘utility tokens’ (blockchain-traded products or reject it as it sees fit. At the time of writing, there is currently a grace
other items that do not have similar characteristics to traditional regu- period for registration operating, whereby any in-scope business that
lated securities). had launched its ICO as at 10 January 2020 has until 10 January 2021
www.lexology.com/gtdt 259
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
to register. For any ICO launching after 10 January 2020, they must be to transfer personal data between the UK and the EU). The oversight of
registered with the FCA before they can begin their ICO in the UK. UK businesses’ compliance with the GDPR and related legislation, and
Beyond the registration requirement noted above, here are no enforcement of them, is carried out by the UK regulator, the Information
rules or regulations specifically governing ICOs, token generating Commissioner’s Office.
events or any other analogous token distribution process, provided that There are no rules or regulations in the UK relating to personal
the tokens being issued as part of the process in question do not have data that are specifically aimed at fintech companies.
the same or similar rights to regulated securities or e-money in the UK.
If the token being issued has the same or similar rights attached to it Cybersecurity
as regulated securities or e-money in the UK, strict FCA regulations will 33 What cybersecurity regulations or standards apply to fintech
apply on issuing, holding, dealing in or otherwise selling those tokens. businesses?
Regulation around crypto-assets in the UK is undergoing some
change at the time of writing. There are no rules or regulations in the UK that provide cybersecu-
rity requirements for fintech businesses specifically. More generally,
DATA PROTECTION AND CYBERSECURITY the GDPR imposes more general requirements on businesses in the
UK to ensure a high standard of security over personal data that they
Data protection process, including the general obligation to have in place reasonable
32 What rules and regulations govern the processing and technical and organisational measures to ensure the security of that
transfer (domestic and cross-border) of data relating to data, compliance with which requires measures relating to cybersecu-
fintech products and services? rity to be put in place.
Further, for FCA-regulated businesses, the Financial Conduct
On 25 May 2018, the EU General Data Regulation (GDPR) came into force Authority (FCA) has significant powers of oversight and enforcement in
with direct effect across the entire EU. The GDPR governs the storage, respect of those businesses’ internal systems and controls relating to
viewing, use of, manipulation and other processing by businesses of protection of confidential client information. The FCA actively manages
data that relates to a living individual. In summary, the GDPR requires and oversees these requirements and, in recent years, has imposed
that businesses may only process personal data where that processing significant fines on entities that have failed to meet these requirements.
is done in a lawful, fair and transparent manner, as further described
in the GDPR. OUTSOURCING AND CLOUD COMPUTING
The GDPR requires that any processing of personal data must
be done pursuant to one of six lawful bases for processing. The most Outsourcing
commonly used lawful basis for processing is to obtain the consent 34 Are there legal requirements or regulatory guidance with
of the data subject to that processing – in relying on this lawful basis, respect to the outsourcing by a financial services company of
the business must ensure that the consent is freely given, specific, a material aspect of its business?
informed and unambiguous, and capable of being withdrawn as easily
as it is given. This places a significant burden on businesses to ensure The position on regulation of outsourcing by financial services compa-
that their customers are fully informed as to what their personal data is nies in the UK is a complex picture, encompassing a number of different
being used for, which is a crucial change to the previous regime under requirements that apply in different ways, depending on the type of
which disclosure did not need to be so transparent. Other lawful bases financial services business in question.
for processing data include where that processing is necessary for the The most important of these requirements is the new European
business to perform a contract it has with the data subject, or where Banking Authority (EBA) guidelines. On 25 February 2019, the EBA
required to comply with an obligation the business has at law (not a published revised (final) guidelines on outsourcing arrangements (the
contractual obligation). Guidelines) for credit institutions and certain investment firms as well
The GDPR further differs from the previous regime in that it places as payment and electronic money institutions. The Guidelines amend
a significantly increased compliance burden on businesses, including for and finalise previously published draft guidelines in light of extensive
example mandatory requirements to notify regulators of data breaches, consultation responses from the industry and industry bodies. Therefore,
obligations to keep detailed records on processing, and requirements the Guidelines are consistent with, and build upon, the previous Senior
for most entities to appoint a data protection officer. Management Arrangements, Systems and Controls Chapter 8 (SYSC 8)
The GDPR does not apply to personal data that has been truly requirements (which now operate mostly as guidance rather than as
anonymised – as anonymised data cannot, by definition, be personal requirements); however, they apply to a broader set of businesses than
data. However, to ensure that GDPR does not apply to a certain data set, SYSC 8 – most noteworthy is the inclusion of payment and electronic
that data set must be truly anonymised. The GDPR itself gives limited money institutions, which are not subject to SYSC 8.
guidance on anonymisation in Recital 26, requiring data controllers to In broad terms, the Guidelines provide more granular detail around
consider a number of factors in deciding if personal data has been truly requirements that relevant businesses must comply with when carrying
anonymised, including the costs and time required to de-anonymise, out outsourcing (including in relation to internal processes and proce-
the technology available at the time to attempt de-anonymisation and dures), compared to the SYSC 8 requirements.
further developments in technology. The Guidelines took effect on 30 September 2019 and have been
Businesses that infringe the GDPR may be subject to administra- adopted in the UK. All new outsourcing contracts entered into after this
tive fines of an amount up to €20 million or 4 per cent of global turnover, date should be compliant with the Guidelines, and relevant institutions
whichever is higher. are expected to review and update any internal processes and proce-
In the UK, the Data Protection Act 2018 came into force at the same dures to meet the Guidelines' requirements. There is also a backstop
time as the GDPR. Among other things, it replaces the Data Protection date for upgrading pre-existing contracts to comply with the Guidelines
Act 1998, fills in gaps in the GDPR and ensures that on leaving the EU, by 31 December 2021. The Guidelines support harmonisation of existing
the UK will have an ‘adequate’ data protection regime compared to that regulation and guidance applicable to different types of financial
of the EU (with the aim of ensuring an unhindered ability for businesses services firms.
www.lexology.com/gtdt 261
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
The Trade Secrets Regulations also implement aspects of the Trade • issues around the anticompetitive use of algorithms and
Secrets Directive that differ from, or add to, the existing law applying machine learning.
to the protection of confidential information. This includes specifying
the limitation period for bringing a trade secrets claim and the rules The Competition and Markets Authority (CMA), Financial Conduct
regarding awarding damages and interim and corrective measures. Authority (FCA) and Payment Systems Regulator (all of which are
Confidential information (which may include non-public information concurrent competition law enforcement authorities in the UK) gener-
that is not captured by the definition of ‘trade secret’) can be protected ally consider fintech to represent a pro-competitive force, leading to
against misuse, provided the information in question has the necessary change in markets and encouraging innovation. For example, the FCA is
quality of confidence and is subject to an express or implied duty of an active participant in the Global Financial Innovation Network.
confidence. In the case of both trade secrets and the confidential infor- The CMA has been undertaking a number of initiatives to formulate
mation, no registration is necessary (or possible). Trade secrets and its approach to the regulation of competition in the UK digital markets,
confidential information can be kept confidential during civil proceed- with a view to focusing on the protection of the consumer. As well as
ings with the permission of the court. undertaking an investigation into the retail banking market, seeking
to implement open banking and improve the quality of information
Branding provided to customers, the CMA has also taken advice from external
40 What intellectual property rights are available to protect experts, advocating a more involved approach to competition regula-
branding and how do you obtain those rights? How can fintech tion. The CMA has been advised to perform more sophisticated analyses
businesses ensure they do not infringe existing brands? of digital mergers, consider the role of big data in creating barriers to
entry, and take account of network affects to create more effective rules
Brands can be protected as registered trademarks either in the UK for large digital platforms (see Furman and Lear reports for further
alone (as a UK trademark) or across the EU (as an EU trademark). A information). As a result, the CMA issued its Digital Markets Strategy in
brand can also be protected under the common law tort of passing-off if July 2019: a vision for how it proposes to protect consumers in complex
it has acquired sufficient goodwill. and rapidly-changing digital markets while continuing to protect inno-
Certain branding, such as logos and stylised marks, can also be vation. One concrete outcome of this has been the creation of a Digital
protected by design rights and may also be protected by copyright as Markets Taskforce, a dedicated unit with the role of monitoring develop-
artistic works. ments in digital markets and advising the Government on how best to
The UK and EU trademark databases can all be searched to iden- approach them.
tify registered or applied for trademark rights with effect in the UK. It is The CMA has also taken an increasingly interventionist stance
highly advisable for fintech businesses to conduct trademark searches in UK merger cases. In part, this is probably as a result of it having
to check whether earlier registrations exist that are identical or similar received more resources in preparation for Brexit; but also because of
to their proposed brand names. It may also be advisable to conduct a growing feeling that it may have been missing transactions that have
searches of the internet for any unregistered trademark rights that may negatively impacted competition. This more interventionist approach
prevent use of the proposed mark. has been present in all sectors to some extent, but it has been particu-
larly noticeable in relation to fintech deals – a number of Phase II
Remedies for infringement of IP (in-depth) investigations have been related to transactions involving
41 What remedies are available to individuals or companies fintech players in the last 12 months.
whose intellectual property rights have been infringed? The future of fintech competition regulation will depend in some
part on the UK’s relationship with the EU post-Brexit. The FCA has as
Remedies include: one of its priorities the development of future bilateral arrangements
• preliminary and final injunctions; with the EU and the rest of the world to promote its expertise in fintech
• damages or an account of profits; regulation.
• delivery up or destruction of infringing products;
• publication orders; and TAX
• costs.
Incentives
COMPETITION 43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
Sector-specific issues fintech sector in your jurisdiction?
42 Are there any specific competition issues that exist with
respect to fintech companies in your jurisdiction? The UK has introduced a wide range of tax incentives that are available
to fintech companies and investors in such companies. The key incen-
Competition authorities in the UK (and elsewhere) face a range of poten- tives are set out below, although there are a number of conditions to be
tially complex competition law issues in relation to fintech offerings. met to qualify for each scheme:
These include: • seed enterprise investment scheme (SEIS): 50 per cent income tax
• the risks around the exchange of competitively sensitive relief and exemption from capital gains tax for investors in high-
information; risk start-up trading companies;
• the risks of a fintech firm or platform obtaining a dominant posi- • enterprise investment scheme (EIS): 30 per cent income tax relief
tion in the market and any behaviour that could potentially exclude and exemption from capital gains tax for investors in small high-
other market players; risk trading companies;
• the development and participation in technical standards; • venture capital trust (VCT) scheme: 30 per cent income tax relief
• exclusivity arrangements between parties to a fintech offering; and exemption from capital gains tax for investors in venture
• the limits of any specified tying or bundling of products or services capital trusts, which subscribe for equity in, or lend money to, small
to the fintech solution; and unquoted companies;
• business asset disposal relief (formerly entrepreneurs’ relief): a From April 2021, large businesses will be required to notify HMRC
reduced 10 per cent capital gains tax rate for entrepreneurs selling when they take a tax filing position HMRC is likely to challenge. The
business assets (only available to directors and employees of government is consulting on how this will operate and there are still
businesses); many details to be ironed out. However, the rules are expected to apply
• investors’ relief: an additional reduced 10 per cent capital gains to businesses with a turnover above £200 million or a balance sheet
tax rate that allows other types of shareholders to benefit from total over £2 billion. Large fintech businesses are advised to watch out
the same relief as is provided under business asset disposal for developments in this area.
relief when they sell their shares. Unlike business asset disposal
relief, this reduced rate is only available to investors who have IMMIGRATION
not been officers or employees in the company whose shares are
being sold; Sector-specific schemes
• research and development tax credits: tax relief for expenditure on 45 What immigration schemes are available for fintech
research and development; businesses to recruit skilled staff from abroad? Are there
• patent box regime: a reduced 10 per cent corporation tax rate any special regimes specific to the technology or financial
for profits from the development and exploitation of patents and sectors?
certain other intellectual property rights;
• innovative finance ISA eligibility: peer-to-peer (P2P) loans are Nationals from EU countries, Iceland, Liechtenstein, Norway and
eligible for inclusion in tax-free ISAs; Switzerland
• tax relief for P2P bad debt: an income tax relief for irrecoverable Despite the UK’s departure from the EU, Fintech businesses are
P2P loans, or P2P bad debt; and currently still able to recruit workers from EU countries, Iceland,
• P2P interest withholding tax exemption: P2P loan interest payments Liechtenstein, Norway and Switzerland in the same way and on the
are exempt from UK withholding tax. same basis as they recruit British nationals.
However, this is set to change with nationals from EU countries,
Subject to applicable lifetime limits, a company may raise up to £150,000 Iceland, Liechtenstein, Norway and Switzerland who enter the UK after
under the SEIS over a three-year investment period and up to a total 31 December 2020 becoming subject to the same working visa require-
of £5 million (£10 million for knowledge-intensive companies) over 12 ments as nationals from other countries.
months from ‘relevant investments’, which includes investments under
the SEIS and EIS and investments by VCTs. While financial activities Nationals from other countries
are an excluded activity for the SEIS, EIS and VCT scheme, as long as Workers from other countries may only be recruited by UK fintech busi-
a fintech company is only providing a platform through which financial nesses if they meet the relevant eligibility criteria and are awarded
activities are carried out, such a fintech company should still qualify for sufficient points under a tiered points-based system. The relevant tiers
those schemes assuming it meets the other conditions. for fintech businesses are likely to be tier 1 and tier 2.
Tier 1 is open to investors and, until recently, included the
Increased tax burden Exceptional Talent visa. This is now closed to new applicants and has
44 Are there any new or proposed tax laws or guidance that been replaced by a Global Talent visa, which is available to highly expe-
could significantly increase tax or administrative costs for rienced and internationally recognised professionals in a wide range of
fintech companies in your jurisdiction? disciplines, including digital technology. The application depends on an
endorsement by an approved body that, in the case of digital technology
In the Budget 2020, the lifetime limit for business asset disposal relief applicants, is Tech Nation.
(formerly entrepreneurs’ relief) was reduced from £10 million to £1 Tier 1 also includes options for entrepreneurs who may apply for
million for any qualifying disposals made on or after 11 March 2020. either a ‘start-up visa’ or an ‘innovator visa’, depending on their level
This significantly decreases the relief available from capital gains tax for of experience. In many cases, entrepreneurs and other workers will
investors disposing of businesses where the investor meets the quali- require an assessment or endorsement by a relevant UK body, which
fying conditions. for fintech related roles is likely to be Tech Nation
The Budget 2020 announced a review of VAT on fund management Tier 2 is open to skilled workers who are sponsored by a licensed
fees alongside the establishment of an industry working group to review organisation where the role is being transferred to the UK from over-
how financial services are treated for VAT purposes. Fintech companies seas or cannot be filled by someone living in the UK. A worker with skills
are advised to keep an eye on what emerges from the working group, deemed to be in short supply receives a number of advantages under
given the potential impact on their tax position. the tiered points-based system. Roles currently deemed to be in short
The digital services tax (DST) was introduced from 1 April 2020 supply include IT business analysts, architects and system designers,
following a government consultation. This 2 per cent tax applies to the programmers and software development professionals, and other infor-
revenues of search engines, social media services and online market mation technology and communications professionals. Finance roles
places, which derive value from UK users. The DST applies where a are not currently considered to be in short supply.
group’s worldwide revenue from digital activities is more than £500
million and more than £25 million of the revenue is derived from the UPDATE AND TRENDS
UK. As such, the tax is expected to impact a small number of large
multinationals. Financial services providers are excluded from the Current developments
online market places definition, meaning fintech companies should 46 Are there any other current developments or emerging
generally fall out of the scope of this tax. However, where there are trends to note?
unified platforms with social media, marketplace and search engine
elements and the threshold conditions are met, then fintech companies The authorities in the UK continue to develop their approach to the
could fall in scope for revenue from the social media and search engine regulation of fintech businesses. While we expect the next six months
income streams. of regulatory and policy activity to focus on supporting all aspects of
www.lexology.com/gtdt 263
© Law Business Research 2020
United Kingdom Simmons & Simmons LLP
the financial services sector (including the fintech sector) through the
impact of the coronavirus pandemic and Brexit uncertainty, there is still
a large amount of fintech-specific regulator activity on the horizon.
In May 2020, The Financial Conduct Authority (FCA) launched a
regulatory grid to help financial firms prepare for upcoming regulatory
work. Upcoming regulatory work relevant to the fintech sector includes:
• a review of the UK fintech sector to identify measures to maintain
growth and competitiveness;
• a consultation on a measure to bring certain crypto-assets into the Angus McLean
angus.mclean@simmons-simmons.com
scope of financial promotions regulation;
• the Cryptoasset Task Force consultation on the broader regula- George Morris
tory approach to crypto-assets, including new challenges from george.morris@simmons-simmons.com
stablecoins; Jo Crookshank
• changes to the regulatory regime to prohibit investment products jo.crookshank@simmons-simmons.com
referencing certain crypto-assets;
Kate Cofman-Nicoresti
• a project involving the Bank of England (BOE) and seven firms to
kate.cofman-nicoresti@simmons-simmons.com
explore the viability of testing machine-readable and -executable
regulatory reporting; Olly Jones
• the establishment of a joint FCA and BOE forum with industry to olly.jones@simmons-simmons.com
look at the impact of AI on financial services; Penny Miller
• the implementation of new rules to enhance the security of penny.miller@simmons-simmons.com
payments and limit fraud during the authentication process; and
Peter Broadhurst
• an assessment of the opportunities and risks arising from open
peter.broadhurst@simmons-simmons.com
finance and the FCA’s role in ensuring that it develops in the best
interests of consumers.
CityPoint
In its 2020/2021 business plan, the Prudential Regulation Authority One Ropemaker Street
has outlined its intention to focus on digital currencies and RegTech. London EC2Y 9SS
United Kingdom
It also intends to examine its regulatory framework to identify any
Tel: +44 20 7628 2020
changes required.
Fax: +44 20 7628 2070
The BOE has launched a review in discussion with banks, insurers www.simmons-simmons.com
and financial market infrastructures to reform regulatory data over
the next decade. The review will seek ways to decrease the burden
on industry and to increase the timeliness and effectiveness of data in
supporting supervisory judgements, with the outputs helping inform up to £2,500. The scheme will run until October 2020, but the level
appropriate next steps. of government funding will taper from August 2020, with employers
The Payment Systems Regulator’s key projects for the coming year being expected to contribute the balance of the payments;
include a commitment to supporting Pay.UK’s development of the New • a £500 million Future Fund for Innovative UK-based companies,
Payments Architecture and ensuring that it delivers a resilient medium which allows them to apply for a convertible loan of between
for making digital payments. It has also strengthened its commitment £125,000 and £5 million from the UK government. The government
to ensuring that the market for card-acquiring services work well; high- loans need to be matched by private investors; and
lighted the need for greater efforts to tackle authorised push payment • £750 million grant and loan funding to be provided to small and
scams; and committed to ensuring that payment systems and markets medium-sized enterprises focusing on research and development.
are more competitive. The funding will be administered by Innovate UK.
lexology.com/gtdt
ISBN 978-1-83862-339-5